#35: Do you really need a VPN?

Posted on July 12, 2024 (Updated July 12, 2024) by ewand

Before widespread internet access, companies would use modems and dial-up services so remote workers could access their internal network as normal, but connecting (slowly) over a phone line. As mobility and broadband became more pervasive, Virtual Private Networks (VPNs) provided a way of accessing data that is held within your place of work – or home, perhaps – when you’re out on the road, establishing an end-to-end secure link over the internet between you and the destination.

At the same time, many of the services we’d rely on moved fully online – like email, shared documents or even business applications, potentially hosted by a 3^rd party like Salesforce, Dropbox, Workday or Microsoft. Each of those would be protected using an encrypted and authenticated SSL/TLS connection, just like any other secure website connection.

What do you still have in your home or in your business premises, which you’d need a VPN to access? For organisations with local services or apps, Microsoft has long championed an automatic VPN back to your company HQ, called DirectAccess, but that is now having the sun set on it in favour of a more modern Always On VPN. Many businesses now are all in the cloud, so have nothing internally to connect to – but even as a home user, there may be some relevance.

Securing the connection

When you link using a VPN, everything between you and the endpoint is encrypted through an established “tunnel”, and therefore invisible to the intervening points on the network.

The invisibility of what’s happening in the tunnel could be useful to the user, for example where there’s a policy denying access to certain websites; if you VPN (and that was allowed) then the network owner wouldn’t know what you were sending up and down the connection since it’s encrypted, and therefore might not be able to block your access.

The VPN model illustrated above has all your internet traffic going back to the VPN endpoint and then out onto the internet from there (so it looks to the website you’re accessing like you’re located wherever the VPN endpoint is). There’s generally a performance penalty in doing this since there are additional “hops” involved, and it also means that whatever you’re getting up to on the public internet will be happening through your company’s firewall or your own home router.

Some VPNs give you the option to split traffic, where it routes only certain data down the VPN tunnel, while everything else just goes out onto the internet from the hotel/airport etc network as usual. That reduces the load on the VPN endpoint and its network (since casual browsing traffic isn’t coming in and out, only stuff destined for the internal network it is attached to), and is a bit quicker for the user since they just get their public internet stuff done nearby.

Some companies – mostly VPN vendors or security consultancies, it must be said – would advise that every time you connect your laptop to a public WiFi network (as found in coffee shops, airports, hotels etc), then woe betide you if you don’t access everything through their subscription VPN service. Such services would say you should routinely connect to their endpoint (in whichever country you want) so that everything between you and their server is encrypted, and the local network provider to you has no clue what you’re doing.

NordVPN, probably the market leader for 3^rd party services, pushes itself heavily through advertising and tie-ups with leading podcasts and credit card companies, etc.

Securing the connection is one thing, however there’s still the small matter of being tracked in everything you do, potentially having unwanted software downloaded, which a 3^rd party VPN might not protect you from, so it’s no silver bullet.

If you don’t use a VPN and you’re accessing a shopping site or online banking, the network provider (eg the Hotel or airport) could see which URL you’re accessing, but since the first thing you’ll do in nearly every browser session is to establish a secure connection between your computer and their website, any prying networking provider would only see that you’re sending gobbledygook data back to a single address out there on the net.

There is a possibility of having a man-in-the-middle attack which steals your data through subterfuge, though there are numerous steps taken to prevent this. If you’re using a VPN then you’re protected, unless you’re unwittingly VPNed into the man in the middle directly, in which case, the whole game’s a bogey.

Pretending to be somewhere you’re not

Some VPN users will use them to appear that they are somewhere else – eg if you’re travelling but want to access a web service which is locked to a given region, like TV streaming services. Lots of Brits in America use VPNs to access the BBC’s iPlayer, for example. There is a “yes, I have a TV license” checkbox, but we all know how effective those kind of prompts are.

Since the traffic from the VPN device or service appears to be from whatever country it’s in, that might be used to circumvent geographic blockers. Streaming companies often have legitimate reasons to restrict access based on where you are (as opposed to just being greedy and horrible).

