Kudelski Security, the cybersecurity division within the Kudelski Group, announced the launch of its dedicated Microsoft Security services, enabling clients to effectively consume and configure Microsoft security capabilities and add additional monitoring to their Microsoft 365 and Azure environments. This represents the latest expansion of a rapidly growing, cloud-first cybersecurity portfolio that supports digital transformation initiatives of global enterprises using private and public cloud services. In addition to providing a dedicated Microsoft focus, Kudelski Security …
Microsoft today released a new version of its open-source PowerToys toolset for Windows 10 with improvements and fixes for issues affecting the search results displayed by the PowerToys Run launcher when running as admin. [...]
Windows 10 includes two disk cleanup features that allow users to free up storage space used by unnecessary system and temporary files. Microsoft is making changes to these features to prevent Windows users from deleting files in the Downloads folder by accident. [...]
Microsoft announced the security baseline draft release for Windows 10 and Windows Server, version 2004, and the intention to add new account password length security policies with the Windows 10 May 2020 Update. [...]
Microsoft Office 365 customers are targeted by a phishing campaign using bait messages camouflaged as notifications sent by their organization to update the VPN configuration they use to access company assets while working from home. [...]
Back when Windows 10 was first released, Microsoft allowed users of Windows 7 or Windows 8.1 to upgrade to Windows 10 for free. Microsoft officially ended the free upgrade offer in December 2017, but a method still works that allows you to upgrade an older version of Windows to Windows 10 for free. [...]
Microsoft released the June 2020 non-security Microsoft Office updates with performance improvements and fixes for issues affecting Windows Installer (MSI) editions of Office 2016, Office 2013, and Office 2010 products. [...]
Microsoft is working on improving the Office 365 Message Encryption (OME) service to reduce the probability that emails with one-time passcodes (OTPs) required to read encrypted messages are marked as spam by mail servers. [...]
A roundup of UK-focused cyber and information security news, blog posts, reports and general threat intelligence from the previous calendar month, May 2020.
EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of their customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed. Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as a "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked whether the affected customer data was encrypted or not, she replied: "The awful truth is that I don't know". Today Dido is responsible for the UK government's Track, Test and Trace application, which no doubt will ring privacy alarm bells with some. Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays." It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry.
Some security commentators have called the ICO a "Toothless Tiger" in regards to its supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can bring a class-action lawsuit. So it can be no real surprise to see law firm PGMBM announce it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.
The 2020 Verizon Data Breach Investigations Report (DBIR) was released; in my humble opinion it is the most valuable annual report in the cybersecurity industry. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
86% of data breaches were for financial gain, up from 71% in 2019
43% of breaches involved web applications (cloud-based); these attacks have doubled, reflecting the growth in the use of cloud-based services.
67% of data breaches resulted from credential theft, human error or social attacks.
Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime
Ongoing patching is succeeding: fewer than 1 in 20 breaches exploited vulnerabilities
The vast majority of breaches (70%) continue to be caused by external actors, with organised crime accounting for 55% of these.
Credential theft and social attacks such as phishing and business email compromises cause the majority of breaches (over 67%), specifically:
37% of credential theft breaches used stolen or weak credentials,
25% involved phishing
Human error accounted for 22%
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware had a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR, with 18% of organisations reporting blocking at least one piece of ransomware last year. REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm 'Grubman Shire Meiselas & Sacks'. Some 756 gigabytes of personal data, emails, and contract details were taken, relating to Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.
LogMeOnce, a password identity management suite provider, has published a detailed interview with me titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about password security (obviously), threat actors, IoT security, multi-factor authentication (MFA), anti-virus, biometrics, AI, privacy, and a bit on how I got into a career in cybersecurity.
Tripwire's May 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, SaltStack, and VMware. Up first on the patch priority list this month are patches for VMware vCenter Server and SaltStack Salt. The Metasploit exploit framework has recently integrated exploits for VMware vCenter Server (CVE-2020-3952) and SaltStack Salt (CVE-2020-11652, CVE-2020-11651). Administrators with […]
Windows 10's May 2020 Update is rolling out to seekers, and it comes with new security features that offer better malware protection, easier logins, and stronger encryption for your wireless connections. [...]
Windows 10's Winget package manager is an excellent tool for installing popular applications, but it only works from the command line. To make it easier to find apps and install them, third-party developers have released front-ends for Windows 10's new package manager. [...]
Microsoft is blocking Windows 10 2004 upgrades due to multiple conflicts caused by older or incompatible display drivers. Microsoft will not allow the May 2020 Update to be installed until these issues are resolved. [...]
Upbound, the company behind open source projects Rook and Crossplane, announced Alibaba Cloud and Microsoft have joined the Crossplane project. Announcements were made from the inaugural Crossplane Community Day, attended by community members from across the ecosystem. "We launched Crossplane over a year ago to bring the same control plane-centric approach pioneered by cloud providers like AWS, Microsoft Azure, and Google Cloud to the enterprise and open source community," said Bassam Tabbara, Founder and CEO …
The Microsoft Build conference is developer heaven. It’s also a great place to learn what’s coming for the rest of us in the Microsoft world, and this year’s conference, virtual though it was, was no different. Microsoft introduced several new features for its cloud service, Azure, leaving no doubt where its priorities now lie. Take…
Nestled within Microsoft’s family of convertible tablet PCs, the Surface Laptop 3 continues to offer a grounded, traditional laptop experience. The new 15-inch display provides a more comfortable viewing experience, and still features Microsoft’s superb build quality, fantastic keyboard, and an excellent display. But as sleek as it may be, the Surface Laptop 3’s conservative feature set is eclipsed by flashy designs from other manufacturers, and its high asking price means its competition is fierce and plentiful. Moreover, its lacklustre battery life (on the AMD models) and skimpy starting storage need improving.
Solid build quality
Excellent thermal management
One of the best laptop keyboards money can buy
Magnetic charging port
No front-facing speakers
Anemic 128GB starting storage
Wonky auto screen brightness adjustment
AMD models have subpar battery life
Performance discrepancy between Intel and AMD models
Surface Laptop 3 15-inch specifications (available configurations / as reviewed)
Processor: Up to AMD Ryzen 7 3780U or Intel Core i7-1065G7 for business models / AMD Ryzen 5 3580U
Graphics: Radeon Vega 9 (AMD) or Iris Pro (Intel) / AMD Radeon Vega 9
Memory: Up to 32GB DDR4 / 8GB
Storage: Up to 1TB NVMe SSD / 128GB NVMe SSD
Display: 15-inch, 3:2, 2,946 x 1,664p touchscreen with Surface Pen support
Ports: 1x USB-A port, 1x Surface port, 1x 3.5mm audio jack
Price: Starting at CA$1,599
The Surface Laptop returns for its third iteration. This time around, Microsoft has added a bigger display, removed the fabric covers from the wrist rest, and sourced processors from both Intel and AMD.
The Surface Laptop 3 sources processors from both Intel and AMD. The AMD processors in Microsoft’s Surface Laptop 3s are specifically optimized for these devices. With that said, having more options means more confusion for the buyer, a confusion we should address before we dig into the review.
Microsoft only uses AMD processors (the Ryzen 5 3580U and the Ryzen 7 3780U) for its consumer Surface Laptop 3 15-inch models. The consumer 13-inch variant, as well as the business 13-inch and 15-inch models, all use Intel's 10th-gen Ice Lake mobile processors.
For its 13-inch and business customers, Microsoft exclusively uses the Intel Core i5-1035G7 or the Core i7-1065G7 processors. Intel variants cost CA$170 more than AMD models at the same RAM and storage capacities. Microsoft doesn’t offer the Intel-based Surface Laptop 3 15-inch on its consumer product page; it can be purchased through its business website.
Our review model features the AMD Ryzen 5 3580U processor, 8GB of RAM, and 128GB of storage.
The only glossy component on the Surface Laptop 3’s metal body is its Microsoft logo. Weighing in at 3.4lbs, the Surface Laptop 3 won’t break your back, although you may want to opt for the 13-inch model if portability is a key concern.
From the lid to the base, the Surface Laptop 3 features sharply chiselled lines for a stoic look.
Coming with a single USB-A and a USB-C port, you’ll need to buy adapters or the Surface Dock if you have multiple devices or need to connect to Ethernet.
Only a charging connector sits on the right edge. The connector latches onto the device magnetically, so it won't yank your laptop off the table if someone trips over the cable. This is also where the Surface Dock connects.
A large keyboard and glass trackpad populate the interior. Although the Surface Laptop 3 omits a number pad, this allows the keyboard to sit in the center, orienting the typist directly in front of the screen. Microsoft now offers Surface Laptop 3s without the Alcantara fabric material and instead exposes the raw metal for the palm rest. It's a shame that even with ample room on the sides, Microsoft has not installed upward-facing speakers.
The Surface Laptop 3 15-inch sports a 15-inch IPS 2,946 x 1,664p touchscreen. Its 3:2 aspect ratio affords more vertical space for viewing pages and documents.
With a Spyder 5 Pro colorimeter, I measured the display to cover 98 per cent of the sRGB colour gamut, enough for editing pictures for the web. Although it doesn’t support HDR, it did reach an impressive peak brightness of 398nits, bright enough to fend off glare against bright overhead lights. In addition, all Surface displays are factory-calibrated for supreme colour accuracy.
While the screen is eye-candy, the neurotic ambient light sensor got on my nerves. Under a consistent office room lighting condition, the display brightness would randomly ramp up and down. I’m sure this can be addressed through a software update, but the fix doesn’t seem to be present in the latest version of Windows 10 Home (as of May 26, 2020).
Like all Surface devices, the Surface Laptop 3 15-inch supports the Surface Pen. Because the display doesn't fold 360 degrees, the pen is more suited to making quick annotations than to sketching.
As mentioned above, Microsoft decided to source both AMD and Intel processors for the Surface Laptop 3. The 15-inch model features either a 4-core / 8-thread Ryzen 5 3580U or a Ryzen 7 3780U Surface Edition processor, the chips earning their names from Microsoft's partnership with AMD to optimize them specifically for the Surface Laptops.
Both the Ryzen 5 and Ryzen 7 processors use integrated graphics based on AMD’s Vega architecture.
AMD hasn’t had a significant presence in mobile platforms for years. Frankly, I don’t remember ever seeing an AMD processor in a flagship laptop before 2018. AMD’s return was made possible by a cohort of factors, including Intel’s processor supply constraint and the increasingly competitive performance of AMD’s Ryzen processors.
Maxon’s Cinebench benchmark measures a processor’s performance using the Cinema4D’s rendering engine. The test measures single and multi-threaded performance.
Our model with the Ryzen 5 3580U processor produced 1231 points in multi-core performance and 369 in single-core performance. It trails behind the Intel Core i7-1065G7 in the LG gram 17, but its real competitor is the Intel Core i5-1035G7. Unfortunately, we were unable to obtain a laptop using that processor for benchmarking.
UL PCMark 10
PCMark 10 tests a system's overall performance, not just the processor. Its benchmark suite simulates real-world workloads in spreadsheet processing, word editing, web browsing, video playback, and content creation.
A score of 3848 once again lags behind the LG gram 17 and its Intel Core i7-1065G7 in the Essentials (8820) and Productivity (6869) suites. Interestingly, the Surface Laptop 3 was able to best the LG gram 17 in Digital Content Creation (3285), thanks in part to its beefy integrated Vega graphics.
Geekbench puts the processor through a mix of workload intensities and spits out a score based on the combined total. These include basic arithmetic, image compression, and web processing. It’s a quick and easy benchmark for measuring a processor’s burst performance.
The Ryzen processor was demolished by the Intel Core i7-1065G7. The Intel chip scored 5663 and 14985 in single and multi-core performance respectively.
CrystalDiskMark paints a snapshot of the disk drive's performance at varying queue depths and thread counts. The most important metrics for a consumer mobile device are sequential and random access speeds at low queue depth and low thread count.
It sucks that a laptop in 2020 still starts with just 128GB of storage. Nevertheless, the Surface Laptop 3’s SSD is not slow by any means, scoring nearly 2GB/s and 31MB/s in sequential and random reads respectively.
Synthetic benchmarks are great at slotting a device into a hierarchy, but experience is where it counts.
Despite what the benchmarks show, even the lowest-end Surface Laptop 3 is blazing fast in everyday productivity. It easily handled writing, emails, and general multitasking in applications like Google Chrome, PDFs, Outlook, and various business communication tools like Zoom and Cisco Webex Teams. It also competently handled light editing of RAW image files in Adobe Lightroom. Applying spot removal, cropping, and applying distortion transformation were all very speedy.
This is where the Ryzen mobile processor falls short. My AMD-equipped model struggled to reach a full day of productivity, often hitting power-saving mode at around the 7-hour mark. My day-to-day apps include browser-based applications like the Google suite, watching web conferences, attending remote meetings, and manipulating images.
Keyboard and trackpad
Microsoft’s excellent keyboard returns on the Surface Laptop 3. The large keycaps have a grippy, powder-like finish that prevents fingerprints from accumulating too quickly. Key actuation is soft, quiet, yet very tactile. I had no problem transitioning from my mechanical keyboard to working on the Surface Laptop 3 all day. The keys are backlit with white backlights, making key searching in the dark a thing of the past.
The glass trackpad is spacious and exceptionally smooth as well. Microsoft has seriously improved its trackpad’s accuracy and reliability over the years. The large slab of glass has a velvety-smooth finish that resembles marble.
Compared to the Surface Pro convertible tablet PCs, I much prefer the Surface Laptop 3's keyboard due to its solid base. Its rigidity and weight eliminate keyboard wobble and make it easier to rest on my lap.
Thermal, noise and throttling
Long story short, the Surface Laptop demonstrated excellent thermal management, surely due to a robust cooler and processor optimization efforts.
In AIDA64 Extreme’s CPU stress test with the FPU and cache options enabled, the Surface Laptop 3 barely broke 45 degrees after 15 minutes. The temperature was so low that I had initially thought a faulty temperature probe was misreporting the results. My infrared thermometer showed that the bottom of the laptop reached around 40 degrees, proving that the internal temperature readings weren’t far off.
As robust as the cooling solution is, it couldn’t totally channel heat away from the keyboard. The top left quadrant of the keyboard was uncomfortably hot when the laptop was under sustained load during a major Windows update, and was also bothersome when I edited photos in Adobe Lightroom.
Low temperatures mean more than just less throttling. They also keep the laptop from roasting your legs, and since heat poses a threat to the battery's longevity, they help the battery last longer too.
Despite its tepid load temperatures, the processor’s clock speed still had to throttle from the advertised 3.7GHz boost frequency. At 45C, the Ryzen 5 3580U bounced between 3GHz to 3.4GHz on all cores.
When running day-to-day workloads like web browsing, video streaming, and word processing, the fans are completely inaudible. It’s only during heavy sustained workloads such as batch exports in Lightroom that it starts to whine. Even then, it’s far from annoying.
There's much to love about the Surface Laptop 3. From the solid, premium aluminum build to the brilliant keyboard and picture-perfect display, the Surface Laptop 3 15 has all the marks of a brilliant business device. The USB-C and USB-A ports are enough to juggle multiple devices without a hub most of the time, although an extra USB-C port on the 15-inch model wouldn't hurt.
Most of the Surface Laptop 3's flaws, like the annoying screen brightness issue, can be addressed through software updates. With that said, its base storage needs to be upgraded from 128GB to 256GB. Also, its battery life may struggle to last a single day. This seems like a problem specific to AMD models; other reviews indicate that Intel variants sport much longer battery life.
Performance-wise, AMD's new chips proved that they're capable of keeping pace with Intel's last-generation i7 mobile processors. It's regrettable that we weren't able to test Intel-based models with similar configurations.
It will be interesting to see if Microsoft will continue to source processors from AMD for its next Surface Laptop refresh. At the time of writing, AMD’s new Ryzen 4000 series mobile processors are showing promising performance and efficiency improvements, earning their position in a variety of business designs like the HP ProBook.
Appdome, a no-code mobile integration and solutions platform, announced that it has joined the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors that have integrated their solutions to better defend against a world of increasing threats. Appdome's mission has always been to make integrating security and enhanced functionality into mobile apps fast and efficient with its no-code platform. Joining MISA is a natural extension of that mission. Appdome makes it easy to …
At the Build 2020 conference, Microsoft announced Project Reunion, rolling its Windows desktop API and the Universal Windows Platform (UWP) into a single package.
In its developer blog post, Microsoft defined four focus areas for app development in the coming years:
Unify app development across the billion Windows 10 devices for all current and future apps;
Leaning into the cloud and enabling new scenarios for Windows apps;
Creating new opportunities for developers to build connected apps using Microsoft 365 integration in the Windows experience; and
Making Windows great for developer productivity.
Project Reunion plays into the first point. It combines desktop app libraries and UWP libraries, giving them the ability to communicate with and control elements within each other. This unification enables developers to more easily create apps with better interoperability across device types. In addition, it lets developers update existing applications with new functions.
Microsoft introduced the Universal Windows Platform (UWP) in 2016 to attract developers to the then-barren Windows Store. The main goal back then was to provide a common app platform on every device that runs Windows 10. To achieve this goal, Microsoft introduced a common UWP core API that is identical across Windows 10 devices like desktop, Xbox, IoT, and so on. Cross-API compatibility is achieved through API bridges that translate UWP API calls for apps built on Android and iOS.
Win32, on the other hand, is a Windows API that exposes Windows components (Windows shell, user interface, network services and so forth) to the developer. Nearly all Windows desktop applications use Win32 to some extent.
In recent years, Microsoft has been working to add UWP into platforms that were previously incompatible. That effort eventually led to Project Reunion, finally melding the two together into a decoupled API that can be acquired through platform-agnostic package managers like NuGet.
Microsoft Edge 83 update is rolling out in a phased manner, as opposed to a quicker and wider release. Initially, only devices that fall within an "upgrade value range" will receive major feature updates like this, and the approach will help Microsoft in getting focused feedback. [...]
Google has recently started enabling Windows Hello-based payment feature in Chrome for Windows 10. With the new feature, you will be able to use Windows Hello to autofill credit card's CVC numbers, which are found on the back of cards. [...]
Earlier this month, Microsoft announced the Surface Book 3, which is the company's most powerful laptop with dedicated Nvidia GPU support. Just like the previous generation, Surface Book 3 is available in the same 13- and 15-inch version. [...]
Microsoft has released a security advisory to mitigate the NXNSAttack vulnerability in DNS servers that could be used to amplify a single DNS request into a DDoS attack against authoritative DNS servers. [...]
Microsoft announced today the rollout of a series of new features and enhancements to the Microsoft Teams cloud collaboration platform including improvements to meetings and events, productivity, automation, and scheduling. [...]
Windows 10's built-in Microsoft Defender antivirus solution has many advanced hidden features that allow you to customize how the security software works. Unfortunately, most people do not know these settings exist or even how to access them. [...]
Windows 10 users who upgrade to v2004 will finally be able to switch on a longstanding Windows Defender feature that protects users against potentially unwanted applications (PUAs). What are PUAs? Also called PUPs (potentially unwanted programs), PUAs are applications that often cannot be outright classified as malware, but still violate users' security and privacy interests. Some examples of PUAs: Adware and ad-injectors (software that pushes ads onto users without their permission) Software that tracks how …
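The PUA protection described above is exposed through the built-in Defender PowerShell cmdlets. The following is an added example (not code from the original article) that audits the current setting on a Windows 10 host, confirms the host is at least version 2004 (build 19041), and moves the setting to audit mode first so detections can be reviewed in the event log before enforcement is turned on; run it from an elevated PowerShell session.

```powershell
# Added example: audit and stage Microsoft Defender PUA protection on Windows 10.
# Assumptions: the Defender module (Get-MpPreference / Set-MpPreference) is
# present, which it is on Windows 10, and the session is running as administrator.

# Windows 10 version 2004 corresponds to OS build 19041.
$minBuild = 19041
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt $minBuild) {
    Write-Warning "Build $build is older than Windows 10 2004 ($minBuild); PUA protection support is not guaranteed here."
}

# PUAProtection values: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (detect and log only).
$names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$current = (Get-MpPreference).PUAProtection
Write-Host ("Current PUA protection: {0} ({1})" -f $current, $names[[int]$current])

# Staged rollout: go to audit mode first unless blocking is already enforced.
# Audit mode logs detections without blocking, so users are not disrupted while
# the policy's false-positive rate is assessed.
if ($current -eq 0) {
    Set-MpPreference -PUAProtection AuditMode
    Write-Host "PUA protection set to AuditMode; review detections before switching to Enabled."
}

# Verify the change actually took effect (a tamper-protected or policy-managed
# host can silently keep the old value).
$after = (Get-MpPreference).PUAProtection
Write-Host ("PUA protection is now: {0} ({1})" -f $after, $names[[int]$after])

# Defender writes detection events (ID 1116) to its Operational log. Listing the
# most recent ones is the check a practitioner runs after a period in audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116
} -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "No recent Defender detection events found."
}

# Once the audit-mode detections look acceptable, enforce blocking with:
#   Set-MpPreference -PUAProtection Enabled
```

If the host is managed by Group Policy or Intune, the policy value overrides anything set locally, so the verification step after `Set-MpPreference` is the line that tells you whether the change really applied.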
Graham shares stories of email storms, Carole describes the steps being taken by firms as they try to coax employees back to the office, and special guest Lisa Forte details a hack that has impacted Lady Gaga and other celebrities.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veterans Graham Cluley and Carole Theriault.
The May 2020 Patch Tuesday security updates have recently been released, with 111 patched vulnerabilities related to 12 different Microsoft products, such as Windows, Edge, Visual Studio, and the .NET Framework. The tech giant issued 115 patches in March and 113 in April this year and the May 2020 edition turned out to be the third-largest Patch Tuesday ever seen. This month’s batch did not contain any zero-days.
As always, Heimdal Security advises you to apply these patches at your earliest convenience. None of the bugs have been identified as being actively exploited or publicly disclosed before now. Still, if you're running Windows on your endpoints, it's high time to get these security flaws patched.
Read on to learn more about the May 2020 Patch Tuesday.
May 2020's batch of Microsoft patches, the third-biggest ever released
May is the third month in a row in which Microsoft rolled out patches for more than 110 security vulnerabilities in its operating system and associated software. Luckily, there don't seem to be any zero-day vulnerabilities to be fixed. However, there are certain bugs in Windows that need to be kept in mind and addressed.
At least 16 of the vulnerabilities are marked as “Critical,” indicating they can be abused by cybercriminals to install malware or gain remote control of compromised systems with little to no user intervention.
Significant vulnerabilities to be noted
Below we’ve listed a few instances you should consider.
This month, Microsoft fixed three critical Microsoft Edge vulnerabilities that could enable intruders to execute remote code by tricking users into visiting a specially crafted website. If abused, these flaws might allow malicious hackers to execute commands with full admin rights on the targeted device. At the same time, a bug in the Color Management Module (ICM32.dll) allows code execution after cybercriminals have fooled users into accessing infected websites. There is also a remote code execution vulnerability in Windows.
CVE-2020-1056 | Microsoft Edge Elevation of Privilege Vulnerability
Under this scenario, there is an elevation of privilege risk as Microsoft Edge does not fully implement cross-domain policies, which could enable intruders to access and inject data from one domain into another.
Attackers would have to host a malicious website used to exploit the vulnerability. Intruders have no means to force users to access the manipulated content; they would have to trick people into clicking a link that redirects the victims to the attackers' website.
An intruder who abuses this flaw successfully can escalate privileges in affected versions of Microsoft Edge. This security update addresses the vulnerability by making sure Microsoft Edge enforces cross-domain policies correctly.
Should attackers convince users to access a malicious link, the attackers’ website “could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services”.
This patch fixes a bug by changing how HTTP responses are parsed via Microsoft Edge.
CVE-2020-1096 | Microsoft Edge PDF Remote Code Execution Vulnerability
The CVE-2020-1096 vulnerability refers to the way Microsoft Edge handles objects in memory. More precisely, this vulnerability has the potential to corrupt memory, enabling malicious actors to execute arbitrary code on the machine.
Once successfully exploited, the bug would allow attackers to obtain the same user rights as the victim. Should the current user be logged on with full admin rights, the cybercriminal could completely take over the affected endpoint and perform malicious actions.
This kind of attack could be triggered if users are tricked into accessing the attackers’ website, where malicious PDF content would have to be stored.
CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability
This bug is connected to the faulty way in which the Color Management Module (ICM32.dll) handles objects in memory. Users with full admin rights are heavily impacted, since the vulnerability would permit malicious hackers to completely take control of the targeted systems, allowing them to “install programs; view, change, or delete data; or create new accounts with full user rights”.
Similar to the abovementioned attack scenarios leveraged by this Patch Tuesday’s addressed vulnerabilities, in this case, users would also have to be fooled into entering malicious websites belonging to the attackers or opening infected email attachments.
The newly released security update corrects the improper way in which Windows handles objects in memory. An intruder who effectively abused the flaw would be able to run arbitrary code with elevated rights on a targeted machine. An attacker who has a domain user account may craft a specially designed request to exploit the bug, causing Windows to run arbitrary code with elevated permissions.
Did you know that 100% of vulnerabilities in Microsoft browsers and 93% in Windows OS can be mitigated by removing local admin rights?
Our unique privileged access management (PAM) tool, Thor AdminPrivilege, allows you to efficiently manage admin rights inside your organization. It is the only solution that enables you to both escalate and de-escalate user privileges and the only tool that automatically de-escalates user rights on infected endpoints (when used in tandem with the Enterprise version of Thor Foresight, Thor Vigilance or Thor Premium).
System admins waste 30% of their time manually managing user rights or installations.
Thor AdminPrivilege is the automatic Privileged Access Management (PAM) solution which frees up huge chunks of sys-admin time.
It automates the elevation of admin rights on request.
We would also like to remind you that many of the bugs patched in today's Microsoft patch batch impact Windows 7 operating systems, which no longer receive security updates unless your company has signed up for Microsoft's Windows 7 Extended Security Updates (ESU) paid service. If you are still running Windows 7 on any of your devices, Heimdal Security advises you to upgrade to Windows 10.
All of our Thor Foresight Enterprise and X-Ploit Resilience customers are always being provisioned in a timely manner with the latest Microsoft patches (both Windows and 3rd party) in a timely manner. Sign up for a free demo to learn how automated patch management can add a powerful layer of defense to your organization.
Antivirus is no longer enough to keep an organization’s systems secure. Thor Foresight Enterprise is our next-gen proactive shield that stops unknown threats before they reach your system:
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media was found to have left a database open, exposing thousands of customer records, and T-Mobile's email vendor was hacked, resulting in a breach of customer and employee personal data. International hotel chain Marriott reported that 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriott's online breach notification, the stolen data included guest name, address, email address, phone number, loyalty account number and points balance, employer, gender, birthday (day and month only), airline loyalty programme information, and hotel preferences. It was only on 30th November 2018 that Marriott disclosed a breach affecting 383 million guests. Tony Pepper, CEO at Egress, said “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO”
On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"
If that's the case, let's talk security - I'd like to ask the entire RSA Conference just 1 simple cyber security question -
Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?
If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.
If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:
Does our organization know exactly -
Q 1. Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
Q 2. Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
Q 3. Who can reset the passwords of, or disable the smart card requirement on, all Domain Admin-equivalent privileged accounts?
Q 4. Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
Q 5. Who can change or control who has what privileged access in our Active Directory?
If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.
This is Paramount
If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.
Just ask the world famous and globally trusted $10 Billion cyber security company CrowdStrike, and here's a quote from them - "A secure Active Directory environment can mitigate most attacks."
Zero out of 1000
There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to 5 simple questions asked above? The answer is 0.
Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.
That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.
The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.
There's only 1 company on planet Earth that possesses this key, and it's not going to be at the RSA Conference 2020 - this one.
UK Gov agrees to 'limited' Huawei involvement within UK 5G
UK business-targeted ransomware continues to rear its ugly head in 2020; this time the operations of global foreign exchange firm Travelex were brought to a shuddering halt after a major ransomware attack took down its IT systems. Travelex services impacted included its UK business, international websites, mobile apps, and white-labelled services for the likes of Tesco, Sainsbury's, Virgin Money, Barclays and RBS. The ransomware in question was named as Sodinokibi, with numerous media reports strongly suggesting that it infiltrated the Travelex network through unpatched, vulnerable Pulse Secure VPN servers, which the National Cyber Security Centre had apparently detected and warned Travelex about many months earlier. There could be some truth in this, given that Sodinokibi is known to gain entry through remote access systems, including vulnerable Pulse Secure VPN servers. The cybercriminal group behind the attack, also known as Sodin and REvil, demanded £4.6 million in ransom and also claimed to have taken 5 GB of Travelex customer data. Travelex reported that no customer data had been breached; however, its money exchange services remained offline for well over two weeks after it reported the incident, with the firm advising that it expected most of its travel exchange services to be back in operation by the end of January.
It seems every month I report a massive data breach caused by a misconfigured cloud server, but I never expected one of the leading global cloud providers, Microsoft, to be caught out by such a schoolboy error. Microsoft reported that a misconfiguration of its Elasticsearch servers exposed 250 million customer support records between 5th and 19th December 2019. Some of the non-redacted data exposed included customer email addresses; IP addresses; locations; descriptions of customer support claims and cases; Microsoft support agent emails; case numbers, resolutions and remarks; and confidential internal notes. It is not known whether any unauthorised parties accessed any of the leaked data.
The Dallas County Attorney finally applied some common sense, dropping charges against two Coalfire red teamers. The two Coalfire employees had been arrested on 11th September 2019 while conducting a physical penetration test of the Dallas County courthouse. The Perry News quoted a police report which said that upon arrest the two men stated “they were contracted to break into the building for Iowa courts to check the security of the building”. After the charges were dropped at the end of January, Coalfire CEO Tom McAndrew said, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement”, adding, “We’re grateful to the global security community for their support throughout this experience.”
Support for Windows 7 has ended, leaving Marcy wondering how they can protect themselves
I do a lot of work on a Windows 7 desktop PC that is about five years old. I’m a widow and can’t afford to run out and get a new PC at this time, or pay for Windows 10. If I do stay with Windows 7, what should I worry about, and how can I protect myself? I have been running Kaspersky Total Security for several years, which has worked well so far. Marcy
Microsoft Windows 7 – launched in 2009 – came to the end of its supported life on Tuesday. Despite Microsoft’s repeated warnings to Windows 7 users, there may still be a couple of hundred million users, many of them in businesses. What should people do next?
US agency revealed flaw that could be exploited by hackers to create malicious software
Microsoft is rolling out a security fix to Windows 10 after the US National Security Agency (NSA) warned the popular operating system contained a highly dangerous flaw that could be used by hackers. Reporting the vulnerability represents a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.
The NSA revealed during a press conference on Tuesday that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. The flaw “makes trust vulnerable”, the NSA director of cybersecurity, Anne Neuberger, said in a briefing call to media on Tuesday.
Exclusive: former Microsoft contractor says he was emailed login after minimal vetting
A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.
The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor.
Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more than 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.
In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.
So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?
Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.
Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?
Today, all you need is two WDs in the same (pl)ACE and it's Game Over.
Puzzled? Allow me to give you a HINT:
Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.
If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.
Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are a dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.
They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.
If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)
Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.
PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)
PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)
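The hint points at a security descriptor, and the most compact way to read an Active Directory security descriptor is its SDDL string, in which every ACE is written as (type;flags;rights;object-guid;inherit-guid;trustee) and both the rights and the well-known trustees are two-letter tokens (as a right, WD is WRITE_DAC; as a trustee, WD is Everyone). The PowerShell below is an added example, not code from the original post or from its author: it decodes a DACL from SDDL and flags Allow ACEs in which a broad principal (Everyone, Authenticated Users, Domain Users and similar) holds a right that lets it rewrite the ACL or exercise every extended right on the object. The sample SDDL is constructed for the demonstration; on a live domain you would feed it the string returned by (Get-Acl "AD:\<domain DN>").Sddl.

```powershell
# Added example (not from the original post): decode an AD security descriptor from
# SDDL and flag Allow ACEs that hand a broad principal an ACL-rewriting right.
# Pure string processing, so it runs offline; the live-domain call is at the bottom.

# Two-letter SDDL trustee abbreviations (subset; raw S-1-... SIDs are left as-is).
$SidAbbrev = @{
    'WD' = 'Everyone';       'AU' = 'Authenticated Users'; 'BU' = 'BUILTIN\Users'
    'DU' = 'Domain Users';   'DC' = 'Domain Computers';    'DG' = 'Domain Guests'
    'AN' = 'Anonymous';      'PS' = 'Principal Self';      'DA' = 'Domain Admins'
    'EA' = 'Enterprise Admins'; 'BA' = 'BUILTIN\Administrators'; 'SY' = 'SYSTEM'
}
# Two-letter SDDL access-right abbreviations.
$RightAbbrev = @{
    'GA' = 'GENERIC_ALL'; 'GR' = 'GENERIC_READ'; 'GW' = 'GENERIC_WRITE'; 'GX' = 'GENERIC_EXECUTE'
    'RC' = 'READ_CONTROL'; 'SD' = 'DELETE'; 'WD' = 'WRITE_DAC'; 'WO' = 'WRITE_OWNER'
    'RP' = 'READ_PROP'; 'WP' = 'WRITE_PROP'; 'CC' = 'CREATE_CHILD'; 'DC' = 'DELETE_CHILD'
    'LC' = 'LIST_CHILDREN'; 'SW' = 'SELF_WRITE'; 'LO' = 'LIST_OBJECT'; 'DT' = 'DELETE_TREE'
    'CR' = 'CONTROL_ACCESS'
}
# Trustees that should never hold the rights below on a sensitive object.
$BroadPrincipals = 'WD', 'AU', 'BU', 'DU', 'DC', 'DG', 'AN'
# WD/WO let the holder rewrite the DACL or take ownership; GA/GW include them;
# CR with an empty object GUID is every extended right (replication rights included).
$DangerousRights = 'GA', 'GW', 'WD', 'WO', 'CR'

function Split-SddlTokens([string]$Field) {
    # Rights and flags are packed as two-letter tokens. A rights field may instead be a
    # raw hex access mask (0x...), which this example reports but does not decode.
    if ($Field -like '0x*') { return ,$Field }
    $tokens = @()
    for ($i = 0; $i + 1 -lt $Field.Length; $i += 2) { $tokens += $Field.Substring($i, 2) }
    return ,$tokens
}

function Get-DangerousAces([string]$Sddl) {
    $dacl = ($Sddl -split 'D:', 2)[1]           # everything after the DACL marker
    if ($null -eq $dacl) { return ,@() }
    $dacl = ($dacl -split 'S:', 2)[0]           # drop a trailing SACL if present
    $findings = @()
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }
        $type, $flags, $rights, $objGuid, $inhGuid, $sid = $f[0..5]
        if ($type -ne 'A') { continue }          # Deny ACEs grant nothing (and are not modelled here)
        if ($BroadPrincipals -notcontains $sid) { continue }
        $hits = @(Split-SddlTokens $rights | Where-Object { $DangerousRights -contains $_ })
        if ($hits.Count -eq 0) { continue }
        $target = if ($objGuid) { $objGuid } else { '(all)' }
        $findings += [pscustomobject]@{
            Trustee     = $SidAbbrev[$sid]
            Rights      = ($hits | ForEach-Object { $RightAbbrev[$_] }) -join ','
            ObjectGuid  = $target               # for CR: which extended right, or every one
            InheritOnly = (Split-SddlTokens $flags) -contains 'IO'   # IO = applies to children only
        }
    }
    return ,$findings
}

# Constructed sample (not taken from any real domain): a Domain Admins full-control
# entry, the read entry Authenticated Users normally holds, and a hypothetical
# non-default ACE that hands Authenticated Users WRITE_DAC and WRITE_OWNER.
$sample = 'O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)(A;CI;WPWDWO;;;AU)'
Get-DangerousAces $sample | Format-Table -AutoSize
# Expected: one row, Authenticated Users with WRITE_DAC,WRITE_OWNER on (all), InheritOnly False.

# Live use (requires the RSAT ActiveDirectory module on a domain-joined host):
# Get-DangerousAces (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Sddl
```

The decoder deliberately looks only at Allow ACEs and at the trustee named in each ACE; it does not expand group membership or weigh Deny entries, so its output is a list of suspicious ACEs rather than the effective permissions the post goes on to discuss.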
Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.
Cyber Security 101
Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?
You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.
The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while it's true that at its simplest it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory to the point of sheer irresponsible cyber negligence, because "Who really cares about just a phone book?"
In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly the negligence resulting from such a simplistic view of Active Directory is likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.
Again, after all, who cares about a phone book?!
Active Directory - The Very Foundation of Organizational Cyber Security Worldwide
If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -
An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.
The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.
In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the risk of complete, swift and colossal compromise.
Active Directory Security Must Be Organizational Cyber Security Priority #1
Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.
For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)
In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.
A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, December 2019.
Happy New Year! The final month of the decade was a pretty quiet one as major security news and data breaches go, given that cyber attacks have become the norm over the past decade. The biggest UK media security story was saved for the very end of 2019, with the freshly elected UK government apologising after it accidentally published online the addresses of the 1,097 New Year Honours recipients. Among the addresses posted were those of Sir Elton John, cricketer and BBC 'Sports Personality of the Year' Ben Stokes, former Conservative Party leader Iain Duncan Smith, 'Great British Bake Off' winner Nadiya Hussain, and former Ofcom boss Sharon White. The Cabinet Office said it was "looking into how this happened"; it probably comes down to 'user error' in my view.
An investigation by The Times found Hedge funds had been eavesdropping on the Bank of England’s press conferences before their official broadcast after its internal systems were compromised. Hedge funds were said to have gained a significant advantage over rivals by purchasing access to an audio feed of Bank of England news conferences. The Bank said it was "wholly unacceptable" and it was investigating further. The Times claimed those paying for the audio feed, via the third party, would receive details of the Bank's news conferences up to eight seconds before those using the television feed - potentially making them money. It is alleged the supplier charged each client a subscription fee and up to £5,000 per use. The system, which had been misused by the supplier since earlier this year, was installed in case the Bloomberg-managed television feed failed.
A video showing a hacker talking to a young girl in her bedroom via her family's Ring camera was shared on social media. The hacker tells the young girl: "It's Santa. It's your best friend." The Motherboard website reported that hackers were offering software making it easier to break into such devices. Ring owner Amazon said the incident was not related to a security breach, but that the compromise was due to credential stuffing, stating "Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services."
Finally, a Microsoft Security Intelligence Report concluded what all security professionals know well: that implementing Multi-Factor Authentication (MFA) would have thwarted the vast majority of identity attacks. The Microsoft study found that reusing passwords across multiple account-based services is still common; of nearly 30 million users and their passwords, password reuse and modification was common for 52% of users. The same study also found that 30% of the modified passwords and all of the reused passwords could be cracked within just 10 guesses. This behaviour puts users at risk of a breach replay attack: once a threat actor gets hold of spilled credentials or credentials in the wild, they try the same credentials against other services to see if there is a match.
In recent years politically motivated cyber attacks during elections have become an expected norm, so it was no real surprise when the Labour Party reported it had been hit with two DDoS attacks in the run-up to the UK general election, which was well publicised by the media. What wasn't well publicised was that both the Conservative Party and the Liberal Democrats were also hit with cyber attacks. These weren't nation-state orchestrated attacks either; the black hat hacking group Lizard Squad, well known for its high-profile DDoS attacks, is believed to be the culprit.
The launch of Disney Plus didn’t go exactly to plan: within hours of the streaming service going live, compromised Disney Plus account credentials were being sold on the black market for as little as £2.30 a pop. Disney suggested hackers had obtained customer credentials from previously leaked identical credentials, as used by their customers on other compromised or insecure websites, and from keylogging malware. It's worth noting that Disney Plus doesn’t use Multi-Factor Authentication (MFA); implementing MFA to protect customer accounts would have prevented the vast majority of Disney Plus account compromises in my view.
Trend Micro reported that an insider stole around 100,000 customer account records, with the data then used by con artists to make convincing scam phone calls impersonating the company to a number of its customers. In a statement, Trend Micro said it had determined the attack was an inside job: an employee used fraudulent methods to access its customer support databases, retrieved the data and then sold it on. “Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” the company said. The employee behind it was identified and fired, and Trend Micro said it is working with law enforcement in an ongoing investigation.
Microsoft released patches for 74 vulnerabilities in November, including 13 rated critical. One of these was an Internet Explorer scripting engine memory corruption vulnerability (CVE-2019-1429), known to be actively exploited, which can be triggered by visiting a malicious website or via an ActiveX control embedded in an Office document that hosts the IE rendering engine.
It was a busy month for blog articles and threat intelligence news, all are linked below.
This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -
If that's the case, let's talk - I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -
Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?
For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.
For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -
Q 1. Should your organization's foundational Active Directory be compromised, what could be its impact?
Q 2. Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
Q 3. If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
Q 4. If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!
You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s)?!
Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.
Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.
Today, to give a hint for the answer to this 1 question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
What's the World's Most Important Active Directory Security Capability?
A few days ago I asked a (seemingly) very simple question ; no I'm not referring to this one, I'm referring to this one here -
Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?
Here's why I did so - While there's a lot of info out there on the WWW about how to use Mimikatz DCSync, and/or how to detect its use, there isn't one other single correct piece of guidance out there on how to mitigate the risk posed by Mimikatz DCSync.
So, as promised, today I am (literally) going to show you exactly how thousands of organizations worldwide can now easily and demonstrably actually mitigate the very serious cyber security risk posed to their foundational security by Mimikatz DCSync.
In light of what I've shared below, organizations worldwide can now easily mitigate the serious risk posed by Mimikatz DCSync.
First, A Quick Overview
For those who may not know, and there are millions who don't, there are three quick things to know about Mimikatz DCSync.
Mimikatz DCSync is a feature of Mimikatz, the Windows security tool created by the brilliant Mr. Benjamin Delpy, whose work over the years has very likely caused Microsoft a lot of pain ;-) but has also helped substantially enhance Windows security.
Mimikatz DCSync targets an organization's foundational Active Directory domains: it impersonates a domain controller and asks a real domain controller to replicate directory data, so any attacker who holds sufficient privileges to replicate sensitive content from Active Directory instantly gets access to literally everyone's credentials (password hashes included), without ever touching a DC's disk or memory!
Thus far, the only guidance out there is on how to DETECT its use, but this is one of those situations wherein if you're having to rely on detection as a security measure, then it's unfortunately already TOO late, because the damage has already been done.
Detection Is Hardly Sufficient
They say a picture's worth a thousand words, so perhaps I'll paint a picture for you. Relying on detection as a security measure against Mimikatz DCSync is akin to this -
Let's say a nuclear weapon just detonated in a city, and the moment it did, detection sensors alerted the city officials about the detonation. Well, within the few seconds in which they received the alert, the whole city would already have been obliterated, i.e. by the time you get the alert, literally everyone's credentials (including those of all privileged users) would already have been compromised!
Make no mistake about it - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory domain is tantamount to a complete forest-wide compromise, and should be considered a massive organizational cyber security breach, the only way to recover from which is to completely rebuild the entire Active Directory forest from the ground up!
This is why detection is grossly insufficient as a security measure, and what organizations need is the ability to prevent the use of Mimikatz DCSync against their foundational Active Directory domains; thus the ability to mitigate this risk is paramount.
How to Mitigate Mimikatz DCSync
The key to mitigating this risk lies in identifying what it technically takes to be able to successfully use Mimikatz DCSync.
Specifically, if you know exactly what privileges an attacker needs to be able to successfully use Mimikatz DCSync against your Active Directory domain, then by ensuring that only highly-trustworthy, authorized individuals (and not a single other individual) actually currently possess those required privileges in your IT infrastructure, you can easily mitigate this risk.
Technically speaking, all that an attacker needs to successfully use Mimikatz DCSync is sufficient effective permissions on the domain root object of an Active Directory domain for the replication control access rights, namely "Replicating Directory Changes" (DS-Replication-Get-Changes) and, critically, "Replicating Directory Changes All" (DS-Replication-Get-Changes-All), the latter being the one that exposes secret attributes such as password hashes. So all that organizations need to do is accurately identify exactly who has these effective permissions on the domain root object of each of their Active Directory domains.
While by default only the default administrative Active Directory security groups (and domain controllers) are granted these permissions, most Active Directory deployments have been around for years and have likely gone through a substantial amount of access provisioning, so in most Active Directory deployments many more individuals than merely the members of the default AD admin groups may have this highly sensitive effective permission, granted either directly or via group membership, some of which may be direct, whilst others may be via nested group memberships, resulting in a potentially large and unknown attack surface today.
Now, it is paramount to understand ONE subtle but profound difference here - it is NOT who has what permissions on the domain root that matters, but who has what effective permissions on the domain root that matters, and this difference could be the difference between a $100 B organization being completely compromised or being completely protected from compromise.
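As an added example (not the author's tooling and not code from the original post), the following PowerShell does the first part of that work: it reads the ACL on the domain head, keeps only the ACEs that grant a replication control access right (or GenericAll, which includes every extended right), and expands group trustees to their leaf members. It is the check a practitioner would run to answer Q1 of the RSA list earlier on this page as well as the question this section poses. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain head; the two GUIDs are the well-known rightsGuid values of the control access rights, not assumptions.

```powershell
# Added example, not code from the original post. Lists who holds a replication
# control access right on the domain head, with group trustees expanded to members.
Import-Module ActiveDirectory

# rightsGuid values of the two control access rights DCSync needs.
$DsReplGetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$DsReplGetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

function Expand-Trustee {
    # Returns the leaf principals behind an ACE trustee: the trustee itself if it is a
    # user, computer or non-AD principal (e.g. NT AUTHORITY\SYSTEM), otherwise the
    # flattened (nested) membership of the group.
    param([System.Security.Principal.IdentityReference]$Trustee)
    try   { $sid = $Trustee.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return ,$Trustee.Value }
    try   { $group = Get-ADGroup -Identity $sid -ErrorAction Stop }
    catch { return ,$Trustee.Value }
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    if (-not $members) { return ,"$($Trustee.Value) (group with no members)" }
    return @($members | ForEach-Object { "$($_.objectClass) $($_.distinguishedName)" })
}

function Get-DcSyncPrincipals {
    param(
        [string]$DomainDN  = (Get-ADDomain).DistinguishedName,
        [Guid]  $RightGuid = $DsReplGetChangesAll
    )
    $AR  = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    $allowed = @{}; $denied = @{}
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs apply to child objects, not to the domain head itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $r = $ace.ActiveDirectoryRights
        $grantsAll       = ($r -band $AR::GenericAll) -eq $AR::GenericAll
        $grantsThisRight = (($r -band $AR::ExtendedRight) -ne 0) -and
                           ($ace.ObjectType -eq $RightGuid -or $ace.ObjectType -eq [Guid]::Empty)  # empty GUID = every extended right
        if (-not ($grantsAll -or $grantsThisRight)) { continue }
        $bucket = if ($ace.AccessControlType -eq 'Allow') { $allowed } else { $denied }
        foreach ($p in Expand-Trustee $ace.IdentityReference) { $bucket[$p] = $ace.IdentityReference.Value }
    }
    # A Deny ACE takes precedence over an Allow for the same principal; drop anyone explicitly denied.
    $allowed.Keys | Where-Object { -not $denied.ContainsKey($_) } | Sort-Object |
        ForEach-Object { [pscustomobject]@{ Principal = $_; GrantedVia = $allowed[$_] } }
}

# DCSync needs both rights; review each list against the accounts you consider
# Domain Admin-equivalent, and treat anything else as an entry to remove.
Get-DcSyncPrincipals -RightGuid $DsReplGetChangesAll | Format-Table -AutoSize
Get-DcSyncPrincipals -RightGuid $DsReplGetChanges    | Format-Table -AutoSize
```

This is an approximation of effective permissions, not the real thing: it expands nested groups and honours explicit Deny entries, but it does not account for object ownership (an owner can always grant itself rights), for WriteDacl or WriteOwner on the domain head (either of which lets a principal grant itself the replication rights), or for token details such as SID history. That gap between listing the ACEs on an object and computing who can actually exercise a right is precisely the distinction the preceding paragraph draws.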
The Key - Active Directory Effective Permissions
If you've followed what I've shared above, then you'll agree and understand that the key to being able to successfully mitigate the serious risk posed by Mimikatz DCSync lies in being able to accurately determine effective permissions in Active Directory.
In fact, Effective Permissions are so important, essential and fundamental to Windows and Active Directory security that of the four tabs in the Advanced Security Settings dialog of Microsoft's Active Directory management tooling, one entire tab is dedicated to Effective Permissions.
Unfortunately, it turns out that not only is Microsoft's native Effective Permissions tab not always accurate, it is substantially inadequate, and while I could elaborate on that, I'd rather let you come to the same conclusion yourself: its ONE glaring inadequacy will be self-evident the moment you attempt to use it to find out exactly who, amongst the thousands of domain user account holders in your Active Directory domain(s), actually has the required effective permissions, because it answers the question for one principal at a time rather than for everyone. In fact, the same is true of all tools/scripts that rely on Microsoft's APIs to do so, such as this dangerously inaccurate free tool.
Fortunately, in a world whose population is 7,000,000,000+ today, thanks to one (1) inconsequential individual, there's hope...
Finally, How to Easily and Reliably Mitigate the Risk Posed by Mimikatz DCSync
Here's a very short (and perhaps boring but insightful) video on how organizations worldwide can reliably mitigate this risk -
Note: This is NOT intended to demonstrate our unique tooling. It is solely intended to show what it takes to mitigate this serious risk. We have no particular interest in licensing our unique tooling to anyone. As such, over the years, we have NEVER, not once, pitched our tooling to anyone; we've had almost 10,000 organizations worldwide knock at our doors completely unsolicited, so I hope that makes this point unequivocally.
Thus, as seen in the short video above, with the right guidance (knowledge) and capability (tooling), organizations worldwide can now easily and reliably mitigate the serious cyber security risk posed by Mimikatz DCSync to their foundational security.
Complete, illustrated, step-by-step details on how to easily and correctly mitigate Mimikatz DCSync can now be found here.
I'll say this one last time - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory is tantamount to a forest-wide compromise and constitutes a massive cyber security breach, which is why mitigation is paramount.
Hello again. From today onwards, as I had promised, it is finally TIME for us to help SAFEGUARD Microsoft's Global Ecosystem.
Before I share how we uniquely do so, or answer this paramount question, or ask more such ones, I thought I'd ask likely the most important question that today DIRECTLY impacts the foundational cyber security of 1000s of organizations worldwide.
Here It Is -
What Is the 1 Essential Cyber Security Capability Without Which NOT a single Active Directory object, domain, forest or deployment can be adequately secured?
A Hint
I'll give you a hint. It controls exactly who is denied and who is granted access to literally everything within Active Directory.
In fact, it comes into play every time anyone accesses anything in any Active Directory domain in any organization worldwide.
Make No Mistake
Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.
Only 2 Kinds of Organizations
Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability do not have the means to adequately protect their foundational Active Directory deployments, and thus by logic are provably and demonstrably insecure.
If you know the answer, feel free to leave a comment below. I'll answer this question right here, likely on July 04, 2018.
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.
Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.
Disclaimer: I'm not making any value judgment about Lenovo; I'm merely basing this on what's already been said.
As you know, Microsoft has been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to its latest operating system, Windows 10, which, albeit far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to privacy.
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we figured we'd refresh our workforce's PCs. Now, of the major choices available from several reputable PC vendors, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (and one that was decently trustworthy, considering that most of the world is running its operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.
Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.
Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!
Windows Update Downloaded and Installed an Untrusted Self-Signed Lenovo Device Driver on Microsoft Surface! -
Within minutes, Windows Update had automatically downloaded and installed, amongst other packages (notably Surface Firmware), an untrusted self-signed Kernel-mode device driver, purportedly "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)", on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!
Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -
We couldn't quite believe this. How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft Surface device?
So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -
We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)
Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -
Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -
It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!
As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.
Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -
When we opened that location, we found thirteen items, including six drivers -
Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -
Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft Surface, and all it is signed by is a test certificate, and who knows who wrote this driver!
Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.
If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.
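As an added example (not code from the original post), the following PowerShell performs the two checks a practitioner would want after reading the above: it audits every .sys file in the Driver Store for a signature that fails chain validation or was made with a WDK test certificate, and it lists what Windows Update has installed, via the Windows Update Agent COM API. It uses only built-in Windows 10 cmdlets and must run elevated. The 'WDKTestCert' subject match is an assumption based on the default name the WDK gives test-signing certificates, and the title pattern for driver packages follows the "Vendor - Class - Device" format shown in the post's snapshot.

```powershell
# Added example, not code from the original post. Run elevated on Windows 10.

function Get-SuspectDriver {
    # Walks the Driver Store and reports any kernel-mode driver whose
    # Authenticode signature did not validate (untrusted root, no signature,
    # hash mismatch) or whose signer is a WDK test certificate.
    param([string]$Root = (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'))

    Get-ChildItem -Path $Root -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # Assumption: test certs created by the WDK/Visual Studio are named 'WDKTestCert ...'.
        $isTestCert = $signer -match 'WDKTestCert'
        if ($sig.Status -ne 'Valid' -or $isTestCert) {
            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = $signer
                Message = $sig.StatusMessage
                Created = $_.Directory.CreationTime   # ties the package to the install time in the WU log
            }
        }
    }
}

function Get-WindowsUpdateDriverHistory {
    # Reads the Windows Update history through the WUA COM API and keeps the
    # entries whose title looks like a driver package ('Vendor - Class - Device').
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $results  = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $searcher.QueryHistory(0, $total) | ForEach-Object {
        [pscustomobject]@{
            Date   = $_.Date
            Result = $results[[int]$_.ResultCode]
            Title  = $_.Title
        }
    } | Where-Object { $_.Title -match '^\S.* - .* - ' }
}

Get-SuspectDriver | Format-List
Get-WindowsUpdateDriverHistory | Sort-Object Date -Descending | Format-Table -AutoSize
```

A driver reported by the first function with a Status of UnknownError and a StatusMessage about a root certificate that is not trusted is exactly the situation described in the post; comparing its Created time with the dates from the second function shows whether Windows Update was the channel that delivered it.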
It is thus hard to believe that a Windows Kernel-mode driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.
To us, this is unacceptable, alarming and deeply concerning, and here's why.
We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device by this device's vendor's (i.e. Microsoft's) own product's (the Windows operating system's) update program!
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.
How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!
This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?
This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?
In our case, it just so happened that we were in front of this device during this Windows Update process, and that's how we noticed this; by the way, after it was done, it gave the familiar "Your device is up to date" message.
Speaking of which, here's another equally important question - for all organizations that are using Microsoft Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!
Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!
Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.
In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows Update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.
If I Were Microsoft, I'd Send a Plane
Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.) Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package
Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than Microsoft Windows and Microsoft Surface?! -
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.
Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that.
All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."
For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.
Most respectfully, Sanjay
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but I never heard back from anyone at Microsoft in this regard again.
PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.
Active Directory Security Goes Mainstream Cyber Security
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -
1. Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker's, perpetrator's and penetration-tester's arsenal.
2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help answer "Who can become Domain Admin?" From that point on, BloodHound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.
3. On June 08, 2017, CyberArk, a billion-dollar-plus cyber-security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, and released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.
4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast, penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts", citing that Active Directory recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!
5. On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits an NTLM relay attack, and in effect could allow an individual to impersonate an already privileged user and enact certain LDAP operations to gain privileged access.
6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.
7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference, titled The Active Directory Botnet, introduced the world to a new attack technique that exploits the default access granted to all Active Directory users to set up command and control servers within organizations worldwide. This too made waves.
8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.
9. On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.
Helping Defend Microsoft's Global Customer Base (i.e. 85% of Organizations Worldwide)
Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...
...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.
Here are the answers to the Top-5 questions I am frequently asked -
You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?
Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.
Speaking of which, how big is Paramount Defenses?
At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. citizens, and to date, the entirety of our R&D team are former Microsoft employees.
If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.
Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?
The simple answer to this question - For Security Reasons.
At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.
As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.
Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.
You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.
It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR many more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.
This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.
In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security expert and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.
What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"
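To make the distinction between "who has what permissions" and "who has what effective permissions" concrete, here is an added PowerShell model (not code from the original post or from any vendor's tool) of how an access check walks a DACL: explicit Deny ACEs come first, a Deny matching any group in the caller's token for a still-ungranted right wins, and Allow ACEs accumulate until every requested bit is granted. The principals, nested groups and ACEs are constructed for the illustration, and the model omits inheritance, object-type GUIDs, ownership and privileges, so it is a sketch of the real algorithm rather than a replacement for it.

```powershell
# Added example, not code from the original post or from any vendor's tooling.
# All principals, groups and ACEs below are constructed for the illustration.

$Rights = @{ ReadProperty = 0x10; WriteProperty = 0x20; ExtendedRight = 0x100; WriteDacl = 0x40000 }

# Constructed nesting: principal -> groups it is a direct member of.
$MemberOf = @{
    'alice'    = @('HelpDesk')
    'bob'      = @('Tier2')
    'HelpDesk' = @('ServiceDesk-All')
    'Tier2'    = @('ServiceDesk-All', 'NoDelegation')
}

function Get-Token {
    # Every SID the access check will match: the principal itself plus each
    # group reached through nested membership (breadth-first, cycle-safe).
    param([Parameter(Mandatory)][string]$Principal)
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Queue]::new()
    $queue.Enqueue($Principal)
    while ($queue.Count) {
        $p = $queue.Dequeue()
        if (-not $seen.Add($p)) { continue }
        foreach ($g in @($MemberOf[$p])) { if ($g) { $queue.Enqueue($g) } }
    }
    return $seen
}

function Test-EffectiveAccess {
    # Walks the DACL in order (canonical order lists explicit Deny ACEs first).
    # A matching Deny covering any requested bit not yet granted fails the check;
    # matching Allows accumulate bits until all requested bits are granted.
    # No matching ACE at all means access is denied.
    param([object[]]$Dacl, [string]$Principal, [int]$Requested)
    $token   = Get-Token -Principal $Principal
    $granted = 0
    foreach ($ace in $Dacl) {
        if (-not $token.Contains($ace.Trustee)) { continue }
        $remaining = $Requested -band (-bnot $granted)
        if ($ace.Type -eq 'Deny' -and ($ace.Mask -band $remaining)) { return $false }
        if ($ace.Type -eq 'Allow') { $granted = $granted -bor ($ace.Mask -band $Requested) }
        if (($granted -band $Requested) -eq $Requested) { return $true }
    }
    return $false
}

# Constructed DACL on an OU, Deny first as Windows orders it.
$Dacl = @(
    @{ Type = 'Deny';  Trustee = 'NoDelegation';    Mask = $Rights.WriteDacl }
    @{ Type = 'Allow'; Trustee = 'ServiceDesk-All'; Mask = ($Rights.ReadProperty -bor $Rights.WriteProperty) }
    @{ Type = 'Allow'; Trustee = 'Tier2';           Mask = $Rights.WriteDacl }
)

# Reading the ACEs alone says Tier2 (and so bob) has WriteDacl on the OU.
# The access check says otherwise: bob also sits in NoDelegation via Tier2.
Test-EffectiveAccess -Dacl $Dacl -Principal 'bob'   -Requested $Rights.WriteDacl      # False
Test-EffectiveAccess -Dacl $Dacl -Principal 'alice' -Requested $Rights.WriteProperty  # True
Test-EffectiveAccess -Dacl $Dacl -Principal 'alice' -Requested $Rights.WriteDacl      # False (no matching Allow)
```

The point of the model is the bob case: a permissions report built from the Allow ACE on Tier2 would list bob as able to modify the OU's DACL, while the evaluation that Windows actually performs denies him because a nested group carries an explicit Deny. The same gap appears with inheritance and object-specific ACEs in a real domain, which is why an ACE listing is not an answer to the effective-permissions question.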
On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.
To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.
Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.
Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.
Why have you been a little hard on Microsoft lately?
Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.
You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this is a highly concerning fact, because it means that most organizations worldwide are operating in the proverbial dark today.
It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - Proof.
Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.
As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.
Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.
Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.
Finally, the most important reason as to why I do what I do is because I care deeply and passionately about cyber security.
(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)
Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?
The C-Suite Meeting
Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.
This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -
Chief Executive Officer (CEO)
Chief Financial Officer (CFO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.
The C-Suite then took a break for lunch.
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...
... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" He said "Yes."
Houston, We Have a Problem
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.
He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."
He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"
The CEO asked the CIO - "What's wrong? What happened?"
The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"
The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"
The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"
The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"
The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"
The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."
The CEO asked - "What is Active Directory?"
The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"
The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"
The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."
The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"
The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has these effective permissions on our domain root!" The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"
The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."
The CEO was furious! - "You're kidding, right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!"
The CISO replied - "Seventeen years."
The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"
This is for Real
Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!
We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.
This Could've Been (and Can Be) Easily Prevented
This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.
Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.
Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
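As an added illustration (not the blog's or Paramount Defenses' code), the following PowerShell lists every ACE on the domain root object that grants the replication extended rights DCSync depends on, and expands group trustees so that nested members surface. It assumes the RSAT ActiveDirectory module, read access to the domain root's security descriptor, and the published schema GUIDs of the three replication rights; the function name is my own.

```powershell
# Added audit example; requires the ActiveDirectory RSAT module (provides the AD: drive).
Import-Module ActiveDirectory

# Published schema GUIDs of the replication extended rights that DCSync relies on.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An extended-right ACE whose ObjectType is the null GUID covers ALL extended rights.
$NullGuid      = '00000000-0000-0000-0000-000000000000'
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Expand-TrusteeMembers {
    # If the trustee is a group in this domain, return its recursive member list;
    # otherwise return $null (users, NT AUTHORITY principals, unresolvable SIDs).
    param([System.Security.Principal.IdentityReference]$Trustee)
    try {
        $sid   = $Trustee.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $group = Get-ADGroup -Identity $sid -ErrorAction Stop
        return @(Get-ADGroupMember -Identity $group -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    } catch {
        return $null
    }
}

function Get-ReplicationRightHolders {
    # Reads the domain root ACL and emits one object per ACE that touches a replication right.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        # GenericAll includes the ExtendedRight bit, so this test catches both kinds of grant.
        if (([int]$ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }

        $guid = $ace.ObjectType.ToString()
        if ($guid -eq $NullGuid) {
            $granted = 'ALL extended rights (includes the replication rights)'
        } elseif ($ReplicationRights.ContainsKey($guid)) {
            $granted = $ReplicationRights[$guid]
        } else {
            continue
        }

        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Allow and Deny must be read together
            Right     = $granted
            Inherited = $ace.IsInherited
            Members   = Expand-TrusteeMembers -Trustee $ace.IdentityReference
        }
    }
}

# Anything listed here beyond Domain Controllers, Enterprise Domain Controllers and the
# built-in admin groups deserves an explanation or removal.
Get-ReplicationRightHolders | Format-List
```

This enumerates direct ACEs only: deny-ACE ordering, ownership and WriteDacl on the domain root, and memberships resolved through other domains or local groups all need genuine effective-permission analysis, which is precisely the gap the post describes.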
Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.
Wait, weren't these C*O discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!
Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.
All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.
The moral of the story is that while it's fine to fall for the latest fad, i.e. to consider moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.
I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.
PS: If this sounds too simple and high-level, i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here etc.
Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)
You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.
A Quick and Short Background
From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.
Active Directory is the Foundation of Cyber Security Worldwide
The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety of its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.
During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.
These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.
Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.
Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock down the vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.
Clearly, Microsoft Has No Answers
It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.
Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -
If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!
You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!
That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."
Oh, and the very last thing they tell you is that their nascent ATA technology can detect multiple AD recon methods.
In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."
The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.
BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (you'll want to read the posts) - Active Directory Security School for Microsoft.
Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.
Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.
Fortunately There's Help and Good News For Microsoft
I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.
To my former colleagues at Microsoft I say - "Each one of us at Microsoft is passionate, cares deeply and always strives to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."
So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.
What Constitutes a Privileged User in Active Directory
How to Correctly Audit Privileged Users/Access in Active Directory
How to Render Mimikatz DCSync Useless in an Active Directory Environment
How to Easily Identify and Thwart Sneaky Persistence in Active Directory
How to Easily Solve The Difficult Problem of Active Directory Botnets
The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)
The Paramount Need to Lockdown Access Privileges in Active Directory
How to Attain and Maintain Least Privileged Access (LPA) in Active Directory
How to Securely Delegate and Correctly Audit Administrative Access in Active Directory
How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment
You see, each one of these Active Directory security focused objectives can be easily accomplished, but in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.
Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.
Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.