Protect yourself from iOS and OS X Security breach

The news over the last few days about Apple’s security bug is daunting. While we tend to hate media’s scare tactics when it comes to tech “news,” we do believe that when it comes to mobile security, especially in this case, there is much more harm in NOT updating your iPhone, iPad or Macbook than waiting.

The current security breach is said to allow a hacker to get in between the initial verification handshake connection between the user and the  server (the classic Man-in-the middle attack), enabling the bad guy to show up as  as a trusted server instead of a interfering hacker trying to steal your data. So all those connections you see as secure and encrypted (think bank, children’s school inter web, email, etc) is now open to interference and possible breach of sensitive data such as your family’s detailed information, your bank account numbers, and more.

Ashkan Soltani, who frequently writes about mobile security,  writes in his blog:

“The severity of the problem doesn’t immediately come across in Adam’s blog post, but it’s pretty huge. Effectively, this vulnerability allows a moderately sophisticated attacker to monitor your communications with even the most secure sites and services. Specifically, many of the core programs on iOS and OS X rely on this library for communications, which means ANY app that relies on this library (not just Safari) was vulnerable. For example, when your Calendar or Mail.app synced to Gmail, those communications were vulnerable to eavesdroppers on the network as a result of this error.”

 

image from ashkansoltani.org

The iOS fix for iPads and iPhones is out now so if you use either one of the devices, we highly recommend updating to these versions to get the patch – right now.  For MacBooks, no OS X fix is out yet – so we recommend NOT using Safari until there is a fix – use Firefox or Chrome instead.

 

 

Securing your Email with S/MIME

Today we start an awesome mini-series from one of our support gurus, DragonFly, about how S/MIME works in general, with following tutorials on how to implement S/MIME in TouchDown on iOS, Android and Mac platforms.  Check out today’s tutorial on iOS!

Hi,

Dragonfly from NitroDesk support here. In the following, today I’ll be describing how to import and use S/MIME in Touchdown for iOS. Using this functionality you can sign messages, proving that you are the person sending that particular message, and optionally encrypt them, meaning the email will only be readable by people who you have included in the message. Signing provides you with non-repudiation and potentially detect tampering on the fly and encryption prevents unauthorized viewing of the message. This type of functionality is great for keeping your emails safe and ensuring that information’s coming from the right source. (For more information on how S/MIME works, here’s a good tutorial: http://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx) Just know that to send an encrypted email, you need to have the recipient’s public key and vice versa- these can be verified from within Touchdown when that person sends you a signed message. Here’s what you’ll need before you get started:

First, you’ll need a certificate for S/MIME signing and the latest version of Touchdown. To get a certificate for S/MIME, you’ll want to contact your IT team. Also, keep in mind the only two certificate types Touchdown supports is .pfx and .p12. The certificate would need to include the complete chain to the root certificate authority.

If you have your certificate already in IE, but need to export it to your desktop,Here’s how (in IE):

1. Go into the Settings>Internet Options, and clicking on the Content tab.

2. Click on Certificates, and find the one you want to export

3. Click Export. Make sure you choose the option to export the private key and also to include all certificates in the certification path.

4. Choose a file path, and save it.

5. Don’t forget to  remember the password you use to perform the export. This password prevents anyone else from being able to access the certificate. If you’re having difficulty with this process, contact your IT team and see if there’s another way you should be doing it. As with any operations like this, make sure you are staying within your IT team’s best practices so you stay in alignment with any security policies.

6. Once you have your certificate backed up to a file, send that file to your email as an attachment, and you’re ready to go.

Let’s start with the iOS version.

S/MIME for iOS

In this demo, I show how to send an encrypted email to the ‘welovenitrodesk’ account.

First, I want to ensure that I have my certificate for S/MIME, so I find the email with the attached certificate, and view it in the attachment list.

The attached certificate, note the file type is .pfx. 

After downloading, I click the ‘I’ icon and choose to ‘Import for both.’

Choose Import for Both.

A password prompt appears.

Enter your certificate password here that was created when you generated the certificate. 