Since some VPNs are offering ways to not only defeat the geo-blocking, but potentially provide a way around password sharing restrictions, the arms race will continue where content providers will try to stop people using certain services and VPN services will get smarter at not being blocked.

Further reading

If you’re on the road and want to access stuff back in your home, your broadband router might even have a VPN service built in (though do take care that it’s not using out of date security standards). Another option could be to set up an endpoint with OpenVPN. If you have Synology NAS appliance (and they are very good), you can enable the OpenVPN service relatively easily – see here.

Some other things to check out:

· Should You Use a VPN? – Consumer Reports

· Do I Really Need a VPN at Home? | PCMag

· Is a VPN really worth it? | Tom’s Guide (tomsguide.com)

So, back to the original question – do you really need a VPN?

Probably not. But maybe.

You be the judge.

#33: Securing your Microsoft Account (MSA)

Posted on June 28, 2024 by ewand

At some point, Microsoft might merge the business and consumer identities which underpin all of its online services. The business ID – formerly known as Azure Active Directory, itself being something of a successor to the on-prem AD and the old NT Domains before that – is now Entra ID. Clumsily referred to in some prompts as a work or school account, it’s used for appropriately businessy stuff like logging into Microsoft 365, signing into Partner Center or running a company’s Azure infrastructure.

Consumer authentication takes the form of the somewhat malapropped “Microsoft Account” or MSA, which grew out of a the ID mechanism behind a phalanx of online services: Microsoft Passport (and all of the dreams of Hailstorm and Mesh that were pinned to it). Many users initially created their passport to login to Hotmail (the first big free email service long before Gmail).

Passport became Passport.NET (as everything else got .NETified), before being rebranded as Windows Live ID and then eventually, in 2012, “Microsoft Account”.

Most readers who have had anything to do with Microsoft over the years will have at least one MSA; it’s used to sync Edge profiles, download from the Store, to access OneDrive (the consumer one; not the OneDrive business version which isn’t called OneDrive for Business any more, but is just called OneDrive yet uses an Entra ID to sign in… ya falla?) and many more besides.

As such, there’s quite a lot for baddies to gain if they can access your MSA – just take a look on account.microsoft.com/ and you’ll see lots of potentially pretty sensitive stuff.

It’s worth trying to sign in to old MSAs (with IDs like msn.com, live.com, Hotmail.co.uk etc etc) just to see what kind of egregious spam might be lurking in your inbox or recall old pictures which may have been saved to ~~SkyDrive~~ OneDrive.

ENABLE 2FA TODAY

If you don’t have multi-factor authentication enabled on your MSA, you’re simply asking for trouble. TURN ON TWO FACTOR AUTENTICATION if you haven’t already – go to the Security options of the account.microsoft.com page or see instructions. You could even dispense with password sign-in altogether, since passwords are a bad way of securing anything.

If you’d like to scare yourself just a little, expand one of the sections above and click the view activity button.

[Interesting to see that Russian hackers are purportedly using Internet Explorer – has no one told them how insecure that is these days?] Anyway, are you sure your MSA is secure enough now?

656 – Sign-in around the world

Posted on November 11, 2022 by ewand

Childhood games sometimes revolved around the goodies and the baddies. Early Western movies often had the convention of good guys wearing white hats and villans wearing black; if nothing else, it helped the viewer distinguish who was who in a fast-moving fight scene when the film is shot in monochrome.

White hat and Black hat are also terms given to computer hackers, the black hats being figuratively worn by criminals trying to break in to systems for nefarious gain, whereas the white hat hackers do it so they can report vulnerabilities and make things more secure. As ever with computing, there are also many shades of grey.

In your own technology environment, you probably never see the bad actors until you are dealing with the aftermath of a security breach. Check that your common usernames and passwords are not being circulated around, by using the Password Monitor in Edge and look for known leaks at Have I Been Pwned.

If you use a Microsoft Account (also known as MSA, commonly identified with domains like outlook.com, hotmail.com, live.com etc), then it’s a good idea to make sure it has a complex password and most importantly that muti-factor authentication is enabled. See best practices for managing your MSA.

