Critical Update From The NSA

June 11th, 2019 by Julie Lough

The NSA Is Urging To Patch Remote Desktop Services On Legacy Versions of Windows

The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a vulnerability in older versions of Windows.

NSA Windows Security Warning

Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the Internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.

CVE-2019-0708, dubbed “BlueKeep,” is a vulnerability in Remote Desktop Services (RDS) on legacy versions of the Windows® operating system. The following versions of Windows® are affected:

  • Windows® XP
  • Windows® XP
  • Windows Server® 2003
  • Windows® Vista
  • Windows Server® 2008
  • Windows® 7
  • Windows Server® 2008 R2

What Is A Wormable Virus?

This means that the virus can get into your system without you doing anything like clicking a malicious link. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights without your knowledge.

Any future malware that uses this vulnerability could propagate from one vulnerable computer to another. This is how similar malware like WannaCry spread around the world. Experts are worried that this flaw could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.

Another Problem

Although Microsoft has issued a patch, potentially millions of machines are still vulnerable. This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability.

For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability.

NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

What Should You Do?

Microsoft has released a critical update for their Remote Desktop Services that impacts multiple Windows versions. The patches are for devices and systems that are both in and out-of-support, which is rare for Microsoft to do. This shows the importance of these patches.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests. To apply the patches, go to the Microsoft Security Update Guide for in-support systems and KB4500705 for out-of-support systems.

Microsoft recommends that customers running one of these operating systems download and install the update as soon as possible.

Does This Mean Even Systems Without Support Can Get The Patch?

Yes, Microsoft is aware that some customers are running versions of Windows that no longer receive mainstream support. This means that you wouldn’t have received any security updates to protect your systems from the CVE-2019-0708 virus.

Given the potential impact to customers and their businesses, Microsoft decided to make security updates available for platforms that are no longer in mainstream support. All Windows updates are available from the Microsoft Update Catalog.

What Should You Do Before We Apply The Update?

It’s recommended that you back up all of your important data first. If you have a reliable backup, and if the patch creates problems, you can still access your data. You should do this before you install any patches.

What If You Can’t Apply The Patches?

If you can’t apply the patch for your system there are other things that you can do:

  • If you don’t need the Remote Desktop Services, you can disable it.
  • Block the TCP port 3389 (this prevents unauthorized requests from the Internet).
  • Enable NLA (Network Level Authentication) for Windows 7 and Windows Server 2008.

Of course, the best thing to do is to contact us. We’ll know exactly what to do.

What Else Should You Know?

If you had updated from Windows 7 to Windows 10 or from Windows servers 2008/2008 R2 to Windows 2016 or 2019, you wouldn’t need to worry. This is why it’s essential to keep your systems up to date.

Soon, on January 14, 2020, support will come to an end for all Windows Server 2008, 2008 R2 equipment and the Windows 7 operating system.

If you’re still using these servers or operating system, it’s crucial to replace them now so that there’s no disruption to your daily operations or loss of data.

Any hardware or software product that reaches its end of life is a potential gateway for hackers to enter through. In addition to the security hazard, there are other reasons why it isn’t a good idea to keep using old equipment such as unresolvable outages.

 


Sign In With Apple

June 6th, 2019 by Julie Lough

Apple IOS 13

Sign In With Apple…Should You Use It?

Apple recently reported that its new “Sign in with Apple” feature will be part of the iOS 13 release in the fall of 2019. It promises to protect your privacy, and authentication experts say it could have an enormous impact on data privacy.

What Is Sign In With Apple?

With Sign In With Apple, you’ll be able to log into your applications. It offers a single-sign-on functionality, much like other sign-in buttons such as Facebook’s, Google’s and Twitter’s.

What Are The Benefits Of Using Apple’s Sign In?

When you sign onto apps, Apple will mask your personal information and email address. But the application will still be able to contact you.

Unlike with Google, Facebook and Twitter, your email won’t be passed on to the developer. You can opt not to allow this, but you won’t be able to use their sign-in service. If you do choose to let Google, Facebook or Twitter track your email, they will also be able to see the applications you use.

Aaron Peck from Oauth explains:

“The way most “sign in with [blank]” systems work is that the app you’re signing in to will get your username on that service and likely also your email address,” he explained. “These apps can sell your email address to advertisers, or correlate your activity between unrelated applications by matching your username.”

Apple solved this problem with its single-use anonymous email address. You’ll be able to share the information you choose with the application. Apple creates a random, anonymous, single-use email address for each application. Apple then forwards emails sent to that address on to you. You have the option of deactivating the single-use email address whenever you want.

By using Sign in with Apple and the single-use email address, your true email address won’t be tracked. Apple is offering this to provide a more private option for use. And they are offering developers a way to provide a fast one-step login without forwarding their user’s data to another company. Apple’s button will also work on websites.

Can You Use Apple’s Sign In With Any Application?

No… only applications that integrate their systems with Apple’s Sign In button. Some may opt not to because they won’t be about to use your information for marketing purposes.

What Phones Can Use iOS 13 & Sign In with Apple?

