Category Archives: microsoft

Kudelski Security enables Microsoft clients to simplify their security and compliance strategy

Kudelski Security, the cybersecurity division within the Kudelski Group, announced the launch of its dedicated Microsoft Security services, enabling clients to effectively consume and configure Microsoft security capabilities and add additional monitoring to their Microsoft 365 and Azure environments. This represents the latest expansion of a rapidly growing, cloud-first cybersecurity portfolio that supports digital transformation initiatives of global enterprises using private and public cloud services. In addition to providing a dedicated Microsoft focus, Kudelski Security … More

The post Kudelski Security enables Microsoft clients to simplify their security and compliance strategy appeared first on Help Net Security.

Cyber Security Roundup for June 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of its customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed.


Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to 2015, when TalkTalk CEO Dido Harding described an attack on her company as a "significant and sustained cyber-attack". In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked whether the affected customer data was encrypted or not, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK government's Test and Trace programme, which no doubt will ring privacy alarm bells with some.

Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said: "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry. Some security commentators have called the ICO a "Toothless Tiger" in regard to its supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can bring a class-action lawsuit. So it is no real surprise that law firm PGMBM has announced it has issued a class-action claim in the High Court in London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.

The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 contributors across 81 countries.
  • 86% of data breaches were for financial gain, up from 71% in 2019.
  • 43% of breaches involved web applications (including cloud-based ones); these attacks have doubled, reflecting the growth in the use of cloud services.
  • 67% of data breaches resulted from credential theft, human error or social attacks.
  • Clearly identified breach pathways enable a "Defender Advantage" in the fight against cyber-crime.
  • Ongoing patching is working: fewer than 1 in 20 breaches exploited vulnerabilities.
The vast majority of breaches continue to be caused by external actors:
  • 70% were external, with organised crime accounting for 55% of these.
  • Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67%), specifically:
    • 37% of breaches used stolen or weak credentials,
    • 25% involved phishing,
    • human error accounted for 22%.
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, with stolen credentials used in over 80% of these cases. Ransomware saw a slight increase, appearing in 27% of malware incidents compared to 24% in the 2019 DBIR, and 18% of organisations reported blocking at least one piece of ransomware last year.

REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm Grubman Shire Meiselas & Sacks. Some 756 gigabytes of personal data, emails and contract details were taken, relating to clients including Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.

Pitney Bowes was hit with ransomware for the second time in 7 months. Pitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential data if Pitney Bowes does not pay up.

Amazon's UK website was defaced with racist abuse, which appeared on multiple product listings. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter. Amazon said: "We investigated, removed the images in question and took action against the bad actor".

LogMeOnce, a password identity management suite provider, has published a detailed interview with me titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about password security (obviously), threat actors, IoT security, multi-factor authentication (MFA), anti-virus, biometrics, AI, privacy, and a bit on how I got into a career in cybersecurity.


    Tripwire Patch Priority Index for May 2020

    Tripwire’s May 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, SaltStack, and VMware. Up first on the patch priority list this month are patches for VMware vCenter Server and SaltStack Salt. The Metasploit exploit framework has recently integrated exploits for VMware vCenter Server (CVE-2020-3952) and SaltStack Salt (CVE-2020-11652, CVE-2020-11651). Administrators with […]… Read More

    The post Tripwire Patch Priority Index for May 2020 appeared first on The State of Security.

    Microsoft and Alibaba Cloud join Crossplane project implementing the Open Application Model

    Upbound, the company behind open source projects Rook and Crossplane, announced Alibaba Cloud and Microsoft have joined the Crossplane project. Announcements were made from the inaugural Crossplane Community Day, attended by community members from across the ecosystem. “We launched Crossplane over a year ago to bring the same control plane-centric approach pioneered by cloud providers like AWS, Microsoft Azure, and Google Cloud to the enterprise and open source community,” said Bassam Tabbara, Founder and CEO … More

    The post Microsoft and Alibaba Cloud join Crossplane project implementing the Open Application Model appeared first on Help Net Security.

    Surface Laptop 3 15-inch (AMD) review: good, but not outstanding

    Nestled within Microsoft’s family of convertible tablet PCs, the Surface Laptop 3 continues to offer a grounded, traditional laptop experience. The new 15-inch display provides a more comfortable viewing experience, and still features Microsoft’s superb build quality, fantastic keyboard, and an excellent display. But as sleek as it may be, the Surface Laptop 3’s conservative feature set is eclipsed by flashy designs from other manufacturers, and its high asking price means its competition is fierce and plentiful. Moreover, its lacklustre battery life (on the AMD models) and skimpy starting storage need improving.
    Pros

    • Solid build quality
    • Decent performance
    • Excellent thermal management
    • One of the best laptop keyboards money can buy
    • Factory-calibrated display
    • Magnetic charging port
    Cons

    • No front-facing speakers
    • Anemic 128GB starting storage
    • Wonky auto screen brightness adjustment
    • AMD models have subpar battery life
    • Performance discrepancy between Intel and AMD models

    Surface Laptop 3 15-inch specifications (available range / review unit)

    Processor: up to AMD Ryzen 7 3780U (consumer) or Intel Core i7-1065G7 (business) / AMD Ryzen 5 3580U
    Graphics: AMD Radeon Vega 9 or Intel Iris Plus / AMD Radeon Vega 9
    RAM: up to 32GB DDR4 / 8GB DDR4
    Storage: up to 1TB NVMe SSD / 128GB NVMe SSD
    Display: 15-inch, 3:2, 2,496 x 1,664 touchscreen with Surface Pen support
    Battery: not specified
    Ports: 1x USB-C, 1x USB-A, 1x Surface Connect port, 1x 3.5mm audio jack
    Weight: 3.4lbs (1.54kg)
    Price: starting at CA$1,599 / CA$1,599

    Introduction

    The Surface Laptop returns for its third iteration. This time around, Microsoft has added a bigger display, removed the fabric cover from the wrist rest, and sourced processors from both Intel and AMD.

    The AMD processors in the Surface Laptop 3 are specifically optimized for these devices. With that said, having more options means more confusion for the buyer, a confusion we should address before we dig into the review.

    Microsoft only uses AMD processors, the Ryzen 5 3580U and the Ryzen 7 3780U, for its consumer Surface Laptop 3 15-inch models. The consumer 13-inch variant, as well as the business 13-inch and 15-inch models, all use Intel’s 10th-gen Ice Lake mobile processors.

    For its 13-inch and business customers, Microsoft exclusively uses the Intel Core i5-1035G7 or Core i7-1065G7 processors. Intel variants cost CA$170 more than AMD models at the same RAM and storage capacities. Microsoft doesn’t offer the Intel-based Surface Laptop 3 15-inch on its consumer product page; it can be purchased through its business website.

    Our review model features the AMD Ryzen 5 3580U processor, 8GB of RAM, and 128GB of storage.

    Design


    The only glossy component on the Surface Laptop 3’s metal body is its Microsoft logo. Weighing in at 3.4lbs, the Surface Laptop 3 won’t break your back, although you may want to opt for the 13-inch model if portability is a key concern.

    From the lid to the base, the Surface Laptop 3 features sharply chiselled lines for a stoic look.

    Coming with a single USB-A and a USB-C port, you’ll need to buy adapters or the Surface Dock if you have multiple devices or need to connect to Ethernet.

    Only a charging connector sits on the right edge. The connector latches onto the device magnetically, so it won’t yank your laptop off the table if someone trips over the cable. This is also where the Surface Dock connects.

    A large keyboard and glass trackpad populate the interior. Although the Surface Laptop 3 omits a number pad, this allows the keyboard to sit in the centre, orienting the typist directly in front of the screen. Microsoft now offers Surface Laptop 3s without the Alcantara fabric and instead exposes the raw metal of the palm rest. It’s a shame that even with ample room on the sides, Microsoft has not installed upward-facing speakers.

    Display

    The Surface Laptop 3 15-inch sports a 15-inch IPS 2,496 x 1,664 touchscreen. Its 3:2 aspect ratio affords more vertical space for viewing pages and documents.

    With a Spyder 5 Pro colorimeter, I measured the display to cover 98 per cent of the sRGB colour gamut, enough for editing pictures for the web. Although it doesn’t support HDR, it did reach an impressive peak brightness of 398nits, bright enough to fend off glare against bright overhead lights. In addition, all Surface displays are factory-calibrated for supreme colour accuracy.

    While the screen is eye-candy, the neurotic ambient light sensor got on my nerves. Under a consistent office room lighting condition, the display brightness would randomly ramp up and down. I’m sure this can be addressed through a software update, but the fix doesn’t seem to be present in the latest version of Windows 10 Home (as of May 26, 2020).

    Like all Surface devices, the Surface Laptop 3 15-inch supports the Surface Pen. Because the display doesn’t fold 360 degrees, the pen is more suited to quick annotations than to sketching.

    Performance

    As mentioned, Microsoft decided to source both AMD and Intel processors for the Surface Laptop 3. The 15-inch model features either a 4-core / 8-thread Ryzen 5 3580U or Ryzen 7 3780U "Surface Edition" processor; the name comes from Microsoft’s partnership with AMD to optimize these chips specifically for the Surface Laptop.

    Both the Ryzen 5 and Ryzen 7 processors use integrated graphics based on AMD’s Vega architecture.

    AMD hasn’t had a significant presence in mobile platforms for years. Frankly, I don’t remember ever seeing an AMD processor in a flagship laptop before 2018. AMD’s return was made possible by a cohort of factors, including Intel’s processor supply constraint and the increasingly competitive performance of AMD’s Ryzen processors.

    Cinebench R20

    Maxon’s Cinebench benchmark measures a processor’s performance using the Cinema4D’s rendering engine. The test measures single and multi-threaded performance.

    Our model with the Ryzen 5 3580U processor produced 1231 points in multi-core performance and 369 in single-core performance. It trails behind the Intel Core i7-1065G7 in the LG gram 17, but its real competitor is the Intel Core i5-1035G7. Unfortunately, we were unable to obtain a laptop using that processor for benchmarking.

    UL PCMark 10

    PCMark 10 tests a system’s overall performance, not just the processor. Its benchmark suite simulates real-world workloads in spreadsheets, word processing, web browsing, video playback, and content creation.


    A score of 3848 once again lags behind the LG gram 17 and its Intel Core i7-1065G7 in the Essentials (8820) and Productivity (6869) suites. Interestingly, the Surface Laptop 3 was able to best the LG gram 17 in Digital Content Creation (3285), thanks in part to its beefy integrated Vega graphics.

    Geekbench 4

    Geekbench puts the processor through a mix of workload intensities and spits out a score based on the combined total. These include basic arithmetic, image compression, and web processing. It’s a quick and easy benchmark for measuring a processor’s burst performance.

    The Ryzen processor was demolished by the Intel Core i7-1065G7, which scored 5663 and 14985 in single- and multi-core performance respectively.

    Storage

    CrystalDiskMark paints a snapshot of the disk drive’s performance at varying queue depths and thread counts. The most important metrics for a consumer mobile device are sequential and random access speeds at low queue depth and low thread count.

    It sucks that a laptop in 2020 still starts with just 128GB of storage. Nevertheless, the Surface Laptop 3’s SSD is not slow by any means, scoring nearly 2GB/s and 31MB/s in sequential and random reads respectively.

    Experience

    Synthetic benchmarks are great at slotting a device into a hierarchy, but everyday experience is where it counts.

    Despite what the benchmarks show, even the lowest-end Surface Laptop 3 is blazing fast in everyday productivity.  It easily handled writing, emails, and general multitasking in applications like Google Chrome, PDFs, Outlook, and various business communication tools like Zoom and Cisco Webex Teams. It also competently handled light editing of RAW image files in Adobe Lightroom. Applying spot removal, cropping, and applying distortion transformation were all very speedy.

    Battery life

    This is where the Ryzen mobile processor falls short. My AMD-equipped model struggled to reach a full day of productivity, often hitting power-saving mode at around the 7-hour mark. My day-to-day apps include browser-based applications like the Google suite, watching web conferences, attending remote meetings, and manipulating images.

    Keyboard and trackpad

    Microsoft’s excellent keyboard returns on the Surface Laptop 3. The large keycaps have a grippy, powder-like finish that prevents fingerprints from accumulating too quickly. Key actuation is soft, quiet, yet very tactile. I had no problem transitioning from my mechanical keyboard to working on the Surface Laptop 3 all day. The keys are backlit with white backlights, making key searching in the dark a thing of the past.

    The glass trackpad is spacious and exceptionally smooth as well. Microsoft has seriously improved its trackpad’s accuracy and reliability over the years. The large slab of glass has a velvety-smooth finish that resembles marble.

    Compared to the Surface Pro convertible tablet PCs, I much prefer the Surface Laptop 3’s keyboard due to its solid base. Its rigidity and weight eliminate keyboard wobble, and it is easier to rest on my lap.

    Thermal, noise and throttling

    Long story short, the Surface Laptop demonstrated excellent thermal management, surely due to a robust cooler and processor optimization efforts.

    In AIDA64 Extreme’s CPU stress test with the FPU and cache options enabled, the Surface Laptop 3 barely broke 45°C after 15 minutes. The temperature was so low that I had initially thought a faulty temperature probe was misreporting the results. My infrared thermometer showed that the bottom of the laptop reached around 40°C, confirming that the internal temperature readings weren’t far off.

    As robust as the cooling solution is, it couldn’t totally channel heat away from the keyboard. The top left quadrant of the keyboard was uncomfortably hot when the laptop was under sustained load during a major Windows update, and was also bothersome when I edited photos in Adobe Lightroom.

    Low temperatures mean more than just less throttling. They also keep the laptop from turning your legs into a roast, and heat shortens the battery’s lifespan.

    Despite its tepid load temperatures, the processor’s clock speed still had to throttle from the advertised 3.7GHz boost frequency. At 45°C, the Ryzen 5 3580U bounced between 3GHz and 3.4GHz on all cores.

    When running day-to-day workloads like web browsing, video streaming, and word processing, the fans are completely inaudible. It’s only during heavy sustained workloads such as batch exports in Lightroom that it starts to whine. Even then, it’s far from annoying.

    Conclusion

    There’s much to love about the Surface Laptop 3. From the premium aluminum build to the brilliant keyboard and picture-perfect display, the Surface Laptop 3 15 has all the marks of a brilliant business device. The USB-C and USB-A ports are enough to juggle multiple devices without a hub most of the time, although an extra USB-C port on the 15-inch model wouldn’t hurt.

    Most of the Surface Laptop 3’s flaws–like the annoying screen brightness issue–can be addressed through software updates. With that said, its base storage needs to be upgraded from 128GB to 256GB. Also, its battery life may struggle to last a single day. This seems like a problem specific to AMD models; other reviews indicate that Intel variants sport a much longer battery life.

    Performance-wise, AMD’s new chips proved capable of keeping pace with Intel’s i7 mobile processors. It’s regrettable that we weren’t able to test Intel-based models with similar configurations.

    It will be interesting to see if Microsoft will continue to source processors from AMD for its next Surface Laptop refresh. At the time of writing, AMD’s new Ryzen 4000 series mobile processors are showing promising performance and efficiency improvements, earning their position in a variety of business designs like the HP ProBook.

    Appdome joins Microsoft Intelligent Security Association to better defend against increasing threats

    Appdome, a no-code mobile integration and solutions platform, announced that it has joined the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors that have integrated their solutions to better defend against a world of increasing threats. Appdome’s mission has always been to make integrating security and enhanced functionality into mobile apps fast and efficient with its no-code platform. Joining MISA is a natural extension of that mission. Appdome makes it easy to … More

    The post Appdome joins Microsoft Intelligent Security Association to better defend against increasing threats appeared first on Help Net Security.

    Microsoft Reunion makes Windows devwork a little easier

    At the Build 2020 conference, Microsoft announced Project Reunion, rolling its Windows desktop API and the Universal Windows Platform (UWP) into a single package.

    In its developer blog post, Microsoft defined four focus areas for app development in the coming years:

    • Unify app development across the billion Windows 10 devices for all current and future apps;
    • Leaning into the cloud and enabling new scenarios for Windows apps;
    • Creating new opportunities for developers to build connected apps using Microsoft 365 integration in the Windows experience; and
    • Making Windows great for developer productivity.

    Project Reunion plays into the first point. It combines desktop app libraries and UWP libraries, giving them the ability to communicate with and control elements within each other. This unification lets developers more easily create apps with better interoperability across device types, and it lets them add new functions to existing applications.

    Microsoft introduced the Universal Windows Platform (UWP) with Windows 10 in 2015 to attract developers to the then-barren Windows Store. The main goal was a common app platform on every device running Windows 10, achieved through a common UWP core API that is identical across Windows 10 device families: desktop, Xbox, IoT, and so on. Microsoft also offered "bridges" intended to bring apps built for other platforms, including iOS and Android, onto UWP.

    Win32, on the other hand, is a Windows API that exposes Windows components –Windows shell, user interface, network services and so forth–to the developer. Nearly all Windows desktop applications use Win32 to some extent.

    In recent years, Microsoft has been working to make UWP components usable from apps and platforms that previously couldn’t consume them. That effort eventually led to Project Reunion, which melds the two together into a decoupled API that can be acquired through package managers like NuGet.

    Windows 10 users get protection against PUAs

    Windows 10 users who upgrade to v2004 will finally be able to switch on a longstanding Windows Defender feature that protects users against potentially unwanted applications (PUAs). What are PUAs? Also called PUPs (potentially unwanted programs), PUAs are applications that often cannot be outright classified as malware, but still violate users’ security and privacy interests. Some examples of PUAs: Adware and ad-injectors (software that pushes ads onto users without their permission) Software that tracks how … More
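The toggle the item refers to sits in the Windows Security app under App & browser control > Reputation-based protection, but on a managed fleet the same setting is driven from PowerShell or policy. The following is an added example, not code from the Help Net Security item or from Microsoft: it reads the current Microsoft Defender Antivirus PUA setting, moves it from the weak state (disabled) through audit mode to blocking, verifies that the change actually took, and lists anything Defender has already classified as PUA on the host. It assumes an elevated PowerShell session on Windows 10 2004 or later with the built-in Defender module; the `PUA:Win32/<family>` name in the comments is an illustrative placeholder, not a real detection.

```powershell
# Added example (not from the Help Net Security item or Microsoft's docs): audit and enable
# Microsoft Defender Antivirus PUA protection, verify it, and list past PUA detections.
# Assumes an elevated PowerShell session on Windows 10 2004 or later with the built-in
# Defender module (Get-MpPreference / Set-MpPreference / Get-MpThreat).

# PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (detect and log, do not block)
$before = (Get-MpPreference).PUAProtection
"PUAProtection before: $before"

# Weak state: Disabled (0). Go to audit mode first on a pilot group so line-of-business tools
# that trip the PUA heuristics show up as detections without users being blocked.
Set-MpPreference -PUAProtection AuditMode

# Hardened state once the audit period shows no false positives: block PUAs outright.
Set-MpPreference -PUAProtection Enabled

# Verify the value actually changed. Group Policy or MDM can override a local Set-MpPreference,
# so never assume the call took effect.
$after = (Get-MpPreference).PUAProtection
if ($after -ne 1) {
    throw "PUA protection is not in blocking mode (PUAProtection = $after); check policy precedence."
}

# Defender names these detections with a 'PUA:' prefix (for example PUA:Win32/<family>, a
# constructed placeholder here). List what has already been classified as PUA on this host.
Get-MpThreat |
    Where-Object { $_.ThreatName -like 'PUA:*' } |
    Select-Object ThreatName, SeverityID, IsActive |
    Format-Table -AutoSize
```

The audit-then-block sequence matters in practice: PUA signatures cover bundlers, ad-injectors and some remote-admin tools, and a help desk that ships one of those will see it blocked on every endpoint the moment blocking mode goes live. Run audit mode long enough to see a normal week of activity, add exclusions for anything legitimate, then switch to `Enabled`.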

    The post Windows 10 users get protection against PUAs appeared first on Help Net Security.

    Smashing Security #178: Office pranks, meat dresses, and robocop dogs

    Graham shares stories of email storms, Carole describes the steps being taken by firms as they try to coax employees back to the office, and special guest Lisa Forte details a hack that has impacted Lady Gaga and other celebrities.

    All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veterans Graham Cluley and Carole Theriault.

    Patch Tuesday: Microsoft Fixes 111 Vulnerabilities. Some Allow Remote Code Execution and Admin Rights Abuse

    The May 2020 Patch Tuesday security updates have been released, with 111 patched vulnerabilities across 12 different Microsoft products, such as Windows, Edge, Visual Studio, and the .NET Framework. The tech giant issued 115 patches in March and 113 in April this year, and the May 2020 edition turned out to be the third-largest Patch Tuesday ever seen. This month’s batch did not contain any zero-days.

    As always, Heimdal Security advises you to apply these patches at your earliest convenience. None of the bugs has been reported as actively exploited or publicly disclosed so far. Still, if you’re running Windows on your endpoints, it’s high time to get these security flaws patched.

    Read on to learn more about the May 2020 Patch Tuesday.

    May 2020’s batch of Microsoft patches, the third-biggest ever released

    May is the third month in a row in which Microsoft rolled out patches for more than 110 security vulnerabilities in its operating system and associated software. Luckily, there don’t seem to be any zero-day vulnerabilities in the mix. However, there are certain bugs in Windows that need to be kept in mind and addressed.

    At least 16 of the vulnerabilities are rated “Critical,” indicating they could be abused by cybercriminals to install malware or gain remote control of compromised systems with little to no user interaction.
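Before treating a host as patched, it is worth asking Windows Update itself what it still considers outstanding. The script below is an added example, not part of the Heimdal post: it uses the Windows Update Agent COM API (`Microsoft.Update.Session`), which ships with every supported Windows release, to list software updates the configured update source still reports as missing, flag any rated Critical, and show the most recent install results so that a Patch Tuesday rollout is verified per endpoint rather than assumed. It assumes an elevated session and that the host can reach its update source (Windows Update or WSUS); the `Search()` call can take a minute or two.

```powershell
# Added example (not from the Heimdal post): ask the Windows Update Agent which updates the
# configured update source still considers missing on this host, and show recent install
# results, so a Patch Tuesday rollout is verified per endpoint rather than assumed.
# Assumes an elevated session and that the host can reach Windows Update/WSUS; the Search()
# call can take a minute or two.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Software updates applicable to this machine but not installed (drivers and hidden updates excluded).
$result  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity      # 'Critical', 'Important', ...; empty for non-security updates
        Title    = $u.Title
    }
}

if (-not $missing) {
    "No outstanding software updates reported by the update source."
} else {
    $missing | Sort-Object Severity, KB | Format-Table -AutoSize
}

# Treat any outstanding Critical update as a compliance failure and surface it as a warning.
$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) Critical update(s) still missing; host is not patched to this month's baseline."
}

# Install history: confirm the cumulative update actually applied. Operation 1 = Installation;
# ResultCode 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed.
$total = $searcher.GetTotalHistoryCount()
if ($total -gt 0) {
    $searcher.QueryHistory(0, [Math]::Min($total, 20)) |
        Where-Object { $_.Operation -eq 1 } |
        Select-Object Date,
                      @{ n = 'Result'; e = { switch ($_.ResultCode) { 2 {'Succeeded'} 3 {'SucceededWithErrors'} 4 {'Failed'} default {"Code $_"} } } },
                      Title |
        Format-Table -AutoSize
}
```

One caveat for WSUS-managed hosts: `Search()` returns what the WSUS server has approved for that machine, not everything Microsoft has published, so an empty result can mean "nothing approved yet" rather than "fully patched". Cross-check the approval state on the server, or compare the latest installed cumulative update in the history output against the month's release notes.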

    Significant vulnerabilities to be noted

    Below we’ve listed a few instances you should consider.

    This month, Microsoft fixed three critical Microsoft Edge vulnerabilities that could allow remote code execution if users are tricked into visiting a specially crafted website. Code executed this way runs with the rights of the logged-on user, so if that user is a local administrator the attacker gains full administrative control of the device. A bug in the Color Management Module (ICM32.dll) likewise allows code execution once a user has been lured to a malicious website. There is also a remote code execution vulnerability in Windows itself.

    • CVE-2020-1056 | Microsoft Edge Elevation of Privilege Vulnerability

    In this case, the elevation of privilege arises because Microsoft Edge does not fully enforce cross-domain policies, which could allow an attacker to access and inject information from one domain into another.

    Attackers would have to host a website used to exploit the vulnerability. They have no way to force users to visit it; they would have to trick people into clicking a link that takes the victim to the attackers’ website.

    An intruder who abuses this flaw successfully can escalate privileges in affected versions of Microsoft Edge. This security update addresses the vulnerability by making sure Microsoft Edge enforces cross-domain policies correctly.

    A separate Edge fix in the same batch addresses a spoofing issue: should attackers convince users to follow a malicious link, the attackers’ website “could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services”. That patch changes how Microsoft Edge parses HTTP responses.

    • CVE-2020-1096 | Microsoft Edge PDF Remote Code Execution Vulnerability

    CVE-2020-1096 concerns the way Microsoft Edge handles objects in memory when rendering PDF content. The flaw can corrupt memory, enabling an attacker to execute arbitrary code on the machine.

    Once successfully exploited, the bug gives the attacker the same user rights as the victim. If the current user is logged on with full admin rights, the attacker could take complete control of the affected endpoint.

    The attack could be triggered by tricking users into visiting an attacker-controlled website that hosts malicious PDF content.

    • CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability

    This bug stems from the way the Color Management Module (ICM32.dll) handles objects in memory. The impact is greatest where users run with full admin rights, since the vulnerability would then let an attacker take complete control of the system, allowing them to “install programs; view, change, or delete data; or create new accounts with full user rights”.

    As with the other attack scenarios above, users would have to be lured to an attacker-controlled website or persuaded to open a malicious email attachment.

    A further Windows update in this batch corrects the improper way in which Windows handles objects in memory. An attacker who exploited that flaw would be able to run arbitrary code with elevated rights on the targeted machine: an attacker holding a domain user account could craft a specially designed request that leads Windows to run arbitrary code with elevated permissions.

    Did you know that 100% of vulnerabilities in Microsoft browsers and 93% in Windows OS can be mitigated by removing local admin rights?

    Our unique privileged access management (PAM) tool, Thor AdminPrivilege™, allows you to efficiently manage admin rights inside your organization. It is the only solution that enables you to both escalate and de-escalate user privileges and the only tool that automatically de-escalates user rights on infected endpoints (when used in tandem with the Enterprise version of Thor Foresight, Thor Vigilance or Thor Premium).


    Bottom Line

    We would also like to remind you that many of the bugs patched in this month’s Microsoft batch affect Windows 7, which no longer receives security updates unless your company has signed up for Microsoft’s paid Windows 7 Extended Security Updates (ESU) programme. If you are still running Windows 7 on any of your devices, Heimdal Security advises you to upgrade to Windows 10.

    All of our Thor Foresight Enterprise and X-Ploit Resilience customers are provisioned with the latest Microsoft patches (both Windows and 3rd party) in a timely manner. Sign up for a free demo to learn how automated patch management can add a powerful layer of defense to your organization.


    The post Patch Tuesday: Microsoft Fixes 111 Vulnerabilities. Some Allow Remote Code Execution and Admin Rights Abuse appeared first on Heimdal Security Blog.

    Cyber Security Roundup for May 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

    As widely reported, UK foreign exchange firm Travelex's business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that the REvil group were behind the attack and had stolen 5Gb of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands, in my opinion.

    Cognizant, a large US digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware. Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack not only encrypts the victim's files but steals sensitive data from the IT systems as well. This enables the bad guys to threaten to publish the stolen data unless the organisation coughs up to their cyber-extortion demands, so the bad guys are very much rinsing and repeating lucrative attacks.

    Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads. The blog covers ransomware payloads said to be straining security operations, especially in health care, and Microsoft urged security teams to look for the signs of credential theft and lateral movement activity that herald attacks.

    Researchers continue to be busy in exposing large sensitive datasets within misconfigured cloud services.  In April researchers reported 14 million Ring user details exposed in misconfigured AWS open database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

    Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant said that from April its users' accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion occurred, saying it “seems to have been made by impersonating login to Nintendo Network ID”. “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response to these issues the company has abolished users’ ability to log into their Nintendo account via NNID, passwords for both NNID and Nintendo accounts are being reset, and the company is recommending multi-factor authentication be set up for each account. The account breaches weren't the only cyber issue affecting Nintendo in April: it was reported that a bot, dubbed 'Bird Bot', was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot benefits the reseller at the expense of consumers: by buying up all available Switches directly from Nintendo, they are able to sell them on for higher prices, making a quick and tidy profit, due to the current high demand for Switches and lack of supply.

    April was a busy month for security updates: Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday was a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in Illustrator and Bridge at the end of the month. Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!

    Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.

    There were critical security patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches were released, including one for a CVSS 10 (highest possible) vulnerability in vCenter, a critical one in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep up with patching their vulnerabilities.

    Stay safe, stay home and watch for the scams.


      Cyber Security Roundup for April 2020

      A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2020.

      The UK went into lockdown in March due to the coronavirus pandemic; these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation: both UK citizens and businesses have been hit with a wave of COVID-19 themed phishing emails, and scam social media and text messages (smishing), which prompted warnings by the UK National Cyber Security Centre and UK banks, and a crackdown by the UK Government.
      Convincing COVID-19 Scam Text Message (Smishing)

      I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not what it appears to be. My guess is the link is not part of the gov.uk domain, but that the attacker has used an internationalised domain name homograph attack, namely using foreign font characters to disguise the true address of the malicious website that is linked.
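      A triage check for the kind of look-alike link described above, written here as an added example (it is not the blog author's code, and the two sample links are constructed for the demonstration): it pulls the hostname out of a URL, reports which Unicode scripts its letters come from, and shows the Punycode (`xn--`) form that a browser or mail gateway would actually resolve. A host that mixes scripts, or whose Punycode form differs from what is displayed, deserves a second look before anyone clicks.

```python
import unicodedata
from urllib.parse import urlsplit


def script_of(char):
    """Coarse script name for one character, taken from the first word of its
    Unicode character name ('LATIN', 'CYRILLIC', 'GREEK', ...).  Digits, dots
    and hyphens are reported as 'COMMON' so they never count as a script."""
    if not char.isalpha():
        return "COMMON"
    return unicodedata.name(char, "UNKNOWN").split()[0]


def analyse_host(url):
    """Return homograph indicators for the hostname of a link.

    is_idn       - the host is not pure ASCII, so the resolved name is the
                   Punycode form, not the text the user sees
    mixed_script - letters from more than one script share the hostname,
                   the classic sign of a substituted look-alike character
    punycode     - the ASCII form after IDNA processing (None if rejected)
    """
    host = urlsplit(url).hostname or ""
    scripts = {script_of(c) for c in host} - {"COMMON"}
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # label rejected by IDNA processing
    return {
        "host": host,
        "punycode": punycode,
        "scripts": sorted(scripts),
        "is_idn": punycode is not None and punycode != host,
        "mixed_script": len(scripts) > 1,
        "suspicious": len(scripts) > 1 or punycode is None,
    }


# Constructed sample links: a genuine gov.uk path and a look-alike in which the
# Latin 'o' in 'gov' has been replaced by Cyrillic 'о' (U+043E).
SAMPLE_LINKS = [
    "https://www.gov.uk/coronavirus",
    "https://www.g\u043ev.uk/coronavirus",
]


def triage(links):
    """Map each link to its indicators, for a quick review of a batch of URLs."""
    return {link: analyse_host(link) for link in links}


if __name__ == "__main__":
    for link, info in triage(SAMPLE_LINKS).items():
        print(link, "->", info["punycode"], info["scripts"], "suspicious" if info["suspicious"] else "ok")
```

      Two caveats: Python's built-in `idna` codec implements the older IDNA2003 rules, so a production gateway should use the same IDNA library as the client it protects, and a host written entirely in one non-Latin script (a whole-script confusable) passes the mixed-script test and is only caught by the `is_idn` flag; telling it apart from a legitimate non-Latin domain needs a confusables table such as the one in Unicode TS #39, which this example does not include.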

      I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps, a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams.  It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

      March threat intelligence reports shone a light on the scale of the cybercriminal shift towards exploiting the COVID-19 crisis for financial gain. Check Point's Global Threat Index reported a spike in the registration of coronavirus themed domain names, stating more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports more than 80% of the threat landscape is using coronavirus themes in some way. There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anti-virus solution.

      Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media were found to have left a database open, which held thousands of customer records exposed, and T-Mobile's email vendor was hacked, resulting in the breach of their customers' and employees' personal data.

      International hotel chain Marriott reported 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriott's online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 that Marriott disclosed a breach of 383 million guests. Tony Pepper, CEO at Egress, said “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO.”

      Five billion records were found to be exposed by UK security company Elasticsearch. Researchers also found an Amazon Web Services open MongoDB database of eight million European Union citizen retail sales records was left exposed, which included personal and financial information. And Let’s Encrypt revoked over 3 million TLS certificates due to a bug in its certificate rechecking.

      March was another busy month for security updates: Patch Tuesday saw Microsoft release fixes for 116 vulnerabilities, and there was an out-of-band Microsoft fix for the 'EternalDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle-based software giant. Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

      Stay safe, stay home and watch for the scams.


          Cyber Security Roundup for March 2020

          A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, February 2020.

          Redcar and Cleveland Borough Council became the latest UK organisation to become the victim of a mass ransomware attack, which started on 8th February. The north-east council's servers, PCs, mobile devices, websites and even phone lines have been down for three weeks at the time of writing. A Redcar and Cleveland councillor told the Guardian it would take several months to recover and the cost is expected to be between £11m and £18m to repair the damage done. A significant sum for the cash-strapped council, which confirmed their outage as ransomware caused 19 days after the attack. The strain of ransomware involved and the method of initial infiltration into the council's IT systems have yet to be confirmed.


          The English FA shut down its investigation into allegations Liverpool employees hacked into Manchester City's scouting system. The Manchester club also made news headlines after UEFA banned it from European competition for two years, a ban based on alleged stolen internal email evidence obtained by a hacker.  Read The Billion Pound Manchester City Hack for further details.

          The UK government said GRU (Russian military intelligence) was behind a massive cyber-attack which knocked out more than 2,000 websites in the country of Georgia last year, in an "attempt to undermine Georgia's sovereignty". Foreign Secretary Dominic Raab described it as "totally unacceptable".

          The United States deputy assistant secretary for cyber and communications, Robert Strayer, said he did not believe the UK government's January 2020 decision to allow Huawei limited access to the UK's 5G infrastructure was final. "Our understanding is that there might have been some initial decisions made but conversations are continuing," he told the BBC. Read The UK Government Huawei Dilemma and the Brexit Factor for more on the UK government's Huawei political, economic and security debate.

          Following Freedom of Information requests made by Viasat, it reported UK government employees had either lost or stolen 2,004 mobiles and laptops between June 2018 and June 2019.

          According to figures in the FBI's 2019 cybercrime report, cybercriminals netted £2.7bn ($3.5bn) from cyber-crimes, with phishing and extortion remaining the most common methods of scamming people. These FBI reported cybercrime losses have tripled over the past 5 years. The FBI concluded that cyber scam techniques are becoming more sophisticated, making it harder for ordinary people to tell "real from fake". A new Kaspersky report backs up the FBI, finding a 9.5% growth in financial phishing during the final quarter of 2019.

          The Labour party is facing data protection fines of up to £15m for failing to protect their members' personal data. The Information Commissioner's Office confirmed the Labour Party would be the focus of their investigation since it is legally responsible for securing members' information as the "data controller".

          This month's cloud misconfiguration breach award goes to French sports retail giant Decathlon, after 123 million customer records were found to be exposed by researchers at vpnMentor. Leaked data included employee usernames, unencrypted passwords and personally identifiable information (PII) including social security numbers, full names, addresses, mobile phone numbers, addresses and birth dates. “The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” said vpnMentor.

          If you have a 'Ring' smart camera doorbell (IoT) device then you may have noticed Two-Factor Authentication (2FA) was mandated in February. Ring's stance of enforcing a strengthening of security may be related to several recent high-profile home camera hack reports.
          Ring: An IoT device's security improved by mandated 2FA

          The facial recognition company Clearview AI advised a hacker stole its client list database. The firm works with law enforcement agencies and gained notoriety after admitting it had scraped billions of individuals' photos off the internet.


          The ONE Question NO ONE knows the Answer to at RSA Conference 2020

          Hello,

          On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"

          If that's the case, let's talk security -  I'd like to ask the entire RSA Conference just 1 simple cyber security question -

          Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?


          If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.



          Unequivocal Clarity

          If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:

              Does our organization know exactly -
          • Q 1.  Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
          • Q 2.  Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
          • Q 3.  Who can reset passwords of / disable use of Smartcards on all Domain Admin equivalent privileged accounts?
          • Q 4.  Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
          • Q 5.  Who can change or control who has what privileged access in our Active Directory?

          If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.




          This is Paramount

          If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.


          Just ask the world famous and globally trusted $10 Billion cyber security company CrowdStrike, and here's a quote from them - "A secure Active Directory environment can mitigate most attacks."




          Zero out of 1000

          There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to 5 simple questions asked above? The answer is 0.


          Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.

          That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.




          The Key

          The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.


          There's only 1 company on planet Earth that possesses this key, and it's not going to be at the RSA Conference 2020 - this one.



          Thanks,
          Sanjay.

          Cyber Security Roundup for February 2020

          A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, January 2020.

          After years of dither and delay the UK government finally nailed its colours to the mast, no not Brexit but Huawei, permitting 'limited use' of the Chinese telecoms giant's network appliances within the UK's new 5G infrastructure. Whether this is a good decision depends more on individual political persuasion than national security interest, so just like Brexit the general view on the decision is binary: either it's a clever compromise or a complete sell-out of UK national security. I personally believe the decision is more about national economics than national security, as I previously blogged in 'The UK Government Huawei Dilemma and the Brexit Factor'. The UK government is playing a delicate balancing act to safeguard potentially massive trade deals with both of the world's largest economic superpowers, China and the United States. An outright US-style ban on Huawei would seriously jeopardise billions of pounds worth of Chinese investment into the UK economy. While on the security front, Huawei's role will be restricted to protect the UK's critical national infrastructure, with Huawei's equipment banned from use within the core of the 5G infrastructure. The UK National Cyber Security Centre (NCSC) published a document which provides guidance to high risk network providers on the use of Huawei tech.
          UK Gov agrees to 'limited' Huawei involvement within UK 5G

          UK business-targeted ransomware continues to rear its ugly head in 2020, this time global foreign exchange firm Travelex's operations were all brought to a shuddering halt after a major ransomware attack took down Travelex's IT systems. Travelex services impacted included their UK business, international websites, mobile apps, and white-labelled services for the likes of Tesco, Sainsburys, Virgin Money, Barclays and RBS. The ransomware in question was named as Sodinokibi, with numerous media reports strongly suggesting the Sodinokibi ransomware infiltrated the Travelex network through unpatched vulnerable Pulse Secure VPN servers, which the National Cyber Security Centre had apparently previously detected and warned Travelex about many months earlier. There could be some truth in this, given the Sodinokibi ransomware is known to infect through remote access systems, including vulnerable Pulse Secure VPN servers. The cybercriminal group behind the attack, also known as Sodin and REvil, demanded £4.6 million in ransom payment, and had also claimed to have taken 5Gb of Travelex customer data. Travelex reported no customer data had been breached; however, its money exchange services remained offline for well over two weeks after reporting the incident, with the firm advising it expected most of its travel exchange services to be back operational by the end of January.

          The same Sodinokibi criminal group behind the Travelex attack also claimed responsibility for what was described by German automotive parts supplier Gedia Automotive Group as a 'massive cyber attack'. Gedia said it would take weeks to months before its IT systems were up and running as normal. According to analysis by US cyber security firm Bad Packets, the German firm also had an unpatched Pulse Secure VPN server on its network perimeter which left it exposed to the ransomware attack. Gedia patched their VPN server on 4th January.

          Leeds-based medical tech company Tissue Regenix halted its US manufacturing operation after an unauthorised party accessed its IT systems. To date there haven't been any details about the nature of this cyber attack, but a manufacturing shutdown is a hallmark of a mass ransomware infection. Reuters reported shares in the company dropped 22% following their cyber attack disclosure.

          London-based marine consultancy company LOC was hacked and held to ransom by cybercriminals. It was reported computers were 'locked' and 300Gb of company data was stolen by a criminal group; investigations into this hack are still ongoing.

          It seems every month I report a massive data breach due to the misconfiguration of a cloud server, but I never expected one of the leading global cloud providers, Microsoft, to be caught out by such a schoolboy error. Microsoft reported a database misconfiguration of their Elasticsearch servers exposed 250 million customer support records between 5th and 19th December 2019. Some of the non-redacted data exposed included customer email addresses; IP addresses; locations; descriptions of customer support claims and cases; Microsoft support agent emails; case numbers, resolutions and remarks; and confidential internal notes. It is not known if any unauthorised parties had accessed any of the leaked data.

          Cyber attacks against the UK defence industry hit unprecedented highs according to government documentation obtained by Sky News. Sky News revealed the MoD and its partners failed to protect military and defence data in 37 incidents in 2017 and 34 incidents in the first 10 months of 2018, with military data exposed to nation-level cyber actors on dozens of occasions.

          It was another fairly busy month for Microsoft patches, including an NSA-revealed critical flaw in Windows 10. January also saw the end of security update support for Windows 7 and Windows Server 2008, unless you pay Microsoft extra for extended support.

          According to a World Economic Forum (WEF) study, most of the world's airports' cybersecurity is not up to scratch. WEF reported 97 of the world’s 100 largest airports have vulnerable web and mobile applications, misconfigured public cloud and dark web leaks. The findings summary was:

          • 97% of the websites contain outdated web software.
          • 24% of the websites contain known and exploitable vulnerabilities.
          • 76% and 73% of the websites are not compliant with GDPR and PCI DSS, respectively.
          • 100% of the mobile apps contain at least five external software frameworks.
          • 100% of the mobile apps contain at least two vulnerabilities.
          Elsewhere in the world, it was reported a US Department of Defense contractor had its web servers (and thus its websites) taken down by the Ryuk ransomware. Houston-based steakhouse Landry's advised it was hit by a point-of-sale malware attack which stole customer payment card data. Stolen customer payment card data taken from a Pennsylvania-based convenience store and petrol station operator was found for sale online. Ahead of Super Bowl LIV, Twitter and Facebook accounts for 15 NFL teams were hacked. The hacking group OurMine took responsibility for the NFL franchise attacks, which it said was to demonstrate internet security was "still low" and had to be improved upon. Sonos apologised after accidentally revealing hundreds of customer email addresses to each other. And a ransomware attack took a US Maritime base offline for 30 hours.

          Dallas County Attorney finally applied some common sense, dropping charges against two Coalfire red teamers. The two Coalfire employees had been arrested on 11th September 2019 while conducting a physical penetration test of the Dallas County courthouse. The Perry News quoted a police report which said upon arrest the two men stated “they were contracted to break into the building for Iowa courts to check the security of the building”. After the charges were dropped at the end of January, Coalfire CEO Tom McAndrew said, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement”, adding “We’re grateful to the global security community for their support throughout this experience.”



          I’m still on Windows 7 – what should I do?

          Support for Windows 7 has ended, leaving Marcy wondering how they can protect themselves

          I do a lot of work on a Windows 7 desktop PC that is about five years old. I’m a widow and can’t afford to run out and get a new PC at this time, or pay for Windows 10. If I do stay with Windows 7, what should I worry about, and how can I protect myself? I have been running Kaspersky Total Security for several years, which has worked well so far. Marcy

          Microsoft Windows 7 – launched in 2009 – came to the end of its supported life on Tuesday. Despite Microsoft’s repeated warnings to Windows 7 users, there may still be a couple of hundred million users, many of them in businesses. What should people do next?


          Microsoft rolls out Windows 10 security fix after NSA warning

          US agency revealed flaw that could be exploited by hackers to create malicious software

          Microsoft is rolling out a security fix to Windows 10 after the US National Security Agency (NSA) warned the popular operating system contained a highly dangerous flaw that could be used by hackers. Reporting the vulnerability represents a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.

          The NSA revealed during a press conference on Tuesday that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. The flaw “makes trust vulnerable”, the NSA director of cybersecurity, Anne Neuberger, said in a briefing call to media on Tuesday.


          Skype audio graded by workers in China with ‘no security measures’

          Exclusive: former Microsoft contractor says he was emailed login after minimal vetting

          A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.

          The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor.


          Who Needs WMDs (Weapons of Mass Destruction) Today ?

          Folks,

          Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more than 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.

          In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.


          So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?


          Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.


          Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?

          Today, all you need is two WDs in the same (pl)ACE and it's Game Over.


          Puzzled? Allow me to give you a HINT:

          Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
          (A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

          Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.


          If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.


Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are a dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.


          They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.

          If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)

          Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.

          Best wishes,
          Sanjay


          PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)

          PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)
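To make the puzzle above concrete, here is an added example (written for this edit, not code from the original post or its author): the string is an SDDL DACL for a domain root object, and a small parser can decode it, list who holds each replication extended right, and pick out the ACE that does not belong. The two-letter right and trustee abbreviations and the replication right GUIDs are the standard Windows/AD ones; the parser reads only the explicit ACEs on this one object and does not expand group membership, so it answers "who is written on the ACL", not "who effectively has access".

```python
import re
from dataclasses import dataclass

# The domain-root DACL quoted in the post above, copied verbatim (spacing between ACEs dropped).
DOMAIN_ROOT_SDDL = (
    "(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)"
    "(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)"
    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(A;CI;RPWDLCLO;;;WD)"
    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)"
    "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)

# Standard SDDL two-letter codes for directory-object rights and well-known trustees.
RIGHTS = {"CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF",
          "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
          "CR": "CONTROL_ACCESS", "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE"}
TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
            "BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "EA": "Enterprise Admins",
            "SY": "NT AUTHORITY\\SYSTEM", "RU": "Pre-Windows 2000 Compatible Access"}
ADMIN_TRUSTEES = {"BA", "DA", "EA", "SY"}
# rightsGuid values of the replication control-access rights, as defined in the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"


@dataclass
class Ace:
    ace_type: str               # A / D = allow / deny; OA / OD = object-specific allow / deny
    flags: list                 # e.g. CI (container inherit), IO (inherit only)
    rights: list                # two-letter codes from RIGHTS
    object_type: str            # extended-right or attribute GUID; "" means all
    inherited_object_type: str  # object class the ACE is inherited by; "" means all
    trustee: str                # SDDL alias or SID string


def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_dacl(sddl):
    """Split an SDDL DACL into ACEs; each is (type;flags;rights;object_guid;inherit_guid;sid)."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj, inh, sid = fields
        aces.append(Ace(ace_type, _pairs(flags), _pairs(rights), obj.lower(), inh.lower(), sid))
    return aces


def holders_of_control_right(aces, guid):
    """Trustees whose explicit ACEs on this object grant the extended right `guid`.
    CR with an empty object GUID (or GA) covers every extended right; inherit-only ACEs
    do not apply to the object itself. A deny for the same trustee removes the grant."""
    allowed, denied = set(), set()
    for ace in aces:
        covers = "GA" in ace.rights or ("CR" in ace.rights and ace.object_type in ("", guid))
        if not covers or "IO" in ace.flags:
            continue
        (allowed if ace.ace_type in ("A", "OA") else denied).add(ace.trustee)
    return {TRUSTEES.get(t, t) for t in allowed - denied}


def non_admin_acl_control(aces):
    """Allow-ACEs giving a trustee outside the admin groups WRITE_DAC, WRITE_OWNER or GENERIC_ALL.
    With WRITE_DAC on the domain root a principal can grant itself Get-Changes-All, then DCSync."""
    return [ace for ace in aces
            if ace.ace_type in ("A", "OA") and ace.trustee not in ADMIN_TRUSTEES
            and {"WD", "WO", "GA"} & set(ace.rights)]


if __name__ == "__main__":
    aces = parse_dacl(DOMAIN_ROOT_SDDL)
    for guid, name in REPLICATION_RIGHTS.items():
        print(f"{name}: {sorted(holders_of_control_right(aces, guid))}")
    for ace in non_admin_acl_control(aces):
        print("ODD ONE OUT:", TRUSTEES.get(ace.trustee, ace.trustee), "gets",
              [RIGHTS.get(r, r) for r in ace.rights], "flags", ace.flags)
```

Run against the quoted descriptor, the parser reports the replication rights held only by the administrative and domain-controller trustees, and exactly one ACE outside that set carries WRITE_DAC: `(A;CI;RPWDLCLO;;;WD)`, which grants Everyone the right to rewrite the DACL of the domain root and, via CI, of every container beneath it. Nobody needs to be handed Replicating Directory Changes All when they can grant it to themselves.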

          What is Active Directory? (Cyber Security 101 for the Entire World)

          Folks,

          Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.


          Cyber Security 101

          Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure. While it's true that at its simplest it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory, to the point of sheer irresponsible cyber negligence, because "Who really cares about just a phone book?"

In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly the negligence resulting from such a simplistic view of Active Directory is likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

          Again, after all, who cares about a phone book?!




          Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -


          An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

          The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.

In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the risk of complete, swift and colossal compromise.



          Active Directory Security Must Be Organizational Cyber Security Priority #1

          Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


          Here's why - A deeper, detailed look into What is Active Directory ?


          For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)



          In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.

          Best wishes,
          Sanjay.

          Cyber Security Roundup for January 2020

          A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, December 2019.

Happy New Year! The final month of the decade was a pretty quiet one as major security news and data breaches go, given that cyber attacks have become the norm in the past decade. The biggest UK media security story was saved for the very end of 2019, with the freshly elected UK government apologising after it had accidentally published online the addresses of the 1,097 New Year Honour recipients. Among the addresses posted were those of Sir Elton John, cricketer and BBC 'Sports Personality of the Year' Ben Stokes, former Conservative Party leader Iain Duncan Smith, 'Great British Bake Off' winner Nadiya Hussain, and former Ofcom boss Sharon White. The Cabinet Office said it was "looking into how this happened"; it will probably come down to 'user error' in my view.

          An investigation by The Times found Hedge funds had been eavesdropping on the Bank of England’s press conferences before their official broadcast after its internal systems were compromised. Hedge funds were said to have gained a significant advantage over rivals by purchasing access to an audio feed of Bank of England news conferences. The Bank said it was "wholly unacceptable" and it was investigating further. The Times claimed those paying for the audio feed, via the third party, would receive details of the Bank's news conferences up to eight seconds before those using the television feed - potentially making them money. It is alleged the supplier charged each client a subscription fee and up to £5,000 per use. The system, which had been misused by the supplier since earlier this year, was installed in case the Bloomberg-managed television feed failed.

A video showing a hacker talking to a young girl in her bedroom via her family's Ring camera was shared on social media. The hacker tells the young girl: "It's Santa. It's your best friend." The Motherboard website reported hackers were offering software making it easier to break into such devices. Ring owner Amazon said the incident was not related to a security breach, but that the compromise was due to credential stuffing, stating "Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services."


Ransomware continued to plague multiple industries throughout 2019, and even security companies aren't immune, with Spanish security company Prosegur reported to have been taken down by the Ryuk ransomware.

Finally, a Microsoft Security Intelligence Report concluded what all security professionals know well: that implementing Multi-Factor Authentication (MFA) would have thwarted the vast majority of identity attacks. The Microsoft study found that reusing passwords across multiple account-based services is still common: of nearly 30 million users and their passwords examined, password reuse and modifications were common for 52% of users. The same study also found that 30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses. This behaviour puts users at risk of being victims of a breach replay attack: once a threat actor gets hold of spilled credentials or credentials in the wild, they try the same credentials against accounts on different services to see if there is a match.


          Cyber Security Roundup for November 2019

In recent years politically motivated cyber-attacks during elections have become an expected norm, so it was no real surprise when the Labour Party reported it was hit with two DDoS cyber-attacks in the run up to the UK general election, which was well publicised by the media. However, what wasn't well publicised was that both the Conservative Party and the Liberal Democrats were also hit with cyber attacks. These weren't nation-state orchestrated cyberattacks either; black hat hacking group Lizard Squad, well known for their high profile DDoS attacks, are believed to be the culprits.

The launch of Disney Plus didn't go exactly to plan: within hours of the streaming service going live, compromised Disney Plus user account credentials were being sold on the black market for as little as £2.30 a pop. Disney suggested hackers had obtained customer credentials from previously leaked identical credentials, as used by their customers on other compromised or insecure websites, and from keylogging malware. It's worth noting Disney Plus doesn't use Multi-Factor Authentication (MFA); implementing MFA to protect their customers' accounts would have prevented the vast majority of Disney Plus account compromises in my view.

Trend Micro reported an insider stole around 100,000 customer account details, with the data used by cyber con artists to make convincing scam phone calls impersonating the company to a number of its customers. In a statement, Trend Micro said it determined the attack was an inside job: an employee used fraudulent methods to access its customer support databases, retrieved the data and then sold it on. "Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls," the company said. The employee behind it was identified and fired; Trend Micro said it is working with law enforcement in an on-going investigation.

          Security researchers found 4 billion records from 1.2 billion people on an unsecured Elasticsearch server. The personal information includes names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

T-Mobile reported a data breach of some of their prepaid account customers. A T-Mobile spokesman said "Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities".

A French hospital was hit hard by a ransomware attack which caused "very long delays in care". According to a spokesman, medical staff at Rouen University Hospital Centre (CHU) abandoned PCs as ransomware had made them unusable; instead, staff returned to the "old-fashioned method of paper and pencil". No details about the strain of the ransomware have been released.

Microsoft released patches for 74 vulnerabilities in November, including 13 rated as critical. One of these was a scripting engine memory corruption vulnerability in Internet Explorer (CVE-2019-1429), known to be actively exploited by visiting malicious websites (or via an ActiveX control embedded in a document that hosts the IE rendering engine).

It was a busy month for blog articles and threat intelligence news; all are linked below.


          A Simple Trillion$ Cyber Security Question for the Entire RSA Conference

          Folks,

          This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -



          If that's the case, let's talk -  I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -

          Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?

          For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.



          For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -


          • Q 1.  Should your organization's foundational Active Directory be compromised, what could be its impact?
          • Q 2.  Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
          • Q 3.  If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
          • Q 4.  If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!

          You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!


          Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.


          Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.

          Best wishes,
          Sanjay


          PS: Pardon the delay. I've been busy and haven't much time to blog since my last post on Cyber Security 101 for the C-Suite.

          PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?

          A Trillion $ Cyber Security Question for Microsoft and CISOs Worldwide

          Folks,

          Today, to give a hint for the answer to this 1 question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -


          What's the World's Most Important Active Directory Security Capability?




          Those who don't know why this is the world's most important cyber security question may want to connect one, two and three

          I sincerely hope that someone (anyone) at Microsoft, or that some CISO (any ONE) out there, will answer this ONE question.

          Best wishes,
          Sanjay.

          Mimikatz DCSync Mitigation

          Folks,

          A few days ago I asked a (seemingly) very simple question ; no I'm not referring to this one, I'm referring to this one here  -

          Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?

Here's why I did so - while there's a lot of info out there on the WWW about how to use Mimikatz DCSync, and/or how to detect its use, there isn't one other* single correct piece of guidance out there on how to mitigate the risk posed by Mimikatz DCSync.

          So, as promised, today I am (literally) going to show you exactly how thousands of organizations worldwide can now easily and demonstrably actually mitigate the very serious cyber security risk posed to their foundational security by Mimikatz DCSync.


          In light of what I've shared below, organizations worldwide can now easily mitigate the serious risk posed by Mimikatz DCSync.




          First, A Quick Overview

          For those who may not know, and there are millions who don't, there are three quick things to know about Mimikatz DCSync.


Mimikatz DCSync, a Windows security tool, is the creation of the brilliant technical expertise of Mr. Benjamin Delpy (the DCSync module itself was co-written with Vincent Le Toux), whose work over the years has very likely (caused Microsoft a lot of pain ;-) but/and) helped substantially enhance Windows Security.

Mimikatz DCSync targets an organization's foundational Active Directory domains: it impersonates a domain controller and asks a real domain controller to replicate directory objects to it over the Directory Replication Service protocol (MS-DRSR, the GetNCChanges call). Any attacker who already holds sufficient privileges to replicate sensitive content from Active Directory can thus pull literally everyone's credentials (the password hashes of every account in the domain, including the krbtgt account) without ever touching a domain controller's disk or LSASS process!

Thus far, the only guidance out there is on how to DETECT its use, but this is one of those situations wherein if you're having to rely on detection as a security measure, then it's unfortunately already TOO late, because the damage has already been done.



          Detection Is Hardly Sufficient

          They say a picture's worth a thousand words, so perhaps I'll paint a picture for you. Relying on detection as a security measure against Mimikatz DCSync is akin to this -

(Image: Castle Romeo nuclear test)

Let's say a nuclear weapon just detonated in a city, and the moment it did, detection sensors alerted the city officials about the detonation. Well, within the few seconds in which they received the alert, the whole city would've already been obliterated, i.e. by the time you get the alert, literally everyone's credentials (including those of all privileged users) would've already been compromised!

Make no mistake about it - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory domain is tantamount to a complete forest-wide compromise, and should be considered a massive organizational cyber security breach. Every credential in the forest, including that of the krbtgt account, must then be treated as compromised, and the only way to recover with confidence is to completely rebuild the entire Active Directory forest from the ground up!

This is why detection is grossly insufficient as a security measure; what organizations need is the ability to prevent the use of Mimikatz DCSync against their foundational Active Directory domains, and thus the ability to mitigate this risk is paramount.
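Detection is still worth having as a tripwire, even though it fires after the hashes have already left the building. For reference, here is the usual DCSync detection logic as an added example (written for this edit, not the author's tooling), run over constructed Windows Security event 4662 records reduced to the fields the rule inspects. The rule itself is the well-known one: a Directory Service Access event whose AccessMask has the Control Access bit set, whose Properties name a replication extended right, and whose subject is not a domain controller computer account or the Azure AD Connect sync account. The sample records, the MSOL_ account name and the user names are invented for the example.

```python
# GUIDs of the replication control-access rights that appear in the Properties field of event 4662.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask

# Constructed sample records (not real log data); real 4662 events are EVTX/XML with these fields.
SAMPLE_EVENTS = [
    {   # normal inbound replication from another DC: computer account, name ends with $
        "EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
        "AccessMask": 0x100, "ObjectName": "DC=corp,DC=example,DC=com",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # Azure AD Connect sync account legitimately replicating password hashes
        "EventID": 4662, "SubjectUserName": "MSOL_3b1c9e4a2f0d", "SubjectDomainName": "CORP",
        "AccessMask": 0x100, "ObjectName": "DC=corp,DC=example,DC=com",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a user reading an ordinary attribute: no Control Access bit, no replication GUID
        "EventID": 4662, "SubjectUserName": "carol", "SubjectDomainName": "CORP",
        "AccessMask": 0x10, "ObjectName": "CN=carol,OU=Staff,DC=corp,DC=example,DC=com",
        "Properties": "{bf967a9c-0de6-11d0-a285-00aa003049e2}",
    },
    {   # what a DCSync run from a compromised helpdesk account looks like
        "EventID": 4662, "SubjectUserName": "carol", "SubjectDomainName": "CORP",
        "AccessMask": 0x100, "ObjectName": "DC=corp,DC=example,DC=com",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
]


def is_dcsync_candidate(event, allowlist_prefixes=("MSOL_",)):
    """True for a 4662 that exercised a replication extended right from a non-DC, non-sync account."""
    if event.get("EventID") != 4662:
        return False
    if not event.get("AccessMask", 0) & CONTROL_ACCESS:
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    user = event.get("SubjectUserName", "")
    # Domain controllers replicate constantly (computer accounts end in $); the AAD Connect
    # account is allowlisted by prefix. Both are blind spots if those accounts are compromised.
    if user.endswith("$") or user.startswith(allowlist_prefixes):
        return False
    return True


def dcsync_alerts(events):
    """(DOMAIN\\user, naming context) pairs worth paging someone about."""
    return [(f"{e['SubjectDomainName']}\\{e['SubjectUserName']}", e["ObjectName"])
            for e in events if is_dcsync_candidate(e)]


if __name__ == "__main__":
    for who, where in dcsync_alerts(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync: {who} replicated {where}")
```

Two caveats the rule makes visible: 4662 is only generated if Directory Service Access auditing is on and the domain object's SACL audits the Control Access right, and anything hidden behind the `$` or `MSOL_` allowlist (a stolen DC machine account, a compromised sync server) sails through. That is the author's point in code form: by the time this fires, the replication has already completed.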



          How to Mitigate Mimikatz DCSync

          The key to mitigating this risk lies in identifying what it technically takes to be able to successfully use Mimikatz DCSync.

          Specifically, if you know exactly what privileges an attacker needs to be able to successfully use Mimikatz DCSync against your Active Directory domain, then by ensuring that only highly-trustworthy, authorized individuals (and not a single other individual) actually currently possess those required privileges in your IT infrastructure, you can easily mitigate this risk.


Technically speaking, all that an attacker needs to successfully use Mimikatz DCSync is sufficient effective permissions on the domain root object of an Active Directory domain for the replication extended rights, Replicating Directory Changes (DS-Replication-Get-Changes) and Replicating Directory Changes All (DS-Replication-Get-Changes-All), the latter being the one that covers secret attributes such as password hashes. So all that organizations need to do is accurately identify exactly who has these effective permissions on the domain root object of each of their Active Directory domains.

By default only the built-in administrative groups and the domain controller groups are granted these rights. But most Active Directory deployments have been around for years and have gone through a substantial amount of access provisioning, so in most deployments many more individuals than merely the members of the default AD admin groups may hold this highly sensitive effective permission, granted either directly or via group membership, some of it direct and some of it through nested groups. The result is a potentially large and unknown attack surface today.

Now, it is paramount to understand ONE subtle but profound difference here - it is NOT who has what permissions on the domain root that matters, but who has what effective permissions on the domain root that matters: the net result of every applicable allow and deny ACE, explicit and inherited, evaluated across every group a principal belongs to, directly or through any depth of nesting. This difference could be the difference between a $100 B organization being completely compromised or being completely protected from compromise.
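To show why that difference matters in practice, here is an added example (written for this edit, not the author's tooling) that models how effective access to one extended right on the domain root falls out of nested group membership and canonical ACE order. The groups, members and ACEs are constructed; the model checks a single right (DCSync also needs Replicating Directory Changes, which is omitted here), ignores inheritance from parent containers and per-attribute scoping, and is meant only to show how a DACL read that stops at direct trustees under-counts, and how a deny hidden in the nesting removes someone the allow ACEs appear to include.

```python
from collections import deque

# Constructed sample data for this example (not from any real directory).
# Direct group memberships, as an auditor reads them out of AD; nesting is what hides access.
GROUP_MEMBERS = {
    "Domain Admins": {"alice"},
    "Tier0-Ops": {"Domain Admins", "bob"},
    "Helpdesk-L3": {"carol", "Contractors"},
    "Contractors": {"dave"},
    "Replication-Auditors": {"Helpdesk-L3"},   # a migration leftover nobody remembers granting
}

GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All

# Constructed domain-root DACL in canonical order (explicit denies before explicit allows).
# Each entry: (ace_type, trustee, object_type GUID); "" means every extended right.
DOMAIN_ROOT_ACES = [
    ("D", "Contractors", GET_CHANGES_ALL),
    ("A", "Domain Admins", ""),
    ("A", "Tier0-Ops", GET_CHANGES_ALL),
    ("A", "Replication-Auditors", GET_CHANGES_ALL),
]


def security_token(principal):
    """The principal plus every group it belongs to, directly or through any depth of nesting,
    which is what the SIDs in a logon token amount to for an access check."""
    token = {principal}
    queue = deque([principal])
    while queue:
        member = queue.popleft()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in token:
                token.add(group)
                queue.append(group)
    return token


def has_effective_right(principal, guid, aces=DOMAIN_ROOT_ACES):
    """Walk the DACL in order; the first ACE whose trustee is in the token and whose object type
    covers `guid` decides. Canonical order puts denies first, so a deny on any nested group wins."""
    token = security_token(principal)
    for ace_type, trustee, obj in aces:
        if trustee in token and obj in ("", guid):
            return ace_type == "A"
    return False   # no matching ACE: denied by default


def effective_holders(guid, principals):
    return sorted(p for p in principals if has_effective_right(p, guid))


def direct_view(guid, principals):
    """What a DACL read that only looks at direct members of the listed trustees, and ignores
    denies, would report. This is the under-count the text warns about."""
    allowed = {t for typ, t, obj in DOMAIN_ROOT_ACES if typ == "A" and obj in ("", guid)}
    return sorted(p for p in principals
                  if p in allowed or any(p in GROUP_MEMBERS.get(g, ()) for g in allowed))


if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]
    print("direct view:", direct_view(GET_CHANGES_ALL, users))        # ['alice', 'bob']
    print("effective  :", effective_holders(GET_CHANGES_ALL, users))  # ['alice', 'bob', 'carol']
    print("dave token :", sorted(security_token("dave")))
```

carol is two nesting hops away from an ACE and never appears in a direct reading of the DACL, yet she can DCSync; dave sits under the same allow but is stopped by the deny on Contractors. Any audit that cannot reproduce both results for every principal in the domain is not reporting effective permissions.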



          The Key - Active Directory Effective Permissions

          If you've followed what I've shared above, then you'll agree and understand that the key to being able to successfully mitigate the serious risk posed by Mimikatz DCSync lies in being able to accurately determine effective permissions in Active Directory.



          In fact Effective Permissions are so important, essential and fundamental to Windows and Active Directory Security, that of the four tabs in all of Microsoft's Active Directory Management Tooling, one entire tab is dedicated to Effective Permissions.

Unfortunately, it turns out that Microsoft's native Effective Permissions tab is not always accurate and, worse, substantially inadequate: it answers the question for one principal at a time. While I could elaborate on that, I'd rather let you come to the same conclusion yourself; this ONE glaring inadequacy will be self-evident the moment you attempt to use it to find out exactly who, amongst the thousands of domain user account holders in your Active Directory domain(s), actually has the required effective permissions. In fact, the same is true of all tools/scripts that involve the use of Microsoft's APIs to do so, such as this dangerously inaccurate free tool.

          Fortunately, in a world whose population is 7,000,000,000+ today, thanks to one (1) inconsequential individual, there's hope...



          Finally, How to Easily and Reliably Mitigate the Risk Posed by Mimikatz DCSync

          Here's a very short (and perhaps boring but insightful) video on how organizations worldwide can reliably mitigate this risk -


          Note: This is NOT intended to demonstrate our unique tooling. It is solely intended to show what it takes to mitigate this serious risk. We have no particular interest in licensing our unique tooling to anyone. As such, over the years, we have NEVER, not once pitched our tooling to anyone; we've had almost 10,000 organizations worldwide knock at our doors completely unsolicited, so I hope that makes this point unequivocally.

          Thus, as seen in the short video above, with the right guidance (knowledge) and capability (tooling), organizations worldwide can now easily and reliably mitigate the serious cyber security risk posed by Mimikatz DCSync to their foundational security.

          Complete, illustrated, step-by-step details on how to easily and correctly mitigate Mimikatz DCSync can now be found here.


          I'll say this one last time - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory is tantamount to a forest-wide compromise and constitutes a massive cyber security breach, which is why mitigation is paramount.

          Best wishes,
          Sanjay


          PS: *Here are 4 posts I've previously penned on Mimikatz DCSync - a summary, technical details, a scenario and the question.

          PS2: In days to come, I'll answer this question too.

          WHAT is the ONE Essential Cyber Security Capability WITHOUT which NOT a single Active Directory object or domain can be adequately secured?


          Folks,

          Hello again. Today onwards, as I had promised, it is finally TIME for us to help SAFEGUARD Microsoft's Global Ecosystem.


          Before I share how we uniquely do so, or answer this paramount question, or ask more such ones, I thought I'd ask likely the most important question that today DIRECTLY impacts the foundational cyber security of 1000s of organizations worldwide.



          Here It Is -
          What Is the 1 Essential Cyber Security Capability Without Which NOT a single Active Directory object, domain, forest or deployment can be adequately secured?



          A Hint

          I'll give you a hint. It controls exactly who is denied and who is granted access to literally everything within Active Directory.


          In fact, it comes into play every time anyone accesses anything in any Active Directory domain in any organization worldwide.




          Make No Mistake

          Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.



          Only 2 Kinds of Organizations

          Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are provably and demonstrably insecure.


          If you know the answer, feel free to leave a comment below.
          I'll answer this question right here, likely on July 04, 2018.

          Best,
          Sanjay

          Alarming! : Windows Update Automatically Downloaded and Installed an Untrusted Self-Signed Kernel-mode Lenovo Driver on New Surface Device

          Folks,

          Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.


          Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.

          Disclaimer: I'm not making any value judgment about Lenovo ; I'm merely basing this on what's already been said.


As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which, albeit far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.

Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor, one that was decently trustworthy (considering that most of the world is running their operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.

          Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.

          In particular, regardless of its respected heritage, for us, Lenovo wasn't  an option, since it is partly owned by the Chinese Govt.

          So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -

          Microsoft Surface



          The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.

I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind attached to this new Microsoft Surface device, whether via USB or Bluetooth.


          Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!



          Windows Update
          Downloaded and Installed an Untrusted
          Self-Signed Lenovo Device Driver on Microsoft Surface! -

Within minutes, Windows Update automatically downloaded and installed, amongst other packages (notably Surface Firmware), an untrusted self-signed Kernel-mode device driver, purportedly "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)", on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!

          Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -


          We couldn't quite believe this.

          How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft  Surface device?

          So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -


          We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)

          Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -



          Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -


          It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!

          As you can see above, it seemed to indicate that the provider was Lenovo, that the INF file name was phidmou.inf, and that the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system, but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and, as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.

          Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents) was created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -



          When we opened that location, we found thirteen items, including six drivers -


          Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -


          Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -


          Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft Surface, and all it is signed by is a test certificate, and who knows who wrote this driver!

          Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.

          If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.

          It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!
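          As an added defender-side check (example code, not from the original post), the two manual inspections described above, the registry driver-package keys and the Authenticode check on the .sys files in the DriverStore, can be scripted so they run over every staged package rather than just the one found by keyword search. It assumes Windows 10 default paths, an elevated PowerShell 5.1 session, and that driver packages live under HKLM\SYSTEM\DriverDatabase\DriverPackages with a Provider value; the function and parameter names are mine.

```powershell
# Added example (not part of the original post): two defender-side checks that
# reproduce, in script form, the manual inspection described above.
# Assumptions: Windows 10 defaults, an elevated PowerShell 5.1 session, and the
# driver-package registry location HKLM\SYSTEM\DriverDatabase\DriverPackages
# (function and parameter names are mine).

$FileRepository   = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$DriverPackagesKey = 'HKLM:\SYSTEM\DriverDatabase\DriverPackages'

function Test-DriverStoreSignatures {
    <# Walks every package folder in the DriverStore and flags kernel drivers (.sys)
       that are not release-signed through a chain ending in a trusted root. #>
    param(
        [string]$Repository = $FileRepository,
        # Package folders are named <inf>_<arch>_<hash>; pass e.g. 'phidmou.inf*' to
        # look only at the package discussed in the post
        [string]$PackageFilter = '*'
    )
    Get-ChildItem -Path $Repository -Directory -Filter $PackageFilter | ForEach-Object {
        $package = $_
        Get-ChildItem -Path $package.FullName -Recurse -File -Filter '*.sys' | ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate
            # A WDK test certificate is self-issued (Subject == Issuer) and, by default,
            # carries "WDKTestCert" in its subject; neither belongs on a shipped driver.
            $selfSigned = ($null -ne $signer) -and ($signer.Subject -eq $signer.Issuer)
            $testCert   = ($null -ne $signer) -and ($signer.Subject -like '*WDKTestCert*')
            [pscustomobject]@{
                Package = $package.Name
                Created = $package.CreationTime   # compare with the Windows Update log timestamps
                Driver  = $_.Name
                Status  = $sig.Status             # 'Valid' only when the chain ends in a trusted root
                Subject = if ($signer) { $signer.Subject } else { '<no signature>' }
                Suspect = ($sig.Status -ne 'Valid') -or $selfSigned -or $testCert
            }
        }
    }
}

function Test-DriverPackageKeys {
    <# Lists driver-package registry keys that lack the Configurations, Descriptors
       and Strings sub-keys a normally staged package carries, or that cannot be
       enumerated at all (the "Access Denied" case seen in the post). #>
    param([string]$KeyPath = $DriverPackagesKey)
    $expected = 'Configurations', 'Descriptors', 'Strings'
    Get-ChildItem -Path $KeyPath -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $children = (Get-ChildItem -Path $_.PSPath -ErrorAction Stop).PSChildName
            $missing  = $expected | Where-Object { $_ -notin $children }
            # 'Provider' is assumed to be the value that names the package vendor
            $provider = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Provider
        } catch {
            $missing  = $expected     # could not enumerate: treat as fully suspect
            $provider = "<error: $($_.Exception.Message)>"
        }
        if ($missing) {
            [pscustomobject]@{
                PackageKey = $_.PSChildName
                Provider   = $provider
                Missing    = ($missing -join ', ')
            }
        }
    }
}

# Report: untrusted or test-signed kernel drivers first, then malformed package keys.
Test-DriverStoreSignatures | Where-Object Suspect | Sort-Object Created | Format-Table -AutoSize
Test-DriverPackageKeys | Format-Table -AutoSize
```

Drivers signed through a .cat catalog rather than an embedded signature report SignatureType Catalog, and for those a NotSigned status can also mean the catalog was not found, so confirm such hits with sigverif before treating them as untrusted.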

          How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?

          Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.



          Unacceptable and Deeply Concerning

          To us, this is unacceptable, alarming and deeply concerning, and here's why.


          We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device, by this device's vendor's (i.e. Microsoft's) own product's (the Windows operating system's) update program!

          We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.

          How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)

          In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!

          This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?

          This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?

          In our case, it just so happened that we were in front of this device during this Windows Update process, and that's how we noticed this, and by the way, after it was done, it gave the familiar Your device is up to date message.

          Speaking of which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?

          I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!

          Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!

          Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.

          With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.

          In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.



          If I Were Microsoft, I'd Send a Plane

          Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.


          If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.)

          Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
          1. I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
          2. I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
          3. I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
          4. I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
          5. I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package

          Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.


          In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than Microsoft Windows and Microsoft Surface?! -



          Also, speaking of Microsoft's ecosystem, it indeed is time to help safeguard Microsoft's global ecosystem. (But I digress.)



          In Conclusion

          Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.


          Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10) should not be downloading and installing a piece of software that runs in Kernel-mode when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning as that.

          All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."


          By the way, I happen to be a former Microsoft Program Manager for Active Directory Security, and I care deeply for Microsoft.

          For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.

          Most respectfully,
          Sanjay


          PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but I never heard back from anyone at Microsoft in this regard again.

          PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?

          2017 – The Year The World Realized the Value of Active Directory Security

          Folks,

          As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

          This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


          I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



          Active Directory Security Goes Mainstream Cyber Security

          Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -


          1. Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

          2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, BloodHound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

          3. On June 08, 2017, CyberArk, a billion+ dollar cyber-security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

          4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

          5. On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.

          6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

          7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.

          8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

          9. On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

          10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1 - 9 above, but the whole world, realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9 above lies in Active Directory Effective Permissions and Active Directory Effective Access.





          Helping Defend Microsoft's Global Customer Base
          (i.e. 85% of Organizations Worldwide)

          Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


          ...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1 - 9 above.

          This year, I ( / we) ...

          1. conducted 30 days of advanced Active Directory Security School for the $650+ billion Microsoft Corporation

          2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

          3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

          4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

          5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

          6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

          7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

          8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

          9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

          10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


          In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





          Summary

          All in all, it's been quite an eventful year for Active Directory Security (and one that I saw coming over ten years ago).

          In 2017, the mainstream cyber security community finally seem to have realized the importance of Active Directory Security.


          Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

          Best wishes,
          Sanjay.

          PS: Why I do, What I Do.

          Why I Do, What I Do

          Folks,

          I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.


          Here are the answers to the Top-5 questions I am frequently asked -

          1. You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?

            Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.

            In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.

            As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.




          2. Speaking of which, how big is Paramount Defenses?

            At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to date, the entirety of our R&D team are former Microsoft employees.

            If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.




          3. Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?

            The simple answer to this question - For Security Reasons.

            At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.

            As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.

            Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.




          4. What do you intend to accomplish by blogging?

            The intention is to help organizations worldwide understand just how profoundly important Active Directory Security is to organizational cyber security, and how paramount Active Directory Effective Permissions are to Active Directory Security.

            That's because this impacts global security today, and here's why -




            You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, it's Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.

            It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.

            Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.

            This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.

            In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security experts and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.

            What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"

            On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.

            To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.

            Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.

            Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.




          5. Why have you been a little hard on Microsoft lately?

            Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.

            In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.

            You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this is a highly concerning fact, because it means that most organizations worldwide are operating in the proverbial dark today.

            It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - Proof.

            Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.

            As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they seem to have completely missed this one paramount aspect of Windows security.

            Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.

            Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.


          Finally, the most important reason why I do what I do is that I care deeply and passionately about cyber security.

          Best wishes,

          A Massive Cyber Breach at a Company Whilst it was Considering the ‘Cloud’

          (A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)


          Folks,

          Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."

          With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?



          The C-Suite Meeting

          Today was a HUGE day for this multi-billion dollar company, for today, after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding which Cloud Computing provider to go with.


          This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -

          1. Chief Executive Officer (CEO)

          2. Chief Financial Officer (CFO)

          3. Chief Information Officer (CIO)

          4. Chief Information Security Officer (CISO)

           Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.




          Meeting In-Progress

          After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.

          The C-Suite then took a break for lunch.

          The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...

          ... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.

          Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?"  He said "Yes."





          Houston, We Have a Problem

          The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!


          He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.

          He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."

          He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"




          It's Over

          The CEO asked the CIO - "What's wrong? What happened?"

          The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"


          The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"

          The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"

          The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"

          The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"

          The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"




          Mimikatz DCSync 

          The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."


          The CEO asked - "What is Active Directory?"

          The CISO replied - "Sir, simply put, it is the very foundation of our cyber security."

          The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"

          The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."

          The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"

          The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has these effective permissions on our domain root!"

          The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"

          The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."



          The CEO was furious! - "You're kidding, right?! Microsoft's spent billions on this new fad called the 'Cloud', yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!"

          The CISO replied - "Seventeen years."

          The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?!  Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"




          This is for Real

          Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!


          We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.




          This Could've Been (and Can Be) Easily Prevented 

          This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.


          Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!

          Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.

          Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
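The audit step the post keeps pointing at, as an added example that is neither the author's nor Gold Finger's code: a small Python model that works out who effectively holds the two replication control-access rights DCSync depends on, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (the latter is what the dialogue above calls Get-Replication-Changes-All), from a domain-root ACL and a group-nesting map. The ACL, group names and users are constructed sample data; in a real audit the ACEs would come from the directory (for example `(Get-Acl "AD:\DC=corp,DC=example").Access`) and nested membership would be resolved from the directory too.

```python
"""Toy effective-permission audit for the replication rights DCSync relies on.
Added example with constructed data only; it does not query a real directory."""
from dataclasses import dataclass
from typing import Optional

# rightsGuid values of the two control-access rights, as defined in the AD schema.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = frozenset({DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL})

@dataclass(frozen=True)
class Ace:
    """One access-control entry on the domain root object (constructed sample)."""
    trustee: str                # principal the ACE applies to
    allow: bool                 # True: access-allowed ACE, False: access-denied ACE
    object_type: Optional[str]  # rightsGuid, or None for a control-access ACE with
                                # no ObjectType, which covers every extended right

def expand_groups(principal, membership):
    """Return the principal plus every group it belongs to, following nesting."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(membership.get(name, ()))
    return seen

def effective_rights(principal, acl, membership, wanted):
    """Rights from `wanted` that `principal` effectively holds on the object.

    Modelled rules: the token is the user plus all nested groups, and an
    access-denied ACE beats an access-allowed ACE for the same right. The
    domain root inherits nothing from a parent, so only explicit ACEs exist
    there and deny-before-allow canonical ordering is all that matters.
    """
    token = expand_groups(principal, membership)
    wanted = set(wanted)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in token:
            continue
        hit = wanted if ace.object_type is None else {ace.object_type} & wanted
        (allowed if ace.allow else denied).update(hit)
    return allowed - denied

def who_can_dcsync(users, acl, membership):
    """Names of users effectively holding both replication rights."""
    return sorted(u for u in users
                  if DCSYNC_RIGHTS <= effective_rights(u, acl, membership, DCSYNC_RIGHTS))

# Constructed sample domain-root DACL and group nesting (not from any real domain).
SAMPLE_ACL = [
    Ace("Domain Controllers", True, DS_REPL_GET_CHANGES),
    Ace("Domain Controllers", True, DS_REPL_GET_CHANGES_ALL),
    Ace("Domain Admins", True, None),                   # every extended right
    Ace("Legacy-Sync-Ops", True, DS_REPL_GET_CHANGES),   # leftover from an old sync tool
    Ace("Legacy-Sync-Ops", True, DS_REPL_GET_CHANGES_ALL),
    Ace("bob", False, DS_REPL_GET_CHANGES_ALL),         # explicit deny for one user
]
SAMPLE_MEMBERSHIP = {
    "alice": {"Domain Admins"},
    "bob": {"Legacy-Sync-Ops"},
    "carol": {"Helpdesk"},
    "dave": {"Helpdesk"},
    "Helpdesk": {"Legacy-Sync-Ops"},  # nesting nobody remembered
}
SAMPLE_USERS = ["alice", "bob", "carol", "dave"]

if __name__ == "__main__":
    # Prints ['alice', 'carol', 'dave']: two helpdesk users nobody had on the radar.
    print("Can DCSync:", who_can_dcsync(SAMPLE_USERS, SAMPLE_ACL, SAMPLE_MEMBERSHIP))
```

The two helpdesk users surface only because the nesting Helpdesk -> Legacy-Sync-Ops is followed, which is exactly the "not on your radar" case in the dialogue; primary-group membership and SID history are not modelled here and would also have to be resolved in a real audit.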


          Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.

          Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!




          Fast-Forward Six Months

          Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.


          All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.





          Summary

          The moral of the story is that while it's fine to fall for the latest fad, i.e. to consider moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.


          I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.

          Best wishes,

          CEO, Paramount Defenses



          PS: If this sounds too simple and high-level, i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here, etc.



          PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."

          Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lock down any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.



          PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)

          PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory

          Some Help & Good News for Microsoft regarding Active Directory Security


          Folks,

          You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.



          A Quick and Short Background

          From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


          Active Directory is the Foundation of Cyber Security Worldwide

          The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety of its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.

          During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.

          These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

          Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.

          Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast and building rapidly, so unless organizations act swiftly and decisively to adequately lock down the vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve the compromise of Active Directory deployments.





          Clearly, Microsoft Has No Answers

          It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.


          Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -



          If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!

          You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!

          That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."

          Oh, and the very last thing they tell you is that their nascent ATA technology can detect multiple AD recon methods.


          In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

          The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.

          BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (you'll want to read the posts) - Active Directory Security School for Microsoft.



          Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.

          Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.





          Fortunately There's Help and Good News For Microsoft

          I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.


          To my former colleagues at Microsoft I say - "Each one of us at Microsoft is passionate, cares deeply and always strives to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."

          So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.

          Specifically, in days to come, as a part of our 30-Day Active Directory Security School, you can expect the following posts -


          1. What Constitutes a Privileged User in Active Directory

          2. How to Correctly Audit Privileged Users/Access in Active Directory

          3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

          4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

          5. How to Easily Solve The Difficult Problem of Active Directory Botnets

          6. The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)

          7. The Paramount Need to Lockdown Access Privileges in Active Directory

          8. How to Attain and Maintain Least Privileged Access (LPA) in Active Directory

          9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

          10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

          You see, each one of these Active Directory security focused objectives can be easily accomplished, but in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.

          Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.

          So, over the next few days, I'll pen the above, and you'll be able to access them at the Active Directory Security Blog.

          Until then, you may want to go through each one of the 20 days of posts that I've already shared there, as well as review this.



          In fact, this cannot wait, so let us begin with the "actual" insight on Active Directory ACLs that all organizations worldwide must have today -


          Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


          Best wishes,
          Sanjay

          CEO, Paramount Defenses

          Formerly Program Manager,
          Active Directory Security,
          Microsoft Corporation


          PS: Microsoft, you're welcome. Also, I don't need anything from you, except a Thank you note.

          June 2 6/12/2015 Consulting Thought Leadership “Proactively Engaged – Questions Executives Should Ask Their Security Teams” “-Many breaches occur as a result of executive decisions made w/out full knowledge of the people/processes needed to prevent them; -Offers specific questions that execs should ask to understand and prevent a breach” Jim Aldridge Kyrk Content Finalized Global

          Caching Out: The Value of Shimcache for Investigators