If you’d like to scare yourself, take a look at the activity history for your MSA – here – and you’ll probably see lots of attempts to sign in from places you’ve never been to, if it was even possible to have visited them in the timeframe of the activities.

Hopefully all the unrecognized tries to sign in have been denied… maybe it’s a good time to log in to any old Hotmail.com etc accounts you may still have, just to make sure they are secured appropriately?

It used to be considered a good idea to change passwords regularly, but in recent years that has been discouraged. It would be safer to have a long, complex password which is unique for each website or account you use, probably hooked up with a password manager and authenticator app. You could even remove the password altogether and use only multi-factor authentication.

MFA – or 2FA – isn’t perfect, though. El Reg reports on a very real threat to enterprise security, described as “MFA Fatigue” – when an administrator of a system who normally has to use MFA to access it, is bombarded by authentication prompts at times they don’t expect.

Human nature might assume the system is playing up, and eventually hit “Approve” on the MFA screen, to stop the annoyance.

Microsoft’s security prouct group has some advice on how to protect users from MFA Fatigue Attacks and has released a bunch of updates to the Microsoft Authenticator app and the back-end services to hopefully make it less of a threat.

The primary problem with all IT security though, ultimately sits between the keyboard and the chair.

620 – Change your P@ssw0rd!

Posted on March 4, 2022 by ewand

Bad Actors are all over the internet (not just in your local multiplex), mostly aiming to gain access to data and systems for nefarious purposes, though sometimes they try to do good. Data breaches generally start with the weakest link in the chain: PEBKAC, in other words, It’s Your Problem.

Identity protection company SpyCloud reports that more than two-thirds of passwords which have been breached online are still in use and most users still have the same username and password combo across multiple accounts. If you want to keep your own personal identity and data safe, it’s job #1 to make sure you have unique passwords for each website you use, and that the passwords are not made up of guessable words or phrases.

The Edge browser gives you some tools to manage your passwords better – look for the Password Generator, or the drop-down Suggest strong password option, when you’re registering a new sign-in, and it will generate a long and complex password, stored in your account so in future you can be automatically signed in.

Some sites don’t trigger the password generator or suggestion – perhaps due to how they describe or display the password field(s) – so another option is to use a browser extension like btPass – numerous others are available. It simply drops an icon on the browser toolbar and will show a password of varying complexity and length, which can be quickly copied to the clipboard and pasted into password fields. Since some sites don’t like special characters in the password, you can tweak or edit the text it creates.

Security software company F-Secure has launched a free online password generator, if you’d prefer to create your secrets that way.

The Manage passwords option seen in some password drop-downs – also available from the settings menu or by entering edge://settings/passwords into the address bar – gives access to Password Monitor, which warns you if passwords you have saved are known to have been breached, and can display a list of the sites where your previously-set password has been found in a trove of hacked accounts.

You can quickly check the password used and decide to visit the page to change it – assuming the site still exists – or simply ignore it (on the assumption that you’ll be cleaning up and not using the compromised passwords on any sites you still want to actually visit).

If you install Microsoft Authenticator on your phone and sign in with the same account as you use in your browser, the saved passwords will be available through Authenticator too – so having very complex passwords should be no barrier to usability any more.

586 – Pick Up Thy WordPress

Posted on June 25, 2021 by ewand

This tip has been a very long time coming. Back in ToW 479, the subject of running WordPress on Azure was mooted, and it prompted an internal-to-MS conversation about the guidelines for publishing stuff externally.

The extended back story is that there were hundreds of employee blogs which had been published under the technet.microsoft.com and msdn.microsoft.com sites, both of which URLs could trace their birth back to the 1990s, and a project was underway to clean them up and rationalize somewhat.

Initially, guidance to MS bloggers was (basically) “unless you’re an official blog, you have <nn months> to move your stuff elsewhere before it gets deleted.” Certainly, there was to be no new content after the cut-off date.

