KNOX Vulnerabilities

There is a lot of buzz going around the discovery that Samsung’s KNOX container has been found to have some vulnerabilities, as reported by the Wall Street Journal Tuesday and  PC World yesterday.  While it is very poor timing for Samsung, considering CES, the huge technology show in Vegas, starts next week, we are confident that Samsung is dedicated to security and will find a fix quickly.

What exactly is the concern? The vulnerabilities found by Israel’s Ben-Gurion University of the Negev indicate that Knox software (when used on a  Samsung Galaxy S4 or Note 3) could allow malicious apps to eavesdrop on data transferred within the secure environment.  The WSJ reports :“Samsung officials told the Journal that the vulnerability was found in developer phones that weren’t “fully loaded with the extra software that a corporate client would use in conjunction with Knox,” the paper reported. So far, the Knox vulnerability has only been discovered on the Galaxy S4.”

The PC World article compared KNOX to our TouchDown, since both are designed to keep data secure – so what does all this mean and how does it work?  TouchDown was specifically designed to keep data secure against this type of data breach.  It keeps corporate data secure through encryption and by keeping it ‘sandboxed’ away from a users personal data on their device (smartphone, laptop, tablet).  It works directly with ActiveSync Exchange and keeps email, contacts, calendar and notes data secure when kept within TouchDown.  Meanwhile Samsung’s KNOX creates a container around several third party apps, with the purpose of keeping data within those apps separate from app data not inside the KNOX container.  The security breach discussed  in the article regards the potential security breach of the KNOX container itself, meaning malware could have access to apps inside the container.  If there are apps inside the container that are not secure, they could potentially be breached. Luckily, TouchDown users can breathe easy, since even if a malware attack did get past the KNOX container it would not be able to breach TouchDown data. So whether you are using  TouchDown in or out of the KNOX container on a Samsung device, your data will remain secure and separate from other data on your device.  If you’re not using TouchDown…what are you waiting for??

What the world thinks of TouchDown for Mac

We are loving the praises that are coming in for TouchDown for Mac…here’s why you NEED to get it NOW:

“Finally an all in-one corporate email, calendar, contact and task management system for the Mac.  The intuative interface has enhanced my workflow and increased producitivity whilst providing a clean and modern user experience.  At last, TouchDown has removed the ‘compromise’ of using a Mac within the corporate world.”  

– Ian Heathcock – Business Development Director   Griffiths Waite UK – http://www.griffiths-waite.co.uk 

 

“After many headaches trying to get Apple Mail to work with my work Exchange account, I had given up getting my work email on a native app.  I have downloaded it, and synced up my work email in less than a minute. The interface is simple, intuitive and best of all, it just works. Thanks so much for the opportunity to try out this amazing application. I look forward to the final release!”

Jessica S

 

“Downloaded your client and have been using it for a couple of days. Here is my feedback about the app:

 * Really Love the UI and the way fonts have been chosen. The option of themes is just awesome.

* One of the main critics of Mac mail has been that a new email is not so obvious to spot. But with TouchDown, with the bold and blue color, it takes just a blink of an eye to spot it.

* Integration with Contacts, Calendar and Notes into one single app is a HUGE one.

* The Calendar UI is also fascinating.

* Loved the option to associate an avatar to any contact in our contacts list.”

Deepak M

 

“Great app. I can finally now get my emails on my mac without having to VPN into my work.”

Eric S

 

“Kudos on the Touchdown beta. It is a FABULOUS first effort, and fulfils a long-held wish for me – a lightweight, Mac-centric Exchange client. Works great with our corporate Office 365 accounts.”

Susan K

 

“I bought my Mac in january and have been very frustrated that I couldn’t get my work email.  I can’t tell you how excited I am to find your product.  “

Cynthia Posey

 

“Great app, worked fantastic, try- love it” 

Deepak C

 

“Touchdown team,

 Thank you, thank you, thank you. It has been a long time since I’ve been able to have the same seamless experience with Exchange email on my Mac environment. Literally years. In 2009, I gave up using Entourage. When I gave up, I knew that I was giving up the messages, mail, notes, tasks, and calendar items that (almost) worked in Entourage. 

 Now, I’m loving that Touchdown brings back these missing real-life Exchange-hosted features on my Mac. 

