Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – 31 days of Paranoia – Day 18

    Posted on October 18th, 2018 at 23:19 Susan Bradley Comment on the AskWoody Lounge

    Today we’re taking a break from our normal paranoia to discuss a recent vulnerability.  The headlines imply that a guest user can gain admin rights via this attack.  But that’s not how I’m reading this.  The Windows RID hijacking as per the blog “Assign the privileges of the hijacked account to the hijacker account, even if the hijacked account is disabled.”.  That is the account you attacked can then assign the rights to another account.  IF the account you hijacked is the administrator account you can then assign those admin rights to a lower level account.  So it does hide the fact that one has a back door in the system.  But… here’s the thing… you already had to have been hacked by something or someone before the RID hijacking could occur in the first place.

    Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.
    The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.
    But in cases where a hacker has a foothold on a system –via either malware or by brute-forcing an account with a weak password– the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

    So the real issue is that you were hacked by something else first… and then this obfuscation can occur.

    Sometimes in security it’s hard to get a real sense of the true risk.  We spend hours in TSA lines but aren’t really any more secure than we think.

    Bottom line don’t be quite so paranoid about this vulnerability.  Be more concerned about something you probably have absolutely no control over.  The bigger vulnerability we all should be freaking out over is the Libssh authentication vulnerability.  This vulnerability “it allows anyone to authenticate to a server without any credentials, simply by telling the system that they’re a legitimate user.”  As is written on the Threatpost post, it’s the equivalent of the Jedi mind trick… the attacker can just say “these aren’t the droids you are looking for” and gain access.  Do you know what applications you currently use rely on Libssh?  No, we don’t.

    That my friend is true paranoia.  When we know we probably are at risk, but don’t know what software might be at risk.

  • Patch Lady – 31 days of Paranoia – Day 17

    Posted on October 18th, 2018 at 00:12 Susan Bradley Comment on the AskWoody Lounge

    So you know you’ve been hacked.  Now what?  You can tell your passwords have been reset and you can’t get into your accounts.  You have evidence that a bank account has had funds transferred without your permission.  What can you do?

    Well it honestly depends on exactly the level and damage of the attack.  Financial crimes have a higher impact and thus will often get action.  Low impact crimes, for example where someone is spoofing you online and pretending to be you in Facebook and asking for “friend” requests won’t get police action.

    But what can you do to at least make authorities aware of the problem?  Obviously with any hacking or cyber activity that has a financial impact, immediately call your financial institution.  They can change bank account numbers, put in place positive pay processes to ensure that no authorized transactions get made without your explicit permission.   For high impact intrusions you can contact the FBI or the Secret Service or the Internet Crime Complaint Center.  For lesser impactful attacks you have much less options.

    Think the cyber attack is originating from Azure, or Amazon Web Services?  You can contact them.  And that’s often the best place to start.  See if you can determine where the attack originated from and contact the hoster or ISP that  the attack came from.  Often you can narrow this down by reviewing email header files.

    Tomorrow I’ll talk about the ways you can recover from an attack and some of the investigation tools you can use on machines.

  • Patch Lady – a new ribbon for Office

    Posted on October 17th, 2018 at 23:57 Susan Bradley Comment on the AskWoody Lounge

    In the last few weeks you may have received a new ribbon bar look.  It’s a bit whiter and has more contrast than the old icons.  If you think you accidentally clicked on something and think you messed up a view, it’s actually the new look being rolled out to some users.  If you want to go back to the more classic view, you can flip your click to run patching schedule from monthly to semi-annual channel.

    There is a user voice item that has (at the time of this posting) 575 votes.

    Bottom line, it’s not you, it’s them.  You didn’t do anything other than use your computer and get updates silently in the background.

  • Patch Alert: Where we stand with the October patches

    Posted on October 17th, 2018 at 09:25 woody Comment on the AskWoody Lounge

    It ain’t pretty, lemme tell ya.

    Information on Computerworld.Woody on Windows.

  • Patch Lady – 31 days of Paranoia – Day 16

    Posted on October 16th, 2018 at 23:23 Susan Bradley Comment on the AskWoody Lounge

    Today we live in a world where recording devices are ubiquitous.  There are recording devices on public streets, recording devices in the door bells of houses, and in general, there is often a video recording that Authorities can obtain to gain more information.  California has a law that states….

    California’s wiretapping law is a “two-party consent” law. California makes it a crime to record or eavesdrop on any confidential communication, including a private conversation or telephone call, without the consent of all parties to the conversation. See Cal. Penal Code § 632. The statute applies to “confidential communications” — i.e., conversations in which one of the parties has an objectively reasonable expectation that no one is listening in or overhearing the conversation. See Flanagan v. Flanagan, 41 P.3d 575, 576-77, 578-82 (Cal. 2002).  A California appellate court has ruled that this statute applies to the use of hidden video cameras to record conversations as well. See California v. Gibbons, 215 Cal. App. 3d 1204 (Cal Ct. App. 1989).

