What is Microsoft Security Compliance Manager?

Managing security in a company is a complicated task. In a Windows environment there is a very nice feature known as Group Policy, which lets you take control of managing your IT environment. With it you can set basic things, like forcing users to change their password every three months, or handle more complicated tasks, like blocking a certain version of an application from running or disabling certain settings in Windows. There is no doubt that Group Policy in Windows is very powerful, but many IT professionals are not sure how to configure it to comply with security industry best practices. If a company is required to follow IT security best practices, it can achieve that with Group Policy, but the staff are not sure which policies they should set. In that case, they need to go through security best practice documents, figure out what each policy is about, then open Group Policy, look for the Group Policy Object and set that specific policy there. This is a time-consuming and difficult process, and for these reasons many IT professionals just set up basic security policies, like the ones for user accounts, and leave it at that. Fortunately, Microsoft released a tool that makes it a lot easier to adopt security best practices in Group Policy quickly, and it is called Security Compliance Manager. It contains a list of security best practices and maps them to Group Policy Objects, and it also explains why each policy is needed and why it is important. So, instead of looking into a guideline and figuring out which policy must be set and where it is located in Group Policy, you see all the required policies, you see why they are needed, and you can compare your current setting with the one recommended by Microsoft and the one recommended by the industry.
In addition, you can simply sit down with your managers and other IT professionals and discuss which changes you want to adopt in these policies, and once you are done, you can import the result into your current IT environment and use it. You can also customize your own settings and share them with other branches. Security Compliance Manager is a simple tool that does great things. Make sure you use it; the good news is that it is free of charge, and you may download it from here.

The above link is to the latest version, and new versions will be released regularly, so make sure you check the Microsoft website for the latest version.

 

Don’t Be Scared of WannaCrypt

Recently, a type of ransomware known as WannaCrypt, which can spread over a network like a worm, affected millions of computers worldwide. Ransomware is a type of malware that encrypts the files on a system and asks the user to pay for the key to decrypt them, and making the payment doesn’t necessarily grant you the key. Therefore, it is best not to make any payment and instead to invest more time in protecting yourself. Normally, ransomware arrives as a file or with a virus, where the user has to click on the file or run an infected program for the ransomware to run, and it only infects the affected PC and no other PCs on the network. However, WannaCrypt is different: it infects the PC and then tries to spread over the network like a worm and infect the other PCs on it. In this way it could encrypt all the PCs in a company or organization, and this is why it has become a great concern. To spread over the network, it uses a vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) server which was fixed in March. To put it simply, if you have already updated your Windows, it won’t be able to spread over the network, and in general you should install the update related to Microsoft Security Bulletin MS17-010. In other words, Microsoft had already protected you before this worm infected the world, but because many users and IT professionals still don’t take Windows Update seriously, it managed to affect the world. In addition, the majority of anti-malware vendors have already released updates to protect users against this ransomware. If you are using any of the Microsoft anti-malware products, such as Windows Defender, Microsoft Security Essentials, System Center Endpoint Protection, Windows Intune Endpoint Protection or Microsoft Forefront, you will be protected as long as you update your anti-malware. In Microsoft anti-malware signatures, it is known as Ransom:Win32/WannaCrypt.

In conclusion, to protect yourself against WannaCrypt and other ransomware, you need to update your Windows and update your anti-malware product, and in general you should connect to the internet and check for updates. Microsoft has also released Customer Guidance for WannaCrypt attacks. If you are worried about WannaCrypt, you need to do three things: Update (Windows), Update (Anti-Malware), Update (Other Programs).
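
A read-only PowerShell check of the first two of these on a single Windows machine, plus whether the SMBv1 server is enabled; this is an added example, not Microsoft's guidance or code from the original post. The function names and both age thresholds are assumptions, and it does not look for specific KB numbers because the fix for MS17-010 ships under different ones per Windows version.

```powershell
# Added example: read-only local audit for the "Update, Update" advice above.
# Thresholds are assumptions for illustration, not Microsoft guidance.
$MaxPatchAgeDays     = 35   # assumed: one monthly patch cycle plus slack
$MaxSignatureAgeDays = 3    # assumed

function New-CheckResult {
    param([string]$Check, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-Smb1Server {
    # WannaCrypt spreads through the SMBv1 *server*; report whether it is enabled.
    # Get-SmbServerConfiguration needs Windows 8 / Server 2012 or later.
    try {
        $enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
        if ($enabled) {
            New-CheckResult 'SMBv1 server' 'WARN' 'Enabled; make sure MS17-010 is installed'
        } else {
            New-CheckResult 'SMBv1 server' 'OK' 'Disabled'
        }
    } catch {
        New-CheckResult 'SMBv1 server' 'UNKNOWN' $_.Exception.Message
    }
}

function Test-WindowsPatchAge {
    # Get-HotFix does not list every kind of update, so treat this as a
    # recency signal rather than proof that a particular fix is present.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        return New-CheckResult 'Windows updates' 'UNKNOWN' 'No dated hotfix entries found'
    }
    $age = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    $status = if ($age -le $MaxPatchAgeDays) { 'OK' } else { 'WARN' }
    New-CheckResult 'Windows updates' $status "$($latest.HotFixID) installed $age days ago"
}

function Test-DefenderSignatures {
    # Only covers Windows Defender; other anti-malware products need their own check.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        return New-CheckResult 'Anti-malware' 'UNKNOWN' 'Defender cmdlets unavailable; check your own product'
    }
    if (-not $mp.AntivirusEnabled) {
        return New-CheckResult 'Anti-malware' 'WARN' 'Windows Defender antivirus is not enabled'
    }
    $age = $mp.AntivirusSignatureAge
    $status = if ($age -le $MaxSignatureAgeDays) { 'OK' } else { 'WARN' }
    New-CheckResult 'Anti-malware' $status "Signatures $($mp.AntivirusSignatureVersion), $age days old"
}

# Run all three checks and show one row per check.
@(Test-Smb1Server; Test-WindowsPatchAge; Test-DefenderSignatures) |
    Format-Table -AutoSize -Wrap
```

Any WARN or UNKNOWN row is a prompt to run Windows Update or the anti-malware update by hand; the third item, Update (Other Programs), is not covered by this check.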

 

Goodbye Windows Vista!

Support for Windows Vista ended on April 11, 2017. This means you won’t get any updates or support for Windows Vista, and if a new vulnerability or security weakness is found in Windows Vista, you won’t get a fix for it. In other words, security researchers and the Microsoft security team won’t spend much time researching how to secure Windows Vista. Windows Vista succeeded Windows XP, and in those days Windows XP was blamed for security weaknesses and a high number of malware infections. Windows Vista opened a new door for security: it was a new operating system introduced with new and powerful security concepts out of the box, such as a two-way firewall (Windows XP had a one-way firewall) with advanced and user-friendly settings. BitLocker was introduced at the time of Windows Vista, and it helped IT professionals and users encrypt their entire hard drive easily. User Account Control (UAC) was also introduced in Windows Vista; it requests permission whenever the user tries to perform administrative tasks. In general, there were several improvements in the area of security in Windows Vista. Some users blamed Windows Vista because the new security features weren’t very friendly to them. In Windows 7, security was enhanced and became friendlier, and for this reason many people upgraded to Windows 7. In Windows 8, security was enhanced again and anti-malware software was built into the operating system. This improvement continues in Windows 10, and Windows keeps improving with each version, new build and release.

If you are using Windows Vista, it is better to upgrade to a supported version of Windows; take a look at Windows Vista end of support. It is recommended to upgrade to Windows 10, which is the latest version of Windows and has several new security features. When you upgrade from Windows Vista to Windows 10, you need to reinstall your applications, and in some cases you might need a hardware upgrade. However, you must upgrade to a supported version of Windows; otherwise, it is just a matter of time before a new vulnerability is discovered in public and causes damage to your system. If you are using Windows Vista, make a wise choice and upgrade today.

 

Mark as Junk to Fight against Cybercriminals

If you see any suspicious email, you should mark it as SPAM, JUNK or Phishing instead of deleting it. I have seen many users who just delete suspicious files, and unfortunately there are people in the security field who ask users to delete unknown and suspicious emails. The question is: when should we delete an email and when should we mark it as spam? We delete emails when we know they are trustworthy and we could ask the sender to stop sending them or unsubscribe from them; we delete those to free up our mailbox. But if an email came from an unknown source and we can’t trust it, or it shows any suspicious behavior, we shouldn’t just delete it; instead we should mark it as spam. This helps our email spam filtering system fight against spammers and cybercriminals. It also helps legal authorities have better evidence when fighting spammers; they can say that thousands of our users asked us to block this person, we asked them to stop spamming and they refused, so we are bringing them to court. Sometimes an email might come from a trusted friend and seem suspicious. In this case, you should call your friend and ask them to go through basic security steps, like checking for malware, changing passwords and checking with their email provider to see whether there is any suspicious behavior on their email account. If you are using a Microsoft Account, there is a good description of the things you can do here. It is better to contact them by phone or another means of communication than by email, because we are not sure whether your friend’s email has been hacked or not. One interesting feature of Microsoft Outlook.com email is that you can mark that your friend’s email has been hacked, and this will help your friend. It is in the drop-down list near Junk in Outlook.com, where you mark an email as Junk or Spam.

We, as security professionals, should teach our users to mark suspicious emails as Junk or Spam instead of deleting them. That way we will know which emails are trying to harm users and which ones are just taking up some extra space. Junk or Spam is a matter of cybercrime, and in some cases these emails might carry dangerous attachments which might contain new malware, so reporting them as junk or spam helps us identify new threats and even unknown or 0-day vulnerabilities. To make this matter clear for users, I would ask them to consider their home. Sometimes you need to clean and remove dust, and you will see some pieces of paper, like old receipts, which you don’t need any longer; they won’t harm you, and you just throw them out to make your home cleaner. But imagine that someone sends you something dangerous. Let’s say it is a package which might contain a bomb, or a letter convincing you to leave your home at a specific hour (so maybe someone could come into your home during those hours and commit robbery). You won’t just throw it out. You will place it outside your home and call the police or other legal authorities. Marking an email as Junk or just deleting it is like this. So you should be careful about whether you delete an email or mark it as junk.

 

Machine Learning Damaging Our Privacy

In order to build any model based on Machine Learning and Artificial Intelligence, it is necessary to collect a lot of data, and to get an accurate model, we need accurate data. For this reason, companies are forced to collect a lot of data from users; they send it to their big model for processing and then hand it over to machine learning and AI experts to create a model for prediction. The main problem is that to satisfy the model we need a lot of data, and this data is being stored somewhere. We might say that it is processed automatically and no human has access to it, but when researchers want to verify something, they might be forced to read that personal information, and authorities are forced to take a look at suspicious content, and this collection puts our privacy at risk. Because models rely on AI and Machine Learning, normally they won’t delete data. For these reasons, I call Machine Learning and AI one of the biggest enemies of privacy. It forces researchers to collect a lot of data, but there is not sufficient information about protecting that data. Many people argue that we are doing this to protect users. For example, in spam filtering, we need to collect a big set of emails (but we won’t read them) and mark which email is spam and which is not, and we leave it to users to classify it, and we only care about the text, the count of words and the structure of the text. Those who are experts in security will know that we could easily bypass any email spam filter with our tricks, which I don’t want to explain here, because people might abuse them. Anti-spam can block known spam and spam created by semi-professional security guys, but it is helpless against experts. We are collecting a lot of data, spending so much money on servers to collect and process this data, and spending so much money on universities and researchers to play around with complex math formulas, just to come up with a system which is helpless in front of experts.
Some people argue that we have other methods and other ways of protection, and that not everything is based on AI and Machine Learning, which is true. But what we would like to ask is: why are we spending so much on this? We might deal with the problem of spam through criminal intelligence analysis, policy data center, and monitoring and response teams. These methods are a lot cheaper and more efficient. Of course we need to spend some money to enhance them, but once we reach the right place, we can use them to combat cybercrime. When we talk with those who call themselves security experts in universities, they always say, sorry, we only care about Machine Learning (because they only care about publication and not national or international security in cyberspace). When we talk with experts in criminology, they say it is an interesting topic, but we only care about law and legal issues. So we are collecting so much data and spending so much money for unreliable systems.

There is no need to collect so much information, and even if there is a need to collect it, there is no need to keep that information forever. These privacy problems arose because everyone forced themselves into Machine Learning and AI. If they thought about something else, or let others investigate in these areas, we could protect the privacy of our users and enhance their security. As has already been mentioned, policy management is the recommended solution, and there is no need to collect so much data; even if we do, we could delete it later or let users control their data instead of collecting it. For these reasons, I am asking cybersecurity experts to move away from Machine Learning and AI (I don’t say everyone should leave it, but we need people to think in a different direction). Universities should open their doors to young people who love cybersecurity but prefer methods without mathematics and AI. Professors don’t understand these methods, and they force everyone to follow the AI direction, and this puts our privacy at risk. We need to open new doors to develop expertise in policy management, rather than unreliable math formulas and forcing people to use AI.

 

Why Is Data Being Collected in Windows 10?

There are many discussions about privacy issues with Windows 10, with people claiming that by installing Windows 10 you let Microsoft steal your data and hand it over to the National Security Agency and the U.S. government. It also gives an opportunity to Linux fans, who post articles saying that if you want privacy, you had better use Linux. In this post, these issues will be analyzed. I would like to start with the story of why companies or governments need to collect data. Let’s go back to the time when computers and the internet didn’t exist. In those times governments still collected data, on paper. When a new baby was born in a hospital, his or her parents needed to fill in a form including the place of birth, parents, given name, national ID number and so on. All of this was on a piece of paper (before computers and IT came into the picture), and our government would have access to this data. That way, they knew who the citizens of the country were, so they could grant them special benefits which weren’t available to people who weren’t citizens, and if someone was born in a country but didn’t have a national card, they would ask for one. At some point in life, people must share some data with governments. Then another scenario came into the picture, when people wanted to travel to another country and stay there for a longer time. At this point diplomacy came into the picture and passports were created. In this case, when you wanted to enter another country, you had to share some details about yourself, like place of birth, date of birth, passport number and so on. If you were required to get a visa, you needed to share more data with the embassy of the foreign country. It makes life a bit difficult for many citizens (and people are still suffering because of diplomatic conflicts). Therefore, new systems came into place, where governments could share data easily through fast and secure diplomacy protocols.
Consider the Schengen system, for example: countries under the Schengen agreement get special cards for their citizens, who can use them to travel across other countries’ borders. No one asks you any questions or asks you to submit tons of documents to embassies so they can figure out whether to grant you a visa or not. Why? Because whenever there is a problem, they just take your ID card and run it through the IT system; they will know whether you are a legal traveler, and in case of crime, they can quickly investigate all your criminal activities across the Schengen area. Europol is doing a great job of providing powerful IT infrastructure. And if you are able to travel across countries without standing in long lines for an interview and a visa, it is because your governments are doing a great job in diplomacy by protecting national security and sharing data when needed, and it is all thanks to IT.

When we talk about privacy, it means we are sharing data so that a system gives us certain benefits, they are protecting our data, and there are certain rules; if we break those rules, then we are in trouble. For example, when you communicate through your mobile phone, your telecommunication company has the ability to trace your location, but they never do it unless you are wanted by the police or legal authorities or you are a threat to your country. If you are not breaking any law and you are not on a watch list, then nobody will trace you. Even if you are living in a non-digital environment, so you don’t have any phone or communication devices, governments can still collect data through your friends or by sending someone to watch you. They will do their job, but with different methods.

Microsoft, like all other companies, does collect some data, and all of this is discussed in the Privacy Statement. And all the data there is being collected to help users. For example, consider the case of Windows Update: they need to collect data like which version of Windows you are using and which updates have been installed so far. If this mechanism were not in place, Microsoft would need to release all updates for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and so on to everyone. Whether you got your PC today and need to install tons of updates, or you just checked for updates yesterday, you would get gigabytes of updates, and many of those updates would fail. Therefore, you need to share this data with an automated server, and it will offer you the updates you need. In government agencies, and where privacy is the main concern, they have a local deployment of updates, so when a new update is released, they test it to make sure it is safe, their IT admin checks the systems to see which versions of Windows are there and which updates they need, and then deploys those updates. So they don’t share data with Microsoft, and this data is shared with their internal server. If they need their own private email server, they won’t set up Office365; they create their own email storage and use Exchange Server, OneDrive for Business and other private cloud services.

At a higher level, governments also get involved. For example, in the European Union, data from citizens of these countries is kept on a server inside the EU, so even if the U.S. government wants to access the data of any European citizen, they need to ask permission from the EU government, and those governments protect people’s privacy. The same scenario applies to Linux: it also collects data, for example to check for updates, and there are several things which it won’t collect, because it doesn’t provide the private services that Microsoft provides to users. For example, when an error is detected in Windows, it asks users to send more data anonymously, so people in the Windows team can investigate the problem and release a fix for it. And you can disable this feature. In Linux, you need to share your error on a public forum and keep sharing it with everyone, and maybe you find some fix or you are forced to reinstall. In addition, if the U.S. government wants to access your Linux PC, do you think that is a difficult task for them? Several security features in Windows are not available in Linux, and someone with basic hacking knowledge could break into a Linux system easily and collect all the data. Even if you are not connected to the internet, they could send someone to steal your device. You just make things harder for them and yourself, but you won’t stop them.

When it comes to privacy, governments must build powerful regulation to collect and protect data and to build trust between people and government. People should have the right to complain when their privacy is broken and to get a response from the government. It is the job of government to create laws so that data protection and privacy are in place for their people, like Privacy Shield in the EU, which did a great job. Switching to a different operating system and spreading groundless rumors about companies stealing data won’t solve the problem with privacy. We need to come up with some evidence and propose solutions to protect our people’s privacy. If you have knowledge of using Windows, you can take complete control of your privacy and create your own private cloud where no data is shared with Microsoft, but for this you need to purchase your own data center and tools and spend more time on it. You would actually be doing a job which Microsoft is doing for you as part of the Windows warranty.

 

Hacking Cars!

Computer technology came to car manufacturers and makes our life better. A central computer can play video, monitor activity in the fuel system and so on. Then communication came into place, when we could connect our mobile device to a car and then view SMS, play music and even answer calls. As we go forward, these technologies are getting smarter. For example, HERE proposes a way to have a better life with cars, by monitoring traffic, seeing which places are prone to damage your car, and finding places to park. I strongly recommend you visit the demos on the HERE website. Going forward, cars are getting smarter thanks to IoT. It is actually a good thing, because soon we will have cars that drive us, and our government will have better data to create rules and monitor the situation. So next time your car breaks down, you just need to press a button and it automatically logs the problem and requests service at your location. You don’t need to call a number, share several pieces of information, send your location and explain what happened. As we move our cars onto the internet, it brings new risks too. What if someone hacked into our cars and performed malicious actions and intentionally broke down our cars, or even damaged the braking system and caused injury and, in the worst case, death? There are proofs of concept for hacking cars out there, and it is a challenge for car manufacturers to keep their consumers safe in internet-connected cars. As for why this problem started in the first place, we could classify the causes of car hacking into the following categories:

Lack of expertise: Just because someone can connect to the internet and write a bit of Python code doesn’t make him or her an expert in the field of cybersecurity. The problem arises when people from other backgrounds, like mechanical engineering, physics and electronics, design a system which requires expertise in software engineering and computer security. Building a safe car which keeps passengers safe in an accident is not the same as building a car that protects them against hackers.

Requirement Changed but Design Method Doesn’t: When they design cars, they care about the safety of the car and protecting passengers in an accident, and they calculate possibilities to protect passengers against failure of the brake system. But when they connect cars to other devices and even the internet, they just perform a basic security test and create a system which just works. There is no regular update or emergency response to cyber-threats for internet-connected cars yet.

Lack of Threat Modeling: They will investigate and create a system which is safe by design, but no model has been proposed to simulate attack scenarios against cars. The closest model would be Microsoft Threat Modeling, but they do not even use it.

To overcome these problems and build safe internet-connected cars, car makers should hire people with expertise in cybersecurity to work with the car manufacturer’s designers. They should create new test cases to evaluate the safety of the car from both a physical security and a cybersecurity perspective. A special team should be there to continually evaluate and respond to threats targeting cars which are connected to the internet. In a new design, risks related to cyberattacks must be identified and prioritized, and methods to mitigate and defend against them should be defined. A new model should be created to define attacks and propose defenses, and also to create a cycle to identify new threats and combat them regularly. Updates should also be applied to cars without harming the user experience. Updates could also be installed during regular PC maintenance.

In conclusion, internet-connected cars are a new opportunity, and if they are designed well, they could even prevent deaths and accidents. Just imagine that the majority of cars in your city are internet connected: when you are too close to another car, your car will automatically detect it and press the brake. But if the risks of cyberattacks targeting these cars are not identified and mitigated properly, it would create a greater risk. Therefore, we need to identify them and prepare ways to protect ourselves against them.