Microsoft offers completely passwordless authentication for online apps

Phone-based authentication is the way forward instead.


Applications using Azure Active Directory (AD) to authenticate—a category that includes Office 365, among other things—will soon be able to stop using passwords entirely.

Azure AD accounts can already use the Microsoft Authenticator app for two factor authentication, combining a password with a one-time code. With the new passwordless support, authentication is handled entirely by the app; the app itself represents "something you have," and this is combined with either biometric authentication or a PIN. Passwords have a long, problematic history; while they can be very strong, if suitably long and suitably random, human passwords are often short, non-random, and reused across multiple sites. App-based authentication avoids this long-standing weakness.

Enabling two-factor authentication is just one of the things that organizations can do to improve their security. To that end, Microsoft has extended "Microsoft Secure Score," a tool used to assess organizational policy and provide guidance on measures that can be taken to harden an organization against attack. Secure Score already spans Office 365 and Windows security features; to these, Microsoft has added Azure AD, Azure Security Center, and Enterprise Mobility Suite, covering a wider range of settings and options.


Windows Defender Advanced Threat Protection coming to Windows 7 and 8.1

(credit: Jerry Raia)

Windows Defender Advanced Threat Protection (ATP), Microsoft's security software that combines end-point security and data collection with cloud analytics, has hitherto been unique to Windows 10. But no longer; Microsoft announced today that it's bringing the same features to Windows 7 and Windows 8.1.

Coming this summer, the Endpoint Data and Response (EDR) portions of ATP will be available for these older operating systems, allowing their health and status to be managed through the cloud interface. This will be paired with either third-party anti-virus for endpoint protection or Windows Defender/System Center Endpoint Protection.

This move shows the contradictory position Microsoft finds itself in. On the one hand, Microsoft wants enterprises to deploy and use ATP, as it continues to build its cloud-based device management and monitoring software. On the other hand, Redmond wants those same companies to upgrade to Windows 10. This creates a tension: having ATP as a Windows 10 exclusive feature makes Windows 10 more attractive—Microsoft says that security is one of the major reasons enterprises cite for moving to the new operating system—but with many organizations still having Windows 7 and Windows 8.1 systems that they need to support, the inability to monitor those machines makes ATP less attractive.


Azure Confidential Computing will keep data secret, even from Microsoft

The Trusted Execution Environment means that, even if the application and operating system are compromised, the green code and data can't be accessed. (credit: Microsoft)

Microsoft announced today a new feature coming to its Azure cloud platform named "Confidential Compute." The feature will allow applications running on Azure to keep data encrypted not only when it's at rest (in storage) or in transit (over a network) but when it's being computed on in-memory. This ability to encrypt data when it's in-use means that it can be kept secure even from Microsoft's administrators, government warrants, and hackers.

Confidential Computing will have two modes: one is built on virtual machines, while the other uses the SGX ("Software Guard Extensions") feature found in Intel's recently introduced Skylake-SP Xeon processors. Both modes will allow applications to ringfence certain parts of their code and data so that they operate in a "trusted execution environment" (TEE). Code and data that are inside a TEE cannot be inspected from outside the TEE.

The virtual machine mode uses the Virtual Secure Mode (VSM) functionality of Hyper-V that was introduced in Windows 10 and Windows Server 2016. With VSM, most parts of an application will run in a regular virtual machine atop a regular operating system. The protected, TEE parts will run in a separate virtual machine containing only a basic stub operating system (enough that it can communicate with the regular VM) and only those parts of the application code that need to handle the sensitive data.


Windows Defender Advanced Threat Protection uses cloud power to figure out you’ve been pwned

New service can detect network breaches by spotting unusual system behavior.

WDATP can detect anomalous behavior even when the malware scanner doesn't find anything wrong. (credit: Microsoft)

Microsoft is beefing up Windows Defender, the anti-malware program that ships with Windows 10, to give it the power to tell companies that they've been hacked after it has happened.

Attacks that depend on social engineering rather than software flaws, as well as those taking advantage of unpatched zero-day vulnerabilities, can evade traditional anti-malware software. Microsoft says that there were thousands of such attacks in 2015, and that on average they took 200 days to detect, and a further 80 days to contain, giving attackers ample time to steal data, and incurring average costs of $12 million per incident. The catchily named Windows Defender Advanced Threat Protection is designed to detect this kind of attack, not by looking for specific pieces of malware, but rather by detecting system activity that looks out of the ordinary.

For example, a social engineering attack might encourage a victim to run a program that was attached to an e-mail, or execute a suspicious-looking PowerShell command. The Advanced Persistent Threat (APT) software that's typically used in such attacks may scan ports, connect to network shares to look for data to steal, or connect to remote systems to seek new instructions and exfiltrate data. Windows Defender Advanced Threat Protection can monitor this behavior and see how it deviates from normal, expected system behavior. The baseline is the aggregate behavior collected anonymously from more than 1 billion Windows systems. If systems on your network start doing something that the "average Windows machine" doesn't, WDATP will alert you.
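To make the baseline-deviation idea concrete, here is an added toy detector (not Microsoft's code, and not how WDATP is actually implemented): it scores each host's telemetry against a constructed fleet baseline of how common each behavior is, and raises an alert when a host shows enough behaviors that the "average machine" does not. The baseline figures, behavior names, thresholds and event lines are all constructed for this example.

```python
import math
from collections import Counter

# Constructed fleet baseline (not real WDATP data): for each behaviour, the
# share of fleet machines that showed it on a normal day and the mean count
# on a machine that did.
BASELINE = {
    "process_from_mail_attachment": (0.002, 1.0),
    "powershell_encoded_command":   (0.005, 1.0),
    "port_scan_burst":              (0.001, 1.0),
    "smb_share_enumeration":        (0.010, 2.0),
    "new_external_connection":      (0.600, 8.0),
    "browser_launch":               (0.950, 20.0),
}
RARE_PREVALENCE = 0.05  # under 5% of machines do it -> unusual
EXCESS_FACTOR = 3.0     # or 3x the fleet's mean count -> unusual
ALERT_SCORE = 4.0       # summed rarity weight that raises an alert

# Constructed endpoint telemetry lines: "<time> <host> <behaviour>"
EVENTS = """\
09:01 WS-17 browser_launch
09:02 WS-17 process_from_mail_attachment
09:02 WS-17 powershell_encoded_command
09:03 WS-17 port_scan_burst
09:04 WS-17 smb_share_enumeration
09:04 WS-17 smb_share_enumeration
09:05 WS-17 new_external_connection
09:00 WS-22 browser_launch
09:10 WS-22 new_external_connection
""".splitlines()

def analyze(lines, baseline=BASELINE):
    """Count behaviours per host, flag those rare across the fleet or far above its mean."""
    per_host = {}
    for line in lines:
        _, host, behaviour = line.split()
        per_host.setdefault(host, Counter())[behaviour] += 1
    results = {}
    for host, counts in per_host.items():
        score, unusual = 0.0, []
        for behaviour, n in counts.items():
            # A behaviour the baseline has never seen is treated as very rare.
            prevalence, mean = baseline.get(behaviour, (0.001, 1.0))
            if prevalence < RARE_PREVALENCE or n > EXCESS_FACTOR * mean:
                unusual.append(behaviour)
                score += -math.log10(prevalence)  # rarer => heavier weight
        results[host] = {"score": score, "unusual": unusual,
                         "alert": score >= ALERT_SCORE}
    return results
```

Running `analyze(EVENTS)` flags WS-17 (attachment launch, encoded PowerShell, port scan and share enumeration are all rare fleet-wide) and leaves WS-22, which only browses and makes ordinary outbound connections, unalerted.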
