What the user virtualization expert community is talking about

Securing DataLocker

by Rich Somerfield 27. February 2012 06:26

When we were creating DataLocker, our main focus was on giving you the ability to secure your own files.  We spent a long time working on the encryption logic to make it secure, but we completely forgot to provide you with any information about how we do it, and therefore how secure your data really is.

We hope to answer your questions in this blog post, but if there is anything else you wish to know, please leave us a comment and we will provide an update in a future blog post.

When it comes to cryptography, there are many areas you need to consider, so it always helps to have an expert at hand.  Thankfully we already do.  We can't tell you where our expert used to work, but if you were to speculate where the best place was for a cryptography expert to work, you'd probably be right – but we couldn't possibly confirm.

There are a number of areas you need to consider when working with cryptography:

Rather than detailing each of these individually (you'd probably be better off reading through the Wikipedia articles), here are the main points of the DataLocker encryption.  We use the symmetric AES algorithm with a 256-bit key length.  We use a unique initialization vector (IV) for each file to ensure the encryption output is unpredictable.  And for each file, we strengthen the entered passphrase with a unique salt.

What all of this means is that if the same user uses the same passphrase, on the same machine, to encrypt exactly the same file multiple times, each resulting encrypted file will have different encrypted contents.  Try it!  In fact, if you are using a different piece of encryption technology and the same passphrase results in the same encrypted file contents, you really need to get the provider to fix it, or you should think about switching to something else.  Good encryption is hard to write, so you should always prove that whatever you are using is working correctly.

We've tried to make DataLocker as secure as possible, while keeping it as easy to use as we can.  The only thing you need to do is remember your passphrase.

Hope this is useful.  If you need more information, or have any other questions, please leave a comment, or send us an email at DataLocker_Feedback@AppSense.com.

Developing DataLocker

by Rich Somerfield 24. February 2012 10:59

Doug has already discussed the ‘why’ for DataLocker.  I’m going to write a few posts on the development of DataLocker.

We only had a small team working on the development of DataLocker, and when you are writing native code for each platform, it can get complicated. AppSense has an incredible wealth of experience when it comes to writing software for the Windows platform. We have deep levels of knowledge on pretty much every aspect of the Windows stack; from low-level drivers, all the way up to the top. Couple this experience with a continued drive to develop our skills, and it is no surprise that many of the AppSense developers are (often in their own time) expanding their skill sets on non-Windows platforms.

For me it all started when my dad bought an Amstrad CPC 464; for anyone who remembers, this had a tape drive.  I mainly played games on it and wrote little BASIC programs, but he also bought a word processing application.  After a while, we added a 3” external disk drive.  Getting the disk drive was great, but unfortunately the word processing application still loaded from tape and saved files back to tape.  After a bit of playing around, I managed to update the word processing application to run from disk, and also to load and save files to it.  It was a great feeling, and I’ve never looked back.

I’ve been intrigued by the Mac for a while, so when my wife sold her car (*) to buy me an iMac for my 30th birthday a few years ago, I jumped at the chance to teach myself Objective-C, and the Cocoa and CocoaTouch frameworks. Picking up a new language, a new framework, on a new platform, and using new development tools can be a bit daunting to start with. But, as you spend more time, you become more fluent; until you find you are no longer translating every new thing back to your ‘native’ tongue.

(*) I paid for the new one ;-).

There are some similarities between the Microsoft / Apple development methods, but there are also many differences. The most fundamental difference I’ve noticed is more about the evolution of a project than the tools themselves:

When developing for Windows, there seem to be a million different ways of achieving the same thing. Often you are not quite sure if you’ve picked the right approach until you get about 90% through, you hit a roadblock, and you have to go back to the start and try a different approach. Windows is a fantastic platform to create software on, and Microsoft has a long track record of bending over backwards to let developers do what they need to, but sometimes this flexibility gives you too many options.

When developing for Mac / iOS, there seems to be only a single way of doing things. You can be completely stuck right at the start. There is no handholding, and until you figure it out, you are completely blocked. But when you do, everything slots into place such that when you get to the end, everything feels right. If, however, you can’t get past that initial hurdle, then you may as well give up.