 Keep up the good work,”

-Kent H

 

“Thanks for working on a Mac client. Touchdown is an amazing utility.”

Sirish K

 

“So far, the worst thing I can say is TouchDown keeps all my work email and calendars close at hand. <sigh> No more claiming that I didn’t bring my work computer home…”

Keith P

 

“Hi guys!

I have downloaded and tried TouchDown for Mac and I love it!

A clean and simple Active Sync who do work perfect with office 365!”

Robin J

 

“First and foremost a big Thank You! About time we got a decent mail client for the Mac platform. As an SMB IT Consultant for the past 20 or so years I hear from end users that they’re ‘OK’ with Mac’s mail client, from the admin side it’s pitiful. Just the fact that you’ve added encryption and security is huge! Now I have another awesome tool in my box to share with concerned clients.”

Jeff A

 

Thanks to all our amazing customers!

 

 

 

 

 

 

Why TouchDown for Mac?

Today we get to hear straight from the mind of our developer himself!

Why TouchDown for Mac?

Some of you may wonder why NitroDesk, traditionally a mobile email product developer, would build a Mac version of TouchDown. TouchDown has traditionally been available on mobile platforms Android and iOS, but Mac is really a desktop platform. So what gives?

Last year when we switched from a pure android shop to build an iOS version, it forced some of us to start using Macs as our desktops (it’s hard to build an iOS app on a Windows desktop). Initially we got by installing parallels on the Mac and with using Outlook.  We also had the native Mac client syncing our emails. But eventually we got tired of having to switch between Mac and Windows just to do everything unrelated to development (performance issues due to the two OSs, and the fact that we use Eclipse on Windows to build our android app was another reason – there are several legacy reasons why we could not switch to Eclipse on the Mac). So, we  switched from Parallels to BootCamp to dual boot Win8 and Mac on the same computer. That made life easy in some ways (we could actually boot back and forth and get the job done – Eclipse would actually run in Win8 on bootcamp). Personally the best windows PC I have used is a Mac PowerBook Retina (shhh, don’t tell anyone).

This was a good move in a sense. This helped us focus on one platform at a time. The pain of rebooting to switch from iOS to Android was enough to prevent our minds from wandering.

But it caused a couple of problems

• We would get a notification of emails on our mobile devices as soon as mail arrived. However, if the mail required us to write a reply from a computer, we had to wait and wait until Mac Email finally received the message. This was most frustrating for email junkies like us who needed to finish responding so we could move on to the next task.
• Tooling around in the Mac partition, we discovered this:

Every email received in the Mac Mail app was in plain view in Windows, when using Boot camp. While promiscuous sharing like this between platforms was just great when we need to copy files over from one platform to another, we were not too thrilled with the implications of this (each .emlx file contains the received message in base 64 encoding), which had some serious implications – consider this not too uncommon scenario:

Your CFO is traveling with a MacBook Air and an iPad. You have spent some serious coin on an MDM that would protect the email content on the iPad (probably even mandated the use of TouchDown and an MDM on your iPad). So your corporate data is more secure than Fort KNOX, with a GATE around it. Lose that iPad? You can whip out your cannon and do a remote wipe on it, disable it and nuke it to kingdom come. BUT what happens when he loses the MacBook Air? The MacBook probably syncs with either outlook or Mac Mail. It has waaay more data (no control on email history to download to it) than the mobile device you just nuked. This time around, all you can do is pray for the finder to simply format it rather than trying to get the data out.

YES, laptops are MOBILE!  And Macs are vulnerable when they have a partition!

Consider this other scenario:

Your employees use Macs. Every email they send or receive is in that directory in plain text. Any application they may have downloaded from the internet (you can side load applications with no restriction on what they can do) can contain a Trojan which looks for the Mac Mail directory, enumerating, reading and decoding emails, contacts, calendar, notes etc, looking for passwords, credit-card numbers, (PHI if you are a hospital).

This was indeed an OH CRAP moment for us. We have been working hard for the past five years to protect your corporate information, and still we haven’t done enough for our corporate customers.

Hence TouchDown for Mac.

