Thursday, February 22, 2018

Winter Olympics Cyberattack



The Olympic Games have always been a symbol of global unity and cooperation, mixed in with friendly competition of course. However, this can also mark the games as a target for groups that don’t share that worldview. This year, the Winter Olympics opening ceremony was targeted by a cyberattack focused on disruption and destruction of systems. The attack resulted in the official website being offline for roughly 12 hours, preventing attendees from accessing tickets and information, as well as disrupting the Wi-Fi at the stadium and various news coverage feeds.

Security researchers at Cisco’s Talos group analyzed the malware and have dubbed it Olympic Destroyer. While it is still unclear how the systems were initially infected, Talos has disclosed some details of how the malware operates. The malware is contained within a binary file which is responsible for propagation across the network. It checks the Address Resolution Protocol (ARP) table on the system to discover additional targets, and also uses the Windows Management Instrumentation Query Language (WQL) query "SELECT ds_cn FROM ds_computer" to find other systems. Propagation is carried out using legitimate administrative tools included with Windows, PsExec and WMI. The other function of the binary file is to drop two modules, the credential stealers.
 
The stealer modules focus on different types of credentials: a web browser module and a system module. The web browser stealer parses the SQLite file in the registry to access stored credentials for Internet Explorer, Firefox, and Chrome. The system module gathers credentials from the Local Security Authority Subsystem Service (LSASS), a Windows process that enforces security policy for the system. Once credentials have been gathered, the binary file is updated to include the credentials hardcoded in, to be used on newly infected systems for further access.

After reconnaissance, the malware begins a destruction phase to disable the system. Using the Windows command line (cmd.exe), various tasks are carried out to prevent recovery of the system: deletion of all shadow copies on the system, deletion of the wbadmin catalog, using bcdedit to change the boot configuration and disable Windows recovery, and deleting the System and Security Windows Event logs. Finally, the malware stops and disables all Windows services and shuts down the system, preventing it from being restarted in a usable state.

Olympic Destroyer used well-known Sysinternals tools included with Windows, implying the attacker knew the targets were Windows-based. Talos also suggested the attacker knew a “lot of technical details of the Olympic Game infrastructure such as username, domain name, server name, and obviously password.”

Sources:


https://thehackernews.com/2018/02/pyeongchang-2018-winter-olympics.html

and The CIP from Peraton

Final Public Draft of Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information

NIST Computer Security Division Releases the Final Public Draft of Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information

The Final Public Draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is now available for public comment. See below for further details.

Learn about the updates to the Final Draft SP 800-171A on the NIST CSRC website at:
https://csrc.nist.gov/News/2018/NIST-Releases-Final-Draft-SP-800-171A


Below is the link to the Draft SP 800-171A publication record, where links to the document, the comment template and other supplemental information are available:
https://csrc.nist.gov/publications/detail/sp/800-171a/draft


Deadline to submit comments to draft SP 800-171A: March 23, 2017

Email comments or questions about this draft document to:
sec-cert@nist.gov

Monday, February 12, 2018

Tips for Tax Time

A 2017 Identity Fraud Study by Javelin Strategy & Research revealed that nearly one in three consumers notified that their data has been breached become victims of identity fraud. With the recent Equifax cyberattack still fresh in our minds, more than 145 million Americans’ names, addresses, birthdates, Social Security numbers and other sensitive information may be at risk. Cybercriminals are crafty and continuously looking for ways to steal your personal information. The Internal Revenue Service (IRS) indicates that phishing schemes continue to lead its “dirty dozen” list of 2017 tax scams. So what is the average American to do? The National Cyber Security Alliance (NCSA) and the Identity Theft Resource Center (ITRC) have once again joined forces to help consumers keep safe during tax season with tips for identifying cyber scams, actionable online safety steps and what to do if you fall victim to tax identity theft.

Tuesday, February 6, 2018

The ten immutable laws of security administration revisited and updated

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

Phishing scams, link bait, hacked software, hacks for software, keygens, screensavers, games, codecs, media files… the list goes on and on. Search for anything online you might wish to download, and odds are extremely good that the majority of the links on the first page of your search results will go to downloads that are anything other than what you really want. Check out torrent sites or other sources that carry binaries of questionable origin, and I guarantee you that most of those downloads are crawling with badness. Everyone wants something for nothing, and the bad guys are happy to use that to their advantage. Set aside the morality and the legality of downloading copyrighted content without paying for it… is it really worth the risk that your computer won’t be yours anymore?

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Consider how many “fixes” are “documented” online to correct this behavior or to patch that bug. How many posts consist of “download this file from my site to fix that error” and how many of those sites have nothing at all to do with the vendor of your operating system? This is NOT just a problem for Windows users, so don’t think that all repos can be trusted. When you are considering patching, upgrading, or recompiling your operating system, whether it’s a binary or new source you want to compile from scratch… if you cannot read and understand the code yourself, and it’s not coming from the maker directly, don’t trust it. If it is coming from the vendor, make sure that either the digital signatures or the checksums of the downloads check out okay or abandon the file(s) as bad.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

If they can touch it, they can own it. Any system a bad guy has direct physical access to is his or hers to do with as they please. Don’t leave your computer unlocked when you are away from it. Don’t leave it out in the open in a hotel room when you travel. Ensure your workplace provides adequate physical security for all systems. You know that PC the receptionist uses that is sitting in the elevator lobby which anyone can walk up to? Yeah, if your building is not locked down so you need a badge to even get onto your floor, then that PC needs to be locked away every day at the end of the shift.

Law #4: If you allow a bad guy to run active content on your website, it’s not your website any more.

Limit what can and cannot be uploaded to your website or forums. Quarantine and scan any files that are uploaded by users. Regularly and frequently run security scans of your website and all content, and ensure it cannot be exploited by injection or cross-site scripting. One of the most common ways end users’ machines are infected is by visiting a trusted site that is unaware it is hosting bad things.

Law #5: Weak passwords trump strong security.

Every variant of P@ssw0rd or p@$$word or Password1 or even b70w$$@q has been used by enough people that it will be among the first 10,000 passwords tried by a brute force attack. And since it will take less than .007 seconds to go through those 10,000 passwords using even the underpowered processing capabilities of a discount tablet, you really want better. I’m going to let you in on a little secret. All passwords are weak. There is no such thing as a strong password, at least when you measure it up against the strength of a dedicated adversary determined to crack it.

The best thing you can do is use multifactor authentication, period. Whether you use a smart card, a token, or an app on your mobile phone, even if someone does guess a user’s password (or tricks them into giving it away), without that second factor of authentication it’s of no use to them. You can even go with biometrics if you have the budget for it, but 2FA using a mobile device can be used from any system, and doesn’t have the SciFi creep factor associated with it!

Law #6: A computer is only as secure as the administrator is trustworthy.

Reference checks, employment checks, credit checks, criminal record checks, background investigations… how far does your HR team take their responsibility of looking into new hires? You may not need to do a full scope background investigation on the receptionist or the delivery driver, but IT sysadmins have access to everything that is on the network. They can read the CEO’s emails, pull the payroll history for anyone in the company, learn just what the secret recipe of the Colonel’s chicken is that makes you crave it fortnightly! Ensure that anyone with privileges to any system is fully checked out before hiring.

Law #7: Encrypted data is only as secure as its decryption key.

Which means if the key exchange is weak, or the key itself is, then your encryption is at risk. The only thing worse than an insecure key is using a proprietary algorithm. Stick with commercially recognized encryption protocols, and if you must use and exchange a pre-shared key, do so out of band to the data exchange. In other words, don’t email someone the password to decrypt the file you just emailed them! Call them, text them, send them smoke signals, anything but sending the password using the same method as you sent the data.

Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.

I always go one further than this and say it’s worse. If I am on a machine that has no antimalware, I won’t download or install anything that I am not absolutely sure of. I’d say most others would feel the same way. But if antimalware is on the machine, I may not be as circumspect, opting instead to count on the antimalware to keep me safe. Of course, if it is out of date, it’s useless, but that won’t stop me from being stupid!

Law #9: Absolute anonymity isn’t practically achievable, online or offline.

Sure, you can live in a cave and bounce your signal off a neighbor’s insecure Wi-Fi, routing it through three different TOR networks and an open web proxy, then through a Ukrainian satellite before you reach your goal… but wait, this isn’t a Hollywood spy thriller so that isn’t practical or even realistic. There is always a log somewhere, and anything you do online you should assume will stay online forever, and eventually be seen by your grandmother. Don’t be stupid, don’t be rude, and don’t do something your meemaw would be ashamed of!

Law #10: Technology is not a panacea.

There is no firewall that cannot be bypassed. There is no hardening procedure that is bulletproof. There does not exist encryption that cannot be broken given enough CPU cycles, nor is there code written without vulnerabilities. Technology is not a panacea and there is no one solution that can make you 100% guaranteed secure. Work on the human aspect, minimize the opportunities for attackers to find something to exploit, keep up to date on patching and malware definitions, and use a layered defense to do the best you can.


Learn them. Live them. Love them. Make them a part of who you are, and help instill in your users, your friends, and your family an awareness of the same. These ten laws are not just for sysadmins, they are for anyone using technology. But stay tuned!

In a future post in this series, we are going to take a look at a related set of laws laid down by Microsoft Director Scott Culp – The 10 Immutable Laws of Security Administration.


BlueHat IL 2018 - David Weston - Windows: Hardening with Hardware Video

The security features of modern PC hardware are enabling new trust boundaries and attack resistance capabilities unparalleled in software alone. These hardware capabilities help to improve resistance to a wide range of attacks including physical attacks against DMA and disk encryption, kernel and remote code exploits, and even application isolation through virtualization. In this talk, we will review the metamorphosis and fundamental re-architecture of Windows to take advantage of emerging hardware security capabilities. We will also examine in-depth the hardware security features provided by vendors such as Intel, AMD, ARM and others, and explain how Windows takes advantage of these features to create new and powerful security boundaries and exploit mitigations. Finally, we will discuss the new attack surface that hardware provides and review exploit case studies, lessons learned, and mitigations for attacks that target PC hardware and firmware.

Link to Video

Detecting Lateral Movement through Tracking Event Logs

Many recent cyberattacks have been confirmed in which malware infects a host and in turn spreads to other hosts and internal servers, resulting in the whole organization becoming compromised. In such cases, many points need to be investigated. Accordingly, an approach for quickly and thoroughly investigating such critical events, ascertaining the overall picture of the damage as accurately as possible, and collecting facts necessary for devising remedial measures is required.

While the configuration of the network that is targeted by an attack varies depending on the organization, there are some common patterns in the attack methods. First, an attacker that has infiltrated a network collects information of the host it has infected using "ipconfig", "systeminfo", and other tools installed on Windows by default. Then, they examine information of other hosts connected to the network, domain information, account information, and other information using "net" and other tools. After choosing a host to infect next based on the examined information, the attacker obtains the credential information of the user using "mimikatz", "pwdump", or other password dump tools. Then, by fully utilizing "net", "at", or other tools, the attacker infects other hosts and collects confidential information.

For such conventional attack methods, a limited set of tools is used across many different incidents. The many points that need to be investigated can be dealt with quickly and systematically by understanding the tools typically used by such attackers, and what kind of evidence they leave and where.

To this end, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) extracted tools used by many attackers by investigating recently confirmed cases of targeted attacks. Research was then conducted to investigate what kind of logs were left on the server and clients when such tools were used, and what settings need to be configured to obtain logs that contain sufficient evidential information. This report is a summary of the results of this research.
The details of traces (event logs and forensic architecture) generated upon execution of the tools are compiled in the "Tool Analysis Result Sheet" and published on GitHub.
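As an added example (not code from the JPCERT report or from the Olympic Destroyer write-up above), the following Python script runs simple detection logic over constructed Windows process-creation (Event ID 4688) records: it flags the reconnaissance, credential-dumping and remote-execution tools named in the JPCERT section and the recovery-inhibiting commands described in the Olympic Destroyer section, then scores each host by which stages appear. The regex patterns and the sample records are assumptions built from the tool names in the text, and the command lines are only present in 4688 events when command-line auditing is enabled.

```python
import re
from collections import defaultdict

# Detection patterns for the two write-ups above. They are matched against the
# process name plus command line of 4688 (process creation) events, which only
# carry a command line when "Include command line in process creation events"
# auditing is enabled. The patterns are assumptions derived from the tool names
# the articles mention, not signatures published by JPCERT or Talos.
STAGES = {
    # JPCERT: host reconnaissance, then network/domain reconnaissance
    "host_recon": [r"\bipconfig(\.exe)?\b", r"\bsysteminfo(\.exe)?\b"],
    "network_recon": [r"\bnet(\.exe)?\s+(view|user|group|localgroup|use)\b"],
    # JPCERT: credential dumping (match on module syntax, not only the file name)
    "cred_dump": [r"\bmimikatz\b", r"\bpwdump\b", r"sekurlsa::"],
    # JPCERT / Olympic Destroyer: remote execution via at, PsExec or WMI
    "lateral_move": [
        r"\bat(\.exe)?\s+\\\\",
        r"\bpsexec(\.exe)?\b",
        r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b",
    ],
    # Olympic Destroyer: shadow copies, backup catalog, boot config, event logs
    "inhibit_recovery": [
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        r"\bwevtutil(\.exe)?\b.*\bcl\s+(system|security)\b",
    ],
}
COMPILED = {s: [re.compile(p, re.IGNORECASE) for p in pats] for s, pats in STAGES.items()}
STAGE_ORDER = ["host_recon", "network_recon", "cred_dump", "lateral_move", "inhibit_recovery"]


def classify(event):
    """Return the set of stage names a single 4688 record matches."""
    text = f"{event['NewProcessName']} {event.get('CommandLine', '')}"
    return {s for s, pats in COMPILED.items() if any(p.search(text) for p in pats)}


def severity(stages):
    """Crude triage: recovery inhibition or credential theft outranks reconnaissance alone."""
    if "inhibit_recovery" in stages:
        return "critical"
    if "cred_dump" in stages or "lateral_move" in stages:
        return "high"
    return "medium" if stages else "none"


def analyze(events):
    """Group matches by host: {host: {"stages": [...], "severity": str, "hits": [(time, user, cmd)]}}."""
    per_host = defaultdict(lambda: {"stages": set(), "hits": []})
    for ev in events:
        stages = classify(ev)
        if not stages:
            continue
        h = per_host[ev["Computer"]]
        h["stages"] |= stages
        h["hits"].append((ev["TimeCreated"], ev["SubjectUserName"], ev.get("CommandLine", ev["NewProcessName"])))
    return {
        host: {
            "stages": [s for s in STAGE_ORDER if s in d["stages"]],
            "severity": severity(d["stages"]),
            "hits": d["hits"],
        }
        for host, d in per_host.items()
    }


def _ev(time, host, user, proc, cmd):
    return {"EventID": 4688, "TimeCreated": time, "Computer": host,
            "SubjectUserName": user, "NewProcessName": proc, "CommandLine": cmd}


# Constructed sample records (not real logs) in the shape of 4688 events.
SAMPLE_EVENTS = [
    _ev("2018-02-09T10:01:05", "WS01", "alice", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    _ev("2018-02-09T10:01:09", "WS01", "alice", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _ev("2018-02-09T10:02:30", "WS01", "alice", r"C:\Windows\System32\net.exe", "net view /domain"),
    # renamed credential dumper: the file name is useless, the module syntax is not
    _ev("2018-02-09T10:05:12", "WS01", "alice", r"C:\Users\alice\AppData\Local\Temp\m.exe",
        "m.exe privilege::debug sekurlsa::logonpasswords"),
    _ev("2018-02-09T10:07:44", "WS01", "alice", r"C:\Windows\System32\at.exe",
        r"at \\10.0.0.7 23:00 cmd /c C:\Windows\Temp\upd.exe"),
    _ev("2018-02-09T23:00:03", "FS01", "SYSTEM", r"C:\Windows\System32\vssadmin.exe",
        "vssadmin.exe delete shadows /all /quiet"),
    _ev("2018-02-09T23:00:04", "FS01", "SYSTEM", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl System"),
    _ev("2018-02-09T09:15:00", "WS02", "bob", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    _ev("2018-02-09T09:16:00", "WS02", "bob", r"C:\Windows\System32\net.exe", r"net use Z: \\fs01\share"),
]

if __name__ == "__main__":
    for host, result in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"{host}: {result['severity']:8} stages={result['stages']}")
        for time, user, cmd in result["hits"]:
            print(f"    {time} {user}: {cmd}")
```

A lone "net use" on WS02 rates only medium, which is the point of scoring by stage rather than by single hit: ordinary admin activity matches one pattern, an intrusion chain matches several.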

Tool Analysis Result Sheet
https://jpcertcc.github.io/ToolAnalysisResultSheet/



https://github.com/JPCERTCC/ToolAnalysisResultSheet

This repository summarizes the results of examining logs recorded in Windows upon execution of the 49 tools which are likely to be used by the attacker that has infiltrated a network.
Tool Analysis Result Sheet is created in HTML and can be checked from the following URL.

A report that outlines this research and how to use its results is published below. When using the Tool Analysis Result Sheet, we recommend that you check the report.


We hope this document is useful in incident investigation.
Article was copied from the Japan Computer Emergency Response Team Coordination Center

Friday, February 2, 2018

Cisco VPN Danger

Earlier this week Cisco revealed a major vulnerability affecting devices configured with their WebVPN clientless VPN software. This software is part of the Secure Sockets Layer (SSL) VPN functionality of numerous Cisco hardware devices. Companies around the world use WebVPN so that their employees can connect to the corporate intranet from the outside. The successful exploitation of this vulnerability could have potentially devastating consequences for an organization.
When WebVPN functionality is enabled, devices are vulnerable to a flaw that allows hackers to "double-free" memory on the system. To accomplish this, an attacker submits custom crafted XML messages to the WebVPN interface of the target device. The messages instruct the system to free a specific memory address multiple times, which may lead to memory leakage, giving an attacker the power to write malicious commands to memory. With this power an attacker has the ability to execute arbitrary code, monitor traffic, and corrupt memory. This flaw can even be exploited for the purposes of a DDoS attack by forcing the system to continuously reboot itself.


Figure 1: Affected Cisco Devices

Link: http://securityaffairs.co/wordpress/68424/security/cisco-asa-critical-flaw.html

The vulnerability has been labeled CVE-2018-0101 and has been given a 10/10, or critical rating, on the Common Vulnerability Scoring System (CVSS) scale. WebVPN is often enabled on edge firewalls, meaning that is possible for an attacker to exploit this from the outside over the Internet. Although this vulnerability seems simple to exploit, successfully crafting the necessary XML messages would require a deep understanding of the system memory layout of an affected device. Patches for the vulnerability have been released; however it is the responsibility of the company to make sure they are applied. We have yet to observe any exploits built to take advantage of this flaw, but this warning should not be taken lightly as successful exploitation would likely lead to massive consequences.

Sources:
• https://arstechnica.com/information-technology/2018/01/cisco-drops-a-mega-vulnerability-alert-for-vpn-devices/
• http://searchsecurity.techtarget.com/news/252434117/Critical-Cisco-ASA-vulnerability-patched-against-remote-attacks


Source CIP report

Thursday, February 1, 2018

Changes to Office and Windows servicing and support

This is a summary of a blog post on the Microsoft site; the full article can be found here.

Servicing extensions for Windows 10


Windows 10 is being adopted rapidly by organizations of all sizes, and as customers deploy the product they are implementing a modern servicing methodology we refer to as Windows as a service.
Many customers – including MARS, Independence Blue Cross, and Accenture – have made significant progress in moving to Windows as a Service, but some have requested an extension to the standard 18 months of support for Windows 10 releases.  To help these customers, we are announcing an additional six months of servicing for the Enterprise and Education editions of Windows 10, versions 1607, 1703, and 1709. (Additional servicing for Windows 10, version 1511 was announced in November.)  This extension will be offered via normal channels.  The chart below outlines the impact of these extensions for each of the last four Windows 10 releases.

Release                   | Release date      | End of support   | End of additional servicing for Enterprise, Education
Windows 10, version 1511  | November 10, 2015 | October 10, 2017 | April 10, 2018
Windows 10, version 1607  | August 2, 2016    | April 10, 2018   | October 9, 2018
Windows 10, version 1703  | April 5, 2017     | October 9, 2018  | April 9, 2019
Windows 10, version 1709  | October 17, 2017  | April 9, 2019    | October 8, 2019

We will also offer additional paid servicing options for Windows 10 Enterprise and Education releases starting with Windows 10 version 1607. For more information, contact your Microsoft account team.
Office 2019
Last year at Ignite, we announced Office 2019 – the next perpetual version of Office that includes apps (including Word, Excel, PowerPoint, Outlook, and Skype for Business) and servers (including Exchange, SharePoint, and Skype for Business). Today we’re pleased to share the following updates:
  • Office 2019 will ship in H2 of 2018. Previews of the new apps and servers will start shipping in the second quarter of 2018.
  • Office 2019 apps will be supported on:
    • Any supported Windows 10 SAC release
    • Windows 10 Enterprise LTSC 2018
    • The next LTSC release of Windows Server
  • The Office 2019 client apps will be released with Click-to-Run installation technology only. We will not provide MSI as a deployment methodology for Office 2019 clients. We will continue to provide MSI for Office Server products.
Office 2019 will provide 5 years of mainstream support and approximately 2 years of extended support. This is an exception to our Fixed Lifecycle Policy to align with the support period for Office 2016. Extended support will end 10/14/2025.

Tuesday, January 30, 2018

Data Privacy Day 2018 – Live From LinkedIn Event Highlights

In honor of Data Privacy Day – an international effort held annually on Jan. 28 to generate awareness about the importance of respecting privacy, safeguarding data and enabling trust – the National Cyber Security Alliance (NCSA) hosted a daylong event streamed live from LinkedIn’s offices in San Francisco, CA, on Thursday, Jan. 25. The event showcased fast-paced, cutting-edge discussions and TED-style talks with leading experts focusing on what businesses and consumers must know about privacy.

The day's discussions focused on the following privacy hot topics:
  • Looking Into a Crystal Ball: What Your Data Says About You
  • Five Things You Can Do to Manage Your Privacy Now
  • What You Should Know About the Internet of Me and Your Privacy
  • Tracking My Location – Business Uses and Consumer Choices
  • Staying Competitive – Why Privacy Is Good for Your Business
  • The Problem With Your Online Privacy
  • Balancing Act: Privacy and Innovation
  • What's an Algorithm Got to Do With It?


Missed the event? Check out the full video here – and the full event recap, including photos, here

Monday, January 29, 2018

Tax Identity Theft Awareness Week


Tax Identity Theft Awareness Week is January 29 to February 2, and many federal agencies are offering information and resources to help consumers learn to protect themselves from tax-related identity theft and Internal Revenue Service (IRS) imposter scams.

NCCIC/US-CERT encourages consumers to review IRS publication Taxes.Security.Together. and NCCIC/US-CERT Tip Preventing and Responding to Identity Theft. Users can also participate in a series of free webinars and chats on avoiding tax identity theft, hosted by the Federal Trade Commission, IRS, Department of Veterans Affairs, and others

Tuesday, January 23, 2018

Apple Releases Multiple Security Updates


Original release date: January 23, 2018

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC/US-CERT encourages users and administrators to review Apple security pages for the following products and apply the necessary updates:

Monday, January 22, 2018

Save up to 60% on SQL Server 2017 learning resources

SQL Server 2017 gives you the power to build modern applications using the language of your choice, on-premises and in the cloud, on Windows, Linux, and Docker containers. In two new titles from Microsoft Press, explore the concepts and methodologies of managing SQL Server databases with hands-on practice to become a more experienced—and more efficient—database administrator.

SPECIAL OFFER: For a limited time, save 50% when you buy either SQL Server 2017 Administration Inside Out or SQL Server 2017 Administration Inside Out (Video). Even better? Add both products to cart and save 60% on your purchase*! Use discount code SQL2017 during checkout to apply discount.
 

PowerShell Core 6.0: Generally Available (GA) and Supported!

How to disrupt attacks caused by social engineering ( copied from Microsoft Secure Blog)

5 Stages of a phishing attack

  • Phase 1: Threat actor targets employee(s) via phishing campaign
  • Phase 2: An employee opens the attack email which allows the threat actor access to load the malicious payload or compromise the user identity
  • Phase 3: The workstation is compromised, threat actor persists malware, threat actor gathers credentials
  • Phase 4: Threat actors use stolen credentials to move laterally and gain unsolicited access and compromise key infrastructure elements
  • Phase 5: Threat actors exfiltrate PII and other sensitive business data

There is a great article on this topic here

Saturday, January 20, 2018

ISACA member only offer


 
Start off 2018 with these brand-new, member-exclusive ISACA offers:
 
 
NEW! GDPR Data Protection Impact Assessments—Free for a limited time.
 
Plus, as a valued ISACA Member, you'll save US $200 off our newest Virtual Training course: Cybersecurity for Auditors.
 

2017 data breaches


Winter Olympics Targeted in Wake of Russia Ban


Malicious documents have been discovered in the inboxes of several organizations involved in the Winter Olympics in Pyeongchang, South Korea. The initial target of the email was icehockey@pyeongchang2018.com, but several other organizations also involved with the event were included in the BCC line of the email. The email contained a document titled "Organized by Ministry of Agriculture and Forestry and Pyeongchang Olympics.doc" written out in Korean, which upon opening initialized a macro that opens a PowerShell script containing malware. The script was hidden in the document as an image file by using an open source steganography tool. Upon analysis of the PowerShell script, it was determined that the code allowed a set schedule to occur at certain times to initialize certain tasks and establish an encrypted channel from the victim’s computer to the attacker’s server, which was located remotely.
As of right now, no perpetrator has been discovered, but researchers believe that the attackers’ motive was mainly to gather intelligence about any information regarding the Olympics and the organizations behind the event. Despite no confirmed suspect, it is found to be suspicious that these attacks have occurred in the wake of Russia’s hacks of Olympic emails. A Russian hacking organization associated with the Russian government had hacked and released emails associated with the International Olympic Committee in what is believed to be a response to the Olympic ban Russia was given, keeping them from participating in the 2018 Olympics taking place in Pyeongchang.

Going by the name Fancy Bear, the hacker group gathered fame from attacking the World Anti-Doping Agency back in 2016 in response to their country being banned from the Olympics after several Russian Olympians were discovered to be using banned substances. Fancy Bear posted on its website medical information of non-Russian athletes who were also taking substances, on the pretense that allowing countries’ athletes to take prescription medications such as anti-inflammatory drugs was a double standard.

The hacks on the Winter Olympics came in the form of phishing campaigns to target very specific people, including Canadian lawyer Richard McLaren and Colorado lawyer Richard Young. Both worked together in investigating Russian cheating techniques. With the Olympics only a month away, more attacks from Russia and other countries with motive to disrupt the games are expected, and the International Olympic Committee is keeping a close eye on possible breaches and attack vectors.


Sources:
https://www.zdnet.com/article/hackers-target-winter-olympics-with-new-custom-built-fileless-malware/

https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/

https://www.buzzfeed.com/kevincollier/russia-banned-from-the-winter-olympics-apparently-is?utm_term=.nia1j99okQ#.jt57IDDBbr

Article was originally posted on CIP report produced by PERATON

Wireless Info System for Emergency Responders (WISER)

This post is a little different from my usual ones, but this is a good tool for security professionals.


WISER 5.1 is now available on all platforms! Take a quick look at what's included in this release:

  • CHEMM (“CHEMM 2.0”) has extensive new and updated content, e.g., guidance and reference materials.
  • New Acute Exposure Guideline Levels for airborne chemicals (AEGL) data from the EPA
  • Data updates based on the latest Hazardous Substances Data Bank (HSDB) content.
  • Android 
    • Upgrades for KitKat. OS 4.4 is now required.
    • Protective distance "point into the wind" feature added for devices with a compass.
  • Windows 
    • Completely new installer.
    • Leverages new features of .NET. Version 4.6.1 is now required.
  • Fixes to Emergency Response Guide UN searches (duplicates now displayed) across all platforms
  • Many smaller updates and bug fixes

 

Tutorial Videos

Check out WISER’s new series of YouTube videos. These videos introduce WISER’s functionality, walk through a known substance scenario, and explore WISER’s protective distance mapping feature in detail. Take a look!

Coming Soon

WebWISER enhancements and WISER 5.2, which adds three toxic syndromes (toxidromes) and related content to CHEMM’s Intelligent Syndromes Tool (CHEMM-IST) to all WISER platforms.

Also of Interest

Radiation Emergency Medical Management (REMM) is a great resource for medical management of radiation events, and contains information for First Responders. A mobile version is also available on the Apple App Store and the Google Play Store.

Intel AMT Provides Backdoor

Intel has been taking a beating lately for the Meltdown and Spectre vulnerabilities discovered in its processors. As if that were not enough, a new security flaw was recently disclosed in Intel's Active Management Technology (AMT) that can lead to full system compromise. Worse, it bypasses many of the security measures organizations rely on.

AMT is Intel's technology for letting IT departments remotely monitor, access, and maintain corporate computers. It gives a system administrator full control of the machine for IT-related tasks, and it works even when the system is powered off, as long as the machine is connected to a network and a power source. Systems with Intel vPro-enabled processors, as well as many with Xeon processors, include AMT.

The flaw, reported by researchers at the Finnish cyber security company F-Secure, can be exploited with under a minute of physical access to the machine. The attacker reboots the system and presses CTRL-P during startup to enter the Intel Management Engine BIOS Extension (MEBx), which handles manual AMT configuration. Most AMT instances are never provisioned by the IT department, so the default MEBx password, "admin", grants access to set a new password and to disable the user opt-in prompt (the on-screen consent normally required before a remote session). From then on, anyone on the same network as the target who knows the new password has full remote control of the system.

Wireless access can also be configured at this point by browsing to http://TARGETIP:16992/wlan.htm and logging in as "admin" with the new password. Changing the "Wireless Management" option to "Enabled in S0, Sx/AC" allows remote access over a Wi-Fi network, again provided the attacker is on the same network. AMT can also be configured for remote access from anywhere the system has internet connectivity: Intel's Client Initiated Remote Access (CIRA) has the managed system connect out to its management server rather than the other way around, and that server can be pointed at one controlled by the attacker.

What makes this flaw severe is that AMT remains reachable on systems with a BIOS password, a host firewall, BitLocker encryption, and strong password policies: the BIOS password does not protect the MEBx menu, and AMT runs in firmware below the operating system, so OS-level controls never see it. While the physical access needed to initiate the attack is a limiting factor, clever social engineering or an insider can still lead to compromise. Basic security hygiene, such as never leaving systems unattended in insecure locations, helps mitigate this attack. It is also recommended to set a strong MEBx/AMT password, or disable AMT outright, on every system during provisioning, and to check the fleet for machines that already answer on AMT's network ports.
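One practical follow-up to the mitigation above is finding the machines on your network that already expose AMT, whether an administrator or an intruder provisioned them. The script below is an added example, not code from the article or from F-Secure. It assumes AMT's documented TCP ports (16992 HTTP, 16993 HTTPS, 623 and 664 for redirection), that the AMT web server announces itself with a Server header beginning "Intel(R) Active Management Technology", and that the web UI uses HTTP Digest authentication for the "admin" account; the sample response embedded in the block is constructed, not a capture. The login helper is meant for verifying your own provisioning (for example, that an old shared password no longer works), not for use against systems you do not own.

```python
"""Sweep a subnet for hosts exposing Intel AMT and audit the web-UI password.

Added example; not code from the article or from F-Secure. Assumptions:
AMT listens on TCP 16992 (HTTP), 16993 (HTTPS), 623 and 664 (redirection),
and its web server identifies itself in the HTTP Server header as
"Intel(R) Active Management Technology <version>".
"""
import ipaddress
import re
import socket
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional

AMT_PORTS = {16992: "http", 16993: "https", 623: "redirection", 664: "redirection-tls"}
AMT_SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]+)", re.I)

# Constructed sample of what an AMT web server returns for an unauthenticated
# request to /index.htm (not a real capture; realm and nonce are placeholders).
SAMPLE_AMT_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Intel(R) Active Management Technology 11.8.50.3399\r\n"
    'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF", '
    'nonce="placeholder", stale="false", qop="auth"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Intel(R) Active Management Technology</body></html>"
)


def parse_amt_banner(raw: str) -> Optional[Dict[str, Optional[str]]]:
    """Return version/realm/status if the HTTP response comes from AMT, else None."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    match = AMT_SERVER_RE.search(headers.get("server", ""))
    if not match:
        return None  # some other web server on the port, or a non-AMT banner
    realm = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    return {"version": match.group(1),
            "realm": realm.group(1) if realm else None,
            "status": status_line}


def _fetch_index(sock: socket.socket, host: str) -> str:
    """Send a plain GET for /index.htm and read up to 8 KiB of the reply."""
    sock.sendall(("GET /index.htm HTTP/1.1\r\nHost: %s\r\n"
                  "Connection: close\r\n\r\n" % host).encode())
    raw = b""
    while len(raw) < 8192:
        chunk = sock.recv(1024)
        if not chunk:
            break
        raw += chunk
    return raw.decode("latin-1")


def probe_host(host: str, timeout: float = 1.0) -> Dict[str, object]:
    """Connect to each AMT port; if 16992 answers, grab and parse its banner."""
    open_ports: List[int] = []
    amt = None
    for port in AMT_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                open_ports.append(port)
                if port == 16992:
                    amt = parse_amt_banner(_fetch_index(sock, host))
        except OSError:
            continue  # closed, filtered, or timed out: nothing listening for AMT
    return {"host": host, "open_ports": open_ports, "amt": amt}


def amt_login(host: str, password: str, user: str = "admin", timeout: float = 3.0) -> bool:
    """Try HTTP Digest auth to the AMT web UI; True means the password is accepted.
    Use this to confirm a retired or shared password no longer opens your own fleet."""
    url = "http://%s:16992/index.htm" % host
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def sweep(cidr: str, timeout: float = 0.5) -> List[Dict[str, object]]:
    """Probe every host in a CIDR block and keep only those with an AMT port open."""
    return [res for res in (probe_host(str(ip), timeout)
                            for ip in ipaddress.ip_network(cidr, strict=False).hosts())
            if res["open_ports"]]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: amt_sweep.py <cidr>   (e.g. 10.0.0.0/24, a network you own)")
    for hit in sweep(sys.argv[1]):
        print(hit)
```

Any host in the sweep output is either legitimately managed, in which case its AMT password should be known to IT and strong, or a candidate for the MEBx walk-up described above; a banner with the "Digest:" realm confirms the AMT web UI is enabled on the network interface, which an unprovisioned machine would not show.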


This article was originally published in the CIP Report, produced by PERATON.

Wednesday, January 17, 2018

Microsoft 365 powered device lab kit


The Microsoft 365 powered device Lab Kit is an updated version of the Windows 10 Deployment and Management Lab Kit. It is designed to help you plan a deployment of modern devices running Windows 10 Enterprise and Office 365 ProPlus, managed by Enterprise Mobility + Security.
Extending the value of Microsoft 365, a Microsoft 365 powered device makes security the top priority, eases deployment and management, delivers the latest innovation to users, and provides insights that let IT teams proactively run and manage their businesses.
This free evaluation lab kit features:

A complete lab environment

The kit includes a pre-configured virtual lab environment with evaluation versions of: 
  • Windows 10 Enterprise, version 1709 (Fall Creators Update)
  • System Center Configuration Manager, version 1702
  • Windows Assessment and Deployment Kit for Windows 10, version 1709
  • Microsoft Deployment Toolkit (8443)
  • Microsoft Application Virtualization (App-V) 5.1
  • Microsoft BitLocker Administration and Monitoring 2.5 SP1
  • Windows Server 2016
  • Microsoft SQL Server 2014
PLUS, the lab can be connected to trials of:
  • Office 365 Enterprise E5
  • Enterprise Mobility + Security

Step-by-step labs

Illustrated lab guides take you through multiple deployment and management scenarios, including:

Servicing

  • NEW! Windows Analytics Update Compliance
  • Servicing Windows 10 with Configuration Manager
  • Servicing Office 365 ProPlus with Configuration Manager

Deployment and management

  • Modern Device Deployment
  • UPDATED! Modern Device Management with AutoPilot
  • UPDATED! Office 365 ProPlus Deployment with Intune
  • BIOS to UEFI Conversion
  • UPDATED! Modern Application Management with Intune
  • Enterprise State Roaming

Security

  • Windows Information Protection
  • Windows Defender Advanced Threat Protection
  • NEW! Windows Defender Application Guard
  • NEW! Windows Defender Exploit Guard
  • NEW! Windows Hello
  • Credential Guard
  • Device Encryption (MBAM)
  • Device Guard - User Mode Code Integrity
  • Remote Access (VPN)

Compatibility

  • Windows App Certification Kit
  • Windows Analytics Upgrade Readiness
  • Browser Compatibility
  • Application Virtualization
  • Desktop Bridges

DOWNLOAD THE MICROSOFT 365 POWERED DEVICE LAB KIT >

A high-bandwidth connection is recommended for this download. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space; for optimal performance, 32 GB of available memory is recommended. The lab expires March 6, 2018. A new version will be published prior to expiration.

Cisco has released security updates to address vulnerabilities affecting multiple products


Original release date: January 17, 2018

Cisco has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit one of these vulnerabilities to take control of an affected system.

NCCIC/US-CERT encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:

Tuesday, January 16, 2018

Are you an (ISC)² Member? Free training: Cyber Forensics Incident Recovery Interactive Lab




Cyber Forensics Incident Recovery Interactive Lab
FREE for (ISC)² Members for a Limited Time - $600 Value
(ISC)² has teamed up with Architecture Technology Corporation (ATCorp) to provide our members with a limited opportunity to pilot an interactive, online, cyber forensics lab – a $600 value that is being offered free for members. 
Interactive, Hands-On Learning
This Cyber Forensics Incident Recovery lab gives you a deeper understanding of how to extract evidence from a suspect's hard drive, covering the detailed file formats used by popular P2P software and methods for extracting information from them by hand.

You'll learn key concepts, watch demos, work through the hands-on lab and test your knowledge. Following completion of the course, you'll earn 4 CPEs.

Take advantage of this exciting new opportunity – only available to (ISC)² members through April 1st.