Feb 03 2015

Configuring Two-Factor Authentication for Web (Cloud) Services

Don’t want your web (cloud) account password to get hacked?
Enable Two-Factor Authentication (aka two-step verification)!

Google Account:

  • Visit this site and follow the instructions to configure your cell phone as a second factor

Whenever you sign in to Google, you’ll enter your password as usual.

Then, a code will be sent to your phone via text, voice call, or our mobile app. Or, if you have a Security Key, you can insert it into your computer’s USB port.

Twitter:

  • Follow the instructions here.
  1. Visit your account settings page.
  2. Select “Require a verification code when I sign in.”
  3. Click on the link to “add a phone” and follow the prompts.
  4. After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com.

 

Office 365:

Multi-factor authentication increases the security of user logins for cloud services above and beyond just a password. With Multi-Factor Authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

Multi-factor authentication has been available for Office 365 administrative roles since June 2013, and today we’re extending this capability to any Office 365 user. We’re also enhancing the capabilities that have been available since June. We’re adding App Passwords for users so they can authenticate from Office desktop applications as these are not yet updated to enable multi-factor authentication. And we’re enabling users who are authenticated from a federated on-premises directory to be enabled for multi-factor authentication.

This addition of multi-factor authentication is part of our ongoing effort to enhance security for Office 365, and we’re already working on Office desktop application improvements to Multi-Factor Authentication for Office 365, which we’ll introduce later in this post. Office 365 offers many robust built-in security features for all customers and also optional controls that enable subscribers to customize their security preferences. More information about security in Office 365 is available in the Office 365 Trust Center.

 

Microsoft Account:

Two-step verification uses two ways to verify your identity whenever you sign in to your Microsoft account:

  • Your password

  • An extra security code

Two-step verification helps protect your account by making it more difficult for a hacker to sign in, even if they’ve somehow learned your password. If you turn on two-step verification, you’ll see an extra page every time you sign in on a device that isn’t trusted. The extra page prompts you to enter a security code to sign in. We can send a new security code to your phone or your alternate email address, or you can obtain one through an authenticator app on your smartphone.

Continue reading

Jan 29 2015

ShmooCon 2015 Presentation Videos

ShmooCon2015 was held in Washington, DC from January 16th -18th, 2015.
The ShmooCon 2015 videos are now posted: https://archive.org/details/shmoocon-2015-videos-playlist

ShmooCon 2015 FireTalks Videos

The complete list of all presentations at ShmooCon 2015 including video download links:

  • Keynote Address: Joseph Lorenzo Hall
    https://archive.org/download/shmoocon-2015-videos-playlist/Keynote%20%5BSC2015%5D.mp4Joseph Lorenzo Hall is the Chief Technologist at the Center for Democracy & Technology, a Washington, DC-based non-profit organization dedicated to ensuring the internet remains open, innovative and free. Hall’s work focuses on the intersection of technology, law, and policy, working carefully to ensure that technology and technical considerations are appropriately embedded into legal and policy instruments. Supporting work across all of CDT’s programmatic areas, Hall provides substantive technical expertise to CDT’s programs, and interfaces externally with CDT supporters, stakeholders, academics, and technologists.

Continue reading

Jan 27 2015

Enabling Windows 8 Hyper-V for a Portable Lab

Installing Hyper-V:

  • Requirement: Windows 8 Pro or Windows 8 Enterprise which include Client Hyper-V.
  • Requirement: Your computer processor must support virtualization technology (VT), though most processors in the past 5 years support VT (pretty much all Intel i-series processors, i3, i5, i7).
  • Enable virtualization technology (VT) on your computer’s processor by editing the BIOS settings at boot-up (many computer BIOS have VT disabled).
  • Open the Start Screen, also referred to as Metro, (press the Windows Key) and search for “Windows Feature”. Open “Turn Windows Features on or off” and scroll down to “Hyper-V”.
  • Expand and Check the box next to Hyper-V. Ensure there is a check box. If there isn’t processor visualization technology, you won’t be able to check the box and enable install of “Hyper-V Platform”.
  • Restart the computer when prompted.

Note: It can take a while for Hyper-V to install – expect it to take 30 – 45 minutes.

 

Jan 23 2015

Shmoocon 2015 FireTalks Videos

The ShmooCon 2015 Presentation Videos are posted.

The ShmooCon Firetalks (2015) are posted:

Videos courtesy of IronGeek.com (Adrian Crenshaw)

Jan 22 2015

Group Policy Settings Reference for Windows 8.1 and Windows Server 2012 R2

 

These spreadsheets list the policy settings for computer and user configurations that are included in the Administrative template files delivered with the Windows operating systems specified. You can configure these policy settings when you edit Group Policy Objects.

The Group Policy Settings reference for Windows & Windows Server can be downloaded here.

Here are the key new Windows 8.1 & Windows Server 2012 R2 Group Policy Settings:
Continue reading

Jan 19 2015

Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest

Once an attacker has gained Domain Admin rights to your Active Directory environment, there are several methods for keeping privileged access. Skeleton Key is an ideal persistence method for the modern attacker. More information on Skeleton Key is in my earlier post.

Note that the behavior documented in this post was observed in a lab environment using the version of Mimikatz shown in the screenshot. There are likely differences in the Skeleton Key malware documented by Dell SecureWorks and the Mimikatz skeleton key functionality. Mimikatz effectively “patches” LSASS to enable use of a master password with any valid domain user. Rebooting the DC refreshes the memory which removes the “patch”.