After entering the correct password (This is set up during certificate exporting from your browser, for help with this  please contact your IT team) it will tell you your certificate has been saved.

Saved certificate message. 

Now that I have a certificate, I’m ready to send the account  welovenitrodesk an encrypted message:

I click on the tools/options icon and enable Encryption and signing.

Tools icon to enable encryption signing.

Enable signing and encryption for the email.

I send the email. If you suddenly see this message (see below), it means you didn’t validate the recipient’s public certificate key from a signed message. (This can also be done over the GAL if your company supports it.) Remember how I said earlier that to send an encrypted email, you need the recipient’s public key? Now I just need to fetch it. Thankfully, a while back welovenitrodesk sent me a signed message, which contains the key.

Oops!

I find the email where welovenitrodesk sent me the key, and click on the lock icon.

Welovenitrodesk sent me a signed message.

I click ‘verify signature’ and it verifies.

Now I can send that encrypted message!

The second time, I attempt to send the encrypted message again. This time it comes through.

Back in welovenitrodesk, after having imported the public certificate and the welovenitrodesk certificate, I check the encrypted message, and am able to successfully decrypt it.

The signed and encrypted email.

Clicking on the lock icon, I can confirm that it is indeed signed and encrypted.

Hope this helps you get a better understanding on how to use S/MIME functionality with Touchdown for  iOS. If you have any questions, please feel free to contact us at  iossupport@nitrodesk.com for any iOS queries. Be sure to check in on Monday for Part II, SMIME for Android. Thanks for reading!

What the world thinks of TouchDown for Mac

We are loving the praises that are coming in for TouchDown for Mac…here’s why you NEED to get it NOW:

“Finally an all in-one corporate email, calendar, contact and task management system for the Mac.  The intuative interface has enhanced my workflow and increased producitivity whilst providing a clean and modern user experience.  At last, TouchDown has removed the ‘compromise’ of using a Mac within the corporate world.”  

– Ian Heathcock – Business Development Director   Griffiths Waite UK – http://www.griffiths-waite.co.uk 

 

“After many headaches trying to get Apple Mail to work with my work Exchange account, I had given up getting my work email on a native app.  I have downloaded it, and synced up my work email in less than a minute. The interface is simple, intuitive and best of all, it just works. Thanks so much for the opportunity to try out this amazing application. I look forward to the final release!”

Jessica S

 

“Downloaded your client and have been using it for a couple of days. Here is my feedback about the app:

 * Really Love the UI and the way fonts have been chosen. The option of themes is just awesome.

* One of the main critics of Mac mail has been that a new email is not so obvious to spot. But with TouchDown, with the bold and blue color, it takes just a blink of an eye to spot it.

* Integration with Contacts, Calendar and Notes into one single app is a HUGE one.

* The Calendar UI is also fascinating.

* Loved the option to associate an avatar to any contact in our contacts list.”

Deepak M

 

“Great app. I can finally now get my emails on my mac without having to VPN into my work.”

Eric S

 

“Kudos on the Touchdown beta. It is a FABULOUS first effort, and fulfils a long-held wish for me – a lightweight, Mac-centric Exchange client. Works great with our corporate Office 365 accounts.”

Susan K

 

“I bought my Mac in january and have been very frustrated that I couldn’t get my work email.  I can’t tell you how excited I am to find your product.  “

Cynthia Posey

 

“Great app, worked fantastic, try- love it” 

Deepak C

 

“Touchdown team,

 Thank you, thank you, thank you. It has been a long time since I’ve been able to have the same seamless experience with Exchange email on my Mac environment. Literally years. In 2009, I gave up using Entourage. When I gave up, I knew that I was giving up the messages, mail, notes, tasks, and calendar items that (almost) worked in Entourage. 

 Now, I’m loving that Touchdown brings back these missing real-life Exchange-hosted features on my Mac. 

 Keep up the good work,”

-Kent H

 

“Thanks for working on a Mac client. Touchdown is an amazing utility.”