These are the devices that will be able to use iOS 13:

  • iPhone XS
  • iPhone XS Max
  • iPhone XR
  • iPhone X
  • iPhone 8
  • iPhone 8 Plus
  • iPhone 7
  • iPhone 7 Plus
  • iPhone 6s
  • iPhone 6s Plus
  • iPhone SE
  • iPod touch (7th generation)

Is There Anything Else To Consider When Using Sign in with Apple?

If you are a developer, there may be. There are some concerns surrounding Apple’s terms and conditions for application developers. If they offer Google, Facebook or Twitter’s sign in, they must also offer Sign in with Apple.

And there’s more. According to Reuters:

Apple will expect developers to place their login button above Google’s or Facebook’s.

Apple Inc will ask developers to position a new “Sign on with Apple” button in iPhone and iPad apps above rival buttons from Alphabet Inc’s Google and Facebook Inc, according to design guidelines released this week.

The move to give Apple prime placement is significant because users often select the default or top option on apps […]

Apple’s suggestion to developers to place its login button above rival buttons is part of its “Human Interface Guidelines,” which are not formal requirements to pass App Store review. But many developers believe that following them is the surest way to gain approval.

This means that some app developers won’t have an incentive to actually add the Sign in with Apple feature. But Apple is getting around this by mandating that if developers what to place their app in the Apple App Store, and they already offer a third-party sign in, they must offer Apple’s.

Apple’s terms and conditions don’t require this for applications with a dedicated login system, and those that don’t use third-party buttons from Google or Facebook.

What’s The Benefit For Apple?

Sign in with Apple will improve users’ privacy and provide a far better experience than others.

Will LaSala, director of security services and security evangelist at OneSpan, tells us more:

Apple is going one step further than traditional single sign-on, they are forcing their users to use stronger authentication, such as Apple’s FaceID and TouchID,” he said, noting that Sign in with Apple will ask mobile app users to use the biometrics functions.

The use of adaptive authentication is what should be celebrated – the ability to prevent login tracking or protect a user’s information is a secondary benefit. Any way that we can get users to move to adaptive authentication that is easy and portable across many sites and platforms is a security win for the internet.

Apple is positioning themselves as the privacy provider. So when we want more privacy, Apple hopes we’ll choose to use their technology. It’s a great marketing strategy…something that Apple excels at. We think many people will want to use Sign in with Apple due to its privacy features.


What Is Windows Lite?

March 27th, 2019 by Julie Lough

Is Windows Lite Microsoft’s Answer to Google’s Chrome OS?

Microsoft is working on a new operating system — Lite — with a different look that’s designed for the casual computer user while targeting Google’s Chrome OS  

Windows Lite

Windows Lite is the oft-rumored, highly anticipated stripped-down operating system that Microsoft is reportedly working and could be unveiled sometime in the spring of 2019. What exactly is Windows Lite and why is Microsoft investing in it?

What Is Windows Lite?

Rumors began to surface in late 2018 that Microsoft was working on a new version of its Windows 10 operating system. While details have spotty at best, it appears that Windows Lite is intended to be Microsoft’s latest attempt to compete with Google’s Chrome OS, the driver of its popular Chromebook product line.

Windows Lite reportedly will be faster and leaner than other Windows operating systems. In fact, some reports indicate that the new operating system will be so different from other Windows products that Microsoft may remove the “Windows” name from it altogether.

How Will Windows Lite Work?

The new operating system reportedly will only run apps from the Universal Windows Platform (UWP) downloaded from the Microsoft store. It will also allow progressive web apps, which are applications that are run through an online service but operate like an offline app. Microsoft is exploring whether Lite will eventually be able to support Win32 apps as well.

Windows Lite will also be instantly on and always connected. It will be designed to work with multiple CPUs, providing flexible options for device manufacturers and consumers.

The focus is on building a product that emphasizes simple interactions and maintenance.

It’s expected that Windows Lite will not be available directly to consumers but rather to OEMs as a way to offer an alternative to the increasingly popular Chromebook. Instead, it will come pre-installed on laptops marketed to the home user and students.

The product is designed for users who only need “light” computing without the power, complexity and strength of traditional Windows operating systems. For users who need to write an essay, chat with friends or listen to music, Windows 10 is a bit of overkill.

Will It Look Like Windows?

The Lite OS will likely look very little like Windows. The interface is expected to be cleaner and more modern. The Start button is in the middle of the screen, for example. The search box is reminiscent of Chrome OS, with suggested and pinned applications listed prominently.

That said, there are some familiar components. File Explorer is still there and foundational components like Settings are present at this time.

The divergence from Windows is why some believe that Microsoft will remove the Windows branding entirely from the new product. Why would Microsoft intentionally move away from the established, decades-long Windows brand?

For one, ‘Windows’ carries with it certain expectations about functionality and capabilities. Microsoft may well want to begin reshaping how people think about what an operating system is, what it looks like and its user interface. It could be the beginning of a new direction for the company.

It could also be a way to circumvent the notion that Windows is too complex, complicated or fully featured, attracting those who have sworn off Windows operating systems in the past.

When Will Windows Lite Be Available?

There has been no official announcement or scheduled release date published. Given that hints about the new operating system are beginning to appear in Windows Insider builds, it’s likely that Microsoft is quite far along in its development. One possible target for an unveiling would be at the Microsoft Build 2019 conference in May 2019. Wider testing could begin this summer.