One example of this was when we modified the UI code in the iPhone app.  To display the files and folders in the app we use a table view UI control (basically, given a list of items and a bit of logic, it will create table cells with text – i.e. what you see).  We originally wrote the code such that every time we get new information from Dropbox, we had to update our list of items, instruct the table view to re-draw itself, and then provide the details for each item that the table view wanted to show.  This all worked fine, and there is nothing particularly wrong with this, but there is a mechanism called ‘bindings’ that means you can achieve the same thing, but with vastly less code – and any engineer will tell you, the less code you use to solve the same problem, the better.

We added the binding code, and removed our update/instruct logic.  All looked good, and we’d proved it worked in a sample application, but with these changes in place, every time we launched the application, it crashed immediately.  No matter how much logging we added, or how we used the debugger, the app just kept crashing – essentially all we got from the debugger was ‘something went wrong’, and no indication as to why, or where we needed to look to solve it.

After many hours of head scratching, re-reading the Apple developer documentation, and drinking coffee, we luckily managed to identify the problem.  It turns out that there was a very subtle left-over UI association that had been added when we’d developed the original update/instruct solution.  The connection was so slight and so buried away in the developer tool, it was almost impossible to spot.  But, as soon as we’d made this minor tweak, everything sprang to life and it all worked perfectly.  I’m sure I’ll never make this mistake again, but I’m also sure there will be more situations like this.

Hope you’ve enjoyed this post and you’ve liked the DataLocker releases.  We will be following up with a few more posts, so stay tuned.

And, we’d love to hear your feedback.

AppSense Inner Circle Technical Event

by Gareth Kitson 24. February 2012 03:42

Taken from a more detailed AppSense internal communication from Josh Donelson, here is a very quick summary of the recent AppSense Inner Circle Technical Conference, a dedicated event for the elite technical consultants at our leading Certified Solutions Partners:

The event saw many leading AppSense Certified Solution Partners (CSPs) send their leading consultants, architects and principals to a dedicated AppSense technical event in Las Vegas.

We presented a range of topics including the User Virtualization (UV) Vision, Advanced Troubleshooting Techniques, and Architectural Best Practices. The event proved to be a huge success, with attendees rating the event highly and over 94% of them committing to attending another event of this type, which shows a tremendous amount of support for AppSense and our Community. In one case, a consultant took information presented in a session (troubleshooting) to solve a customer issue in real time, via email; he showed us the fixed environment on his iPad during a break!

The event reinforced that we're on the right track with our current focus and investment. One attendee called the event a "turning point for AppSense in the Channel," and several meetings were committed to as a result of conversations held over the event. Several partners commented that this event makes them even more committed to AppSense, and that they wanted to see an even greater presence from us on a weekly basis to help keep the great momentum and joint success.

Thank you to everyone who attended and helped organize the event.

Meet DataLocker, a Free Product from AppSense Labs

by Doug Lane 22. February 2012 06:14

Today, AppSense opened an exciting new chapter with the introduction of AppSense Labs. Check out Harry Labana's post for the full scoop on AppSense Labs and what it means to both you and us. But in short, Labs is all about giving AppSense a vehicle to innovate and engage with users in a completely new way. To demonstrate that, we are pleased to introduce you to a completely new type of AppSense product: DataLocker.

DataLocker is a simple-to-use set of applications that makes it easy to add an extra layer of security to sensitive files before syncing them to cloud-based services. We all love the convenience that comes with using Dropbox or similar services to keep data in sync between the cloud and all of our devices. We like it so much in fact, that sometimes we make security and privacy trade-offs that we probably shouldn't when it comes to sending personal and corporate information up to the cloud.

What if you didn't have to trade off security for convenience? What if you could take a quick and easy step to secure sensitive files you plan to sync to the cloud but still enjoy easy access from any of your devices? This is the idea behind DataLocker.

The DataLocker suite, which is available for free beginning today, includes native applications for Windows, Mac, iPhone, and iPad. The Windows and Mac clients both have dead simple drag-and-drop interfaces that let you encrypt and store secure files in any local file system or cloud storage location. Since iOS doesn't expose a file system, we chose to start by integrating with the most popular cloud storage service: Dropbox. We plan to add additional storage options to the DataLocker iOS application in the future.