Sirish K

 

“So far, the worst thing I can say is TouchDown keeps all my work email and calendars close at hand. <sigh> No more claiming that I didn’t bring my work computer home…”

Keith P

 

“Hi guys!

I have downloaded and tried TouchDown for Mac and I love it!

A clean and simple Active Sync who do work perfect with office 365!”

Robin J

 

“First and foremost a big Thank You! About time we got a decent mail client for the Mac platform. As an SMB IT Consultant for the past 20 or so years I hear from end users that they’re ‘OK’ with Mac’s mail client, from the admin side it’s pitiful. Just the fact that you’ve added encryption and security is huge! Now I have another awesome tool in my box to share with concerned clients.”

Jeff A

 

Thanks to all our amazing customers!

 

 

 

 

 

 

Android Security issues – but not for TouchDown!

Yesterday developer Sebastian Guerrero Selma was able to use Firefox to lift data from the local storage on an Android device – and even to access stored data within the browser itself.  As Androidcummunity.com described in a blog article yesterday, passwords and other private information can be taken using file:// syntax.  If a user visits a site that has potent javascript code, their password and other information will be sent on to the hacker who created the code – without the user ever being aware of their loss of privacy. The article cites SD Card files, like your pictures and documents, to be the kind of personal information you would not want anyone to get a hold of – I can’t imagine someone having access to photos of my kids! Other apps also store information on one’s device, so this could potentially allow hackers entry on to all the information on your device.  Luckily, TouchDown doesn’t allow any access from anywhere.  That’s right, TouchDown does not allow any other App to access information stored within TouchDown.  (We love that!)  And while that means you can’t instantly post a picture from an email to Facebook, it DOES mean that your information is safe.   I prefer my email, contacts, calendar and to-do list PRIVATE.

The bad news about “single click” logins

We are all super busy, running from one place to the next, texting our spouse as we walk to the car and sending an email at the red traffic light (only at a red traffic light, correct?)  So yes, it is tempting to give in to all those supposed time savers like ‘one click’  log-ins.  But do they make your information vulnerable?  Craig Young from Tripwire thinks so.Young reports that the popular  ‘weblogin,’  which allows users to use their Google account credentials as authentication for third-party apps may seem secure because its not sharing the username and password itself; instead it creates a token to represent the your login details.  Google Apps are very popular across businesses of any almost any size due to their low cost, apparent security and ease of access.  However, the use of Google Apps on mobile devices (In this case, an Android device) was demonstrated to have some vulnerabilities by Young at this month DefCon21.

To demonstrate, Young created an Android app that asks for access to the user’s Google account to display stocks from Google Finance.  Once you grant the app permission, the app creates a token to access the data. This makes you feel safe and secure because its not passing on your actual username and password.  However, the evil app sends the issued token to the hacker who created it, who can then directly paste it into a web session, providing access to everyone of your Google Services.   No, not just the Google Finance App you gave permission to use, but Google Calendar, Google Docs, and even your Gmail.  Ooops.

It gets worse if you are an administrator for a Google Service – once the hacker can get into your information they can change your passwords and otherwise take control of every account which you administer, not to mention read private company data.  Which gets me to the more important point: Why is anyone who is remotely concerned about the safety of their email data not using a self-contained email service that doesn’t allow web-logins, single clicks and other vulnerability causing services?  If you are the owner, manager, or client/patient of a business, are you concerned about what security holes the business’ employees are causing when they ‘sign in with Facebook’ or “Google one click” on their Android device while watching their sons T-ball game?  We have to balance our thirst for ease of access with our need to not only keep our information private, but that of our clients and our work’s clients.  Mobile devices are what allow us the freedom to balance work and play, to multi-task, to keep every client and friend in constant contact.  But it is so easy to forget about workplace ethics (including security) wen we’re enjoying that Corona at the Park, checking email to keep up, but taking shortcuts to ‘make it easier.’

So stop using shortcuts, and most importantly, use self-contained data environments (especially for email) that don’t allow other applications on  your mobile device to interact with it.  If it’s too easy for you to access, its probably too easy for someone else to access too.

