GCN : May 2015
8 GCN MAY 2015 • GCN.COM [Briefing]

Microsoft denies SMB security flaw in Windows
BY CHRIS PAOLI

Researchers at Cylance said they’ve uncovered a new technique for stealing login credentials from any Windows device, including those running previews of Windows 10.

The approach, dubbed “Redirect to SMB,” allows attackers to steal user credentials by “hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (Server Message Block) servers that force them to spit out the victim’s username, domain and hashed password,” wrote Cylance software engineer Brian Wallace on the company’s blog.

“The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word ‘file’ (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1,” Wallace wrote.

Attackers would gain access by having a targeted user click on a malicious email link or harmful ad that connects a system to a server controlled by the attackers. The company said the flaw can be found in every version of Windows and could be executed with the use of one of the 31 vulnerable software packages discovered, which include Adobe Reader, Apple QuickTime, Internet Explorer and Windows Media Player.

Because many products use HTTP requests to check for software updates, for example, a hacker could intercept such requests and redirect the victim to a malicious SMB server, according to the Vulnerability Notes Database maintained by Carnegie Mellon University’s CERT Division.

“If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server,” the CERT database entry states. “These credentials can then be logged by the malicious server. The credentials are encrypted, but may be ‘brute-forced’ to break the encryption.”

Although the Cylance team has provided proof of concept for the flaw, it said there have been no known attacks using Redirect to SMB.

Microsoft responded by saying the SMB flaw was not as serious as Cylance claims because of the difficulty attackers would have when attempting to take advantage of the vulnerability.

“Several factors would need to converge for a ‘man-in-the-middle’ cyberattack to occur,” Microsoft officials said in a statement to Reuters. “Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature. There are also features in Windows, such as Extended Protection for Authentication, [that enhance] existing defenses for handling network connection credentials.”

The CERT division said it is unaware of a full solution but suggested some workarounds:

• Consider blocking outbound SMB connections (TCP ports 139 and 445) from the local network to the wide-area network.
• Don’t use the NTLM authentication protocol by default in applications.
• Use group policies to restrict NTLM traffic.
• Use strong passwords and change them frequently.

— Chris Paoli is associate Web editor for 1105 Enterprise Computing Group’s websites. A version of this article originally appeared on Redmondmag.com, a sister site to GCN.

README

What: A case study by the National Association of State CIOs evaluating California’s CalCloud project.

Why: NASCIO’s assessment is based on a series of interviews with three of the top players in CalCloud’s procurement and implementation. NASCIO asked for specifics on how well the process went and what they would do differently.

CalCloud Project Director Neeraj Chauhan said the project appears to be a success. “Our cloud infrastructure environment provides a highly available, 100 percent virtual environment to customers through agile, cost-effective, innovative, reliable and secure technology,” he said. And it meets the five most important cloud-computing characteristics: on-demand self-service, resource pooling, broad network access, rapid elasticity and measured service.

Chauhan, California Chief Procurement Officer Jim Butler and Carlos Ramos, director of the state’s Department of Technology, said a key lesson they learned is to respect the reality that “communication is king,” especially between CIOs and chief procurement officers. “Early and ongoing communication helps keep everyone on track and brings in two different and very valuable perspectives,” Ramos said.

Now that the CalCloud system is up and running, state officials are watching to see who will jump on the bandwagon.

Full report: is.gd/GCN_CalCloud
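As an added defensive example for the Redirect to SMB briefing above (not code from the article, Cylance or CERT), the following Python script scans HTTP proxy log entries for the pattern the CERT note describes: a 3xx redirect whose Location header is a file:// URL, which makes Windows attempt SMB authentication to that host. The log format, the sample lines and the INTERNAL_NETS ranges are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed sample proxy log lines (not from the article). Fields: timestamp,
# client IP, method, requested URL, HTTP status, Location header ("-" if none).
SAMPLE_LOG = """\
2015-04-30T09:34:01Z 10.0.0.5 GET http://updates.example.test/check 200 -
2015-04-30T09:34:02Z 10.0.0.5 GET http://updates.example.test/latest 302 https://cdn.example.test/latest
2015-04-30T09:34:03Z 10.0.0.9 GET http://ads.example.test/banner 302 file://203.0.113.7/share/update.exe
2015-04-30T09:34:04Z 10.0.0.9 GET http://intranet.example.test/doc 301 FILE://10.0.0.20/docs/readme.txt
"""
FIELDS = ("ts", "client", "method", "url", "status", "location")
# Assumed internal address space of the example organisation (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != len(FIELDS) or not parts[4].isdigit():
        return None
    entry = dict(zip(FIELDS, parts))
    entry["status"] = int(entry["status"])
    return entry

def smb_target(location):
    """Host named in a file:// redirect target (the vector CERT describes), else None."""
    parsed = urlparse(location)  # urlparse lowercases the scheme, so FILE:// is caught too
    if parsed.scheme != "file" or not parsed.hostname:
        return None
    return parsed.hostname

def classify_host(host):
    """'internal' if in INTERNAL_NETS, 'external' for any other IP, 'named' for hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "named"  # a hostname still makes Windows authenticate to whatever it resolves to
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def find_redirect_to_smb(log_text):
    """Return every 3xx response whose Location would make Windows open an SMB session."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not 300 <= entry["status"] < 400:
            continue
        host = smb_target(entry["location"])
        if host is not None:
            hits.append({**entry, "smb_host": host, "scope": classify_host(host)})
    return hits
```

Hits with scope "external" are the connections the first CERT workaround (blocking outbound TCP 139 and 445 at the network edge) would stop; "internal" hits need the NTLM restrictions instead.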