The Windows and Mac DataLocker applications can be downloaded from the AppSense Labs area on our web site. A universal DataLocker iOS application for iPhone and iPad can be downloaded from the App Store. All are available now, so go give them a try. We think you will find them useful and enjoyable to use.

If you've been following AppSense for a while, you will likely agree that DataLocker is quite a bit different from anything AppSense has ever done. DataLocker is our first Mac application. It's our first iOS application. It's the first time we have released a product directly to technology enthusiasts. These are all exciting milestones that we are really proud of. At the same time, DataLocker is not the end game for us when it comes to cloud and mobility. It's really the beginning. Stay tuned for more exciting news to come.

In the meantime, enjoy DataLocker and let us know what you think. Feel free to post a comment below or share your thoughts and questions via Twitter using the hashtag #DataLocker.

AppSense Labs and our evolving innovation process.

by Harry Labana 22. February 2012 01:25

If I say Enterprise software company, what kind of thoughts does that conjure up in your mind? Speaking from personal experience it often means big, slow and lots of inertia. This mindset is often justified as an enterprise requirement, in the name of "that's what enterprise customers need, slow and steady." I cringe when I hear that. Having been an enterprise customer most of my career, I always wanted more enterprise innovation in combination with performance, reliability, predictability and scalability. I never expected to go as fast as the consumer space, but I also believed that enterprise software had to shift gears to enable more innovative services and products for their users. I truly believed I had to empower my users by innovating as an enterprise IT leader, which was why, despite all the naysayers, I was one of the first to implement desktop virtualization at scale for the right reasons.

IMO there is no reason that enterprise IT can't be cool and enabling. As pure consumerization rapidly continues to bring new services to market, enterprises will have no choice but to evolve by adopting the right technologies for their business or become irrelevant over time and immediately start to become the worst technology organizations to work at.

When I joined AppSense back in May of 2011, one of the questions we considered was how could we better innovate? It was clear to us that the world is shifting to a user centric computing model, but as the leaders in user virtualization we wanted to push the envelope and imagine what was possible. We set off scribbling on whiteboards, debating ideas and thinking how to evolve our user virtualization platform. The problem however was, there were so many good ideas, which ones do you pick? We could go down the standard enterprise route of studies, customer validation etc. But how long would that take? Could we really scale that with so many ideas? What would happen if instead we asked ourselves a different set of questions? In our organization we have deep and broad enterprise experience. Using that experience, let's become our own customer for a second and ask ourselves how can we make our lives better? What kind of user centric computing "stuff" do we think would be useful or just cool and fun? What if we could build some of the things we liked for ourselves and experimented to learn more? Why not? Wouldn't it be fun to spend a little to learn a lot? We thought so, and as a result today we announced AppSense Labs.

However, AppSense has a reputation for being very measured and methodical in its product development process. This is a necessity when you are playing a critical role at some of the world's largest companies, and relaxing our standards is simply not an option. At the same time, we recognize that there is a significant shift underway in how people use technology, and it is essential that we find ways to foster a culture of innovation at AppSense that explores the possibilities. We have a deep team of very sharp technical talent - in the UK and now in Santa Clara - and AppSense Labs is really about giving them the freedom to innovate and take risks alongside the more structured and methodical development of our core enterprise products.

There are no real bounds on the types of things that AppSense Labs will look at, but much of our early focus is centered on the blurring lines between personal and business computing. We see cloud, tablet, and mobile technologies rising in strategic importance, but no one has really figured out the formula for unlocking their full potential or integrating them into enterprise IT infrastructure in a cohesive way. These are areas we are focusing a great deal of attention on - both in terms of strategy and in the types of skills we bring into the organization.

AppSense is known for having one of the deepest pools of Windows talent outside of Redmond, but you will soon see that we have elevated our expertise into new and exciting areas such as Mac, iOS, and Android. This isn't your father's AppSense!

While we expect some of the R&D occurring under AppSense Labs to find its way into our enterprise products, we are challenging the teams to freely experiment in new technology areas and make useful innovations available directly to technology enthusiasts - for free in many cases. This is part of our commitment to our customers and the industry to remain focused on our user virtualization platform and not allow ourselves to become distracted in areas that don't build upon our user centric vision of the world.