With TouchDown for Mac, all the data in the application is encrypted, so no other application can read or decode it easily. Without explicit user action, none of the email data or attachments can leak outside the protected sandbox we place around it.  And no, They cannot be viewed in Windows if you dual boot.  Boot away 🙂 “And there’s more!”

…and all the nice tweaks and productivity measures we have added to our mobile apps, and a future resplendent with new ways to work with your corporate email account. (GTD, MYN ? anyone?)

…and PUSH email with an exchange client without being limited to an IMAP connection.

…and the ability for you to import SMIME certs to the application sandbox (not the whole computer) and have touchdown use those to encrypt and sign your emails.

…and the ability to set your OOF.

…and the fact that it may even be a viable solution for implementing the Direct Project (http://directproject.org/content.php?key=overview) – Physicians love Macs (at least mine does), and if we can get them to communicate via secure email, we would have done some good.

Well then, Why NOT TouchDown for Mac!

-g

The bad news about “single click” logins

We are all super busy, running from one place to the next, texting our spouse as we walk to the car and sending an email at the red traffic light (only at a red traffic light, correct?)  So yes, it is tempting to give in to all those supposed time savers like ‘one click’  log-ins.  But do they make your information vulnerable?  Craig Young from Tripwire thinks so.Young reports that the popular  ‘weblogin,’  which allows users to use their Google account credentials as authentication for third-party apps may seem secure because its not sharing the username and password itself; instead it creates a token to represent the your login details.  Google Apps are very popular across businesses of any almost any size due to their low cost, apparent security and ease of access.  However, the use of Google Apps on mobile devices (In this case, an Android device) was demonstrated to have some vulnerabilities by Young at this month DefCon21.

To demonstrate, Young created an Android app that asks for access to the user’s Google account to display stocks from Google Finance.  Once you grant the app permission, the app creates a token to access the data. This makes you feel safe and secure because its not passing on your actual username and password.  However, the evil app sends the issued token to the hacker who created it, who can then directly paste it into a web session, providing access to everyone of your Google Services.   No, not just the Google Finance App you gave permission to use, but Google Calendar, Google Docs, and even your Gmail.  Ooops.

It gets worse if you are an administrator for a Google Service – once the hacker can get into your information they can change your passwords and otherwise take control of every account which you administer, not to mention read private company data.  Which gets me to the more important point: Why is anyone who is remotely concerned about the safety of their email data not using a self-contained email service that doesn’t allow web-logins, single clicks and other vulnerability causing services?  If you are the owner, manager, or client/patient of a business, are you concerned about what security holes the business’ employees are causing when they ‘sign in with Facebook’ or “Google one click” on their Android device while watching their sons T-ball game?  We have to balance our thirst for ease of access with our need to not only keep our information private, but that of our clients and our work’s clients.  Mobile devices are what allow us the freedom to balance work and play, to multi-task, to keep every client and friend in constant contact.  But it is so easy to forget about workplace ethics (including security) wen we’re enjoying that Corona at the Park, checking email to keep up, but taking shortcuts to ‘make it easier.’

So stop using shortcuts, and most importantly, use self-contained data environments (especially for email) that don’t allow other applications on  your mobile device to interact with it.  If it’s too easy for you to access, its probably too easy for someone else to access too.

 

 

 

Who is Hijacking your email account?

 

Black Hat 2013 happened in Las Vegas yesterday – for those of you who don’t speak geek, Black Hat is the annual conference where top computer security officials and hackers get together to chat.  And this years conference even featured a certain general from the NSA.  There was some definite discord in the crowd as he spoke.  But I digress.

By now you all know how obsessed we are with your email security here at TouchDown and why we use encryption that is not vulnerable to the many exploits out there.   What I always find most interesting at Black Hat is all the ways hackers (technological wizards who are pushing the envelope, sometimes for good, sometimes for bad) find out that a user’s information is not secure… Well, at this years Black Hat some interesting tidbits have already come to the surface (and luckily, their exploits does not apply to TouchDown !)

Some of the world’s leading computer security researchers weighed in on security issues and  in somewhat eyebrow raising news, Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) explained how it is possible to utilize some loose ends in popular webbased email services.  The  TLS (Transport Layer Security) technology encrypts and secures website connections, and some of web-based email services have an inherent flaw in the TLS.  When a user goes to log out, it is possible to block this action when the ‘log-out’ request is sent TO the server side –  at which point an un-authorized user can inject an unencrypted TCP FIN message to close the connection. The server-side therefore never gets the request and is unaware of the abnormal termination, and your information is now vulnerable.  YOU get a message saying that you are logged out (you aren’t) and walk away.

