Passwords Passé? Industry Effort to Replace Them Now Has Apple Onboard

Unless you’ve got an absolutely stellar long-term memory you’re likely one of the millions of people around the world who rely on some type of password reminder or organizer app to be able to remember passwords from time to time. It’s natural that the ones you use regularly are fairly committed to memory, but we all have ones that don’t need to be entered very often. These are the ones where we may well be drawing a blank when it comes time to use them, and where a password reminder app comes in especially handy.

But then there’s the ongoing fact that even the strongest, most unique password isn’t 100% failsafe: it does nothing against a phishing page, a keylogger or a breach at the service itself, and being ‘hacked’ does happen to a lot of people. Add to that the fact that in today’s increasingly digital world we have more passwords to keep track of than ever before, and for some people passwords are going to be both untrusted and inconvenient. Here at 4GoodHosting, as the leading Canadian web hosting provider and the digital world enthusiasts we are, we can certainly relate to the sheer volume of passwords adding up and being tough to keep track of.

However, it seems that passwords might actually be becoming a thing of the past, and web security experts are venturing their opinions that there may be a more effective, and less demanding, way to ensure that access to an account isn’t available to just anyone online.

This is what we’re going to discuss in our entry for today – are character and numeric passwords soon to become obsolete, and is there something better and more user-friendly while still equally effective in the works? It seems that there is.

Who’s the ‘FIDO Alliance’

Say the word Fido and most people will immediately think of a less-expensive cell phone provider, but when it comes to web security the FIDO Alliance is something else: FIDO stands for Fast IDentity Online. They’re an authentication standards group dedicated to replacing passwords with a different, faster and more secure method for folks who want to log into online services reliably and safely, without any fuss or any need to keep notes on sometimes hundreds of different entries.

What’s noteworthy in all of this is the fact that super-entity Apple has now gotten onboard with the FIDO Alliance and is adding their big-time resources to the quest to make no-password-required secure access a reality sometime in the not-too-distant future. They’re joining a group that already includes Amazon, Facebook, Google, Intel, Microsoft, RSA, Samsung, Qualcomm and VMware. Financial service firms are already in the mix too, like American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.

Rise of the Cloud a Big Factor

In an increasingly cloud-based digital world, FIDO is a key authentication initiative and one whose promise companies have seen quite quickly. If there is going to be a password-less world, what is going to take passwords’ place? Good question, and the FIDO Alliance has an answer for you. Since 2012 they’ve been pushing public-key authentication, first as a second factor alongside passwords and now as a replacement for them, because passwords and pass codes are always going to be insecure to at least some degree.

To highlight that fact, they rolled out this stat: 81% of hacking-related breaches can be traced to stolen or weak passwords, and this is a figure a variety of industry interest groups agree on (the number itself comes from Verizon’s Data Breach Investigations Report in the US, which needs to be said). Choosing to rely on a username or email address plus a password, or not having any other choice, means you are rolling the dice: a password reused from another breach can be tried against your account (credential stuffing), and a phishing page or credential-stealing malware can capture it the moment you type it in.

WebAuthn at Its Best

The Web Authentication API (better known as WebAuthn) has been taking root in this part of the digital world for some time now, and with great success. The WebAuthn specification is already supported, to different degrees, by the Chrome, Firefox and Edge browsers, and it’s safe to assume new ones coming in the future will support it too. Those browsers also support creating credentials with a roaming U2F/FIDO security key, which can connect over Bluetooth, NFC or USB to provide a second factor to online services and apps.

It was just two years ago that Apple added experimental support for the WebAuthn protocol in Safari. And at the end of 2019, with iOS 13.3, they added native support for FIDO-compliant security keys over NFC, USB and Lightning. This meant that the same key could now be used across desktop and mobile without vendor-specific software, in much the way Bluetooth made peripherals work across devices when it arrived on the scene.

It means greater numbers of devices with features and functions can be used to provide authentication. As examples, mobile devices or laptops may use fingerprint readers or facial recognition technology to enable log-in. The key in making this work was determining and implementing a common language that could be leveraged for authentication. Fail to do so and proprietary drivers and software would be required.

FIDO, like Bluetooth, allows application developers and security leaders to enable strong authentication that encompasses a wide range of authentication methods, while making it available on devices with minimal code and no need for proprietary drivers of any sort.

It has the potential to mean that digital services from banks, ecommerce sites and others can recognize users through their devices, without having to rely on those users entering correct usernames and passwords.

How it Works

FIDO’s specification lets anyone using it gain access to an app or online service with a public/private key pair instead of a shared secret. When the user registers with an online service (the ‘relying party’), the authenticator on or attached to the user’s device (a phone’s secure enclave, a laptop’s TPM, or a plug-in security key) creates a private/public key pair that is unique to that user and that service. The private key never leaves the authenticator, while the public key is sent to the service and stored alongside the user’s account. Because each key pair is scoped to the site that registered it, a look-alike phishing domain can’t ask the authenticator for a signature, and a breach of the service’s database yields only public keys, which are useless to an attacker.

Authentication occurs when the service’s server sends a fresh, random challenge to the user’s device. The authenticator will only sign that challenge after it is unlocked locally by the user. That local unlock is a secure action such as a biometric reader (fingerprint scan or facial recognition being common and already-seen examples), entering a PIN, speaking into a microphone, or touching or inserting a second-factor device. The server then checks the signature against the stored public key; the challenge is single use, so a captured response can’t be replayed.

 

FIDO and U2F

U2F is an open authentication standard that lets internet users securely access web-based resources with one security key, instantly and with no need for drivers or client software. FIDO2 is its successor: it pairs the WebAuthn browser API with the CTAP2 protocol for talking to authenticators, and keeps U2F alive as CTAP1 so existing U2F keys still work as second factors.

As you might expect, the other mega-giant, Google, is involved as well. Google has been a member of the Alliance from its early days, and last April Android devices running 7.0 and up received FIDO2 certification, which means the phone itself (unlocked by fingerprint, PIN or pattern) can act as the authenticator.

The industry consensus is that the FIDO authentication protocol is more than sufficiently secure and allows a lot of flexibility because of its wide-ranging industry support. For Mac users, there is a smart-card-style login on the way from a company called Jamf that will allow users to sign into Mac devices from the cloud using elliptic-curve key pairs in much the same way.

All of which promises to be good news for those of you who would never be able to commit all your passwords to memory, but aren’t particularly keen about sifting through them in a password app and then copy / pasting them into the field. In fact, we should look to this trend as one that really should take off in a big way over the course of the next couple of years.

Chrome 80: Everything You Need to Know

Shouldn’t come as much of a surprise that Google Chrome continues to be the world’s most preferred web browser, and there doesn’t seem to be much of a risk of it relinquishing that title anytime soon. Sure, there’s going to be plenty of iPhone users that will be perfectly fine with Safari when web browsing with their mobile devices, but even most of them will probably spend more than a little time using Chrome on their notebook or desktop. One thing’s for sure, both of them (along with Firefox) have definitely left the now-obsolete Internet Explorer in the dust.

 

Which is the way it should be, but it’s still true that even Google’s super-popular web browser hasn’t avoided having a few glitches as it’s been progressively rolled out. Here at 4GoodHosting, we imagine we’re just the same as any good Canadian web hosting provider in that we understand that a person’s web browser of choice is going to be very relevant to how well they experience the websites and other dynamic multimedia content offered by the very same kinds of clients we host. It’s for that reason we’ve decided that a brief overview of the extensive Chrome 80 version update is a worthwhile topic of discussion for this week’s blog.

 

So let’s get to it.

 

Ambitious and Extensive Offering

 

Chrome 80 arrived a week and some back, and it’s been promoted most notably as putting the clamps on cookies while patching 56 vulnerabilities at the same time. Google reportedly paid out about $48,000 in bug bounties for the externally reported flaws, with 10 of the 56 rated ‘high’ severity. Half of those 10 were submitted by engineers of Google’s own Project Zero team.

 

Chrome updates in the background, so most users can complete the upgrade simply by relaunching their browser. If a manual update is needed, select ‘About Google Chrome’ from the Help menu under the vertical ellipsis at the upper right. You’ll then see a tab that either shows the browser has been updated or displays the download progress before making a ‘Relaunch’ button available.

 

Limiting Function of ‘Cookies’

 

This is a huge part of what makes the Chrome 80 update such a big deal, and especially for anyone who feels a little put off about how their computer seems to ‘know so much about them.’

 

Google had already promised it would find a way to restrict cookies. For those of you who may not know what a ‘cookie’ is, they are small pieces of data (not code) that a website sets in your browser and that the browser sends back on later requests, which is how sites identify individual users and keep you logged in. The restriction is being done through the SameSite cookie attribute. SameSite was designed to give web developers a way to control when a browser will send a cookie: on every request, only on requests that come from the cookie’s own site, or somewhere in between.

 

The Chrome 80 update means Google will begin enforcing SameSite. Cookies meant to be used from a third-party context (ones attached to requests not initiated by the site the user is currently visiting) must now be explicitly labelled SameSite=None, and a cookie labelled SameSite=None must also carry the Secure attribute, so it is only ever sent over HTTPS; a SameSite=None cookie without Secure is rejected outright. Enforcement of the new cookie classification was scheduled to commence later in February, and we should remember that Google generally prefers to roll out new features and other changes in stages, to verify things are working as expected before making them available to its enormous pool of users. The company has stated that the week of Feb. 17 is going to be the switch-on-SameSite salvo, so we may get news of that today or tomorrow in confirmation.

Another aspect of Chrome 80 is that cookies without any SameSite attribute will be treated as SameSite=Lax by default. In practice that means they are still sent when you type the site’s address or follow a link to it, but not on cross-site subresource requests or cross-site form posts, so a third-party cookie from an external ad distributor tracking users as they wander the web won’t be sendable unless it opts in with SameSite=None; Secure.

 

It’s believed that the idea behind this is an aggressive push by Google to motivate site makers and other cookie distributors to get behind the SameSite standard, and that with Google Chrome being the industry leader for web browsers they will have little choice. We’ll keep in mind that SameSite is not Google’s answer to the increasingly aggressive anti-tracking positions taken by rivals like Mozilla and Microsoft; a tracker that sets SameSite=None; Secure is still allowed. Where Google is quick to tout SameSite is its security benefit, and especially its role in preventing cross-site request forgery (CSRF) attacks: a cookie that isn’t sent on a cross-site form post can’t be used to ride a logged-in session.
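To make the new rules concrete, here is an added example (not Chromium code, and not from the original post) that models Chrome 80’s cookie decisions in JavaScript against a few constructed Set-Cookie headers: a legacy tracker with no attribute, the broken and the correct SameSite=None opt-in, and a hardened session cookie. The header values are made up for the illustration, and the two-minute Lax+POST grace period Chrome grants attribute-less cookies is deliberately left out.

```javascript
// Added example, not Chromium code: a small model of the cookie rules Chrome 80
// enforces, applied to a few constructed Set-Cookie headers. The two-minute
// "Lax+POST" grace period for attribute-less cookies is omitted.

// Parse the parts of a Set-Cookie header we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    else if (key.toLowerCase() === 'samesite') cookie.sameSite = val.trim().toLowerCase();
  }
  return cookie;
}

// Chrome 80 drops a cookie entirely if it says SameSite=None without Secure.
function isAccepted(cookie) {
  return !(cookie.sameSite === 'none' && !cookie.secure);
}

// Would the browser attach this cookie to a request made in this context?
// req: { sameSite, topLevelNavigation, method, https }
function willBeSent(cookie, req) {
  if (!isAccepted(cookie)) return false;
  if (cookie.secure && !req.https) return false;
  if (req.sameSite) return true; // first-party requests are unaffected
  // Missing or unrecognised SameSite now means Lax (the Chrome 80 change).
  const mode = ['strict', 'lax', 'none'].includes(cookie.sameSite) ? cookie.sameSite : 'lax';
  if (mode === 'none') return true; // explicit opt-in to cross-site use
  if (mode === 'strict') return false; // never leaves its own site
  // Lax: only top-level navigations with a safe method (e.g. following a link).
  return req.topLevelNavigation && req.method === 'GET';
}

// Constructed request contexts, all over HTTPS to the cookie's own site.
const SCENARIOS = {
  sameSite: { sameSite: true, topLevelNavigation: false, method: 'GET', https: true },
  crossSiteEmbed: { sameSite: false, topLevelNavigation: false, method: 'GET', https: true }, // ad iframe, tracking pixel
  crossSiteLink: { sameSite: false, topLevelNavigation: true, method: 'GET', https: true }, // link clicked on another site
  crossSitePost: { sameSite: false, topLevelNavigation: true, method: 'POST', https: true }, // classic CSRF auto-submitted form
};

// For one header, report whether the cookie survives and where it would be sent.
function evaluate(header) {
  const cookie = parseSetCookie(header);
  const sent = {};
  for (const [name, req] of Object.entries(SCENARIOS)) sent[name] = willBeSent(cookie, req);
  return { accepted: isAccepted(cookie), sent };
}

// Constructed headers: legacy tracker, broken and correct cross-site opt-in, hardened session.
const HEADERS = {
  legacy: 'tracker=abc',
  brokenOptIn: 'tracker=abc; SameSite=None',
  correctOptIn: 'tracker=abc; SameSite=None; Secure',
  hardenedSession: 'session=xyz; SameSite=Strict; Secure; HttpOnly',
};

for (const [label, header] of Object.entries(HEADERS)) {
  console.log(label, JSON.stringify(evaluate(header)));
}
```

The legacy cookie still works for first-party use and for a link into the site, but silently disappears from embedded third-party requests and cross-site POSTs; the SameSite=None cookie without Secure is dropped everywhere, which is the breakage site owners were warned about; and the Strict session cookie is the CSRF-resistant setting the post alludes to.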

 

A Cease to Notification Nagging

 

Chrome 80 is implementing the quieter notifications that Google promised last month too. Instead of letting sites place pop-ups on the page requesting permission to send notifications, following the Chrome 80 update you’ll instead see an alarm bell icon with a strike-through near the right edge of the address bar. We’re one of the many who’ve found notification pop ups to be very annoying, so this is very likely going to be extremely well received.

 

Users will be able to manually engage the new notification UI using an option in Settings > Advanced > Privacy and security > Site Settings > Notifications. Toggle the “Use quieter messaging (blocks notification prompts from interrupting you)” switch and you’ll immediately have activated the pop-up blocker.

 

Google has said it would also automatically enable the quieter UI for some users: those who repeatedly deny notification requests will be auto-enrolled in it. Google will automatically silence some sites too, targeting ones that fish extremely hard for notification enrolments.

 

Tab groups are also expected to debut in Chrome 80, but as of this writing that feature has yet to be fully rolled out. For those of you eager to see it, this is how you can check:

  • The option to turn it on is behind chrome://flags: search for Tab Groups, change the setting at the right to Enabled, and relaunch the browser

Google is claiming that the feature should begin rolling out to users with Chrome 80, but it may not be in final form until Chrome 81, which is scheduled to arrive on March 17, 2020. When it does, users should be able to right-click tabs and choose new menu items to create groups, assign tabs to them or remove tabs from those groups.

 

One last thing to note about the Chrome 80 update is that it will allow administrators to block employees from installing external add-ons. Administrators can use the BlockExternalExtensions policy to stop the practice.

Security Risks Increasing Considerably When Moving Sensitive Data to Enterprise Cloud

Stick your head around pretty much any corner and there’s bound to be something about the ever wider reach of cloud computing and what it promises for the future of the digital world. The ability to use storage you don’t physically own, and to share data without requiring physical access to that storage, has really been a game changer. Now, with good usually comes at least a little not-so-good, and, surprise, surprise, cloud computing is no exception. However, if there was a ‘do over’ button would anyone press it and go back to the days of exclusively on-premises storage and access?

Not a chance.

Cloud computing is going to be one of the centerpieces of modern computing technology for the foreseeable future, so we are going to need to accept and overcome a few bumps in the road along the way. Increased security risks are at the forefront of everyone’s mind in the digital realm these days, and here at 4GoodHosting we’re like any reputable Canadian web hosting provider in that we’re making enterprise-level security measures standard with most of our web hosting packages.

And while we’re huge fans of cloud computing, our expertise is in web hosting and we don’t claim to know much if anything about security risks related to cloud computing. However, research is something we ARE very proficient with, and as such we’re always happy to dig into topics that our customers are likely to find relevant to what they do day to day on the World Wide Web.

Cloud with Caution

And so here we are in a brand new decade, and no one will be surprised that enterprises continue to feed their clouds with increasingly sensitive information. However, doing so appears to be increasingly risky, and decision makers are being urged to move forward with caution. A recent study of anonymized data from 30 million enterprise cloud users found that roughly 26 percent of files analysed in the cloud now contain sensitive data, a figure that has been increasing some 23% year over year.

This becomes potentially problematic when you consider that 91% of cloud services do not encrypt data at rest once it enters cloud storage. That means that of every 10 services, more than 9 leave the data sitting in the cloud poorly guarded, if guarded at all, should the storage itself be exposed.

Now, to be fair, data loss prevention (DLP) software does exist and a lot of it is quite good and reasonably effective. However, it’s also estimated that only 37% of companies say they are using DLP for their cloud services. Add to that that nearly 80% of companies see access to enterprise-approved cloud services from personal devices, and, perhaps more alarmingly, a quarter of companies report having had sensitive data downloaded from the cloud to an unmanaged personal device.

Spotty Security and Risk Management

It’s not that the current infrastructures in place are bad, more that they’re insufficient and spotty in how and where they’ve been rolled out. Gaps in data visibility and protection continue to mean that certain networks look very inviting to breach attempts and fall short on compliance.

A recent survey found that 93% of respondents agree that the responsibility to secure data in the cloud is theirs. However, many of these same respondents say there is an emerging trend in the industry where there are simply not enough individuals with the skills required to put the right infrastructure in place and maintain it. SaaS (software as a service) is new, but it’s not that new, and to some degree it’s hard to believe this assertion.

It IS fair to say, however, that technology and training continues to be outpaced by cloud’s aggressive enterprise growth. The expression ‘growing pains’ may be very appropriate here.

Smart Reactionary / Precautionary Measures

So what are the recommendations for anyone with above-average concerns about sensitive data of theirs being stored in the cloud?

Here are 3 things you can – and should – do to increase security of cloud-stored data:

  1. Evaluate your data protection strategy for devices and the cloud

Consider the difference between a disparate set of technologies at each control point, along with the advantages of merging them into a single set of policies, workflows, and results.

  2. Investigate the breadth and risk of shadow IT

Determine your scope of cloud use, and put a primary focus on high-risk services; then move to enabling your approved services and restricting access to any that have the potential of putting data at risk.

  3. Plan for the future with unified security for your data

Context about devices improves cloud data security, and context about the risk of cloud services improves access policy through the web. Many more efficiencies will exist, while some are yet to be discovered. The smart merging of all these control points will be what delivers the future of data security when it comes to utilizing all the advantages of cloud storage and access.

In conclusion, a last consideration is to look a little longer at which sensitive files would be fine in local, on-premises storage and better off there, with the inherent control that comes with it. Never look at cloud storage as something to be used just because it’s there. If you don’t see a particular set of files as needing the ease of access the cloud provides, and they don’t take up much space, then perhaps they’re just fine staying stored where they are.

 

New Windows 10 Patch More of a Problem Creator than Problem Solver

It’s not often we choose to use relevant recent software news as the subject for our weekly blog post, and the reason for that is not only because there’s usually plenty more noteworthy news out there, but also because often times these software shortcomings don’t affect a large swath of people. However, any time it’s about anything related to a Windows OS issue then the sheer number of people that rely on that particular operating system make it so that it’s worthy of mention. We’re certain that the software engineers that put out these patches are qualified and have best intentions, but we all get it wrong sometimes.

Here at 4GoodHosting, we’re just the same as any quality Canadian web hosting provider in that we see the value in putting certain news on the billboard, if you will, so long as it will be welcome information for a good many of our customers. Now we’re fairly sure there are more than a few of you sitting with a Windows OS device in front of you, so that’s why we’ve decided to make the shortcomings of the new Windows patch our topic of discussion this week.

Admittedly it’s not the most engrossing stuff. But if it leads even a few of you to avoid major headaches by skipping this patch and ‘leaving well enough alone’, as the expression goes, then we will have done something for the collective good.

Alright, let’s get to it.

A Not-So-Good Fix for Search Function Bugs?

Microsoft recently issued a Windows 10 update, KB4532695, that was promoted as the cure for the long-standing bugs in the search function that have been a real thorn in the side of Windows OS users. To get right to the meat of it, what seems to have happened is that in the effort to fix the search bugs (which was partly accomplished), this patch has tampered with other parts of the OS and introduced a whole manner of new issues.

Hate to be overly critical, but sometimes you just have to call it as it is – this is really quite the mess for Windows 10 users who were simply looking to get past the Search hang up. If you haven’t downloaded the newest Windows 10 patch yet, you might want to avoid doing that altogether.

And here’s that worst-case scenario we were talking about: more than a few people have reported installing update KB4532695 and then receiving a ‘blue screen of death’ for their troubles, meaning their PC crashes and may need a trip to see a computer repair tech unless you’re something of one yourself.

The bad continues; if a thread on Microsoft’s Answers help forum is to be believed, the patch isn’t done there when it comes to undesirable outcomes: reported boot failures, disabled audio and sound cards, Bluetooth rendered useless, and connecting to the Internet becoming an impossibility, even after reboots.

And even if your PC still boots fine, it may be sluggish and annoyingly slow. Some people described being stuck at the splash screen for a good 5 minutes at least, and only uninstalling the update fixed this for them.

Glitches Too

KB4532695 is something of a failure for other reasons too; while it’s true not everyone is going to experience ALL of this, it’s still expected to be a huge nuisance for a number of people to the extent that the onus is definitely on Microsoft to fix this, and fix it without too much delay.

Fortunately, uninstalling the update IS possible, and it may well be your best choice to do so, put up with poor search functionality for the time being, and wait until a better and more complete patch is issued from Redmond.

Search Fix, Any Fix?

We’ve established that this patch does little to fully solve the search problems with File Explorer, despite that being the reason for its creation. We will give credit where it’s due and say the KB4532695 patch DOES resolve the issues with right-clicking and with the search bar being unresponsive. However, there are still bugs affecting the bar even after installing this patch, so that’s a negative too.

Users have reported having to left-click twice to get the cursor to appear in the place where they’re clicking inside the search bar. Apparently you need to left-click first before a right-click on the search bar has any function.

Obviously this wasn’t intentional, and I’m sure certain individuals have been told to get back to the drawing board without delay, but one thing’s for sure: this new Microsoft search bar patch is something of a dud. Not recommended, especially if you can make do until a PROPER and FUNCTIONAL successor arrives.