Archive for the ‘Security and Compliance’ category

“Meltdown” and “Spectre and azure.”

February 10th, 2018

Last month as reported on this blog, Intel revealed two critical vulnerabilities they found in Intel chips. These vulnerabilities allow cyber-attackers to steal data from the memory of running apps. This data can include passwords, emails, photos, or documents. Intel dubbed these as: “Meltdown” and “Spectre.”

Microsoft released a patch for Azure the very next day. Just as well because Microsoft Azure is a shared-computing environment by default. One server hosts applications and development of applications, and various Virtual Machines tap into the server to allow employees to and others to access these applications. As such, the Meltdown vulnerability allows an attacker to compromise the host and read all the data from every operating system tapping into it. Around 3-10 million physical servers host Azure, and these servers in turn host tens of millions of Virtual Machines. So impressively Microsoft developed deployed a patch for these vulnerabilities in less than a week’s time. Azure is a cloud-based application and so Microsoft could focus their security team to work on the cloud servers and only the cloud servers. This way, these millions of servers and users had a patch and all applications hosted on the Azure cloud-platform were immediately protected.

A good business case example for business to move to Azure cloud services.

Malware developers are still out there. German antivirus testing firm AV-Test reported 139 samples of malware trying to attack the Meltdown vulnerability in January to exploit those who have not patched.

Microsoft patched their cloud servers, but non-Azure users (as well as all Windows users, period) still need to apply their operating system patches to ensure complete protection. This is one vulnerability you definitely don’t want cyber-attackers to exploit, whether it’s your personal computer or your business’s server.

Cyber attacks doubled in 2017 – expect 2018 to be worse.

January 27th, 2018

Cyber attacks on businesses nearly doubled in the past year. A new report, the Cyber Incident & Breach Trends Report, released by the Online Trust Alliance (OTA) found 156,700 cyber incidents last year, compared to 82,000 in 2016. The OTA is a Internet Society initiative designed to improve online trust.

The organization believes that since a majority of cybersecurity attacks are never reported, the number of cyber incidents last year could actually be closer to 350,000. “Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “This year’s big increase in cyberattacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack.”

The OTA claimed that most of the incidents could have been prevented easily – 93 percent of breaches could have been avoided by regularly updating software, blocking fake emails, and training people to recognize phishing attacks.

52 % of security incidents were the result of an actual attack.
15 % resulted from a lack of security software,
11 % were caused by credit card skimming,
11% resulted from companies not having controls to prevent employees’ negligent or malicious actions,
8 % were the result of phishing scams.

Electron is a node.js, V8, and Chromium framework created for the development of cross-platform desktop apps with JavaScript, HTML, and CSS, The Electron framework is popular and widely used by a range of desktop app services. Skype, Signal, Slack, Shopify, and Surf are among the users, A critical vulnerability affecting Electron desktop apps has recently been disclosed.

Regular patching has always been a best practice and neglecting it is a known cause of many breaches.

In 2017 the Equifax breach brought home that message

In 2018 a patching strategy needs to be integral to your processes because of the Spectre and Meltdown vulnerabilities reported (see our earlier posts) when it was highlighted that nearly every computer chip manufactured in the last 20 years was found to contain fundamental security flaws.

Meltdown and Spectre – why do these matter?

January 6th, 2018

One of the most basic premises of computer security is isolation: When you run somebody else’s code as an untrusted process on your machine, then you restrict it to its own tightly sealed test environment. Otherwise, it might peer into other processes, or snoop around the computer as a whole. A security flaw in computers’ most deep-seated hardware puts a crack in those walls, as one newly discovered vulnerability in millions of processors has done, it breaks some of the most fundamental protections computers promise—and sends practically the entire industry scrambling.

A bug in Intel chips allows low-privilege processes to access memory in the computer’s kernel, the machine’s most privileged inner sanctum. Theoretical attacks that exploit that bug, based on quirks in features Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone. On multi-

Meltdown affects Intel processors, and works by breaking through the barrier that prevents applications from accessing arbitrary locations in kernel memory. Segregating and protecting memory spaces prevents applications from accidentally interfering with one another’s data, or malicious software from being able to see and modify it at will. Meltdown makes this fundamental process fundamentally unreliable.

Spectre affects Intel, AMD, and ARM processors, broadening its reach to include mobile phones, embedded devices, and pretty much anything with a chip in it. Which, of course, is everything from thermostats to baby monitors now.

It works differently from Meltdown; Spectre essentially tricks applications into accidentally disclosing information that would normally be inaccessible, safe inside their protected memory area. This is a trickier one to pull off, but because it’s based on an established practice in multiple chip architectures, it’s going to be even trickier to fix.
user machines, like the servers run by Google Cloud Services or Amazon Web Services, they could allow hackers to break out of one user’s process, and instead snoop on other processes running on the same shared server.

It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.

In modern architectures, there are inviolable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit in the architecture, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications.

Because Meltdown and Spectre are flaws at the architecture level, it doesn’t matter whether a computer or device is running Windows, OS X, Android, or something else — all software platforms are equally vulnerable. A huge variety of devices, from laptops to smartphones to servers, are therefore theoretically affected. The assumption going forward should be that any untested device should be considered vulnerable.

Not only that, but Meltdown in particular could conceivably be applied to and across cloud platforms, where huge numbers of networked computers routinely share and transfer data among thousands or millions of users and instances.

