Microsoft-Windows-Red-Team

THE ELITE MICROSOFT HACKER TEAM THAT KEEPS WINDOWS PCS SAFE

One of them jailbroke Nintendo handhelds in a former life. Another has more than one zero-day exploit to his name. A third signed on just prior to the devastating Shadow Brokers leak. These are a few of the members of the Windows red team, a group of hackers inside Microsoft who spend their days finding holes in the world’s most popular operating system. Without them, you’d be toast.

Many companies have a red team, or several, and they generally share the same purpose—to play the role of an attacker, probing releases new and old for vulnerabilities, hoping to catch bugs before the bad guys do. Few of them, though, focus on a target as ubiquitous as Windows, an operating system that still boasts nearly 90 percent market share for laptop and desktop computers worldwide. When Windows breaks, the whole world hears the shatter.

Putting It Together

The Windows red team didn’t exist four years ago. That’s around the time that David Weston, who currently leads the crew as principal security group manager for Windows, made his pitch for Microsoft to rethink how it handled the security of its marquee product.

“Most of our hardening of the Windows operating system in previous generations was: Wait for a big attack to happen, or wait for someone to tell us about a new technique, and then spend some time trying to fix that,” Weston says. “Obviously that’s not ideal when the stakes are very high.”

Weston wanted to go beyond Microsoft’s historical mode of using bug bounties and community relationships to formulate a defense. He was tired of the reactive crouch, of responding to known issues rather than discovering new ones. He wanted to play some offense.

Drawing inspiration from his experience with whitehat hackers at events like Pwn2Own—and tired of waiting until the competition ended to glean valuable insights into Windows vulnerabilities—Weston began putting together a team that would essentially conduct a Windows-focused hacking contest every day of the year.

You can only scan for problems you already know about. A red team finds the ones you don’t.

Today, members of that team include Jordan Rabet, whom David noticed after Rabet showed off an impressive Nintendo 3DS jailbreak in a 2014 YouTube video. Rabet currently focuses on browser security but also played a key role in Microsoft’s response to the Spectre vulnerability that rocked the computer industry less than a year ago.

Viktor Brange, who lives in Sweden, helped respond to the leaked NSA Windows-hacking tool EternalBlue by sifting through Microsoft’s code base, ascertaining the severity of various issues to triage. Adam Zabrocki’s deep Linux experience helps tackle kernel and virtualization issues. Jasika Bawa helps transform the team’s findings into actual product improvements. And two other members of the team WIRED spoke with for this story do sensitive enough work that they requested anonymity.

Together, the red teamers spend their days attacking Windows. Every year, they develop a zero-day exploit to test their defensive blue-team counterparts. And when emergencies like Spectre or EternalBlue happen, they’re among the first to get the call.

Code Red

Again, red teams aren’t novel; companies that can afford them—and that are aware they could be targeted—tend to use them. If anything, it may come as a surprise that Microsoft hadn’t sicced one on Windows until so recently. Microsoft as a company already had several other red teams in place by the time Weston built one for Windows, though those focused more on operational issues like unpatched machines.

“Windows is still the central repository of malware and exploits. Practically, there’s so much business done around the world on Windows. The attacker mentality is to get the biggest return on investment in what you develop in terms of code and exploits,” says Aaron Lint, who regularly works with red teams in his role as chief scientist at application protection provider Arxan. “Windows is the obvious target.”

Source: Wired

browsing the web

Avoid Getting Tracked as You Browse the Web

As privacy barriers have gradually been eroded online, it’s become harder and harder to keep control over what you’re revealing to the websites you visit when you open up a web browser. For many users now, revealing who you are is just an inevitable consequence of being on the web and using apps, but if you want to tighten the reins on where your data’s going, you do have some options.

Privacy tools

Starting with data reported to sites by your browser, a plugin or extension is probably your best bet for stopping data from leaking out. Try NoScript Security Suite for Firefox or ScriptSafe for Chrome, which prevent active items on websites from running when you don’t want them to. Other good options include the Electronic Frontier Foundation’s Privacy Badger, which blocks third-party tracking cookies while allowing useful ones, like those that record your login state, to continue operating, and Disconnect, which offers free add-ons that work in a similar way.