What makes it worse is that this attack attack does not rely on software being installed on your computer or some other sort of more obvious way of snooping. All that has to happens is that someone (the bad guy) gets between your computer and and the server, with something as simple as a controlled router or even a wireless hotspot – the “Man in the Middle” Attack.  Its possible because the user receives feedback that the sign-out request has been successfully executed, where in actuality the server is unaware of the user’s request, so the attacker can now access email without the users knowledge.

The way the researchers explained it:

“In essence, we block encrypted messages that are sent over the network to de-synchronize authorisation: we force Gmail and Hotmail [Outlook.com] to display on your browser the page that announces that you have successfully signed-out, whilst ensuring that your browser maintains authorisation with Gmail and Hotmail [Outlook.com]. Given such an announcement, you should be assured that you are secure, in particular, a hacker should not be able to access your email, even if you [log out and] leave your computer unattended. However, we can violate this basic security premise and access your Gmail and Hotmail [Outlook.com] accounts just by reloading the web page.”

This of course caused quite the stir at Black Hat, because the services mentioned by the researchers such as Google and Microsoft are extremely popular.  Smyth and Pironti went so far as to say that:

“…shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).”

Now this “Man in the middle” type of attack is not a new one by any means, but the ease of which this can happen wasn’t apparent to most, especially with services that are considered by the masses as secure and private.  We’ll be reporting more from Black Hat later this week…and continuing to write emails using TouchDown.

 

 

 

More on snooping and email security

A few days ago we wrote about Microsoft’s new OWA iOS app, and the difference between offline clients  and online clients.  Today I want to delve in a little more on the aspects of how email security works on mobile devices.

For example, if you are using a subscription service or another source for email (like yahoo, google, office 365, etc) , your request, once you are online, goes to the server.

Your mobile device then mirrors what is on the server for your account (in the case of an online-only service) or downloads them to a unique server in the case of an offline server.  There is sphere of safety if you are using a subscription or email client that uses security, where the email is mostly secure –   but what happens when the email being sent is sent outside of that sphere of safety, to an UNsecure server?   And if someone or something is snooping trying to get information?

Now take an email client that utilizes S/MIME (Secure/Multipurpose Internet Extensions) with EAS policies and AES Encryption.  You compose an email on your device, and send it with S/MIME enabled.  The data is immediately scrambled, and is unreadable as it gets sent to the server.  It now gets sent from the server, to the next mobile device, still unreadable.  As it passes outside through the sphere of security it remains unreadable, safe from any snooping.  Even when it reaches a unsecure server,  it remains secure until the person who it was sent to uses their security certificate and unlocks the email.  Only then is the data readable.  This is the safest for your data to travel, and the ONLY way to secure your data 100%. (excuse the bad sketches – I don’t draw).

If you don’t want to have anyone snooping in your email, are worried about the security of your enterprise data (or even your personal data), use an email client that secures your data every step of the way.

If you have questions how Touchdown utilizes S/Mime, PINS and other protocols to secure data contact us! http://www.nitrodesk.com

Outlook on the go?

Yesterday Microsoft released an iOS version of their Outlook Web App (OWA) …have you tried it? Probably not, unless you have a subscription to Office 365.  Yes, its super cool that Microsoft offers these apps for free, but free with a price tag of Office 365 subscription just  isn’t….free.  But I digress.

I do love the fact that Microsoft is developing apps for iOS, Im a big supporter of across platform development.  The UI is pretty good, and is different for the iPad versus the iPhone, as it should be.   The UI utilizes touch gestures as well as voice commands, which is great when you are on the go or using it with one hand.

So, congrats to Microsoft for doing more iOS development – keep going, because the potential is there.  Just be aware that OWA apps are an online client, meaning that they only work online…when your device goes online, it simply mirrors what is on the Office 365 (or any other service you use) server.  When that connection is broken, you can not access  your information.  The security aspects of an online client versus an offline client also differ (more on this in tomorrows post).  And in today’s world of online snooping, I still insist the best way to control the safety of your data is to utilize SMIME and AES encryption with policies such as requiring a PIN.