That guidance relented somewhat and content from relatively active blogs was migrated to the Microsoft Docs archive though taking a trip through the final posts from the ToW host blog, The Electric Wand, shows that lots of graphical content was not carried across – more of a lift & dump than a lift & shift.

Blogging is a bit old-hat these days but lots of people do still maintain a blog to share stuff they think is interesting; see Scott Hanselman as one example.

Anyway, the solution for Tip o’ the Week was to move to an external website – www.tipoweek.com – which is hosted in Azure and, like about a third of all websites, running under the content management system, WordPress.

Setting up a WordPress site is pretty straightforward, really – though you do have a variety of options on what kind of site you want to build. If you need a complex site with lots of control over it, then you might want to run it in a Virtual Machine or a container. For most of us, though, a simple App Service will suffice. From the home page of your Azure subscription, just Create a resource and search services and marketplace for WordPress, then select the WordPress App Service from the multitude of options you might get.

For more tips on how best to get up and running with WP in Azure, see here.

One retiring Microsoftie (not the shy type, but leaving the company, today in fact), emailed last week to point out that the tipoweek.com website was being flagged in Edge as Not secure. Oh Noes!

This has, in fact, been a niggling issue for a while, since Chrome (and Edge, given its diet of Chromium) instituted a policy of flagging any website that doesn’t use the secure HTTPS protocol & SSL by default.

Secure Sockets Layer, if you’re not overly familiar with it, relies on a way of encrypting data travelling between two points, using a previously-generated pair of mathematically-linked digital keys. If you have one key, you can use it to encrypt data which can only be decrypted by the other key in the pair (ie you can’t even use the same key that encrypted the data to decrypt it again). Typically, one of these keys is publicly accessible and the other is kept private.

One way of sharing a public key is to embed it in a site’s SSL certificate, which is in turn validated by a mutually-trusted third party (called a certificate authority). If you visit the website for an institution like a shop or a bank, then your browser will download the site’s certificate, validate that it’s still current and trusted, then use that public key to encrypt data sent to the site. Since that data can only be decrypted using the corresponding private key, we can validate that the site is not being impersonated.

The whole public/private key encryption process has something of a computational overhead associated with it, but once we have established a secure connection, we could use a faster encryption technique for data sharing by using a single key that can both encrypt and decrypt the same data.

In other words, if I go to a website that presents me a certificate specifically issued for that URL’s domain, I can be sure that the site handing out the cert is who they purport to be. This could be validated by me generating a random set of numbers, encrypting it with the public key and sending that to the site; it would decrypt the gobbledygook with the private key that only it has, and we now both have the same set of data that has been securely shared between us. That would form the symmetric key that we can use for the rest of the connection.

For more detail on these kinds of topics, check out the Cryptography 101 podcast on Hanselminutes.

In Edge, if you want to look at a secure site’s certificate, click on the padlock icon (or the handbag icon as some people once saw it – that meant it was safe to shop) – and click the “Connection is secure” banner, then click the little certificate icon in the upper right.

The trouble is, if you’re hosting a hobby or a community web site, paying for an SSL certificate might seem a bit of overkill; web hosting companies will try to bundle them into domain protection and other security features which might be no big deal for a commercial enterprise but a little stiff for a parish newsletter.

Fortunately, there are alternatives, though they do need a bit of spade work to get up and running. Hanselman (yes, him again) discussed using an extension and an organisation called Let’s Encrypt, whose goal it is to make the web 100% secure. They have issued over 225 million SSL certs, and will generate 3-month-validity certificates free of charge, as an alternative to paying anything from $60-200 a year to a commercial issuer. With a bit of practice, it doesn’t take long to create and manage the certs and if you only need to do it 4 times a year, then it could be time well spent and money well saved.

An alternative method was written up by fellow Microsoftie Andreas Pohl, using a slightly more manual method to create the certificate then import into Azure; if you’re looking for an excuse to get Windows Subsystem for Linux up and running, then this could be it.