The one crumb of comfort is that the attack is easiest to perform by code being run by the machine itself — it’s not easy to pull this off remotely. So there’s that, at least.

On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw, which they call Meltdown and Spectre.

“These hardware bugs allow programs to steal data which [is] currently processed on the computer,” reads a description of the attacks on a website the researchers created. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.”

Both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine. And while the researchers say that Meltdown is limited to Intel chips, they say that they’ve verified Spectre attacks on AMD and ARM processors, as well. With these glitches, if there’s any way an attacker can execute code on a machine, then it can’t be contained.

Meltdown and Spectre

When processors perform speculative execution, they don’t fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer’s kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel’s memory with speculative execution.

he processor basically runs too far ahead, executing instructions that it should not execute. .

Retrieving any data from that privileged peeking isn’t simple, since once the processor stops its speculative execution and jumps back to the fork in its instructions, it throws out the results. But before it does, it stores those in its cache, a collection of temporary memory allotted to the processor to give it quick access to recent data. By carefully crafting requests to the processor and seeing how fast it responds, a hacker’s code could figure out whether the requested data is in the cache or not. And with a series of speculative execution and cache probes, he or she can start to assemble parts of the computer’s high privilege memory, including even sensitive personal information or passwords.

Many security researchers who spotted signs of developers working to fix that bug had speculated that the Intel flaw merely allowed hackers to defeat a security protection known as Kernel Address Space Layout Randomization, which makes it far more difficult for hackers to find the location of the kernel in memory before they use other tricks to attack it, but the bug is more serious: It allows malicious code to not only locate the kernel in memory, but steal that memory’s contents, too.

Tough Fix

In a statement responding to the Meltdown and Spectre research, Intel noted that “these exploits do not have the potential to corrupt, modify, or delete data,” though they do have the ability to spy on privileged data. The statement also argued that “many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits,” mentioning ARM and AMD processors as well.

Microsoft, which relies heavily on Intel processors in its computers, says that it has updates forthcoming to address the problem. “We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers,” the company said in a statement. “We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”

Linux developers have already released a fix, apparently based on a paper recommending deep changes to operating systems known as KAISER, released earlier this year by researchers at the Graz University of Technology.

Apple released a statement Thursday confirming that “all Mac systems and iOS devices are affected,” though the Apple Watch is not. “Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown,” the company said. “In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”

Amazon, which offers cloud services on shared server setups, says that it will take steps to resolve the issue soon as well. “This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices,” the company said in a statement. “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours.”

Google, which offers similar cloud services, pointed WIRED to a chart of Meltdown and Spectre’s effects on its services, which states that the security issue has been resolved in all of the company’s infrastructure.

Those operating system patches that fix the Intel flaw may come at a performance cost: Better isolating the kernel memory from unprivileged memory could create a significant slowdowns for certain processes.

According to an analysis by the Register, which was also the first to report on the Intel flaw, those delays could be as much as 30 percent in some cases, although some processes and newer processors are likely to experience less significant slowdowns. Intel, for its part, wrote in its statement that “performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Until the patches for Meltdown and Spectre roll out more widely, it’s not clear just what the speed cost of neutering those attacks may turn out to be. But even if the updates result in a performance hit, it is a worthwhile safeguard: Better to put the brakes on your processor, perhaps, than allow it to spill your computer’s most sensitive secrets.

Spectre, is not likely to be fully fixed any time soon. The fact is that the practice that leads to this attack being possible is so hard-wired into processors that the researchers couldn’t find any way to totally avoid it. They list a few suggestions, but conclude:

While the stop-gap countermeasures may help limit practical exploits in the short term, there is currently no way to know whether a particular code construction is, or is not, safe across today’s processors – much less future designs.

Critical Server Patches for Meltdown and Spectre – processor bugs

January 5th, 2018

There is a set of critical bugs in our processors. There are two issues, known as Meltdown and Spectre.

If you haven’t been paying attention, a serious security flaw in nearly every processor made in the last ten years was recently discovered. Initially it was thought to be just Intel, but it appears it’s everyone. The severe design flaw in microprocessors allows sensitive data, such as passwords and crypto-keys, to be stolen from memory is real – and its details have been revealed.
On a shared system, such as a public cloud server, it is possible, depending on the configuration, for software in a guest virtual machine to drill down into the host machine’s physical memory and steal data from other customers’ virtual machines.

This is so serious CERT recommends throwing away your CPU and buying a non-vulnerable one to truly fix the issue.

There are two bugs which are known as Meltdown and Spectre. The Register has a great summarized writeup here – no need for me to regurgitate. This is a hardware issue – nothing short of new chips will eradicate it. That said, pretty much everyone who has written an OS, hypervisor, or software has (or will have) patches to hopefully eliminate this flaw. This blog post covers physical, virtualized, and cloud-based deployments of Windows, Linux, and SQL Server.

The fact every vendor is dealing with this swiftly is a good thing. The problem? Performance will most likely be impacted. No one knows the extent, especially with SQL Server workloads. You’re going to have to test and reset any expectations/performance SLAs. You’ll need new baselines and benchmarks. There is some irony here that it seems virtualized workloads will most likely take the biggest hit versus ones on physical deployments. Time will tell – no one knows yet.

