Archive for the ‘microsoft security’ tag
In response to a security breach, Dropbox promised to add an optional new layer of security known as two factor authentication. If you want to add two factor authentication to your own app but don’t know where to start, you’re in luck: Authy is a Y Combinator backed startup launching today that makes it easy to add optional two factor authentication to your application. You just add some API calls to your app and your users will be able to use their phones as a second layer of authentication.
Two factor authentication means you need something extra besides just a password to access a site or service – something you have, something you know or something you are. Something you have could be a security card or a hardware dongle. Something you are could be proved with biometrics, like a thumb print or retina scan. Something you know could be your mother’s maiden name, a security question or a particular image. In the case of Authy, it’s a combination of something users have, their cell phones, and something they know: a number generated by Authy.
Users can get the required number, called a token, from Authy either through SMS or by installing an app. You can find out more about how the process works on the Authy site.
Authy was founded and developed by Daniel Palacio. For the past two years Palacio has been working as a penetration tester – one of those people who get paid to spend their days (or nights or both) trying to find ways to break security systems. Before that he worked for Microsoft on the Windows security team (*cue jokes about Microsoft security* – OK, are we done now? Alright, moving on…).
Palacio tells me that he was sick of everything relying on only passwords for authentication. And though he uses a unique password for every site and service he uses, he knows he can’t expect everyone on the internet to do the same. “We know we’re not all going to go around with hardware token, we’re not all going to use different passwords for every site,” Palacio says. “So what are we going to do? Two factor is next best thing.”
Authy started as a personal project to add two factor authentication to another app Palacio was working on, but then he realized that he could make it into a service that anyone could use. He says he was particularly influenced by Twilio, a company that provides an API for adding SMS and voice features into your apps. “We built our API around Twilio, I always loved how you could do SMS in five minutes,” he says.
Like any other form of security, two-factor authentication isn’t perfect. Your phone could be lost or stolen. And if lots of sites all started using Authy, what would happen if it were cracked? I asked Palacio about this and he points out that even if Authy were compromised, a criminal would still need your password to access your sites.
If you get a new phone, you can request a reset number from Authy that can be used to reinstall the app. If you changed numbers as well as phones you can request the reset number be sent to your e-mail address. The service will send a confirmation message to your old number and if it doesn’t hear back in 24 hours, and no one tries to access anything using your old Authy app during that time, you can then change your number in the system and add the app to your new phone.
I’d want to see this reviewed by some security experts before I used it, but it’s a cool idea and could join companies like SendGrid, Twilio and New Relic in this growing category of nearly invisible apps that help developers build better products.
The PC crapware problem has finally gotten bad enough that Microsoft is now charging users to fix it.
For $99 Microsoft is now offering to strip consumers’ Windows PCs of all unnecessary software pre-installed by PC makers, AllThingsD reports. Affectionately dubbed “crapware”, the software is installed by PC makers in exchange for cash from vendors and is almost universally hated by owners of new Windows PCs.
This makes the removal program an arrangement bordering on a racket: PC makers get paid to put the software on computers, and Microsoft gets paid to remove it. Perhaps this questionable situation is part of the reason Microsoft never made it a priority to advertise the offer, even though it’s been around since 2010.
To be fair, as Microsoft PR pointed out to VentureBeat over the phone, the $99 fee is more than just crapware removal. Also included in the offer are things like Windows 7 and Microsoft Security Essentials installation, data transfer, and 90 days of free phone support.
The program is offered via its Microsoft Stores, of which there are a disappointing sixteen. It’s an expansion of Microsoft’s “Signature” initiative, wherein Microsoft sells crapware-free PCs directly to consumers. That program has been around since 2009, though it’s never been very well publicized. (Paul Thurrott first reported on it back in February.)
A better solution? Prevent the software from being installed in the first place.
Microsoft Security Essentials Updates with Better Performance, Virus Detection, and Interface Changes [Microsoft Security Essentials]
Antivirus software is somewhat of a necessity if you’re a Windows user, but the software you choose really does matter, and one app might not be enough. Security expert Brandon Gregg believes that your best bet is a combination of Microsoft Security Essentials (our pick) and a free or open-sourced product. Here’s why.
This morning, a Microsoft security software program started deleting Google’s Chrome browser from users’ computers.
So far, Microsoft reports that around 3,000 users were affected.
The company has acknowledged the mistake and issued a fix to the software that caused the issue. A Microsoft spokesperson stated, “We apologize for the inconvenience this may have caused our customers.”
The security software in question, Microsoft Security Essentials (MSE), had accidentally flagged Chrome as malware. Specifically, MSE thought Chrome was PWS:Win32/Zbot, a trojan that would steal passwords.
Users began reporting the issue at around 8 a.m. The first user to identify the issue wrote in the Google help forums, “This morning, after I started up the PC, a Windows Security box popped up and said I had a security problem that needed to be removed. I clicked the Details button and saw that it was “PWS:Win32/Zbot”. I clicked the Remove button and restarted my PC. Now I do not have Chrome. It has been removed or uninstalled.”
Microsoft now tells us that MSE versions 1.113.672.0 and higher include an update that will prevent Chrome from being flagged. If you’re an MSE user and the software has already blocked or removed Chrome from your PC, you will need to manually update Microsoft Security Essentials then reinstall Chrome. The official Google blog has detailed step-by-step instructions on how to do that, and Microsoft has the latest MSE virus and spyware definition updates available online, as well.
A Google spokesperson wrote in response to Windows and Chrome users’ complaints about the issue that, although the software’s hypersensitivity caused some rather significant issues for many users today, the same users should still “be cautious when allowing exceptions in antivirus or protection software; there are legitimate trojans that are included in the MS Security update, Zbot included.”
Neither company gave any indication that the incident was either intentional or malicious. We’re waiting to hear back from Microsoft as to why Chrome was flagged in the first place.