Once you have the certificate exported to a file, it’s a matter of a few clicks to import it into the Azure App Service that is running WordPress, set up the bindings appropriately, and you can then flick the switch to make the site only service up content over HTTPS.

And thus display the handbag of security to anyone who visits.

569 – Password migration

Posted on March 5, 2021 by ewand

One of the problems with free software and particularly free services, is that at some point, they might stop being free. The path of freely-provided online services is littered with companies who gave their service away to get the users, then grappled with the reality that more users means more costs to deliver the service – and if they don’t get enough income from whatever sources they can, the free ride will come to an end. Just look at Photobucket. And every web site that makes you whitelist them in your ad-blocker before you can continue.

The latest in a line of what-used-to-be-free but is now tightening its belt is LastPass, an excellent password manager that has a lot of users but may end up with a good few fewer. The day after the Ides of March, LastPass Free will only allow use on a single device type, so if you currently use it to sync passwords across desktops and tablets or mobiles, then you need to start paying (and maybe you should) or stick to either mobile or desktop.

As soon as the company announced its plans, the web sprung up many articles offering “what is the best alternative to…” type advice. Only a few weeks ago, ToW#561 espoused the virtues of cleaning up your passwords, featuring LastPass and also trailing some features that were coming to an alternative that you might already be using to provide 2 factor authentication on your phone – Microsoft Authenticator.

It’s fairly easy to switch to using Authenticator on your device to also sync passwords and to provide the Auto-Fill function which plugs in usernames/passwords not only to sites on your mobile browser but to other apps too. If you already have a load of passwords set up in LastPass or other locations, there are methods to export them and then import the data into Authenticator.

In the case of LastPass, you sign into the Vault (either through the browser plugin or directly on their website) and under Advanced Options, select the Export function. It will immediately drop a lastpass_export.csv file into your Downloads folder; be very careful with this file as it contains all your usernames & passwords in clear text.

You can get these passwords into Authenticator either by copying the file to your phone (Not a Good Idea) and importing from there, or by installing the Microsoft Autofill extension for Chrome into Edge (remember, Edge is a Chromium browser under the hood), then click on Settings and choose the Import data feature.

Now navigate to your Downloads folder and choose the lastpass_export file. It might take a little while to complete, but when it’s done, make sure you go back to the Downloads folder and hard-delete that CSV file (ie select the file, hold the SHIFT key down and press the Delete key – this makes sure it doesn’t go to the recycle bin). You definitely don’t want that file being left behind, or copied or synced anywhere that is not encrypted.

The LastPass browser extension (like other password managers) remains potentially useful on the desktop as it can help to sync passwords between profiles (eg the Work and Personal profile of Edge, if both have the extension installed and logged in using the same LastPass account), or even between browsers – in the cases you might want to use Chrome for some things and Edge for others.

Edge on the PC does have password sync capabilities, though not quite with the same level of flexibility –

Edge will let you sync passwords, favourites etc if you’re using a Microsoft Account (eg outlook.com) for your Personal profile, and it may do if you have a Microsoft 365 account for your Work Profile.

In a twist of fate, if you pay for a Microsoft 365 Family or a small business environment rather than using the free Microsoft Account, your subscription lacks the Azure Information Protection feature that is required to allow syncing. In which case, a 3^rd party password sync feature may be your best option, even if you choose to use Authenticator on your mobile device, and perhaps do a periodic export/import from LastPass to keep your mobile passwords in sync.

Or best of all, just install the Autofill extension into multiple profiles (or Edge & Chrome), signing into the extension using the same Microsoft Account, to keep the passwords in sync. Tidy.

561 – Password clean up

Posted on December 28, 2020 by ewand

As most of us look to put 2020 firmly behind us and take some down-time over the festive season, there may be a list of jobs which get left to this time of year – filling out the annual tax return, maybe, or clearing out that drawer with miscellaneous stuff in it.

You could set your sights higher, even – like gathering all the papers scattered throughout your house (user guides, receipts, utility bills etc etc) and putting them in one place, as recommended by Getting Things Done guru, David Allen.