What do you need to do? Don’t dawdle or bury your head in the sand thinking you don’t need to do anything and you are safe. If you have deployed anything in the past 10 – 15 years, it probably needs to be patched. Period. PATCH ALL THE THINGS! However, keep in mind that besides this massive scope, there’s pretty much a guarantee – even on Linux – you will have downtime associated with patching.
Information that you might want to review and decide how to patch your systems.

SQL Server Versions Affected

This is a hardware issue, so every system is affected SQL Server running on x86 and x64 .for these versions:

SQL Server 2008
SQL Server 2008R2
SQL Server 2012
SQL Server 2014
SQL Server 2016
SQL Server 2017
Azure SQL Database

It is likely that SQL Server 2005, SQL Server 2000, SQL Server 7, SQL Server 6.5 are all affected. No SQL Server patches are coming.

Note: according to Microsoft, IA64 systems are not believed to be affected.

SQL Server Patches

There is a KB that discusses the attacks. Here are the patches as of this time:

SQL Server 2017 CU3
SQL Server 2017 GDR
SQL Server 2016 SP1 CU7
SQL Server 2016 SP1 GDR
OS Patches

The Window KB for guidance is 4072698. Here are the OS patches that I’ve been able to find.

Windows Server (Server Core) v 1709 – KB4056892
Windows Server 2016 – KB4056890
Windwos Server 2012 R2 – KB4056898
Windows Server 2012 – N/A
Windows Server 2008 R2 – KB4056897
Windows Server 2008 – N/A
Red Hat v.7.3 – Kernel Side-Channel Attacks CVE-2017-5754, 5753, 5715
SUSE Linux – 7022512
Ubuntu – N/A

VMWare has a security advisory (VMSA-2018-0002) and patches. They have released:

ESXi 6.5
ESXi 6.0
ESXi 5.5 (partial patch)
Workstation 12.x – Upgrade to 12.5.8
Fusion 8.x – Updated to 8.5.9

When to PATCH – Immediately

If you have SQL Server 2017 or SQL Server 2016 running, then patches are available.

SQL Server (Windows) VM in your data center – Patch host OS or isolate SQL Server back on physical hardware. Check Windows OS for microcode changes.

SQL Server (Windows) on bare metal or VM, not isolated from application code on the same machine, or using untrusted code – Apply OS patches, SQL Server patches, enable microcode changes.

SQL Server Linux – Apply Linux OS patches, Linux SQL Server patches, check with Linux vendor

Note that when untrusted SQL Server extensibility mechanisms are mentioned, they mean:

R and Python packages running through sp_external_script, or standalone R/ML Learning Studio on a machine
SQL Agent running ActiveX scripts
Non-MS OLEDB providers in linked servers
Non-MS XPs

There are mitigations in the SQL Server KB.

When You Can Patch Later

If you have SQL Server 2008, 2008 R2, 2012, 2014 you’ll have to wait on SQL Server patches. They aren’t out yet. However, there are other situations that remove an immediate need for patching.

When You Don’t Need to Patch
If you are on AWS, they’ve patched their systems, except for EC2 VMS. Those need patches from you. AWS Statement

Azure is patched according to KB4073235. Guidance in ADV180002 says .This does not include VMs that don’t get automatic updates. You need to patch those manually.

Apple – If you’re running High Sierra, Sierra, or El Capitan, it looks like Apple took care of this back in December of 2017.


Chrome – It looks like Google is going to release a patch for Chrome later in January. See this link for more information.
Firefox – Version 57 or later has the proper fixes. See this blog for more information, so patch away!
Edge and Internet Explorer – Microsoft has a blog post . It looks like the January security update (KB4056890) takes care of that. So if you’re using either of these browsers, please update your OSes as soon as possible.

Details On the Exploits

Descriptions of the exploit, if you want to dig down and understand.

The Register
Ars Technia researcher blog

U.A.E. VAT registration time is running out……..

December 17th, 2017

Companies in the UAE that have not got their tax registration number (TRN) yet will have to procure it within the next 14 days.

Companies who have not completed their VAT registration within the dates prescribed by the Federal Tax Authority (FTA) will have to pay a fine worth Dh20,000 and also stop sales until they get the TRN or tax registration certificate (TRC).

Data security – how secure should we be?

December 9th, 2017

The back story to this is that a British politician (Damian Green) is presently in hot water for allegedly accessing porn on his gov PC. U.K> politician recently tweeted :

Nadine Dorries
✔ @NadineDorries

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

10:03 PM – Dec 2, 2017 “

So Nadine is implying it could have been someone else on his PC using his identity.

So should politicians share passwords? What are the problems with doing so? So what about your own staff?
Well it seems the practice is widespread -read here for example:

It’s an interesting read, and certainly points out that the expediency for users to share a workload but it has plenty of downsides in accountability and auditing of actions.

I see little excuse for sharing security credentials in UK government – there are other solutions to handle this issue.

I am more sympathetic in real time environments, like hospitals, where the login process might literally cause a death in the event of a delay.

Authentication aside we often share data among individuals inside of an organization. Outside of sysadmins, not be many people really understand or consider who should have access, let alone who does have access, to some data.

Over time organizations tend to lean towards allowing an ever-growing number of people having access to data in file shares. Knowledge gives power to take decisions- functional silos are out ….but segmentation of duty, compliance, are the other side of the argument. In these days of self serve internet access and social connectedness people expect access to information.