 

 

 

Who is Hijacking your email account?

 

Black Hat 2013 happened in Las Vegas yesterday – for those of you who don’t speak geek, Black Hat is the annual conference where top computer security officials and hackers get together to chat.  And this years conference even featured a certain general from the NSA.  There was some definite discord in the crowd as he spoke.  But I digress.

By now you all know how obsessed we are with your email security here at TouchDown and why we use encryption that is not vulnerable to the many exploits out there.   What I always find most interesting at Black Hat is all the ways hackers (technological wizards who are pushing the envelope, sometimes for good, sometimes for bad) find out that a user’s information is not secure… Well, at this years Black Hat some interesting tidbits have already come to the surface (and luckily, their exploits does not apply to TouchDown !)

Some of the world’s leading computer security researchers weighed in on security issues and  in somewhat eyebrow raising news, Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) explained how it is possible to utilize some loose ends in popular webbased email services.  The  TLS (Transport Layer Security) technology encrypts and secures website connections, and some of web-based email services have an inherent flaw in the TLS.  When a user goes to log out, it is possible to block this action when the ‘log-out’ request is sent TO the server side –  at which point an un-authorized user can inject an unencrypted TCP FIN message to close the connection. The server-side therefore never gets the request and is unaware of the abnormal termination, and your information is now vulnerable.  YOU get a message saying that you are logged out (you aren’t) and walk away.

What makes it worse is that this attack attack does not rely on software being installed on your computer or some other sort of more obvious way of snooping. All that has to happens is that someone (the bad guy) gets between your computer and and the server, with something as simple as a controlled router or even a wireless hotspot – the “Man in the Middle” Attack.  Its possible because the user receives feedback that the sign-out request has been successfully executed, where in actuality the server is unaware of the user’s request, so the attacker can now access email without the users knowledge.

The way the researchers explained it:

“In essence, we block encrypted messages that are sent over the network to de-synchronize authorisation: we force Gmail and Hotmail [Outlook.com] to display on your browser the page that announces that you have successfully signed-out, whilst ensuring that your browser maintains authorisation with Gmail and Hotmail [Outlook.com]. Given such an announcement, you should be assured that you are secure, in particular, a hacker should not be able to access your email, even if you [log out and] leave your computer unattended. However, we can violate this basic security premise and access your Gmail and Hotmail [Outlook.com] accounts just by reloading the web page.”

This of course caused quite the stir at Black Hat, because the services mentioned by the researchers such as Google and Microsoft are extremely popular.  Smyth and Pironti went so far as to say that:

“…shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).”

Now this “Man in the middle” type of attack is not a new one by any means, but the ease of which this can happen wasn’t apparent to most, especially with services that are considered by the masses as secure and private.  We’ll be reporting more from Black Hat later this week…and continuing to write emails using TouchDown.

 

 

 

Outlook on the go?

Yesterday Microsoft released an iOS version of their Outlook Web App (OWA) …have you tried it? Probably not, unless you have a subscription to Office 365.  Yes, its super cool that Microsoft offers these apps for free, but free with a price tag of Office 365 subscription just  isn’t….free.  But I digress.

I do love the fact that Microsoft is developing apps for iOS, Im a big supporter of across platform development.  The UI is pretty good, and is different for the iPad versus the iPhone, as it should be.   The UI utilizes touch gestures as well as voice commands, which is great when you are on the go or using it with one hand.

So, congrats to Microsoft for doing more iOS development – keep going, because the potential is there.  Just be aware that OWA apps are an online client, meaning that they only work online…when your device goes online, it simply mirrors what is on the Office 365 (or any other service you use) server.  When that connection is broken, you can not access  your information.  The security aspects of an online client versus an offline client also differ (more on this in tomorrows post).  And in today’s world of online snooping, I still insist the best way to control the safety of your data is to utilize SMIME and AES encryption with policies such as requiring a PIN.