Or just scan them all in then recycle…

Maybe it’s time to finally sort out all the passwords you use for different websites. Even though Multi-Factor Authentication is gradually replacing the need to enter a username & password every time you access a resource, there’s still often a need to create a username and password combo when you sign up for something. If you’ve used Edge or Chrome to remember your passwords, you might find there are many hundreds of them, and being weak carbon-based lifeforms, we’re quite likely to use the same ones for many sites. Naughty!

There are browser addins and other tools you can use to remember the passwords you use, and (using LastPass as an example) can give you the option of generating something strong and unique at the point of signing up on a site, then syncing that username and password back to a central service so you don’t need to re-enter it next time (or remember something truly unmemorable). LastPass recently announced their 2020 stats – they’ve generated 94 million secure passwords and been used to log in more than 10 billion times.

Microsoft Edge offers some password management capabilities – as well as being able to remember passwords within the Edge browser, and sync them between different machines or mobile devices, Edge is also getting to be capable of suggesting and storing complex passwords for new sign-ups.

Edge is beefing up its password security in other ways, offering proactive warnings if your passwords have shown up in databases of leaked credentials (at the moment, this is a test feature in the dev builds). One-by-one, you can use Edge’s “fix leaked passwords” function to check what the existing password is for each site, and then click a button to jump to the site to reset it – in some cases, going straight to the change password part of the site.

Finally, the password sync feature is getting some extra legs – using the Microsoft Authenticator app on your phone and it’s new beta Autofill feature, you can use that app to provide the username/password for website or even mobile app logins. There’s a Chrome extension too, so if you want to switch back and forth between Edge & Chrome on a PC, your passwords will be available to both.

In some senses, storing passwords and allowing them to be automatically filled in feels like a security risk – anyone with access to your unlocked computer or phone could potentially access your online services. Using Autofill and Authenticator, though, the default setup is to require biometric authentication – so you’ll need a fingerprint or camera, or unlocking with a PIN, before the auto-fill will happen.

Also, it’s more important to have complex passwords that are hard to break or guess, and to have different ones for each and every site or app you use.

This is the final ToW for 2020. Let’s hope ’21 brings us all better luck.

In the meantime, have a great holiday season, stay safe, see you on The Other Side!

556 – Using MFA more widely

Posted on November 24, 2020 by ewand

Previous Tips have covered making use of 2FA – or 2 Factor Authentication – with your Microsoft Account (ie your account from Outlook.com/Hotmail/MSN/Passport etc) and how to manage passwords better, so you don’t end up with P@ssw0rd1 for every single one of your website logins. Dealing with passwords can be complicated and since humans are typically weak and seek the path of least resistance, this can often lead to huge security lapses.

So 2FA – or its cousin, Multi-Factor Authentication (MFA) – is a better way to secure things, as a remote system can validate that the user knows something which identifies them (their username & password, secret phrase, date of birth etc etc) but also has something that identifies them too; a security token, smart card, digital certificate or something else that has been issued, or even just a mobile phone that has been registered previously with whatever is trying to validate them.

Although such systems have been around for a while, the average punter in the EU has been more recently exposed to 2FA through a banking directive that requires it for many services that involve transfer of funds, setting up payments or even using credit cards. In some cases, the tech is pretty straightforward – you get a SMS text message with a 6-digit one-time code that you need to enter into the mobile app or website, thus proving you know something (you’re logged in) and you have something (your phone), so validating that it really is you. Or someone has stolen your phone and your credentials…

MFA is stronger than 2FA, as you can combine what you know and what you have, with what you are. An example could be installing a mobile banking app on your phone then enrolling your account number, username & password; the know is your credentials, and the have is a certificate or unique identifier associated with your phone, as it’s registered as a trusted device by the banking service that’s being accessed. Using your fingerprint to unlock the app would add a 3^rd level of authentication – so the only likely way that your access to the service (for transferring funds or whatever) could be nefarious, is if you are physically being coerced into doing it.

