Tag Archive for: maximum security

Enhancements for Safe4

Version 6.04 of the highly secure Safe4 information delivery and storage service has been released. These enhancements respond to customer requirements, especially those of customers who operate internationally and those who are particularly active in uploading and sharing documents.

As well as general security and performance improvements, version 6.04 of Safe4 delivers a number of specific changes:

  • Individual users are now able to choose the time and frequency at which they receive notifications of file uploads or changes in structured data. Busy accounts can generate significant volumes of email traffic, resulting in very full inboxes. Selecting a specific time of day when these are received, as well as deciding the number of days’ interval between emails arriving, offers more flexibility and control for users. The selections can be made easily from each user’s My Account settings.

  • Safe4 has become Accessible. Users who are impaired in some way, particularly those who suffer from vision difficulties, can navigate around Safe4 screens by using the tab key. When used in conjunction with screen readers, users will receive an audio description of where they are on the page and can activate Safe4 functions without needing to use a mouse or tap the screen.
  • Signing documents in Safe4 has become easier, and users who have issued documents for signature can follow their progress more easily. If several documents are issued for signature as a pack by a number of different users, for instance, the initiating user can establish how the request has progressed, and which individual signatures are yet to be added. Documents signed in Safe4 are accepted by Companies House and HMRC in the UK.
  • For customers who have users or clients in other countries, using the 2-Factor Authentication security function has potentially been a problem. Several countries in Africa cannot receive text messages from the United Kingdom, and other nations such as Canada have barred the receipt of text messages generated automatically by IT systems. 2FA codes are now sent by text and email, so that users will definitely be able to receive the codes even if text messages cannot be delivered. This will also be helpful in situations when a user’s phone may be lost, damaged, or out of signal, and unable to receive text messages.

Contact Us

Safe4 is being improved constantly, with the addition of more functional enhancements as well as security updates. Please contact us if you would like more information on forthcoming changes, and in particular how these changes might be of value for your business.

 

More news about leaks of highly sensitive information

There are now virtually daily examples in the media of how leaks of highly sensitive information are occurring, often due to human error or misbehaviour, but also due to lack of security in poorly designed or managed systems. An article in the media today highlights a glaring example of this.

Safe4 was designed with security at the core

The fundamental design of Safe4 is based around the use of secure vaults, into which information can be placed by the provider of the service, such as a professional practitioner or an employer, and the individual users who have been given access to that specific vault. Information cannot “leak” in the way that seems to be occurring regularly in other systems.

Even if a hacker were to break in to the “back door” of Safe4, without using one of the normal user interfaces, nothing can be inferred due to the way that the data is obfuscated and encrypted. The secure vault design underpins this, so that each vault becomes a completely discrete storage space for information in structured form (in columns and rows, similar to spreadsheets and simple databases) or unstructured form (document files).

Regulatory compliance

Safe4 complies with a number of regulatory frameworks by virtue of the fact that all stored information is encrypted, everything is held in UK-based data centres that comply with ISO 27001, 2-factor authentication is applied, and a full audit trail of all user actions is maintained. In effect, it is the ideal solution for the storage and management of highly sensitive information.

Please contact us if you would like more information on how Safe4 can help your organisation to enhance compliance, reduce costs, and improve client service.

Password strength requirements for Safe4 are being increased

Cyber crime, identity theft and online fraud are becoming more frequent. It is known that there are large organisations, some of whom are state-backed, whose sole purpose is to disrupt the lawful activities on which much of our normal economic life is based. Recent ransomware attacks, as well as the ever-increasing use of spam email, are evidence of the scale of the threat. For this reason, the password strength requirements for the Safe4 system are being increased.

Safe4 works very closely with a number of public-sector organisations for whom security is paramount. Acting on the advice of the UK National Cyber Security Centre, part of GCHQ, the password requirements for Safe4 are being changed to incorporate a minimum length of 10 characters and a maximum of 150 characters. As before, each password will have to contain an upper and lower case alpha character, a number, and a symbol such as a punctuation mark. Passwords will accommodate spaces as well as normal characters, thus allowing the use of pass-phrases as well as basic passwords. The advice of the NCSC is that passwords up to 8 characters can now be cracked by brute-force attack methods in a few minutes, whereas those with 10 or more characters are unlikely to be cracked in meaningful time.

Password strength matters

Choosing a new password is increasingly challenging, hence the ability to use a pass-phrase for Safe4. This can be a favourite piece of text, such as a line from a book or song, which will generally be easier to remember than a shorter password containing an obscure string of characters. The longer the password, the more difficult it is for criminals to crack. A random sequence of words that are easily remembered will have the same effect.

An additional feature that Safe4 have incorporated in this release is a warning message if the password chosen by a user has already been compromised on another site. This does not prevent the selection of that password, but the user is warned of the potential risk.
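The rules described in this post can be expressed as a per-requirement check, shown here as an added example that is not Safe4's own code. It assumes a space is accepted but does not count as a symbol, that input is NFKC-normalised before checking, and that the breach corpus is held as SHA-1 digests; the three breached entries are constructed samples.

```python
import hashlib
import unicodedata
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 10, 150  # limits stated in the post

# Constructed sample standing in for a breach corpus, held as SHA-1 digests.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password123!", "Qwerty12345!", "Welcome2019!")
}


@dataclass
class PolicyResult:
    requirements: dict  # requirement label -> True once satisfied
    compromised: bool   # advisory only: the post says this warns, not blocks

    @property
    def accepted(self) -> bool:
        return all(self.requirements.values())

    def unmet(self) -> list:
        return [label for label, ok in self.requirements.items() if not ok]


def is_symbol(ch: str) -> bool:
    # Assumption: a space is allowed in a password but is not itself a "symbol".
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def check_password(password: str, breached=BREACHED_SHA1) -> PolicyResult:
    # Normalise so the same pass-phrase typed on different keyboards or
    # input methods yields the same code points (assumption, not from the post).
    pw = unicodedata.normalize("NFKC", password)
    requirements = {
        "10 to 150 characters": MIN_LEN <= len(pw) <= MAX_LEN,
        "upper-case letter": any(c.isupper() for c in pw),
        "lower-case letter": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "symbol": any(is_symbol(c) for c in pw),
    }
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest()
    return PolicyResult(requirements, digest in breached)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple",
                      "Correct horse battery staple, 7 times",
                      "Password123!"):
        result = check_password(candidate)
        print(repr(candidate), "accepted" if result.accepted else result.unmet(),
              "(seen in a breach)" if result.compromised else "")
```

A long pass-phrase still has to satisfy every character-class rule, and a password that meets all the rules can still trigger the breach warning without being rejected.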

Following the release of Safe4 version 6.01, scheduled for 25 May 2019, new users will be invited to create accounts using the updated password strength requirements. The new rules will also be applied to password changes and to resets.

2-Factor Authentication by Text Message

At present, the 2-factor authentication applied by Safe4 is based on the use of a 6-digit PIN as well as a username and password. In July 2019 this will be changed, and the PIN will be replaced by a numeric code sent to the user by text message.

We at Safe4 are constantly trying to ensure that the system is as secure as possible, and that our customers’ data is protected to the maximum extent. If you have any questions, or if you would like any information on how Safe4 can assist your organisation to enhance the security of your communications, please contact us.

Document signing in Safe4 is now available – version 6.0 is released

The need for documents to be signed electronically in accordance with the requirements of HMRC and Companies House in the UK has been highlighted by a number of Safe4 customers. Consequently Safe4 have now added a document signing facility to their highly secure information delivery and storage service, without the need for any external technologies.

How the signing function works

There are a couple of prerequisites for this facility: the document must be held in Safe4 in PDF format, and the required signatories must be users of Safe4 and have access to the folder in which the document is located.

Single or multiple documents can be issued for signature, and if required multiple users can be requested to sign. In the case of multiple documents being selected, there is an option to create a “pack”, so that all of the documents can be signed in a single action. Requested signatories will receive an email with a link to the document/s requiring signature. When this is clicked they will be presented with an option to sign or decline the document, after having entered their Safe4 password and PIN. When all documents have been signed and all users have actioned the signature request, a new version of the PDF file will be created with an added page – this will show a complete list of all of the signatures, together with a verification code, made up of a hash of the user details, the document ID, and the date and time of signature. This functions in a similar way to blockchain, being an immutable record of the signing event.

Other enhancements

In addition to the document signing function, a setting has been added to the provider administration screen, allowing Safe4 Common Folders to be disabled. If selected, this will prevent users uploading files into the Common Folders area of a Safe4 vault in error.

Significant changes have also been made to the Safe4 server architecture, enhancing security and performance, to ensure that the class-leading safety and availability provided by Safe4 is maintained in line with industry best practice.

If you would like any further information on how these enhancements can add value to your business, please contact us at Safe4. We will be delighted to hear from you.

Password strength checker improvements for Safe4

One of the challenges of enforcing strict rules about the strength of passwords is how to make them secure and still easily usable by people who perhaps utilise a system occasionally and often need rapid access to share or obtain important information.

Safe4 has now been updated to make it easier for users to select passwords in the first place, by listing each of the strength requirements and showing visually when these have been satisfied. Because Safe4 is used in many countries around the world and by speakers of many languages, it can be difficult to prevent users from choosing a password that is a common word in one language but not in another. Using sequential characters on a keyboard is also potentially an issue, as in several European countries different keyboard layouts are utilised. Beyond Europe, in countries where alphabets may also differ, keyboard layouts are often radically different from those familiar in Anglophone regions.

Keeping it simple without sacrificing security

Safe4 has become established as one of the most secure sites on the Internet, and consequently enforcing strict password requirements is essential given the presence of brute-force attack systems that can crack simple passwords very quickly. Whilst setting a strong password is the responsibility of each individual user, applying specific rules governing this, as well as limiting the number of unsuccessful login attempts within a single browser session, makes it easier to prevent unauthorised access to the system. The changes made by Safe4 will inform new users of the strength of their password as each character is chosen, and show any discrepancies visually.

Please contact us if you would like any further information on the security measures that are taken by Safe4 to protect the integrity of information that we hold, and the protection that this offers for our customers.

Transport Layer Security still not universally applied

Safe4 implemented Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), back in 2010 as the connection layer used when users access the system. It seems, however, that there is still some uncertainty as to how this level of security will be deployed in corporate environments, where users often access the internet through multiple layers of middleware, or middleboxes as they are sometimes known.

Not only has Safe4 implemented TLS, but this connection layer is very tightly configured to offer connected users the highest level of security possible. The configuration was significantly enhanced in 2015, when Safe4 announced a radically overhauled user interface. Thus when Safe4 is being accessed using a device that is not under the user’s control, such as from a hotel lobby or an airport lounge, the connection is still highly encrypted and thus secure.

Making sure that customers’ information is being managed securely is the primary focus of Safe4, so that users of all levels can be confident that their data is being handled safely. Please get in touch with us if you would like more detail on how the Safe4 service could be of value for your organisation.

Met Police see ransomware as the biggest cyber-security threat in 2018

A series of global ransomware attacks in 2017 has reaped millions of dollars in rewards for criminals who have penetrated unsuspecting users’ IT systems and encrypted their data. In the UK, the National Health Service was one of a number of high-profile victims of such attacks. According to London’s Metropolitan Police, ransomware looks likely to be a major threat again in 2018. Ransomware cannot prevent access to data stored in Safe4, as indicated in previous articles on this website.

In an article published in The Times newspaper today, the need for managing personal information is highlighted even more strongly. Theft of identity, and with it money, has become such an enormous issue that more and more of us are likely to be at risk through insecure management of our online activities. Using clever apps or devices on mobile phones or computers will obviously help; however using secure online services to deliver and store critical personal information will give the greatest level of protection to businesses and their clients alike.

Safe4 has been rated among the most secure 0.8% of sites on the Internet by independent agencies, out of more than 1.5 million tested. Using the Safe4 Asset Register to handle personal details for a wide range of online activities offers a unique facility for holding both confidential documents and individual elements of data, such as personal identification details. All data held in Safe4 is stored in UK-only data centres accredited to ISO 27001. Please contact us for more information.

Safe4 virus protection enhanced

In order to maintain the primary Safe4 commitment of security for information held on behalf of customers and their clients, the anti-virus protection applied when documents are uploaded to the system has been enhanced. Scanning for viruses as every document is uploaded has been an automatic function of the system since Safe4 was launched, and this has now been updated and strengthened.

As well as rejecting any files that are found to contain a virus, the system will now send an email to the uploading user, and to the nominated administrator, advising that the file has disallowed content. In addition, the attempted upload and the rejection are now captured by the Safe4 audit trail, and can be queried by a user with the appropriate administration permissions. If an infected file is placed into a ZIP file, Safe4 will detect the virus and reject the upload, regardless of how many levels of ZIP file have been used. Similarly, any infected files uploaded using the WebDAV interface will be rejected and reported in the same way.

For more information on how Safe4 can enhance your online security and keep your information safe, please contact us.

Ransomware – why Safe4 customers are protected

The ransomware attacks that have affected many organisations around the world over the weekend have exposed some serious vulnerabilities in the way that information is managed; using out-of-date operating systems and the failure to implement security updates are clearly primary causes of the exposure. However, it should be remembered that the problem normally arises when an unsuspecting user clicks a link in an email that is urging them to take some “essential” action, such as to update the information stored by a service provider.

Of course the email does not come from the service provider at all, but is a cleverly-disguised piece of work by a criminal organisation that will install an invasive piece of software on the user’s computer that can encrypt files and demand ransom payments in exchange for a decryption key.

Safe4 customers, and their clients, are protected against this risk in a number of ways:

  • Firstly, it is never necessary to send any confidential information, or indeed any information at all, by email. The primary function of Safe4 is to provide organisations of all types with the ability to deliver and store information of any kind in a way that makes it accessible to authorised users only. Thus if a Safe4 user receives an email requesting them to take any unusual or unexpected action, it can safely be ignored.
  • Secondly, all the files held in Safe4 are maintained in UK-based data centres accredited to ISO 27001, and are only available after the user has authenticated themselves through a web portal. The user does not therefore have direct access to the information in the way that they would if the files were held on a local or network drive.
  • The third reason for the safety of Safe4 customers is the inherent design of the system. Safe4 is a system of record. Files held in the system cannot be changed; this means they cannot be encrypted. Even if malware were to penetrate the security layers of Safe4, it cannot alter the files that have been stored. New versions of files could theoretically be created containing an encryption code, but the original files are still available for retrieval at any time – without having to pay any ransom.

We at Safe4 are continuing to remain vigilant in the constant battle against cyber criminals. Independent tests have rated Safe4 among the most secure 0.8% of sites on the internet out of millions tested due to the measures that we have put in place to protect our customers’ data. Please contact us if you would like any further detail on the security features of Safe4.

US may be set to change data privacy laws – again!

The Safe Harbor data privacy agreement between the US and the EU was deemed to be ineffective in 2015, and was subsequently replaced with a Privacy Shield arrangement – which is still considered by many to be inadequate. Recent announcements by the new US administration suggest that the internal data privacy laws in the US will be subject to further change, affecting those who are not US citizens or permanent residents in the US.

Safe4 decided back in 2010 that all of the data held within its secure document delivery and storage service would be stored in UK-located data centres, accredited to ISO 27001. This offers maximum protection to our customers and their clients, employees, suppliers, partners and associates. Reliance on US-hosted data storage could be seen to carry unnecessary risk of misuse or disclosure of personally-identifiable information, hence the benefit of keeping all stored data onshore within the UK.

For more detail on the measures that Safe4 applies to keep information secure, please contact us. We would be very pleased to speak with you.