• Careful, when Microsoft Support is calling

    I guess you are aware of the phone scams in which someone claiming to be Microsoft Support calls you to tell you that there is an issue on your computer which needs to be fixed. A Norwegian team was actually able to film one of these calls. The whole conversation with the "supporter" is in English (the rest is in Norwegian) and is definitely worth watching. The article (in Norwegian, but Bing Translator helps) can be found here: Her prøver Windows-svindlerne å lure kredittkortet fra oss ("Here the Windows scammers try to trick us out of our credit card").

    Roger

  • Security in 2013 – the way forward?

    Typically, January is the month when we are asked to make predictions on the trends for the New Year. I do not like this, as I am an engineer and not a fortune teller. But there are things we know and things we definitely need to drive this year. I would actually put it into the context of the typical hygiene of any IT environment.

    Let's try to understand where we stand today. Compared to a few years back, we unfortunately see more skilled people in this space, looking for either fast money or information. The criminals are more skilled, and I guess we see state actors attacking infrastructures as well. The big change, however, is that these attacks are not what they used to be. Today they are targeted and executed by highly skilled people with a clear goal and plenty of time. There is no rush, but they want to get a bang for the buck. They want to make sure that once they penetrate a network, the probability of getting discovered is low, and they want to stay in there as long as possible. This often leads to the situation that customers do not know that they are compromised, and once they figure it out, they cannot assess the impact because the attacker has been on the network longer than the log backups are retained…

    To be clear, this is not meant to scare anybody; this is the reality we have seen in many, many customer networks across the globe in the last one to two years.

    If we look at a typical attack, it often follows a similar pattern:

    1. The attacker seeks a way to compromise a first computer. This is often done through social engineering, rarely through a sophisticated technical attack. The attacker distributes USB sticks carrying malicious code, sends a mail that motivates the user to click on a link, etc. All very well-known patterns.
    2. The user executes the malicious code, which typically installs remote access software that allows the attacker to take over the machine. Most probably the user needs admin rights for this to work (though not always).
    3. The attacker downloads the tools he needs and gains access to the credentials cached locally. The attacker can only do this if he has administrative privileges – in other words, if the user runs as admin (or the attacker finds a vulnerability that gives him these privileges locally).
    4. From here on the attacker tries to move laterally (to other user machines) until he finds a higher-value credential that lets him move towards a higher-value target.
    5. This chain often ends with a compromised Domain Administrator account and therefore a lost Active Directory.

    This describes a fairly typical attack leveraging Pass-the-Hash. The paper Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques describes this very well. If we look at the mitigations described in this paper, and at the mitigations that follow from the attack pattern above, they are actually not too hard to implement – for the most part they are simply good network hygiene:

    • Restrict and protect high privileged domain accounts
    • Restrict and protect local accounts with administrative privileges
    • Restrict inbound traffic using the Windows Firewall

    These are the key mitigations; however, there are some further recommendations in this paper which should be implemented as well:

    • Remove standard users from the local administrators group: How long have we been talking about this? User Account Control, which came with Windows Vista, is the technology that makes this practical. It is really, really hard with Windows XP!
    • Limit the number and use of privileged domain accounts: To me this goes in the same bucket as the local admin…
    • Configure outbound proxies to deny Internet access to privileged accounts: Why should your Domain Administrator be able to access an obscure server somewhere in a foreign country?
    • Ensure administrative accounts do not have email accounts: Obvious, no? You would be surprised how often we see admins doing daily business tasks with privileged accounts
    • Use remote management tools that do not place reusable credentials in a remote computer's memory: This is probably a bit harder to do, but it should and could be done.
    • Avoid logons to less secure computers that are potentially compromised
    • Update applications and operating systems: Patch, patch, patch. And then keep your software to the latest versions. I will come back to this.
    • Secure and manage domain controllers
    • Remove LM hashes

    That's not too hard to do, is it? It should be part of the natural, everyday maintenance of your network, shouldn't it?

    One point which has not been mentioned so far is monitoring. This is all about finding the needle in the haystack, but it can be done – we (at Microsoft) do it. Why should a machine all of a sudden connect to another country when it never did so before? There might be reasons for this, but sometimes there are none. If you read my latest post, you will see one of these examples: An Attack via VPN – Really?
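    To make the "machine suddenly talks to a country it never talked to before" check concrete, here is an added example (my own code, not part of the original post or of any Microsoft tool): it learns, per source host, which destination countries were seen during a baseline period from outbound-connection records, then reports every host/country pair that appears after the cutoff and is new for that host. The log lines are constructed for the example and use documentation IP ranges; the country column stands in for whatever GeoIP field your proxy or firewall writes, and "ZZ" is a placeholder code, not a real country.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of outbound-connection records (not real traffic): timestamp,
# source host, destination IP (documentation ranges only) and destination country
# as a proxy or firewall with a GeoIP lookup would log it. "ZZ" is a placeholder
# code, not a real country. Records before BASELINE_CUTOFF form the learning period.
SAMPLE_LOG = """\
2013-01-07T08:01:12Z ws-0412 192.0.2.10 US
2013-01-07T09:15:03Z ws-0412 198.51.100.5 CH
2013-01-08T10:22:18Z ws-0412 198.51.100.6 CH
2013-01-09T11:00:00Z ws-0412 192.0.2.10 US
2013-01-07T08:02:12Z srv-fs01 198.51.100.5 CH
2013-01-14T08:05:00Z ws-0412 192.0.2.10 US
2013-01-14T02:13:09Z ws-0412 203.0.113.23 ZZ
2013-01-14T02:13:41Z ws-0412 203.0.113.23 ZZ
2013-01-15T02:14:00Z ws-0412 203.0.113.24 ZZ
2013-01-14T08:10:00Z srv-fs01 198.51.100.5 CH
"""
BASELINE_CUTOFF = datetime(2013, 1, 13, tzinfo=timezone.utc)


def parse_line(line):
    """One record per line: ISO-8601 UTC timestamp, source host, destination IP, country."""
    ts, host, dst_ip, country = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, dst_ip, country


def build_baseline(lines, cutoff):
    """Per source host, the set of destination countries seen before `cutoff`."""
    seen = defaultdict(set)
    for line in lines:
        when, host, _, country = parse_line(line)
        if when < cutoff:
            seen[host].add(country)
    return seen


def find_new_destinations(lines, cutoff, baseline):
    """After `cutoff`, collect every (host, country) pair the host never reached in the
    baseline. Returns {(host, country): {"first_seen", "count", "ips"}} so an analyst
    sees when it started, how often it recurs and which addresses are involved."""
    alerts = {}
    for line in lines:
        when, host, dst_ip, country = parse_line(line)
        if when < cutoff or country in baseline.get(host, set()):
            continue
        entry = alerts.setdefault((host, country), {"first_seen": when, "count": 0, "ips": set()})
        entry["count"] += 1
        entry["ips"].add(dst_ip)
        if when < entry["first_seen"]:
            entry["first_seen"] = when
    return alerts


def run_sample():
    """Run the detection over the constructed log; returns (baseline, alerts)."""
    lines = SAMPLE_LOG.splitlines()
    baseline = build_baseline(lines, BASELINE_CUTOFF)
    return baseline, find_new_destinations(lines, BASELINE_CUTOFF, baseline)


if __name__ == "__main__":
    baseline, alerts = run_sample()
    for (host, country), info in sorted(alerts.items()):
        print(f"{host}: new destination country {country}, first seen "
              f"{info['first_seen']:%Y-%m-%d %H:%M}Z, {info['count']} connections to {sorted(info['ips'])}")
```

    On the sample, ws-0412 is reported for ZZ (three connections, two destination addresses, starting at 02:13 at night), while its continued traffic to US and CH and srv-fs01's traffic to CH stay quiet. Two caveats a practitioner would add: a host that does not exist in the baseline at all will alert on every country, so new machines need their own learning period, and legitimate new destinations (a new vendor, a CDN) need an allowlist or a review step before anybody calls it an incident.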

    Let me add a few final comments:

    • A lot of customers we find compromised are surprised that they have unpatched machines (well, some of them have unpatched machines and are not surprised…). Implement a strong patch management process, covering not only the Microsoft product suite. Ours is the easiest to keep up to date. I did not say it is easy, I said it is the easiest, based on the technology, the update mechanism and the information we provide. That's not only me saying this; a lot of customers tell me this.
    • Get off Windows XP! That's probably the number one thing which keeps me up at night. There are too many Windows XP machines out there. Windows XP is more than a decade old! Think back to how you used the Internet a decade ago, and then think again about the ability of Windows XP to protect you. It does not anymore. It was a great OS, it is rock-solid and just works – but it is out of date! I have two slides showing the evolution of the Internet and of the threat landscape, as well as the evolution of security in Windows since Windows 95. If you are interested, I am happy to share them.
    • Implement network isolation: At Microsoft IT, we use IPsec authentication to segment the network and isolate trusted from less trusted and from untrusted systems. This technology has been around for ages – use it.

    Therefore, if you think about network hygiene in 2013, look at the points above and get started. It is basically just normal maintenance of your network. Just do it.

    Roger

  • There it is – the security Silver bullet

    I love that: There is finally software that is free of bugs and completely secure. Hmm, this kind of reminds me of the world-famous marketing campaign of a big software company which called itself "unbreakable". However, let's be fair:

    There is an article out there called 11 open-source projects certified as secure. I quote from it: "Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects." This is nonsense and we all know it, for several reasons: static source code analysis will never be able to find all vulnerabilities. Additionally, the threat landscape changes. Even if we were able to say "the software is secure" (which we never will be), this would be different tomorrow. Criminals are probably among the cleverest people when it comes to finding new ways of attacking our systems – ways we never thought of when we planned the system.

    So, I tried to confirm the above statement on Coverity's websites, http://www.coverity.com/index.html and http://scan.coverity.com/index.html, and could not find the same statement there, which I think is not bad – otherwise I would have doubted their competence.

    Actually, Michael Howard commented on that as well: "Open-source projects certified as secure" – huh?

    So, to summarize: I am not in a position to assess the quality of Coverity's capabilities, tools and processes. The only thing I know for sure is that this article is crap.

    Roger

    BTW: Stop looking for the security silver bullet – I do not want to lose my job.

  • Microsoft Account: Enable Two-Step Verification

    In my opinion we could even call it two-factor authentication. The idea is that whenever you log on from an untrusted PC, you will be asked for a second factor (or step). In the case I show below, I use the Authenticator app on my phone, which works similarly to an RSA SecurID token.

    How to set it up? Fairly easy:

    1. Log on to your Microsoft Account (formerly Windows Live ID) at https://account.live.com . There you have all your account settings. Go to Security Info.
    2. Choose Set up two-step verification, which guides you through the wizard.
    3. Once you are done, go back to Security Info and choose Authenticator App.
    4. In the meantime, download the Authenticator App to your phone, as the next screen lets you pair the two.

    Done! Enjoy the additional layer of security.

    Roger

  • Unique in the Crowd – False sense of Privacy

    This morning, I was reading a very interesting article called Unique in the Crowd: The privacy bounds of human mobility. This is the abstract:

    We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.

    Before we go deeper into the subject, the situation above reminded me of Monty Python's Life of Brian:

    (Embedded YouTube video: https://www.youtube.com/embed/jVygqjyS4CA)

    But now back to the subject. The example above, to me, just shows one of the key challenges we face when we look at all the data which is generated about us. Once this data starts to get analyzed for behavior patterns, even the most innocent data all of a sudden might become very sensitive. If you look at the Big Data scenario, in my opinion it gets even worse, as then we start to correlate information that is non-identifying on its own, and very fast we run into privacy-related issues.

    Let's take the example above: They are able to uniquely identify individuals based on the pattern of how they move. Additionally, you could look at the data to figure out where they spend most of their time – and typically you can fairly easily find out where they work and live. This means that you can fairly fast (with a little additional effort) not only identify such patterns but even link that pattern to a name, and all the doors are now open to "abuse" this data for any kind of purpose.
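    To show the two steps of that reasoning on data you can inspect, here is an added example (my own code, not from the post and not the paper's data or method): a handful of constructed hourly traces of the form (day, hour, antenna), a function that returns which users' traces contain a given set of spatio-temporal points, a function that counts how many points of a given sequence are needed before exactly one user is left, and the home/work inference from the most frequent antenna at night and during working hours. The night and working-hour windows are assumptions of the example; the paper samples points at random rather than walking a fixed sequence as done here.

```python
from collections import Counter

# Constructed hourly traces (not the paper's data): user -> list of (day, hour, antenna).
# Antenna ids are arbitrary labels standing in for carrier cell sites; users u1 and u4
# are deliberately similar so that a few shared points are not enough to tell them apart.
TRACES = {
    "u1": [(1, 2, "A7"), (1, 9, "B2"), (1, 13, "B2"), (1, 18, "C4"), (1, 23, "A7"),
           (2, 3, "A7"), (2, 10, "B2"), (2, 19, "C9")],
    "u2": [(1, 1, "A7"), (1, 9, "B5"), (1, 14, "B5"), (1, 17, "C4"), (1, 23, "A7"),
           (2, 2, "A7"), (2, 10, "B5"), (2, 20, "C1")],
    "u3": [(1, 2, "A3"), (1, 9, "B2"), (1, 12, "B2"), (1, 18, "C4"), (1, 22, "A3"),
           (2, 3, "A3"), (2, 11, "B2"), (2, 19, "C4")],
    "u4": [(1, 0, "A7"), (1, 8, "B2"), (1, 13, "B2"), (1, 18, "C4"), (1, 23, "A7"),
           (2, 1, "A7"), (2, 10, "B2"), (2, 19, "C9")],
}

NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))   # assumed "at home" window
WORK_HOURS = set(range(9, 18))                         # assumed "at work" window


def users_matching(traces, points):
    """All users whose trace contains every (day, hour, antenna) point in `points`."""
    wanted = set(points)
    return {user for user, trace in traces.items() if wanted <= set(trace)}


def points_needed(traces, user, ordered_points):
    """Smallest k such that the first k of `ordered_points` leave only `user`; None if they never do."""
    for k in range(1, len(ordered_points) + 1):
        if users_matching(traces, ordered_points[:k]) == {user}:
            return k
    return None


def infer_home_work(trace):
    """Most frequent antenna during night hours (home) and during working hours (work)."""
    night = Counter(antenna for _, hour, antenna in trace if hour in NIGHT_HOURS)
    work = Counter(antenna for _, hour, antenna in trace if hour in WORK_HOURS)
    home_antenna = night.most_common(1)[0][0] if night else None
    work_antenna = work.most_common(1)[0][0] if work else None
    return home_antenna, work_antenna


if __name__ == "__main__":
    observed = [(1, 18, "C4"), (1, 23, "A7"), (1, 13, "B2"), (1, 2, "A7")]
    for k in range(1, len(observed) + 1):
        print(k, "point(s) ->", sorted(users_matching(TRACES, observed[:k])))
    print("points needed to single out u1:", points_needed(TRACES, "u1", observed))
    print("u1 home/work antennas:", infer_home_work(TRACES["u1"]))
```

    With the four observed points in the block, the candidate set shrinks from three users to two to one, which is the "four points identify the individual" effect on a toy scale; u4 is never singled out by that sequence because u1 shares all of it, which is the kind of case a larger, sparser dataset rarely produces. Once a trace is unique, the home and work antennas are a cell-tower-sized hint at an address and an employer, which is where the link to a name comes from.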

    All these issues do not scare me from a security perspective at the moment, but they do from a privacy perspective – and for most consumers, there is no real difference.

    Roger