2FA and MFA aren’t perfect but they’re a lot better than username & password alone, and Microsoft’s @Alex Weinert this week wrote that it’s time to give up on simpler 2FA like SMS and phone-call based validations, in favour of a stronger MFA approach. And what better way that to use the free Microsoft Authenticator app?

Once you have Authenticator set up and running, It’s really easy to add many services or apps to it – let’s use Twitter as an example. If you’re using a browser, go to Settings and look under Security and account access | Security | two-factor authentication.

If you enable 2FA and tick the box saying you want to use an authenticator app, it will ask you for your password again, then show you a QR code which can be used to enrol in the app.

In the Microsoft Authenticator app itself, add an account from the menu in the top right and then choose the option that it’s for “other” – presuming you’ve already have enrolled your Work or school Account (Microsoft/Office 365) and your Personal account (MSA, ie Outlook.com etc).

After tapping the option to add, point your phone at the QR code on the screen and you’re pretty much done; you’ll need to enter a one-time code to confirm it’s all set up – rather than getting an SMS, go into the list of accounts in the Authenticator app home screen, open the account you’ve just added then enter the 6-digit code that’s being displayed. This is the method you’ll use in future, rather than waiting to be sent the 6-digit code by text.

As you can see from the description, there are lots of other 3^rd party apps and websites that support MFA using authenticator apps –

Facebook, go to Settings & Privacy and look under the Two-factor authentication settings.
For adding 2FA to a Google account, go to the Enrol page.
LinkedIn setup for 2FA is here.
Here’s a handy list of other sites/services that support 2FA/MFA, and how…

503 – OneDrive Personal Vault

Posted on November 2, 2019 by ewand

A previously-announced capability of OneDrive has been widely rolling out – the Personal Vault. This is a special area of your OneDrive Personal storage which is invisible until you choose to unlock it, using a second strong factor of authentication (such as 2FA and the Microsoft Authenticator mobile app). On a mobile device, you can use a PIN, fingerprint or facial recognition to provide the additional identity verification.

When you unlock the Personal Vault from the OneDrive app on your PC (eg. right-click on OneDrive’s white cloud icon in your system tray), it appears as a special folder under the root of your personal OneDrive folder list, on PCs where your OneDrive content is synchronised.

Browsing in your OneDrive data folder, you may need to enable Hidden Items in the View tab to even see it.

You can treat it like any other folder, adding files and other folders that are particularly sensitive – scans of important but infrequently-accessed documents like passports, driving licenses and so on.

Why infrequently accessed, you may ask?

When the PV is visible, it will re-lock after 20 minutes of inactivity (or can be locked manually) and would need another 2-factor authentication method to unlock it again (text message, phone-app approval etc). On the PC, when the PV is locked, the “Personal Vault” folder (and therefore everything under it) is completely hidden and therefore any files within it do not exist as far as Windows is concerned.

In fact, the PV isn’t just a hidden folder – it’s treated by Windows as another physical volume that is mounted on the PC for the duration of it being unlocked; a Junction is then created so it can be accessed as if it’s part of your OneDrive data folder. When the PV is locked again, the volume is dismounted and the junction disappears, so there is no way to access the data using the normal file system.

If you had a file in your now-locked PV that you tried to access from the most-recently-used files list in either Windows itself or within an app, you’ll get a jarring “file does not exist” type error rather than a prompt to unlock the PV and the file within.

Maybe apps will in time come to know that a file is in PV, and prompt the user to unlock before opening?

Then again, security through obscurity (the most sophisticated form of protection, right?) might be a good thing here; when the PV is locked, there is no such folder therefore no apps can get access to it without the user taking specific and separate action to unlock it first. Not being seen is indeed a useful tactic.

Personal Vault can be accessed from the PCs or mobile devices through the OneDrive app, or in a browser – at onedrive.com. No Mac support is planned.

Unlike in the PC scenario, the PV folder is always shown and indicates if it’s open or locked based on the icon.

The Web UI offers other help and advice about how to use the Personal Vault effectively.

OneDrive on PC – Setup error 0x8031002c

Enabling Personal Vault for the first time might throw an error if your PC is corporately managed with a BitLocker policy.

