Category: Windows

  • New Zero-day Windows NTLM Vulnerability

    Summary

    A newly identified 0-day vulnerability impacts Windows clients from Windows 7 to Windows 11, allowing attackers to capture NTLM authentication hashes through a variant of previous Windows themes spoofing vulnerabilities. Researchers at ACROS Security discovered this flaw while developing a patch for an earlier vulnerability (CVE-2024-38030). This vulnerability lets attackers coerce vulnerable devices into sharing NTLM hashes via malicious theme files, which can be accessed through shared files or network paths.

    Dark Reading Article: https://www.darkreading.com/vulnerabilities-threats/recurring-windows-flaw-could-expose-user-credentials

    Disabling NTLM and Security Implications

    ACROS recommends disabling NTLM where possible, as it reduces exposure to these coercion attacks. However, doing so can affect systems dependent on NTLM for network connections or legacy applications. Organizations should also use firewalls to block malicious requests from reaching external servers.

    Microsoft is investigating this issue, though no patch is available yet. Meanwhile, proactive NTLM management is crucial for mitigating potential attack vectors.

    So, can you turn off NTLM? Probably…


    What is NTLM?

    NTLM (NT LAN Manager) is an older authentication protocol used to validate Windows logins and network access. Designed for early Windows networks, NTLM is still present in Windows systems, though it has been largely replaced by Kerberos in more secure environments. NTLM authenticates users in situations where modern protocols aren’t available, especially in legacy applications and systems.

    Windows Versions Using NTLM

    NTLM remains compatible with various versions of Windows, especially for backward compatibility in:

    • Windows NT and Windows 2000
    • Windows XP and Vista
    • Windows 7, 8, and 10
    • Some configurations in Windows Server environments

    While NTLM is enabled by default for compatibility, more recent Windows installations emphasize Kerberos for higher security.

    How to Disable NTLM

    To disable NTLM, administrators can configure Group Policies in Windows:

    1. Open the Group Policy Management Console (GPMC).
    2. Navigate to Security Settings > Local Policies > Security Options.
    3. Modify the “Network Security: Restrict NTLM” policies to control NTLM usage, limiting where NTLM can authenticate users.

    Disabling NTLM can enhance security, especially against credential-forwarding attacks, though it may affect applications dependent on NTLM authentication.

    Systems Dependent on NTLM

    While NTLM is increasingly phased out, some legacy applications, network protocols, and services still require it. File sharing in older Windows domains, older SQL Server connections, and some remote access solutions rely on NTLM for authentication. Before disabling NTLM, ensure that critical applications and dependencies are compatible with Kerberos or other protocols to avoid disruptions.

    In summary, while NTLM offers compatibility benefits, it can expose credentials, particularly in environments susceptible to pass-the-hash attacks. Organizations should consider limiting NTLM usage or monitoring its activity through logging, reducing exposure to potential vulnerabilities.
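    As an added example (not part of the original post), the script below shows how an administrator can check the registry values that back the “Network Security: Restrict NTLM” policies from the steps above, switch them to audit-only mode, and summarize the NTLM Operational log that the closing paragraph recommends monitoring. The function names are my own; it assumes an elevated PowerShell prompt on the Windows client being assessed.

```powershell
# Added example: inventory NTLM use before restricting it, so legacy
# dependencies surface in the audit log instead of breaking outright.
# Registry values below back the "Network Security: Restrict NTLM"
# Group Policy settings; event IDs 8001-8004 are written to the NTLM
# Operational log once auditing is on. Function names are hypothetical.

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = "$Lsa\MSV1_0"

function Get-NtlmPolicyState {
    # Report the current policy values; $null means "not configured".
    $msv = Get-ItemProperty -Path $Msv10 -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $Lsa   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LmCompatibilityLevel         = $lsa.LmCompatibilityLevel          # 5 = NTLMv2 only
        RestrictSendingNTLMTraffic   = $msv.RestrictSendingNTLMTraffic    # 0 allow, 1 audit, 2 deny
        AuditReceivingNTLMTraffic    = $msv.AuditReceivingNTLMTraffic     # 0 off, 1 domain, 2 all
        RestrictReceivingNTLMTraffic = $msv.RestrictReceivingNTLMTraffic  # 0 allow, 1 domain, 2 all
    }
}

function Enable-NtlmAudit {
    # Audit mode only: NTLM keeps working, but every use is logged.
    if (-not (Test-Path $Msv10)) { New-Item -Path $Msv10 -Force | Out-Null }
    Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    Set-ItemProperty -Path $Msv10 -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
}

function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    # 8001 outgoing NTLM to a remote server, 8002 incoming NTLM,
    # 8003 NTLM seen on a domain controller, 8004 NTLM blocked by policy.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# Usage: review the state, enable auditing, then revisit after a week.
Get-NtlmPolicyState
Enable-NtlmAudit
Get-NtlmAuditSummary -Days 7
```

    Once the summary shows no remaining 8001 events for servers you control, moving RestrictSendingNTLMTraffic to 2 (deny) is the step the post describes; until then, the 8001 entries name the hosts that still need Kerberos or a replacement.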

  • Unlocking the Power of Windows Quick Assist

    In the rapidly evolving world of remote work and digital collaboration, tools that facilitate seamless support and troubleshooting have become indispensable. Windows Quick Assist stands out as a valuable application that allows users to receive or provide remote assistance effortlessly. In this blog post, we’ll explore the usefulness of Windows Quick Assist, potential security concerns, and steps to ensure a secure experience while using this powerful tool.

    The Usefulness of Windows Quick Assist

    For my entire career, I’ve been supporting people with PC problems. I have great stories of the good old days when “Insert the floppy disk and close the door” needed to be explained. The industry has changed a lot but the need for support never went away. Fortunately, the tools have gotten better! Windows Quick Assist is a built-in feature in Windows 10 and later versions, designed to make remote assistance straightforward and accessible. It’s also easy to access with a simple: Ctrl + Windows + Q.

    Here are some key benefits:

    1. Ease of Use: With Quick Assist, both the helper and the person needing help can connect easily by sharing a code. This simplicity reduces the barrier to entry for users who may not be tech-savvy.
    2. Real-Time Support: Quick Assist allows real-time screen sharing and control, enabling the helper to diagnose and fix issues directly on the user’s machine. This immediacy is particularly useful for troubleshooting complex problems that are difficult to describe over the phone or via email.
    3. Built-In Tool: As a native Windows application, Quick Assist does not require any additional downloads or installations. This integration ensures that it is readily available on any Windows 10 or later PC, promoting accessibility.
    4. Educational Use: Beyond troubleshooting, Quick Assist can be an excellent tool for remote learning and demonstrations. Educators and trainers can use it to guide students or trainees through software applications or processes in real-time.

    Potential Security Concerns

    While Windows Quick Assist is a powerful tool, it is essential to be aware of potential security concerns:

    1. Unauthorized Access: One of the primary risks is the possibility of unauthorized access. If the Quick Assist code falls into the wrong hands, an unauthorized person could gain control of the user’s computer.
    2. Sensitive Data Exposure: During a remote session, the helper can see everything on the user’s screen. If sensitive information is not properly managed, there is a risk of exposing confidential data.
    3. Malware and Phishing Attacks: Cybercriminals might exploit Quick Assist to conduct phishing attacks, tricking users into downloading things or granting access to their systems under the guise of legitimate help.

    Steps to Ensure Security

    To mitigate these risks and use Windows Quick Assist securely, consider the following best practices:

    1. You originate the conversation: You should ALWAYS be the starting point for support. This means that connection requests should come as a response to you asking for help, not the other way around. Never listen to someone that contacts you with a message like, “We’ve noticed something you should be aware of…”.
    2. Verify the Helper’s Identity: Always verify the identity of the person providing assistance. This can be done through a trusted communication channel, such as a phone call or a verified email address, before starting a Quick Assist session.
    3. Limit Access: It is possible to simply share your screen. Often the support tech only needs to see what you are looking at. If the support can be done without giving full access, don’t give full access.
    4. Be aware of what is going on: This is a hard one but related to access above. Even if the tech asks you to type a command in, try to be aware of what it is doing. I get it, you’re not the expert, but if it doesn’t feel right, you may want to reconsider typing it in.
    5. Monitor the Session: Keep an eye on the session at all times. Do not leave your computer unattended while someone has remote access. This vigilance helps ensure that no unauthorized actions are taken.
    6. End the Session Promptly: Once the issue is resolved, end the Quick Assist session immediately. This action ensures that the helper no longer has access to your system.
    7. Use Up-to-Date Security Software: Ensure that your computer has updated antivirus and anti-malware software. This software can help protect against any malicious activity that might occur during a remote session.
    8. Regularly Update Windows: Keep your Windows operating system updated with the latest security patches and updates. These updates often include important security enhancements that can protect against new threats.

    Conclusion

    Windows Quick Assist is an incredibly useful tool for remote assistance, offering real-time support and ease of use. However, it is essential to be mindful of potential security concerns and take appropriate steps to safeguard your data and system. By verifying identities, monitoring sessions, and maintaining robust security practices, you can harness the full potential of Windows Quick Assist while ensuring a secure and productive experience.

  • Microsoft’s Security Reputation: A Balanced Perspective

    When it comes to the security of tech giants like Microsoft, Apple, Google, and various Linux distributions, the headlines can often be misleading. Microsoft, with its extensive range of products, frequently comes under fire for the sheer volume of security vulnerabilities reported. However, a deeper dive into the statistics reveals a more nuanced picture that deserves attention.

    The Misleading Nature of Raw Data

    At first glance, Microsoft seems to have a disconcerting number of security vulnerabilities. This perception stems from the absolute numbers reported, which indeed are higher than those of its competitors. However, this figure does not take into account the scale and diversity of Microsoft’s product portfolio, which is significantly larger than that of most other tech companies.

    A Matter of Scale

    To put things in perspective, it’s essential to consider the number of products each company manages. Microsoft, with its vast array of services and software, ranging from widely-used operating systems like Windows to numerous business applications and cloud services, inevitably has more potential points of exposure than companies with fewer products. When adjusted for the number of products, the data tells a different story.

    The Real Comparison

    When comparing the number of vulnerabilities per product, a more accurate measure of a company’s security posture emerges. According to recent analyses, while Microsoft has the highest total number of vulnerabilities, companies like Apple and Google report more vulnerabilities per product, with figures standing at 74 and 56 respectively. Even Debian, often lauded for its stability and security, has a similar rate of 74 vulnerabilities per product.

    Understanding Vulnerability Reporting

    It’s also important to understand the dynamics of vulnerability reporting. Companies with a high level of transparency and a robust reporting mechanism will naturally have higher reported numbers. Microsoft, with its comprehensive approach to cybersecurity, actively encourages the reporting and patching of vulnerabilities, which contributes to its high numbers. I often get information about vulnerabilities reported from Microsoft but far fewer from the other major players. The implication could be that the other players are more secure, but the reality may be that the other players simply don’t tell anyone (or don’t know).

    The Role of Active Communities

    Another factor to consider is the role of the community and user base in detecting and reporting issues. Open-source platforms like Debian often benefit from a large community that actively searches for and reports security issues, which can lead to a higher number of reported vulnerabilities but also faster patching and dissemination of information. My personal take on it is that having an open-source platform is a double-edged sword. Community-based development sounds great…if the goals of the whole community are aligned. However, bad actors can introduce vulnerabilities far more easily. While a vulnerability could be found, it could also live longer in the wild simply because there is no formal quality control.

    Microsoft’s Proactive Security Measures

    Microsoft has consistently invested in enhancing its security measures. Its initiatives include regular security updates, the use of advanced threat protection technologies, and extensive resources dedicated to cybersecurity research. The company’s proactive stance on security is aimed at not just remedying vulnerabilities but also at preventing security breaches before they occur.

    The Bigger Picture

    When assessing the security of technology products, it is crucial to look beyond the raw numbers. The number of vulnerabilities reported should be weighed against the number of products managed, the company’s responsiveness to threats, and the overall impact of the vulnerabilities. In this light, Microsoft’s security reputation is more about its transparent reporting and extensive product range rather than a reflection of weak security protocols.

    It’s easy to think of Microsoft as the hated enemy and MANY technologists do. Yet they run around with phones in their pockets that are developed by a company far more secretive and controlling.

    In conclusion, while the headlines may not always be favorable, Microsoft’s approach to security deserves a more considered evaluation. It’s not just about being obligated to do so. The tech giant’s efforts to maintain transparency, encourage reporting, and invest in security innovations are vital components of its strategy to protect users across its vast product ecosystem. Understanding this context is key to forming a balanced view of Microsoft’s security landscape.

    Want to know more?

    Check out the CVE database on vulnerabilities at Mitre: CVE – CVE (mitre.org)
    NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure. NVD – Home (nist.gov)

    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.

  • Microsoft OWA breach

    Today, we’re diving into a topic that has been making headlines recently. It’s all about the Microsoft Outlook Web App (OWA) breach. I understand that hearing about data breaches can be unsettling, but it’s essential to stay informed and take proactive steps to protect yourself and your information. In this blog post, we’ll break down the Microsoft OWA breach, we’ll talk about what happened, what you can do to protect yourself, and why staying informed is crucial in the digital age. Let’s dive in!

    Understanding The Microsoft OWA breach

    So, what exactly happened? Microsoft’s Outlook Web App (OWA) suffered a security breach that had many users concerned about the safety of their emails, attachments, and personal information. The breach occurred due to a vulnerability that allowed unauthorized access to OWA accounts. More recently, Microsoft finally explained the cause of the Azure breach: the corporate account of one of its engineers was hacked by a highly skilled threat actor who acquired a signing key, which was then used to hack dozens of Azure and Exchange accounts belonging to high-profile users.

    It’s important to note that not every OWA user was affected, but it’s still crucial to take precautions. Microsoft acted swiftly to address the breach and initiated an investigation. They also took measures to secure the affected OWA servers and notified customers whose data may have been compromised. In addition, they recommended that users change their passwords as a precaution.

    How to Protect Yourself

    1. Change Your Password – If you are using OWA or any other Microsoft services, change your password immediately. Make sure that your password is strong and unique, with a combination of letters, numbers, and special characters.
    2. Timely Action – Microsoft acted swiftly to patch the vulnerability and address the breach. If you’re using OWA, make sure that your software is updated to the latest version to ensure that you’re protected.
    3. Enable Multi-Factor Authentication (MFA) – If you haven’t already, enable MFA on your OWA account. This adds an extra layer of security by requiring you to verify your identity through a second method, like a code sent to your phone.
    4. Beware of Phishing Attempts – Stay vigilant against phishing emails or suspicious messages. Cybercriminals often take advantage of these situations to trick users into revealing sensitive information.
    5. Monitor Your Accounts – Regularly check your email and financial accounts for any unusual activity. If you notice something suspicious, report it immediately.
    6. Stay Informed – Last but not least, keep up to date with news and updates from Microsoft regarding the breach. They may release additional information or security recommendations.

    The Microsoft OWA breach may have raised some concerns, but always remember that being aware and taking proactive measures are your best allies in the digital world. By keeping your software updated, using strong passwords, enabling MFA, and staying vigilant, you can reduce the risks associated with such incidents. 

    Don’t let this breach discourage you from using technology – it’s an integral part of our lives.

    Instead, let it serve as a reminder to be proactive and informed about cybersecurity. Together, we can make the digital world a safer place for everyone. Stay safe, stay informed, and keep your digital world secure!

    References:

    https://arstechnica.com/security/2023/09/hack-of-a-microsoft-corporate-account-led-to-azure-breach-by-chinese-hackers/

    Outlook Hack: Microsoft Reveals How a Crash Dump Led to a Major Security Breach (thehackernews.com)

    iTWire – Microsoft says Azure breach ‘probably’ due to account being cracked

    How To Prevent A Data Breach In Your Company (forbes.com)


  • How to Update Microsoft Outlook

    Updating your software regularly is crucial to keeping your systems secure. As technology advances, new software vulnerabilities and bugs are discovered, which could lead to potential security breaches or system failures. By regularly updating your software, you ensure that any known bugs and security flaws have been patched, thus improving the overall security of your system.

    Software developers play a significant role in creating secure apps, and there is a growing demand for them to take ownership of their work. With the rise of cyber attacks and data breaches, it’s becoming increasingly important for developers to implement security measures throughout the entire software development lifecycle. This includes writing secure code, conducting regular security audits, and staying up-to-date with the latest security trends and practices. While there is a growing call for software developers to take more responsibility for creating secure apps, it is important for all computer users to prioritize software updates and make them a regular part of their routine. By doing so, you can help to safeguard your digital assets and prevent potential security breaches.

    How to update the Microsoft Outlook Client

    (Note: this doesn’t apply to Outlook 365, which is web-based.)

    Updating is fairly easy but the button may be hard to find.

    • First, open the File menu.
    • Find the “Office Account” and “Office Updates” items.
    • Click “Update Now”.