Implanting the Mimikatz Skeleton Key on one or multiple Domain Controllers:

Mimikatz can now inject a skeleton key into LSASS on the Domain Controller by running the following command on the DC:

mimikatz.exe “privilege::debug” “misc::skeleton” exit

Mimikatz-Skeleton-Implant

When there are multiple Domain Controllers in an Active Directory site, all of them need the Skeleton Key implant to ensure the skeleton key master password is accepted as the user’s valid password.. Since the client discovers a Domain Controller using DCLocator, the DC the client selects is effectively random. If all the DCs don’t have skeleton key configured, the master password won’t work when the client authenticates to a DC without skeleton key.

Scenario:

Continue reading

Jan 16 2015

Active Directory Domain Controller Skeleton Key Malware & Mimikatz

Dell SecureWorks posted about the Skeleton Key malware discovered at a customer site.

The Skeleton Key malware is installed on one or multiple Domain Controllers running a supported 64bit OS.
The malware “patches” the security system enabling a new master password to be accepted for any domain user, including admins.

This enables the attacker to logon as any user they want with the master password (skeleton key) configured in the malware.
“Joe User” logs in using his usual password with no changes to his account.  The attacker can log in as Joe using the skeleton key password and it is seen as a valid logon…

Key Points:

  • Requires domain-level admin rights (and debug rights which admins have by default) to “patch” LSASS on a Domain Controller.
  • All existing user account passwords continue working as normal.
  • Adds a new password that enables the attacker to log on as any user with this password – this is the “skeleton key”.
  • Active Directory Domain Controllers may experience replication issues.
  • User accounts that require a smart card for authentication are not affected.
  • The Skeleton Key malware currently doesn’t remain active after a reboot – rebooting the DCs removes the in-memory patch. Note that DCs are typically only rebooted about once a month.
  • The Skeleton Key malware only works on the following 64-bit systems: Windows Server 2008, Windows Server 2008 R2, and Windows Server 2003 R2.
  • Performs Kerberos encryption downgrade to RC4_HMAC_MD5
  • Mimikatz now has skeleton key functionality and seems to work on all versions of Windows Server…
  • Protect your Active Directory admin accounts and don’t let untrusted code run on Domain Controllers.

Skeleton Key Malware Actions:

Continue reading

Jan 14 2015

Windows Server 2012 & Windows Server 2012 R2 Complete Documentation

Microsoft took all the Windows Server 2012 (& 2012 R2) documentation and posted it as a single PDF!

Version: 1.0
File Name:  WS12_R2_and_WS12_TechNet.pdf
Date Published: 2/18/2014
File Size: 125.9 MB

This download is an Adobe® PDF of the entire contents of the Windows Server 2012 R2 and Windows Server 2012 section of the Microsoft TechNet Library, for the convenience of Windows Server users who have limited Internet access, or require a portable version of the Windows Server 2012 R2 and Windows Server 2012 documentation.

The PDF is 8,709 pages in length.

Highlights of the PDF include the following.
What’s New in Windows Server 2012 R2
What’s New in Windows Server 2012
Technical Scenarios
Install and Deploy Windows Server
Migrate Roles and Features to Windows Server
Secure Windows Server
Manage Privacy in Windows Server
Support and Troubleshoot Windows Server
Server Roles and Technologies
Management and Tools for Windows Server

Download Link:
http://www.microsoft.com/en-us/download/details.aspx?id=41182

 

 

Jan 13 2015

“Hacker” Movies to Watch before the Blackhat Movie

Over the years, there have been lots of “hacker” movies of varying quality.

Here are some good ones to watch before the movie “Blackhat” is out starring Chris Hemsworth. My favorites in bold.

Bonus:
Movie code tumblr

Blackhat-trailer-movie-code-screenshot

HACK THE PLANET!

Jan 07 2015

PowerShell Security: Execution Policy is Not An Effective Security Strategy – How to Bypass the PowerShell Execution Policy

If you have worked with PowerShell recently, you may have run into an Execution Policy message:

c:\temp\Find-PSServiceAccounts.ps1 : File C:\temp\Find-PSServiceAccounts.ps1 cannot be loaded because running scripts
is disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ c:\temp\Find-PSServiceAccounts.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess

It’s likely that Microsoft was concerned about another scripting environment where scripts run automatically without built-in controls.
However, any teeth the PowerShell execution policy may have had was significantly reduced during the development process.

From Microsoft TechNet:

It may seem odd to permit users to override an administrator-established value for the execution policy, but remember that the execution policy is intended to help stop unintended script execution. It is not intended to stop skilled users from executing scripts at all, merely to ensure that they do not do so without knowing what they are doing.

The result of this is that the Execution Policy does not provide effective security against a determined attacker with access to computers on your network.

Microsoft TechNet decribes the different options for the PowerShell Execution Policy:

The following execution policies govern scripting in Windows PowerShell:

  • Restricted. Permits interactive commands only (no scripts). This is the default.
  • AllSigned. Permits scripts, but requires a digital signature from a trusted publisher for all scripts and configuration files, including scripts that you write on the local computer.
  • RemoteSigned. Permits scripts, but requires a digital signature from a trusted publisher for all scripts and configuration files that are downloaded from the Internet, including e-mail. A digital signature is not required for scripts that you create on the local computer.
  • Unrestricted. Permits scripts, including unsigned scripts.

By default, the PowerShell exeuction policy is set to Restricted which means no script will run. Technically this is true, but it is trivial to bypass this “protection”.
Continue reading

Load more