To work around this and get up and running, try:

Press WindowsKey and type Group Policy, then open the Edit group policy control panel (if you don’t see this or get an error, try running mmc from a WinKey+R prompt, then File | Add/remove Snap-in | Group Policy Object… | Add | Local Computer | Finish | OK)
Expand to the Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Fixed Data Drives node
Double-click on the Choose how BitLocker… setting and update it to Disabled then hit OK
Press WindowsKey+R and type cmd then hold SHIFT+CTRL when pressing ENTER, to run the command prompt with administrative rights
In the ensuing command prompt enter gpupdate /force and, assuming everything runs without blowing up, you can close the command & Group Policy windows down and try enabling Personal Vault again.

Tip o’ the Week #221 – Stay safe on WiFi

Posted on May 23, 2014 by ewand

clip_image002

Following last week’s misty-eyed retrospective on WiFi and Bluetooth, it’s worth pausing a little to pass on a few safety tips too. If you’ve a WiFi network at home which does not have encryption enabled (using a decently strong password – known as a Pre-Shared-Key or PSK – and a modern encryption method, such as WPA2) then you must hang your head in shame immediately, that is, immediately after you go and put a strong password on your WiFi.

What should you call your home WiFi network? Well, if it’s “NETGEAR” or similar, then make sure you call it something else (in case a well-known exploit is found in every NETGEAR router, in which case you’ve just told every kerbside hacker how to break into your network). Also, it’s worth making sure you change the admin password for your router – it’s a piece of cake to find out the default password for well-known routers, such as NETGEAR ones.

How to name your SSID might depend on where you live, if you have any neighbours, if you trust them and so on.

Serial ToW contributor Paul “Woody” Woodman has the mischievous idea of setting his SSID to be something eye-opening – in fact, the WiFi network set up by his phone’s Internet Sharing (as covered in last week’s ToW) has an interesting name…

So, Woody’s on the train, using his phone to connect to the internet, and all the other WiFi users in the same carriage are on their best behaviour…

The Huffington Post wrote about this phenomenon a few years back.

To get a more reliable connection, it’s worth setting your WiFi channel to be something that interleaves well with your neighbours, so you’re not both trying to blast out on Channel 6 – as a guide, check here. Try using a bit of software called inSSIDer to sniff your neighbourhood, see what their networks are called and what channel they’re on, then set yours to something complementary, if you can.

Stay Safe Online

Yvonne Puley made a suggestion about checking what WiFi networks you connect to, after reading a report on the BBC website and seeing an article on the BBC’s Click programme. The gist of the piece is that public WiFi networks – a hotspot set up by your local coffee shop, or even well-known WiFi networks provided by telco’s and the like – are not necessarily all they seem. A simple scam could be for a ne’er-do-well to set up a spoof WiFi network on their own laptop, and the unsuspecting browsers could connect to it and all their online movements could be recorded and tracked. Other hackers could stage a “man in the middle” attack using software that intercepts traffic on legitimate networks and can even decrypt supposedly secured SSL traffic.

In short, there’s no way for you to guarantee that what you do on any public WiFi network is safe from prying eyes. Europol (not to be confused with Interplod, as Arthur Daley might have ventured) says, basically, don’t use public WiFi networks for anything private, like online banking. If you want to scare yourself silly, then watch this Click clip.

clip_image006 Anything that goes over VPN or DirectAccess should be OK, as the encryption mechanisms used are less susceptible to having a breaker on the side. Even when connected back to base using a more secure connection, though, ordinary web surfing and background updating of apps will typically go out via the public WiFi network. It’s worth also making sure you don’t give too much away – like when you first connect to the network, unless you control it, then you don’t want to “find PCs, devices and content” etc.

For more info on this setting, see here. Looking in the PC’s settings at the connection properties (as described in that article) also lets you see what kind of encryption you have running on the network. If you’re connecting to a WEP network (the traditional method for putting a password on a wireless connection), then think twice about trusting it – Wired Equivalent Privacy is anything but, and can be relatively easily cracked.