While we might prevent database access and grant/revoke this at times, the output from our systems also often ends up in Excel sheets or other files, fg hard copy print out, and people that do not have direct access still see the data.

People may leave data lying around on desks or tacked to a wall or on printer, or just on screen in an open plan office to be viewed by passers by. Many do not log off or shutdown their pcs at night. Why? They have never been trained or told to do so, and there is no management oversight to enforce it.
The trend to BYOD means data leaves your premises and then you have no control over it. Removable usb devices, 0r just uploads to one drive or emails to a hotmail account are all possible holes in your security defences.

Credentials on a post-it stuck only your monitor? Server rooms that are not locked?

It’s not just your co-workers, but also janitorial staff, tradespeople, and others likely wander regularly through your office spaces.

Security is a tough battle, and most of the time we don’t need much more than good passwords. Most people don’t have the time or inclination to deal with their own data, much less yours. However, when an attack is targeted on your organization, from outside or within, it’s extremely difficult to ensure your data won’t get lost or corrupted.

There is no magic bullet. There are good reasons to limit access to data on our systems, not the least of which is auditing and accountability. Beyond that, inculcate users to exercise judgment about with whom they may share or to whom they expose reports and other data.

Data breaches and what it means for a Middle East Board of Directors

December 6th, 2017

The new wave of cyber-attacks does appear to be unstoppable. With the increase in data breaches across the world, the UAE holds the world’s highest increase in breaches. Data breaches in the region have risen by 20% from $4.12m in 2016 to $4.94m in 2017, according to a report by Ponemon Institute.

The Middle East also has the highest spend on data breach response, roughly costing $1.43m per organisation.
Early this year, approximately 15 government agencies and private institutions in the Kingdom of Saudi Arabia were attacked by the Shamoon virus. This was followed by a tidal wave of Wannacry and Petya ransomware attacks.

An IDC research states that organisations are expected to spend $101.6 billion by 2020 on security-related hardware, software, and services. Additionally, Gartner states that by 2018, 10% of all enterprise organisations will have adopted deception technologies into their security solutions. A board of directors must engage in a continuing balancing act between the cost of information security and potential risks.

Although information security is essential to corporate compliance with existing laws and regulations, directors are often required to focus less on ensuring “best security” in favour of “good enough” security. The lack of a clear definition of “best security” is largely responsible for this thinking.

What was previously viewed as good enough, will not keep up with the advanced or insider threats of today.

• Important messages that CISOs should communicate to their boards about the importance of focusing on information security:

Information security is now required, and disclosure is no longer solely at a company’s discretion. Between existing laws, insurance mandates, industry regulations, and shareholder demands, robust information security is now a corporate requirement.

• Information security is a significant corporate risk. It is nearly impossible to conduct any facet of a business today without a computer. As a result, the information that resides in an enterprise’s networks is the lifeblood of the business and if not protected, could result in financial damages and negative impact on the company’s brand. This makes information security a critical business issue. Any security strategy that does not include an adaptive security plan with in-network detection to detect attacks that have bypassed prevention solutions will result in a network breach sooner or later, if it hasn’t occurred already.

Some obvious things to consider:
- Policies, procedures, and awareness – Protection via data classification, password strengths, code reviews and usage policies
- Perimeter – Protection via firewalls, denial of service prevention, and message parsing and validation
- Internal network – Protection via transport layer security, such as encryption, and user identification and authentication
- Host/OS – Protection through OS patches and desktop malware
- Application – Protection through protocols such as single sign on (SSO) and identity propagation
- Data – Protection through database security (online storage and back up), content security, information rights management, message level security.

Do your systems still cater for the digital world of a mobile workforce with smart phones, BYOD social media, low cost, high capacity flash drives, and any time, anywhere connections?.

Data breach

December 5th, 2017

We have been asked to assist several companies targeted by ransomware ad phishing attacks in the last year.

The moments after you have experienced a breach are of the utmost importance and can significantly impact your organization and the effectiveness of an investigation.

How prepared is your information technology (IT) department or administrator to handle security incidents?
According to the Computer Security Institute, over 20% of organizations have reported
experiencing a computer intrusion, and common sense says that many more intrusions have
gone unreported. No matter how much detail you know about the network environment, the risk of being attacked remains.

Any sensible security strategy must include details on how to respond to different types of attacks. Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.

There are clearly direct benefits in responding to security incidents. However, there might also be indirect financial benefits. For example, your insurance company might offer discounts if you can demonstrate that your organization is able to quickly and cost-effectively handle attacks. Or, if you are a service provider, a formal incident response plan might help win business, because it shows that you take seriously the process of good information security.

If you suspect a computer systems intrusion or breach, then Immediately Contain and Limit the Exposure – Stop the breach from spreading.
• Do NOT access or alter compromised systems (e.g., do not log on or change passwords).
• Do NOT turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable). If for some reason it is necessary to power off the machine, unplug the power source.
• Do NOT shutdown the system or push the power button (because it can sometimes create a “soft” shutdown), which modifies system files.
• Preserve logs and electronic evidence. A forensic hard drive image will preserve the state on any suspect machines. Any other network devices (such as firewalls, IDS/IPSes, routers, etc.) that have logs in the active memory should be preserved. Keep all past backup tapes, and use new backup tapes for subsequent backups on other systems.
• Log all the actions you have taken, including composing a timeline of any knowledge related to the incident.
• If using a wireless network, change SSID on the wireless access point (WAP) and other machines that may be using this connection (with the exception of any systems believed to be compromised).
• Be on high alert and monitor all systems.

