Monthly Archives: January 2015

Bromium: The Vicious Cycle of “Assuming Compromise”

31 January 2015

The latest Bromium post ‘The Vicious Cycle of “Assuming Compromise”’ is absolutely worth reading. The transition from reactive to proactive endpoint protection technology will mitigate some of our principal security risks. But don’t forget people and processes…

Have a good weekend.

Why should companies migrate to Windows 10?

28 January 2015

This question is often asked in the media. Most companies have shied away from migrating to Windows 8.1. One reason for this might be that they invested considerable effort in the migration from Windows XP to Windows 7 only a few years earlier.

Besides security features like User Account Control (UAC), Microsoft introduced the SMB v2 protocol with Windows Vista. SMB v2 supports signing of network packets, which protects against man-in-the-middle tampering. Signing already existed in SMB v1, but SMB v2 replaced its weak MD5-based signature with HMAC-SHA256.

SMB v3 was introduced with Windows 8 and Windows Server 2012. SMB v3 adds encryption (AES-CCM) of data while it is transferred across the network, which protects against wiretapping. Note that neither signing nor encryption is enforced by default on member servers and clients: signing has to be required by policy, and encryption has to be switched on per share or server-wide.

In addition to SMB signing and encryption, two-factor authentication will be introduced in Windows 10. Even if these security features were the only innovations in Windows 10 (the new user interface looks great), I would strongly recommend that companies start evaluating Windows 10 as soon as possible.
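How to actually turn the signing and encryption described above on, as an added PowerShell example that is not part of the original post: signing is required through the registry values behind the policies “Microsoft network server/client: Digitally sign communications (always)”, which also works on Vista and 7, and SMB3 encryption is enabled with the SmbShare cmdlets that exist from Windows 8 / Server 2012 on. The share name ‘Finance’ is a placeholder, and the Signed and Encrypted columns of Get-SmbConnection are assumed to be available on the client, as they are on Windows 8 and later.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Set-SmbSigningRequired {
    # RequireSecuritySignature=1 is the registry form of the policies
    # "Microsoft network server/client: Digitally sign communications (always)".
    # Available on Vista/7 as well. The server side only picks the change up
    # after the LanmanServer service has been restarted (open sessions are dropped).
    foreach ($key in $serverKey, $clientKey) {
        Set-ItemProperty -Path $key -Name EnableSecuritySignature  -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name RequireSecuritySignature -Value 1 -Type DWord
    }
    Restart-Service -Name LanmanServer -Force
}

function Test-SmbSigningRequired {
    # $true only when both the server and the client side refuse unsigned sessions.
    foreach ($key in $serverKey, $clientKey) {
        $prop = Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
        if ($null -eq $prop -or $prop.RequireSecuritySignature -ne 1) { return $false }
    }
    return $true
}

function Enable-SmbEncryption([string[]]$ShareName) {
    # SMB3 only (Windows 8 / Server 2012 and later). Encrypting individual shares keeps
    # SMB2-only clients working on the remaining shares. The server-wide alternative,
    # Set-SmbServerConfiguration -EncryptData $true, covers every share and, because
    # RejectUnencryptedAccess defaults to $true, locks out every client without SMB3.
    foreach ($name in $ShareName) {
        Set-SmbShare -Name $name -EncryptData $true -Force
    }
}

function Get-SmbConnectionSecurity {
    # Run on a client: dialect 3.x plus the Signed/Encrypted flags show what the wire gets.
    Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

Set-SmbSigningRequired
Enable-SmbEncryption -ShareName 'Finance'    # placeholder share name
Test-SmbSigningRequired                      # expected: True
Get-SmbConnectionSecurity | Format-Table -AutoSize
```

Requiring signing costs some throughput and breaks clients that cannot sign (very old NAS boxes, for instance), so check Get-SmbConnectionSecurity on a few clients before rolling the setting out.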

Watch this YouTube video and form your opinion…

Don’t Panic!

How to mitigate Drive-by-Downloads Attacks

24 January 2015

Bad news for Adobe Flash Player users. A new critical vulnerability (CVE-2015-0311) has been found in Adobe Flash Player 16.0.0.28… Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

In the Adobe Security Bulletin we read ‘We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.’

Drive-by-download (DbD) attacks are a commonly used technique for exploiting vulnerabilities in programs. In his post ‘How malware works: Anatomy of a drive-by download web attack’ John Zorabedian from SOPHOS gives a detailed description of how DbD attacks work.

The shocking fact is: it is not even necessary to click a link on the malicious site. Merely loading the page can start the malware download, automatically and silently in the background.

The good news is that we can block this behaviour almost completely, and without considerable loss of convenience. The Security Technical Implementation Guide (STIG) for Internet Explorer 11 shows the direction.

STIGs are primarily used to secure the information systems of the US Department of Defense, but this should not deter us from using STIGs to secure our systems at home, and of course in our businesses.

STIGs are available from http://www.stigviewer.com/stigs for operating systems, web servers, databases and applications. They are an excellent means of securing the devices connected to the internet against malicious attacks. But be aware that 100% safety cannot be achieved.

Applying STIGs to Microsoft operating systems and applications is very easy if you are familiar with the registry editor regedit.exe and the local group policy editor gpedit.msc. Since only standard Windows security options are used, the recommended settings can be applied to all computers; on domain-joined computers they belong in a domain group policy, so that a local administrator cannot simply undo them.

Back to drive-by-download attacks. To prevent DbD attacks we have to configure Internet Explorer such that downloads not consented to by the user are blocked. Sounds easy, doesn’t it? We just have to work through the STIG for Internet Explorer 11 and implement the relevant fixes:

Step 1: Block non user-initiated file downloads

The DoD requirements block unconsented downloads from the Restricted Sites Zone and the Internet Zone. Since I would not trust computers in local networks either, I would strongly recommend blocking unconsented downloads from all zones.

Implement at least the fixes from Finding IDs V-46705 and V-46643.

Step 2: Block non user-initiated file downloads for Internet Explorer Processes

Implement the fixes from Finding IDs V-46779 and V-46781.

Step 3: Enforce Protected Mode

Protected Mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. I would recommend enforcing Protected Mode for all zones. Note that Protected Mode depends on User Account Control: if UAC is switched off, Protected Mode is off as well.

Implement at least the fixes from Finding IDs V-46685 and V-46681.

Step 4: Enforce Enhanced Protected Mode on 64 bit Windows Systems

Implement the fix from Finding ID V-46987.
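The four steps above, as an added PowerShell example that is not part of the original post: it writes the registry values behind the corresponding Internet Explorer group policies (the value names and numbers come from inetres.admx), which is what gpedit.msc does under the hood on a stand-alone machine, and then audits that they are in place. Mapping each value back to its STIG Finding ID is left to the STIG text itself. The script assumes zones 1 to 4 (the Local Machine Zone is not touched) and a 64-bit Windows for the 64-bit tab processes of step 4.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell prompt.
$zonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ieMain   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
$restrictDownload = "$ieMain\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"

# URL-action values written by the per-zone policies in inetres.admx:
#   2200 "Automatic prompting for file downloads": 3 = Disable, i.e. downloads the
#        user did not initiate are blocked silently (step 1)
#   2500 "Turn on Protected Mode": 0 = Enable, 3 = Disable (step 3)
$zoneSettings = @{ '2200' = 3; '2500' = 0 }
# Zones 1-4 = Intranet, Trusted Sites, Internet, Restricted Sites.
# Assumption: the Local Machine Zone (0) is left alone here.
$zones = 1..4

function Set-PolicyValue([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord') {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$Name
}

function Invoke-IeDriveByHardening {
    foreach ($zone in $zones) {                                   # steps 1 and 3
        foreach ($s in $zoneSettings.GetEnumerator()) {
            Set-PolicyValue -Path "$zonesKey\$zone" -Name $s.Key -Value $s.Value
        }
    }
    # Step 2: "Restrict File Download" feature control for the Internet Explorer processes.
    foreach ($proc in 'iexplore.exe', 'explorer.exe') {
        Set-PolicyValue -Path $restrictDownload -Name $proc -Value 1
    }
    # Step 4: Enhanced Protected Mode, with 64-bit tab processes on 64-bit Windows.
    Set-PolicyValue -Path $ieMain -Name 'Isolation'      -Value 'PMEM' -Type 'String'
    Set-PolicyValue -Path $ieMain -Name 'Isolation64Bit' -Value 1
}

function Test-IeDriveByHardening {
    # Returns the settings that are still missing or wrong; no output means all four
    # steps are in place. Protected Mode additionally needs UAC to be enabled.
    $expected = @()
    foreach ($zone in $zones) {
        foreach ($s in $zoneSettings.GetEnumerator()) {
            $expected += [pscustomobject]@{ Path = "$zonesKey\$zone"; Name = $s.Key; Value = $s.Value }
        }
    }
    foreach ($proc in 'iexplore.exe', 'explorer.exe') {
        $expected += [pscustomobject]@{ Path = $restrictDownload; Name = $proc; Value = 1 }
    }
    $expected += [pscustomobject]@{ Path = $ieMain; Name = 'Isolation';      Value = 'PMEM' }
    $expected += [pscustomobject]@{ Path = $ieMain; Name = 'Isolation64Bit'; Value = 1 }

    $expected | Where-Object { (Get-PolicyValue -Path $_.Path -Name $_.Name) -ne $_.Value }
}

Invoke-IeDriveByHardening
Test-IeDriveByHardening   # expected: no output
```

Close and reopen Internet Explorer afterwards; no reboot is needed. On a domain-joined computer put the same values into a domain GPO instead, because local policy edits lose against domain policy and can be undone by any local administrator.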

That’s it for today. Please keep in mind that 100% safety cannot be achieved, even if you implement all 155 fixes from the IE11 STIG.

Don’t Panic! And have a good weekend.

HACKADAY: Keystroke Sniffer Hides as a Wall Wart, is Scary

22 January 2015

Samy’s video ‘Keystroke Sniffer Hides as a Wall Wart, is Scary’ is well worth watching.

A keystroke sniffer that records and decrypts the keystrokes sent from a wireless keyboard: simply brilliant, and truly frightening. In offices where business-critical information is processed, wireless keyboards should be banned as soon as possible.

What really worries me is that, in the fight against the omnipresent danger from the Internet, we miss the obvious right under our fingers.

Enjoy the video.

Don’t panic!

Fun with 24h Admin Rights

19 January 2015

Once you have granted 24h admin rights to a user, he is able to grant himself permanent privileges with just a few clicks. Startup scripts give an easy means to do this.

About startup scripts.

With startup scripts Windows offers administrators a powerful tool to run commands at system boot. Scripts registered in the local group policy are stored in the directory %windir%\System32\GroupPolicy\Machine\Scripts\Startup and are executed with SYSTEM privileges.

But just adding a script to the startup directory is not sufficient to execute it. Because startup scripts could easily be used to compromise a system, they have to be registered through the Local Group Policy Editor gpedit.msc, and registering a startup script with gpedit.msc requires local admin privileges. Which is exactly what a 24h admin has.

3 steps for 24h admins to get admin privileges back for good.

  1. Create a PowerShell script that adds your user account to the local Administrators group.
# addMalUser.ps1
# Runs as SYSTEM at boot (startup script) and adds a domain user to the
# local Administrators group through the ADSI WinNT provider.
$Domain   = "YourDomain"
$Computer = "YourComputer"
$Username = "YourUsername"

$Group = [ADSI]"WinNT://$Computer/Administrators,group"
$User  = [ADSI]"WinNT://$Domain/$Username,user"
$Group.Add($User.Path)

Save this script to the file addMalUser.ps1. To get the exact values for $Domain, $Computer and $Username, run set in a command prompt and look at USERDOMAIN, COMPUTERNAME and USERNAME.

  2. Copy the script addMalUser.ps1 to %windir%\System32\GroupPolicy\Machine\Scripts\Startup.

  3. Start gpedit.msc and add the script addMalUser.ps1 to the startup scripts.

Gpedit Add Startup Script dialog (screenshot)

Tips for would-be malicious users.

  1. Please note that this operation is recorded in the Security Event Log of your computer (event 4732, a member was added to a security-enabled local group).
    Never mind! Only very few organizations scan the security events on user workstations. Those which tolerate 24h admin rights are certainly not amongst them.

  2. Feel free to add switches to this script so that it runs on demand only. This will help to hide your malicious activities, because you can remove yourself from the admin group or clear the Security Event Log after the job is done (clearing it is itself recorded as event 1102, though).
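For the defender’s side of tips 1 and 2, an added PowerShell example that is not from the original post: it queries the local Security log for event 4732 on the Administrators group and for event 1102 (audit log cleared), and lists the startup scripts registered in the local GPO, which is where addMalUser.ps1 would show up. It assumes that the Security Group Management audit subcategory logs successes (the default) and must run elevated to read the Security log.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.

function ConvertFrom-EventData($Event) {
    # Flattens the <EventData><Data Name="..."> elements of a Security event into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-LocalAdminGroupAdditions([int]$Days = 30) {
    # Event 4732: a member was added to a security-enabled local group.
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ConvertFrom-EventData $_
        if ($data['TargetUserName'] -ne 'Administrators') { return }   # other local groups: skip
        # 4732 carries the new member as a SID; resolve it to a name where possible.
        $member = $data['MemberSid']
        try {
            $sid    = New-Object System.Security.Principal.SecurityIdentifier($member)
            $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Member  = $member
            AddedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

function Get-AuditLogClears([int]$Days = 30) {
    # Event 1102: the audit log was cleared. It is written after the clear, so a
    # "reset" of the Security log is itself a loud signal.
    $filter = @{ LogName = 'Security'; Id = 1102; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-LocalStartupScripts {
    # gpedit.msc registers local scripts in scripts.ini (batch/cmd) and psscripts.ini
    # (PowerShell) below the local GPO. Startup and Shutdown sections both use nCmdLine=.
    $base = Join-Path $env:windir 'System32\GroupPolicy\Machine\Scripts'
    foreach ($ini in 'scripts.ini', 'psscripts.ini') {
        $path = Join-Path $base $ini
        if (-not (Test-Path $path)) { continue }
        $section = ''
        foreach ($line in Get-Content -Path $path) {
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1] }
            elseif ($line -match '^\d+CmdLine=(.+)$') {
                [pscustomobject]@{ IniFile = $ini; Section = $section; CmdLine = $Matches[1] }
            }
        }
    }
}

Get-LocalAdminGroupAdditions -Days 30 | Format-Table -AutoSize
Get-AuditLogClears           -Days 30 | Format-Table -AutoSize
Get-LocalStartupScripts               | Format-Table -AutoSize
```

Running this from a central place (Invoke-Command against the workstations, or forwarding 4732 and 1102 to a collector) is what turns the “never mind” in tip 1 into a false assumption.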

Have Fun with 24h Admin Rights!

Reducing the Effectiveness of Pass-the-Hash – A NSA/CSS Report

15 January 2015

Reducing the Effectiveness of Pass-the-Hash [5], a report compiled by the Network Components and Application Division of the NSA/CSS, is highly recommended for all Windows network administrators and designers.

The design guidelines given in chapter 3 lay the foundations for the secure operation of Windows networks. Strictly implemented, they hamper the propagation of attacks through the network.

I have no doubt that the impact of the Sony attack would have been far smaller if these guidelines had been implemented.

Enjoy reading, and, have a good day.

Does that make sense: Bitlocker for Desktop Computers?

13 January 2015

The answer is: It definitely makes sense.

Okay, this sounds strange, because it is not very likely that a desktop computer will be lost. But if your computer is stolen, the thief has full access to the data stored on the disk, even if he cannot log in to your system.

An attacker just has to boot Linux from a USB stick and mount the Windows hard disk into the Linux filesystem. This allows him to read all the information stored on your computer: credit card statements, insurance policies, or scanned love letters.

But the worst is yet to come. The thief also has access to your hashed Windows passwords. These are stored in the SAM (Security Account Manager) database, the file C:\Windows\System32\config\SAM. The SAM is locked while Windows is running, but can easily be read once the disk is mounted in a Linux system, and the key that encrypts the hashes inside it sits in the SYSTEM hive in the same directory. Very strong passwords pay off in such a case, since the NT hash is unsalted and a weak password is cracked in seconds; against reuse of the hash itself (pass-the-hash), only an encrypted disk helps.

Don’t Panic, and have a good day.

Sunset on Rhine Ferry Leverkusen, 11/28/2014

The course towards security is set upon purchase of a computer

10 January 2015

In his report SME security on a shoestring budget Vladimir Jirasek aptly describes the state of SMEs (small and medium-sized enterprises): they are the motor of the economy! And increasingly susceptible to cyber-attacks, because they have only very limited IT budgets to spend.

Fortunately Microsoft provides lots of advice and free tools to help SMEs in the struggle against cyber-attacks. In addition, lots of open-source tools are available which help to boost security. Vladimir Jirasek discusses some of the fundamental built-in security measures for the safe operation of computers.

But the course towards security is set when the computer is purchased. Please see below for my recommendations for Microsoft Windows-based computers.

  • Select the 64-bit versions of Windows if you have the choice

I strongly recommend buying a computer with a 64-bit Windows operating system, preferably Windows 8.1. Even with only 4 GB of RAM a 64-bit operating system makes sense, because some security features, such as the 64-bit tab processes of Enhanced Protected Mode in Internet Explorer, require a 64-bit Windows.

Other security features, e.g. ASLR (Address Space Layout Randomization), which makes the exploitation of buffer overflows and other memory-corruption bugs much harder, work far more effectively in a 64-bit environment, because the much larger address space leaves more room for randomization.

Please check in advance whether your applications are 64-bit ready. Most 32-bit applications work without problems on 64-bit Windows; 16-bit applications and 32-bit device drivers do not run at all.

The 64-bit Windows versions are normally available at no extra cost with a new computer. Please ask your reseller.

  • Select the professional versions of Windows if you have the choice

Microsoft’s drive encryption feature BitLocker is included in the Pro editions of Windows 8 and 8.1; on Windows Vista and 7 it is only part of the Ultimate and Enterprise editions. If BitLocker is activated with a PIN or passphrase protector, you have to enter that PIN or passphrase at boot time to unlock the drive (with the TPM alone, the drive unlocks without any user interaction). In the event of theft or loss a third party cannot access the information on the drive, because he does not know the secret needed to unlock it. BitLocker can be used to protect other storage devices as well.

The additional cost of the Pro edition is approx. 40 US$ if you buy a new computer.

With 64-bit Windows Pro the gain in security is high at moderate additional cost. I would recommend this choice even for home users.
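The PIN-at-boot setup described above, which is also the answer to the stolen-desktop scenario of the BitLocker post of 13 January, as an added PowerShell example that is not from either post: it sets the local BitLocker policy to require TPM plus PIN, adds a recovery password, enables BitLocker on C: and checks the result. It needs Windows 8/8.1 Pro or later with a TPM and an elevated prompt; the recovery key directory E:\ is a placeholder for a removable drive. On a domain member the same policy belongs in a GPO and the recovery password in Active Directory.

```powershell
# Added example, not from the original posts. Run elevated on Windows 8/8.1 Pro or later.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-TpmPinPolicy {
    # Registry form of the GPO "Require additional authentication at startup":
    # UseAdvancedStartup=1 turns the policy on, UseTPMPIN=2 requires TPM+PIN, and the
    # remaining values (0 = do not allow) rule out TPM-only, startup-key and no-TPM setups.
    if (-not (Test-Path $fvePolicy)) { New-Item -Path $fvePolicy -Force | Out-Null }
    $settings = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; UseTPM = 0;
                   UseTPMPIN = 2; UseTPMKey = 0; UseTPMKeyPIN = 0 }
    foreach ($s in $settings.GetEnumerator()) {
        New-ItemProperty -Path $fvePolicy -Name $s.Key -Value $s.Value -PropertyType DWord -Force | Out-Null
    }
}

function Enable-OsDriveBitLocker([string]$RecoveryKeyDir) {
    if (-not (Get-Tpm).TpmReady) { throw 'TPM not ready: initialise it with tpm.msc first.' }
    $pin = Read-Host -Prompt 'Pre-boot PIN' -AsSecureString
    # Recovery password first, so there is a way back in before anything is encrypted.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $pin -SkipHardwareTest | Out-Null
    # Store the recovery password off the machine; a copy on C: would defeat the purpose.
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $rp.RecoveryPassword | Out-File -FilePath (Join-Path $RecoveryKeyDir "bitlocker-$env:COMPUTERNAME.txt")
    return $vol
}

function Test-OsDriveBitLocker {
    # $true only when protection is on and the drive needs TPM+PIN (not the TPM alone)
    # plus a recovery password; a TPM-only protector unlocks the drive silently at boot.
    $vol   = Get-BitLockerVolume -MountPoint 'C:'
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    ($vol.ProtectionStatus -eq 'On') -and ($types -contains 'TpmPin') -and ($types -contains 'RecoveryPassword')
}

Set-TpmPinPolicy
Enable-OsDriveBitLocker -RecoveryKeyDir 'E:\'   # placeholder: a removable drive
Test-OsDriveBitLocker                            # expected: True once encryption has completed
```

The policy step matters: without “Require additional authentication at startup” the TPM+PIN protector is refused, and a policy that merely allows the PIN lets the next administrator fall back to TPM-only.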

That’s it for today. Have a nice Weekend.

Still looking for a good New Year’s Resolution?

8 January 2015

In the past weeks I have read a lot about Pass-the-Hash (PtH) attacks, the Zeus botnet and other frightening attack vectors.

PtH attacks, for example, require access to specially protected process memory, files and registry settings. Standard users have very limited or no access to these system objects. If an attacker hijacks your computer he inherits all your privileges: in the best case administrative privileges for your computer only, but in the worst case administrative privileges for the whole network.

I think a good New Year’s resolution would be to do everyday work with a standard user account, and to use accounts with administrative privileges only when required.

If you manage a company network, please avoid logging on to member servers and workstations with a domain administrator account. Windows keeps the credentials of every interactive logon, including the NT hash, in the memory of the LSASS process for as long as the session lasts (and on domain members a cached logon verifier in the registry as well). They are not written to the computer’s SAM (Security Accounts Manager), which holds only local accounts, but a malicious user with local admin rights on that machine can extract and reuse them …

You will not gain 100% safety, but you will be a lot safer than if you don’t take basic security precautions.

That’s it for today. The only thing left for me to say is …

Happy New Year!