Ghostery

We also like Ghostery, a privacy extension available for Chrome, Firefox, Opera, and Microsoft Edge. Like Privacy Badger and Disconnect, it stops cross-site, third-party trackers from running, and you can actually see a list of trackers on each site and choose to block or allow them as needed.

Built-in browser options

For more cookie settings beyond the extensions we’ve mentioned, head into your browser’s settings page. One of the settings will refer to Do Not Track, an agreed-upon protocol that automatically asks sites to not run any scripts designed to track your behavior. It sounds like a perfect solution in theory, but there’s no legal obligation for websites to honor the request, and many will just ignore it.

Opening up an incognito or private window can help. In these cases cookies are only kept for the current browsing session, so as soon as you close down the incognito window, they get erased from your system. From the perspective of the browser, it’s as if you were never online at all.

On the other hand, incognito mode doesn’t stop websites and ISPs from knowing you’re online. You’re still broadcasting your IP address, for example. And, of course, if you log into Facebook (or anywhere else) all the usual rules about tracking and data collection still apply. It’s best to think about incognito mode as hiding your browsing activity on your local device rather than adding any extra anonymity to your online travels.

Dial back tracking on services

Finally, there are the data-privacy options inside the services you use, which are worth reviewing. By visiting your ad preferences page on Facebook, you can limit the ways in which Facebook can target you, both on and off the social network.

Google offers a similar account page where you can do everything from opting-out of seeing personalized ads to deleting all of the searches you’ve ever made through Google.

Using as few apps as possible and registering for as few websites as possible obviously reduces the exposure of your personal information. But even if you’re aware of and activate all of these options, staying anonymous on the web is becoming an ever-more challenging task.

Setting up a VPN or DNS service

Installing a VPN (Virtual Private Network) will cloak certain bits of identifiable information, such as your current physical location. You should only install a VPN once you’re completely sure about what it does and doesn’t protect you against—it’s more of a security measure against hackers and eavesdroppers than a cloaking device.

Sign up with a VPN provider (you really need to opt for a paid VPN to be sure it’s reliable), and you’re essentially transferring your trust from your ISP to the VPN company, which can see all the sites you visit and everything you’re doing. Many firms promise to not log this data—but again, it’s a matter of trust.

The websites you visit will see the IP address of the VPN server rather than your actual location, but they’ll still be able to leave cookies on your machine, track you across multiple sites, and know who you are if you log in anywhere. VPNs can be a useful extra step in being less trackable, but don’t rely on them completely to block your personal data leaking out onto the web.

Alongside VPNs are alternative DNS (Domain Name System) providers, like the recently launched Quad9 service. You need a DNS service to direct you to the right place on the web when you type in a URL. By default, your browser will use the one supplied by your ISP, which means it will follow whatever logging and tracking policies your ISP wants.

As with switching VPNs, switching DNS providers isn’t foolproof—you’re just putting your faith in a different company instead of your ISP—but it’s another way of extricating yourself from some of the tracking that’s happening. Quad9 is run by IBM Security and promises not to collect, store, or sell any information related to your browsing habits.

Finally, we’ll quickly mention HTTPS—the secure version of HTTP that encrypts data between you and a website like Facebook or Amazon. Its main benefit is keeping your data safe and hidden between point A and point B, but in terms of tracking, it stops ISPs from collecting quite as much data: They can see that you’re on Amazon, for example, but not what products you’re looking for.

Many sites now use HTTPS by default, particularly those where you’re going to be entering sensitive information like credit card numbers. The HTTPS Everywhere extension from the EFF will force your desktop or mobile browser to always use the HTTPS version of a site, if the website has one available.

Trying to completely block information companies gather on you on the web is very difficult to do, short of quitting all your personalized services and being incredibly careful about how you go online, but the situation isn’t quite hopeless yet. Follow all of the above, and you’ll be off to a good start.

Source: Field Guide & Mozilla

data security

The Importance of Data Security

Why Data Security is of Paramount Importance

Data security is critical for most businesses and even home computer users. Client information, payment information, personal files, bank account details – all of this information can be hard to replace and potentially dangerous if it falls into the wrong hands. Data lost due to disasters such as a flood or fire is crushing, but losing it to hackers or a malware infection can have much greater consequences.

