Oil and gas companies within the Middle East and Russia have once again been targeted and attacked by various strains of malware. One of the strains appears to be the third version of the Shamoon worm that ran rampant in 2016, and the other one is known as Seedworm, named after the cyber espionage group that created it.
Shamoon was built as a master boot record wiper that infected Windows® based machines so that, once infected, they could not boot again after being turned off. Back in 2016, Shamoon spread by using a list of hostnames taken directly from the Active Directory of a compromised host. Version 3 has discarded this method of infection and follows in the footsteps of WannaCry and NotPetya, propagating across compromised networks using the Windows Server Message Block (SMB) protocol. 300 servers and 100 personal computers out of a total of 4000 machines were crippled in the attack against Italian oil and gas contractor Saipem. Luckily no data was lost because the company had backed up its systems, proving the importance of having proper disaster recovery policies in place.
Seedworm has infiltrated more than 30 organizations already, with most of the targets within the Middle East and Russia. Telecommunications and IT services were the main targets, because those providers could give the attackers additional targets to attack, but the second most common targets were businesses in the oil and gas industry. Seedworm uses a tool called Powermud, a custom-made script that allows the threat actors to evade detection on the systems Seedworm compromises. Once a system is compromised, Seedworm executes a payload that scans web browsers and email clients to steal credentials, which leads researchers to believe that gaining access to victims' personal information is the group's primary goal. Seedworm, also known as MuddyWater or Zagros, is well known for constantly changing tactics. Relying on public tools available on repositories such as GitHub allows the group to quickly update and alter its operations by applying only small changes to the code.
The security of the oil and gas industries is essential to maintaining stability in the nation's critical infrastructure. As more and more malware strains become increasingly sophisticated in their execution, so should the enforcement of the policies and procedures to defend against them. With the digitization of the industry, over 50 percent of the managers responsible for protecting it have said they are more vulnerable to cyber attacks than ever before.
Sources:
https://thehill.com/policy/cybersecurity/420616-security-firm-unveils-newtactics-of-active-cyber-espionage-group
https://www.bleepingcomputer.com/news/security/shamoon-disk-wiperreturns-with-second-sample-uncovered-this-month/
https://thehackernews.com/2018/12/shamoon-malware-attack.html?m=1
Saturday, December 22, 2018
Logitech Leaves Keystroke Injection Flaw Unaddressed for Months.
Three months ago, security researcher Tavis Ormandy from Google Project Zero detailed a significant flaw for which Logitech has only now released a patch. In his September 18th meeting with them, the engineers at Logitech gave the impression that they understood the problem, had a fix in mind, and were ready to roll out a patch immediately.
The flaw in the Logitech Options application resides in the feature that lets users customize the behavior of buttons on their mice and keyboards. This feature is implemented by an app that leaves a WebSocket server running on the system the app is installed on. That server supports several intrusive commands, auto-starts due to a registry entry, and has a very flimsy authentication method.
Ormandy details in his report: "The only 'authentication' is that you have to provide a Process ID (PID) of a process owned by your user, but you get unlimited guesses so you can brute force it in microseconds." Once a malicious actor puts in the microseconds of work needed to gain access, they can send commands, change options, or even send keystrokes. This means the app could serve as a powerful attack platform, locally or even remotely, through keystroke injection.
Injection attacks can give an actor the ability to create other attack vectors within an organization. They can farm information from infected systems such as email and contact information, install additional malware such as keyloggers or bots, or even perform a total system takeover. An exploit like this can easily be used to gain additional access to other systems or servers within an organization. In turn, that can easily become a massive data breach and/or loss of customer data. Alternatively it can be used to gain banking information or even direct account access, turning a keyboard or mouse into a platform for stealing a less security-conscious home user's banking or credit card information, accessing medical records, logging passwords, or adding the machine to a botnet.
Ormandy notes that the issue was not resolved in the October 1st release of the Options app. After giving Logitech three months to fix the issue, he decided to make his bug report public. The bug report gained some traction on Twitter by Dec 11th, with others pointing out that the problem exists in the Mac version as well. The patch was released Thursday Dec 13th. Ormandy remains skeptical that Logitech will act promptly without the threat of bad publicity.
Sources:
https://www.zdnet.com/article/logitech-app-security-flaw-allowed-keystrokeinjection-attacks/
https://threatpost.com/logitech-keystroke-injection-flaw/139928/
Friday, December 21, 2018
Holiday Gift from Microsoft Introducing Windows Sandbox!
If you ever attended any of my security talks, I talk about the risks of surfing the web or installing software you are not sure of... Well, Microsoft gave us a gift this week: in the Windows 10 Beta Build 18305 they have introduced a great new feature, Windows Sandbox!
Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.
How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?
At Microsoft, we regularly encounter these situations, so we developed Windows Sandbox: an isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all of its files and state are permanently deleted.
Windows Sandbox has the following properties:
- Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
- Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
- Disposable – nothing persists on the device; everything is discarded after you close the application
- Secure – uses hardware-based virtualization for kernel isolation, which relies on the Microsoft Hypervisor to run a separate kernel which isolates Windows Sandbox from the host
- Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU
To install Windows Sandbox, go to Settings > Apps > Apps & Features > Programs and Features > Turn Windows Features on or off, and then select Enable Windows Sandbox.
To start Windows Sandbox, open the Start menu, enter Windows Sandbox and then select it.
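The same enablement as the Settings steps above, done from an elevated PowerShell prompt with the prerequisites checked first. This is an added example, not code from the post or from Microsoft; it assumes the standard optional-feature name Containers-DisposableClientVM that Windows uses for Windows Sandbox.

```powershell
# Added example: enable Windows Sandbox from PowerShell after checking prerequisites.
# Containers-DisposableClientVM is the optional-feature name for Windows Sandbox.
#Requires -RunAsAdministrator

$featureName = 'Containers-DisposableClientVM'

# Sandbox needs the Pro/Enterprise SKU and hardware virtualization enabled in firmware.
$info = Get-ComputerInfo
if ($info.WindowsProductName -notmatch 'Pro|Enterprise') {
    throw "Windows Sandbox requires Windows 10 Pro or Enterprise; found $($info.WindowsProductName)"
}
# The property is $null when Hyper-V is already present; only an explicit $false is a blocker.
if ($info.HyperVRequirementVirtualizationFirmwareEnabled -eq $false) {
    throw 'Hardware virtualization is disabled in firmware; enable it before turning on Windows Sandbox'
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
if ($feature.State -eq 'Enabled') {
    'Windows Sandbox is already enabled'
} else {
    # Equivalent to ticking "Windows Sandbox" under "Turn Windows features on or off".
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    if ($result.RestartNeeded) { 'Windows Sandbox enabled; reboot to finish' }
}

# After the reboot this launches it, the same as typing "Windows Sandbox" in the Start menu.
# Start-Process WindowsSandbox.exe
```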
For more info and details go here
Wednesday, December 5, 2018
Securing a company ... a group of basic steps a company can take
As a security professional, I understand the importance of using data classification to protect a company. The days of believing that the firewall will protect you are over. Today lots of companies treat computer security like a tomato: "secure" on the outside but leaving a soft and mushy target on the inside. We need to rethink this and classify our data based on its risk and value to the company. As users click on emails and bad web sites, the risk of successful attacks like ransomware and other security breaches increases.
As a security professional who deals with this issue regularly, it amazes me that companies do not have a process to understand what data in the company is more important than other data. One of the first steps I undertake as a consultant is to understand what a company has, from both an infrastructure and a data perspective.
Does your company have baselines on your servers and network technology?
Do you know what services are running on your servers?
Do you know what ports are open?
If not, how would you know if you were compromised?
Do you use a change management system to approve, test, and update systems and to record new baselines?
Have you created a portfolio of all the applications that you use, and who is responsible for them?
For the applications you have running, do you understand the workflows and interactions between systems?
Have you built a data classification process that is used by the company, listing, for example, the following classifications: Finance data, Human Resources data, Customer data, Public data, etc.? Not all data in a company needs the same level of protection.
After building a data classification process, you can next work with the data owners on putting the data the company owns into the proper classifications.
There is a tool that you can use to help you with this task. For example, in Windows, there is the File Server Resource Manager (FSRM). One of the features in FSRM is the File Classification Infrastructure, which gives a company insight into its data by automating classification processes so that the company can manage its data more effectively. Companies can classify files and apply policies based on classification. Example policies include dynamic access control for restricting access to files, file encryption, and file expiration. Files can be classified automatically by using file classification rules, or manually, by modifying the properties of a selected file or folder.
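The FSRM classification step described above, scripted with the FileServerResourceManager cmdlets. This is an added example, not the author's own script: it assumes a Windows Server with the FSRM role service installed, and the share paths, category names and keywords are placeholders to be replaced with the company's own.

```powershell
# Added example: automate a data classification scheme with FSRM's File Classification
# Infrastructure. Paths, category names and keywords below are placeholders.
#Requires -Modules FileServerResourceManager

$Namespaces = @('D:\Shares\Finance', 'D:\Shares\HR')   # placeholder share paths

# 1. A single-choice property holding the classifications the company agreed on.
$values = @(
    New-FsrmClassificationPropertyValue -Name 'Finance'
    New-FsrmClassificationPropertyValue -Name 'HumanResources'
    New-FsrmClassificationPropertyValue -Name 'Customer'
    New-FsrmClassificationPropertyValue -Name 'Public'
)
New-FsrmClassificationPropertyDefinition -Name 'DataClass' -Type SingleChoice `
    -DisplayName 'Data classification' -PossibleValue $values

# 2a. Folder-based rule: everything in the Finance share is Finance data.
New-FsrmClassificationRule -Name 'Finance share' -Property 'DataClass' `
    -PropertyValue 'Finance' -Namespace 'D:\Shares\Finance' `
    -ClassificationMechanism 'Folder Classifier'

# 2b. Content-based rule: files in either share mentioning these (placeholder,
#     case-insensitive) phrases are HR data regardless of where they sit.
New-FsrmClassificationRule -Name 'HR content' -Property 'DataClass' `
    -PropertyValue 'HumanResources' -Namespace $Namespaces `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('salary review', 'employee id')

# 3. Run classification now; afterwards it runs on the FSRM classification schedule.
Start-FsrmClassification

# 4. List the rules so the data owners can review what is being classified and how.
Get-FsrmClassificationRule |
    Select-Object Name, Property, PropertyValue, ClassificationMechanism
```

Once the DataClass property is populated, file management tasks and Dynamic Access Control policies can key off it, which is the "apply policies based on classification" step the post refers to.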
Until companies start to think about their data, and what must be protected, they will continue to see major breaches of their systems. Infrastructure needs to be understood. Systems need to be baselined. And processes documented. Companies need to train users on what to look for, and what to do, if they have concerns about possible security incidents. Companies need to train employees on email, possible attacks and vulnerabilities, and what an employee should do if they suspect a possible problem.
Companies need to create, and USE, data classification systems to protect, and add the appropriate level of security to, those data classifications that the company agrees are an issue. Companies do not have unlimited resources, so they should spend time and money protecting those things that are most important to the company.
This is the first of a group of blogs on this topic.
Sunday, December 2, 2018
Vulnerability chain exploits MacOS
Dropbox recently revealed three critical security vulnerabilities in macOS that together allowed execution of arbitrary programs on a target machine, triggered just by visiting a webpage. The vulnerabilities were found by the cybersecurity firm Syndis, which was hired to run red team exercises against Dropbox's infrastructure. Each of the three vulnerabilities had minimal security impact on its own, but chained together they could be used to compromise a target machine simply by getting its user to visit a webpage.
The first vulnerability found (CVE-2017-13890) allowed a malicious webpage to force the target machine to mount an arbitrary disk image. This was due to a content identifier conflict in the Safari web browser. When known file types are handled by Safari, actions are taken to handle the content automatically. Usually this results in things like a media player opening to handle a download or a PDF viewer opening a document. But because the same identifier was defined in multiple locations, the wrong action was taken when downloading a .smi file.
The second vulnerability (CVE-2018-4176) starts the execution path for the arbitrary files in the disk image downloaded via the first vulnerability. When creating a disk image, the creator can use the bless utility to set specific options. One of those is --openfolder, which makes Finder open an arbitrary folder when the disk image is mounted. By pointing it at a bundle instead of a folder, the bundle is executed when the image is mounted. Being able to launch the application isn't quite enough, though, because Gatekeeper prevents unsigned code from actually launching until it is whitelisted.
The third vulnerability (CVE-2018-4175) allows an arbitrary program to be launched from the malicious disk image without any security checks. The first step is to include a legitimate signed binary in the image, such as the Terminal app. At this point the researchers tried launching a malicious script through the Terminal app, but it was still blocked because the quarantine flag was set. This flag is set when applications are downloaded from the internet and is cleared only when the user explicitly confirms that the application is safe. By modifying the bundle's Info.plist they were able to associate a new file type with the Terminal app. When a file of the newly associated type was launched, the quarantine flag was not checked and code execution was achieved.
This vulnerability chain highlights how a string of seemingly minor vulnerabilities can often be strung together to achieve a compromise. The vulnerabilities were reported to Apple in February and patched in its March security update.
Sources
https://thehackernews.com/2018/11/applemacos-zeroday.html
https://blogs.dropbox.com/tech/2018/11/offensive-testing-tomake-dropbox-and-the-world-asafer-place/
and Peraton
Friday, November 30, 2018
New breakthroughs in combatting tech support scams
This is an article from Microsoft that I thought was interesting.
On Nov. 27 and 28, over 100 local India law enforcement officials from Gurgaon and Noida raided 16 call center locations identified as engaged in tech support fraud by Microsoft, resulting in 39 arrests so far. These call center operations fraudulently represented themselves as affiliated with a number of respected companies including Microsoft, Apple, Google, Dell and HP. The New York Times reports that Senior Superintendent of Police Ajay Pal Sharma stated "the scammers had extracted money from thousands of victims, most of whom were American or Canadian." Microsoft alone has received over 7,000 victim reports associated with these 16 locations from over 15 countries.
Anyone may receive an unwanted phone call or experience a pop-up window on your device with a "warning" that your computer has a problem requiring immediate tech support. These messages are often very convincing and use scare tactics to entice consumers into contacting a fraudulent "tech support" call center. Call center operators typically encourage the victim to provide remote access to their device for "further diagnosis" before charging the victim a fee – typically between $150 – $499 – for unnecessary tech support services. In addition to losing money, victims leave their computer vulnerable to other attacks, such as malware, during a remote access session.
This latest raid comes just six weeks after the successful raid operation by the Delhi Cyber Crime Cell of 10 call center locations resulting in the arrest of 24 individuals and the seizure of substantial evidence including call scripts, live chats, voice call recordings and customer records from tech support fraud operations. The case was also registered by the Delhi Cyber Crime Cell on the basis of a complaint by Microsoft.
Tech support fraud operations typically involve multiple entities including those engaged in marketing, payment processing and call centers. Recent law enforcement successes in India build on a solid track record of global law enforcement taking action to combat the multiple layers of tech support fraud supported by referrals from Microsoft and other industry partners. For example, the U.S. Federal Trade Commission and multiple partners announced 16 separate civil and criminal enforcement actions against tech support fraudsters in May 2017 as part of "Operation Tech Trap." And, in June 2017, the City of London Police announced the arrest of four individuals engaged in computer software services fraud.
Our work to partner with law enforcement agencies in addressing this problem is driven by a combination of technology and action taken by our customers. In 2014, Microsoft launched an online "report a scam" portal to enable victims to share their tech support fraud experiences directly with our Digital Crimes Unit team. The reports have been a critical starting point for our international investigations and referrals. Our data analytics and innovation team has added additional tools to proactively hunt and pull data from approximately 150,000 suspicious pop-ups daily targeting millions of people and use machine learning to identify those related to tech support fraud.
In addition to making referrals to law enforcement based on this data, we are building what we learn about cybercriminals' behavior into improved products and services for consumers. Microsoft has built-in protection in Windows 10 which includes more security features, safer authentication and ongoing updates delivered for the supported lifetime of a device. Windows Defender delivers comprehensive, real-time protection against software threats across email, cloud and the web. The SmartScreen filter, built into Windows, Microsoft Edge and Internet Explorer, helps protect against malicious websites and downloads, including many of those frustrating pop-up windows. People who have experienced tech support scams should know they aren't alone, but there are steps you can take to identify and help defend yourself against criminals looking to impersonate legitimate companies. According to our recently released 2018 global survey, three out of five consumers have experienced a tech support scam in the previous 12 months. Although this reflects movement in the right direction, and a 5-point reduction since 2016, these scams persist and successfully target people across all ages and geographies. The best thing you can do to help protect yourself from fraud is to educate yourself. If you receive a notification or call from someone claiming to be from a reputable software company, here are a few key tips to keep in mind:
- Be wary of any unsolicited phone call or pop-up message on your device.
- Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
- Do not call the phone number in a pop-up window on your device and be cautious about clicking on notifications asking you to scan your computer or download software. Many scammers try to fool you into thinking their notifications are legitimate.
- Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
- If skeptical, take the person's information down and immediately report it to your local authorities.
Starwood Guest Reservation Database Security Incident - Marriott
30 November 2018
Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information. Marriott reported this incident to law enforcement and continues to support their investigation. We have already begun notifying regulatory authorities.
Go here for more information
Tuesday, November 27, 2018
Major Online Ad Fraud Operation

National Cyber Awareness System:
11/27/2018 12:09 PM EST
Original release date: November 27, 2018
Systems Affected
Microsoft Windows
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.
Description
Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as IP addresses hijacked via the Border Gateway Protocol (BGP).
Boaxxe/Miuref Malware
Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.
Kovter Malware
Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.
Impact
For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.
Boaxxe/Miuref Malware
Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:
%UserProfile%\AppData\Local\VirtualStore\lsass.aaa
%UserProfile%\AppData\Local\Temp\<RANDOM>.exe
%UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe
The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>
Kovter Malware
Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:
%UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat
%UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat
Kovter is known to hide in the registry under:
HKCU\SOFTWARE\<RANDOM>\<RANDOM>
The customized CEF browser is dropped to:
%UserProfile%\AppData\Local\<RANDOM>
The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:
/?ptrackp=\d{5,8}
/feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
/feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]
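The three URL patterns above, compiled and run over a constructed proxy log, as an added example that is not part of the alert. The log format, host names and addresses are assumptions; the comments explain the two adjustments the published strings need before they work as real regular expressions.

```python
import re

# Added example, not part of the DHS/FBI alert: the three Kovter URL patterns
# compiled as real regular expressions and run over a constructed proxy log.
# Two adjustments are needed before the published strings can be used as-is:
#   * '?' is a regex metacharacter, so a literal "/?ptrackp=" means
#     "optional slash, then ptrackp="; the '?' before each query string is
#     escaped so it matches the actual character;
#   * the class [\w\.\d-_] is rejected by Python ("bad character range"), so it
#     is written as [\w.-], which covers the same characters (\w already
#     includes digits and underscore).

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/\?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=[\w.-]*&land_ip=" + IPV4
    ),
    "feedrs_vast": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}


def match_kovter_url(url):
    """Return the name of the first alert pattern found in the URL, else None."""
    for name, rx in KOVTER_URL_PATTERNS.items():
        if rx.search(url):
            return name
    return None


def scan_proxy_log(lines):
    """Return (client_ip, url, pattern) for each matching line.

    Assumes a simple constructed format: '<timestamp> <client_ip> <method> <url>'.
    A match is a lead, not proof: the alert notes that single indicators can
    also appear in legitimate traffic, so correlate with the host-side IOCs.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client_ip, url = fields[1], fields[3]
        name = match_kovter_url(url)
        if name is not None:
            hits.append((client_ip, url, name))
    return hits


def unescaped_ptrackp_overmatches(url):
    """Show the '?' pitfall: the alert's string compiled verbatim matches a URL
    that the escaped pattern (correctly) rejects."""
    verbatim = re.compile(r"/?ptrackp=\d{5,8}")
    return bool(verbatim.search(url)) and not KOVTER_URL_PATTERNS["ptrackp"].search(url)


# Constructed sample log lines (private and reserved addresses/host names only).
SAMPLE_LOG = [
    "2018-11-27T10:01:02Z 10.0.0.12 GET http://ads.example.test/?ptrackp=1234567",
    "2018-11-27T10:01:05Z 10.0.0.12 GET http://ads.example.test/feedrs3/click"
    "?feed_id=482&sub_id=17&cid=3f9a-b1&spoof_domain=news.example.test&land_ip=192.0.2.10",
    "2018-11-27T10:01:07Z 10.0.0.40 GET http://cdn.example.test/static/app.js",
    "2018-11-27T10:01:09Z 10.0.0.12 GET http://ads.example.test/feedrs1/vast_track"
    "?a=impression&feed_id=48213&sub_id=7&sub2_id=9&cid=a1",
]

if __name__ == "__main__":
    for client_ip, url, name in scan_proxy_log(SAMPLE_LOG):
        print(f"{client_ip}  {name:13}  {url}")
```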
The following is a YARA rule for detecting Kovter:
rule KovterUnpacked {
    meta:
        desc = "Encoded strings in unpacked Kovter samples."
    strings:
        $ = "7562@3B45E129B93"
        $ = "@ouhKndCny"
        $ = "@ouh@mmEdctffdsr"
        $ = "@ouhSGQ"
    condition:
        all of them
}
Solution
If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.
DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:
- Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
- Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
- Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
- Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
- Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.
Monday, November 12, 2018
There are many frameworks that you can use to protect a company's infrastructure
They offer many different approaches to helping a company look at the protection of assets and data as a repeatable process.
There is COBIT by ISACA. COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (Information Systems Audit and Control Association) for IT governance and management. It was designed to be a supportive tool for managers, and it bridges the crucial gap between technical issues, business risks, and control requirements. You can learn about COBIT here.
The National Institute of Standards and Technology (NIST) SP 800
The NIST SP 800 documents are a series of publications put forth by the National Institute of Standards and Technology (NIST), which is a non-regulatory agency of the United States Department of Commerce. The SP 800 series was established in 1990 and has grown quite a bit since then, encompassing a large, in-depth, and ever-growing set of computer security documents seen by many as industry leading. Additionally, the NIST SP 800 documents have been well-known to many professionals within the field of information technology, particularly that of information security, as they gained additional recognition with the Federal Information Security Management Act of 2002, known as FISMA. You can see the SP 800 files here.
NIST Cybersecurity Framework (CSF) Version 1.1
This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. You can learn about CSF here.
The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS). There are more than a dozen standards in the 27000 family; you can see them here.
Most of us know about MITRE CVE, whose sole purpose is to provide common vulnerability identifiers called “CVE Entries.” CVE does not provide severity scoring or prioritization ratings for software vulnerabilities. However, while separate, the CVSS standard can be used to score the severity of CVE Entries.
One you might not know about is MITRE ATT&CK™
ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge. You can find out more here.
Friday, November 9, 2018
Windows 10 shortcuts
Copy, paste, and other general keyboard shortcuts
Press this key | To do this |
---|---|
Ctrl + X | Cut the selected item |
Ctrl + C (or Ctrl + Insert) | Copy the selected item |
Ctrl + V (or Shift + Insert) | Paste the selected item |
Ctrl + Z | Undo an action |
Alt + Tab | Switch between open apps |
Alt + F4 | Close the active item, or exit the active app |
Windows logo key + L | Lock your PC |
Windows logo key + D | Display and hide the desktop |
F2 | Rename the selected item |
F3 | Search for a file or folder in File Explorer |
F4 | Display the address bar list in File Explorer |
F5 | Refresh the active window |
F6 | Cycle through screen elements in a window or on the desktop |
F10 | Activate the Menu bar in the active app |
Alt + F8 | Show your password on the sign-in screen |
Alt + Esc | Cycle through items in the order in which they were opened |
Alt + underlined letter | Perform the command for that letter |
Alt + Enter | Display properties for the selected item |
Alt + Spacebar | Open the shortcut menu for the active window |
Alt + Left arrow | Go back |
Alt + Right arrow | Go forward |
Alt + Page Up | Move up one screen |
Alt + Page Down | Move down one screen |
Ctrl + F4 | Close the active document (in apps that are full-screen and let you have multiple documents open at the same time) |
Ctrl + A | Select all items in a document or window |
Ctrl + D (or Delete) | Delete the selected item and move it to the Recycle Bin |
Ctrl + R (or F5) | Refresh the active window |
Ctrl + Y | Redo an action |
Ctrl + Right arrow | Move the cursor to the beginning of the next word |
Ctrl + Left arrow | Move the cursor to the beginning of the previous word |
Ctrl + Down arrow | Move the cursor to the beginning of the next paragraph |
Ctrl + Up arrow | Move the cursor to the beginning of the previous paragraph |
Ctrl + Alt + Tab | Use the arrow keys to switch between all open apps |
Alt + Shift + arrow keys | When a group or tile is in focus on the Start menu, move it in the direction specified |
Ctrl + Shift + arrow keys | When a tile is in focus on the Start menu, move it into another tile to create a folder |
Ctrl + arrow keys | Resize the Start menu when it's open |
Ctrl + arrow key (to move to an item) + Spacebar | Select multiple individual items in a window or on the desktop |
Ctrl + Shift with an arrow key | Select a block of text |
Ctrl + Esc | Open Start |
Ctrl + Shift + Esc | Open Task Manager |
Ctrl + Shift | Switch the keyboard layout when multiple keyboard layouts are available |
Ctrl + Spacebar | Turn the Chinese input method editor (IME) on or off |
Shift + F10 | Display the shortcut menu for the selected item |
Shift with any arrow key | Select more than one item in a window or on the desktop, or select text in a document |
Shift + Delete | Delete the selected item without moving it to the Recycle Bin first |
Right arrow | Open the next menu to the right, or open a submenu |
Left arrow | Open the next menu to the left, or close a submenu |
Esc | Stop or leave the current task |
Windows logo key keyboard shortcuts
Press this key | To do this |
---|---|
Windows logo key | Open or close Start |
Windows logo key + A | Open Action center |
Windows logo key + B | Set focus in the notification area |
Windows logo key + C | Open Cortana in listening mode |
Windows logo key + Shift + C | Open the charms menu |
Windows logo key + D | Display and hide the desktop |
Windows logo key + Alt + D | Display and hide the date and time on the desktop |
Windows logo key + E | Open File Explorer |
Windows logo key + F | Open Feedback Hub and take a screenshot |
Windows logo key + G | Open Game bar when a game is open |
Windows logo key + H | Start dictation |
Windows logo key + I | Open Settings |
Windows logo key + J | Set focus to a Windows tip when one is available. When a Windows tip appears, bring focus to the tip. Press the keyboard shortcut again to bring focus to the element on the screen to which the Windows tip is anchored. |
Windows logo key + K | Open the Connect quick action |
Windows logo key + L | Lock your PC or switch accounts |
Windows logo key + M | Minimize all windows |
Windows logo key + O | Lock device orientation |
Windows logo key + P | Choose a presentation display mode |
Windows logo key + R | Open the Run dialog box |
Windows logo key + S | Open search |
Windows logo key + T | Cycle through apps on the taskbar |
Windows logo key + U | Open Ease of Access Center |
Windows logo key + V | Cycle through notifications |
Windows logo key + Shift + V | Cycle through notifications in reverse order |
Windows logo key + X | Open the Quick Link menu |
Windows logo key + Y | Switch input between Windows Mixed Reality and your desktop |
Windows logo key + Z | Show the commands available in an app in full-screen mode |
Windows logo key + period (.) or semicolon (;) | Open emoji panel |
Windows logo key + comma (,) | Temporarily peek at the desktop |
Windows logo key + Pause | Display the System Properties dialog box |
Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
Windows logo key + Shift + M | Restore minimized windows on the desktop |
Windows logo key + number | Open the desktop and start the app pinned to the taskbar in the position indicated by the number. If the app is already running, switch to that app. |
Windows logo key + Shift + number | Open the desktop and start a new instance of the app pinned to the taskbar in the position indicated by the number |
Windows logo key + Ctrl + number | Open the desktop and switch to the last active window of the app pinned to the taskbar in the position indicated by the number |
Windows logo key + Alt + number | Open the desktop and open the Jump List for the app pinned to the taskbar in the position indicated by the number |
Windows logo key + Ctrl + Shift + number | Open the desktop and open a new instance of the app located at the given position on the taskbar as an administrator |
Windows logo key + Tab | Open Task view |
Windows logo key + Up arrow | Maximize the window |
Windows logo key + Down arrow | Remove current app from screen or minimize the desktop window |
Windows logo key + Left arrow | Maximize the app or desktop window to the left side of the screen |
Windows logo key + Right arrow | Maximize the app or desktop window to the right side of the screen |
Windows logo key + Home | Minimize all except the active desktop window (restores all windows on second stroke) |
Windows logo key + Shift + Up arrow | Stretch the desktop window to the top and bottom of the screen |
Windows logo key + Shift + Down arrow | Restore/minimize active desktop windows vertically, maintaining width |
Windows logo key + Shift + Left arrow or Right arrow | Move an app or window in the desktop from one monitor to another |
Windows logo key + Spacebar | Switch input language and keyboard layout |
Windows logo key + Ctrl + Spacebar | Change to a previously selected input |
Windows logo key + Ctrl + Enter | Open Narrator |
Windows logo key + Plus (+) | Open Magnifier |
Windows logo key + forward slash (/) | Begin IME reconversion |
Windows logo key + Ctrl + V | Open shoulder taps |
Command Prompt keyboard shortcuts
Press this key | To do this |
---|---|
Ctrl + C (or Ctrl + Insert) | Copy the selected text |
Ctrl + V (or Shift + Insert) | Paste the selected text |
Ctrl + M | Enter Mark mode |
Alt + selection key | Begin selection in block mode |
Arrow keys | Move the cursor in the direction specified |
Page up | Move the cursor by one page up |
Page down | Move the cursor by one page down |
Ctrl + Home (Mark mode) | Move the cursor to the beginning of the buffer |
Ctrl + End (Mark mode) | Move the cursor to the end of the buffer |
Ctrl + Up arrow | Move up one line in the output history |
Ctrl + Down arrow | Move down one line in the output history |
Ctrl + Home (History navigation) | If the command line is empty, move the viewport to the top of the buffer. Otherwise, delete all the characters to the left of the cursor in the command line. |
Ctrl + End (History navigation) | If the command line is empty, move the viewport to the command line. Otherwise, delete all the characters to the right of the cursor in the command line. |
Dialog box keyboard shortcuts
Press this key | To do this |
---|---|
F4 | Display the items in the active list |
Ctrl + Tab | Move forward through tabs |
Ctrl + Shift + Tab | Move back through tabs |
Ctrl + number (number 1–9) | Move to nth tab |
Tab | Move forward through options |
Shift + Tab | Move back through options |
Alt + underlined letter | Perform the command (or select the option) that is used with that letter |
Spacebar | Select or clear the check box if the active option is a check box |
Backspace | Open a folder one level up if a folder is selected in the Save As or Open dialog box |
Arrow keys | Select a button if the active option is a group of option buttons |
File Explorer keyboard shortcuts
Press this key | To do this |
---|---|
Alt + D | Select the address bar |
Ctrl + E | Select the search box |
Ctrl + F | Select the search box |
Ctrl + N | Open a new window |
Ctrl + W | Close the active window |
Ctrl + mouse scroll wheel | Change the size and appearance of file and folder icons |
Ctrl + Shift + E | Display all folders above the selected folder |
Ctrl + Shift + N | Create a new folder |
Num Lock + asterisk (*) | Display all subfolders under the selected folder |
Num Lock + plus (+) | Display the contents of the selected folder |
Num Lock + minus (-) | Collapse the selected folder |
Alt + P | Display the preview panel |
Alt + Enter | Open the Properties dialog box for the selected item |
Alt + Right arrow | View the next folder |
Alt + Up arrow | View the folder that the folder was in |
Alt + Left arrow | View the previous folder |
Backspace | View the previous folder |
Right arrow | Display the current selection (if it's collapsed), or select the first subfolder |
Left arrow | Collapse the current selection (if it's expanded), or select the folder that the folder was in |
End | Display the bottom of the active window |
Home | Display the top of the active window |
F11 | Maximize or minimize the active window |
Virtual desktops keyboard shortcuts
Press this key | To do this |
---|---|
Windows logo key + Tab | Open Task view |
Windows logo key + Ctrl + D | Add a virtual desktop |
Windows logo key + Ctrl + Right arrow | Switch between virtual desktops you’ve created on the right |
Windows logo key + Ctrl + Left arrow | Switch between virtual desktops you’ve created on the left |
Windows logo key + Ctrl + F4 | Close the virtual desktop you're using |
Taskbar keyboard shortcuts
Press this key | To do this |
---|---|
Shift + click a taskbar button | Open an app or quickly open another instance of an app |
Ctrl + Shift + click a taskbar button | Open an app as an administrator |
Shift + right-click a taskbar button | Show the window menu for the app |
Shift + right-click a grouped taskbar button | Show the window menu for the group |
Ctrl + click a grouped taskbar button | Cycle through the windows of the group |
Friday, October 26, 2018
RID Hijacking
Relative Identifier (RID) Hijacking has recently gained public attention as a simple, novel, and effective technique to maintain persistence on a Windows system after initial compromise. As information security awareness continues to rise in many organizations their overall security posture also increases, especially in larger organizations that can afford it. As a result, many attackers are forced to leverage stealth techniques when targeting these types of companies to bypass security mechanisms.
RID Hijacking effectively allows attackers to assign higher level administrative privileges to lower level accounts that they might have direct access to after initial system compromise. What makes this method so attractive to attackers is that it leverages strictly Windows native commands to execute the technique, does not require installing any additional software, and is a relatively simple process. Therefore, it does not make much noise on a system and in many cases is difficult to detect unless defenders are carefully monitoring the Security Account Manager (SAM) registry.
Since Windows XP, Windows has used the SAM to store security descriptors for user accounts. These Windows systems store most of this information in the ‘HKLM\SAM\SAM\Domains\Account\Users’ key, which requires SYSTEM level privileges to access. This key contains a variety of structured information representing user privilege information. The ‘Names’ subkey contains all the local user account names, and the ‘F’ value within this structure is a long binary value that contains the RID at hex offset 0x30, along with other interesting information such as whether the account is enabled or disabled. According to security researcher Sebastian Castro, the RID copy stored in the ‘F’ value is the value used by the Local Security Authority Subsystem Service (LSASS) and the Security Reference Monitor (SRM) to generate the primary access token when translating from username to security identifier (SID). This token is used on the system when users attempt to access system services and applications. So if an attacker can modify the RID value of a guest user account, for example, to hex 0x1F4 (500 in decimal), they can give that guest account system level access. This technique is known as RID hijacking.
Sebastian Castro, the security researcher investigating this vulnerability, also published an exploit which automates this attack in Metasploit, a popular open source exploit framework used by many worldwide. The exploit can be found at ‘post/windows/manage/rid_hijack’ within the framework. It has been tested on Windows XP, Windows Server 2003, Windows 8.1, and Windows 10. The best recommended way to defend against this attack is by monitoring the system registry and looking for inconsistencies within the SAM.
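The "inconsistencies within the SAM" that the post recommends looking for can be checked mechanically: the RID at offset 0x30 of each user's ‘F’ value must equal the RID encoded in the name of the Users subkey it lives under. The script below is an added example, not from the post or from the referenced research; it runs on F value bytes exported from an offline hive copy, the sample records are constructed, and the account-control flag offset and bit are assumptions.

```python
import struct

# Added example (not from the post or Castro's research): audit SAM user records
# for the RID mismatch that RID hijacking leaves behind. Input is the Users
# subkey name (eight hex digits) and the raw bytes of its 'F' value, e.g.
# exported from an offline copy of the SAM hive.
RID_OFFSET = 0x30        # offset of the RID inside the F value (from the post)
FLAGS_OFFSET = 0x38      # assumption: account-control flags live here
ACB_DISABLED = 0x0001    # assumption: bit 0 of those flags = account disabled
ADMIN_RID = 500          # 0x1F4, the built-in Administrator RID
F_VALUE_SIZE = 0x50      # size used for the constructed sample blobs


def rid_from_f(f_value):
    """The RID is stored as a little-endian DWORD at offset 0x30."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to hold a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def account_disabled(f_value):
    """Assumed layout: 16-bit account-control flags at 0x38, bit 0 = disabled."""
    flags = struct.unpack_from("<H", f_value, FLAGS_OFFSET)[0]
    return bool(flags & ACB_DISABLED)


def check_user_key(subkey_name, f_value):
    """Return a list of findings for one Users subkey (empty when consistent)."""
    findings = []
    key_rid = int(subkey_name, 16)      # subkey name is the RID in hex
    f_rid = rid_from_f(f_value)
    if f_rid != key_rid:
        findings.append(
            f"RID mismatch: subkey {subkey_name} is RID {key_rid} "
            f"but its F value carries RID {f_rid}"
        )
        if f_rid == ADMIN_RID:
            findings.append(
                "F value RID is 500 (Administrator) under a non-500 subkey: "
                "this is the RID hijacking pattern described in the post"
            )
    return findings


def audit_users(users):
    """users maps subkey name -> F value bytes; returns only suspicious entries."""
    report = {}
    for name, f_value in users.items():
        findings = check_user_key(name, f_value)
        if findings:
            report[name] = findings
    return report


def build_f_value(rid, disabled=False):
    """Constructed sample: an all-zero F blob with only the RID and flags set."""
    blob = bytearray(F_VALUE_SIZE)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    struct.pack_into("<H", blob, FLAGS_OFFSET, ACB_DISABLED if disabled else 0)
    return bytes(blob)


# Constructed sample hive content: two built-in accounts and one local user
# (RID 1001) whose F value carries RID 500 instead, the case to detect.
SAMPLE_USERS = {
    "000001F4": build_f_value(500, disabled=True),   # Administrator
    "000001F5": build_f_value(501, disabled=True),   # Guest
    "000003E9": build_f_value(500),                  # local user 1001, inconsistent
}

if __name__ == "__main__":
    for key, findings in audit_users(SAMPLE_USERS).items():
        print(key)
        for finding in findings:
            print("   ", finding)
```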
Sources:
https://threatpost.com/trivial-postintrusion-attack-exploits-windowsrid/138448/ https://csl.com.co/en/rid-hijacking/
Zero-day jQuery Exploit
A zero-day exploit in the jQuery File Upload tool may have been an open secret for years. A security researcher at the Akamai Security Intelligence Response Team (SIRT) by the name of Larry Cashdollar found the exploit, designated CVE-2018-9206. The vulnerability affects the plugin authored by Sebastian Tschan, commonly known as “blueimp”. jQuery File Upload is one of the most starred plugins on GitHub next to the jQuery framework itself. The tool appears to have been forked over 7800 times and has most likely been integrated into thousands of other projects.
The vulnerability affects Apache web servers that have the plugin and has existed since Apache 2.3.9, when Apache disabled support for .htaccess security configuration files by default. Unfortunately, jQuery File Upload relied on .htaccess, and Apache made the change only five days before Sebastian’s plugin was first published. Worse yet, it seems that this exploit has been an open secret in the hacker community for years. An attacker can use the vulnerability to upload files without any validation. This would allow attackers to upload back doors and key loggers, and even execute a web shell on the server. Cashdollar was able to get in touch with Sebastian, and together they were able to get the vulnerability fixed in the latest version of jQuery File Upload. However, both noted that the fix is unlikely to be deployed in all the other projects and/or servers that use the plugin. They stated that there is no accurate way to determine how many projects have forked from jQuery File Upload, or whether they are being maintained by applying changes from the master project. Additionally, there is no good way to determine how many production environments have the plugin integrated into them.
Cashdollar has also noted that he doubts he is the only person to have found the videos that demonstrate this vulnerability. The videos on YouTube indicate that this exploit has been known and used in some circles for years, so it is possible that hackers have been able to quietly use this method to execute remote code on web servers that use the plugin. However, now that the code has been patched and the exploit has been made public, there is concern that the risk has increased. With an unknown number of forked projects and environments that might use the tool, the likelihood is that the patch will not entirely eliminate the threat. If you want to test your environment for this vulnerability, this link will help: https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206. There you will find the files that test for three of the most commonly used variations of the exploit software.
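The root cause described above is an upload directory whose only protection was a .htaccess file that Apache stopped reading by default. The httpd.conf fragment below is an added example, not from the post or from the blueimp project: it shows the fragile arrangement beside a hardened one that does not depend on overrides at all. The directory path is a placeholder and the Header directives assume mod_headers is loaded.

```apache
# --- Fragile: the upload directory is protected only by a .htaccess file ---
# Apache 2.3.9 and later default to "AllowOverride None", so unless the main
# configuration explicitly re-enables overrides this file is never read and
# uploads are served exactly as they were stored, script files included.
#
#   /var/www/html/server/php/files/.htaccess      (placeholder path)
#       SetHandler default-handler
#       ForceType application/octet-stream
#
# --- Hardened: put the same rules in the server configuration itself ---
<Directory "/var/www/html/server/php/files">
    # Keep overrides off; nothing dropped into this directory can change the rules.
    AllowOverride None

    # Never hand uploaded content to a script interpreter or CGI: serve it as an
    # opaque download and tell the browser not to sniff a content type.
    SetHandler default-handler
    ForceType application/octet-stream
    Options -ExecCGI -Includes -Indexes
    Header set Content-Disposition "attachment"
    Header set X-Content-Type-Options "nosniff"

    # Defence in depth: refuse to serve script-like names at all, even if a
    # handler mapping for them is later added elsewhere in the configuration.
    <FilesMatch "(?i)\.(php[3-7]?|phtml|phar|cgi|pl|py|sh|asp|aspx|jsp)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Server-side validation of what the upload handler accepts (the plugin's fix restricted the default accepted file types) is still needed; this configuration only ensures that whatever does land in the directory cannot execute.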
Sources:
https://www.theregister.co.uk/2018/10/22/jquery_file_flaw/
https://searchsecurity.techtarget.com/news/252451045/Zero-day-jQueryplugin-vulnerability-exploited-for-3-years
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-activelyexploited-for-at-least-three-years/
Saturday, October 20, 2018
Windows 10, version 1809 Features removed or planned for replacement
Here is a blog post from Microsoft about changes to Windows 10, version 1809.
Features we removed in this release
We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method.
Feature | Instead you can use... |
---|---|
Business Scanning, also called Distributed Scan Management (DSM) | We're removing this secure scanning and scanner management capability - there are no devices that support this feature. |
FontSmoothing setting in unattend.xml | The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use ClearType by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored. |
Hologram app | We've replaced the Hologram app with the Mixed Reality Viewer. If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer. |
limpet.exe | We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source. |
Phone Companion | When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the Phone page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features. |
Future updates through Windows Embedded Developer Update for Windows Embedded Standard 8 and Windows Embedded 8 Standard | We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the Microsoft Update Catalog. |
Features we’re no longer developing
We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources.
If you have feedback about the proposed replacement of any of these features, you can use the Feedback Hub app.
| Feature | Instead you can use... |
|---|---|
| Companion device dynamic lock APIs | The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced Dynamic Lock, including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third-party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs. |
| OneSync service | The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization. |
| Snipping Tool | The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're introducing a new universal app, Snip & Sketch, that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch. |
macOS 10.12 Draft NIST Security Configuration Checklist
NIST invites comments on Draft Special Publication (SP) 800-179 Revision 1, Guide to Securing macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist. This publication assists IT professionals in securing macOS 10.12 desktop and laptop systems within various environments. It provides detailed information about the security features of macOS 10.12 and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of macOS 10.12 systems in three types of environments: standalone, managed, and specialized security-limited functionality.
A public comment period for this document is open until November 16, 2018. We strongly encourage you to use the comment template for submitting your comments.
CSRC Update:
https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-179-rev-1-for-comment
Publication Details:
https://csrc.nist.gov/publications/details/sp/800-179/rev-1/draft