Alert All Necessary Parties Within 24 Hours
All external disclosures should be coordinated with your Legal Representative. Potential agencies include local and national law enforcement, external security agencies, and virus experts. External agencies can provide technical assistance, offer faster resolution and provide information learned from similar incidents to help you fully recover from the incident and prevent it from occurring in the future.

For particular industries and types of breaches, you might have to notify customers and the general public, particularly if customers might be affected directly by the incident.

If the event caused substantial financial impact, you might want to report the incident to law enforcement agencies.

For higher profile companies and incidents, the media might be involved. Media attention to a security incident is rarely desirable, but it is often unavoidable. Media attention can enable your organization to take a proactive stance in communicating the incident. At a minimum, the incident response procedures should clearly define the individuals authorized to speak to media representatives.

Normally the public relations department within your organization will speak to the media. You should not attempt to deny to the media that an incident has occurred, because doing so is likely to damage your reputation more than proactive admission and visible responses ever will. This does not mean that you need to notify the media for each and every incident regardless of its nature or severity. You should assess the appropriate media response on a case-by-case basis.

Be sure to notify:
• Your internal information security group and incident response team, if applicable.
• The card associations and your merchant bank if the breach is part of a cardholder data segment.
• Your legal advisor

Maybe your auditors.
Maybe your insurers.
Maybe the authorities/police.

Synergy Software Systems support desk.

Consider what message you need to give to staff, and to your trading partners.
Update your policies and procedures, and tools.

Thank those who helped you – you may need them again.

Security, security

November 5th, 2017

The IRS fends off 4 million hacking attempts a day, Commissioner John Koskinen said last Tuesday

System accounts – security

October 29th, 2017

An Office 365-focused Botnet puts the spotlight on the security of System Accounts which are commonly overlooked

A botnet it dubbed “KnockKnock” aActive since at least May, and especially active from June through August, is relatively small botnet whose attack highly targeted for both: the types of accounts it attacks and the types of organizations. GThis is interesting is because it is trying to get into system accounts, that are commonly used to connect the Exchange Online e-mail system with marketing and sales automation software. In cases where the system accounts are compromised, KnockKnock exports data from the inbox, creates a new inbox rule and starts a phishing attack from the account against the rest of the organization.

The attacks analysed averaged only five e-mail addresses per customer. Additionally, the organizational targeting was extremely specific — aimed at infrastructure and Internet of Things (IoT) departments within the manufacturing, financial services, health care and consumer products industries, as well as U.S. public sector agencies.

Non-human system accounts are less likely to be protected by multi-factor authentication or security policies, such as recurring password reset requirements. Once such accounts are provisioned, they’re easy to overlook and can prove to be the weakest link in Office 365 and in general the security infrastructure.

Bad Rabbit – a virulent wave of data-encrypting malware is sweeping through Eastern Europe

October 28th, 2017

A new, potentially virulent wave of data-encrypting malware is sweeping through Eastern Europe and has left a wake of outages at news agencies, train stations, and airports, according to multiple security companies

A new ransomware outbreak similar to WCry is shutting down computers worldwide, Ransom:Win32/Tibbar.A or Bad Rabbit, as the outbreak is dubbed, is primarily attacking targets in Russia, but it’s also infecting computers in Ukraine, Turkey and Germany, researchers from Moscow-based Kaspersky Lab said. In a blog post, the antivirus provider reported that the malware is using hacked Russian media websites to display fake Adobe Flash installers, which when clicked infect the computer visiting the hacked site. Researchers elsewhere said the malware may use other means to infect targets.

Bad Rabbit appears to specifically target corporate networks by using methods similar to those used in a June data-wiping attack dubbed “NotPetya” that shut down computers around the world.
Bad Rabbit infects Windows computers and relies solely on targets manually clicking on the installer, Kaspersky Lab said. So far, there’s no evidence the attack uses any exploits.

The Ukrainian computer emergency agency CERT-UA posted an advisory on Tuesday morning reporting a series of cyberattacks.

Kevin Beaumont said on Twitter that Bad Rabbit uses a legitimate, digitally signed program called DiskCryptor to lock targets’ hard drives. Kaspersky Labs’ blog post said the executable file dispci.exe appears to be derived from DiskCryptor and is being used by Bad Rabbit as the disk encryption module.

Bad Rabbit relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers’ hard drives known as the master boot record. A malicious file called infpub.dat appears to be able to use the credentials to allow the Bad Rabbit to spread to other Windows computers on the same local network, The malware also uses the Mimikatz network administrative tool to harvest credentials from the affected systems.

Once Bad Rabbit infects a computer, it displays a message in orange letters on a black background. It directs users to a Dark Web site that demands about $283 in Bitcoin to decrypt data stored on the encrypted hard drive. The dark Web site also displays a ticking clock that gives victims 40 hours to pay before the price increases. It’s not yet known what happens when targets pay the ransom in an attempt to restore their data. The NotPetya malware was written in a way that made recovery just about impossible, a trait that has stoked theories that the true objectives of the attackers was to wipe data in an act of sabotage, as opposed to generate revenue from ransomware. It also remains unclear who is behind the attack.

The outbreak is the latest reminder that you should back up all their data on drives that are secured with a password or other measure to protect them from ransomware.

