Newsletter Archives

  • Master Patch List as of May 10, 2022

    Patches came out yesterday.  The full details will be out in next week’s newsletter but in the meantime I’ve posted up the preliminary recap up on the Master patch listing page. Remember, other than the browsers, I have pause or defer on everything else at this time.

    For those tracking the NPS patching issue on domain controllers: Microsoft is aware of the issue. “FYI, we’re aware of the NPS issue. It’s not related to NPS specifically but rather with how we’re distinguishing between different kinds of names in the certificates. Only a subset of folks are affected by this.”

    Acknowledgement here

    As always, thank you all for supporting the cause! Remember a mere $1 donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

  • Today is “What drives me insane about passwords” day

    May 5th was World Password Day, a day on which Microsoft wanted us to ditch our passwords completely and move to authentication apps, FIDO keys and other tools that move us away from passwords.

    But I’d argue that none of these solutions has addressed the fact that there are times I need access to someone else’s account for administration or management, a use case that is not being addressed well at all.

    My girlfriend and I recently discussed this issue. She is currently doing what she calls “case management” for a relative, where she must manage the doctor’s appointments, assist with the bank accounts and help out with logins for another person, someone who is remote to her and not local. Often she doesn’t want to have rights to the actual account or the bank account, but merely view rights. She wants to be able to manage, but not BE the person when it comes to logins. And she often finds it frustrating that businesses from banks to medical offices can’t handle this secondary login possibility.

    Then there is the issue of multi-user two-factor. I’ve seen this often with managed service providers and even in my industry. Often an invite is sent to a specific person, but that person may not be doing the actual work of the project. So you end up sharing out the credentials, which totally loses accountability. These vendors need to not charge per user, but understand that sometimes in firms we assign someone else to do the actual work.

    Or let’s take the case I often see in small businesses: two people work in the business, the access is tied to one person’s phone, but another person in the office is actually working on it. So you have to get the code that was sent to the other person’s phone in order to get into the thing.

    Now let’s take the hassle of migration and backing up two factor applications. Case in point: Microsoft authenticator application.

    “Before you can back up your credentials, you must have:

    A bit of a pain in the rear.

    Google Authenticator appears to me to be easier: you can actually go into the app and export your accounts out of the app, so you can place them on a backup device such as an Android tablet or iPad.

    But all of these claims about how passwordless is going to make things easier? No, it’s going to make things different, is all. Mind you, make sure your passwords are long and strong, and write them down either in a password application or literally WRITE THEM DOWN on a piece of paper that you then keep safe.

    But bottom line, on this day AFTER Password Day, I do want you to do better on passwords; too often we use really lousy ones. But I also want our vendors to realize that THEY need to do better as well.

  • From remote? From local?

    Alex posted earlier about UEFI vulnerabilities in certain models of consumer Lenovo laptops.

    The official notice is here at the Lenovo site.

    I try to weed out the hype and get to “how will I be attacked”?

    If the attack has to occur locally I discount the attack.

    According to Lenovo there are three vulnerabilities:

    One requires local access; the other two are described as “attacker with elevated privileges”:

    CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

    CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.

    CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

    I can’t figure out from reading the details on the ESET site whether an attacker modifying the boot settings would manifest itself in some other side effect that you and I would then notice and act on, such as reinstalling the operating system or some other drastic action.

    What’s the realistic risk here?
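    The three advisories above all come down to the same two firmware facts an administrator can record: whether Secure Boot is actually enforced, and which BIOS build the machine is running. The PowerShell below is an added example, not code from this post or from Lenovo, that reads both from an elevated prompt. It uses the standard `Confirm-SecureBootUEFI` and `Get-CimInstance` cmdlets; the `$ExpectedBiosVersion` parameter is a placeholder, because the fixed BIOS build for any given model is not on this page and has to come from Lenovo’s advisory for your model.

```powershell
# Added example (not from the AskWoody post or Lenovo's advisory): a read-only
# check that records the state the three advisories concern, i.e. whether
# Secure Boot is enforced and which BIOS build is installed.
# Run from an elevated PowerShell prompt; Confirm-SecureBootUEFI needs admin rights.
#
# $ExpectedBiosVersion is a placeholder: the fixed BIOS build for a given Lenovo
# model is not on this page; take it from Lenovo's advisory for your model.
param(
    [string]$ExpectedBiosVersion = "REPLACE-WITH-FIXED-VERSION-FROM-LENOVO"
)

function Get-FirmwareProtectionState {
    param([string]$ExpectedBiosVersion)

    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on
    # legacy BIOS boot; that case is reported as $null rather than as "enabled".
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = $null
    }

    [pscustomobject]@{
        Manufacturer      = $system.Manufacturer
        Model             = $system.Model
        BiosVersion       = $bios.SMBIOSBIOSVersion
        BiosReleaseDate   = $bios.ReleaseDate
        SecureBootEnabled = $secureBoot           # $null = not booted via UEFI
        BiosAtExpected    = ($bios.SMBIOSBIOSVersion -eq $ExpectedBiosVersion)
    }
}

$state = Get-FirmwareProtectionState -ExpectedBiosVersion $ExpectedBiosVersion
$state | Format-List

if ($state.SecureBootEnabled -ne $true) {
    Write-Warning "Secure Boot is not reported as enabled; review the firmware settings."
}
if (-not $state.BiosAtExpected) {
    Write-Warning "BIOS build differs from the expected fixed version; check Lenovo's advisory for this model."
}
```

    Running this before and after a BIOS update, and keeping the output, gives you a plain record of whether the Secure Boot setting the advisories talk about has changed on a given laptop; it does not tell you whether the firmware itself has been tampered with, which is the part the post is asking about.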

  • Master Patch List as of April 12th 2022

    Patches came out yesterday. So far not seeing anything major trending … yet.  But it’s honestly too early to tell the impact at this time. Edit 4/14/2022: Seeing some reports of issues with browsers with Norton and ESET antivirus.  I’m not seeing issues here with Defender. Based on comments it’s not widespread and thus too early to determine root cause at this time. I’d also make sure your browser is up to date.

    Edit 4/14/2022 3:21 pacific – check for updated a/v – this appears to have been resolved at least with ESET.

    I’ve updated the Master Patch Listing for the releases this month. Note, other than the browsers, I have pause or defer on everything else at this time.

    If there is anything I’ve typed in wrong, forgive me, I’m a bit bleary eyed this week as we are almost to the USA tax due date of April 18th. (No, not the 15th, but the 18th.) Take pity on your CPA and stop emailing or texting them photos of your tax documents. Not only is it not secure to be sending your sensitive tax data that way, it makes it EXTREMELY hard for us to print out or save the tax documents. The CPA listserve recently had a thread about how to deal with this issue and we were all indicating how often this occurs. Remember, if you can see that sensitive social security number as you email or text me that document, so can the attacker.

    Stay tuned for the details in the newsletter this weekend about the Patching issues and headlines and as always, I’ll keep the Master Patch Listing up to date with the latest.

    As always, thank you all for supporting the cause! Remember a mere $1 donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

  • Microsoft’s announcements this week

    Q. So Susan, I see that Microsoft held this event this week to make announcements regarding hybrid work. What are your thoughts about what was discussed?

    A. Well, it’s like this. As you can imagine I’m totally excited about the security announcements, but I’m a realist. So I ALWAYS look at these announcements with either my home computer or my small business computing needs in mind. Too many of Microsoft’s security features these days are hooked to subscription enterprise licenses, so while all of these security announcements sound cool, unless normal users like you and I can take advantage of them, it’s not keeping us secure.

    Q. What do you mean?

    A. Well, take this list: the Windows 11 security announcements include Pluton (new security-specific chip) SHIPPING, HVCI/VBS (Hypervisor-Protected Code Integrity) on by default on ALL CPUs, Credential Guard default ON, LSASS Protection default ON, EXE signed or rep REQUIRED, Script Blocking from Internet ON, Enhanced Phishing ON, File Layer Encryption with Hello ON. Some of those features I KNOW are only in Enterprise and in E3 or E5 and thus only available for businesses with subscription agreements. So, like: “In the future, Credential Guard will be enabled by default for organizations using the Enterprise edition of Windows 11.” Translation: that’s businesses with enterprise subscription agreements ONLY. You and I won’t be able to get that.

    Q. But isn’t security important for Enterprises?

    A. Oh, don’t get me wrong, I love security enhancements. It PAINS me every time someone in the forum talks about how they still run Windows XP and they consider it secure (if you are still using it and it’s connected to the Internet and not isolated, it’s honestly not; you can’t install a modern browser on it) or love Windows 7 (I’ll be covering Windows 7 and the future in this week’s newsletter, stay tuned). But it also PAINS me every time something that I feel should be available to all Windows users, from home users to small business to big business, without restriction isn’t. For example: “The enhanced phishing detection and protection built into Windows with Microsoft Defender SmartScreen will help protect users from phishing attacks by identifying and alerting users when they are entering their Microsoft credentials into a malicious application or hacked website”. That shouldn’t just be for “Microsoft credentials”. That should be ANY credentials. And it remains to be seen if that’s tied to certain Enterprise-only subscription models.

    Q. What about this new thing called “Smart App Control” that “prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals. When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature.”

    A. First off, have you tried buying a computer or laptop right now? Most/many of my IT folks are scrambling to buy equipment because of supply chain issues. Next, “clean installation of Windows 11” is a heavy burden. Do you know where all of your product keys are? I guarantee there is some older app you will probably have a hard time reinstalling clean. Finally, and again, what license is needed for this? And show me a home user or small business and I GUARANTEE you that I will STILL find an application that isn’t code signed. So I’m going to bet that we’re going to have to either whitelist apps or find workarounds. Realistically this will only be helpful on an Office-only worker computer, someone that only uses Windows and Office, not a key line-of-business type of computer.

    Q. So these announcements weren’t important?

    A. No, I’m not saying that. I’m just saying that I don’t parrot public relations blasts and immediately post about them. That’s not what we’re about here at Askwoody.com. I wait until actual software is released, I can test it, I can see if it’s useful (or not) and, most importantly to me and I’m sure the readers of Askwoody.com, I wait to see how it’s licensed. If it’s not either default to all users or reasonably priced, it’s not going to be a realistic security solution to the folks that need help. We’re about what really works here on Askwoody.com, not what isn’t yet released. So the readers of Askwoody.com will get reality, not regurgitation of public relations blasts.

    Q. Do you always plan to talk to yourself like this and ask yourself questions?

    A. It’s Friday.  What can I say.  Have a good weekend all.  Patch Tuesday is next week, make sure you defer those updates!

  • Microsoft hacked? What’s OKTA?

    The security buzz today is all about two related events. First off, the reports are that source code from Microsoft’s Bing search engine, Bing Maps and Cortana virtual assistant was obtained and dumped out for all to see.

    First off, I typically don’t panic on these “source code” leaks. It doesn’t mean that Bing is now insecure. Rather it just means that, like open source software, more people can look at it and POTENTIALLY find vulnerabilities. Doesn’t mean they WILL, just that it’s been exposed to more eyeballs. What is more interesting (concerning?) to me is HOW this group was able to gain access. I’m more interested in the how of an attack than the what. “Microsoft is investigating”. Yeah. I bet they are. I feel sorry for the investigation team that now has to comb through log files.

    Next, this same group, called Lapsus$ and out of Brazil, obtaining access to a support person for the Okta single sign-on authentication software for enterprises is the bigger “oh dear” of the day. Lapsus$ is also the group that has stolen source code from Nvidia, Samsung and Ubisoft, among others. Okta’s CEO is saying that this event is related to an event in January where an engineer got “popped” and compromised.

    So… while the timing may make you think this is related to yesterday’s White House announcement regarding possible Russian cyber attacks, it doesn’t appear to be a direct cause and effect.

    But that said, in light of yesterday’s statement what should you and I do?

    Well if you weren’t doing this stuff before, it may be already too late… but here’s my list:

    1. BACKUP.  Oh, you aren’t doing this now?  You should have been doing this for YEARS already and be expert at this.
    2. Password review and multi-factor where you can. I don’t want you to run out and immediately change all of your passwords because that would most likely cause you to choose really bad ones as a result. Don’t just change passwords for change’s sake. But certainly look at those services and sites that are your high risk ones like banking and financial. Is THAT password unique? Passphrase? For banks (that are always the slowest to upgrade to new authentication) can you at least ensure some sort of two-factor mechanism? Stop reusing passwords and get a password storing solution (either a paper journal and write them down or a solution like LastPass, KeePass, etc.)
    3. Ensure that March updates are installed at this time (Windows, Apple, ChromeBook) all should be deployed now.
    4. Review if your router was patched in this century (just kidding, but kinda seriously). If you can’t remember the last time your router got a firmware update it may be time to consider a new router?

    As always if you have any questions either post in the comments to this post or head on over to the CyberSecurity for Home users forum.

    Needless to say we will be discussing these topics and more in the AskWoody Newsletter.

    P.S. Black Hills Information Security will be doing a webcast on YouTube at 4:30 p.m. Eastern time (now).

  • Master Patch List as of March 22, 2022

    We have yet to see the preview releases for Windows 11 either last week or this week (I’m guessing they may be coming out tomorrow?), but I’ve published the updates to the Master Patch List tonight as of March 22, 2022 and we’re getting ready to send out the alert tomorrow regarding the Patch status for March.

    Thank you all for supporting the cause! Remember a mere $1 donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

    If Microsoft does release the preview updates for Windows 11, I’ll update the Master Patch List but remember, I don’t recommend installing preview releases.

  • Master Patch List as of March 8th

    A reminder again, for those of you that are Plus members, I’ve updated the Master patch listing through March 8, 2022.  The ONLY thing I want folks to install at this time is Exchange updates for anyone who has Exchange on premises email servers running Exchange 2013, 2016 or 2019. There is a “from remote” vulnerability.  Full details will be in the newsletter out on the weekend.

    Remember, if you get offered or install the PC Health tool called KB5005463 or KB4023057, you can remove them by going into Control Panel, Programs and looking for Windows PC Health Check or Microsoft Update Health Tools. They should have a recent date of install and look similar to below:

    Click on it to remove them from your computer.
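    For anyone who would rather check from a prompt than hunt through Control Panel, the PowerShell below is an added example, not from this post or from Microsoft, that reads the same Uninstall registry keys the Programs list is built from and reports the two entries named above with their install dates, and asks Windows Update whether the two KB numbers are recorded. It is read-only: it shows what is present and the uninstall command each entry registers, and leaves the removal to you. The registry paths and the `Get-HotFix` cmdlet are standard; the display-name patterns are taken from the post.

```powershell
# Added example (not from the AskWoody post): find the "Windows PC Health Check"
# and "Microsoft Update Health Tools" entries the post says to look for in
# Control Panel, by reading the Uninstall registry keys that list is built from.
# Read-only: nothing is removed; the UninstallString is shown for reference.
$KbIds        = @('KB5005463', 'KB4023057')   # the two KB numbers named in the post
$NamePatterns = @('Windows PC Health Check', 'Microsoft Update Health Tools')

function Get-HealthToolEntries {
    # Both 64-bit and 32-bit (WOW6432Node) program lists feed Control Panel.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($NamePatterns | Where-Object { $name -like "*$_*" })
        } |
        ForEach-Object {
            # InstallDate is stored as a yyyyMMdd string; convert it when present
            # so the "recent date of install" the post mentions is easy to read.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallDate     = $installed
                UninstallString = $_.UninstallString
            }
        }
}

# The tools arrive through Windows Update; Get-HotFix shows whether the KB
# itself is recorded (no output if neither is present).
$hotfixes = Get-HotFix -Id $KbIds -ErrorAction SilentlyContinue

"Installed programs matching the health tool names:"
Get-HealthToolEntries | Format-List

"Windows Update records for $($KbIds -join ', '):"
if ($hotfixes) {
    $hotfixes | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    "none recorded"
}
```

    Run it in an elevated PowerShell window; if either entry is listed, the post’s Control Panel route is still the simplest way to remove it.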

    Thank you all for supporting the cause! Remember a mere $1 donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

  • Defender reports a false positive

    Gunter Born reports on Borncity.

    Microsoft Defender is triggering a false positive on Dell laptops, specifically on the Dell SupportAssist Remediation Service tool. Don’t panic, it’s not you, it’s them.

    I have a love/hate relationship with OEM tools.  Often they are wonderful.  Often they introduce vulnerabilities.  Often you have no idea they are installed.

    Bottom line, no antivirus is perfect and quite frankly, no one is better than you being a teeny weeny bit paranoid and not clicking in the first place.

  • Master Patch List updated through Feb 22

    For those of you that are Plus members, I’ve updated the Master patch listing through February 22, 2022.  I’ve expanded the listing of Browsers showcasing that many of them received updates last week.

    Remember the .NET updates this month did not include security updates but I’ve gone ahead and indicated they should be installed if you are offered them.

    Thank you all for supporting the cause! Remember a mere $1 donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

  • Master Patch Listing updated as of February 8, 2022

    I’ve just updated the Master Patch Listing through February 8, 2022.  (Plus members only – remember a mere $1 donation gains you access but we are VERY appreciative of any and all donations to the cause and my slightly bleary eyes this time of year for me.)

    Remember I’m not recommending that you install updates at this time. This is merely to let you know that I’ve updated the list of released updates so you know what to expect to be offered and installed later on.

    Some notes for the February releases…. .NET does not include security updates so you’ll see monthly rollups and not security only updates.

    I recommend 21H1 or 21H2 at this time, but not yet Windows 11.

    As always, the full details of security patches for Windows, Office, Chrome Browser, Firefox Browser, and Chromebook will be discussed in the Plus Newsletter along with several other articles from our expert authors. Thank you all for supporting the cause!

     

  • February 2022 Patch Tuesday early reports

    It’s that time of the month again that we wait on news of update side effects. It’s my philosophy that you shouldn’t rush into anything and patching (with very few exceptions) falls into that as well.

    This month includes patches for Print spooler (ugh) but it remains to be seen if we’ll see more printer side effects.

    So ensure you have (for Windows 10/11) Start / Settings / Update and Security / Advanced options / Pause updates / choose the date of February 22, and then sit back and let’s see how February shakes out. In the meantime here’s a Valentine’s Day poem from Kelley Robinson:

    Roses are red
    Violets are blue
    Turning on 2FA
    Is good for me and you

    Links to keep an eye on for those of you that want to dig through the weeds yourself; as always, we’ll be recapping the side effects in the newsletter and Master Patch List so you don’t have to wade through all of the weedy stuff.

    Raw link from MSRC
    Dustin Child’s Security update review
    SANS patch recap
    Patch Tuesday dashboard
    Reddit’s Patch Tuesday megathread (lots and lots to dig through)