
Tag: storage services

UK Educational Institutions Turn to DataCore to Overcome Critical IT Challenges

Schools and Universities Reduce Infrastructure Costs, Super-charge Performance and Achieve Higher Availability. READING, UK, January 24, 2017 – DataCore Software, a leading provider of Hyper-converged Virtual SAN, Software-Defined Storage and Adaptive Parallel I/O Software, has today announced that a growing number of UK educational institutions are deploying its scalable storage services platform, SANsymphony™, to address their critical IT challenges, increase performance and reduce infrastructure costs.

From leading data and research-rich university seats of learning -... Source: RealWire

Mobile is still the safest place for your data

When I talk to IT managers, I almost always hear fears of mobile devices as conduits for sensitive corporate data to leave the company.
I don’t know why I keep hearing this.

There’s simply no evidence to support this fear.
In fact, there’s solid evidence that says mobile devices are not a significant—or even moderate—risk factor. Every year, I check the Identity Theft Resource Center’s database of personally identifying information (PII) breaches, which require disclosure by both state and federal laws.
I’m sure many losses go unreported, and the database doesn’t cover corporate information not containing PII.

But if mobile devices were a conduit to data loss, they should show up in this database. Mobile-linked breaches haven’t shown up in previous years, and they didn’t show up again in 2016—despite the fact that nearly everyone these days uses a smartphone. What does show up? Paper records, thumb drives, external hard drives, laptops, hacks into databases and storage systems, and successful phishing attempts. Many of the reported breaches involve lost papers, drives, and laptops, where a data thief probably wasn’t involved.

But many involve active hacking of IT systems where data theft is the goal.

And some involve insiders (contractors and ex-employees) stealing data to use themselves, bring to new employers, or—least often—sell to others. None of the lost, stolen, or compromised devices were smartphones or tablets.

That’s probably because encrypted devices need not be reported; they’re presumed safe. iPhones and iPads have long encrypted their contents, and professional-grade Android devices have done that in recent years.
In both cases, a simple IT policy can enforce that encryption.
It doesn’t take a fancy mobile security tool; Microsoft Exchange can do the trick. Well, there was one data breach involving a smartphone: A former hospital manager, after resigning, took patient-identifying information by forwarding certain documents such as patient lists to her personal email account.
She had work email set up on her personal smartphone—a common BYOD scenario—and simply forwarded the work emails to her personal email account.

That’s not a mobile-specific issue—she could have done that from a work computer or a home computer. IT’s remedy for this case is the same no matter the device running the email app: Use restricted email accounts where possible and data loss prevention (DLP) tools where not to identify and perhaps prevent such odd email usage.

And don’t distribute PII or other sensitive information in routine documents in the first place! Also not in the breach list were the cloud storage services that IT managers fret about after they’re done worrying about mobile devices: Apple iCloud Drive, Box, Dropbox, Google Drive, and Microsoft OneDrive. But that omission may be misleading because if a lost (unencrypted) laptop has stored the access credentials for such services—which is common—then the data on that cloud drive is available to a data thief, just as the locally stored data is.

The Identity Theft Resource Center database doesn’t go into great detail of each case, but because a lost (unencrypted) laptop is presumed to be a data breach, that breach extends to any data on that laptop, including cloud-accessed data. Still, we didn’t see cases of these popular cloud storage services as the specific vector of a data breach—despite frequent IT fears to the contrary. In this day and age, IT pros have plenty of security threats to deal with.

Active hacking is the biggest threat, of course, and should get the lion’s share of the resources. The client side should be addressed but not dwelled on. Of the clients in use, mobile is the least risky.

Based on the actual risks, a good place to start is securing laptops, then external drives that people use when they don’t have access to a corporate cloud storage service.

Those devices comprise the biggest client risk.

Encryption is your main line of defense for these devices—for cloud storage, too. For the much smaller risk posed by mobile devices, mobile management tools are both mature and effective; there’s no excuse not to have them in place already.

Azure Security Center Now Guards Windows Server 2016 VMs

Microsoft has added Windows Server 2016, its latest server operating system, to the roster of virtual machines supported by its Azure Monitoring Agent cloud-based threat protection offering. With the holidays out of the way, Microsoft has returned to r...

Steganos Safe 18

Having your laptop stolen is traumatic; having the thief gain access to your sensitive documents could be catastrophic.

To avert the possibility of catastrophe, use an encryption tool to protect your most important files. With Steganos Safe 18, you can create any number of encrypted storage containers.
Steganos combines an impressive variety of security options with an interface that's very easy to use.

Your $39.95 purchase lets you install Steganos Safe on up to five PCs.

This is a one-time cost, which is a common model for encryption tools.

Editors' Choice utility Folder Lock also costs $39.95, and Ranquel Technologies CryptoForge goes for $39.70. You'll pay $45 for Cypherix PC, and $59.95 for CryptoExpert. Note, though, that those are single licenses.

The five-license Steganos package is quite a bargain.

In addition to being available as a standalone product, Steganos Safe is an integral part of the full Steganos Privacy Suite.

This suite also includes Steganos Password Manager 18 and a number of other useful tools.

What Is Encryption?

Throughout history, rulers and generals have needed to communicate their plans in secret, and their enemies have devoted great resources to cracking their secret communication systems.

A cipher that simply replaces every letter with a different letter or symbol is easy enough to crack based on letter frequency.

France's Louis XIV used a system called The Great Cipher, which held out for 200 years before anyone cracked it.

Father-son team Antoine and Bonaventure Rossignol conceived the idea of encoding syllables rather than letters, and letting multiple code numbers represent the same syllable.

They also included nulls, numbers that contributed nothing to the cipher.

But even this long-unbroken cipher pales in comparison with modern encryption technology.

Advanced Encryption Standard (AES), the US government's official standard, runs blocks of data through multiple transformations, typically using a 256-bit key.

Bruce Schneier's Blowfish algorithm should be even tougher to crack, as it uses a 448-byte key.

Whatever the size of the key, you must get it to the recipient somehow, and that process is the weakest point in the system.
If your enemy obtains the key, whatever its size, you lose. Public Key Infrastructure (PKI) cryptography has no such weakness.

Each user has two keys, a public key that's visible to anybody and a private key that nobody else has.
If I encrypt a file with your public key, you can decrypt it with the private key.

Conversely, if I encrypt a file with my private key, the fact that you can decrypt it with my public key proves it came from me—a digital signature.
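The two-key scheme just described, carried through in code as an added example (this is not Steganos code and not part of the review): one RSA key pair per user, the public key encrypts for that user, the private key decrypts, and a signature made with the private key is checked with the public key. Where the review says a signature is "encrypting with my private key", modern libraries expose signing as its own operation (RSA-PSS here), but the property demonstrated is the one the text describes. The message and key sizes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// KeyPair holds one user's two keys: the public half can be handed to
// anyone, the private half stays with its owner.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair generates an RSA key of the given size (2048 bits is the usual
// minimum today).
func NewKeyPair(bits int) (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Encrypt implements "I encrypt a file with your public key": anyone holding
// pub can produce the ciphertext, but only the matching private key can
// undo it. RSA-OAEP is the padding mode to use for this.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt is the recipient's side: it needs the private key.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign is what the review calls "encrypting with my private key". Here it is
// RSA-PSS over a SHA-256 digest, but the property is the one described: only
// the private key can produce a value the matching public key accepts.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify returns true only if sig was made over exactly this message by the
// private key that matches pub.
func Verify(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	me, err := NewKeyPair(2048)
	if err != nil {
		log.Fatal(err)
	}
	you, err := NewKeyPair(2048)
	if err != nil {
		log.Fatal(err)
	}

	// Constructed sample message. RSA-OAEP only wraps short inputs, so in
	// practice this would be a symmetric file key rather than the file itself.
	msg := []byte("constructed sample: key for tonight's report")

	ct, _ := Encrypt(you.Public, msg) // I encrypt with your public key
	pt, _ := Decrypt(you.Private, ct) // you decrypt with your private key
	fmt.Println("round trip ok:", bytes.Equal(pt, msg))

	sig, _ := Sign(me.Private, msg) // I sign with my private key
	fmt.Println("signature from me:", Verify(me.Public, msg, sig))
	fmt.Println("altered message:", Verify(me.Public, []byte("altered"), sig))
	fmt.Println("wrong signer:", Verify(you.Public, msg, sig))
}
```

Note what the last two checks show: changing a single byte of the message, or checking against anyone else's public key, fails verification. That is the property that lets a public key prove origin without ever exposing the private one.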

Getting Started with Steganos Safe

The Steganos encryption utility's installation is quick and simple. Once finished, it shows you a simple main window that has two big buttons, one to create a new safe and one to open a hidden safe.

When a safe is open, it looks and acts precisely like a disk drive. You can move files into and out of it, create new documents, edit documents in place, and so on.

But once you close the safe, its contents become totally inaccessible. Nobody can unlock it without the password, not even Steganos.

Like Editors' Choice tools CertainSafe Digital Safety Deposit Box, AxCrypt, and Folder Lock, Steganos uses AES for all encryption. However, it cranks the key size up from the usual 256 bits to 384 bits.

CryptoExpert and CryptoForge offer four different algorithms, and Advanced Encryption Package goes over the top with 17 choices.

Few users have the knowledge to make an informed choice of algorithm, so I see no problem sticking with AES.

Steganos warns if you try to close a safe while you still have files from the safe open for editing.
In addition to the basic safe, Steganos can optionally create portable safes and cloud safes.
I'll cover each safe type separately.

Create a Safe

The process of creating a new safe for storing your sensitive documents is quite simple, with a wizard that walks you through the steps. You start by assigning a name and drive letter to the safe—the program's main window shows you the name.

By default, Steganos creates the file representing your safe in a subfolder of the Documents folder, but you can override that default to put it wherever you want, including on a network drive.

Next, you define the safe's capacity, from a minimum of 2MB to a maximum that depends on your operating system. Unlike Cypherix PE and CryptoExpert, with Steganos the initial capacity doesn't have to be a hard limit. You can create a safe whose size grows dynamically.

Folder Lock works a bit differently. While you must set a maximum size at creation, it only uses as much space as its current content requires.

A newly created Cypherix volume requires formatting. With Steganos, the safe is ready for use immediately.

The next step is to select a password.
If you've created a master password for
Steganos Password Manager, the password dialog should look familiar.
Steganos rates password strength as you type.
If you wish, you can define the password by clicking a sequence of pictures rather than typing it in.

There's also an option to enter the password using a virtual keyboard.

Folder Lock and InterCrypto Advanced Encryption Package 2016 also offer a virtual keyboard.

Here's a useful option. You can choose to store the password on a removable drive, making that drive effectively the safe's key.

By default, a safe opened in this way closes automatically when you remove the key.
It's not two-factor authentication, as you can still unlock the safe using just the password, but it's certainly convenient.
In a similar situation, you can configure InterCrypto CryptoExpert 8 to require both the master password and the USB key.

Digging into the program's settings, you can simplify the process by disabling advanced wizard options.
If you do so, Steganos chooses default values for each new safe's drive letter and filename.

There's a special option that only appears for safes smaller than 3MB.
If you've chosen an acceptable size, a link appears explaining how you can create a hidden safe.
Steganos can hide a small-enough safe inside a video, audio, or executable file.

After creating the safe, you click it, choose Hide from the menu, and select a carrier file.
Steganos stuffs the entire safe into the carrier, without affecting the carrier's ability to function as a program or audio/video file.

To open it, you click Open a Hidden Safe on the main window, select the carrier, and enter the password. Just don't forget where you hid the safe.

Portable Safes

For additional security, consider creating a portable safe that you only bring out when you need to access it.

The process is similar. You start by selecting the target device, which can be a USB storage device or an optical drive. You define the size and create a password, just as for a regular safe.

But then the process diverges.

Steganos creates and opens what it calls a prepackaging drive, using the drive letter of your choice.
Showing its age, the tool warns that portable safes don't support Windows NT 4.0 or Windows 95/98/Me. You click to open the prepackaging drive and drag the desired files into it. When you click Next, Steganos creates the necessary files on the target device. You're done!

If the size of the portable safe is less than about 512MB, Steganos creates what it calls a SelfSafe by default.

As with the hidden option for regular safes, you won't even see this as a choice if your desired size is too large.

The SelfSafe is a single executable file called SteganosPortableSafe.exe that contains both the necessary decryption code and the data representing the safe's contents. Otherwise, it stores the contents in a folder called Portable_Safe and adds a file called usbstarter.exe.

Either way, launching the file lets you enter the password and open the portable safe.

In testing, I did run into one surprise: a portable safe is not completely portable.
It requires the Steganos encryption engine. You can only open and work with your portable safe on a PC where you've installed the program.

Cloud Safes

As noted, you can open a portable safe on any PC where you've installed Steganos Safe.

Creating a cloud safe is another way to share your encrypted files between PCs.
Steganos supports the cloud storage services Dropbox, Google Drive, and Microsoft OneDrive. Whichever you choose, you must install that cloud service's desktop app.

The help points out that Google Drive and OneDrive must re-sync the entire safe when there's any change, while Dropbox can selectively sync changes only.

My test PC didn't have any of the desktop apps installed, and the cloud safe creation dialog reflected this fact.

For testing purposes, I installed the Dropbox app.

As with a regular safe, you select a name and drive letter and then choose the safe's size.

For a cloud safe, you don't get the option to have the safe expand as needed.

Create your password, wait for the safe's initialization, and you're ready to go.

The safe syncs to the cloud each time you close it, and you can use it on any PC that has both Steganos and the proper cloud app installed.

Advanced Features

Click a safe and click Settings to bring up the administration dialog. Here you can change the password, name, and file location for the safe, but that's not all. On the main page of the dialog you can color-code the safe, and choose whether Windows should see it as a local drive or a removable drive. On the Events tab, you can choose whether to open the safe when you log on, and whether to close it on events such as screen saver activation or going into standby.

There's an option to define an action that occurs after the safe opens, and after it closes.

For example, you could configure it to automatically launch a file that resides within the safe after opening it, or automatically make a backup copy after closing it.

Perhaps most interesting is the Safe in a Safe feature.

This defines a separate safe, hidden within the normal safe, occupying a user-defined percentage of available space, and having its own password.

Depending on which password you use to open the safe, you either open the Safe in a Safe, or the original safe that contains it.
Sneaky! But take care.
If you overfill the outer safe, its contents can wipe out the super-secret Safe in a Safe.

Steganos Shredder

It's all well and good to put your most sensitive files into an encrypted safe, but if you leave the unencrypted originals on disk, you haven't accomplished much, security-wise.

Even if you delete the originals, they're not really gone, because their data remains on disk until new data overwrites it.

For true privacy, you must use a secure deletion tool that overwrites file data before deletion, something like this program's file-shredder component.

The easiest way to use the shredder is to right-click a file or folder and choose Destroy from the menu that appears.
Steganos overwrites the file's data once and then deletes it.

This should be sufficient to foil software-based file recovery systems, though it would still be theoretically possible for a hardware-based forensic tool to get back some or all of the data.

Folder Lock, by contrast, lets you choose up to 35 overwrite passes, which is overkill, as there's no added benefit after seven passes.

Launching the full File Shredder from the main window's menu reveals that it does more than just securely delete files.

As with Folder Lock, Steganos can overwrite all the free space on a disk.

Doing so wipes out all traces of previously deleted files, in effect shredding them ex post facto.

This can be a lengthy process, so you may want to use the scheduler to set it for a time when you're not using the computer. You can also schedule daily or weekly free space shredding. Note that if you stop and restart the free space shredding process, it skips quickly past previously shredded areas.

Finally, there's the Complete Shredder nuclear option.

Choose this to completely wipe out all data on a drive, including partition data.

A drive that's been shredded in this way must be formatted before you can do anything with it. Like shredding free space, this process can take quite a while.

By observation, you can't shred the active Windows volume, which makes sense. When I tried, there was no error message, but it did nothing.

Comprehensive Encrypted Storage

Steganos Safe 18 focuses on the singular task of creating encrypted storage containers for your sensitive files, and it does that task very well.
It's easier to use than most of its competitors, and its Safe in a Safe and hidden safe options are unique. You can only use its portable safe and cloud safe features on PCs that have the program installed, but your purchase gets you five licenses.

However, Folder Lock does most of what Steganos does, and quite a lot more.
Its features include encryption of individual files and folders, secure storage of private data, a history cleaner, and (at an extra cost) secure online backup.

AxCrypt Premium is even easier to use than Steganos, and supports public key cryptography.

And CertainSafe Digital Safety Deposit Box protects your cloud-stored encrypted files against any possibility of a data breach.

These three are our Editors' Choice products for encryption, but Steganos is a worthy contender.


PCMag may earn affiliate commissions from the shopping links included on this page. These commissions do not affect how we test, rate or review products. To find out more, read our complete terms of use.

Steganos Password Manager 18

Munich-based software publisher Steganos is all about privacy. The company offers encryption, VPN, secure deletion, and other privacy-related tools. Naturally, the lineup includes a password manager. Steganos Password Manager 18 doesn't have the high-end features that typify the very best password managers, though, and even its more mundane features didn't always work in testing.

Your one-time payment of $24.95 gets you licenses to install the application on up to five PCs. The licenses don't expire, but they also don't automatically update to the next version. You can also tie any number of iOS or Android devices to your account. This pricing is a bit hard to compare with the competition. RoboForm Desktop is also a one-time fee, $29.95 in this case, but it doesn't sync across multiple devices. Dashlane costs $39.99 per year and puts no limits on the number of PC, macOS, Android and iOS devices. Just one dollar per month lets you use LastPass Premium on all your devices. And of course, some competitors, such as LogMeOnce Password Management Suite Premium, are completely free.

Getting Started

When you go to download Steganos, you're likely to find that it comes with a trial of the full Steganos Privacy suite. This suite includes, among other things, a file shredder, several forms of encryption, and the Steganos Online Shield VPN. In this review, I focus strictly on the password manager.

Once you've installed the product, it opens to a big, empty window, with instructions on how to proceed. With Steganos, you can create multiple password databases, which it calls keychains. Multiple users on one PC could have their own keychains. But nothing happens until you select New from the File menu, to create your first keychain.

As with most password managers, Steganos starts you off with the creation of a master password. You can type it using a virtual keyboard, or create it using the unusual PicPass feature. I'll go into detail about those below. As you type in your password, Steganos fills in five lock icons, and displays a description of your password's strength. At one lock, it says, "This password can probably be guessed." If you make it to five locks, it declares, "This password cannot be identified by intelligence agencies." Interestingly, it also reports the number of word fragments found in the password.

There's also an option to store the master password on a USB device. This isn't precisely two-factor authentication, since the USB device replaces the master password for authentication. In addition, you can't sync with mobile devices if you choose USB authentication. True Key and LogMeOnce Password Management Suite Ultimate both allow authentication using multiple other factors, without the need for a master password. In fact, passwordless login is the default for LogMeOnce.

Steganos installs the necessary browser extension in Internet Explorer automatically, and there's a menu option to install it in Chrome. Firefox is also supported, but in testing I could not get the extension to load. Even after reinstallation, Firefox reported the extension as corrupt. An Edge extension is in the works, pending approval by Microsoft. True Key by Intel Security is the only competitor I've encountered that has a working extension for Microsoft Edge.

Dashlane, Sticky Password Premium, and most password managers that let you sync your passwords across multiple devices handle syncing internally. Not Steganos. If you want to sync between devices, you must configure it to store your keychain in your existing cloud storage services. It supports Dropbox, Google Drive, and OneDrive, as well as the Europe-centric Magenta Cloud. Setting up the connection is simple enough, and of course your data is encrypted before it's sent to the cloud. Still, this might be a good time to toughen up the password on your cloud storage.

There is one more option for syncing among devices, but it's not something most users would want to mess with. If you choose File export, Steganos saves your data in a portable, shareable form. Importing that data on another PC isn't so tough, but getting it onto an Android or iOS device is a pain.

Password Capture and Replay

Like almost all password managers, Steganos notices when you log in to a secure site and offers to save your credentials. Some products slide in a notification at the top of the browser window, some create a popup within the browser, and others use a totally separate popup. Steganos is among the last group, and I found that its popup consistently got stuck behind the browser. You can give the new entry a friendly name at this time, but you can't assign it to a category.

If you're switching to a new password manager, the ability to import passwords from the product you're leaving behind is a big plus. LastPass can import from more than 30 competitors, and KeePass from nearly 40. Steganos imports from just two, KeePass 2.34 and 1Password; to me these seem like odd choices.

Dashlane, LastPass, Password Boss Premium, and True Key don't just import passwords stored insecurely in your browsers. They also delete those passwords from the browser, and turn off browser-based password capture. Alas, Steganos doesn't import from browsers at all.

When you revisit a secure site, the default behavior is for Steganos to automatically fill in the saved credentials. You can turn off this behavior and manually call on the browser extension when you want it to fill in the data. As is typical, if you have multiple sets of credentials saved, it offers a menu.

While most websites use standard login screens, easily understood by password managers, some of them march to a different drummer. If you run into a login that Steganos doesn't capture automatically, you can do it manually. Just sign out, reenter your credentials, and (in Chrome) choose "Save form to keychain" from the toolbar button's menu. In testing, I found that in IE the equivalent Save Form button did not work. LastPass, Sticky Password, and RoboForm Everywhere 7 have a similar ability to capture passwords on demand.

Many password managers turn your data into a menu of saved websites. Just click the toolbar button and choose a site to both navigate there and log in. With Steganos, you open the main application window and launch from there.

The Steganos application must be running any time you want to use its browser extensions. That's a bit different from many competing products. I kept accidentally shutting it down, when all I really wanted to do was get it out of the way. The correct way to handle that situation is to minimize the application down to its tiny desktop widget. From the widget, you can restore the main window, or drag/drop the username and password for the selected login.

Password Generator

When you're editing one of your saved password entries, you can invoke the built-in password generator to provide a strong new password. However, it's up to you to go to the site and put your new password in place. Steganos doesn't automatically offer the password generator when you're setting up a new online account, either.

The password generator defaults to creating 16-character passwords, which is good. But it only uses uppercase letters, lowercase letters, and digits, by default. I advise adding special characters to the mix. Interestingly, Steganos seeds its random number generator before each password generation event by using your own mouse movements.

Organizing Passwords

As noted, you can assign a friendly name at the time Steganos captures a set of login credentials. That name is what appears in the main window's password list. When you click an item in the list, its details appear at right. You can click Edit to change those details—all except the friendly name. To change that name, you must right-click it in the list.

To start, all your passwords simply appear directly below the root of the tree. If you prefer a more organized approach, you can create any number of categories, which become branches in the tree display. You can even create nested categories, something that few password managers allow. RoboForm, Sticky Password, and LastPass 4.0 Premium are among the few that permit multilevel categories.

I assumed that organizing my saved logins would be a simple matter of dragging them in to the desired category, the way you do with LastPass. It's not. Instead, you right-click the entry and select its new location in the tree.

Portable Edition

With LastPass, Dashlane 4, LogMeOnce, and other Web-centric password managers, you can log into your password database from any computer. Steganos requires installation of its app on a PC, and doesn't make your cloud-connected database available without it.

However, if you anticipate needing to use the app on an unfamiliar computer, you can create a portable edition on any USB device. Just select the keychain, select the device, and you're done. Any future changes you make in the main app don't appear in the portable edition, so you should recreate the portable edition frequently. In addition, all the data in the portable edition is read-only.

PicPass and Virtual Keyboard

Some people have no trouble remembering a strong password based on a favorite song or quote. Others are more visual, and for those people Steganos offers PicPass. When you choose to define or redefine your master password using PicPass, you start with a grid of 36 photos or 36 symbols. You proceed to click on as many of the pictures as you think you can remember, and then repeat that same pattern of picture-clicks.

However, there's a catch. The 36 pictures correspond to the 10 digits and 26 uppercase letters, and your fancy pattern of clicks gets translated into a mundane password like 1UB3OX. Steganos doesn't hide this fact; it even offers to display the generated password. Yes, you can make the PicPass process tougher by having Steganos scramble the picture locations, but doing so just makes it harder for you to get the right sequence. It doesn't make the password itself more resistant to brute-force cracking.
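The two points the review makes about password strength, that the generator's default alphabet is letters and digits only and that a PicPass sequence is really a password over a 36-symbol alphabet, come down to the same arithmetic: brute-force resistance is length times log2 of the alphabet size, and nothing else. The following is an added example written for this page (not Steganos code): an unbiased generator over a chosen alphabet, plus the entropy calculation for the generator's default alphabet, the same alphabet with special characters added, and a six-click PicPass like the review's 1UB3OX. The special-character set is the example's own choice.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"log"
	"math"
	"math/big"
	"strings"
)

const (
	Lowercase = "abcdefghijklmnopqrstuvwxyz"
	Uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	Digits    = "0123456789"
	// Specials is this example's own choice of punctuation; any set without
	// repeated characters works the same way.
	Specials = "!@#$%^&*()-_=+[]{};:,.<>?"
)

// PicPassAlphabet mirrors the 36-picture grid the review describes: each
// picture stands for one of the 10 digits or 26 uppercase letters.
const PicPassAlphabet = Digits + Uppercase

// Generate returns a password of n characters drawn uniformly from alphabet
// using crypto/rand. rand.Int performs unbiased selection, so no character is
// favoured the way "random byte modulo alphabet size" would favour some.
func Generate(n int, alphabet string) (string, error) {
	if n <= 0 || len(alphabet) < 2 {
		return "", errors.New("need n > 0 and an alphabet of at least two symbols")
	}
	var sb strings.Builder
	limit := big.NewInt(int64(len(alphabet)))
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits is the brute-force work factor of n symbols drawn uniformly
// from an alphabet of size k: log2(k^n) = n * log2(k). It depends only on
// length and alphabet size, which is why shuffling picture positions in
// PicPass makes the sequence harder to remember but no harder to guess.
func EntropyBits(n int, alphabetSize int) float64 {
	return float64(n) * math.Log2(float64(alphabetSize))
}

func main() {
	full := Lowercase + Uppercase + Digits + Specials
	pw, err := Generate(16, full)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("generated:", pw)
	fmt.Printf("16 chars, letters+digits (generator default): %.1f bits\n",
		EntropyBits(16, len(Lowercase+Uppercase+Digits)))
	fmt.Printf("16 chars, letters+digits+specials:            %.1f bits\n",
		EntropyBits(16, len(full)))
	fmt.Printf("6-click PicPass over 36 pictures:             %.1f bits\n",
		EntropyBits(6, len(PicPassAlphabet)))
}
```

Run as is, the comparison makes the review's point in numbers: sixteen characters from letters and digits is about 95 bits, adding 25 special characters lifts that to about 103, and a six-click PicPass is about 31 bits, the strength of a six-character alphanumeric password no matter how the pictures are arranged.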

Limited Web Form Filling

Steganos lets you store a very limited set of personal data, little more than name, address, email, phone, and birthdate. There's no option to store multiple profiles such as you get with LastPass, Dashlane, and others. And there's certainly no ability to create multiple instances of data fields the way you can in RoboForm. You can enter data for any number of bank accounts and credit cards, and sync these between your devices, but the app does not use these to fill Web forms.

In testing, I found that the Web form-filling feature worked correctly in Chrome, but didn't work in Internet Explorer. In some cases, it immediately filled personal data into the form's fields. In other cases, I had to select "Fill form now" from the toolbar button's menu.

Mobile Options

If you want to use Steganos for logging into secure sites on your mobile devices, you must configure your account to use one of its cloud storage options. Install the free Steganos Mobile Privacy from the Google Play store or Apple App Store, connect it with your cloud storage, and enter your master password. You're ready to go.

I installed the app on a Nexus 9, just to get a feel for it. The PC edition's tree display is absent, so you have to either dig down to the entry you want or use the handy search box. Tapping an entry opens the corresponding website in the app's internal browser and logs you in. There's no integration with other browsers installed on the device.

Like the portable edition, the mobile edition is read-only. If you want to add or edit password entries, credit card data, or anything else, you must do it on your PC. But if all you want is quick mobile access to your secure websites, it does the job.

You Can Do Better

It's nice to see a password manager that charges a one-time fee rather than a per-year subscription, but there are disadvantages, too. That yearly subscription pays other vendors for things like server space to hold your encrypted data. With Steganos Password Manager 18, you supply that storage yourself, in the form of an account with one of the big cloud storage providers. Steganos also lacks the advanced features found in the very best password managers. In testing, even the simpler features it does contain didn't always work perfectly.

If the low, one-time price really resonated with you, you're probably better off getting one of our top free password managers instead. For those willing to pay a bit, we've identified several password managers worthy of the title Editors' Choice. LastPass 4.0 Premium costs just a dollar a month, and it has tons of features. LogMeOnce Password Management Suite Ultimate 5.2 beats all the competition feature-wise, with some security elements not found in any competitor. Dashlane 4 goes for streamlined ease of use, with advanced features including an actionable password strength report, secure password sharing, and account inheritance.


PCMag may earn affiliate commissions from the shopping links included on this page. These commissions do not affect how we test, rate or review products. To find out more, read our complete terms of use.

Code Reuse a Peril for Secure Software Development

The amount of insecure software tied to reused third-party libraries, lingering in applications long after patches have been released, is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and by some repositories taking a hands-off approach to the code they host. The result is that attackers can target one overlooked flaw in a component used in millions of applications instead of a vulnerability in a single application. The real-world consequences have been demonstrated in the past few years by the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency: three instances of libraries and frameworks with unpatched flaws being reused in production applications.

Security researchers at Veracode estimate that 97 percent of the Java applications it tested included at least one component with at least one known software vulnerability. “The problem isn’t limited to Java and isn’t just tied to obscure projects,” said Tim Jarrett, senior director of security at Veracode. “Pick your programming language.” Gartner, meanwhile, estimates that by 2020, 99 percent of the vulnerabilities exploited will be ones known to security and IT professionals for at least one year.

Code Reuse Saves Time, Invites Bugs

According to security experts, the problem is two-fold. On one hand, developers use code that is reliable when chosen but is later found to have a vulnerability. On the other, insecure code is used by a developer who doesn’t exercise due diligence on the software libraries in their project.

“They’ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edged sword – saving time but opening the door to bugs,” said Derek Weeks, vice president and DevOps advocate at Sonatype. In an analysis of 25,000 applications, Sonatype found that seven percent of the components in use had at least one known security defect.

Repositories such as GitHub, Bitbucket, the Python Package Index and the NuGet Gallery are essential tools that help developers find pre-existing code that adds functionality to their projects without reinventing the wheel. Java developers, for example, rely on pre-existing frameworks for encryption, visual elements and data handling. “Software is no longer written from scratch,” Weeks said. “No matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.”

He said enterprises are more reliant on the software supply chain than ever before, but many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses holding a varying percentage of outdated projects with security issues. According to an analysis of Sonatype’s own Central Repository, developers made 31 billion download requests for open source and third-party components in 2015, compared with 17 billion the year before, and 6.1 percent of the code downloaded from Central had a known security defect. Weeks says Sonatype is doing better than repositories that offer no tools, no guidance and no red flags to keep developers from using frameworks with faulty code. “There is no Good Housekeeping Seal of Approval for third-party code.”

“Faulty code can easily spawn more problems down the road for developers,” said Stephen Breen, a principal consultant at NTT Com Security. “Even when development teams have the best intentions, it’s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.” Breen said that when insecure code is unknowingly built into a component, the problem snowballs as that component is used inside other, larger components.

One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar), first reported in 2015 and patched in November of the same year. Breen found there are still 1,300 instances of the old vulnerable version of Commons Collections lurking inside Java applications that use the Spring and Hibernate libraries, hosted across multiple open source code repositories. “The developer knows they are picking Spring or Hibernate for their development project. They don’t take it to the next level and realize they are also getting Commons Collections,” Breen said. “That Commons Collections library is then used by thousands more projects.” According to Veracode, Apache Commons Collections is the sixth-most common component in Java applications, and unpatched versions of it were present in 25 percent of the 300,000 Java applications it scanned.

Even more challenging for developers is updating the applications that still use a vulnerable version of a library or framework after the flaw has been patched. “Think of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it’s the carmaker on the hook to fix the problem, not the airbag maker,” Weeks said.

Leaky Apps, Bad Crypto, Injection Flaws Galore

Veracode said the Apache Commons Collections example is the tip of the iceberg. When it examined the vulnerabilities tied to insecure third-party code, it found that information leakage, where user or application data can be leveraged by an attacker, was the most prevalent category at 72 percent, followed by cryptographic issues at 65 percent (the categories overlap, so the figures do not sum to 100). Next came Carriage Return Line Feed (CRLF) injection flaws and cross-site scripting bugs.

Compounding the problem is an increased dependency on open-source components across a wide variety of software products. The federal government is typical: it has an open-source-first policy, as do many private companies. Relying on third-party libraries shortens development time and can improve the safety and quality of software projects, Weeks said. “Not only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,” Weeks said. Done correctly, code reuse is a developer’s godsend, he said.

For those reasons, security experts say it’s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software’s supply chain with what it calls a “software bill of materials.” That way developers can scrutinize open-source frameworks before and after they are used, making it easier to update the applications that depend on vulnerable old versions of libraries. Sonatype said it found that one in 16 components it analyzed had a vulnerability that was previously documented and verified, with additional information available on the Internet. “I can’t imagine any other industry where it’s okay that one in 16 parts have known defects.” The problem is that among developers there is a mix of denial and ignorance at play. “Developers choose component parts, not security,” Weeks said. It should be the other way around.

“If we are aware of malicious or bad libraries or code, of course we want to warn our users,” said Logan Abbott, president of SourceForge, a software and code repository. “We scan binaries for vulnerabilities, but we don’t police any of the code we host.”

Repositories Say: ‘We’re Just the Host’

Repositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that let people store and share content publicly or privately. They don’t tell users what they can and cannot host with their service, and they say rooting out bugs in software should be on the shoulders of developers, not repositories. Writing good, vulnerability-free code starts with getting good code from healthy repositories with engaged users. “We think of ourselves as the Home Depot of repositories,” said Rahul Chhabria, product manager for Atlassian Bitbucket. “We provide the tools, material and platform to get the job done right.” Chhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components, such as the third-party tool SourceClear for scanning dependency chains. It also offers Bitbucket Pipelines, which allows cloud-based team development of software projects and simplifies peer review.

GitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red-flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. Instead, developers can use third-party tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis. “There is a lot of hidden risk out there in projects,” Davenport said. “We do our best to make sure our developers know what tools are available to them to vet their own code.” He estimates that a minority of GitHub developers take advantage of software scanning and auditing tools. “Unfortunately security isn’t a developer’s first priority.”

Other repositories told Threatpost they intentionally take a hands-off approach, and say that expecting them to police the software they host isn’t feasible, isn’t part of their mission and isn’t something they plan to do. They point out that, flawed or not, developers want access to all code, even older components. “An implementation of a library in one framework might not be a security risk at all,” Breen said. He points out that developers often temporarily revert to old libraries as stopgaps when an updated version breaks a project.

Automated Scanning to the Rescue?

One attempt at nipping the problem in the bud is the use of automated security vulnerability and configuration scanning for open source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner; today only 10 percent of packages are scanned. The Node.js Foundation, an industry consortium set up to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to give developers a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. According to Node.js, the approach is a hybrid solution consisting of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code. “It’s not a story about security professionals solving the problem, it’s about how we empower development with the right information about the (software) parts they are consuming,” Weeks said. “In this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.”
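The software bill of materials that Sonatype advocates boils down to knowing every transitive component in a build and checking each one against a list of known-bad versions. The script below is an added example written for this page, not code from Sonatype, Veracode or any project quoted above. It parses the text output of `mvn dependency:tree`, records the chain through which each component arrived (the Spring-or-Hibernate-brings-Commons-Collections case Breen describes), and reports any component older than the first fixed release in a small inline advisory table. The advisory table, the sample tree and the versions in it are constructed for illustration; that 3.2.2 is the release that fixed the Commons Collections deserialization flaw comes from my own knowledge of the project, not from the article.

```python
"""Flag known-vulnerable components in the output of `mvn dependency:tree`."""
import re
from typing import Dict, List, Optional, Tuple

# (groupId, artifactId) -> first fixed version. The Commons Collections entry matches
# the 2015 deserialization flaw discussed in the article; that 3.2.2 is the fixed
# release is from my own knowledge of the project, not from the article.
ADVISORIES: Dict[Tuple[str, str], str] = {
    ("commons-collections", "commons-collections"): "3.2.2",
}

# Tree lines look like "|  +- g:a:type:version:scope"; each ancestor adds 3 columns.
TREE_LINE = re.compile(r"^(?P<pre>(?:[| ] {2})*)(?P<con>[+\\]- )?(?P<coord>\S.*)$")

# Constructed sample: the developer picked Hibernate and got Commons Collections with it.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ orders ---
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.hibernate:hibernate-core:jar:3.6.10.Final:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.1:compile
[INFO] |  \\- org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Final:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] BUILD SUCCESS
"""


def version_key(version: str) -> List[Tuple[int, object]]:
    """Sort key: 3.1 < 3.2.1 < 3.2.2 < 3.2.2.1; numeric parts order before qualifiers."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def is_vulnerable(group: str, artifact: str, version: str) -> Optional[str]:
    """Return the first fixed version when the component is listed and older than it."""
    fixed = ADVISORIES.get((group, artifact))
    if fixed is not None and version_key(version) < version_key(fixed):
        return fixed
    return None


def parse_coordinates(coord: str) -> Tuple[str, str, str]:
    """g:a:type:version[:scope] or g:a:type:classifier:version:scope -> (group, artifact, version)."""
    parts = coord.split(":")
    if len(parts) in (4, 5):
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:
        return parts[0], parts[1], parts[4]
    raise ValueError("not a Maven coordinate: %r" % coord)


def parse_dependency_tree(text: str) -> List[Tuple[Tuple[str, str, str], List[str]]]:
    """Return every node as ((group, artifact, version), path-from-root) in tree order."""
    stack: List[Tuple[int, str]] = []  # (depth, "g:a:v") of the current ancestors
    nodes = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = TREE_LINE.match(line)
        if not m:
            continue
        coord = m.group("coord").strip()
        if coord.startswith("(") and "omitted" in coord:
            continue  # -Dverbose output: a version that is NOT on the classpath
        try:
            group, artifact, version = parse_coordinates(coord)
        except ValueError:
            continue  # plugin banners, "BUILD SUCCESS" and similar non-tree lines
        depth = len(m.group("pre")) // 3 + (1 if m.group("con") else 0)
        label = "%s:%s:%s" % (group, artifact, version)
        while stack and stack[-1][0] >= depth:
            stack.pop()
        path = [s[1] for s in stack] + [label]
        stack.append((depth, label))
        nodes.append(((group, artifact, version), path))
    return nodes


def find_vulnerable_components(tree_text: str) -> List[Dict[str, str]]:
    """One finding per vulnerable node, including the chain that dragged it in."""
    findings = []
    for (group, artifact, version), path in parse_dependency_tree(tree_text):
        fixed = is_vulnerable(group, artifact, version)
        if fixed:
            findings.append({"component": path[-1], "fixed_in": fixed, "via": " > ".join(path)})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_TREE):
        print("%s is vulnerable (fixed in %s), via %s" % (f["component"], f["fixed_in"], f["via"]))
```

The check catches exactly the case the article dwells on: a team that chose Hibernate and never wrote Commons Collections into its own build file still gets a finding, together with the chain that introduced it, so the fix (a managed-dependency override to 3.2.2, or a newer framework release that no longer drags the old version in) can be targeted rather than guessed. Versions that Maven reports as omitted in verbose mode are skipped, since they never reach the classpath.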

Symantec Norton Security Premium (2017)

You absolutely need antivirus protection for your Windows boxes—that's a given.

But a full-scale security suite does much more than just protect against the various types of malware.
Symantec Norton Security Premium contains virtually every security component you can imagine, and a number of them are Editors' Choice products in their own right.
It lets you install Norton security on up to 10 Windows, Android, macOS, and iOS devices.
If you need to protect a large collection of diverse devices, look no further. A 10-license one-year subscription for Norton Security Premium costs $89.99, and includes 25GB of hosted online backup.

Bitdefender Total Security Multi-Device 2017 gives you five licenses for that price, or ten for $10 more. Kaspersky is a little more expensive, with five licenses for $99.99.

And for the same price as Norton, McAfee lets you install protection on every device in your household.

Required Reading

My typical pattern when reviewing a security product line is to start with the standalone antivirus and then summarize the antivirus review as part of my review of the full security suite.
If there's an even bigger mega-suite in the mix, I summarize the entry-level suite review. However, I'm going to take a different path this time. This product has precisely the same excellent security components as Symantec Norton Security Deluxe.

These include top-scoring antivirus, award-winning Android security, no-hassle firewall, consistently accurate phishing protection, a full security suite for macOS, and more.

The Premium edition adds five more licenses along with parental control and online backup, neither of which is tightly coupled to the suite's other components. Please read my review of the Deluxe edition first, then come back here for my evaluation of the added Premium features.

Online and Local Backup

Security suite vendors like to promote that their products include online backup—it gives them a nice check mark in the features table. However, all too many of them simply offer a branded version of some partner product that their users could get for free directly from the partner.

Check Point ZoneAlarm Extreme Security 2017 offers 5GB of backup space that you could just as easily get directly from IDrive, for example. Norton's Windows-specific backup component is a completely in-house product, and sells separately for $49.99 per year. PCMag's Max Eddy didn't think much of Norton Online Backup, comparing it unfavorably with other standalone backup services.

But compared with backup components in other security suites, it looks pretty good. The online backup component comes pre-configured with a default backup set that defines what to back up, where to store backed-up files, and when to run the backup.
It includes files in and below the Documents folder for each user, but specifically omits possibly massive video files and email files by default. You can edit this backup set to fit your own needs, or create any number of additional backup sets. The default destination for your backed-up files is Norton's secure online storage, but you can also back up locally. While CD/DVD backup was removed in this edition due to low usage, any other drive that shows up in Windows Explorer is a fair target.

That includes local hard drives, remote drives, network drives, and even some cloud storage services.

The backup system in Kaspersky Total Security doesn't come with online storage, but you can link it to your Dropbox account. By default, backup occurs automatically when your computer is idle.

That's probably best for ongoing maintenance, but you may want to manually launch the first backup when you're done with your system for the day, as the first time can take a while.
Subsequent backups only transmit new and changed files, so they run much faster. You can also schedule a backup set to run on a weekly or monthly schedule. You can also choose to throttle back the bandwidth used for backup, an option that's only needed if you don't choose to back up during idle time. The restore feature also comes pre-configured with logical defaults.
It restores files from the most recent backup (though you can choose another) to their original locations (though you can select a different destination).

By default, it waits for you to search out the file or files you want to recover. You can optionally browse all backed-up files, or restore the entire backup set.

And you can access your backup sets as if they were local files and folders by opening the Norton Backup Drive in Windows Explorer. Webroot SecureAnywhere Internet Security Complete also offers 25GB of hosted storage for backing up and syncing files.
It keeps up to ten versions of files and lets you create links to securely share backed-up files.

BullGuard Premium Protection also lets you share files from its 25GB of online backup. Norton just keeps the latest version, and secure sharing has been dropped in the current version.

Few consumers actually used the feature, and it made overall security more complex, according to my Symantec contact. The fanciest backup system in the world won't help if it never gets used. Norton makes backup almost effortless, which is as it should be.

Parental Control

Your Norton Security Premium subscription also includes Symantec Norton Family Premier, a $49.99 value if purchased separately. Yes, the combined price of Norton Online Backup and Norton Family Premier is greater than the price of this entire suite, and much greater than the $10 you spend to upgrade from Norton Security Deluxe.

That's a great deal. As with Net Nanny, Qustodio Parental Control 2015, and other modern parental control systems, all configuration and reporting takes place online, with a small client app on each Windows, Android, or iOS device, to handle local monitoring and enforcement of House Rules.
Sorry, Mac users, this component isn't for you. To get started, you log in to your Norton account online and create a profile for each child.

The profile includes name, birth year, gender, and an optional photo or avatar. You can also add personal information that you don't want the child to share online. Next, you add a device that the child uses or, if it's a PC, the child's Windows user account. You can install the local Norton Family parental control agent on the current device or email a link. Keep going until you've created a profile for each of your kids; there's no specific limit on the number of child profiles or devices. With that task out of the way, it's time to define House Rules for each profile.

First up is Web Supervision, which manages content filtering.

Based on the child's age, Norton selects from the 47 content categories and determines whether to block those categories or just give the child a warning. You can pick your own custom set of categories and choose to block, warn, or just silently monitor.

ContentWatch Net Nanny 7 is even more flexible, letting you choose allow, block, or warn separately for each category. When Norton blocks access to a site, it displays the reason.

The child can send parents a message explaining the attempt to visit the site, or report that the site is categorized incorrectly.
If a child proceeds to the site despite a warning, parents get notification. Norton actually checks page content if necessary.
I found that it allowed access to a short-story website but blocked its erotic stories.
It filters secure (HTTPS) traffic, so kids won't evade it by using a secure anonymizing proxy.

And it didn't cave to a simple three-word network command that disconnects some less-clever parental control systems.
I couldn't find any sites that should have been blocked but weren't. Forcing Safe Search has become difficult now that popular search portals enforce use of HTTPS.

Bitdefender and Trend Micro simply dropped that feature from parental control, though Trend Micro Maximum Security attempts to cover up naughty pictures in search results. Norton has taken a different tack.
Search Supervision enforces Safe Search on Ask, YouTube, Google, Bing, and Yahoo.
It does so using a browser extension, so a clever child might work around this restriction. Your child can turn off Safe Search and briefly see inappropriate links or pictures until the browser extension turns it on again. Video Supervision keeps track of the videos your child watches on YouTube or Hulu.
Social Media Supervision simply tracks the existence of your child's Facebook account and reports if the child used a spurious age to set up the account, or posted personal information. All of the components I've mentioned thus far are enabled by default, but Time Supervision is not.

Turning this feature on automatically schedules when the child can use the device and sets a daily maximum for screen time, based on the child's age.

For example, my imaginary 13-year-old's schedule allowed access from 6 a.m. until 9 p.m. daily, and until 10 p.m. on Friday and Saturday.
Screen time was capped at two hours for weekdays, five hours on the weekend.
If you want to tweak these settings, you must edit each day separately. You can also choose whether to cut off access or just issue a warning. Kids can check their remaining time by clicking the Norton Family icon in the notification area.

There's also an option to send a request for more time.

Android devices can still be used after hours, but Norton prevents all app activity other than calling emergency contacts. Note that time scheduling applies separately to each device the child uses.

The equivalent feature in Net Nanny is cross-device, so your kid can't time out on the PC and just switch to Android.

Mobile Parental Control

Three more components become available when you assign an Android device to the child's profile.

Android protection is equivalent to Norton Family Parental Control (for Android). Some mobile parental control systems offer geofencing, meaning you can get notification when your child enters or leaves a specific location. Norton's Location Supervision doesn't do that, but if you enable it the child's device reports its position periodically, and you can view current and past locations on a map. App Supervision lists all non-default apps installed on the child's Android device.
See something you don't like? Just check the box to block use of that app. I couldn't actively test the advanced Text Supervision feature, because my Android test devices all lack cellular data connection. Here's how it works.
In the default Monitored mode, the child can text with any contact that's not specifically blocked. Norton logs all text conversations with unknown contacts. Parents can review the conversations and mark the contact as Blocked or Unmonitored.
In Blocked mode, unknowns can't contact your child at all until and unless you mark them as Unmonitored.
In Unmonitored mode, all contacts not specifically marked as Blocked are permitted, with no logging. If your child uses an iOS device, you can still install Norton's parental control, the equivalent of Norton Family Parental Control (for iPhone). However, there's just not much to it. You do get content filtering, but it only works in the app's internal browser.

During installation, the app explains how to set up Restrictions so your child can't use Safari or Chrome, disable Norton, or download other browsers. Once that's done, you get the full power of Web Supervision. Location Supervision is also available, just as it is on Android.
Video Supervision and Search Supervision both work. However, on an iOS device there's no Time Supervision, Mobile App Supervision, Text Message Supervision, or Social Media supervision.
If you really need full-powered parental control on iOS devices, look to Editors' Choice Kaspersky Safe Kids (for iPhone).

Parental Reporting and Notification

So far I've just talked about how you use Norton to define and enforce House Rules.

The other half of the equation is what Norton calls Activities—the logs of what your children have been up to.

The Activities summary shows the same eight types of supervision, with an overview of the latest activity. You can filter the summary to just look at one device, in which case you'll see a message stating "This feature is not supported" for categories that don't apply to that device. Clicking one of the panels opens a more detailed view, and in most cases you can drill down even farther.

For example, the Web Supervision summary shows the most-used categories.

Clicking it gets a full list of all sites visited, warned, or blocked.

And clicking a specific site displays that site's categories, a thumbnail, and any message that the child sent.
Search Supervision displays a word cloud of search words in the summary and lists precise search terms when you click. On the Video Supervision summary, you see thumbnails of the videos your child has watched.

Drilling down lists the videos, along with the device used for viewing and a date/time stamp.

And clicking an item in that list lets you view the video's description or jump straight to the video itself. Your Norton Family account can have more than one designated parent—that makes sense, but it's not a common feature. Parents get email notification of quite a few events.

These include visiting a blocked site, sending information that was defined as personal, and installing an app that blocks Norton Family, among other things. You can turn off any or all of these if they get to be too much. As you can see, this is an extremely comprehensive parental control system, its only weakness being the limited iOS support.

As a standalone product, it's an Editors' Choice.

A Star-Studded Suite

If Symantec Norton Security Premium were a movie, it would have a star-studded cast.
Its antivirus component is an Editors' Choice, as is its parental control system.

As a separate product, its Android security app is also an Editors' Choice.
Various components earn excellent scores in independent lab tests and in our own tests.

And it even offers a full security suite for macOS, something few competitors accomplish. Norton Security Premium is an Editors' Choice for cross-platform multi-device suites, and it's a great choice as long as its ten licenses suffice for your needs.
If your household needs security for even more devices, consider our other Editors' Choice in this area, McAfee LiveSafe.
It doesn't score as well as Norton in testing, but you can use it on every device in your household, no limits.

Sub-Ratings: Firewall, Antivirus, Performance, Privacy, Parental Control. Note: These sub-ratings contribute to a product's overall star rating, as do other factors, including ease of use in real-world testing, bonus features, and overall integration of features.


GPG Sync simplifies encryption key management

In all the discussion about using encryption, a critical point keeps getting lost: It's difficult to work with, and it's even harder to deploy it at scale. Nowhere is the challenge more evident than in sending secure email. There are many ways to interact and collaborate -- instant messaging, Slack, and so on -- but email still dominates in enterprises.

Even as encryption goes mainstream, with secure messaging tools, more websites adopting HTTPS by default, and cloud storage services allowing easier file encryption, sending an encrypted email message is still a challenge. While GPG Sync, a new open source project from First Look Code, doesn't simplify the process of sending encrypted messages, it does "make using encrypted email within an organization less obnoxious for everyone," wrote Micah Lee, a technologist with First Look Code, the software arm of First Look Media. GPG Sync is designed for organizations already doing the heavy lifting of using GPG (GNU Privacy Guard), an implementation of OpenPGP public key cryptography, to encrypt email messages. Using GPG is a multistep affair: first creating the user's key, then regularly importing the keys of other users and verifying that the keys actually belong to the correct people. Making sure everyone has the most current key for everyone else is an unwieldy task. New keys are issued to new users as they join, so they need to be imported.
If existing users revoke keys and transition to new keys, other users need to refresh the keys to make sure they are not accidentally using the older keys.

This is the problem GPG Sync solves, by making sure each user has up-to-date public keys as defined by a centrally managed list. The project takes a very straightforward approach.

A single trusted person maintains a list of GPG fingerprints used by the organization, which is digitally signed by an "authority key." Each user's copy of GPG Sync recognizes the authority key's fingerprint and knows the URL of where the signed list is stored.

The software automatically makes sure the user has the most current list and references it to refresh all of the non-revoked keys from a key server. "Now each member of your organization will have up-to-date public keys for each other member, and key changes will be transitioned smoothly without any further work or interaction," Lee wrote on the project's GitHub page. GPG Sync plays a role similar to that of S/MIME or certificate authorities in many organizations, and is a simpler alternative for organizations that don't want to set up a certificate authority. It's hard enough using GPG for encrypting emails, so simplifying key management is a real benefit. The caveat is that organizations must already have users set up to encrypt messages with PGP. While there are teams using open source implementations of the OpenPGP standard, many organizations concerned about encrypted email prefer commercial offerings, such as Virtru.

The platform sits on top of the organization's existing email system, making it possible for users to send and receive encrypted messages without changing their workflow.
Virtru also provides a secure process for non-Virtru users to access encrypted messages. Projects like GPG Sync are beneficial for the overall open source security ecosystem because they simplify parts of an existing workflow. Making it easier to handle different steps makes the prospect of adopting GPG less daunting. Secure communications suffer from the chicken-and-egg problem. Users like the idea of sending secure messages, but they need to make sure the people they are communicating with are on the same service.
In the world of secure text messaging, users wind up with multiple apps on their mobile devices and have to remember which contact is on which platform to be able to communicate.

Apple encrypting iMessage end-to-end solved that problem for a lot of iOS users, and services like ProtonMail offers free encrypted webmail, but there's still a lot left to do to bring encryption to the masses. 
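The flow the article describes for GPG Sync (a signed fingerprint list, an authority key whose fingerprint every client pins, and a refresh of every listed key from a key server) is compact enough to spell out. The block below is an added example written for this page, not code from the GPG Sync project. It parses gpg's machine-readable `--status-fd` output to confirm that the list carries a good signature from the pinned authority key or one of its subkeys, parses the list, and only then hands the fingerprints to `gpg --recv-keys`. The fingerprints, the list and the status output are constructed samples; the exact file format GPG Sync uses for its list, where it hosts it, and whether it accepts signatures made by a subkey of the authority key are assumptions here, not facts from the article.

```python
"""Verify a signed GPG Sync-style fingerprint list and decide which keys to refresh."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

FPR_RE = re.compile(r"^[0-9A-F]{40}$")

# All fingerprints, the list and the gpg status output below are constructed samples.
AUTHORITY_FPR = "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000"
SAMPLE_LIST = """\
# constructed fingerprint list: one fingerprint per line, spaces optional
0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
fedcba9876543210fedcba9876543210fedcba98
0123456789ABCDEF0123456789ABCDEF01234567   # duplicate of the first entry
"""
# What `gpg --status-fd 1 --verify` prints for a good signature made by a signing
# subkey (AAAA...) whose primary key is the authority key (last VALIDSIG field).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0000111122223333 Example Authority <authority@example.org>\n"
    "[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2017-01-24 1485216000 0 4 0 1 10 00 "
    "1111222233334444555566667777888899990000\n"
)


class SyncError(Exception):
    """The list must not be trusted; nothing is refreshed when this is raised."""


@dataclass(frozen=True)
class Signature:
    good: bool                  # GOODSIG seen and no BADSIG/EXPKEYSIG/REVKEYSIG/ERRSIG
    signer_fpr: Optional[str]   # fingerprint of the (sub)key that made the signature
    primary_fpr: Optional[str]  # fingerprint of that key's primary key


def normalize_fpr(text: str) -> str:
    return text.replace(" ", "").upper()


def parse_gpg_status(status: str) -> Signature:
    """Parse gpg's machine-readable status lines into a Signature."""
    good, signer, primary = False, None, None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if not fields:
            continue
        if fields[0] == "GOODSIG":
            good = True
        elif fields[0] in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"):
            return Signature(False, None, None)
        elif fields[0] == "VALIDSIG" and len(fields) >= 10:
            signer = normalize_fpr(fields[1])
            # the optional 10th argument of VALIDSIG is the primary key fingerprint
            primary = normalize_fpr(fields[10]) if len(fields) >= 11 else signer
    return Signature(good and signer is not None, signer, primary)


def parse_fingerprint_list(text: str) -> List[str]:
    """'#' starts a comment, spaces are ignored, duplicates are dropped, junk is fatal."""
    seen, fprs = set(), []
    for raw in text.splitlines():
        line = normalize_fpr(raw.split("#", 1)[0])
        if not line:
            continue
        if not FPR_RE.match(line):
            raise SyncError("malformed fingerprint: %r" % raw.strip())
        if line not in seen:
            seen.add(line)
            fprs.append(line)
    return fprs


def keys_to_refresh(list_text: str, status: str, authority_fpr: str) -> List[str]:
    """Return the fingerprints to fetch, or raise SyncError if the list is untrusted.

    The second check is the one that matters: a valid signature by any key in the
    keyring is not enough, the signer must be the pinned authority key (or a subkey
    of it). Without it, anyone whose key the client already holds could push a list."""
    sig = parse_gpg_status(status)
    if not sig.good:
        raise SyncError("fingerprint list signature is missing or bad")
    authority = normalize_fpr(authority_fpr)
    if authority not in (sig.signer_fpr, sig.primary_fpr):
        raise SyncError("list signed by %s, not by authority %s" % (sig.signer_fpr, authority))
    return parse_fingerprint_list(list_text)


def gpg_verify_status(list_path: str, sig_path: str) -> str:
    """Check the detached signature with the real gpg and return its status output."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, list_path],
                          capture_output=True, text=True)
    return proc.stdout


def gpg_refresh(fprs: List[str], keyserver: str) -> int:
    """Fetch the listed keys; a revoked key comes back with its revocation certificate."""
    if not fprs:
        return 0
    proc = subprocess.run(["gpg", "--batch", "--keyserver", keyserver, "--recv-keys"] + fprs,
                          capture_output=True, text=True)
    return proc.returncode
```

Against a real list, the call chain is `keys_to_refresh(list_text, gpg_verify_status(list_path, sig_path), AUTHORITY_FPR)` followed by `gpg_refresh(fprs, keyserver)`. The refusal path is the important part: a list that fails verification, or that verifies under some other key the client happens to hold, is rejected outright rather than partially applied, so a compromised web host serving a tampered list cannot add an attacker's key to everyone's keyring. Revoked keys are deliberately still refreshed, since the revocation certificate arrives from the key server along with the key.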

SMBs Struggle With Employees Using Unapproved Cloud Services

Workers have used unapproved cloud services without informing their IT departments in more than 80 percent of small and midsize businesses, according to a Spiceworks survey. Small and medium-size businesses have major problems in managing their use of cloud applications, according to a survey published on Oct. 12 by Spiceworks, a community for information technology workers. The survey of 338 IT managers found that more than 80 percent of the technology professionals had end users who had "gone behind their backs to set up unapproved cloud services." Almost all of those surveyed thought the security of specific cloud services should be taken into account before allowing employees to use them. "I think a lot of times, everyone is used to using consumer-level products, which are not inherently bad, but they can be dangerous," Peter Tsai, IT analyst for Spiceworks, told eWEEK. "IT does not have direct control over who sees what and when, so you are putting sensitive information out there in the wild." The problem of unauthorized cloud services shows that the issue of "shadow IT"—unvetted and unapproved technology—continues to undermine the security of businesses.
Shadow IT used to describe an unapproved wireless router or server set up by employees to help them work, but with the advent of the cloud, the problem has moved online. The IT professionals worried most about cloud storage services and web-based email services, with 35 percent warning that the former, and 27 percent that the latter, were vulnerable to attack. Messaging services and financial applications are the greatest concerns for 9 percent and 8 percent of IT professionals, respectively, according to the survey. Much of the problem for SMBs is that IT departments at the companies tend to be, unsurprisingly, smaller.
IT staff at such firms typically struggle to keep systems up and running, and security often takes a back seat, Tsai said. "An IT department of one is not that uncommon," he said. "They have to keep the lights on, keep systems running and configure cloud services." The shortage of staff shows. While 61 percent of IT professionals said that their company adequately invests in data security, less than half conduct regular security audits of their systems and only 28 percent are trying to improve data security. IT professionals can take some basic, low-cost steps to reduce the use of shadow cloud services, Tsai said.

Training can teach workers the dangers of using unapproved services, and establishing a policy can act as a guidepost for employees, he said. "Just having a policy and reviewing your policy to make sure that [the use of cloud services] is covered is a good step," he said. "Then, people know they have a course of action and that they actually have rules to follow." Finally, companies should review the cloud services that workers want to use, which can remove the primary reason that employees circumvent security policy, he said.