Windows Defender Antivirus detects and removes this threat with protection update and higher.

This threat appears as a fake Adobe Flash Player update.

Microsoft advice:
Microsoft doesn’t recommend you pay the ransom. There is no guarantee that paying the ransom will give you access to your files. If you’ve already paid, then see our for help on what to do.

Review logs and shutdown or run Windows Defender Offline.

This ransomware attempts to reboot your PC so it can encrypt your files. You might be able to stop your PC from rebooting and instead shut it down or run a Windows Defender Offline scan:
Check event logs for the following IDs: 1102 and 106
• Event 1102 indicates that the audit log has been cleared, so previous activities can’t be seen.
• Event 106 indicates that scheduled tasks “drogon” and “Rhaegel” have been registered (these are ransomware wipers)
• If events 1102 and 106 are present, then issue a shutdown with the parameter -a to prevent a reboot

You can also immediately inititate a Windows Defender Offline scan by using PowerShell or the Windows Defender Security Center app.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:
• Windows Defender Antivirus for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
• Microsoft Safety Scanner – Run a full scan to look for anyhidden malware.

Advanced troubleshooting – To restore your PC, download and run Windows Defender Offline.

Ask us about how to use cloud protection to guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection settings is turned On.

Indicators of compromise
Presence of the following files in %SystemRoot%:
• infpub.dat
• cscc.dat
• dispci.exe
• You can’t access your files or your PC
• A ransom message in red on a black background

Security security security

September 26th, 2017

You never know when some item that queries or alters data in SQL Server will cause issues.

Bruce Schneier recently commented on FaceID and Bluetooth security, the latter of which has a vulnerability issue. I was amazed to see his piece on infrared camera hacking. A POC on using light to jump air gaps is truly frightening. It seems that truly anywhere that we are processing data, we need to be thinking (see

Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are “air gapped,” meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure. With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities

Finally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack.

Fully patched Windows and iOS systems are protected

– the Equifax breach for example must worry everyone who has ever had credit in the USA. (Hackers broke into Equifax’s computer systems in March, which is two months earlier than the company had previously disclosed, according to a Wall Street Journal report.)

The Securities and Exchange Commission said Wednesday that a cyber breach of a filing system it uses may have provided the basis for some illegal trading in 2016. In a statement posted on the SEC’s website, Chairman Jay Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected “incident” was caused by “a software vulnerability” in its EDGAR filing system (which processes over 1.7 million electronic filings in any given year.) The agency also discovered instances in which its personnel used private, unsecured email accounts to transmit confidential information.

So let me suggest take a good look at your systems and be honest – do you feel safe?

Microsoft has released Microsoft 365, a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely. Watch Satya introduce it.

What about your websites?
Although acts of vandalism such as defacing corporate websites are still commonplace, hackers prefer to gain access to the sensitive data residing on the database server and then to sell the data.

The costs of not giving due attention to your web security are extensive and apart form direct financial burden and inconvenience also risks:
• Loss of customer confidence, trust and reputation with the consequent harm to brand equity
• Negative impact on revenues and profits arising e.g. from falsified transactions, or from
employee downtime
• Website downtime – is in effect the closure of one of the most important sales and marketing channels
especially for an e-business
• Legal battles and related implications from Web application attacks and poor security
measures including fines and damages to be paid to victims.

Web Security Weaknesses
Hackers will attempt to gain access to your database server through any way they can e.g. out of date protocols on a router. Two main targets are :
• Web and database servers.
• Web applications.

Information about such exploits are readily available on the Internet, and many have been reported on this blog previously.

Web Security Scanning
So no surprise that Web security should contain two important components: web and database server security, and web application security.

Addressing web application security is as critical as addressing server security.

Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web
Since your website needs to be public, security mechanisms allow public web traffic to
communicate with your web and databases servers (i.e. over port 80).

It is of paramount importance to scan the security of these web assets on the network for possible vulnerabilities. For example, modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) may be
accessed through specific ports and so anyone can attempt direct connections to the databases to try and bypass the security mechanisms used by the operating system. These ports remain open to allow communication with legitimate traffic and therefore constitute a major vulnerability.

Other weaknesses relate to the database application itself and the use of weak or default passwords by
administrators. Vendors patch their products regularly, and equally regularly find new ways of

75% of cyber attacks target weaknesses within web applications rather than directly at the
servers. Hackers launch web application attacks on port 80 . Web applications are more open to uncovered vulnerabilities since these are generally custom-built and therefore pass through a lesser degree of
testing than off-the-shelf software.

Some hackers, for example, maliciously inject code within vulnerable web applications to trick users
and redirect them towards phishing sites. This technique is called Cross-Site Scripting (XSS) and may
be used even though the web and database servers contain no vulnerability themselves.

Hence, any web security audit must answer the questions “which elements of our network
infrastructure are open to hack attacks?”,
“which parts of a website are open to hack attacks?”, and “what data can we throw at an application to cause it to perform something it shouldn’t do?”

Ask us about Acunetix and Web Security
Acunetix ensures web site security by automatically checking for SQL Injection, Cross Site Scripting,
and other vulnerabilities. It checks password strength on authentication pages and automatically
audits shopping carts, forms, dynamic content and other web applications. As the scan is being
completed, the software produces detailed reports that pinpoint where vulnerabilities exist

CCleanup: hacked if you use this software then read on

September 20th, 2017

Hackerssuccessfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.

CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack, and Avast Piriform believes it was able to prevent the breach harming customers. “Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson.

The Talos site update as of this week:
Update 9/18: CCleaner Cloud version 1.07.3191 is also reported to be affected
Update 9/19: This issue was discovered and reported by both Morphisec and Cisco in separate in-field cases and reported separately to Avast.
Update 9/19: There has been some confusion on how the DGA domains resolve.

Piriform, the developer of CCleaner now owned by security firm Avast, says that its download servers were compromised at some point between 15 August, when it released version v5.33.6162 of the software, and 12 September, when it updated the servers with a new version. In that period, a trojan was loaded into the download package which sent “non-sensitive data” from infected users’ computers back to a server located in the US. The data, according to Piriform, included “computer name, IP address, list of installed software, list of active software, list of network adapters”.

As well as the data leak, however, the infection also resulted in a “second stage payload” being installed on to the affected computer – another piece of malware, which Piriform says was never executed.
“At this stage, we don’t want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” the company’s vice president, Paul Yung, said.

The company says 2.27m users were infected, but added that “we believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm”. By taking down the “command and control” server, Piriform may have prevented the infection being used to inflict further damage.

GDPR Affects All European Businesses – What about the G.C.C. and U.A.E.?

August 19th, 2017

See our previous article on this topic for why your company may be affected if you are a branch of a European company, or have branches in Europe, or trade with a European company.

From May 25, 2018, companies with business operations inside the European Union must follow the General Data Protection Regulations (GDPR) to safeguard how they process personal data “wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

The penalties set for breaches of GDPR are up to 4% of a company’s annual global turnover.
For large companies like Microsoft that have operations within the EU, making sure that IT systems do not contravene GDPR is critical. As we saw on August 3, even the largest software operations like Office 365 can have a data breach.

Many applications can store data that might come under the scope of GDPR. the regulation has a considerable influence over how tenants deal with personal data. The definition of personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
GDPR goes on to define processing of personal data to be “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

That means that individuals have the right to ask companies to tell them what of their personal data a company holds, and to correct errors in their personal data, or to erase that data completely.

Companies therefore need to:
- review and know what personal data they hold,
- make sure that they obtain consents from people to store that data,
– protect the data,
- and notify authorities when data breaches occur.

On first reading, this might sound like what companies do – or at least try to do – today. The difference lies in the strength of the regulation and the weight of the penalties should anything go wrong.

GDPR deserves your attention.

The definitions used by GDPR are broad. To move from the theoretical to the real world an organization first needs to understand what personal data it currently holds for its business operations, and where they use the data within software applications.

It is easy to hold personal information outside of business applications like finance and erp and crm e.g. inside Office 365 applications, including:
• Annual reviews written about employees stored in a SharePoint or OneDrive for Business site.
• A list of applicants for a position in an Excel worksheet attached to an email message.
• Tables holding data (names, employee numbers, hire dates, salaries) about employees in SharePoint sites.
• Outlook contacts, and emails. Skype business,
• Social media sites
• Loyalty programmes
• T@A systems
• E commerce sites
• Mobile apps e.g. What’s App

Other examples might include contract documentation, project files that includes someone’s personal information, and so on.

What backups do you have of the customer’s data?
What business data do your staff hold on BYOD devices e.g. in What’s App?

Data Governance Helps
Fortunately, the work done inside Office 365 in the areas of data governance and compliance help tenants to satisfy the requirements of GDPR. These features include:
• Classification labels and policies to mark content that holds personal data.
• Auto-label policies to find and classify personal data as defined by GDPR. Retention processing can then remove items stamped with the GDPR label from mailboxes and sites after a defined period, perhaps after going through a manual disposition process.
• Content searches to find personal data marked as coming under the scope of GDPR.
• Alert policies to detect actions that might be violations of the GDPR such as someone downloading multiple documents over a brief period from a SharePoint site that holds confidential documentation.
• Searches of the Office 365 audit log to discover and report potential GDPR issues.
• Azure Information Protection labels to encrypt documents and spreadsheets holding personal data by applying RMS templates so that unauthorized parties cannot read the documents even if they leak outside the organization.

Technology that exists today within Office 365 that can help with GDPR.

Classification Labels
Create a classification label to mark personal data coming under the scope of GDPR and then apply that label to relevant content. When you have Office 365 E5 licenses, create an auto-label policy to stamp the label on content in Exchange, SharePoint, and OneDrive for Business found because documents and messages hold sensitive data types known to Office 365.

GDPR sensitive data types

Select from the set of sensitive data types available in Office 365.
The set is growing steadily as Microsoft adds new definitions.
At the time of writing, 82 types are available, 31 of which are obvious candidates to use in a policy because those are for sensitive data types such as country-specific identity cards or passports.

Figure 1: Selecting personal data types for an auto-label policy (image credit: Tony Redmond)

GDPR Policy

The screenshot in Figure 2 shows a set of sensitive data types selected for the policy. The policy applies a label called “GDPR personal data” to any content found in the selected locations that matches any of the 31 data types.

Auto-apply policies can cover all Exchange mailboxes and SharePoint and OneDrive for Business sites in a tenant – or a selected sub-set of these locations.

Figure 2: The full set of personal data types for a GDPR policy (image credit: Tony Redmond)

Use classification labels to mark GDPR content so that you can search for this content using the ComplianceTag keyword (for instance, ComplianceTag:”GDPR personal data”).