If you want more information on TouchDown’s secure Email, Calendar, Contacts, etc, read the latest blog post about Encrypted email.  Come visit us at www.nitrodesk.com to see what the buzz about our Secure email that works with Exchange is all about.

Encrypted Email in TouchDown

More and more people are using encrypted email as news about the NSA watching our email and hackers stealing our personal information loom large.  We take the encryption and security of your information very seriously here at NitroDesk, which is why our TouchDown email app uses AES-256 encryption.

SSL and TLS are the main tools that provide the majority of security in the transmission of data over the Internet today. Although these are cited as being “secure,” there is actually quite a range in the level of security that is provided, depending on what encryption technique or cipher is utilized. Like any software, some of these encryption tools are quite weak, while others are very secure.

When choosing an encryption tool for TouchDown, AES  (Advanced Encryption Standard) was the clear and obvious choice for its speed and high level of security. It is based on the Rijndael cipher developed by Belgian cryptographers,  Vincent Rijmen and Joann Daemen.   AES was standardized in 2001 after a 5 year review, and is currently one of the most popular algorithms used in symmetric key cryptography (which, for example, is used for the actual data transmission in SSL and TLS.)   It is also the “gold standard” encryption technique; many security-conscious organizations require that their employees use AES-256 (256-bit AES) for all communications.

AES is based on a design principle known as a substitution-permutation network, and is considered one of the faster encryption methods.  AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. AES was first available in Open SSL starting in 2002, and was the basis of most SSL services in UNIX and Linux environments.    AES is FIPS (Federal Information Processing Standard) certified.

At NitroDesk we recommend ensuring that your server is SSL-enabled, and never accessible through non-SSL connections. TouchDown utilizes HTTPS/SSL for communications with the server when the server is configured for SSL encryption, and utilizes AES-256. This ensures that your information cannot be compromised in transit between your device and the server.  Is your information secure on your device?

Solving Your Problems

TouchDown came about as a solution to a problem, that problem being; when Android phones first came to market there was no viable Exchange Sync client, native or otherwise.  But sometimes solutions have problems, that’s part of the price of progress.  So when you run into problems with TouchDown, you have a number of options to choose from, based on the type of issue you are facing or your preference for how to seek out a solution.

TouchDown E-Mail Technical Support – Support@NitroDesk.com  No matter what version of TouchDown you are using or what device/OS you have it installed on, our crack squad of US-Based support engineers will get you squared away, often the same day.

TouchDown Knowledge Base – If you prefer to sniff out the answer to your questions by yourself, then this is the place to do it.  If you don’t find the answer you are looking for, then you can submit a request from this site which is then handled by our support engineers.

TouchDown Google Group – Sometimes it’s nice to see that your problem isn’t so bad when compared to how others may be suffering, so why not cruise the Google Group to see how good you have it.  Crowd sourcing is an excellent way to find solutions to your problems, or lend a hand to a fellow user who is having the same issue you may have found a solution for.  Our CEO/Developer and I also like to keep an eye on things here to make sure as many people as possible get the help they need.  This is a great place to give feedback too, so come on by and let us know what you think.  Don’t forget to subscribe to the group so you can keep up to speed.

IdeaScale – Want to see a new feature added to TouchDown?  This is the place to let us know what you want to see in upcoming versions of TouchDown and if we can conceivably do it within the constraints of the OS, we will.  In fact, this is the core of our Mission Statement: “Our customers and their aspirations and needs are at the center of everything we do. We know we wouldn’t exist without them and their support and loyalty. The least we can do is build what they need and not what we think is cool.”

NitroDesk YouTube Channel – We host all of our video tutorials, demos and overviews on our YouTube page, so have a look around and stay tuned for new content.  If you want to see something new, just let us know in the comments below.

-Ben

Video Tutorial: TouchDown Personal Edition

Here is the first in our series of videos on How to Maximize Touchdown for your device. This brief video gives a great overview of our newest product, the Personal Edition.  Enjoy!

What kinds of videos would you like to see?

Don’t already have the fabulous Personal Edition of TouchDown? Purchase it at www.Nitrodesk.com