Risk Assessment

· Physical threats such as a fire, power outage, theft or malicious damage

· Human error such as the mistaken processing of information, unintended disposal of data or input errors

· Exploits from corporate espionage and other malicious activity

You can then identify areas of vulnerability and develop strategies for securing your data and information systems. Here are several aspects that need to be considered:

· Just who has access to what data

· Who uses the internet, email systems and how they access it

· Who will be allowed access and who will be restricted

· Whether or not to use passwords and how they will be maintained

· What type of firewalls and anti-malware solutions to put in place

· Properly training the staff and enforcing data security.

After the above analysis, you can then prioritize specific data along with your more critical systems and determine those that require additional security measures. It is also a good idea to lay out a BCP (Business Continuity Plan) so that your staff is still able to work effectively if the systems happen to fail. Company risks and security implementations should be reviewed frequently to support changes such as the growth of your business and other circumstances.

Securing Data

Once you draw up a plan and assess your risks, it is time to put your data security system into action. Since data can be compromised in many ways, the best security against misuse or theft involves a combination of technical measures, physical security and a well-educated staff. You should implement clearly defined policies into your infrastructure and effectively present them to the staff. Here are things that you may do:

· Protect your office or data center with alarms and monitoring systems

· Keep computers and associated components out of public view

· Enforce restrictions on internet access

· Ensure that your anti-malware solution is up to date

· Ensure that your operating system is up to date

· Fight off hacking attacks with intrusion detection technology

· Utilize a protected power supply and backup energy sources

Mobile Data Security

Hand-held devices and laptop computers have become popular in the business environment. However, mobile computers are at a much greater risk of data loss through damage and theft. For this reason, different safeguards need to be implemented in addition to the security measures listed above.

· Regularly back up data on removable media and safely store multiple copies

· Activate password protection whenever the device is left alone

· Never leave the device alone and visible in a vehicle

· Protect the device from physical damage by transporting it in protective casing

Efficient data security involves numerous steps, many of which can be downright time consuming. On the other hand, I am sure you will agree that actually losing this important data could be much worse.

Source: Spam Laws

Password Security

Strong Passwords Are Vital

Passwords are the currency of the Digital Age. People use passwords to log in to email accounts, online games, bank accounts, credit card accounts, online forums, social networking sites, and every other password-protected corner of the Internet. In order to remember and keep track of all the logins of their lives, a lot of people use the same one, two, or three passwords. What’s more, many people use passwords that have very poor password security — names, nicknames, dates of birth, maiden names, and other obvious and predictable information.

These approaches to password security are very risky, because once thieves guess or otherwise gain access to one login, they can usually access many different pieces of victims’ information and wreak havoc on their personal and financial lives.
It’s important to understand that password complexity relates directly to password security. Sophisticated identity thieves use programs that generate passwords using combinations of personal information, such as phone numbers, addresses, family middle names, and more. These programs are capable of many thousands of login attempts per hour.

Since passwords grant access to bank and credit card accounts and a variety of other aspects of people’s lives, the stakes are very high. It’s each person’s responsibility to use a new password for every login and to make sure that each is complex and unique.

Passwords should never include these:

  • Obvious combinations, such as abc123, yournamexyz or yourname1, combinations of addresses and phone numbers, or your mother’s maiden name
  • Any part of the user name with a slight variation for the password
  • The word “password”
  • 123456789 or a similar string of sequential numbers or letters
  • Words in the dictionary that a hacker using a dictionary program can easily hack
  • Any personal information at all

Password guidelines

How can you improve your password complexity to improve your password security? Passwords should always:

  • Be at least six characters long
  • Be unique to each login
  • Be changed at least once a month
  • Contain a mixture of upper- and lowercase letters, numbers, and symbols, such as *, ^, }, |, ), _ and others

There are various methods you can use to create complex passwords that are impossible to guess but relatively easy for you to remember. One approach is to relate one of your favorite songs, poems, or quotes to the website or account in question. For example, if you’re creating a password for your bank account, you might start with the old saying, “A fool and his money are soon parted.” That axiom is too long to use as a password, but you can easily whittle it down to “aF&H$RsP,” for instance, which translates as follows:

  • “a” represents “A”
  • “F” represents “fool” (to add complexity, every second “word” in this password is initial-capped)
  • “&” represents “and” (for obvious reasons)
  • “H” represents “his” (initial-capped)
  • “$” represents “money” (for obvious reasons)
  • “R” represents “are” (and is capitalized as part of the “every second ‘word’ is initial-capped” rule)
  • “s” represents “soon”
  • “P” represents “parted” (initial-capped)

When it comes to password complexity, some people consider this a good rule of thumb: If it’s impossible for you to remember it, then it’s a good password. That rule of thumb, however, flies in the face of a hard-and-fast rule about passwords: Never write them down. Most people break that rule at one time or another, but even if you break it, you should follow this rule: Never store your passwords in an easily accessible location. Don’t leave them on your desktop, don’t tape them to your monitor screen, and don’t keep them in your wallet or purse.

At a time when millions of people become identity theft victims every year, a sober approach to password security and complexity is a big part of preventing identity theft. The very least you can do is make it difficult for others to guess (or find) your passwords.

Source: Identity Hawk

Brian Ruschman

Q&A with Brian Ruschman, President of C-Forward, Inc.

C-Forward is a top-tier managed services provider for manufacturers and non-profits, monitoring and managing a customer’s computer network 24/7, cloud computing and data security while implementing IT solutions.

CEOCFO: Mr. Ruschman, according to your site, C-Forward prides itself on being a top tier managed services provider. How so? What is a top tier provider in your eyes?
Mr. Ruschman: Top tier means providing great customer support, being available when our clients need us. We are a 24/7 company with many clients in manufacturing as well as those operating twenty-four hour businesses. Our ability to proactively support them even in off hours makes us top tier. We have several types of software that are configured to alert and monitor so we can find issues before they become big problems. Usually around the security realm, we have eight or nine tools that we use and always upgrade and change. Making sure a firewall is configured correctly, antivirus is updated and malicious emails don’t make it to a user’s inbox is the first step. More importantly we have found that training users on being aware of incoming email and to question messages and attachments or links is the most important thing to prevent downloading viruses.

CEOCFO: How do you train someone not to fall back on old habits? How do you train someone to not click on everything and not instinctively click when you see something scary?
Mr. Ruschman: We educate on what malicious software that hackers employ and the newest tricks that are being used. If you do not think you have a UPS package coming to you or if you do not do business with a certain company, or if the FBI or IRS has randomly contacted you, chances are, it is not a legitimate request. We deploy software for our clients that sends fake Emails and reports back who clicks on the links. The purpose is to discover the habitual offenders who aren’t stopping to think before clicking on an attachment. In an organization with 100 people, if we have three or four people that click on every one of those fake messages that we send them, we have a pretty good idea of who needs training. It is not 100% guaranteed but we really do focus on training those specific people about why something they clicked on was a malicious email and how it can cause infections to be downloaded onto the network.

CEOCFO: You mentioned manufacturing companies and 24/7 businesses. Was that a focus from day one or did it develop opportunistically for those types of businesses?
Mr. Ruschman: It developed opportunistically. We still do not focus on any one vertical. We have earned a great deal of our business by word-of-mouth referrals. We supply great support and solutions for a company in manufacturing as well as in the non-profit world. These CEOs and Executive Directors then talk to their friends who are in the same industry. We were founded 20 years ago by our Chairman of the Board, Brent Cooper, with a philanthropic mindset. Naturally, we were a great fit to non-profit organizations, who are prominent in the community. We supported their organizations’ internal networks and, in turn, also supported their fundraising efforts by giving back to the community. We provided terrific support and our name got out in the community. Our clients tend to tell their friends and their friends begin to work with us. We have historically done very little marketing outside of sponsoring our clients’ events.

CEOCFO: What is your geographic range?
Mr. Ruschman: We support clients nationally. Our local headquarters are in Covington which supports Greater Cincinnati and then an office in Lexington supporting Central Kentucky. Some clients have their headquarters in Cincinnati but we support their branch offices in other states as far as Texas, Florida and New Jersey. However, ninety percent of our business is within the greater Cincinnati area but is continually growing in Lexington and Louisville.

