One of the problems with free software, and particularly free services, is that at some point they might stop being free. The path of freely-provided online services is littered with companies who gave their service away to get the users, then grappled with the reality that more users means more costs to deliver the service – and if they don’t get enough income from whatever sources they can, the free ride will come to an end. Just look at Photobucket. And every web site that makes you whitelist them in your ad-blocker before you can continue.

The latest in a line of what-used-to-be-free but is now tightening its belt is LastPass, an excellent password manager that has a lot of users but may end up with a good few fewer. The day after the Ides of March, LastPass Free will only allow use on a single device type, so if you currently use it to sync passwords across desktops and tablets or mobiles, then you need to start paying (and maybe you should) or stick to either mobile or desktop.

As soon as the company announced its plans, the web sprung up many articles offering “what is the best alternative to…” type advice. Only a few weeks ago, ToW #561 espoused the virtues of cleaning up your passwords, featuring LastPass and also trailing some features that were coming to an alternative that you might already be using to provide 2 factor authentication on your phone – Microsoft Authenticator. It’s fairly easy to switch to using Authenticator on your device to also sync passwords and to provide the Auto-Fill function, which plugs in usernames/passwords not only to sites on your mobile browser but to other apps too.

If you already have a load of passwords set up in LastPass or other locations, there are methods to export them and then import the data into Authenticator. In the case of LastPass, you sign into the Vault (either through the browser plugin or directly on their website) and under Advanced Options, select the Export function. It will immediately drop a lastpass_export.csv file into your Downloads folder; be very careful with this file as it contains all your usernames & passwords in clear text.

You can get these passwords into Authenticator either by copying the file to your phone (Not a Good Idea) and importing from there, or by installing the Microsoft Autofill extension for Chrome into Edge (remember, Edge is a Chromium browser under the hood), then clicking on Settings and choosing the Import data feature. Now navigate to your Downloads folder and choose the lastpass_export file. It might take a little while to complete, but when it’s done, make sure you go back to the Downloads folder and hard-delete that CSV file (ie select the file, hold the SHIFT key down and press the Delete key – this makes sure it doesn’t go to the recycle bin). You definitely don’t want that file being left behind, or copied or synced anywhere that is not encrypted. Bear in mind that a hard delete only removes the directory entry; the bytes stay on disk until they are overwritten, which is one more reason to keep the drive encrypted.

The LastPass browser extension (like other password managers) remains potentially useful on the desktop as it can help to sync passwords between profiles (eg the Work and Personal profile of Edge, if both have the extension installed and logged in using the same LastPass account), or even between browsers – in the cases you might want to use Chrome for some things and Edge for others. Edge on the PC does have password sync capabilities, though not quite with the same level of flexibility – Edge will let you sync passwords, favourites etc if you’re using a Microsoft Account (eg outlook.com) for your Personal profile, and it may do if you have a Microsoft 365 account for your Work Profile. In a twist of fate, if you pay for a Microsoft 365 Family or a small business environment rather than using the free Microsoft Account, your subscription lacks the Azure Information Protection feature that is required to allow syncing.

In which case, a 3rd party password sync feature may be your best option, even if you choose to use Authenticator on your mobile device, and perhaps do a periodic export/import from LastPass to keep your mobile passwords in sync. Or best of all, just install the Autofill extension into multiple profiles (or Edge & Chrome), signing into the extension using the same Microsoft Account, to keep the passwords in sync. Tidy.
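Since the export sits in clear text on disk for a while anyway, it is a good moment to audit it for the password reuse that ToW #561 and #421 warn about. The script below is an added example, not code from the blog or from LastPass; it assumes the CSV carries url, username and password columns (the column layout in the sample is an assumption) and works on constructed rows, never printing a password.

```python
"""Audit a LastPass-style CSV export for password reuse before importing it anywhere.

Added example, not code from the blog. Assumes the export is a CSV with a header row that
includes url, username and password columns (LastPass exports carry further columns, which
are ignored here). The rows below are constructed sample data, not real credentials.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for lastpass_export.csv (column names assumed).
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://accounts.example-shop.test/login,alice@example.test,Tr0ub4dor&3,,,Example Shop,Shopping,0
https://mail.example.test/,alice@example.test,Tr0ub4dor&3,,,Webmail,,1
https://forum.example.test/,alice_f,Tr0ub4dor&3,,,Forum,,0
https://www.example-bank.test/ebanking,alice,correct horse battery staple,,,Bank,Finance,1
https://sso.example-bank.test/,alice,correct horse battery staple,,,Bank SSO,Finance,0
"""


def load_export(text):
    """Return (hostname, username, password) triples from the CSV text."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        host = urlparse(row["url"]).hostname or row["url"]
        entries.append((host, row["username"], row["password"]))
    return entries


def site_key(host):
    """Collapse sub-domains so www.bank.test and sso.bank.test count as one site.

    Heuristic: keep the last two labels. A real tool would use the public-suffix list.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_reuse(entries):
    """Map each password used on more than one distinct site to the sorted list of sites."""
    sites_by_password = defaultdict(set)
    for host, _user, password in entries:
        sites_by_password[password].add(site_key(host))
    return {pw: sorted(s) for pw, s in sites_by_password.items() if len(s) > 1}


def report(text):
    """Human-readable findings; the password itself is never included in the output."""
    reused = find_reuse(load_export(text))
    return [f"password reused on {len(sites)} sites: {', '.join(sites)}"
            for sites in sorted(reused.values(), key=len, reverse=True)]


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT) or ["no password is shared between sites"]:
        print(line)
```

The bank entries share a password across two sub-domains of one site and are deliberately not flagged; only passwords shared across different sites are.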
Category: Security
565 – 88 Edge updates
Just over a year ago, the new Edge browser built on the Chromium engine was released, and lots of functionality has shipped since. Much effort has gone into differentiating Edge from other browsers, because it integrates better with Microsoft services and other offerings. From syncing settings, history, favourites, extensions… to adding protections around passwords and having a great multi-profile experience… it’s been getting better all the time.

But 88 updates? That’s crazy! (It doesn’t necessarily have 88 updates – that was just a ploy to get in the Crazy 88 link above.)

The latest version of Edge shipped to mainstream users recently; release 88 is named after the core engine version, so Google shipped Chrome 88 at the same time. Some of the “what’s new” in Chrome will be consistent with Edge, since the rendering engine is the same – like the deprecation of a couple of features: Chrome & Edge no longer have FTP support natively, and they finally killed Flash.

Back to Edge 88 – go to the … menu, then settings | about to find which version you have – there are a bunch of cool things to try out or investigate:

Themes – there are some really nice pre-built themes packaging background images and colour schemes; see them here. You can apply a theme to a specific user profile, which might help you differentiate them from each other – so a Forza or Halo theme applied to your personal profile would change the colour scheme for that one, making it easier to spot which profile you’re using. You can also add themes from the Chrome web store.

Sleeping Tabs – helping to reduce system resource demands, Edge can now make tabs go to sleep if they haven’t been used for a while. You need to switch it on (the plan being that it will be a default in a later version) by going to edge://flags and searching for sleep. If you regularly use websites that fire notifications – like mail, or news readers – then be aware that they will not show when the tab is asleep. Work is underway to report back which sites should not be put to sleep, so Edge will be able to know when it’s a help and when it would be a nuisance.

Passwords – as discussed previously when it was in dev mode, the password monitoring and strong password suggestion features are now generally available. Edge can look for username/password combinations in your cached credentials which are known to have been leaked. If you get a report of such a leak, you should change the passwords on all affected sites as soon as possible. Looking under Edge Settings / Profile / Passwords, you should see the options to enable both Password Monitor and suggestion. For more info on how the Password Monitor works, check out this MS Research note.

PWAs and Profiles – Progressive Web Apps are increasingly being seen as the way to take a site and treat it like an app; it can show up in the Start menu, can be pinned to the task bar, will run with a specific icon and name, and won’t have all the UI of a browser, so it looks just like a native app. To install a PWA on Edge, just go to the … menu on the top right when you’re browsing a site, and you should see Apps > Install … as an option. You get to give the “app” a name, and it will then look and feel much like a native application. If you install the PWA in more than one Edge browser profile, there’s a new function that means when you start the app – from the Start menu etc – you can switch between which profile it should run in (scoping identity, passwords etc within). PWAs are cool. Unless you’re using Firefox, where PWAs are not cool.
561 – Password clean up
As most of us look to put 2020 firmly behind us and take some down-time over the festive season, there may be a list of jobs which get left to this time of year – filling out the annual tax return, maybe, or clearing out that drawer with miscellaneous stuff in it. You could set your sights higher, even – like gathering all the papers scattered throughout your house (user guides, receipts, utility bills etc etc) and putting them in one place, as recommended by Getting Things Done guru, David Allen. Or just scan them all in then recycle…

Maybe it’s time to finally sort out all the passwords you use for different websites. Even though Multi-Factor Authentication is gradually replacing the need to enter a username & password every time you access a resource, there’s still often a need to create a username and password combo when you sign up for something. If you’ve used Edge or Chrome to remember your passwords, you might find there are many hundreds of them, and being weak carbon-based lifeforms, we’re quite likely to use the same ones for many sites. Naughty!

There are browser add-ins and other tools you can use to remember the passwords you use, and (using LastPass as an example) they can give you the option of generating something strong and unique at the point of signing up on a site, then syncing that username and password back to a central service so you don’t need to re-enter it next time (or remember something truly unmemorable). LastPass recently announced their 2020 stats – they’ve generated 94 million secure passwords and been used to log in more than 10 billion times.

Microsoft Edge offers some password management capabilities – as well as being able to remember passwords within the Edge browser, and sync them between different machines or mobile devices, Edge is also getting to be capable of suggesting and storing complex passwords for new sign-ups. Edge is beefing up its password security in other ways, offering proactive warnings if your passwords have shown up in databases of leaked credentials (at the moment, this is a test feature in the dev builds). One by one, you can use Edge’s “fix leaked passwords” function to check what the existing password is for each site, and then click a button to jump to the site to reset it – in some cases, going straight to the change password part of the site.

Finally, the password sync feature is getting some extra legs – using the Microsoft Authenticator app on your phone and its new beta Autofill feature, you can use that app to provide the username/password for website or even mobile app logins. There’s a Chrome extension too, so if you want to switch back and forth between Edge & Chrome on a PC, your passwords will be available to both.

In some senses, storing passwords and allowing them to be automatically filled in feels like a security risk – anyone with access to your unlocked computer or phone could potentially access your online services. Using Autofill and Authenticator, though, the default setup is to require biometric authentication – so you’ll need a fingerprint or camera, or unlocking with a PIN, before the auto-fill will happen. Also, it’s more important to have complex passwords that are hard to break or guess, and to have different ones for each and every site or app you use.

This is the final ToW for 2020. Let’s hope ’21 brings us all better luck. In the meantime, have a great holiday season, stay safe, see you on The Other Side!
556 – Using MFA more widely
Previous Tips have covered making use of 2FA – or 2 Factor Authentication – with your Microsoft Account (ie your account from Outlook.com/Hotmail/MSN/Passport etc) and how to manage passwords better, so you don’t end up with P@ssw0rd1 for every single one of your website logins. Dealing with passwords can be complicated, and since humans are typically weak and seek the path of least resistance, this can often lead to huge security lapses.

So 2FA – or its cousin, Multi-Factor Authentication (MFA) – is a better way to secure things, as a remote system can validate that the user knows something which identifies them (their username & password, secret phrase, date of birth etc etc) but also has something that identifies them too: a security token, smart card, digital certificate or something else that has been issued, or even just a mobile phone that has been registered previously with whatever is trying to validate them. Although such systems have been around for a while, the average punter in the EU has been more recently exposed to 2FA through a banking directive that requires it for many services that involve transfer of funds, setting up payments or even using credit cards.

In some cases, the tech is pretty straightforward – you get an SMS text message with a 6-digit one-time code that you need to enter into the mobile app or website, thus proving you know something (you’re logged in) and you have something (your phone), so validating that it really is you. Or someone has stolen your phone and your credentials…

MFA is stronger than 2FA, as you can combine what you know and what you have with what you are. An example could be installing a mobile banking app on your phone then enrolling your account number, username & password; the know is your credentials, and the have is a certificate or unique identifier associated with your phone, as it’s registered as a trusted device by the banking service that’s being accessed. Using your fingerprint to unlock the app would add a 3rd level of authentication – so the only likely way that your access to the service (for transferring funds or whatever) could be nefarious is if you are physically being coerced into doing it.

2FA and MFA aren’t perfect but they’re a lot better than username & password alone, and Microsoft’s @Alex Weinert this week wrote that it’s time to give up on simpler 2FA like SMS and phone-call based validations, in favour of a stronger MFA approach. And what better way than to use the free Microsoft Authenticator app?

Once you have Authenticator set up and running, it’s really easy to add many services or apps to it – let’s use Twitter as an example. If you’re using a browser, go to Settings and look under Security and account access | Security | two-factor authentication. If you enable 2FA and tick the box saying you want to use an authenticator app, it will ask you for your password again, then show you a QR code which can be used to enrol in the app.

In the Microsoft Authenticator app itself, add an account from the menu in the top right and then choose the option that it’s for “other” – presuming you’ve already enrolled your Work or school account (Microsoft/Office 365) and your Personal account (MSA, ie Outlook.com etc). After tapping the option to add, point your phone at the QR code on the screen and you’re pretty much done; you’ll need to enter a one-time code to confirm it’s all set up – rather than getting an SMS, go into the list of accounts on the Authenticator app home screen, open the account you’ve just added, then enter the 6-digit code that’s being displayed. This is the method you’ll use in future, rather than waiting to be sent the 6-digit code by text.

As you can see from the description, there are lots of other 3rd party apps and websites that support MFA using authenticator apps –
532 – Party like it’s 2004
2004 was a momentous year in many respects. The first crewed private spaceflight took place, NASA flew a Scramjet at nearly 10x the speed of sound, there was an election in the US and an Olympics took place. Not entirely like 2020, then.

Windows XP was the world’s most-used operating system, and Microsoft’s Trustworthy Computing (TwC) initiative brought forth Windows XP SP2, which added a ton of security updates brought forward from the Longhorn project. In a tenuous segue, this leads us to Windows and 2004 in the year 2020 – namely, the release of the “2004” build, otherwise known as the Windows 10 May 2020 Update. This is the 10th major update of Windows 10 – updates which, not unlike the service packs of old, roll up the fixes of known issues while introducing new features and improving existing ones.

There are quite a few new features and lots of incremental improvements in the May 2020 update; some are fairly minor, others could be more significant – like the many accessibility improvements or improving security with the PUA-blocking feature which could stop the end user from unwittingly installing an app which is not exactly legit but is not exactly malware. Cortana is getting another reboot, this time as a chat-based assistant, in conjunction with M365; UK users – after installation, you’ll need to wait for an app update to arrive via the Store, as the Cortana app initially says it’s not available in the UK – though ironically, one of the examples asks for the weather and gets the answer for London… in Fahrenheit… For an idea of what the latest Cortana invocation will give you, see here.

It might take a little while for 2004 to arrive via Windows Update – it’s a staged rollout, and there have been some reported issues with incompatible drivers, so it may be held back from certain machines until the drivers are updated. See more info on blocked machines. If you want to force the update to 2004 rather than wait for Windows Update, you can go to the Download Windows 10 page and hit the Update Now button. You might find that the update process goes through a load of downloading and processing, only to tell you that your machine is in a “compatibility hold” because of known driver issues. So you’ll just have to wait…

There are some deprecated and removed features, too, including the Windows To Go ability to run Windows off a portable USB stick.
503 – OneDrive Personal Vault
A previously-announced capability of OneDrive has been widely rolling out – the Personal Vault. This is a special area of your OneDrive Personal storage which is invisible until you choose to unlock it, using a second strong factor of authentication (such as 2FA and the Microsoft Authenticator mobile app). On a mobile device, you can use a PIN, fingerprint or facial recognition to provide the additional identity verification.

When you unlock the Personal Vault from the OneDrive app on your PC (eg right-click on OneDrive’s white cloud icon in your system tray), it appears as a special folder under the root of your personal OneDrive folder list, on PCs where your OneDrive content is synchronised. Browsing in your OneDrive data folder, you may need to enable Hidden Items in the View tab to even see it.

You can treat it like any other folder, adding files and other folders that are particularly sensitive – scans of important but infrequently-accessed documents like passports, driving licences and so on. Why infrequently accessed, you may ask? When the PV is visible, it will re-lock after 20 minutes of inactivity (or can be locked manually) and would need another 2-factor authentication method to unlock it again (text message, phone-app approval etc).

On the PC, when the PV is locked, the “Personal Vault” folder (and therefore everything under it) is completely hidden, so any files within it do not exist as far as Windows is concerned. In fact, the PV isn’t just a hidden folder – it’s treated by Windows as a separate volume that is mounted on the PC for the duration of it being unlocked; a junction is then created so it can be accessed as if it’s part of your OneDrive data folder. When the PV is locked again, the volume is dismounted and the junction disappears, so there is no way to access the data through the normal file system.

If you had a file in your now-locked PV that you tried to access from the most-recently-used files list in either Windows itself or within an app, you’ll get a jarring “file does not exist” type error rather than a prompt to unlock the PV and the file within. Maybe apps will in time come to know that a file is in the PV, and prompt the user to unlock before opening? Then again, security through obscurity (the most sophisticated form of protection, right?) might be a good thing here; when the PV is locked, there is no such folder, therefore no apps can get access to it without the user taking specific and separate action to unlock it first. Not being seen is indeed a useful tactic.

Personal Vault can be accessed from PCs or mobile devices through the OneDrive app, or in a browser at onedrive.com. No Mac support is planned. Unlike in the PC scenario, the PV folder is always shown and indicates if it’s open or locked based on the icon. The Web UI offers other help and advice about how to use the Personal Vault effectively.

OneDrive on PC – Setup error 0x8031002c
Enabling Personal Vault for the first time might throw an error if your PC is corporately managed with a BitLocker policy. To work around this and get up and running, try:
Tip o’ the Week 431 – Hiding your name
If you use your laptop on a train or in other public spaces, there’s always the concern that someone might be looking over your shoulder and reading what’s on your screen. With the GDPR bogeyman about to be unleashed, there’s never been more concern and focus on not leaking information. You could invest in a screen filter to stop snooping, but a simple step to make you immediately more comfortable is to not show your own name – have you ever felt self-conscious that random people in the wild can see your name, and maybe even recognise you? Paranoid Microsoftie Andrew Brook-Holmes went digging to see how to stop this behaviour, and thus inspired this tip.

To switch off the display of your name on the login or lock screen, first go into the Local policy of your machine – the quickest way is to press WindowsKey+R then enter gpedit.msc, then expand out the local policy to Security Options as shown on the right (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options). In the right-hand pane, you’ll see a long list of policy items, many of which won’t be configured but could conceivably be; there are options to hide or show elements on the login screen, but in this case we’re going to try not showing the last named user at all. Double-click on Interactive logon: Don’t display last signed-in, and you’ll have a simple Enable/Disable choice – in this case, we want to use a double negative – enable the fact that we’re not displaying. If you’d like a more detailed explanation of what it does, there’s another tab on the dialog showing exactly that.

Now if you lock your screen (WindowsKey+L), you’ll see that it’s already in effect. It might be annoying depending on how you’ve got the machine set up, as you’ll probably need to enter your username as well as PIN/password etc every time. If you use Windows Hello to sign in with your face, then you won’t need to do anything except present your boat race to the camera. If you decide you’d rather go back to normal for easier sign-in, just reverse the process you’ve done above.

If you can’t find Local Computer Policy (as Home edition doesn’t have that capability, for example), you may need to use the Registry instead… Press WindowsKey+R, enter regedit (it needs to run as administrator to write under HKEY_LOCAL_MACHINE), navigate to… HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System …and set the value of dontdisplaylastusername to 1. Log out to apply the change.
Tip o’ the Week 430 – developers, developers, developers
This week has seen the Microsoft developer conference, called //build/ in its current guise, take place in “Cloud City”, Seattle (not so-called because it rains all the time – in fact, it rains less than in Miami. Yeah, right). Every major tech company has a developer conference, usually a sold-out nerdfest where the (mostly) faithful gather to hear what’s coming down the line, so they know what to go and build themselves. Apple has its WWDC in California every year (for a long time, in San Francisco), and at its peak it was a quasi-religious experience for the faithful. Other similar keynotes sometimes caused deep soul searching and gnashing of teeth.

The Microsoft one used to be the PDC, until the upcoming launch of Windows 8 meant it was time to try to win the hearts & minds of app developers, so //build/ became rooted in California in the hope that the groovy kids would build their apps on Windows and Windows Phone. Now that ship has largely sailed, it’s gone back up to the Pacific North West, with the focus more on other areas.

Moving on from the device-and-app-centric view that prevailed a few years back (whilst announcing a new way of bridging the user experience between multiple platforms of devices), Build has embraced the cloud & intelligent edge vision which cleverly repositions a lot of enabling technologies behind services like Cortana (speech recognition, cognitive/natural language understanding etc) and vision-based products such as Kinect, HoloLens and the mixed reality investments in Windows. AI took centre stage; for a summary of the main event, see here.

The cloud platform in Azure can take data from devices on the edge and process it on their behalf, or using smarter devices, do some of the processing locally, perhaps using machine learning models that have been trained in the cloud but executed at the edge. With Azure Sphere, there’s a way for developers to build secure and highly functional ways to process data on-board and communicate with devices, so they can concentrate more on what their apps do, and on the data, less on managing the “things” which generate it. For all of the breakouts at Build and the keynotes on-demand, see here.

Back in the non-cloud city, Google has adopted a similar developer ra-ra method, with its Google I/O conference also taking place in and around San Francisco, also (like WWDC and Build) formerly at Moscone. It happened this past week, too. Like everyone else, some major announcements and some knock-em dead demos are reserved for the attendees to get buzzed on, generating plenty of external coverage and crafting an image around how innovative and forward thinking the company is. Google Duplex, shown this week to gasps from the crowd, looks like a great way of avoiding dealing with ordinary people any more, a point picked up by one writer who called it “selfish”. Does a reliance on barking orders at robot assistants and the increasing sophistication of AI in bots and so on, mean the beginning of the end for politeness and to the service industry? A topic for further consideration, surely.
Tip o’ the Week 421 – Mind your passwords
Passwords are a bane of IT usability – everyone chooses a password that’s too simple, until the systems make it too hard, and even the process of password entry is difficult. So you write your passwords down (srsly, don’t do that), sometimes in an obvious way – there’s a (probably apocryphal) story of a senior healthcare professional who left their laptop (with lots of sensitive data on it, obviously) in a taxi… the standard disk encryption neatly foiled by a Post-it note stuck to the lid with their username and password on it…

Corporate domain passwords will generally enforce a certain degree of complexity and frequency of changing, and may even add certificate or token based authentication that needs to be used in combination with other forms – so-called secondary or multi-factor authentication (2FA/MFA). It’s getting pretty common now for web sites to offer or even force 2FA, achieved via texting a one-time login code, or using a mobile app to authenticate you. ToW #371 covered how to enable 2FA for your Microsoft Account (MSA) – you really should switch that on.

For most people’s private credentials (used for logging into websites concerned with personal lives rather than work), usernames & passwords – with the odd secret question thrown in – are the main way they’ll access sensitive information from their phone or PC. And forcing the changing of passwords on a very regular basis can be a bad idea, too, as people are more likely to use easily-guessable passwords that are in turn easy for them to remember. The average person, apparently, is many times more likely to fall victim to some sort of computer-related incident than a more traditional robbery. You might be hoodwinked yourself, or through your lax credentials, your account might be compromised and used to scam other unsuspecting punters – as happens regularly on eBay.

The Man on the Clapham omnibus is also likely to use the same username & password for every website or other system they can, even though many know they shouldn’t. It’s easy to recall the same few sets of credentials, rather than having to go and look something up every time. Don’t do this.

If you want to scare yourself into action, have a look on https://haveibeenpwned.com/ and see if your (consumer) email address is on there; chances are, it might have leaked from one of the many high-profile data breaches that have happened over the years.
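The password check on haveibeenpwned.com never sees your password: the site uses a k-anonymity range lookup over the SHA-1 hash. The script below is an added example, not code from the blog or from haveibeenpwned; the range response it checks against is constructed so that it runs offline, with only the real suffix of SHA-1("password") in it.

```python
"""Pwned Passwords k-anonymity check, run offline against a constructed range response.

Added example, not code from the blog or from haveibeenpwned. The Passwords service works
like this: hash the password with SHA-1, send only the first five hex characters of the
hash to https://api.pwnedpasswords.com/range/<prefix>, and receive every known suffix in
that range together with its breach count. The password, and even its full hash, never
leave the machine. The range body below is constructed so the example needs no network.
"""
import hashlib
import urllib.request

# Constructed stand-in for the server's reply to /range/5BAA6. Each line is
# "<35 hex chars of the hash after the prefix>:<number of breaches it appeared in>".
# The third line is the real suffix of SHA-1("password"); all counts are made up.
FAKE_RANGE_BODIES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2",
    ]),
}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password, the form the service compares against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """The first five characters go to the server; the remaining 35 stay local."""
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix):
    """Offline lookup in the constructed table; unknown prefixes return an empty range."""
    return FAKE_RANGE_BODIES.get(prefix.upper(), "")


def fetch_range_live(prefix):
    """Live lookup (not exercised here). The API needs no key but does want a User-Agent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_offline):
    """Return how many breaches the password has appeared in (0 if not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen in {n} breaches, never use it" if n else "not in this range"
        print(f"{'*' * len(candidate)}: {verdict}")  # never echo the password itself
```

Swapping in fetch_range_live performs the same check against the real service; the hash prefix alone identifies roughly one in a million passwords, which is what makes the lookup safe to send.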
Try entering a common password you might use on https://haveibeenpwned.com/Passwords and it’ll tell you if that password has ever been leaked… and advise you never to use that password again.

Password managers are a way to help combat the issue – so you could have a different password for each site, sometimes even a random password that the password manager itself will generate for you. Examples include 1Password, LastPass, KeePass, Dashlane, eWallet… many will be browser based or have extensions (even for Edge!), so you can log in easily despite the complexity of your passwords. If the password manager has a cloud-storage vault, make sure it’s encrypted and there’s no way it could be compromised… and make sure you use a suitably complex but easy to remember password to unlock the password manager vault. Quis custodiet ipsos custodes? If you use a password manager already, it may even have a report you can run to see how well protected you are…

Summary