While it's exciting for me to talk about all the changes that have taken place at AppSense setting us up for the future, it means little to most people externally. Hence as part of our AppSense Labs announcement we are also simultaneously releasing our first labs offering - DataLocker for free. Check out Doug Lane's blog to learn more. We look forward to your input as we continue to imagine what user centric computing can enable.

AppSense and ETC - Winning Together, both on and off the pitch ...

by Gareth Kitson 16. February 2012 11:16

Further to AppSense competing in the Australian Corporate Games event, last month AppSense had the pleasure to extend our close and successful partnership with leading AppSense Distributor ETC to become sponsor of the joint ETC and AppSense indoor soccer team in the Netherlands. As the business with ETC continues to develop at a record rate, we look forward to taking our winning in the field to winning on the pitch.

The team, playing in the official KNVB indoor soccer league are looking forward to many successful matches, wins and fun.  We definitely appreciated the support of ETC in this, Thank You!

Unfortunately, last night the game ended on a somewhat bad foot literally; due to an unfortunate collision it turned out (this morning) that Frank aan de Stegge, Director of Marketing BeNeLux broke a toe at the end of the game :-S .  Awww.

Don’t worry - the powers of the AppSense/ETC team spirit and the urge to get back into his silky white kit will have him back in the game in 2-3 weeks.

Thanks again ETC, we look forward to continued success in 2012, both in the field and on the pitch.

The Cloud Handicap - Is Desktop Virtualization the Savior?

by Jon Wallace 15. February 2012 10:45

Last year cloud was certainly the technology buzzword of choice with software vendors talking about delivering their wares from the big fluffy Internet.  Cloud computing offers an array of marvelous advantages from the basic premise of enterprises not having to physically own or manage the equipment to the ability to rapidly scale and consume more resources as and when required.

One of the things that has aided the adoption of cloud technology is the increased use of mobile devices and users' expectations of what should be available on them.  It wasn’t long ago that if you wanted to access your CRM database on the road, you would have to find a wireless network for your laptop, VPN to your organization and connect to whatever solution was in place.  Today however, with solutions such as Salesforce.com and an array of mobile applications, it’s possible for an organization to make use of cloud computing to provide easy access to their CRM data from anywhere.

The technology element that has always troubled me when it came to cloud technology was the limitations (at least within the US) with regards to Internet access – a fundamental component of web-based applications.  I was reading a story on Fox News just this morning about how AT&T throttles users' bandwidth when they consume too much, even on unlimited data plans, and couldn’t help but think that this alone could be a barrier to cloud.  As technology evolves and more content is made cloud-ready, users will become increasingly frustrated by the constant roadblocks they run into.

I live in a fairly modern area in South Florida yet the phone and local cable company are the only ones who serve my house.  With the phone company the maximum bandwidth I can get is around 6Mbps and with the cable company it’s around 30.  While the cable company appears to provide a bigger pipe, I have bandwidth caps that prevent me from doing too much and as someone who consistently downloads product builds and test platforms, I dance with this limit regularly.

Is Desktop Virtualization the Savior?

It’s interesting to think of this because back in the day when I first started working with Citrix technologies one of the biggest benefits was its use in client-server environments.  The ability to put a terminal server next to the database and only deliver screen images to the user was sensational.  If you look at the technology and why it was implemented back then, it’s easy to see how it could be used today in order to address Internet issues.

The problem with desktop virtualization however is that nobody wants to see a Windows desktop on their iPhone, nor do they want to run a non-touch-friendly CRM application – they want applications which have been designed for their devices.  If desktop virtualization were to evolve, however, such that phone and touch-friendly applications could be “published” to a phone like they were to a desktop, that would certainly be significant.

Today, most mobile application developers create native client-based applications and allow them to access various data sources, which is where the data transfer issues come into play.  What if those same application developers took a different approach, instead writing a simplified version of an ICA client.  The vendor would then run the application logic on a cloud computing platform and deliver just a screen image to the device.  I think this could be a significant component to delivering rich enterprise applications to mobile devices - just food for thought…

As always, I’m interested to hear your thoughts and don’t forget to follow me on Twitter.