CEOCFO: Do you do much on premise these days?
Mr. Ruschman: Almost all work that we do on premise at this point is proactive work. We visit our clients at least once a quarter (sometimes once a month) and review their infrastructure, making sure things in the networking closets and all onsite hardware is operational and running well. A good deal of our work is done remotely. We have one employee that does 100% of her job from Baltimore. When our Lexington technicians are not going on site to clients in central Kentucky, they are assisting clients that reside closer to Covington. We open, work on and close 60-70% of our tickets proactively, without involving our client at all. For example, we may get an alert that a backup didn’t complete successfully. We would work the solution and fix it without our client ever knowing that it failed. There are a lot of tools now that were not available three years ago that allow us to do that. Our client gets a notification that a ticket was open and then closed with notes on what we fixed, but other than that, they do not even know that we worked on it.

CEOCFO: Do many of your clients want to know what you are doing; do they care as long as everything is running well?
Mr. Ruschman: They typically do not care. We promote ourselves as their IT department. We are going to be proactive and stay on top of things. We want our client’s IT to be an afterthought, we want computers to work and we want them to be able to do their job. Our goal is not to spend hours on the phone with clients trying to fix an issue. We have proactive software in place to avoid that situation. We put duplication efforts in place for firewalls and routers and with multiple datacenters for backup.

CEOCFO: How do you stay on top and ahead of the curve on things like security? How do you know what is right for any given customer?
Mr. Ruschman: You have to stay on top of it because it changes all the time. I go to five or six conferences a year to learn about the solutions that are available and I learn from different software vendors on their newest updates. When I return, our management team and I go over what we have and we determine if a different, newer solution would be a better fit for what we need to accomplish. Allowing us to be more proactive and security-focused is normally what would have us make a change to a new product. We are a Managed Services Provider, we have a security package and our clients use all services that we offer. We do not granularly offer them certain things. It helps our technicians know what is in place and we use the same tools for all 150 of our clients right now. It has streamlined everything that we do.

CEOCFO: What has changed at C-Forward since you became president in August?
Mr. Ruschman: I have focused on streamlining our efforts to be a complete Managed Services Provider. We have eliminated or upgraded existing clients and situations that were not very successful for us. We want our clients to be happy and we discovered that the unhappy clients were the ones that still utilized us at an hourly rate and called us when they had issues. They were not getting proactive support, not using the tools that we recommend and they were not on our managed services plan. One big change is that we no longer offer hourly rates or block time. We had to realize that our model was not going to work for everybody, but we promote how they can now budget and know exactly what they are going to spend each month. Our clients had to decide what was best for their business. It is my job to sell the value in having a 24/7 reliable helpdesk to work on their network and finding issues before they become big problems; allowing their workforce to continue their jobs with little to no downtime. It is a business decision on their end and on our end. Some clients stayed and others left but it was handled professionally so there were no breaks in service for anyone.

CEOCFO: Are you doing things like cabling and offering staffing for all of your clients or is that as requested?
Mr. Ruschman: We employ cabling specialists in-house and have many projects going on right now with new and old construction. Projects range from one or two new cables to large, new buildings that may involve hundreds of hours to complete. There are some clients that we provide staffing for eight hours a day onsite. That is an option for some larger companies that need the onsite presence and knowledge of an IT team.

CEOCFO: What do you look for in your people?
Mr. Ruschman: You have to have personality. In our field, being able to have a discussion with someone who is not technical and being able to relay information so people can understand it, is very important. Technicians can sometimes do that and sometimes they can’t. The other important attribute is to have a proactive mindset of support; being able to make suggestions when a light is blinking red and not just ignoring it for the next guy. Walking into a building, fixing the issue and leaving does not cut it. We have “proactive” in our tagline for a reason and that is why. We stress that it is important to “see something and say something.”

CEOCFO: What is next for C-Forward?
Mr. Ruschman: It is expansion into new cities. We expanded into Lexington last year and currently have six clients with three employees. Coincidentally, all of the clients in Lexington also have offices in Louisville, so that will be our next move. Dayton and Columbus also make sense. Up until now, we have never grown by acquisition and I envision that to remain the same. We have had slow and steady growth over twenty years and we intend to maintain that. We are at a point now where we are very confident in what we are selling and where we are going. It took us some time to get here, but the management team has worked together over the last four or five years with a franchise-type mentality. Anyone we trust would be able to open an office by mirroring our current operations. We have studied and researched as to why we do what we do and I think expanding for those reasons is going to be a lot simpler in the future.

Source: Lynn Fosse, Senior Editor, CEOCFO Magazine