Archive for the ‘Tips & Talk’ Category

SSN for authentication is all wrong

October 23rd, 2017

Unless you were stranded on a deserted island or participating in a zen digital fast, chances are you’ve heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes, an important part of the conversation was lost: if we didn’t misuse our social security numbers, losing them wouldn’t be a big deal. Let me explain: most people, and that mainly includes some pretty high-up identity experts that I’ve met in my travels, don’t understand the difference between identification and verification. In the real world, conflating those two points doesn’t often have dire consequences. In the digital world, it’s a huge mistake that can lead to severe impacts.

“Isn’t it all just authentication?” you may ask. Well, yes, identification and verification are both parts of the authentication whole, but failure to understand the differences is where the mess comes in. However, one reason it’s so hard for many of us to separate identification and verification is that historically we haven’t had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.

The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase, for example when you have to bring a birth certificate to the DMV to get your initial driver’s license, and ongoing identification like a unique ID and a photo. These documents served as a single identification and verification mechanism. And that was great! Worked fine for years, until the digital age.

The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.

Who are you? Prove it!

This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.

Do you want your name to be private? Imagine meeting another parent at your kid’s soccer game and refusing to tell them your name for security reasons. How about: “Oh, your new puppy is so adorable, what’s her name?” And you respond, “If I told you, I’d have to kill you.” Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.

We also want consistency in our identifiers. Imagine if that town had street signs, but changed the names of the streets every 24 hours for security reasons. And uniqueness: if every street had the same name, you’d still have a heck of a time finding the right address, wouldn’t you?

Now that we’re clear on what the identifier is, we can enumerate a few aspects that make up a really good one:

  • Public
  • Unchanging
  • Unique

In a town or on a public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky: how do you verify someone or something you’ve never met before? Ask them to prove it!

We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because it’s very hard to forge a whole person. Or to switch all the street signs in a town. But verification online is trickier. We need to be able to provide verification of who we are to a number of entities, many of whom aren’t great at protecting data. And if the same verification is re-used across entities, and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too. Which can lead to some fun calls with customer service: “Oh, the town where I was born? It’s: xja*21njaJK)`jjAQ^.” At this point in time our father’s middle name, first pet’s name, town where we were born, school we went to and address history should be assumed public; using them as secrets for verification doesn’t make sense anymore.

If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. What if you couldn’t change your password ever? It was permanent and also got lost during the Yahoo! breach? And it was the one you use at your bank, and for your college and car loans, and your health insurance? How would you feel?

So, with that in mind, you’d probably agree that the best digital verifiers are:

  • Private
  • Easily changed
  • Unique

Your turn

OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think – Is your SSN a better identifier or verifier?
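The two roles compared in code, as an added example that is not part of the original post: one permanent number is enrolled either as the verifier at two sites or as the identifier with a unique, rotatable verifier per site. The `Site` class, the account name, the function names, the constructed SSN value and the choice of salted PBKDF2 for storage are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # illustrative PBKDF2 work factor chosen for this demo


class Site:
    """A relying party: keeps public identifiers and salted hashes of verifiers."""

    def __init__(self, name):
        self.name = name
        self._accounts = {}  # identifier -> (salt, derived key)

    @staticmethod
    def _derive(verifier, salt):
        return hashlib.pbkdf2_hmac("sha256", verifier.encode(), salt, ITERATIONS)

    def enroll(self, identifier, verifier):
        salt = secrets.token_bytes(16)
        self._accounts[identifier] = (salt, self._derive(verifier, salt))

    def rotate(self, identifier, new_verifier):
        # The identifier stays the same; only the private verifier changes.
        if identifier not in self._accounts:
            raise KeyError(identifier)
        self.enroll(identifier, new_verifier)

    def verify(self, identifier, presented):
        record = self._accounts.get(identifier)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(self._derive(presented, salt), expected)


# Constructed sample value: area number 000 is never issued.
SSN = "000-12-3456"


def ssn_as_verifier():
    """The same permanent number is the 'proof' at every site."""
    bank, insurer = Site("bank"), Site("insurer")
    for site in (bank, insurer):
        site.enroll("alice", SSN)
    leaked = SSN  # one site loses its records
    # No rotation step exists here: the number cannot be reissued on demand.
    return {
        "leak_opens_bank": bank.verify("alice", leaked),
        "leak_opens_insurer": insurer.verify("alice", leaked),
    }


def ssn_as_identifier():
    """The number only says who you are; each site holds its own verifier."""
    bank, insurer = Site("bank"), Site("insurer")
    verifiers = {}
    for site in (bank, insurer):
        verifiers[site.name] = secrets.token_urlsafe(16)  # private, unique
        site.enroll(SSN, verifiers[site.name])
    leaked = verifiers["insurer"]  # the insurer loses its records
    results = {
        # Knowing the public identifier proves nothing.
        "identifier_alone_opens_bank": bank.verify(SSN, SSN),
        # A verifier lost by one site is useless at another.
        "leak_opens_bank": bank.verify(SSN, leaked),
        "leak_opens_insurer_before_rotation": insurer.verify(SSN, leaked),
    }
    replacement = secrets.token_urlsafe(16)
    insurer.rotate(SSN, replacement)  # easily changed
    results["leak_opens_insurer_after_rotation"] = insurer.verify(SSN, leaked)
    results["owner_gets_in_after_rotation"] = insurer.verify(SSN, replacement)
    return results


if __name__ == "__main__":
    print("SSN as verifier:  ", ssn_as_verifier())
    print("SSN as identifier:", ssn_as_identifier())
```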

Categories: cybersecurity, Data Privacy, Tips & Talk

Top Five Security Threats Facing Your Business and How to Respond

This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group

Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft while their dwell times inside networks have increased to over 200 days according to most of the major annual cybersecurity reports. The result of these voluminous and persistent threats has been hundreds of millions of dollars in lost business alone without counting the long term costs of diminished customer and citizen confidence.

Still, organizations may face even greater risks as they try to fend off sophisticated attackers against a backdrop of an ever-expanding network footprint. The new network now includes myriads of personal devices, virtualized workloads, and sensors that represent rapidly increasing points of connectivity as well as potential compromise.

When considering these trends, it is clear that the traditional means of protecting organizations are not as effective as they once were. Static access controls like firewalls and intrusion prevention systems placed at network ingress and egress points are being easily evaded by attackers because the communications paths in and out of networks are too complex and dynamic. Also, broad use of personal devices inside corporate networks has dissolved what used to be a hardened network boundary. We no longer conduct business within a perimeter of highly controlled, corporate-issued end user devices that gain access only under the strictest of authentication and authorization controls. Instead, the modern enterprise enables dynamic communities of employees, contractors, business partners and customers as well as their data and applications, all connected by an agile digital fabric that is optimized for sharing and collaboration.

In today’s networks, then, we have to consider that identity is the new perimeter to be protected. Identity in this case does not mean only the device and its physical location but also the data, applications and user information it contains. Given that 60% of all breaches still originate at an endpoint compromised through a phishing scam or social engineering attack, it is no wonder that a risk mitigation strategy with identity at its center is top of mind for many business and technology leaders.

In fact, cyber security is a boardroom level agenda item today. Business leaders want to ensure that they have in place the investments necessary to protect intellectual property and customer data, keeping their businesses out of the headlines that damage reputation and affect profitability. CIOs and CISOs feel caught between seemingly opposing goals of enabling digital transformation while protecting data and intellectual property at all times. These are concerns they share with their teams in IT and operations who feel equally burdened to balance performance and accessibility with rightful and appropriate resource use. Cybersecurity, as we have all come to understand, can be either a critical barrier or key enabler to an organization’s ability to be productive. Current top of mind concerns for protecting the modern enterprise coalesce around 5 key areas: infrastructure, SaaS, devices, identity and response.

1. Infrastructure – The public cloud offers unlimited potential for scaling business. On-demand compute and storage are only a small portion of the benefits of a highly agile IT environment. Easy access to applications, services and development environments promises to redefine business agility. Naturally, more and more organizations are taking critical workloads to the public cloud. Still, the migration to an environment that is provisioned and managed by a non-organizational stakeholder creates new security challenges. So the top of mind question is: “How do I secure my cloud resources?”

Going to the cloud does not mean relinquishing security control or accepting a security posture that is less secure for cloud-hosted workloads relative to on-premises ones. In fact, the selection of cloud provider can mean having access to the very latest in security technologies, even more granular control and faster response than is possible with security in traditional networks. As a first step, security stakeholders need to understand how sensitive and compliance-intense their cloud-hosted workloads and data are. They should then opt for access controls that limit use to only that which is business appropriate and emulate those access policies already in place for on-premises workloads. Enrolling in cloud workload access monitoring will also ensure that any events which are a deviation from desired security policies can be flagged as indicators of possible compromise. Cloud users should also be familiar with the security technologies offered by their provider, whether native or through partnership. This gives cloud users options for implementing the kind of multi-tiered security architecture required to ensure least privilege access, inspect content and respond to potential threats.

Key takeaways

  • Monitor workload access and security policies in place
  • Identify deviations from security policies and indicators of possible compromise
  • Deploy new security controls appropriate for your cloud environment

2. SaaS – Whether a business is hosting critical workloads in the public cloud or not, its employees are surely using applications there. The convenience and ubiquity of these applications means broad user adoption for the ease of information sharing and collaboration they enable. As a result, important, security- and compliance-intense data may be making its way to the public cloud without security stakeholder knowledge. The question from businesses then is: “How do I protect my corporate data?”

Organizations want to make sure their employees are as productive as they can be. To that end many are allowing them to bring their own devices and even their own applications into the network. This agility comes with some added security risk. Fortunately, there are ways to mitigate it. Ultimately the goal is to derive all of the benefits these SaaS applications offer without violating company use and compliance policies for data sharing and storage. Additionally, firms must ensure that employees’ use of SaaS apps does not unwittingly enable data exfiltration by bad actors. Limiting risk comes down to enacting a few of the basics that ensure safe use. For starters, there’s a need to identify which SaaS applications are in use in the network and whether they are in line with company policy or on a safe list. Granular access rights management will limit the use of even the safe apps to those persons who have a business need for them. Where possible, policies should be in place that require data to be encrypted when at rest, especially if it is being stored in the cloud. Having the ability to periodically update the safe lists of apps and monitor all use can potentially alert security administrators when those applications which are unsanctioned appear among an organization’s communications. With these types of facilities in place, stakeholders may be promptly alerted to unsanctioned application use. At times, unwanted application use will be detected. This is the time to block those applications, modify or deprecate privileges allowing access to them and, as a further precaution, remotely wipe or delete data stored through use of those applications.

Key takeaways

  • Apply rights management, identify unsanctioned apps, contain, classify and encrypt data
  • Be notified of unauthorized data access or attempts
  • Block suspicious apps, revoke unauthorized access and remotely wipe company data

3. Devices – Smartphones, tablets, self-sourced laptops: these are the new network perimeter and at times its weakest links. Whether owned by the organization or not, they most certainly contain business valuable data that is at high risk. Because mobile devices often connect from public networks and may not have the most up to date protections, these endpoints are popular targets for the installation of botnets or malware. Use of personally sourced devices is a new and seemingly permanent reality prompting organizations to broadly ask “How do I keep company information secure?”

Many years ago, risk from mobile devices was ameliorated by installed agents and thick clients that provided security controls right on the device itself in a centralized way. Today, with employee self-sourced devices, the installation of such clients is not always feasible. Still, today’s security administrators have to accommodate a heterogeneous end-user device environment comprised of various form factors and OSes while applying consistent and organizationally sanctioned controls to all of them. A cloud-based approach can provide a lot of flexibility and control here. From the cloud, endpoint connectivity to network resources can be centrally managed through security policies that restrict where devices can go based on their security posture, installed protections or location-based access rights. Command of devices from a central location ensures not only consistent policy enforcement but automation so that when anomalous device behaviors or connection patterns are detected, centralized command can restrict access, quarantine the affected device and even wipe it clean so that the threat is fully contained.

Key takeaways

  • Manage company and personal devices to classify and encrypt data to ensure compliance
  • Automatically identify compromised or questionable end points
  • Quickly respond to quarantine, wipe and remediate compromised devices

4. Identity – Despite all of the investments organizations make in security and threat mitigation, identity will be compromised. The latest data tells us that way too many of us click on links and attachments that we should not. From that point on, the bad actor has gained a foothold in the network and may set about moving laterally, looking for sensitive information to steal while impersonating the legitimate user. This common scenario is what makes many businesses ask: “How can I ensure identity protection?”

All of the major cybersecurity reports and indices point to this as the most common component of a data breach – the stolen identity. A security strategy for any organization or business needs to have this as a central tenet. The protection and management of credentials that give resource access to customers, employees, partners and administrators is foundational to sound security practice. Implementing multi-factor authentication broadly for all applications and services is a good starting point. It should nevertheless be complemented by facilities for monitoring authentication and authorization events not only for users but also and especially for privileged users and administrators. This type of monitoring offers the best opportunity to identify attempts by attackers trying to move laterally through privilege escalation. Once flagged as suspicious and anomalous, optional automated response can ensure that access requirements are elevated on the fly and privilege escalation requests are verified as legitimate.

Key takeaways

  • Augment passwords with additional authentication layers
  • Identify breaches early through proactive notification of suspicious behavior
  • Automatically elevate access requirements based on your policy and provide risk-based conditional access

5. Response – Each year organizations are subjected to tens of thousands of security events making the business of protecting critical assets continuous. Given that threat dwell times are 200 plus days, bad actors have ample opportunity to move “low and slow” throughout networks after the initial compromise. Naturally security administrators and stakeholders are left to ask: “How can I better respond to ongoing threats?”

The potency and frequency of today’s cyber threats requires a security strategy built on the assumption of compromise. A network or device may not be breached today but remains at risk, so the process of protecting, detecting and responding to a breach is a continuous one. The data that is being exchanged by end points and shuttled among data centers and hybrid clouds contains a lot of information about the security state of those endpoints and resources. The key to unlocking that intelligence is analytics and specifically the type of analytics that is made possible through machine learning. Having the ability to monitor large amounts of traffic and information in a continuous fashion and unearth anomalous behavior is and will be key to shortening the time to detection of a breach or compromise. Behavioral analytics not only tells us what is out of the norm or unwarranted behavior but also informs us of good and desired connectivity. By understanding both anomalous and appropriate traffic patterns, organizations can fine-tune access controls that are just right for enabling business yet limiting risk. Further, with continuous analytics the process of determining the right access controls for the environment at a given time can be as dynamic and responsive as users’ access needs.

Key takeaways

  • Use analysis tools to monitor traffic and search for anomalies
  • Use learnings from behavioral analysis to build a map of entity interactions
  • Practice just in time and just enough access control

In summary, security threats may be common to businesses and organizations of all types but the way they are addressed can vary greatly. In the modern enterprise driven by mobility and cloud, architecting for security represents an opportunity for unprecedented agility. With a strategy built on identity as the new perimeter and access to continuous processes to protect, detect and respond to threats, a business can be as secure as it is productive. Watch the On-demand webinar – Top 5 Security threats – with Julia White and myself to hear more about our approach to cybersecurity or visit us at Microsoft Secure to learn more about Security.

Categories: cybersecurity, security, Tips & Talk

Experts: Don’t blame the victims of youth ‘selfies’

It’s a mistake to blame young people who take sexually explicit photos or videos of themselves when those images end up being redistributed over the Internet, according to experts who gathered in London this week to discuss a new study by the U.K.-based Internet Watch Foundation (IWF).

It’s also a mistake to assume that the images, sometimes referred to as “selfies,” were taken voluntarily by the children who appear in them.

Researchers analyzed sexually explicit pictures taken and supposedly shared by young people, and found that 89.9 percent of the images had been “harvested” from their original upload location and posted to other public sites. Moreover, 100 percent of the images the IWF analyzed depicting children 15 and younger were harvested and posted somewhere else.

The IWF study, which was conducted late last year and funded by Microsoft, analyzed 3,803 photos and videos that were believed to be of children and youth ranging from infants to 20 years old.

“What the IWF went to seek and what they found are quite different,” said Tink Palmer, Chief Executive Officer of the Marie Collins Foundation and moderator of a panel discussion about the emotional and behavioral aspects of producing such images. “We need to focus on definitions and understand that every picture tells a story about what’s happening to the children.”

Microsoft funded the IWF to repeat and expand similar research done three years ago. IWF’s 2012 study found that of the 12,000-plus images taken and shared by youth and examined by the IWF, 88.15 percent had migrated to “parasite websites” where people sometimes paid to download them. As part of our child online protection strategy, Microsoft was interested in learning whether the 2012 trend was continuing, and whether there was more to be gleaned regarding the content’s commercial availability.

What the IWF learned from the new study, however, was very different. The 2014 set of supposed selfies featured much younger children, thus making it all but impossible to refer to the images as “self-produced.” Indeed, experts agreed the latest content could be divided into three categories: (1) truly self-generated, (2) by-products of online “grooming,” and (3) results of outright coercion or “sextortion.”

“With the under 10 (year olds), we have to believe something coercive is going on,” said Professor Sonia Livingstone of the Department of Media and Communications at the London School of Economics. “It’s just another way that an already at-risk group is being further victimized.”

IWF was unable to ascertain (nor was such a determination in scope) the category into which each image might fall. The latest results are shocking and disturbing because of the younger-aged children and the heightened explicit sexual nature of the acts. In 2012, not a single image included a child believed to be 13 or younger, IWF said.

The London event, co-hosted by IWF and Microsoft, featured a second panel where experts discussed guidance for parents and educators, as well as ongoing technological efforts. The group offered advice for parents about webcams and how they operate, noting they’re no longer “a device that balances on top of a computer monitor.” They also called out simple messages for children, including “privates are private” and “speak up and tell someone” if something or someone makes them uncomfortable online or elsewhere. The event brought together 100 policymakers, child safety advocates, technology industry representatives and others to discuss the findings and to begin to chart a way forward.

All agreed the research indicated that different analyses and potential mitigation paths were required for the images involving older children versus those featuring children under 13. IWF agreed. “It is indisputable that coercion of young people to produce and/or share sexual content online must be referred to as a form of child sexual abuse,” said Sarah Smith, IWF’s lead researcher on the project. The content produced by the older age groups, meanwhile, could be regarded as more traditional “sexting.”

For our part, Microsoft will seek to create and deploy appropriate technology to help address the issue. In fact, as part of the U.K. government’s #WePROTECT Children Online initiative, Microsoft is leading a technology project about self-generated indecent images among youth. In addition, we will continue to raise awareness, help educate the public, and continue to partner with organizations like the IWF to ensure strategies and proposed “solutions” are research-based. Microsoft has agreed to again sponsor similar research by the IWF this year.

To read Part 1 of this two-part blog, which focuses on the study results and some Microsoft suggested guidance for parents, click here. To learn more about staying safer online generally, see this website.





Part 1: New data on youth “nudes” show disturbing trend

Young people around the globe are taking and sharing nude photos and videos of themselves, and the phenomenon appears to be occurring among younger and younger age groups, according to results from a new study sponsored by Microsoft.

Data released today by the UK-based Internet Watch Foundation (IWF) show 17.5 percent of the more than 3,800 sexually explicit photos and videos analyzed by IWF late last year were produced by young people believed to be under the age of 15. Meanwhile, 7.5 percent, or 286 images, were assessed as featuring children 10 or younger.

Even more startling is the severity of the content. The majority (72.4 percent) of the images depicting individuals believed to be 16-20 years old was classified as “Category C,”[1] with 27.6 percent deemed “Category B or A.” In sharp contrast, 46.9 percent of the images analyzed as featuring children 15 and under constituted Category A and B.

“The findings tell a distinctively different story from the research conducted in 2012,” said IWF Chief Executive Officer Susie Hargreaves. “However, our message around the ease at which content can be ‘lost’ online remains the same. Ninety percent of the imagery had been taken from its original upload location and copied to somewhere else. Whilst the 2012 study provided valuable insight into the increasing accessibility of sexual content depicting young people, this research reveals younger children and in some cases more explicit sexual behavior than we previously saw.”

Indeed, 85.9 percent of the images and videos assessed as depicting youth under 15 were taken via webcam captures from a personal computer or laptop. Just 8.5 percent were taken with a mobile phone, challenging the belief that the majority of “sexting” photos are captured via cell phone. IWF reported that, among this age group, 1.8 percent of the images were shot with a traditional digital camera.

I first learned of IWF’s work analyzing “indecent self-generated imagery among youth” some 18 months ago when Microsoft was refreshing its child online protection strategy. As noted, IWF had conducted a similar study in 2012 when it reviewed more than 12,000 nude images and videos taken and shared by youth. Those results showed that 88.15 percent of the content had migrated to so-called “parasite websites” where people downloaded the images, sometimes for a fee, and in all instances probably unbeknownst to the original explicit selfie-taker. IWF stresses there was “not a single instance” three years ago where a child was assessed as being 13 years of age or younger.

We approached IWF to see if the research had been repeated or was set to be re-run. An opportunity for collaboration emerged and the current research’s photos and images were analyzed over September, October and November 2014. We asked, in particular, that IWF examine the commercial aspects of the data given the 2012 results. A piece of “good news” from the current study is that only 1.7 percent of the 2014 data-set was assessed as being “commercially available.”

Parents who may be aware of this pattern of youth behavior are often confused by it. Others are hard-pressed to believe their kids would take part. To get some perspective, we’ve produced a new factsheet and offer some general guidance:

  • Talk to kids. Ask what they do online—favorite sites, games and activities. Be inquisitive, not judgmental. Let what’s learned serve as a basis for “house rules” on technology and web use.
  • Get help from technology. Family safety settings can help block harmful content, limit information-sharing and manage website access. Tell your children if you use these features and explain they’re intended to help keep them safe.
  • Discuss sexting—even if it’s uncomfortable. Start conversations early, and talk about peer pressure to sext. Listen for signs of coercion. Discuss risks and keep perspective.

To launch the research, Microsoft and IWF are co-hosting an event today at our London offices. “Youth selfies: The real picture – New insights and a way forward,” is bringing together parents, educators, policymakers and others to hear the data and discuss possible tools and resources. In Part 2 of this two-part blog, I’ll recap the event, perspectives shared and advice given. Meantime, to learn more about online safety generally, please visit this website.

[1] IWF’s category classifications are set out in the UK Sentencing Council’s Sexual Offences Definitive Guideline. Category C is defined as no sexual activity, but a prominent focus on the naked genitalia of the individuals shown. Category B includes sexual activity shy of any actual sex act, while Category A includes sex acts and other highly graphic sexual displays.

Safer Internet Day 2015: This year, “Do 1 (More) Thing” to stay safer online

February 10th, 2015

One year ago today, Microsoft asked people across the globe to #Do1Thing to stay safer and more secure online by taking what may have been a first step toward safeguarding their digital lifestyles. Today, on Safer Internet Day 2015, we want everyone to add to last year’s pledges and #Do1MoreThing to become cyber savvy. In addition, we’re launching new interactive resources for young people on the Microsoft YouthSpark Hub to further encourage safer online habits and practices.

Our goal is to help educate, engage and inspire people to better protect themselves and others online, all rooted firmly in the spirit of the Safer Internet Day 2015 theme: “Let’s create a better Internet together.” The hope is that each person’s one (more) thing will become a long-lasting best practice that will be shared with others and, in turn, lead to an ever-increasing number of safer online behaviors. Research shows that such effects can help create safer online experiences for every individual and a more secure online ecosystem for all.

Last year, some of the most popular “1 Thing” pledges included positive practices such as always using a four-digit PIN (personal identification number) to lock mobile devices; promises to convert to and use “strong” passwords for all devices and accounts; and trying to refrain from constant phone-checking and instead “be present” in personal interactions. This year, visitors to the new online safety section of the Microsoft YouthSpark Hub may be further inspired by other online safety tips and ideas as well. One of my favorite parts of the new website is the opening section, designed to pull young people into the site, calling on them to: “Be awesome in real life and online.” From there, youth can explore comic strips, respond to polls and quizzes, and learn interesting facts and figures.

In addition, Microsoft is proud to again help sponsor the official U.S. Safer Internet Day 2015 event being held today in California. Managed by, “Safer Internet Day 2015: Actions & Activism Toward a Better Net and World” is bringing together youth leaders, educators, policymakers, parents, Internet safety experts and representatives from the technology industry to focus not just on problems, but also on solutions for building a safer and better Internet.

When asked about this year’s theme, Larry Magid, co-director of said Safer Internet Day’s “Let’s create a better Internet together” theme “reminds us that online and mobile safety are much more than just the absence of danger, but the presence of positive actions to improve not just the Internet but the world at large. It’s also a recognition that we’re in this together. Everyone—kids, parents, young adults, seniors, corporations, organizations and governments—has a stake and a role to play in making the Internet an even better tool for empowering the world’s citizens.”

Building on its near 20-year history in online safety, Microsoft remains committed to doing its part to help grow and shape a better and safer Internet for youth and, indeed, everyone.

For more information about staying safer and more secure online, I invite you to visit this site.

HOW TO: Report the Microsoft phone scam

September 18th, 2014 No comments

If someone calls you from Microsoft technical support and offers to help you fix your computer, mobile phone, or tablet, this is a scam designed to install malicious software on your computer, steal your personal information, or both.

Do not trust unsolicited calls. Do not provide any personal information.

You can report this scam to the following authorities:

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk. Or you can simply call us at 1-800-426-9400 or one of our customer service phone numbers for people located around the world.

What to do if your antivirus subscription has expired

September 16th, 2014 No comments

Phil asks:

I’m new to Windows 8.1. Now that my free security software has expired, how do I go about making Windows Defender my choice security method?

Windows Defender is included with Windows 8 and Windows 8.1 and helps protect your PC against malware (malicious software). Many new computers come with free subscriptions to antivirus software and other security programs from companies other than Microsoft. If the subscription runs out and you don’t want to pay for it, you need to:

  1. Fully uninstall the non-Microsoft security software that came with your computer.
  2. Make sure Windows Defender is turned on.

To uninstall the security software that came with your computer, check the software’s Help file.

Make sure Windows Defender is turned on in Windows 8

  1. Swipe in from the right edge of the screen and tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).
  2. In the Search box, type Windows Defender.
  3. Tap or click the Windows Defender icon.
  4. Go to Settings, and make sure that Turn on real-time protection (recommended) is selected.
  5. Tap or click Save Changes.

How do digital youth of the “app generation” learn, communicate, and express themselves

September 11th, 2014 No comments

I recently had the opportunity to speak with Katie Davis, an assistant professor from the University of Washington Information School, to discuss her role and a book she co-authored called The App Generation: How Today’s Youth Navigate Identity, Intimacy, and Imagination in a Digital World.

The University of Washington is the first to have an Information or iSchool focused on youth and technology. Tell us about the school and your students’ focus of study.

Our digital youth faculty teaches a range of courses and provides research experiences for undergraduate, masters, and PhD students. We aim to prepare world-class digital youth researchers, practitioners who work directly with young people, and innovators who design and create digital tools and services for youth. One of the courses I teach, called Youth Development and Information Behavior in a Digital Age, explores new research on the impact of digital media tools and practices on youth development, including academic development.

How did you become interested in writing about kids’ use of technology and, in particular, apps?

My interest began over 10 years ago, when I was a fourth grade teacher. At that time, technology was becoming increasingly central to young people’s lives, both inside and outside of school. As a teacher, it was clear to me that this trend was only going to get bigger. I started to think about the many implications involved with respect to how young people learn, communicate with other people, and express themselves.

I was fortunate that when I came to Harvard as a doctoral student, my advisor and now co-author, Howard Gardner, was starting to ask similar questions. During the course of our research, we came to an important realization: whereas earlier generations have typically been defined by political or economic events (think of the World Wars, the Great Depression, and the Civil Rights Movement), this generation of young people is defined—and, importantly, defines itself—more by the technologies they use. Apps weren’t part of the cultural zeitgeist when we started our research, but as the iPhone was introduced in 2007 and the slogan “there’s an app for that” became a common saying, we realized that apps served as a fitting metaphor for what we were observing in our research. In our book The App Generation, we alternate between referring to apps metaphorically, to illuminate particular themes in our findings, and literally, to explore how teens use various apps like Snapchat, Instagram, Facebook, and Twitter.

What are the benefits of our app-driven lifestyle, and what might be some of the drawbacks?

In the book, we introduce the idea of an app mentality that many of today’s youth seem to exhibit. The app mentality suggests that whatever human beings might desire should be provided by apps. If the app doesn’t exist, it should be devised by someone right away. If no app can be imagined or created, then maybe the desire simply doesn’t or shouldn’t matter.

We see both positive and negative variations on the app mentality. A world permeated by apps is in many ways a terrific one. Apps are great if they take care of ordinary things and free us up to explore new paths and form deeper relationships. They are great also as they increasingly become tools for productive work, offer us ways to stay connected to our friends and family, and even provide us with avenues for new experiences. When apps are used in this way, they are app-enabling.

But there’s a less optimistic view of apps. There’s a danger that we become overly dependent on apps for the answers, for social connection, for our sense of ourselves. There’s a danger that we look to apps before we look inside ourselves. If this happens—if we start to see more of our apps than ourselves in our experiences, actions, self-expressions—it’s our argument that we have become app-dependent.

How can technology foster and enhance our creativity? By the same token, does your research indicate that technology can dampen our artistic abilities?

Digital media can open up new avenues for youth to express themselves creatively. Yet, it’s important to consider the fact that app developers constrain artistic expressions in specific ways. For instance, if you’re using a painting app, your color palette is limited to the hues that the designer programmed into the app. In a music composition app, your tonal range is similarly limited. Of course, sophisticated users can create their own workarounds and break free from the constraints of the underlying code. But realistically, most people will work within the parameters of the original app, and that raises important questions about how such boundaries affect the creative process.

We explored changes in youth creativity over a 20-year time span, analyzing over 350 pieces of visual art produced by high school students and nearly 100 fiction stories written by middle and high school students between 1990 and 2011. Though we were expecting to find that creativity in the visual and literary domains would either rise or fall together, our analysis uncovered a surprisingly divergent pattern. We found that certain dimensions of creativity, such as originality, experimentation, and complexity, have diminished in the literary domain while they’ve increased in the visual domain.

The literary pieces written in recent years tended to be more mundane—there was less experimentation with genre, character types, and setting. Whereas a story from the early 1990s might involve a character who metamorphosed into a butterfly, there was very little such deviation from reality in the more recent pieces. In contrast, the pattern we detected in the visual art was one of increasing experimentation and sophistication. Contemporary artists were more likely to draw on the expansive selection of media at their disposal to create layered works that hold the eye longer with their increased complexity and unexpected composition.

We’ve considered these findings in terms of the role of digital media, though we can only offer our best hypotheses rather than draw a direct connection between technology and changes in youth’s artistic productions. With respect to the visual art findings, we note that digital media provide a wider, easier, and cheaper array of tools for youth to express themselves creatively. In addition, the Internet has expanded access to sources of inspiration as well as opportunities to receive feedback and recognition for one’s artistic productions.

With respect to writing, it’s hard to tell if kids are writing less, but the type of writing they do online is often quick, fleeting, and very much tied to the everyday and mundane. These characteristics mirror the patterns we saw in our analysis of youth’s creative writing. It’s also worth noting, for writing at least, the likely influence of our education system’s increasing focus on standardized testing over the last 20 years. Such a focus rewards writing the perfect five-paragraph essay rather than taking risks in one’s writing.

What surprised you when you started researching and writing your book?

My biggest surprise has been hearing teens express real ambivalence toward digital media and its role in their lives. When I talk with teens, I typically ask them to imagine what it would be like to go through a day (then a week, a month, and longer) without their phones, apps, or social media. The initial reaction is fairly standard: what an unpleasant, hard-to-imagine scenario! They’d be disconnected from their networks of friends and followers on Instagram, Facebook, and Twitter; they’d be unable to conduct research for school; and they’d be deprived of the many sources of entertainment they enjoy online and through apps. After going through the list of what they wouldn’t have or be able to do, many teens start to consider what they might gain: uninterrupted, lengthier face-to-face conversations; more time for personal reflection; fewer distractions when doing homework.

This ambivalence toward technology tells me that youth recognize many of the same opportunities and challenges around their digital media use as adults. I think this recognition is a great entry point for family members, teachers, and others who work with and support youth to engage them in conversations about the positive and negative aspects of technology, and through these conversations help one another to use digital media in an app-enabled way.

What can parents, teachers, coaches, and others do to help raise responsible, tech-savvy consumers?

A good place to start is with our own technology use. We should remember that adults are powerful models for youth. They see us tied to our laptops, smartphones, and tablets, and they’re taking note! We have the opportunity to model moderation in technology use, show kids there’s a time to put these devices away and be fully present.

Adults can also provide app-enabled experiences that emphasize open-ended exploration and personal initiative over more structured, top-down, and constrained activities. We’ve sampled a variety of apps—many of them with an educational bent—during the course of researching and writing The App Generation. Apps like Minecraft, Scratch, and Digicubes seem (unfortunately) to be among the minority that encourage open-ended exploration and creation. Others we’ve sampled are packed with a lot of bells and whistles that have little relation to the purported learning objectives and leave little room for users to exercise their own creativity and initiative.

Finally, we think computational skills should be emphasized to a greater degree in K–12 education so that kids are able to modify apps as they wish, even create their own. This is something that the UW iSchool does very well in its Informatics and Master of Science in Information Management programs. The ability to understand how apps and other technologies work constitutes a new—and critical—literacy for this new digital era.

Should industry be thinking how to design responsible products, services and apps that foster being a good digital citizen?

Yes, I think designers have a responsibility to consider how their apps are likely to be used, for good and bad. Of course, it’s impossible to anticipate all the different ways one’s creation might be used or modified.

My iSchool colleague, Professor Batya Friedman, has pioneered an approach to designing technologies and tools that take into account what humans care about. Called value-sensitive design, this approach seeks to account for the values of both direct and indirect stakeholders in a principled and systematic manner throughout the design process. A value-sensitive design approach encompasses more than digital citizenship. Designers could use such an approach to think about app-enablement vs. app-dependence during the design process, and attempt to design so that users are encouraged to use apps in an open-ended way, as non-constrained as possible.


Get security updates for September 2014

September 9th, 2014 No comments

Microsoft releases security updates on the second Tuesday of every month.

How to check for the latest updates.

This bulletin announces the release of security updates for Windows, Microsoft Office, and other programs.

To get more information about security updates and other privacy and security issues delivered to your email inbox, sign up for our newsletter.





Get advance notice about September 2014 security updates

September 4th, 2014 No comments

Today, the Microsoft Security Response Center (MSRC) posted details about the September security updates.

If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. In this case, you’ll see an alert in the notification area at the far right of the taskbar—be sure to click it.

In Windows 8, Windows will turn on automatic updating during setup unless you choose to turn it off. To check this setting and turn on automatic updating, open the Search charm, enter Turn automatic updating on or off, and tap or click Settings to find it.

Learn how to install Windows Updates in Windows 7.

If you are a technical professional

The Microsoft Security Bulletin Advance Notification Service offers details about security updates approximately three business days before they are released. We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.

Sign up for security notifications

Congratulations! You’ve won $800,000!!

September 2nd, 2014 No comments

Well, maybe not.

But that’s just one of the many ploys that scammers send in their relentless efforts to part people from their money or sensitive personal information like passwords and account numbers.

Microsoft is asking people to take a survey of their experience with online fraud—what kinds of scams they’ve encountered (including those on mobile devices and Facebook), how concerned they are about online or phone fraud, and what steps they take to protect themselves.

In 2012, Microsoft fielded its first such study, interviewing 1,000 US residents to understand their exposure to, and perception of, online fraud and scams.

Respondents reported having encountered roughly eight different scams on average, with these as the top four:

  • Scams that promise free things or coupons (44 percent)
  • Fake antivirus alerts that imitate real programs offering virus repair but that download malware instead (40 percent)
  • Phishing scams using fake messages that mimic those of trusted businesses to trick people into revealing personal information (39 percent)
  • Fraud that features a request for bank information or money upfront from someone (such as a “foreign prince”) who needs help transferring large sums of money for a cut of the total (39 percent)

In the new survey, we’re interested in how scams and responses to scams might have changed since 2012. Are there different scams? What are the most common? Where are they most often occurring—on mobile devices? On Facebook?

Results of our last survey showed that nearly everyone (97 percent) took steps to safeguard their computers, but more than half (52 percent) did nothing at all to protect their mobile devices. So we’re particularly interested to see if these numbers have changed.

You can help us fight online scams and fraud by taking our survey.

We will release the results of the survey during National Cyber Security Awareness Month this October. Follow the hashtag #NCSAM to read the story.

5 passwords you should never use

August 29th, 2014 No comments

This is part three of three posts on stronger passwords.

Part 1: Create stronger passwords and protect them

Part 2: Do you know your kids’ passwords?

The news is filled with stories about hackers cracking passwords. You can help avoid being a victim by never, ever using these passwords:

  1. Password. Believe it or not, this is still a common password. Don’t use it.
  2. Letmein. We recommend that you use passphrases that are memorable. Just don’t use this one. It ranks high on several lists of the most-used passwords.
  3. Monkey. This common word appears on many lists of popular passwords. It’s also too short. Make passwords at least eight characters—the longer the better.
  4. Your pet’s name. While you’re at it, don’t use any passwords that can be easily guessed, such as the name of your spouse or partner, your nickname, birth date, address, or driver’s license number.
  5. 12345678. Avoid this and other sequences or repeated characters such as 222222, abcdefg, or adjacent letters on your keyboard (such as qwerty).

Bonus password tips

Don’t use the same password for multiple sites. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

Change your passwords regularly, particularly those that safeguard your computer, important accounts (like email or Facebook), and sensitive information, like financial and health data.

For more password guidance, see Create strong passwords.


Do you know your kids’ passwords?

August 27th, 2014 No comments

This is the second of two blog posts on password protection. Read Part 1: Create strong passwords and protect them.

Whether or not you should know all of your kids’ passwords depends on their age, how responsible they are, and your parenting values. However, kids of any age and responsibility level need to know how to create strong passwords and how to protect those passwords.

Sharing is great, but not with passwords

Your kids should never give their friends their passwords or let them log on to their accounts. Also, be careful sharing your passwords with your kids.

3 strategies for strong passwords

  • Length. Make your passwords at least eight (8) characters long.
  • Complexity. Include a combination of at least three (3) uppercase and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.
  • Variety. Don’t use the same password for everything. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

For more information, see Help kids create and protect their passwords.

Create stronger passwords and protect them

August 25th, 2014 No comments

All week we’ll be posting our best guidance on how to create, protect, and manage your passwords.

Passwords are your first line of defense against hackers. Pick passwords that are difficult to crack but easy for you to remember.

What does “difficult to crack” mean?

Each time cybercriminals hack into a database of passwords, they learn more about the kinds of passwords that people use. (Come back on Friday to read Part 3 of our password series on what passwords you should never, ever use.) Now, even passwords that we think are tricky can be guessed by cybercriminals who’ve harnessed the right technology to crack passwords.

The best passwords are the most unpredictable

Stuart Schechter and other colleagues from Microsoft Research have developed a free online tool that helps you avoid passwords that are predictable. Try the tool.

A strong password:

  • Contains at least eight characters.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete word.
  • Is significantly different from previous passwords.
  • Is different from passwords that you’ve used on other websites.
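The rules in this list, together with the entries in “5 passwords you should never use”, can be checked mechanically before a password is accepted. The following Python is an added example, not code from Microsoft or from the tool mentioned above; the sample word list, the names in the usage, the 0.7 similarity threshold, and reading “complexity” as at least three of four character kinds are assumptions.

```python
import re
from difflib import SequenceMatcher

# The fixed entries from the "5 passwords you should never use" list on this page.
NEVER_USE = {"password", "letmein", "monkey", "12345678"}

# Constructed stand-in for a real dictionary file (assumption, not from the page).
SAMPLE_WORDS = {"password", "monkey", "dragon", "summer", "welcome", "football"}

# Alphabet, digits and keyboard rows, used to spot runs such as abcdefg or qwerty.
RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "1234567890",
        "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(pw, run=4):
    """True if pw has `run` or more repeated, sequential or keyboard-adjacent characters."""
    low = pw.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), low):   # e.g. 222222
        return True
    for row in RUNS:
        for seq in (row, row[::-1]):                # forward and backward runs
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def char_kinds(pw):
    """Count how many of: uppercase, lowercase, digit, punctuation/symbol appear."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def check_password(pw, personal=(), previous=(), words=SAMPLE_WORDS, similar=0.7):
    """Return the list of rules a candidate password breaks (empty list = passes).

    personal: user name, real name, company name and similar guessable details.
    previous: earlier passwords and passwords used on other sites.
    """
    low = pw.lower()
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if low in NEVER_USE:
        problems.append("on the never-use list")
    if any(len(p) >= 3 and p.lower() in low for p in personal):
        problems.append("contains a name or other personal detail")
    if any(len(w) >= 4 and w in low for w in words):
        problems.append("contains a complete word")
    if has_sequence(pw):
        problems.append("contains a sequence or repeated characters")
    if char_kinds(pw) < 3:
        problems.append("fewer than three kinds of characters")
    # Similarity threshold is an assumption; 1.0 would catch exact reuse only.
    if any(SequenceMatcher(None, low, old.lower()).ratio() >= similar
           for old in previous):
        problems.append("too similar to a password used before or elsewhere")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("monkey", "12345678", "Summer2014!", "T7#vRq9!mZp2"):
        print(candidate, "->", check_password(
            candidate, personal=("alex", "Contoso"), previous=("Summer2013!",)))
```

Running the checks locally, and keeping the list of previous passwords only on the device where the check runs, avoids sending candidate passwords anywhere.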

Get more advice on how to create strong passwords.

5 ways to protect your password

Once you’ve chosen a strong password, you can protect it from hackers by following a few simple rules:

  1. Don’t share your password with friends.
  2. Never give your password to people who call you on the phone or send unsolicited email, even if they claim to be from Microsoft.
  3. Change your password regularly.
  4. Tell your children not to share your passwords (or theirs) with anyone. Check back tomorrow for more guidance on how to help kids create and protect their passwords.
  5. Evaluate password managers and other password tools carefully. If they keep all your passwords in the cloud, they should use encryption. If the service has problems, understand that you might be locked out of your accounts.

Learn more about how to protect your passwords.

Why do I have to update my email account information?

August 21st, 2014 No comments

We’ve noticed comments from many of you asking why we want you to verify your Microsoft security information. We’d like to explain why verifying this information is important. To help protect your email account and your personal data, we ask everyone who has a Microsoft account to make sure that the security information associated with their account is correct and up to date. When your security information (like an alternate email address or phone number) is current, we can use it to verify your identity.

For example, if you forget your password or if someone else tries to take over your account, Microsoft uses your security details to help you get back into your account.

If you see a message asking you to update or verify your Microsoft account security information, you have seven days to do it. If you no longer have access to your security information, you will have to fill out a support request.

Get a quick overview of how to add security info to your account