Another reminder to change your passwords, setup Multi-Factor Authentication

by Ed Sparks

Widely reported in the tech media, but well handled and addressed by the company itself, the scope of the recent Cloudflare data leak is somewhat staggering, as the service is so widely used.

A Github page is currently tracking sites affected by the issue, and there's some big names on the list. In fact the list is so long, we recommend changing your passwords on most important sites, and, if not already configured, taking this as an opportunity to setup a password manager and multi-factor authentication.  All of the major services support this now, and Microsoft and Google both have great apps to simplify the process.

We recommend Dashlane and LastPass password managers, and a quick browser search will find detailed information on how to setup two-factor/multi-factor authentication at all the major sites.

Stay safe!

Now with more padlock

by Ed Sparks

We're pleased to report that starting today, our site has now switched to HTTPS.

As has become an industry best-practice, all pages will now be loaded securely via TLS, and any existing links to pages will automatically be redirected to the secure version.

With hacking an ever increasing threat, visiting us over HTTPS site rather than regular old HTTP protects you against many malicious activities, and is an insurance the content has not been altered.

Office 365 / Azure AD Password Synchronization Security

by Ed Sparks

We are often asked by customers how secure it really is to synchronize their passwords to and from Azure AD, be it standalone or as part of Office 365.

Our short answer:

The passwords themselves are never sent over the wire in either direction. In all cases only password hashes are sent.

The longer answer is easily derived and supported both from TechNet articles and various third-party sites. The key take-away is that only the hashes are ever retrieved, additional encryption applied, and then that is sent to Azure AD or back.  The passwords themselves are never used or sent.

From TechNet:

The Active Directory Domain Service stores passwords in form of a hash value representation of the actual user password. The Password hash cannot be used to login to your on-premises network. It is also designed so that it cannot be reversed in order to gain access to the user’s plain text password. To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service.

When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services.

Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer's on-premises environment.

From A Third-Party

An independent company that makes SharePoint and Office 365 tools also performed their own analysis, down to the packet capture level. What they found was:

The hash over the wire that is captured is not an MD4 hash of clear text password. It is a secure PBKDF2 key derived from SHA256 hash of the MD4 hash (derived from crypto API documented at per RFC 2898.

Read more at their blog post:

Overall we're very confident using this functionality at our customer deployments, and Microsoft have created a well thought out and secure implementation.

Alert! You can now get Cryptolocker just by visiting a Flash-enabled website

by Ed Sparks

The train wreck that is Adobe Flash continues!  As of this writing, it is possible for a website with the right (bad!) Flash content to use a combination of exploit code to infect computers with malware up to and including CryptoLocker (!!) just by visiting the site. No user interaction required.  This is about as bad as it gets, due to the ubiquity of Flash.  Steve Jobs' vendetta against this software was one of the times we fully agreed with him.

Image from ThreatPost

Image from ThreatPost

As is being widely reported, this is due to a (so far) unpatched flaw in the latest versions of Flash Player on Windows, and newly published exploit code by the "Hacking Team." Apparently - get this - hackers broke into the Hacking Team site and are now publishing their hacks, or something. We need to find these people a hobby, or Adobe needs to hire all of them.  

What can you do?  Update Flash the minute a new version is available, but more substantially it would be useful to start looking at the feasibility of broadly disabling it in your browser, as many sites are now switching primarily to HTML 5 content, and the majority of sites still requiring flash are older or advertising based.

Additionally, Administrators and Users can look at enabling the "Click to Play" functionality in many browsers.

More on the subject:

Canadian Public Data in the Public Coud

by Ed Sparks

Customers - particularly in Canada - often wonder if they can legitimately store their data in the public cloud.  The short answer in almost all cases seems to be yes, with British Columbia public-sector (and industries serving them) being a complicated exception. has published a good article on this topic that includes an interview with a computer science doctoral candidate specializing in privacy in Canada.  It's useful reading on the topic and addresses many of the relevant legislation and questions.

When speaking about cloud, the terms “data sovereignty” and “data residency” come up frequently.  Within the private sector, there is still a great deal of FUD (fear, uncertainty, and doubt) about topics such as the Patriot Act.  A fair bit has been written about this topic here on ITBusiness.

The abridged version of the discussion is simply that while private companies may want to keep data in Canada for customer perception or personal comfort reasons, there is no valid regulatory reason not to put data outside of Canada. There is also not much extra protection from U.S. law enforcement.  See “Keeping data here no protection against US” as a good article on the topic.

The question then moves to public sector organizations who have to abide by different regulations and privacy legislation than most private sector companies.  PIPEDA impacts everyone, and needs to be taken very seriously by public sector, but what about regulations such as the Personal Health Information Protection Act (PHIPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).  Do they limit what public sector organizations can put in the cloud?

The full article is available here.


The shockingly easy way to hack or reset a forgotten Windows password

by Ed Sparks

This trick has been around for years, and long assumed fixed.  Surprisingly, while recently investigating a related issue we discovered this one is still going strong in Windows 7 and 8 (along with Vista, where it originated).

Image Courtesy Icone-gif

Image Courtesy Icone-gif

In what has become known as the "Utilman Trick," if you are able to physically access a system and boot from a Windows install or recovery disk, you can quickly change a file, reboot into the original Windows install and with a few clicks change the password of any account.  You can also create new accounts, and perform all order of administrative management.

While Bitlocker, or physically denying access to the system will obviously solve this, it's shocking that this continues to exist.

The details, and simple process are well documented here at Technibble, among hundreds of other places.

Here it is in a nutshell:

1. Recovery Boot

cd windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe

2. Normal boot

net user administrator newpassword

Yes, really!

Two-Factor Authentication Comes of Age

by Ed Sparks

Two-factor Authentication - "something you know, and something you have" - is the number one thing you can do to protect yourself online.  While this used to be a complex and difficult process to setup and utilize, it has now become a relatively common and simple affair thanks to the ubiquity of smartphones and "authenticator apps".  

Lifehacker has just updated their excellent article titled "Here's Everywhere You Should Enable Two-Factor Authentication Right Now"

Check it out, then immediately go and turn on two-factor everywhere you can!  You'll be thankful when the next huge security breach of a major website happens.