If you want more information on TouchDown’s secure Email, Calendar, Contacts, etc, read the latest blog post about Encrypted email.  Come visit us at www.nitrodesk.com to see what the buzz about our Secure email that works with Exchange is all about.

Encrypted Email in TouchDown

More and more people are using encrypted email as news about the NSA watching our email and hackers stealing our personal information loom large.  We take the encryption and security of your information very seriously here at NitroDesk, which is why our TouchDown email app uses AES-256 encryption.

SSL and TLS are the main tools that provide the majority of security in the transmission of data over the Internet today. Although these are cited as being “secure,” there is actually quite a range in the level of security that is provided, depending on what encryption technique or cipher is utilized. Like any software, some of these encryption tools are quite weak, while others are very secure.

When choosing an encryption tool for TouchDown, AES  (Advanced Encryption Standard) was the clear and obvious choice for its speed and high level of security. It is based on the Rijndael cipher developed by Belgian cryptographers,  Vincent Rijmen and Joann Daemen.   AES was standardized in 2001 after a 5 year review, and is currently one of the most popular algorithms used in symmetric key cryptography (which, for example, is used for the actual data transmission in SSL and TLS.)   It is also the “gold standard” encryption technique; many security-conscious organizations require that their employees use AES-256 (256-bit AES) for all communications.

AES is based on a design principle known as a substitution-permutation network, and is considered one of the faster encryption methods.  AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. AES was first available in Open SSL starting in 2002, and was the basis of most SSL services in UNIX and Linux environments.    AES is FIPS (Federal Information Processing Standard) certified.

At NitroDesk we recommend ensuring that your server is SSL-enabled, and never accessible through non-SSL connections. TouchDown utilizes HTTPS/SSL for communications with the server when the server is configured for SSL encryption, and utilizes AES-256. This ensures that your information cannot be compromised in transit between your device and the server.  Is your information secure on your device?

Remotely wiping your data through TouchDown

Did you know that TouchDown supports the remote wipe command which may be issued by an administrator or a user in the event that the device has been lost or stolen?  This remote wipe process deletes all the corporate data held inside TouchDown as well as any attachments under its control.

Image from nydailynews.com

More on mobile security and secure email

More interesting data from http://www.secnap.com/support/whitepapers/laptop-loss-costs.html indicates laptop security needs to be taken seriously.

In a recent Ponemon study, participating organizations reported that in a 12-month period 86,455 laptops were lost or otherwise went missing. In another study, 53 percent of surveyed mobile professionals carry confidential company information, 65% of those who carry it don’t take steps to protect it.

According to an earlier Ponemon Institute study (conducted independently and sponsored by Intel), The Cost of a Lost Laptop, the average value of a lost laptop is a staggering $49,246.  And what is the cost to YOU if either your  personal information is stole or if you are the one who loses your corporations sensitive data?

Secnap.com reported some interesting findings from The Billion Dollar Lost Laptop Problem report: Out of the 263 laptops per organization that are lost or go missing, on average just 12 laptops were recovered. Forty-three percent of laptops were lost off-site (working from a home office or hotel room); 33 percent lost in transit or travel; and 12 percent were lost in the workplace. Twelve percent of organizations said they don’t know where employees or contractors lose their laptops. Although 46 percent of the lost systems contained confidential data, 30 percent of laptops lost had disc encryption, 29 percent had backup, and just 10 percent had other anti-theft features. Industries that experience the highest rate of laptop loss are education and research; health and pharmaceuticals were next, followed by the public sector. Financial services firms had the lowest loss rate. Laptops with the most sensitive and confidential data are the most likely to be stolen. However, these laptops are also more likely to have disc encryption.

Or take an incident that happened last year, when a worker from Boston Children’s Hospital went to Argentina and had her Laptop stolen at a conference. The laptop was password-protected but not encrypted. A file containing patient information had been sent to the laptop as an email attachment. Even though the file was not saved to the laptop’s hard drive, it was still on the laptop as an email attachment at the time of the theft, exposing over 2000 patient’s medical information. Is your email secure?

How do you protect your data on your laptop?  What is your security plan if it is stolen?