HeartBleed

News and concerns about the Heartbleed bug are everywhere in the tech community right now. Here is what you need to know to protect yourself:

In terms of TouchDown users:

“TouchDown does not use OpenSSL for connections to the server (it may be used for other encryption purposes), and hence is not directly affected by HeartBleed. However, if TouchDown runs on a platform that uses OpenSSL for communication, or connects to a server which is using OpenSSL for hosting connections, the users could be affected. Patches for the platform as well as servers should be obtained from the respective vendors.”

We know of only one Android version that is reported to be affected, Android 4.1.1 (for more information, see http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html).

If your clients connect directly to a Microsoft Exchange server, there is no vulnerability that we know of, since, as far as we know, Exchange does not use OpenSSL.
If your clients connect through a non-Microsoft gateway or email server, please contact the server vendor for patch information.

Mashable has a great list of who was affected, what patches there are, etc.:

“Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn’t already compromised, but there’s also no indication that hackers knew about the exploit before this week. The companies that are advising customers to change their passwords are doing so as a precautionary measure.

Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable.

Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you’ll need to change the password everywhere. It’s not a good idea to use the same password across multiple sites, anyway.”

So far, the obvious sites where password changes are recommended are: Instagram, Pinterest, Google, Yahoo, Gmail, Yahoo Mail, Etsy, GoDaddy, DropBox, Github and Minecraft. For more information, look at the Mashable list or check with the specific vendor.

Never sign in through Facebook or Twitter. Create strong passwords, and change them often.


How S/MIME Encryption works, Part II

As promised, here is part two of our S/MIME encryption series (how to encrypt your email on TouchDown for Android) by our awesome support master, Dragonfly:

First off, I open the email with the certificate attached. In the attachment list, I download the certificate, long press it to bring up a menu, and choose ‘import certificate’.

Screenshot: Long press on the attached certificate.

Screenshot: Choose import certificate.

I enter the password.

Screenshot: Enter the password.

Screenshot: This menu pops up. Make any changes you want and hit OK. Contact your IT team if you are not sure whether you need to choose any of these settings.

Now that the certificate is imported, I can send signed or encrypted emails. As I want to send an encrypted email to welovenitrodesk, I’ll grab their public key from a signed email they sent to me.

Screenshot: The signed email from welovenitrodesk. I apparently can’t spell sign.

I click on the key icon in the top right and am prompted to validate the certificate, which I do. Now I have their public key in my store.

Screenshot: Click Validate.

Screenshot: The certificate is valid.

Now I compose an email to them, click the menu button, and choose ‘options’.

Screenshot: The compose screen menu. The device I used for this doesn’t have a menu button, so TouchDown generates a soft one. Different devices will look different, but it usually isn’t too hard to find the menu key on the compose screen. (If you don’t see a soft menu button and are on a device running Android 3.x or above, you should be using TouchDown HD instead of TouchDown for Smartphones.) Optionally, you can also press the Options button on the blue toolbar.

Screenshot: Choose to sign and encrypt it.

And just like that, I’ve sent welovenitrodesk a signed and encrypted message.

Meanwhile, in the welovenitrodesk account, the signed and encrypted message decrypts perfectly.

Hope this helps users get a better understanding of how to use S/MIME functionality with TouchDown for Android. If you have any questions, please feel free to contact us at support@nitrodesk.com. Thanks for reading!

Securing your Email with S/MIME

Today we start an awesome mini-series from one of our support gurus, DragonFly, about how S/MIME works in general, followed by tutorials on how to set up S/MIME in TouchDown on the iOS, Android and Mac platforms. Check out today’s tutorial on iOS!

Hi,

Dragonfly from NitroDesk support here. Today I’ll be describing how to import and use S/MIME in TouchDown for iOS. Using this functionality you can sign messages, proving that you are the person who sent that particular message, and optionally encrypt them, meaning the email will only be readable by the people you have included in the message. Signing gives you non-repudiation and lets the recipient detect tampering; encryption prevents unauthorized viewing of the message. This type of functionality is great for keeping your emails safe and ensuring that information comes from the right source. (For more information on how S/MIME works, here’s a good tutorial: http://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx) Just know that to send an encrypted email, you need to have the recipient’s public key, and vice versa; these can be verified from within TouchDown when that person sends you a signed message. Here’s what you’ll need before you get started:

First, you’ll need a certificate for S/MIME signing and the latest version of TouchDown. To get a certificate for S/MIME, contact your IT team. Also, keep in mind that the only two certificate file types TouchDown supports are .pfx and .p12. The certificate needs to include the complete chain up to the root certificate authority.

If you already have your certificate in IE but need to export it to your desktop, here’s how (in IE):

1. Go to Settings > Internet Options and click the Content tab.

2. Click Certificates and find the one you want to export.

3. Click Export. Make sure you choose the option to export the private key and also to include all certificates in the certification path.

4. Choose a file path, and save it.

5. Don’t forget to remember the password you use to perform the export. This password prevents anyone else from being able to access the certificate. If you’re having difficulty with this process, contact your IT team and see if there’s another way you should be doing it. As with any operation like this, make sure you stay within your IT team’s best practices so you stay in alignment with any security policies.

6. Once you have your certificate backed up to a file, send that file to yourself as an email attachment, and you’re ready to go.

Let’s start with the iOS version.

S/MIME for iOS

In this demo, I show how to send an encrypted email to the ‘welovenitrodesk’ account.

First, I want to make sure I have my certificate for S/MIME, so I find the email with the attached certificate and view it in the attachment list.

Screenshot: The attached certificate; note the file type is .pfx.

After downloading it, I click the ‘i’ icon and choose ‘Import for both’.

Screenshot: Choose Import for Both.

A password prompt appears.

Screenshot: Enter the certificate password you set when you exported the certificate.

After you enter the correct password (this is the password set during the certificate export from your browser; for help with this, please contact your IT team), TouchDown tells you that your certificate has been saved.

Screenshot: Saved certificate message.

Now that I have a certificate, I’m ready to send the welovenitrodesk account an encrypted message:

I click on the tools/options icon and enable encryption and signing.

Screenshot: The tools icon used to enable encryption and signing.

Screenshot: Enable signing and encryption for the email.

I send the email. If you see the message below, it means you haven’t validated the recipient’s public certificate from a signed message. (This can also be done over the GAL if your company supports it.) Remember how I said earlier that to send an encrypted email you need the recipient’s public key? Now I just need to fetch it. Thankfully, a while back welovenitrodesk sent me a signed message, which contains the key.

Screenshot: Oops! The error shown when the recipient’s certificate has not been validated.

I find the email in which welovenitrodesk sent me the key, and click on the lock icon.

Screenshot: welovenitrodesk sent me a signed message.

I click ‘verify signature’ and it verifies.

Screenshot: The signature verifies.

Now I can send that encrypted message!

I attempt to send the encrypted message a second time, and this time it goes through.

Back in the welovenitrodesk account, having imported the public certificate and the welovenitrodesk certificate, I open the encrypted message and am able to decrypt it successfully.

Screenshot: The signed and encrypted email.

Clicking on the lock icon, I can confirm that it is indeed signed and encrypted.

Hope this helps you get a better understanding of how to use S/MIME functionality with TouchDown for iOS. If you have any questions, please feel free to contact us at iossupport@nitrodesk.com for any iOS queries. Be sure to check in on Monday for Part II, S/MIME for Android. Thanks for reading!
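The tutorial above needs a .pfx (a PKCS #12 bundle) that carries the private key and the full chain, and then signs, encrypts to the recipient, decrypts and verifies by tapping through the app. The same flow with the openssl command line, as an added example that is not NitroDesk's or TouchDown's code (the throwaway CA, the mailboxes alice and bob, and the password changeit are all constructed):

```shell
#!/bin/sh
# Added example, not NitroDesk/TouchDown code: the tutorial's S/MIME flow (a .pfx with
# its chain, sign, encrypt to the recipient, decrypt, verify) done with the openssl CLI.
# Assumes openssl 1.1+ on PATH; "alice", "bob", "Demo CA" and "changeit" are constructed.
set -e
WORK=$(mktemp -d)

# Constructed PKI: a throwaway CA issues one cert per mailbox; each mailbox is then
# bundled into a .pfx holding the private key AND the chain, as the tutorial requires.
setup_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  for who in alice bob; do
    openssl req -newkey rsa:2048 -nodes -batch -subj "/CN=$who/emailAddress=$who@example.test" \
      -keyout "$WORK/$who.key" -out "$WORK/$who.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$who.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 30 -out "$WORK/$who.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/$who.key" -in "$WORK/$who.crt" \
      -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/$who.pfx"
  done
}

# Number of certificates inside a .pfx: 1 means the export left the chain out.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -nodes 2>/dev/null \
    | { grep -c 'BEGIN CERTIFICATE' || true; }
}

# alice signs with her key, then encrypts to bob's public certificate (without bob.crt
# there is nothing to encrypt to, which is the "Oops" in the tutorial); bob decrypts with
# his private key and verifies the signature. Prints the recovered plaintext.
smime_roundtrip() {
  printf 'hello from alice\n' > "$WORK/msg.txt"
  openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
  openssl cms -encrypt -aes256 -in "$WORK/signed.eml" -out "$WORK/encrypted.eml" "$WORK/bob.crt"
  openssl cms -decrypt -in "$WORK/encrypted.eml" -recip "$WORK/bob.crt" \
    -inkey "$WORK/bob.key" -out "$WORK/decrypted.eml"
  openssl cms -verify -in "$WORK/decrypted.eml" -CAfile "$WORK/ca.crt" 2>/dev/null | tr -d '\r'
}

# The signature is only trusted if alice's cert chains to an anchor you trust, which is
# what the app's "Validate" step establishes; the wrong anchor makes this return non-zero.
verify_chains_to() {
  openssl cms -verify -in "$WORK/decrypted.eml" -CAfile "$1" -out /dev/null 2>/dev/null
}

setup_demo_pki
```

Run `pfx_cert_count "$WORK/alice.pfx"` before emailing a bundle to yourself: a count of 1 is the export-without-chain mistake the tutorial warns about.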

Another fix against Streak

As soon as we at TouchDown heard about Streak, we created an ‘Intervention against Streak’ so that TouchDown users would NOT have their emails tracked unknowingly. Meanwhile, across the pond (Wales, to be exact) @Lukeberry99 was working away on a fix as well. Check him out on Twitter! I love it when the good guys work on shutting down the bad guys. In Luke’s words, “Streak shouldn’t exist.” We couldn’t agree more! See our fix here.

Happy Valentines Day – and happy private emailing.

Google allows the public to snoop – and TouchDown has the fix

Have you heard the buzz today about Streak, the Google Chrome extension that works through Gmail and allows anyone who sent you an email to secretly see whether you’ve opened and read that mail? Oh, yes, anyone using Streak can send you an email and be notified, without your knowledge or permission, that you have read it. We here at TouchDown think it is crucial to maintain the privacy and security of your private data, so we’ve developed an instant fix. Yup, as in use it now (if you’re a lucky beta tester), and use it as soon as the very next Android and iOS release for the rest of you. Just use your TouchDown email (if you don’t have a TouchDown account, go to our website, www.NitroDesk.com), and if someone tries to track you with Streak, this is what you’ll see (see screenshot below). Oh yeah.


TouchDown: Always here to protect your data, no matter what crazy things people think of next to try to steal it.

What happened with Target and what you can learn from it

So it turns out Target was allowing one of their maintenance companies (an HVAC/refrigeration company) to access Target’s database so that no one had to actually come out and log in on site to do efficiency updates; it could all be done remotely. This is quite common, and not a problem if you keep your private information separate from your non-private information.

See, hackers unfortunately are often quite smart, and can find vulnerable points of entry into a database, especially a shared database that has several points of entry. Find another way in besides the obvious “secure entry point,” and then follow it all the way to the goldmine of private data. This is what happened in Target’s case. One of the HVAC contractor’s workers had their credentials stolen, and the hackers were able to insert malware through this entry point and reach the payment network through the maintenance network. They were able to put card-stealing malware on POS (point of sale) cash registers at various stores, and after verifying that it worked and was NOT detected, were able to reach most Target stores nationwide, stealing card numbers in real time.

Visa, MasterCard and other card payment systems do not require that retail stores and other payment collectors keep their payment networks separate from their other operational networks, but it would kind of make sense, no? Payment collectors ARE supposed to require two-factor authentication for remote login, and it appears that Target did not have such a system in place.

Had Target kept their sensitive data (customer financial data) separate from less sensitive operational data, they could still have allowed remote logins without putting their customers at risk.

So the point is twofold:

1) Even as a small company (and Target is HUGE), do not be cheap with the security of your data, especially your customers’ financial data. Yes, Target saved money in the short term by not buying software that kept their data separate and by not having a two-factor authentication system in place. But the huge financial cost of stolen data ALWAYS outweighs the smaller cost of preventing it in the first place, not to mention the larger cost that is not easily fixed: losing their customers’ trust.

2) Keep your sensitive data separate. And yes, this goes for you too. On your phone. On your laptop (yes, that IS a mobile device). On the iPad your kiddo plays with at the dentist’s office or in the Target shopping cart while you shop.

Whether it’s your own device, or you own a business and need to keep your enterprise’s data safe, use software that helps you achieve separation. With products as affordable as $20, why are you NOT doing this? Trust me, it will cost a lot more if someone steals your data or your identity.


KNOX Vulnerabilities

There is a lot of buzz going around about the discovery that Samsung’s KNOX container has some vulnerabilities, as reported by the Wall Street Journal on Tuesday and PC World yesterday. While it is very poor timing for Samsung, considering CES, the huge technology show in Vegas, starts next week, we are confident that Samsung is dedicated to security and will find a fix quickly.

What exactly is the concern? The vulnerabilities found by Israel’s Ben-Gurion University of the Negev indicate that the Knox software (when used on a Samsung Galaxy S4 or Note 3) could allow malicious apps to eavesdrop on data transferred within the secure environment. The WSJ reports: “Samsung officials told the Journal that the vulnerability was found in developer phones that weren’t ‘fully loaded with the extra software that a corporate client would use in conjunction with Knox,’ the paper reported. So far, the Knox vulnerability has only been discovered on the Galaxy S4.”

The PC World article compared KNOX to our TouchDown, since both are designed to keep data secure. So what does all this mean, and how does it work? TouchDown was specifically designed to keep data secure against this type of data breach. It keeps corporate data secure through encryption and by keeping it ‘sandboxed’ away from a user’s personal data on their device (smartphone, laptop, tablet). It works directly with Exchange ActiveSync and keeps email, contacts, calendar and notes data secure when kept within TouchDown.

Samsung’s KNOX, by contrast, creates a container around several third-party apps, with the purpose of keeping data within those apps separate from app data outside the KNOX container. The security breach discussed in the article concerns the KNOX container itself, meaning malware could gain access to apps inside the container. If there are apps inside the container that are not themselves secure, they could potentially be breached. Luckily, TouchDown users can breathe easy: even if a malware attack did get past the KNOX container, it would not be able to breach TouchDown data. So whether you are using TouchDown in or out of the KNOX container on a Samsung device, your data will remain secure and separate from other data on your device. If you’re not using TouchDown, what are you waiting for?