Creating a Blueprint for Desktop Transformation

by Doug Lane 14. February 2012 19:50

As I have noted in the past, the term "desktop transformation" is often floated in our industry but rarely explained. In the eyes of some, it's a strategic IT initiative. In the eyes of others, it's little more than a marketing buzz phrase. In my view, desktop transformation is a valuable concept to those who take the time to truly define it and relate it to the practical IT challenges they face today.

Over the last several months, we have conducted a series of webinars where we have shared our vision of desktop transformation and invited the key ecosystem partners we see playing a transformational role to join the dialogue.

The next webinar in this series, "Creating a Blueprint for Desktop Transformation," is coming up on Thursday, February 16. In this installment, I'll be joined by David Thornley, senior architect at Citrix AppDNA, to explore how sound analysis and planning can help you:

  • Understand your current environment in detail before you decide where to take it
  • Rationalize existing applications and preferred deployment methods
  • Apply automated application testing, remediation and management to identify and overcome potential deployment challenges upfront
  • Model options for application deployment on physical and virtual technologies
  • Establish an ongoing framework for managing future change without compromising IT efficiency and control

Whether you are charting your future desktop strategy or looking for ways to accelerate key near-term projects like Windows 7 migration, you will come away with new insights that you can put to work right away.

We have two time slots planned to maximize time zone coverage, so I encourage you to join us:

Creating a Blueprint for Desktop Transformation
February 16, 2012
Session 1: 10 a.m. EDT / 9 a.m. CDT - Register
Session 2: 1 p.m. EDT/ 12 p.m. CDT / 10 a.m. PDT - Register

The Future of User Virtualization

by Jon Wallace 14. February 2012 10:19

One of the principal functions of my role within AppSense is looking forward and visualizing the future of our space, namely user virtualization, to understand both what it will look like and where we will play.  If we look back over the past 10 years it is amazing just how much has changed with regards to how users interact with their devices, and you can almost certainly predict that this is going to continue.

I’ve written about UV before and how it encompasses various elements and moving forward some of these will no doubt become more important than others.  For example, will personalization be important when the enterprise is filled with SaaS based applications given that most user settings will be stored with the application vendor?  And will application entitlement be required when all software is rented and delivered on demand?  While the answers to these and other questions may seem straightforward initially, there is much more to understand.

Today I think it’s fair to say that most (if not all) enterprise organizations haven’t really wrapped their arms around the SaaS world, in most part due to the lack of applications available.  Yes, there is an abundance of cloud-based software available, but when you examine the range of apps that an enterprise organization uses, typically there are only a few standard ones such as Microsoft Office.  These apps are then complemented by an array of bespoke or in-house written ones, which are ingrained in the day-to-day lives of the users.  While this isn’t a problem, it does put virtual blinkers on the IT teams within these organizations and prevents them in most cases from planning ahead.

When I speak to forward-looking technology folk, most will say that in the cloud world personalization is irrelevant, and I must admit I would have to agree with them if everything were cloud.  When your organization makes use of Salesforce.com and maybe a couple of other cloud-based applications, it’s easy to visualize that the lack of user settings stored on the local device would signal the end of personalization management.  What these individuals fail to grasp however is that they are talking about SaaS applications based on an experience of managing fewer than a handful.  If the enterprise application set consisted of just 3 or 4 applications today, personalization would be irrelevant anyway irrespective of cloud, but alas, this is not the case.

Over the next 10 years, I picture environments becoming more complex as the introduction of SaaS takes hold.  Those organizations that have a mixture of technologies will find managing elements such as user personalization increasingly important as the requirements to bridge the local and cloud worlds becomes prevalent.  While Windows profile management and point solutions will provide lesser value, organizations will turn to implement technologies that can span multiple platforms, delivery mechanisms and vectors.

While I’ve spoken mainly about personalization within this post, UV as a category will effectively change, and being able to manage the entire range of elements will be vital.  Managing user data will be more than simply storing data in yet another location or enhancing Windows folder redirection, and instead will need to mash together different technologies to provide a rich platform.  Application entitlement will need to move from being an OS-specific enhancement to a solution that can intelligently manage resources which are locally installed alongside those which are not.  And finally, user configuration will need to be able to deal with a vast range of user environments, be they different devices, virtual desktops or even home televisions, as they adapt and evolve.

