Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019

Microsoft is pleased to announce the draft release of the
security configuration baseline settings for Windows 10 version 1809
(a.k.a., “Redstone 5” or “RS5”), and for Windows Server 2019. Please
evaluate these proposed baselines and send us your feedback via blog
comments below.

Download the content here: Windows-10-1809-Security-Baseline-DRAFT.zip

The downloadable attachment to this blog post includes importable
GPOs, a PowerShell script for applying the GPOs to local policy, custom
ADMX files for Group Policy settings, documentation in spreadsheet form
and as a Policy Analyzer file
(MSFT-Win10-v1809-RS5-WS2019-DRAFT.PolicyRules). In this release, we
have changed the documentation layout in a few ways:

  • MS Security Baseline Windows 10 v1809 and Server 2019.xlsx – A
    multi-tabbed workbook listing all Group Policy settings that ship
    in-box with Windows 10 v1809 or Windows Server 2019. Columns for
    “Windows 10 v1809,” “WS2019 Member Server,” and “WS2019 DC” show the
    recommended settings for those three scenarios. A small number of cells
    are color-coded to indicate that the settings should not be applied to
    systems that are not joined to an Active Directory domain. Cells in the
    “WS2019 DC” columns are also highlighted when they differ from the
    corresponding cells in the “WS2019 Member Server” column. Another change
    from past spreadsheets is that we have combined tabs that used to be
    separate. Specifically, we are no longer breaking out Internet Explorer
    and Windows Defender AV settings into separate tabs, nor the settings
    for LAPS, MS Security Guide, and MSS (Legacy). All these settings are
    now in the Computer and User tabs.
  • BaselineDiffs-to-v1809-RS5-DRAFT.xlsx – This Policy
    Analyzer-generated workbook lists the differences in Microsoft security
    configuration baselines between the new baselines and the corresponding
    previous baselines. The Windows 10 v1809 settings are compared against
    those for Windows 10 v1803, and the Windows Server 2019 baselines are
    compared against those for Windows Server 2016.
  • Windows 10 1803 to 1809 New Settings.xlsx – Lists all the
    settings that are available in Windows 10 v1809 that were added since
    Windows 10 v1803. (We used to highlight these settings in the big
    all-settings spreadsheets.)
  • Server 2016 to 2019 New Settings.xlsx – Lists all the
    settings that are available in Windows Server 2019 that were added since
    Windows Server 2016. (We used to highlight these settings in the big
    all-settings spreadsheets.)

Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-DRAFT.xlsx:

  • The MS Security Guide custom setting protecting against potentially
    unwanted applications (PUA) has been deprecated, and is now implemented
    with a new setting under Computer Configuration…Windows Defender
    Antivirus.
  • We have enabled the “Encryption Oracle Remediation” setting we had considered for v1803.
    At the time we were concerned that enabling the newly-introduced
    setting would break too many not-yet-patched systems. We assume that
    systems have since been brought up to date. (You can read information
    about the setting here and here.)
  • Changes to Virtualization-Based Security settings (used by Credential Guard and Code Integrity):
    • “Platform Security Level” changed from “Secure Boot and DMA
      Protection” to “Secure Boot.” If system hardware doesn’t support DMA
      protection, selecting “Secure Boot and DMA Protection” prevents
      Credential Guard from operating. If you can affirm that your systems
      support the DMA protection feature, choose the stronger option. We have
      opted for “Secure Boot” (only) in the baseline to reduce the likelihood
      that Credential Guard fails to run.
    • Enabled the new System Guard Secure Launch setting, which enables
      Secure Launch on new capable hardware. Secure Launch changes the way
      Windows boots to use Intel Trusted Execution Technology (TXT) and
      Runtime BIOS Resilience features to prevent firmware exploits from being
      able to impact the security of the Windows Virtualization Based
      Security environment.
    • Enabled the “Require UEFI Memory Attributes Table” option.
  • Enabled the new Kernel DMA Protection feature described here.
    The “External device enumeration” policy controls whether to enumerate
    external devices that are not compatible with DMA-remapping. Devices
    that are compatible with DMA-remapping are always enumerated.
  • Removed the BitLocker setting, “Allow Secure Boot for integrity
    validation,” as it merely enforced a default that was unlikely to be
    modified even by a misguided administrator.
  • Removed the BitLocker setting, “Configure minimum PIN length for
    startup,” as new hardware features reduce the need for a startup PIN,
    and the setting increased Windows’ minimum by only one character.
  • Enabled the new Microsoft Edge setting to prevent users from
    bypassing certificate error messages, bringing Edge in line with a
    similar setting for Internet Explorer.
  • Removed the block against handling PKU2U authentication requests, as the feature is increasingly necessary.
  • Removed the configuration of the “Create symbolic links” user rights
    assignment, as it merely enforced a default, was unlikely to be
    modified by a misguided administrator or for malicious purposes, and
    needs to be changed to a different value when Hyper-V is enabled.
  • Removed the deny-logon restrictions against the Guests group as
    unnecessary: by default, the Guest account is the only member of the
    Guests group, and the Guest account is disabled. Only an administrator
    can enable the Guest account or add members to the Guests group.
  • Removed the disabling of the xbgm (“Xbox Game Monitoring”) service,
    as it is not present in Windows 10 v1809. (By the way, consumer services
    such as the Xbox services have been removed from Windows Server 2019
    with Desktop Experience!)
  • Removed Credential Guard from the Domain Controller baseline.
    (Credential Guard is not useful on domain controllers and is not
    supported there.)
  • Created and enabled a new custom MS Security Guide setting for the
    domain controller baseline, “Extended Protection for LDAP Authentication
    (Domain Controllers only),” which configures the
    LdapEnforceChannelBinding registry value described here.
  • The Server 2019 baselines pick up all the changes accumulated in the four Windows 10 releases since Windows Server 2016.

See the rest of the changes here
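As an added example (not part of the baseline download or Microsoft's own scripts), the audit below reads the registry values behind several of the settings discussed above and compares them with the values this draft baseline chooses. The value names are the documented policy values; the expected values are assumptions drawn from this post and should be checked against the .PolicyRules file before relying on them.

```powershell
# Added audit script, not part of the Microsoft baseline package.
# Expected values are assumptions from the blog post; confirm against
# MSFT-Win10-v1809-RS5-WS2019-DRAFT.PolicyRules before use.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: setting not configured
}

function Test-BaselineSettings {
    param([switch]$DomainController)

    $dg   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $csp  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    $checks = @(
        @{ Setting = 'Turn On Virtualization Based Security';
           Path = $dg; Name = 'EnableVirtualizationBasedSecurity'; Expected = 1 }
        # Platform Security Level: 1 = Secure Boot, 3 = Secure Boot and DMA Protection.
        # The draft baseline chooses Secure Boot only (see discussion above).
        @{ Setting = 'VBS Platform Security Level';
           Path = $dg; Name = 'RequirePlatformSecurityFeatures'; Expected = 1 }
        @{ Setting = 'Require UEFI Memory Attributes Table';
           Path = $dg; Name = 'HVCIMATRequired'; Expected = 1 }
        # Encryption Oracle Remediation: 0 = Force Updated Clients, 1 = Mitigated,
        # 2 = Vulnerable. Assumed baseline value: 0.
        @{ Setting = 'Encryption Oracle Remediation';
           Path = $csp; Name = 'AllowEncryptionOracle'; Expected = 0 }
    )
    if ($DomainController) {
        # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
        # Assumed baseline value: 1 (the post does not state the number).
        $checks += @{ Setting = 'Extended Protection for LDAP Authentication';
                      Path = $ntds; Name = 'LdapEnforceChannelBinding'; Expected = 1 }
    }

    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Setting
            Value    = $c.Name
            Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' }
                       elseif ($null -eq $actual) { 'MISSING' } else { 'DIFFERS' }
        }
    }
}

# What the hypervisor actually reports, independent of what policy asks for.
function Get-VbsRuntimeState {
    $info = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                            -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Code Integrity)
        CredentialGuardRunning = $info.SecurityServicesRunning -contains 1
        HvciRunning            = $info.SecurityServicesRunning -contains 2
        # AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection.
        # If 3 is absent, "Secure Boot and DMA Protection" would stop Credential Guard.
        SecureBootAvailable    = $info.AvailableSecurityProperties -contains 2
        DmaProtectionAvailable = $info.AvailableSecurityProperties -contains 3
    }
}

# DomainRole 4 = backup DC, 5 = primary DC; only then check the LDAP setting.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -in 4, 5
Test-BaselineSettings -DomainController:$isDc | Format-Table -AutoSize
Get-VbsRuntimeState
```

Run it in an elevated PowerShell session on the target machine; a DMA-protection result of False is the case in which the post recommends staying with the weaker "Secure Boot" level.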

NIST final public draft Special Publication 800-37, Revision 2

NIST announces the final public draft of Special Publication 800-37, Revision 2,
Risk Management Framework for Information Systems and Organizations – A System
Life Cycle Approach for Security and Privacy.

There are seven major objectives for this update:

  • To provide closer linkage and communication between the risk management
    processes and activities at the C-suite or governance level of the
    organization and the individuals, processes, and activities at the system
    and operational level of the organization;
  • To institutionalize critical risk management preparatory activities at all
    risk management levels to facilitate a more effective, efficient, and
    cost-effective execution of the RMF;
  • To demonstrate how the NIST Cybersecurity Framework can be aligned with
    the RMF and implemented using established NIST risk management processes;
  • To integrate privacy risk management processes into the RMF to better support
    the privacy protection needs for which privacy programs are responsible;
  • To promote the development of trustworthy secure software and systems by
    aligning life cycle-based systems engineering processes in NIST Special
    Publication 800-160, Volume 1, with the relevant tasks in the RMF;
  • To integrate security-related supply chain risk management (SCRM) concepts
    into the RMF to address untrustworthy suppliers, insertion of
    counterfeits, tampering, unauthorized production, theft, insertion of
    malicious code, and poor manufacturing and development practices
    throughout the SDLC; and
  • To allow for an organization-generated control selection approach to
    complement the traditional baseline control selection approach and support
    the use of the consolidated control catalog in NIST Special Publication
    800-53, Revision 5.

The addition of the Prepare step is one of the key changes to the RMF,
incorporated to achieve more effective, efficient, and cost-effective security
and privacy risk management processes.

In addition to seeking your comments on this final public draft, we are
specifically seeking feedback on a new RMF Task P-13, Information Life Cycle.
The life cycle describes the stages through which information passes, typically
characterized as creation or collection, processing, dissemination, use,
storage, and disposition, including destruction and deletion. Identifying and
understanding all stages of the information life cycle have significant
implications for security and privacy. We are seeking comment on how
organizations would execute this task and how we might provide the most
helpful discussion to assist organizations in its execution.

The public comment period for the draft publication is October 2 through
October 31. Please submit comments using the comment template to
[email protected].

Great article about malware and small businesses

Small businesses targeted by highly localized Ursnif campaign

Cyber thieves are continuously looking for new ways to get people
to click on a bad link, open a malicious file, or install a poisoned
update in order to steal valuable data. In the past, they cast as wide a
net as possible to increase the pool of potential victims. But attacks
that create a lot of noise are often easier to spot and stop. Cyber
thieves are catching on that we are watching them, so they are trying
something different. Now we’re seeing a growing trend of small-scale,
localized attacks that use specially crafted social engineering to stay
under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users
and small businesses in specific US cities. This was a focused, highly
localized attack that aimed to steal sensitive info from just under 200
targets. Macro-laced documents masqueraded as statements from legitimate
businesses. The documents are then distributed via email to target
victims in cities where the businesses are located.

With Windows Defender AV’s next gen defense, however, the size of the attack doesn’t really matter.

Several cloud-based machine learning algorithms detected and blocked
the malicious documents at the onset, stopping the attack and protecting
customers from what would have been the payload, info-stealing malware Ursnif.

To read the full article on the Microsoft site, go here.

Introducing Microsoft Learn

Microsoft announced the launch of more than 80 hours of learning for Azure,
Dynamics 365, Power BI, PowerApps, and Microsoft Flow. The new learning
platform includes experiences that will help you, your customers, and partners
to up-level your skills, prepare for new role-based certification exams, and
explore additional training offerings such as instructor-led training and
Pluralsight. Check out www.microsoft.com/learn

Highlights include:

  • Content organized by learning path, experience level, role and product,
    for an end-to-end view of a technology area, ensuring a comprehensive
    skillset
  • Learning paths consist of step-by-step tutorials with interactive coding
    environments that provide free fixed-time access to Azure resources –
    without requiring a credit card
  • As you and your customers use Microsoft Learn, you can track progress,
    check knowledge, and validate deployments to earn points, levels,
    achievements, and trophies
Role-based certifications and training

Microsoft introduced new role-based certifications, starting with three new
roles: Microsoft Certified Azure Developer, Microsoft Certified Azure
Administrator and Microsoft Certified Azure Solutions Architect, with
additional roles to follow. The launch of these certifications also includes
new exams and updated instructor-led training to prepare for these exams.
Learn more: http://aka.ms/RoleBasedCert

Magecart? Again?

I don’t like writing breach stories because they occur far too often. On the other hand, when the breach is the fault of the sales merchant, one hopes exposure would cause a renewed interest among other merchants in better securing their retail websites to assure such data loss doesn’t happen to them.
With the number of breaches so large, how easily we forget that back in June, Magecart applied a kind of cross-site scripting (XSS) attack to digitally skim the credit card information Ticketmaster buyers used for payment. In defense of Ticketmaster, the actual attack appeared to be a code insertion compromise against Inbenta, a third-party supplier for their website. Although obfuscated, and having no impact on the site’s functionality, the subtle change captured and diverted the information to Magecart-owned servers with legitimate-looking names.

This attack was nothing new to Magecart, who has been behind such activity since 2015 and focuses on e-commerce. At the time of the Ticketmaster breach, RiskIQ believed, based on their analysis, that over 800 different commerce websites were also targeted. Clearly Magecart continued with attacks, as evidenced by the large compromise of British Airways (having lost over 380,000 transactions). One might imagine that other smaller sites are also being targeted, based on the announcement just this week that ABS-CBN (whose online store was compromised) may have lost information on 213 customers.

You’d think that with such publicity, e-commerce sites, especially those with a large customer base, would be watching for similar Magecart activity to assure they don’t fall victim. Or not. Per Threatpost yesterday, “Newegg is a top online merchant with tens of millions of registered users in 50 countries, according to its website. It sells a range of consumer electronics, entertainment, smart-home and gaming products, and is the 161st most popular site in the U.S. according to Alexa. In all, it receives more than 50 million site visitors per month. And between Aug. 14 and Sept. 18, a Magecart-linked payment skimmer was active on the Newegg site”. Like the attacks on the other e-commerce sites, with an injection of only 8 lines of code (similar to the code used in the British Airways incident, but improved), Magecart diverted information to a domain with a legitimate Comodo-issued certificate called neweggstats[.]com. In the analysis of these attacks, RiskIQ further states: “Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly.”

Who’s to blame for these breaches? Clearly web service providers in the e-commerce arena need to improve their approaches to security. How many sites have been compromised? Perhaps there are some we may never know about, but for many more, my guess is we will learn about them in the near future as e-commerce providers take a closer look at their websites for unauthorized Magecart additions.
Sources:
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/
https://www.computerworlduk.com/security/magecart-who-what-is-behind-british-airways-attack-3683768/
https://threatpost.com/magecart-strikes-again-siphoning-payment-info-from-newegg/137576/

This article was created by Peraton

Draft Cybersecurity Practice Guide SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation, is Available for Comment

It is difficult to overstate the importance of the
internet to modern business and society in general. The internet is not a
single network, but rather a complex grid of independent interconnected
networks that relies on a protocol known as Border Gateway Protocol (BGP) to
route traffic to its intended destination.

Unfortunately, BGP was not designed with security in mind, and a route hijack
attack can deny access to internet services, misdeliver traffic to malicious
endpoints, and cause routing instability. A technique known as BGP route
origin validation (ROV) is designed to protect against route hijacking.

NIST’s National Cybersecurity Center of
Excellence (NCCoE), together with several technology vendors, has developed
proof-of-concept demonstrations of BGP ROV implementation designed to improve
the security of the internet’s routing infrastructure. 

Comments for this draft are due by October
15, 2018. To review Draft Special Publication (SP) 1800-14, and for information
on submitting comments, please visit the links below.

CSRC Update: https://csrc.nist.gov/news/2018/nist-requests-comments-on-draft-sp-1800-14

Publication details: https://csrc.nist.gov/publications/detail/sp/1800-14/draft

Project Homepage: https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing

Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool

Here is a group of articles by Microsoft on Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool.

Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 1 (link here)

Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 2 (link here)

Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 3 (link here)

McAfee Researchers Falsify Patient Vitals in Real Time.

During the 26th DEF CON conference this past week, McAfee researchers showed how they have been able to falsify patient vitals reported to central monitoring stations. Two variations of the attack are possible due to weak communication protocols between client devices and the central monitoring station. In the first scenario, the attacker would need direct access to the patient and the equipment, where they would be able to disconnect the patient and plug in their own device, which would then transmit false information.

However, McAfee researchers found that it was also possible to use a method called ARP spoofing to feed false information to the monitoring station: capturing data coming from a client device, manipulating it, and sending the data on to the central monitoring station. This is possible because of a UDP-based protocol called RWHAT, used by many medical devices, most of which are wired and wireless capable. While this is not a widely known protocol, it is easy to observe and manipulate due to the simplicity of the UDP packets. Additionally, these devices often use no authentication or weak authentication.
The doctors who helped the researchers vet the potential threat indicated that it is common practice to make diagnoses based on the data shown on the central monitoring stations. The McAfee researchers’ method was to acquire a client monitoring station and a central monitoring system from eBay. While the units used are from 2004, they are still commonly used today. McAfee was careful not to name the manufacturer of the units, as they are still working with the company to patch the vulnerabilities. Once they had the equipment and had worked out the networking component, their next step was to acquire an ECG simulator from eBay for about $100. With the ECG simulator available, they determined that the traffic was unencrypted and contained counter and patient information.

Using the emulation as a springboard, they were able to modify the data being sent to the monitoring station. Then, in real time, they were able to simulate a flatline signal to the central monitoring station as well as manipulate oxygen level and blood pressure information. This creates the potential to falsify information to staff, which might result in unneeded or unwanted procedures or prescriptions. This attack could potentially make staff believe that a patient is resting peacefully when they are not hooked up to their bedside equipment, or worse. While this threat vector might not be subject to mass exploitation, it could be leveraged in cases of high-value patients.
Sources:
https://www.bleepingcomputer.com/news/security/hackers-can-falsify-patient-vitals/
https://www.theregister.co.uk/2018/08/14/patient_monitor_hack/
https://venturebeat.com/2018/08/11/mcafee-researchers-falsify-a-patients-vital-signs-in-real-time/

What Else is your Fax Machine Doing?

Researchers Eyal Itkin and Yaniv Balmas revealed a new type of vulnerability at DEF CON 2018 – one which attacks your fax machine. They call this new exploit ‘Faxploit’ and demonstrated how a victim’s network could be infiltrated by sending a malicious fax to a certain model of networked fax machine over a normal phone line connection. By exploiting vulnerabilities they discovered, they could take over the machine and use it as a jump point into the internal network. After an impressive amount of reverse engineering, using existing exploits to load a debugger onto the target fax machine, the two researchers discovered additional vulnerabilities which could be used for a device takeover attack.
The vulnerability used in their demonstration relates to the embedded JPEG image parser on the device, normally used when receiving or sending color faxes. By sending specially crafted JPEG headers to the machine they could trigger a stack-based buffer overflow in the header parser and run arbitrary code on the device. Once they had discovered the vulnerability in the fax handling mechanism of the device, it was time to write an exploit to take advantage of it. They found that when the device received a JPEG it simply dumped the contents to a file with no validation. Due to this flaw they were able to store the exploit entirely inside a specially crafted JPEG, achieving persistence because it was written to disk. When they wanted to perform tasks that needed additional input, they could simply read from the file sitting on disk.
Their finished exploit implemented three main features. First, it would take over the LCD display on the printer as a demonstration that they had full control of the device. Next, it would check whether the printer had an Ethernet cable attached. If the cable is attached, the third feature is activated – it attempts to attack and take control of other computers attached to the same network using the previously leaked NSA tools EternalBlue and DoublePulsar. While the demonstration exploit shown by the researchers changed the LCD on the printer, a real attacker’s exploit may instead opt to stay quiet to increase the time it goes undetected.
The fax machine attacked in their demonstration was an HP Officejet Pro 6830. The researchers coordinated with HP after discovering the vulnerabilities, and patched firmware has been available on HP’s website since August 1st. While only one specific model was attacked in their demonstration, other models from other manufacturers may suffer from similar flaws, given the nature of parsing complex file formats from unknown origins. Fax machines and printers should therefore be treated with the same care as other risky devices on the network, for example by firewalling them off appropriately or placing them on separate network segments. While these precautions would prevent the device from being used as a door into the network, they would not protect against other types of local attacks.

Sources:
  • https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
  • https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/faxploit-vulnerabilities-in-hp-officejet-printers-can-let-hackers-infiltrate-networks