It may take 1-2 week before auto-label policies apply to all locations.
An auto-label policy will not overwrite a label that already exists on an item.

A problem is that classification labels only cover some of Office 365. Some examples of popular applications where you cannot yet use labels are:
• Teams.
• Planner.
• Yammer.

Microsoft plans to expand the Office 365 data governance framework to other locations (applications) over time.
Master data management
What about all the applications running on SQL or other databases?
Master Data Management MDM is a feature of SQL since SQL 2012. However, when you have many data sources then you are relay into an ETL process and even with MDM tools the work is still significant.

If you have extensive requirements then ask us about Profisee our specialist, productized MDM solution built on top of SQL MDM that allows you to do much of the work by configuration.

Right of Erasure
Finding GDPR data is only part of the problem. Article 17 of GDPR (the “right of erasure”), says: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” In other words, someone has the right to demand that an organization should erase any of their personal data that exists within the company’s records.

Content searches can find information about someone using their name, employee number, or other identifiers as search keywords, but erasing the information is something that probably also needs manual processing to ensure that the tenant removes the right data, and only that data.

You can find and remove documents and other items that hold someone’s name or other identifier belonging to them by using tools such as Exchange’s v Search-Mailbox cmdlet, or Office 365 content searches.
What if the the data ahs to be retained because the company needs to keep items for regulatory or legal purposes, can you then go ahead and remove the items?
The purpose of placing content on-hold is to ensure that no-one, including administrators, can remove that information from Exchange or SharePoint.

The GDPR requirement to erase data on request means that administrators might have to release holds placed on Exchange, SharePoint, and OneDrive for Business locations to remove the specified data. Once you release a hold, you weaken the argument that held data is immutable. The danger exists that background processes or users can then either remove or edit previously-held data and so undermine a company’s data governance strategy.

The strict reading of GDPR is that organizations must process requests to erase personal data upon request.
What if the company needs to keep some of the data to satisfy regulations governing financial transactions, taxation, employment claims, or other interactions? This is a dilemma for IT. Lawyers will undoubtedly have to interpret requests and understand the consequences before making decisions and it is likely that judges will have to decide some test cases in different jurisdictions before full clarity exists.

Hybrid is even More Difficult

Microsoft is working to help Office 365 tenants with GDPR. However, I don’t see the same effort going to help on-premises customers. Some documentation exists to deal with certain circumstances (like how to remove messages held in Recoverable Items), but it seems that on-premises customers have to figure out a lot things for themselves.

This is understandable. Each on-premises deployment differs slightly and exists inside specific IT environments. Compared to the certainty of Office 365, developing software for on-premises deployment must accommodate the vertical and company specific requirements with integrations and bespoke developments.

On-premises software is more flexible, but it is also more complicated.
Solutions to help on-premises customers deal with GDPR are more of a challenge than Microsoft or other software vendors wants to take on especially given the industry focus of moving everything to the cloud.

Solutions like auto-label policies are unavailable for on-premises servers. Those running on-premises SharePoint and Exchange systems must find their own ways to help the businesses that they serve deal with personal data in a manner that respects GDPR. Easier said than done and needs to start sooner than later.

SharePoint Online GitHub Hub

If you work with SharePoint Online, you might be interested in the SharePoint GDPR Activity Hub. At present, work is only starting, but it is a nway to share information and code with similarly-liked people.

ISV Initiatives

There many ISV-sponsored white papers on GDPR and how their technology can help companies cope with the new regulations. There is no doubt that these white papers are valuable, if only for the introduction and commentary by experts that the papers usually feature. But before you resort to an expensive investment, ask yourself whether the functionality available in Office 365 or SQL is enough.

Technology Only Part of the Solution

GDPR will effect Office 365 because it will make any organization operating in the European Union aware of new responsibilities to protect personal data. Deploy Office 365 features to support users in their work, but do not expect Office 365 to be a silver bullet for GDPR. Technology seldom solves problems on its own. The nature of regulations like GDPR is that training and preparation are as important if not more important than technology to ensure that users recognize and properly deal with personal data in their day-to-day activities.

Malicious tech support ads – Windows 10 users beware.

August 13th, 2017

1. On Tuesday, Microsoft’s Malware Protection Center announced that it had learned about new strategies to target those using Windows 10 via links that lead to fraudulent tech support sites.
2. Zdnet reports that the scam involves a series of malicious ads that redirect victims to a fake tech-support page, in which Windows 10 users are presented with a display of fake Blue Screen of Death (BSOD) or other bogus Windows security alerts
3. Once users have clicked on the link that leads to the fraudulent website, they are presented with a host of security-alert popups that aim to drive users to contact the bogus support call center.
To report a scam

To prevent these kinds of attacks, Microsoft’s Windows 10,, Edge, and Exchange Online Protection include security features to block the fake tech support sites and fraudulent emails.

According to Microsoft, Edge users can prevent dialog loops by blocking a certain page from multiplying.
A new Edge feature gives users the ability to shut down browsers or tabs when facing a suspicious-looking popup message.

According to Microsoft,each month “…at least three million users of various platforms and software encounter tech support scams”.
the scam new techniques introduce a different layer to the mix, and embed links in phish-like emails—and represent a step up from the previous methods used by scammers, potentially leading to a wider pool of victims