Malicious Software

This tag is associated with 5 posts

RSA 2015 – Microsoft Key Announcements in Security

The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.

The announcements made by us and the presence that Microsoft had at the conference were impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that the explosion of devices and apps brings new challenges. Security has been a top priority for Microsoft for a long time already, and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:

  • New Security & Compliance signals and activity log APIs so that customers can access enhanced activity logs of user, admin and policy related actions through the new Office365 Management Activity API.
  • New customer Lockbox for O365 that brings the customer into the approval workflow if one of our service engineers would have to troubleshoot an issue that requires elevated access. With the customer lockbox the customer has the control to approve or reject that request.
  • Device Guard is the evolution of our malware protection offering for Windows 10 and brings a new capability to completely lock down the Windows desktop such that it is incapable of running anything other than trusted apps on the machine.
  • Increasing levels of encryption, where O365 will implement content level encryption for e-mail in addition to the BitLocker encryption we offer today (similar to OneDrive for Business’ per-file encryption). In addition, we expect to enable customers to require Microsoft to use customer generated and controlled encryption keys to encrypt their content at rest.
  • Microsoft Passport is a new two factor authentication designed to help consumers and businesses securely log in to applications, enterprise content and online experiences without a password.
  • Windows Hello, which will allow Microsoft Passport to be unlocked using biometric sensors on devices that support them (most notably iris and face recognition in addition to fingerprint).
  • Azure Key Vault, which helps customers safeguard and control keys and secrets using FIPS 140-2 Level 2 certified Hardware Security Modules in the cloud, with ease and at cloud scale, and provides enhanced data protection, compliance and control.
  • New virtual appliances in Azure, where we work with industry leaders to enable a variety of appliances so that customers have greater flexibility in building applications, among others by enabling network security appliances in Azure.
  • Enterprise Mobility, where we have the Enterprise Mobility Suite (EMS) bringing customers enterprise grade cloud identity and access management, mobile device management, mobile app management and data protection (Reto’s comment: not new, but worth calling out having grown our install base by 6x just in the last year).

More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.

Targeted Attacks Video Series

Cybersecurity is currently top of mind for many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity, the topic of targeted attacks is put at the center. This is now increasing even further as we see such attacks being used much more commonly than usually assumed, while only a small number of organizations have the resources to limit or even detect them.

The question is then often what a targeted attack really is, and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarize three security whitepapers: Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.

Take the time to look at them below – it is well worth it:

  • Introduction to Determined Adversaries and Targeted Attacks: Tim Rains, Director, Microsoft Trustworthy Computing, provides background information on these types of attacks and sets the context for the rest of the video series.

  • Mitigating Pass-the-Hash Attacks: Patrick Jungles, Security Program Manager, Trustworthy Computing, explains what a Pass-the-Hash attack is and some tested mitigations to help manage the risk associated with credential theft attacks.

  • Anatomy of a Cyber-attack Part 1: Sean Finnegan, CTO of the Microsoft Consulting Services Cybersecurity Practice, walks through a typical targeted attack, step by step, describing how attackers perpetrate these attacks.

  • Anatomy of a Cyber-attack Part 2: Sean Finnegan finishes his briefing on how determined adversaries commit targeted attacks.

  • Importance of Securing Active Directory: Bret Arsenault, Microsoft CISO, discusses the importance of protecting your Active Directory in the context of targeted attacks.

I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value, then that discussion should start sooner rather than later.

Windows Defender Offline – new tool against advanced malware

I wrote previously about how to secure your computer but last week Microsoft’s Malware Protection Center released a new tool against rootkits and other advanced malware that I would briefly like to review – the Windows Defender Offline.

Windows Defender Offline scans your PC to remove rootkits and other advanced malware that can’t always be detected by antimalware programs. If such a type of malware is detected on your PC, you will be prompted by Microsoft Security Essentials to use Defender Offline. However, it is good practice to run Defender Offline on a regular basis, as some advanced malware doesn’t necessarily get detected by any anti-virus program.

The main difference between Defender Offline and most other anti-malware tools is that it is run from a clean boot disk/CD/USB stick. Because the infected operating system is not running, malware that uses cloaking techniques (for example hooking the APIs that list files or processes) has no way to hide what is actually on the disk.
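To illustrate why an offline scan sees through cloaking, here is a small cross-view comparison, added as an example and not part of the original post or of Windows Defender Offline itself. It compares the file inventory the running OS reports (which a rootkit can filter) with the inventory read from the disk outside the OS, and flags entries that are only visible offline or whose content differs. The file paths and contents are constructed sample data, not real indicators.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    """Per-file fingerprint used for the comparison."""
    size: int
    sha256: str


def snapshot(files: Dict[str, bytes]) -> Dict[str, Entry]:
    """Build a path -> Entry view from path -> content mappings."""
    return {
        path: Entry(len(data), hashlib.sha256(data).hexdigest())
        for path, data in files.items()
    }


def cross_view_diff(live: Dict[str, Entry], offline: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Compare the view the running OS reports with the view read offline.

    hidden   : present on disk but missing from the live listing (classic rootkit hiding)
    phantom  : reported live but absent offline (unexpected; worth a closer look)
    modified : present in both views but with different size or hash
    """
    live_paths, offline_paths = set(live), set(offline)
    hidden = sorted(offline_paths - live_paths)
    phantom = sorted(live_paths - offline_paths)
    modified = sorted(p for p in live_paths & offline_paths if live[p] != offline[p])
    return {"hidden": hidden, "phantom": phantom, "modified": modified}


# Constructed sample data: what the (possibly hooked) running OS reports ...
LIVE_FILES = {
    r"C:\Windows\System32\example_clean.dll": b"clean library bytes",
    r"C:\Windows\System32\example_hooked.dll": b"clean library bytes",  # hook hands back the clean copy
}

# ... and what an offline scanner reading the same disk actually finds.
OFFLINE_FILES = {
    r"C:\Windows\System32\example_clean.dll": b"clean library bytes",
    r"C:\Windows\System32\example_hooked.dll": b"patched library bytes",  # real on-disk content
    r"C:\Windows\System32\drivers\hidden_example.sys": b"driver hidden from the live listing",
}


def demo() -> Dict[str, List[str]]:
    """Run the comparison on the constructed sample views."""
    return cross_view_diff(snapshot(LIVE_FILES), snapshot(OFFLINE_FILES))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The same idea underlies any offline or "cross-view" detection: the live view is only trustworthy if the code producing it is trustworthy, so comparing it against a view produced outside the suspect OS turns hiding itself into a detectable anomaly.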

For more information on what Windows Defender Offline does and what the system requirements are, please visit this website: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline.

Less Spam today? Good news – I will tell you why

Microsoft Digital Crimes Unit

Did you notice that you got fewer spam e-mails today? All in all, there were about 3.8 billion fewer spam mails sent out. Why? Because there is one less botnet in operation. Today Microsoft announced that we have taken down the Kelihos botnet in an action codenamed “Operation b79”. This is the third botnet takedown in Microsoft’s Project MARS (Microsoft Active Response for Security), a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center (MMPC) and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. Why does it matter? Because it is one step further in making cybercrime more expensive, and it is the first time Microsoft has named a defendant in its fight against botnets, suddenly making cybercrime much less anonymous.

Microsoft has a very interesting unit in the fight against cybercrime – the Digital Crimes Unit. I had the opportunity to spend last week at their premises in Redmond, to have interesting discussions and get our efforts in regard to child abuse and digital crimes aligned. With our ever increasing dependence on our computers, smartphones and networks at home, on the road and at work, it becomes more and more crucial to keep this infrastructure safe, secure and private. To achieve this we are working in close cooperation with local law enforcement agencies, government CERTs, Internet providers and other organizations and agencies. From a personal perspective it is highly interesting to have the opportunity to work at national level as a facilitator and sponsor between these Swiss entities and the different units of Microsoft Redmond, and to be able to participate in the fight against child abuse and cybercrime.

The fight against botnets will continue. There are still tens of thousands of infected computers that regularly try to connect to the three botnets Microsoft took down. The following video gives an impression of the state of two botnets as of 21 September 2011.

What now needs to be done is to clean up the infected computers. To aid in this I started working together with Government, Internet Service Providers and Community Emergency Response Teams so that we can also take advantage in Switzerland of the work that is done in Redmond. More on that in a later post once the initiative has advanced and all partners are on board. In the meantime – please keep your computers safe and private. With that you participate in the global fight against cybercrime and you keep your privacy protected. You can find information on “how-to” in this earlier blogpost.

Interested to know more about the botnet takedown? Read here the official Microsoft Blog.

Follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Security updates – measuring effect (Autorun Abuse)

Obviously I am a strong advocate of keeping computers up to date and especially of installing security updates. However, it is normally pretty hard to measure the effect of such activities. Now that we have an example where we can see the effect of a security update very directly, I would like to share it with you.

Maybe you are aware of the autorun feature of Windows XP and Vista. It is very convenient, but unfortunately also widely exploited: a removable drive carrying an autorun.inf could make Windows offer to run a program as soon as the drive was plugged in. On 8 February, Microsoft started the release of updates for Win XP and Vista that prevent AutoPlay from being enabled automatically except in combination with CDs and DVDs, effectively locking this feature down further. With this we can now look at infection rates before and after the update and measure the effect. You can read the whole thread in our threat research and response blog.
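The update described above changed Windows’ default behaviour. Administrators can also express the same “optical media only” posture explicitly through the long-standing NoDriveTypeAutoRun policy (a DWORD bitmask under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, where a set bit disables autorun for that drive type). The following checker is an added example, not code from the original post or from Microsoft; the bit assignments follow the Win32 drive-type constants the policy uses, and the registry read only runs on Windows, so the decoding logic can be tested anywhere with constructed values.

```python
import sys
from typing import List, Optional

# NoDriveTypeAutoRun bit flags: a SET bit DISABLES autorun for that drive type.
# The bits mirror the Win32 GetDriveType() constants (DRIVE_UNKNOWN = 1, ... DRIVE_RAMDISK = 6),
# each mapped to 1 << constant, plus the top bit, which Windows treats as "unspecified".
DRIVE_TYPES = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (hard disks)",
    0x10: "network",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "unspecified",
}

ALL_DRIVES = 0xFF                      # autorun disabled everywhere
OPTICAL_ONLY = ALL_DRIVES & ~0x20      # 0xDF: disabled everywhere except CD/DVD

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def autorun_enabled_types(value: int) -> List[str]:
    """Return the drive types for which this policy value still permits autorun."""
    return [name for bit, name in DRIVE_TYPES.items() if not value & bit]


def meets_optical_only(value: int) -> bool:
    """True if the policy is at least as strict as 'autorun only from CD/DVD'."""
    return (value & OPTICAL_ONLY) == OPTICAL_ONLY


def read_policy_value(default: Optional[int] = None) -> Optional[int]:
    """Read the effective policy from the registry on Windows; return `default` elsewhere.

    The machine-wide (HKLM) policy takes precedence over the per-user (HKCU) one.
    """
    if sys.platform != "win32":
        return default
    import winreg  # only importable on Windows

    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                raw, _kind = winreg.QueryValueEx(key, POLICY_VALUE)
                return int(raw)
        except OSError:
            continue  # key or value absent in this hive
    return default


def report(value: Optional[int]) -> str:
    """Human-readable assessment of a policy value (None = policy not set)."""
    if value is None:
        return "NoDriveTypeAutoRun not set: Windows defaults apply"
    verdict = "OK" if meets_optical_only(value) else "WEAK"
    enabled = ", ".join(autorun_enabled_types(value)) or "none"
    return f"{verdict}: 0x{value:02X} still allows autorun on: {enabled}"


if __name__ == "__main__":
    print(report(read_policy_value()))
```

Running the script on a Windows machine prints whether the configured policy is at least as strict as the behaviour the February update introduced; on other platforms it reports that no policy was read.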

In a nutshell – the effect was pretty substantial. The infection rates for Win XP and Vista went down significantly. XP’s infections on scanned computers were reduced by 59% and Vista’s by 74%, while Win 7 stayed basically the same, as it already had this restriction in place. An additional interesting point is that the infection rate didn’t change significantly on Win XP SP2, as it is out of support and therefore didn’t get the update.

Chart showing effect of autorun update. Source: Microsoft

Another interesting aspect was that the overall infection rates also changed significantly. By May of 2011 the number of infections found by the Microsoft Malicious Software Removal Tool was reduced by 68%. This means that making even just one section of a computer “population” more secure can have a significant residual effect on the rest of the computers.

My conclusion? This is a good example of the effectiveness of security updates. So my recommendation is to let the update feature install them automatically as soon as they become available, and to make sure that your operating system is still receiving updates and is not out of support. If you still run XP SP2, please make sure to update to XP SP3 as quickly as possible.

About the Author

Reto is partner at PwC Switzerland. He is leading the Cybersecurity practice and is member of PwC Digital Services leadership Team. He has over 15 years work experience in an information security and risk focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe and also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.
