Make your passwords safer with advice from Safe4

The release of personal photographs and videos of celebrities has made headline news around the world this week. Once again the security of cloud storage services has been called into doubt. As the story has unfolded it has become clear that the breach was not the result of a failure of the iCloud security systems; instead it appears to have been the result of social engineering, that is, manipulating people rather than breaking the technology.


May flowers … planning security for the future

Having secured your operation against the security issues seen in April and reviewed in my last blog post, how do you assess the robustness of your organization to defend against the ongoing threat environment in May and through the summer?

It is difficult enough for an organisation to determine its exposure to security threats such as those seen in the last couple of months. It is often harder to establish guidelines and policies for handling the different types of information flowing through the many channels of your business in a robust and defensible way. A simple risk-based approach can be used to develop these policies and ensure that your organisation is protected as far as possible.

The analysis can be done very quickly and simply by a small team.

First, look at the types of information that may have been affected, breaking them down into broad categories, for example:

  • Contracts
  • Plans and Strategies
  • Client confidential information
  • Bidding documents for deal A
  • Marketing information
  • etc.

As in any risk-based approach, for each of the above categories you need to consider two dimensions.

  • Likelihood – how likely is it that the information has been compromised? A simple scale of Unlikely/Likely/Very Likely is usually sufficient.
  • Consequence – what are the consequences if the information were to be compromised? Consider the financial and reputational impact on yourselves and, where appropriate, on your clients. A simple scale of Low/Medium/Significant is in most cases sufficient.

If this is plotted as a simple matrix it is possible to assign a risk to each combination of likelihood and consequence, and to devise mitigating actions for those information categories that have a high risk.


For each of the assessed risks it is important to take appropriate mitigating actions, for example as shown below. The mitigating actions are best worked out as a workshop session.

Critically the risk matrix can also be used to categorise your information and decide on its use, storage and techniques for distribution, especially electronic. This can minimize your exposure to future threats and demonstrate to your clients the effectiveness of your information security controls.
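The assessment procedure above (list the information categories, score each on the two ordinal scales, place it on the matrix, rank by risk and attach a handling rule) worked through in Python. This is an added example, not code from the original post or from Safe4; the cut-offs that turn a matrix cell into a High/Medium/Low rating, the handling rules and the sample categories' scores are assumptions for illustration, which a workshop team would replace with its own.

```python
from dataclasses import dataclass

# Ordinal scales from the post; tuple order is severity order.
LIKELIHOOD = ("Unlikely", "Likely", "Very Likely")
CONSEQUENCE = ("Low", "Medium", "Significant")


def risk_rating(likelihood: str, consequence: str) -> str:
    """Map one matrix cell to a rating.

    Assumed rule: add the two ordinal positions (0..4); 3 or more is High,
    exactly 2 is Medium, otherwise Low. The post leaves the cut-offs to the team.
    """
    score = LIKELIHOOD.index(likelihood) + CONSEQUENCE.index(consequence)
    if score >= 3:
        return "High"
    if score == 2:
        return "Medium"
    return "Low"


# Assumed handling strategies per rating (use, storage, distribution).
HANDLING = {
    "High": "distribute only via authenticated portal; no email attachments; "
            "access list approved by the information owner; encrypted at rest",
    "Medium": "authenticated portal preferred; email only if encrypted; access logged",
    "Low": "normal business channels; standard retention",
}


@dataclass
class InfoCategory:
    name: str
    likelihood: str
    consequence: str

    @property
    def rating(self) -> str:
        return risk_rating(self.likelihood, self.consequence)


def build_register(categories):
    """Categories ordered highest risk first, each with its handling rule."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    ranked = sorted(categories, key=lambda c: (order[c.rating], c.name))
    return [(c.name, c.rating, HANDLING[c.rating]) for c in ranked]


def render_matrix(categories) -> str:
    """Text version of the likelihood x consequence grid, category names in cells."""
    cells = {(l, c): [] for l in LIKELIHOOD for c in CONSEQUENCE}
    for cat in categories:
        cells[(cat.likelihood, cat.consequence)].append(cat.name)
    lines = ["Likelihood \\ Consequence | " + " | ".join(CONSEQUENCE)]
    for l in reversed(LIKELIHOOD):  # most likely row on top
        row = [", ".join(cells[(l, c)]) or "-" for c in CONSEQUENCE]
        lines.append(f"{l:<24} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed sample scores for the post's example categories (assumed values).
SAMPLE = [
    InfoCategory("Contracts", "Likely", "Significant"),
    InfoCategory("Plans and Strategies", "Unlikely", "Significant"),
    InfoCategory("Client confidential information", "Likely", "Significant"),
    InfoCategory("Bidding documents for deal A", "Very Likely", "Significant"),
    InfoCategory("Marketing information", "Likely", "Low"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE))
    for name, rating, rule in build_register(SAMPLE):
        print(f"{rating:<7} {name}: {rule}")
```

The register output is the input to the mitigation workshop: High-rated categories are listed first so the team spends its time where the exposure is, and the handling rule per rating is what later becomes the information-handling policy.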

Again a simplified example of a set of strategies for information handling could be.

Such a review can be completed in about a day using a small team and can provide invaluable input to dealing proactively with information that may already have been compromised, or to define a future strategy for handling information.

Having an effective strategy for management of your information is vitally important since two things are certain:

  1. Clients want their information quicker and at a location and on a device of their choosing. Cloud based distribution of information is going to remain.
  2. Valuable information will be of interest to other parties and techniques for stealing that information will only increase in sophistication.


Safe4 will continue to provide a top level of security for all confidential documents stored by its customers within their overall security strategy.

I hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.

Please respond to this blog or contact us at [email protected] with any questions or comments.

New document from the ICO confirms the need to keep browsers updated

Recent well-publicised issues regarding security threats to Internet users have highlighted the problems that arise through the use of out-of-date operating systems and web browsers when accessing Internet-based services. Safe4 have rigorously applied all current security patches to our servers, and consequently we have avoided any of the risks caused by the OpenSSL Heartbleed bug (see the other posts on this blog).

As a result some users of very old technology, typically Windows XP and early versions of Internet Explorer, have been blocked from accessing Safe4. This is because the older security protocols those browsers rely on have been the cause of many of the current threats to secure web-based services. As before, our advice to users is to upgrade their operating system and browser and apply all of the security patches supplied by Microsoft, or alternatively to use another browser such as Google Chrome or Mozilla Firefox.

The UK Information Commissioner’s Office has now published further guidance on this issue, with specific reference to data protection. Their document is available on the ICO website.

Safe4 will continue to apply all possible protection measures to safeguard our customers’ information, and will not maintain the use of outdated security protocols to permit access by unsupported browsers or operating systems.

Microsoft patches Internet Explorer Vulnerability

Following the announcement earlier this week that a vulnerability had been found in all versions of Internet Explorer (6, 7, 8, 9, 10 and 11), Microsoft has acted quickly to provide an update. All users of Internet Explorer are strongly encouraged to upgrade at the earliest opportunity.

The upgrade process is simple – just use the Update functionality built into Windows by clicking on “Check for updates” in Windows Update which can be accessed from your Control Panel.

Further details can be found on the Microsoft blog – http://blogs.technet.com/b/microsoft_blog/archive/2014/05/01/updating-internet-explorer-and-driving-security.aspx

In an interesting move Microsoft has also issued an update for users of Windows XP – despite discontinuing support for XP at the beginning of April. Safe4 would however encourage you to upgrade as soon as practical to take advantage of the latest security features and to remain secure against future threats.

If upgrading from Windows XP is impractical for you at the moment, we recommend using a browser other than Internet Explorer, as mentioned in earlier blogs. Google Chrome and Mozilla Firefox are both viable alternatives.


Posted by Alistair Stubbs, Safe4 Information Management Technical Director

Internet Explorer Vulnerability

Following concern about the Heartbleed bug, there has been an additional significant announcement from Microsoft about a security vulnerability in ALL versions of Internet Explorer. See https://technet.microsoft.com/en-US/library/security/2963983 for full details.

This is a major vulnerability as it could enable someone to execute arbitrary code on someone’s PC. It does however require the user to visit a website that has been crafted to exploit this vulnerability. Users of Internet Explorer should be especially vigilant about visiting unknown sites, phishing, and following unrecognised links in emails or instant messages.

Both the US and UK governments have provided advice and are recommending that until the problem is resolved you should use an alternative browser, such as Google Chrome or Mozilla Firefox.

Safe4 also encourages our users to find an alternative to Internet Explorer until Microsoft has issued an update.

Please note this is in addition to our recommendation in a recent blog post to upgrade from Microsoft XP.

March winds and April Showers bring forth …

The Spring of 2014 has seen a raft of news about online document security – both good and bad. The year was ushered in by guidance from regulatory bodies and professional organizations including the Solicitors Regulation Authority (SRA) on cloud based document security and the Institute of Chartered Accountants with the ICAEW guide to cyber security in corporate finance.

As if this was a challenge, the barometric pressure around some key security vulnerabilities was building up as Spring started and the March winds began to blow. April came, not just with rain, but with security showers and dire warnings about the need to protect the security of your valuable information. Three significant events caused us all to check that our security raincoats were actually keeping the rain out:

Heartbleed

First the Heartbleed vulnerability hit the headlines. This was possibly one of the most significant security vulnerabilities of recent years with two main characteristics causing it to be a real problem:

  • The vulnerability exposed the encryption keys used to secure information sent between your browser and many websites. Once someone has the encryption keys it is possible to read all of the information exchanged. This could include items such as passwords, credit card numbers, commercially or legally sensitive documents and other personal information.
  • The nature of the vulnerability also made it impossible for someone to know whether their encryption keys, or other information exchanged, have been intercepted. In light of this, everyone who has been operating the vulnerable versions of the software needs to assume they have been compromised.

Unfortunately there was also a shower of poor advice about how to deal with Heartbleed. The most significant misdirection was the advice to immediately update your passwords in the belief this would protect your information – it wouldn’t necessarily. For this reason alone, it is worth reviewing what action was taken and whether it worked.

Did you deal effectively with Heartbleed?

If you are a user of a web site, the main imperative was to check with the provider of the services that you use that they patched the Heartbleed vulnerability before you updated your passwords. If they didn’t then you still may be at risk.

Reputable providers of web services have been very open with the status of their systems, whether they are affected, and what steps they have taken. Look for emails from the providers, or blogs on their websites. For example, we at Safe4 had a strong enough architecture and controls that our users were not at risk and we confirmed this with messages at system log in and with blog information on our website.

If you are uncertain about any of this, it is very easy to check whether the site you use is still vulnerable. Go to the free Qualys SSL Labs online test and enter the site URL. The result will tell you whether Heartbleed is still an issue with the site. Then check directly with the site when they were “clean”, that is, patched and with new keys. If this was before your last password update, then you should be safe; if you changed your password before the site was patched, change it again. As it is good security practice to change your password periodically anyway, you might want to play absolutely safe and update it again regardless.

Windows XP and Internet Explorer 8

There was also a significant date during the month for those people who are still using Windows XP. On 8th April Microsoft discontinued support for XP.

There may be no obvious immediate implications since the software will continue to run as before. However Microsoft will not be issuing any further security updates to XP. As time goes by, this operating system will become increasingly vulnerable.

Interestingly Windows XP already does not support a number of the modern information security protocols which have been developed to improve security.

Many companies, including Safe4, who have undertaken detailed reviews of their information security strategies, have decided to disable support for older security protocols – which unfortunately cannot be used by Internet Explorer 8 on Windows XP. Disabling support for Internet Explorer on Windows XP has enabled these companies to attain the highest possible ratings for security in independent analysis.

Safe4 therefore strongly recommends that companies and all users of secure online services look to upgrade from Windows XP to Windows 8 as soon as possible. In the meantime, if upgrading from XP is not an available option, we would suggest using an alternative browser such as Google Chrome, which will take advantage of the latest security protocols.

Dropbox and Box weblinks

As April gave way to May, there was emerging news that these two widely used free file sharing services were vulnerable to a web linking loophole exposing files to unauthorized access. The vulnerability, described here by independent security analyst Graham Cluley, laid bare sensitive information including tax returns, mortgage applications and corporate information including a business plan.

The problem appears to be that Dropbox and Box did not always require users accessing a shared link to authenticate themselves.

Safe4 always requires valid authentication from a user and checks that the user has permission to access the particular file linked to. Safe4 Technical Director, Alistair Stubbs, commented “proper user authentication has always been a foundation of the Safe4 architecture, specifically to guard against potential problems such as this.”
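The two access models contrasted above, side by side in Python: a share link that is itself the credential (anyone holding the URL gets the file) versus a share link that only identifies the file, with the service still requiring a signed-in user who appears on the file's access list. This is an added example, not Safe4's code and not Dropbox's or Box's; the FileService class, its method names and the sample files and users are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
import secrets


@dataclass
class StoredFile:
    file_id: str
    owner: str
    content: bytes
    # users explicitly granted access, in addition to the owner
    allowed_users: Set[str] = field(default_factory=set)


@dataclass
class Session:
    user: Optional[str]  # None = anonymous visitor with no login


class FileService:
    """Hypothetical file store with two ways of resolving a share link."""

    def __init__(self):
        self.files = {}
        self.links = {}  # share token -> file_id

    def add_file(self, f: StoredFile) -> None:
        self.files[f.file_id] = f

    def create_share_link(self, file_id: str) -> str:
        # An unguessable token is necessary but, on its own, not sufficient:
        # URLs leak via browser history, referrers, proxies and forwarded emails.
        token = secrets.token_urlsafe(16)
        self.links[token] = file_id
        return token

    def open_link_unauthenticated(self, token: str) -> bytes:
        """Weak pattern: possession of the link is the only check."""
        file_id = self.links.get(token)
        if file_id is None:
            raise PermissionError("unknown link")
        return self.files[file_id].content

    def open_link(self, token: str, session: Session) -> bytes:
        """Hardened pattern: the link names the file, the session proves who is asking,
        and the file's access list decides whether they may have it."""
        file_id = self.links.get(token)
        if file_id is None:
            raise PermissionError("unknown link")
        if session.user is None:
            raise PermissionError("authentication required")
        f = self.files[file_id]
        if session.user != f.owner and session.user not in f.allowed_users:
            raise PermissionError("user not permitted to access this file")
        return f.content


def can_open(service: FileService, token: str, session: Session) -> bool:
    """True if the hardened path releases the file to this session."""
    try:
        service.open_link(token, session)
        return True
    except PermissionError:
        return False


def build_sample_service():
    """Constructed sample data: one tax return shared by alice with bob only."""
    svc = FileService()
    svc.add_file(StoredFile("f1", "alice", b"tax return 2013", allowed_users={"bob"}))
    token = svc.create_share_link("f1")
    return svc, token


if __name__ == "__main__":
    svc, token = build_sample_service()
    print("link alone:", svc.open_link_unauthenticated(token))
    for who in (None, "bob", "mallory"):
        print(f"{who!r} via hardened path:", can_open(svc, token, Session(who)))
```

The point of the hardened path is that a leaked URL degrades to "someone knows a file exists", not "someone has the file": the decision is made against the session and the access list on every request, so revoking a user's permission takes effect immediately even for links already in circulation.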

What next for May?

Even a quick review of history will clearly show that wars have been won and lost, or empires fallen due to intercepted information.

We assume that you have used the information above to review the current security of your documents and information. For the future and without being overwhelmed by a further downpour of technical information, how do you handle the commercial implications of staying secure through the summer and beyond?

A simple risk based approach which can provide a framework to help an organisation review its commercial exposure and to take the most appropriate mitigating actions is further explored in another blog post by Safe4 Technical Director Alistair Stubbs.

Safe4 will continue to provide a top level of security for all confidential documents stored by its customers. We hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.


Posted by: Alistair Stubbs, Safe4 Information Management Technical Director

Dealing with the latest security threats

There has been a lot of attention in the media recently following the OpenSSL Heartbleed vulnerability. While Safe4 was never affected by this problem we have recently reviewed our security settings covering the security of the connection between your computer and our servers.

The SSL protocol which is used to encrypt the communication between a client computer and a server when a site specifies HTTPS has evolved over the past years, with 5 recent versions – SSL2.0, SSL3.0, TLS1.0, TLS1.1 and TLS1.2. Obviously the newer protocols are more secure than the earlier ones.

At our last review we took the decision to disable the SSL2.0 and SSL3.0 protocols. It was originally thought that this would only impact users of IE6 on Windows XP (Safe4 does not see this combination in our user base) but it also appears to affect IE8 on Windows XP since Internet Explorer relies on the operating system to secure the communication.
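Before switching off a protocol version, the practical question raised above (which clients, such as IE8 on Windows XP, will be locked out) can be answered by looking at what version and cipher suites clients actually offer in their ClientHello, for instance from a packet capture of your own site. The following is an added example, not Safe4's code: a parser for the TLS record and ClientHello layout (RFC 5246) plus a builder used only to construct a sample handshake message inline, and a check against the minimum version you intend to enforce. The sample cipher suite list is constructed to resemble an older client and is not a capture from any real browser.

```python
import struct

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def build_client_hello(client_version, suites, record_version=(3, 1)):
    """Construct a minimal ClientHello (used here only to make sample input)."""
    client_random = bytes(32)  # constructed: all zeros, fine for a parsing demo
    body = bytes(client_version) + client_random
    body += b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # record header: content type 0x16 (handshake), version, length
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Parse the record header and ClientHello fields; raise on malformed input."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = (hs[0], hs[1])
    pos = 2 + 32  # skip client_random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len  # extensions (if any) follow; not needed here
    return {
        "record_version": record_version,
        "client_version": client_version,
        "version_name": VERSION_NAMES.get(client_version, "unknown"),
        "cipher_suites": suites,
    }


def would_be_rejected(info: dict, minimum=(3, 3)) -> bool:
    """True if a server enforcing `minimum` (default TLSv1.2) would refuse this client."""
    return info["client_version"] < minimum


# Constructed sample: a client offering at most TLSv1.0 with a short legacy suite list
# (AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA), as an XP-era browser might.
LEGACY_SAMPLE = build_client_hello((3, 1), [0x002F, 0x0035, 0x000A, 0x0005])

if __name__ == "__main__":
    info = parse_client_hello(LEGACY_SAMPLE)
    print(info["version_name"], [hex(s) for s in info["cipher_suites"]])
    print("rejected at TLSv1.2 minimum:", would_be_rejected(info))
    print("rejected at TLSv1.0 minimum:", would_be_rejected(info, (3, 1)))
```

Run over the ClientHellos captured at your front door for a day, a histogram of `version_name` tells you how many sessions the new minimum will turn away before you commit to it; the post enforces a minimum of TLS 1.0 (SSL 2.0 and 3.0 disabled), while the default in this example goes beyond that to TLS 1.2, which is the current baseline.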

Safe4 would recommend upgrading from Windows XP at the earliest opportunity.  However this may not be an immediately available option, in which case Safe4 would recommend the use of an alternative browser such as Google Chrome which supports these latest security protocols and will help to keep your information secure.

Importantly Microsoft has discontinued support for Windows XP as of 8th April 2014 – see http://www.microsoft.com/windows/en-gb/xp/end-of-xp-support.aspx. Critically this means that Microsoft will not be issuing any further security patches or software updates – which means your PC and the information on it may become vulnerable in the future.

Dealing with Heartbleed

I am sure that everyone is aware of the news regarding the Heartbleed bug that has been discovered in some web sites. As usual the BBC has a well balanced report on the background – see http://www.bbc.co.uk/news/technology-26954540.

Happily I am very pleased to advise that the Safe4 service was not affected by this security bug as we do not and have never used the software, OpenSSL, to secure and encrypt the communication between your computers and Safe4.

In an environment where web attacks are increasingly common, there are a few things that made this problem so significant to propel it to headline news.

  • Principally it enabled access to the server’s private security / encryption keys. These keys are used to decrypt transmitted information. Once an attacker has these keys it is possible for them to decrypt all traffic that used those keys, both historically intercepted traffic and, until the keys have been changed, future traffic as well.
  • Many attacks leave a clear trace that the attack has taken place. In this specific case there is no means to detect that the attack has happened, so it is not possible for sites to tell whether they have been the subject of an attack. Best practice is therefore to assume that sites using the affected versions of the software have been compromised.

These things combined have led to the advice for users to change their passwords in use on the internet. This is clearly a daunting task since if you follow best practice advice, which I would wholeheartedly endorse, then you probably have many tens of passwords to change. I would encourage you to consider using tools like 1Password, https://agilebits.com/onepassword, which help you to use much more secure passwords and manage and keep track of them securely.

Safe4 is obviously built from the ground up around security of your information. We are proud that you trust your sensitive information to us. Although not affected by this bug we have, probably like many companies today, reviewed our system configurations and run some further tests to ensure we remain secure. As a result of the review we took the decision today to disable some outdated routines which were only used by older browsers. Independent testing has given us a clean bill of health.

Reporting of carbon emissions is becoming an issue – and soon

New legislation will shortly be putting pressure on many organisations to reduce their carbon footprint. This applies to small and medium-sized companies too, if they are suppliers to either public-sector organisations, or corporates that fall within the scope of the UK Carbon Reduction Commitment requirements (annual energy expenditure of more than £500,000, or listed on the LSE main exchange).

But before any organisation can start to think about reporting on their carbon footprint, they must of course measure it – what is the starting point? This will almost certainly involve the need for specialist skills and tools – hence the importance of the partnership between Safe4 and Co2conut. Safe4 can assist with bringing down carbon emissions by reducing dependence on paper and hard-copy information deliveries; Co2conut can provide expert guidance, and access to tools that will help with the accurate measurement of current emissions.

How does this issue affect your business? We would be glad to hear from anyone who has a view on this issue – please post your blog entry below.

How secure are your Email transmissions?

Email has become, over the last two decades, the accepted means by which communication between businesses takes place. We all use it every day, perhaps without thinking in many cases. But is it the right way to send confidential or secure information? And how do we control what happens when it gets to the recipient’s inbox? Will our confidential information be forwarded in error, deleted, misfiled, or simply ignored?

This raises some important questions:

  • Do we trust email for the transfer of confidential information? In this age of spamming, phishing, banking scams, and sundry other criminal activities based on email, are we happy to entrust private, mission-critical information to this medium?
  • Even if we were to find a completely secure, encrypted email transmission and receipt service that everybody we might want to communicate with was happy to use, are we still sure that attachments are handled correctly at the other end?
  • And what if you are travelling and cannot get access to your desktop email client with its encryption keys: does everything stop and wait for you?

At Safe4, we believe that there is a better way of achieving complete security of information transfer. With the Information Commissioner announcing fines of up to £500,000 for breaches of information security, this is not a good time to ignore this issue.

The UK’s legal profession makes use of insecure email constantly. Most legal professionals instinctively use email to send highly confidential information as attachments. Perhaps better alternatives can now be considered?