Get Ready for Microsoft Edge Insider

I have been writing about security in Microsoft Edge, and many people have told me, “What you are saying is true, but this website won’t work there.” It is the same old issue of lazy developers who do not test their websites and instead put up a message saying “Sorry, please use another browser.” Microsoft is taking a bold step by providing maximum support for web standards, and to put it simply, all or most of the websites that say “Sorry, please use a different browser”, or that do not work with Microsoft Edge today, should work just fine. I do have concerns about the new standards, since there might be certain security risks (as already exist in Chrome and Firefox), but we need to observe. The Microsoft Edge team has opened up a preview build of Microsoft Edge, and if you are not using Microsoft Edge, or you are using it but some websites do not work well, this is the best time to share your issues directly with the Microsoft Edge team. For this reason, please take a look at Microsoft Edge Insider and install the latest build. I should explain that these builds are still under test and development; they are there so you can test your websites, see how well they work, and if you see any issue or problem, send feedback so the product team can investigate and solve it. It is the best place to share your feedback and bugs, so that when Microsoft Edge is released to the public, it can become your default browser.

I would ask everyone who has an interest in the web and browsers to try it out and share feedback. I am also asking the security community to keep a close eye on Microsoft Edge from a security perspective. The build currently available on the Microsoft Edge Insider website is for evaluation, mainly to see how websites look, and you might notice that some features of Microsoft Edge are missing. Don’t worry about it: they will be available in the future, and you will get a lot of new things. If you have any suggestion that could make Microsoft Edge better, you may submit it through the feedback form inside Microsoft Edge too. The good news is that Microsoft Edge will be available for Windows 7, Windows 8, Windows 8.1 and macOS too. Windows 10 users will get the latest release of Microsoft Edge automatically once it is finalized.

Let’s work together to build a better and more secure browser.


Windows Defender Offline in Windows 10

Windows 10 is the most secure operating system ever. It has several new security features that were not available in previous versions of Windows, and features that are not available in other operating systems like Linux or macOS. For one example, Windows 10 comes with anti-malware software pre-installed, which protects you against malware out of the box without you having to purchase and install one.

I have talked about sophisticated malware like rootkits and bootkits, which place themselves in the boot chain or the kernel of the operating system so that they execute before the system has fully booted and can harm it before the anti-malware product even starts. Windows came with a feature known as ELAM (Early Launch Anti-Malware), which lets the anti-malware driver load early in the boot sequence, before other third-party boot-start drivers, and protect the user’s system. However, let’s say we have a scenario in which malware manages to bypass that. It is a very rare scenario, but we should be prepared. For this case there is a product known as Windows Defender Offline: you write it to a USB drive or DVD and boot from that (instead of from the hard drive of your PC), so the scan runs from a clean environment and the malware installed on the disk never gets a chance to run. However, there was a small issue here: we might not have an empty USB drive or DVD with us all the time, and you have to know that creating the media completely erases the USB drive, so it is not easy to use your personal USB drive with a lot of data on it. Windows 10 solves this issue for you. Windows Defender Offline is part of Windows 10, and to use it you just go to Settings, Update & Security, and the Windows Defender page (in newer releases this opens Windows Security, where the offline scan is under Virus & threat protection, Scan options) and start the offline scan; it restarts your PC, boots into the scanning environment, runs the scan and boots back into Windows, with no need for external storage to create a bootable scanner. There is an article on the Microsoft website explaining how to use Windows Defender Offline. Two practical notes: save your work first, because the PC restarts, and update the Windows Defender definitions before starting, because the offline scan uses the definitions installed at that moment.

It makes your job easier: next time you believe you have some nasty unknown malware, you do not need to go around looking for an empty DVD or external USB drive, figure out how to take a backup, and then work out how to boot the system from USB/DVD in the BIOS/UEFI. All you have to do is a few clicks to run a deep scan before Windows boots up. It makes our jobs as security experts easier too: many people used to have difficulty figuring out how to boot from USB or DVD, the BIOS/UEFI setup is different for each device, and sometimes they booted into the BIOS/UEFI setup, accidentally made other changes and caused more trouble.

What is so exciting about Windows 10 is that things are getting more difficult for hackers and cybercriminals who want to harm a user running Windows 10, and things will get even harder for them in future releases of Windows 10.

Microsoft Edge is the Most Secure Browser in Windows 10

Recently there was a discussion about browser security, and people asked me what the most secure browser in the world is. To answer that question, we should say that the security of a web browser is not only about the browser itself; it also depends on the operating system. So, if you are using Windows 10, the most secure browser for it is Microsoft Edge. It is the only browser built on the Universal Windows Platform (UWP), the successor to the classic Windows desktop application model and the application model best adapted to Windows 10. It is superior in terms of security and in how it interacts with Windows: the app runs in an isolated environment (the AppContainer sandbox), which provides stronger protection for users. Other browsers, including Internet Explorer, Chrome and Firefox, are desktop applications; they follow security principles, but because they are not UWP apps, they will not be as secure as Microsoft Edge. In addition, Microsoft Edge is the only browser that supports Windows Defender Application Guard out of the box. This means you can run Microsoft Edge inside a hardware-isolated virtual container, so that even a sophisticated 0-day exploit against Edge running under Application Guard cannot harm your Windows installation; we avoid the situation where taking over the browser means taking over the entire system. Running Microsoft Edge in Application Guard is easy and can be managed by Group Policy (note that it requires a 64-bit edition of Windows 10 on hardware with virtualization support). In addition, Microsoft Edge comes with certain defense-in-depth mechanisms that are unique to it and not available in Firefox or Chrome. Some people might complain that Microsoft Edge does not support all web standards. One of the reasons could be security: if a standard poses any risk to Windows or does not yet fulfill all security requirements, it will not be implemented in the browser’s code.
Microsoft’s policy is quality over quantity: it is important to provide a secure and stable browser rather than show off how many standards are supported. We have to ask whether a supported standard passes all qualification criteria or not. How would you feel if a standard that might put your system at risk were supported just to make sure your website is displayed? In addition, Microsoft Edge extensions are offered directly from the Windows Store, and to date there has been no report of a malicious incident involving Microsoft Edge extensions, which speaks well for its security. In terms of security, Internet Explorer is also superior to Firefox and Chrome, since it has better integration with the Windows security ecosystem, but it is recommended to use Internet Explorer only for compatibility. Microsoft Edge has versions for Android and iOS and is going to support other operating systems. We cannot provide a detailed explanation of its security on those operating systems, but it does provide Microsoft’s SmartScreen filter, which is strong protection against malicious and phishing websites. You may try Microsoft Edge on your Android and iOS devices and see how it works; it is expected to offer protection comparable to the other browsers on those platforms. Microsoft has announced that Edge will move to the Chromium engine to enhance support for web standards, and this brings us some concern in terms of security, as we have already observed security issues with this engine. If Microsoft manages to adopt Chromium in Microsoft Edge in a way that keeps control over security, with a process to manage and maintain it following Security Development Lifecycle principles, then it will be a successful move. We will monitor the development of the upcoming Chromium-based version of Microsoft Edge and share our security thoughts about it.
I am asking security experts worldwide to investigate the Chromium-based Microsoft Edge and report all security concerns through the Feedback Hub app in Windows 10.

Why Is Microsoft Forcing Updates in Windows 10?

There are new improvements in the way Windows 10 updates your system. You are no longer able to simply turn Windows Update off. You have the option to delay installing an update, but turning Windows Update off entirely is not easy. There is a feature called Active Hours, where you set the times during which your PC must not restart for updates. Some people have complained about the new Windows Update mechanism, saying that Microsoft is forcing updates on them and causing problems, and some have even filed complaints against Microsoft. It is important to look at Microsoft’s decision to download and install updates automatically, and why this feature matters while Windows Update is made hard to disable.

If you do not get the latest update, it puts your system at risk. While you are still deciding whether to update your system or not, hackers are using the latest techniques to break into it, and in that case you have to spend a lot more on defending your system, and the cost of the damage would be a lot higher. In other words, when your system is not updated it is like rolling out a red carpet with a welcome message for hackers. You need updates to enhance the security of your system, block hackers and improve your system’s capabilities. Updates are a must for the system, and requiring users to install the latest update is the right decision. The biggest concern, however, is the reliability of updates, and Microsoft tests updates before release to make sure they do not harm users and that all applications keep working as expected. There have been negative experiences with updates, which count as unexpected issues; in all those cases Microsoft took responsibility and solved them, and users can always contact Microsoft about issues related to updates. Therefore, disabling and ignoring updates brings more harm to the system than updating it and being forced to stop using it for a while. In addition, you can always plan for a time when you are not using your system. We are in the era of the cloud: you can plan to move some of your tasks to your phone or the cloud and let your system install the update, or just give yourself a break and give your system a break to update. Remember, while you are deciding whether or not to install an update, hackers are looking for systems that are connected to the Internet but not updated, and if your system is in this category, then prepare for hackers to take over your system and use it for criminal purposes.

Privacy in the Account Associated with Your Phone

You are using a mobile phone running one of the following operating systems: iOS (Apple), Android (Google) or Windows Mobile (Microsoft), or another phone. You might notice that if you want to start working with your phone, or to get the full experience from it, you need to sign in with an account, as follows:

Windows Mobile: Microsoft Account

Android: Google Account

iOS: Apple ID

Having an account is not a bad thing. You can use the account to locate or lock your phone if it has been stolen. You need an account to install apps, and if you format (reset) your phone, just by signing in with your account you can reinstall all your apps without problems like forgetting what you had installed, or having paid for an app and lost the key, and so on. It gives you a convenient backup capability: if you format your phone you can get all your data back, and if you buy a new phone, you just enter your account and you have all your applications and data on the new phone. Accounts give you a new experience, and I have seen people who set up an account but forgot about it, or who asked the phone salesperson to set up the account for them (which is not a good idea). Today our phones are useless without an account, and I have not seen anyone using a modern phone without associating it with an account. On the other hand, we are in an era where we use our phones more than ever before; our phones are personal, which means we give them more data, and if privacy law does not keep things under control, companies will know a lot about us. Just look at the apps you have installed on your mobile device. From the names of the apps alone we can see who you are: if you have a lot of apps for editing and creating music, you have a strong interest in music; if you have a lot of apps about architecture, you are probably an architect, and so on. Also note that whatever you search for on your phone is associated with your account, and by putting all those keywords and sentences together, they know what you are looking for. Also note that we normally enable location (it is optional), which certain apps need; for example, location has to be on for Google Maps to find a destination.
Now combine the fact that your location is on because you are using Google Maps with the keywords you have searched for, and such data gives them the power to see what is in your mind. Think about what you have searched for so far: we tend to trust our mobile devices and the Internet more than anyone else. That is why we entrust them with passwords we would not even share with our closest friends and family. However, you should take note that all of this is being shared with companies’ servers, and if privacy is not there, they will know everything about you. The United Nations Human Rights Council has declared that we should fight against torture. Well, they do not need torture anymore; they just need permission to access your account and they will get all the data they need. Wait, don’t delete your account: even if you delete it, your data will still be kept, and you cannot erase your past. So the smart way is to ask your government for transparency and strict privacy regulation, where Europe’s GDPR did a great job.

Don’t Trust the Padlock and HTTPS to Detect Phishing Websites

Recently there have been reports of phishing websites using digital certificates, and this is an alarm for all of us. Initially, I always told users that for well-known websites, including banks and anywhere you need to enter data, they should make sure the site has a digital certificate (the little padlock at the top of the browser saying the connection is encrypted). Because purchasing a digital certificate used to be expensive and required validation steps, most phishing websites went without one, and its absence was a good sign for spotting phishing. So, if you visit your online banking website and it does not have the padlock icon and the address does not start with HTTPS, it is definitely phishing, and that remains the easy way to spot it. But I should stress that even if the website has the padlock and starts with HTTPS, you should still check the URL and make sure it really is your bank or trusted website. Phishing websites are now able to get digital certificates (domain-validated certificates are issued automatically and for free to whoever controls a domain name), which means that when you visit them they have HTTPS and the padlock too. The padlock only tells you that the connection to the host named in the address bar is encrypted; it says nothing about who operates that host.

Security professionals are fighting phishing, and we have advanced technologies to detect and block phishing websites, but you still need to be extra careful. One good practice is to type the address of your trusted websites (banks, money transfer, email, etc.) correctly, verify on arrival that it really is the correct site, and then add it to your favorites, so that next time you want to visit your bank you do not search for it and just open it from your favorites. Even if your bank sends you an email, do not click the link inside it; use your favorites to reach your trusted websites. This is a new challenge for our cyberspace, and I have already started working on a solution to this problem while other security researchers are doing the same; soon I will share my outcome with the industry and you will see it inside your browser. Meanwhile, if you ever come across a phishing website, use the Report unsafe website option in Internet Explorer or Microsoft Edge and report it.
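As an added example (not code from the original post), the following JavaScript shows the check described above applied to what is in the address bar: HTTPS is required but never sufficient, and only an exact hostname match against your own favorites list counts. The allowlisted hostnames and the sample addresses are placeholders constructed for illustration, not real sites.

```javascript
// Added example, not from the original post. Assumption: TRUSTED_HOSTS stands
// in for the user's own favorites list; the hostnames are placeholders.
const TRUSTED_HOSTS = new Set([
  "onlinebanking.example.com", // placeholder for your bank
  "mail.example.net",          // placeholder for your webmail
]);

// Returns { ok, reason }. The only thing that makes a URL "ok" is an exact
// match of its hostname against the allowlist over HTTPS; the padlock alone
// (i.e. a valid certificate for whatever host is in the URL) never does.
function checkUrl(rawUrl, trusted = TRUSTED_HOSTS) {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG parser: lower-cases the host, converts IDN to punycode
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  const host = u.hostname.replace(/\.$/, ""); // "example.com." is the same host as "example.com"

  if (u.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  if (u.username || u.password) {
    // "https://onlinebanking.example.com@attacker.test/": everything before '@'
    // is userinfo, and the real host is what follows it.
    return { ok: false, reason: "credentials before '@'; real host is " + host };
  }
  if (trusted.has(host)) {
    return { ok: true, reason: "exact match on trusted host " + host };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    // Non-ASCII letters in the name became punycode: the classic homoglyph trick.
    return { ok: false, reason: "internationalised hostname (punycode) " + host + "; possible homoglyph" };
  }
  for (const t of trusted) {
    // "onlinebanking.example.com.attacker.test" contains the trusted name but is a different host
    if (host.includes(t) || host.startsWith(t.split(".")[0] + "-")) {
      return { ok: false, reason: "lookalike of " + t + "; real host is " + host };
    }
  }
  return { ok: false, reason: "host " + host + " is not in your favorites" };
}

// Constructed sample addresses, as a user might see them in the address bar.
const SAMPLES = [
  "https://onlinebanking.example.com/login",
  "http://onlinebanking.example.com/login",
  "https://onlinebanking.example.com.attacker.test/login",
  "https://onlinebanking.example.com@attacker.test/login",
  "https://onlinebanking-example.com/login",
  "https://onlinebänking.example.com/login",
];

for (const s of SAMPLES) {
  const r = checkUrl(s);
  console.log((r.ok ? "TRUSTED  " : "REJECT   ") + s + "  (" + r.reason + ")");
}
```

Every address in the sample list except the first would show a padlock if the attacker obtained a certificate for the host they control, which is exactly why the comparison is on the hostname and not on the presence of HTTPS.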

How to Detect Scams in Public Forms?

Cybercriminals are using new ways to steal data, and one of the ways I have seen recently is the use of public form-building tools like Google Forms or Microsoft Forms. These tools are very productive and helpful, and you do not have to be an expert to create a form and share it online, but they can also be used for criminal purposes. It is always a good idea to use these forms for good purposes; for one example, I have been using Microsoft Forms to organize conferences. Instead of asking attendees to send their name and details by email, which takes a long time to put into an Excel file and track who is attending, or buying a domain and an SSL certificate and building a form, which is costly and time-consuming, I just sign in with my Microsoft account and create a form easily and quickly. It gives me a web page with SSL and good security; I share it with my community members or those who want to attend my conference, they fill in their details, the platform puts everything into a nice Excel file, and I save that file and use it at the event to keep track of who is attending and who is not, and to send reminders to the email list before the event. Meanwhile, I can share feedback with the team through the Feedback interface and ask them to make it better.

However, cybercriminals are using this for criminal purposes too. They easily create a form in Google Forms, Microsoft Forms or another online form builder; these forms are served from reputable domains like Microsoft’s or Google’s and have SSL, so the user does not get suspicious, but they ask for information they should not be asking for. In this case you should report them as abuse, so that Microsoft or Google will take action against them (if it is valid abuse), and you could protect millions of users. The form builders have an option at the end of the page to report abuse.

However, the main question is how to spot abuse. Someone might have posted a form that is valid and legitimate, while others might post a form that is real abuse. Treat a public form (Google Forms, Microsoft Forms or similar) as abuse or a scam if it meets any of the following conditions:

  • It asks for anything related to a password: enter your password, save your password, password recovery, and so on. A legitimate form never needs your password.
  • It asks for banking or credit card information: if it asks you to enter your credit card details in a plain textbox, it is fraud for sure.
  • It asks for irrelevant information: say you are registering for a conference; asking for your name, email, phone number and address may be valid, but asking for more private information such as your date of birth, the city where you were born or your first school is not, unless it is clearly related to the event, such as asking for your school when organizing an educational event and collecting that data for statistics.
  • It claims to be from Microsoft or Google: because the form is served from a valid Google or Microsoft domain and carries their logo, some people might be fooled into thinking it comes from these companies. If you see a public form that has the Report Abuse option and claims to be from Microsoft or Google, it is a scam.
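As an added example, not from the original post, here is a small JavaScript heuristic that applies the four warning signs above to a form’s title and field labels. The rule lists, the sample forms and the `hasReportAbuseLink` flag (meaning the page is hosted on a public form builder that shows its own Report Abuse link) are constructed for illustration, and the `expectedFields` option models the exception in the third point, where an organizer has a stated reason to ask for a field.

```javascript
// Added example, not from the original post. The rules are assumptions that
// encode the four warning signs; the sample forms below are constructed data.
const RULES = [
  {
    name: "asks for a password or recovery secret",
    re: /\b(password|passcode|passphrase|recovery (code|phrase|email)|security (code|question))\b/i,
    severity: "fraud",
  },
  {
    name: "asks for card or bank details",
    re: /\b(credit|debit) card\b|\bcard number\b|\bcvv\b|\bcvc\b|\bexpir(y|ation)\b|\biban\b|\baccount number\b|\brouting number\b|\bsort code\b/i,
    severity: "fraud",
  },
  {
    name: "asks for identity-recovery data",
    re: /\b(date of birth|birthday|city where you were born|birthplace|first school|mother'?s maiden name|passport number|social security|national id)\b/i,
    severity: "suspicious",
  },
];

// Brand names a form hosted on Google Forms / Microsoft Forms cannot legitimately claim.
const BRAND_RE = /\b(microsoft|google|office 365|outlook|gmail)\b/i;

// form: { title, description?, hasReportAbuseLink, fields: [label, ...] }
// opts.expectedFields: regexes for fields the organizer has a stated reason to ask for.
// Returns { verdict: "scam" | "suspicious" | "looks legitimate", findings: [...] }.
function assessForm(form, opts = {}) {
  const expected = opts.expectedFields || [];
  const findings = [];

  for (const label of form.fields) {
    for (const rule of RULES) {
      if (!rule.re.test(label)) continue;
      // An educational event asking for your school is the page's own example of a valid exception.
      if (rule.severity === "suspicious" && expected.some((re) => re.test(label))) continue;
      findings.push({ label, rule: rule.name, severity: rule.severity });
    }
  }

  // Fourth sign: the form carries the builder's Report Abuse link (so it is a public form)
  // yet claims to be the builder's own company.
  const text = form.title + " " + (form.description || "");
  if (form.hasReportAbuseLink && BRAND_RE.test(text)) {
    findings.push({ label: form.title, rule: "claims to be from the form provider", severity: "fraud" });
  }

  let verdict = "looks legitimate";
  if (findings.some((f) => f.severity === "fraud")) verdict = "scam";
  else if (findings.length > 0) verdict = "suspicious";
  return { verdict, findings };
}

// Constructed sample forms.
const conferenceForm = {
  title: "Security Conference 2019 registration",
  hasReportAbuseLink: true,
  fields: ["Full name", "Email address", "Phone number", "Company", "Dietary requirements"],
};

const accountForm = {
  title: "Microsoft account verification",
  description: "Verify your account within 24 hours to avoid suspension",
  hasReportAbuseLink: true,
  fields: ["Email address", "Current password", "Phone number"],
};

for (const f of [conferenceForm, accountForm]) {
  const r = assessForm(f);
  console.log(f.title + " -> " + r.verdict);
  for (const x of r.findings) console.log("  " + x.severity + ": '" + x.label + "' " + x.rule);
}
```

The regex lists are deliberately conservative: a single password or card field is enough to mark the form as a scam, while identity-recovery data only raises the form to “suspicious”, because the page notes that such a field can be legitimate when the event has a reason for it.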

Therefore, it is always a good idea to use public forms, and you can trust them generally; as I said, they are used for conferences, public events and even celebrations, but you have to make sure you are using a valid one, not fall into the trap of a scam, and make sure to report scammers.