In closing, user virtualization in the future is every bit as important as it is in the present, provided it continuously evolves to manage new and emerging user environments.  As environments grow at a faster pace, point fixes to problems will become less effective and organizations will need to move to complete and comprehensive user management solutions.

As always, I’m interested in your thoughts and don’t forget to follow me on Twitter.

VBA Exploit & AppSense Application Manager

by Ian Bray 11. February 2012 18:22

At the end of January, Remko Weijnen posted a


What this Exploit Does Do

Without showing the entire hand, the technique fools the system into launching one process whilst believing it is another. So, using Excel.exe (which is owned by a Trusted Owner - but equally any of the applications in the Office suite could potentially be used to launch this exploit), I can spawn a process (with a number of caveats) to access an otherwise "blocked" executable - whether this executable has been blocked by Group Policy or by using a product such as AppSense Application Manager. For example, you may have set the Prevent access to the command prompt Group Policy setting, or if using AppSense Application Manager you may have explicitly denied access to CMD.EXE.

For all intents and purposes this process appears to be the Trojan I have specified, rather than the actual target. Remko specifically used Excel.exe as the target in his video - so although a CMD prompt is available, the process appears as if it is Excel.exe in Task Manager, and is even grouped as such on the Start Menu.

What this Exploit Does Not Do

The exploit, whilst able to launch a process, is still within a gilded cage. The process is in no way elevated - so in a default Windows environment a Standard User still cannot perform destructive actions on system folders and files, nor read files they do not have permission to read. In the context of AppSense Application Manager, if you launch, for example, a CMD prompt and then try to launch BLOCKEDAPP1.EXE, BLOCKEDAPP1.EXE will still be blocked - you have not escaped the protection intrinsic to Application Manager, merely created another vector from which to attempt to launch processes, which will be evaluated and allowed or denied based on the policy.

The video below shows the extent and effect of this exploit in a Windows Server 2003 x86 environment with AppSense Application Manager 8.4 installed:

How to Stop this Exploit

This exploit relies on the fact that the Microsoft Office suite of applications all include a compiler inside them (not a separate executable). This is done so that Visual Basic for Applications can be used to create macros, methods and functions for the more demanding use cases of the suite. The major security hole that building this compiler into the executable introduces is that VBA can talk directly to libraries that are core to the operating system - including the kernel. To make matters worse, malicious code executed through it is not inspected by anti-virus or other software in the same way a standalone compiler would be, meaning that its mere inclusion is something that viruses can use to inject code into your environment.

With that said, Microsoft dealt with it to an extent by introducing signatures for macros and defaulting the security policy to Very High, blocking any macro that does not have a digital signature from a trusted source. This can also be mandated through Group Policy and remains the single most effective means of preventing this exploit.

Additionally, if the Prevent access to the command prompt and Prevent access to registry editing tools Group Policy settings are enabled, CMD or Regedit will launch but immediately be killed off by Windows.

Having said that, for environments where for whatever reason you cannot accept these basic levels of security, there is a workaround using AppSense Application Manager that prevents the specific code witnessed from operating - but it may impact custom plugins and other tools used within the environment. That workaround is:

  • Include a Process Rule for any of the applications which can compile VBA (the majority of the Microsoft Office Suite- all versions) to block Kernel32.dll and scrrun.dll.

This workaround was discovered within hours of the initial post using Rules Analyzer in the AppSense Application Manager console to monitor an affected client, and required no knowledge of the techniques utilized within the code - merely a risk assessment of what impact preventing these applications from running could have.

The effects of this are seen in the following video:

And an example policy configuration for AppSense Application Manager 8.0 can be found here: Application_Manager_-_Desktop_Template_Configuration_with_VBA_Exploit_Lockdown.zip

Conclusion

I've been deeply impressed by Remko and the community's methodical manner of finding and understanding this technique, and as a company it is certainly something AppSense will be looking to address, given that there does not seem to be an existing solution that allows full access to VBA on the one hand while preventing access to disruptive techniques that are the domain of hackers, virus writers and Trojan horses on the other. User Virtualization is, and always will be, about balancing the needs and wants of Users on the one hand with the requirements placed upon them by the environments they operate in on the other, and this truly illustrates that struggle in a vivid and engaging way.