    If you are recording someone without their knowledge in a public or semi-public place like a street or restaurant, the person whom you’re recording may or may not have “an objectively reasonable expectation that no one is listening in or overhearing the conversation,” and the reasonableness of the expectation would depend on the particular factual circumstances.  Therefore, you cannot necessarily assume that you are in the clear simply because you are in a public place.

    If you are operating in California, you should always get the consent of all parties before recording any conversation that common sense tells you might be “private” or “confidential.” In addition to subjecting you to criminal prosecution, violating the California wiretapping law can expose you to a civil lawsuit for damages by an injured party.

    If you have security cameras in a location where there is no expectation of privacy – out in the street in front of your house – you would not be under a wiretapping law.  However if your security cameras are inside your house, there is an expectation of privacy and thus wiretapping laws would come into play.  Now let’s layer on how some of these video cameras have less than stellar security and now layer on the ability to search for such internet of things devices through a specially crafted search browser, it’s no wonder that we’re all a bit paranoid these days.  Make no mistake, video cameras often help law enforcement put evidence together.  Case in point a local homicide in my City was able to spot an assailant’s truck in several videos captured by surrounding homes and businesses and was able to use the video as additional evidence of proof that the assailant was in the area where the homicide occurred.  So video capturing helps a great deal.  BUT… as with all technology – it can be abused both in terms of privacy and as well as being used by attackers.

    If you set up a home video camera consider the vendor security features:  Make sure it doesn’t have embedded passwords, demands complex passwords, can be updated relatively easily among other things.

    Cameras can help make you safer, but they can also introduce security risks as well.

  • Reviews of the Surface Pro 6 and the Surface Laptop 2

    Posted on October 16th, 2018 at 09:43 woody Comment on the AskWoody Lounge

    The embargo must’ve been lifted overnight. You can see reviews all over the web.

    Bottom line:

    Surface Pro 6 is a little faster that the “Surface Pro (2017)” but not that much. i5, 8GB RAM, 256 GB and a keyboard for about $ 1,350.

    Surface Laptop 2 is a little faster than the Surface Laptop (1) but not that much. i5, 8GB RAM, 256 GB storage for $1,300.

    No USB-C.

    Compare with any Chromebook for a small fraction of the price. The ultimate Chromebook, the Google Pixelbook with i5, 8GB RAM, 128 GB storage runs half the price. Admittedly the Pixelbook lacks some key Surface features: Bluescreens, bugs, malware, slow reboots.

    Disclaimer: Unless it isn’t patently obvious, no, I’ve never held either a Surface Pro 6 or Laptop 2 in my hands. This isn’t a review. I wasn’t under embargo. Microsoft didn’t give me a test machine.

    But I have held a Pixelbook. In fact, my son still uses my original Pixelbook almost every day. Built like a brick spithouse.

  • Phone scam: Win7 license is “about to expire”

    Posted on October 16th, 2018 at 04:58 woody Comment on the AskWoody Lounge

    Fascinating story/question from JW:

    I’m writing in reference to what my wife & I believe to be a phone scam related to the upcoming termination of Microsoft support for Windows 7. We have now received two phone calls (several weeks apart), from someone claiming to represent Microsoft, informing us that our Win7 license is about to expire, and that we must pay a fee by phone (credit card) in order to continue to use the software beyond a certain date (which has changed with each call). This strikes us as being illegitimate and a scam to get money and our credit card info. Have you heard of this previously and do you agree this is likely an illegitimate request? Is there some useful action we might take other than sharing this with you.

    No question it’s illegitimate.

    It’s also the first time I’ve heard this one.

    As Win7 approaches end of life (14 months to go!) I expect we’ll hear more variations on this theme.

  • Patch Lady – 31 days of Paranoia – Day 15

    Posted on October 15th, 2018 at 23:15 Susan Bradley Comment on the AskWoody Lounge

    We’re on the 15th day of our travels through paranoia and on the day that Paul Allen, one of the founders of Microsoft passed away, I’m touching on the next big disruptor that the Microsoft company is increasingly implementing:  That of cloud services.

    Paul Allen and Bill Gates took mainframe computers from locked away in a freezing room only accessible by the few to where nearly everyone has more power in their desktop and laptop than the old mainframes used to have.  The next disruptor is cloud services.  Especially for small firms, my biggest fear for small businesses that rely on cloud computing is that we won’t get solid guidance on how best to secure and deploy cloud services.

    Too often people see cloud services as easy to set up, and they are, but they don’t take the time to think about security.  I have personally seen where users of cloud services will often share credentials to another person without thinking of the risk of sharing credentials.  I’ve seen where consultants can misconfigure settings or – as often seen in big cloud breaches – leave files in cloud locations and not set the file security properly.

    There’s a lot of good things about cloud services.  And then there’s a lot of risks to cloud services.  Always ask and check on how easy it is move FROM a cloud provider, check on the encryption status, check on the backup status.  And these days I’m seeing more and more vendors providing cloud backup solutions to give users more granular options in restoring files saved in the cloud.

    So read those end user license agreements, and ask questions of your vendors before you sign up.