Mitigating Credential Theft using the Windows 10 Isolated User Mode

In this video Seth Juarez interviews Seth Moore who describes another benefit of the Windows 10 Isolated User Mode, credential theft mitigation.

He first describes the kinds of credentials that can be stolen and how a hacker gains access to them. He then describes how the Windows 10 Isolated User Mode prevents the typical techniques from ever working. It is truly a fascinating look at how the Windows kernel group is continuing to innovate in order to protect us from being compromised. The best part for me is how hesitant Seth was to declare victory when it comes to having a bullet-proof system: this kind of attitude shows the level of vigilance the operating system folks have when it comes to securing our computing environments.

You can access the video page directly here:
https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode

Thanks to Seth Juarez, Seth Moore and everyone else involved.

Enjoy.


Windows 10 Security with Isolated User Mode Processes and Features

I stumbled across these videos by Seth Juarez the other day, which explain the detail around Isolated User Mode and security improvements in Windows 10. There is a lot of talk about privacy and ‘telemetry’ in relation to Windows 10, however there is a bigger picture. This should make an interesting watch for those interested in security, Windows 10, Kernel security etc.

Interesting stuff on the client side, e.g. lsass.exe now paired with LsaIso.exe / Credential Guard (more on this another day), and on the server side, e.g. the vTPM.

Thanks to Microsoft, these videos are great.

Video 1: Isolated User Mode in Windows 10 with Dave Probert
Dave Probert, Windows kernel developer, on protecting ourselves from kernel exploits. The solution he lays out forms part of Windows 10 and lays the foundation for future developments.

Video 2: Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel
Logan Gabriel, Senior Security Engineer, discusses the processes and features that come in Windows 10 due to Isolated User Mode.

Video 3: More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert
Dave Probert, Windows kernel developer, describes how lsass.exe (Local Security Authority Subsystem Service) can have a separate process LsaIso.exe (aka ‘Credential Guard’) to hold secrets within Secure Mode, then more on trustlets.

You can access the video pages directly here:
Video 1: Isolated User Mode in Windows 10 with Dave Probert
Video 2: Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel
Video 3: More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert

Thanks to Seth Juarez, Dave Probert, Logan Gabriel and everyone else involved.

Enjoy.


Spinrite and the Humax DTR-T1000 YouView HD Digital TV Recorder

I purchased Spinrite some time ago and have used it a couple of times over the years, but never had any real big success story; equally, I have never had any really problematic drive.

The Humax DTR-T1000 YouView HD Digital TV Recorder in the living room started to play up. It was now out of warranty, so I decided it was time to remove the cover. Following the removal of three standard screws, the cover came off easily.

Humax DTR-T1000 YouView HD Digital TV Recorder Partial Teardown

I removed the drive caddy from the main chassis, then the standard Seagate 500GB SATA Hard Disk and connected it up to a PC as the only hard disk, booted and set the BIOS to ‘auto’ for the SATA interface. I let the system boot from the Spinrite CD, and set Spinrite to work at Level 2 – Recover unreadable data.

Off to bed, leaving Spinrite to do its magic on the 500GB. The next morning Spinrite was still going so despite the moaning I was subjected to about the lack of TV in the house, I left it to run.

Spinrite Status on DTR-T1000

Spinrite was still running the following evening (24 hours on), I glanced through the screens and decided to leave it to do its work. DVD tonight I thought, that will give it till this time tomorrow to complete, a good 48 hours.

Spinrite Detailed Technical Status on DTR-T1000

Spinrite completed after 3 days, 22 hours and 19 minutes. I reconnected the drive, noted the internal fan appeared to have failed (maybe the cause of these issues…?) and connected it back up to the TV.

On came the box, and it booted successfully. All recordings were then available and the Humax DTR-T1000 YouView HD Digital TV Recorder functioned correctly. I did have a couple of recordings with issues, presumably due to unrecoverable sectors; however, these recordings were still on the whole watchable, and once deleted, the issue was behind me.

For more about Spinrite, see: https://www.grc.com/sr/spinrite.htm


Alfa 9dBi WiFi SMA OMNI-Directional Antenna Teardown

One of the Alfa 9dBi WiFi antennas reached the end of its usable life. Not wanting to miss the opportunity, here is a teardown photo of its internals, just for the fun of it.

Alfa 9dBi WiFi SMA OMNI-Directional Antenna Teardown

If you would like to boost your wireless, here is an Amazon link:
Alfa 9Dbi Wifi Booster Sma Omni-Directional High-Gain Screw-On Swivel Antenna With Magnetic Base

#whynot


Outlook 2010: cannot open your default e-mail folders

Today I had to resolve a problem with Outlook 2010 not starting. The user was greeted with the message:
“Cannot open your default e-mail folders. The information store could not be opened.”

I found the Outlook.exe file was in XP compatibility mode.

To check:
1. Open My Computer and navigate to C:\Program Files\Microsoft Office\Office X\ or, on 64-bit Windows, C:\Program Files (x86)\Microsoft Office\Office X\ (where X is a version number).
2. Right click on Outlook.exe and click on Properties. Click on the ‘Compatibility’ tab and uncheck any compatibility mode options.
3. Retry.

Hope this helps with your problem.


Ubuntu Apache New Website (in 10 seconds)

Install the required components to host the site, e.g. a LAMP stack (Linux, Apache, MySQL and PHP). Update the Ubuntu server and install LAMP:

$ sudo apt-get update
$ sudo apt-get install lamp-server^

Now we need to clone the default site config file and customise it to our requirements. Once that's done, enable the site with a2ensite and restart Apache:

$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/mysite.com.conf
$ sudo vim /etc/apache2/sites-available/mysite.com.conf
$ sudo a2ensite mysite.com
$ sudo service apache2 restart

Basic web server backup script – MySQL and Apache

I was working on a dedicated server the other day and needed a quick script to back up the website and the MySQL database. The following bash script will do just that. Simply modify the directory paths within the tar command to ensure every folder you need is included; the MySQL command assumes all databases need to be backed up and that it should run as root.

In an ideal world you should modify this script to run within the context of a dedicated backup account.

#!/bin/bash
# quickbackup.sh - R. Jervis - Quick (sample) webserver backup script
set -e

# One timestamp for both files, so a run's dump and archive match up
STAMP=$(date '+%Y-%m-%d_%H-%M-%S')

cd /backup
# -p with no value prompts for the MySQL root password interactively
mysqldump -u root -p --all-databases > "dump-$STAMP.sql"
tar -cvzf "backup-$STAMP.tar.gz" /var/www/html/ /etc/apache2/ /etc/ssl/ /etc/php5/
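The "dedicated backup account" version the post mentions, as an added example (not the post's own script): credentials come from a private defaults file rather than the command line or a prompt, the run refuses to start if that file is readable by others, dumps are written owner-only, and old runs are pruned. The OS/MySQL user "backup" and the file /etc/mysql/backup.cnf are assumed names.

```shell
#!/bin/bash
# Hardened variant of the quick backup script (added example, not the post's own).
# Assumes a dedicated OS account "backup" and a MySQL user "backup" whose
# [client] user=/password= lines live in /etc/mysql/backup.cnf (mode 0600).
set -eu

BACKUP_DIR="${BACKUP_DIR:-/backup}"
MYSQL_CNF="${MYSQL_CNF:-/etc/mysql/backup.cnf}"
KEEP_DAYS="${KEEP_DAYS:-14}"

stamp() { date '+%Y-%m-%d_%H-%M-%S'; }
dump_name() { printf 'dump-%s.sql.gz' "$1"; }
archive_name() { printf 'backup-%s.tar.gz' "$1"; }

# Succeeds only if the file has no group/other permission bits (e.g. 0600),
# so a world-readable credentials file stops the run before any dump is made.
cnf_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

run_backup() {
    ts=$(stamp)
    dump=$(dump_name "$ts")
    archive=$(archive_name "$ts")
    cnf_is_private "$MYSQL_CNF" || { echo "refusing: $MYSQL_CNF is readable by others" >&2; return 1; }
    umask 077                        # dumps hold password hashes: owner-only files
    cd "$BACKUP_DIR"
    # --single-transaction: consistent InnoDB snapshot without locking tables;
    # credentials come from the defaults file, so nothing secret shows in `ps`.
    mysqldump --defaults-extra-file="$MYSQL_CNF" --single-transaction --all-databases > "${dump%.gz}"
    gzip "${dump%.gz}"
    tar -czf "$archive" /var/www/html/ /etc/apache2/ /etc/ssl/ /etc/php5/
    # Prune runs older than KEEP_DAYS so the backup volume cannot fill up silently.
    find "$BACKUP_DIR" -maxdepth 1 \( -name 'dump-*.sql.gz' -o -name 'backup-*.tar.gz' \) \
         -mtime +"$KEEP_DAYS" -delete
}

# Run only when invoked as `quickbackup.sh run`, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

The backup account needs read access to every path in the tar line; on Ubuntu /etc/ssl/private is root-only, so either grant that access via a group or leave the private keys to a separate root-run job.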

Raspberry Pi Screensaver and Screen Blanking with Pidora

So I tried and failed to disable the screensaver and screen blanking within pidora on the Raspberry Pi. I was up against a time target and needed to find a solution.

I needed the screen to stay live, with no screen blanking or screensaver, even when the keyboard and mouse were completely disconnected. I tried a range of settings and all of them failed me within the time available. After approximately 10 minutes, the screen would blank with either a black screen, a grey screen, or the screensaver, depending on the settings in use.

I found some commands would work, however attempts to ensure this was the case after a reboot failed.

Option 1 – Disable the screensaver from within the settings menu

Option 2 – Reconfigure X power saving with .xinitrc

“You may need to install xset, a lightweight application that controls some X settings.”

apt-get install x11-xserver-utils

Now open up your ~/.xinitrc file (if you don’t have one then create it) and enter this:

xset s off         # don't activate screensaver
xset -dpms         # disable DPMS (Energy Star) features.
xset s noblank     # don't blank the video device

# Start LXDE
exec /etc/alternatives/x-session-manager

To view your X session screensaver settings, use this command (it must be run from a terminal inside the X session):

xset q

Disable text terminals from blanking
Change two settings in /etc/kbd/config:

BLANK_TIME=0
POWERDOWN_TIME=0

Disable Xsession from blanking
Additional info https://wiki.archlinux.org/index.php/Di … _Signaling
Add these lines to /etc/xdg/lxsession/LXDE/autostart:

@xset s noblank
@xset s off
@xset -dpms

Option 3: Simulate input = the answer…
For me, the easiest answer in the end was to simulate mouse movement. A cop-out, some may say, but this Pi will never have a keyboard or mouse connected, and since I wanted the pointer out of the viewable area anyway, it also solved moving the pointer away from the centre.

I created this file:

#!/bin/bash
# mousemove.sh - R. Jervis - Move the mouse to keep screen alive and force webpage refresh with F5. 

sleep 60

while :
do
	echo "Test"
	xdotool mousemove 30 45
	sleep 60
	xdotool mousemove 30 55
	sleep 60
	xdotool click 1
	xdotool key F5
done

I then enabled it to run on-boot.


Qualys Labs SSL Test – Incorrect SNI alerts

If you have run the Qualys SSL Test, you may have seen the following errors in your report:

  • Client aborts on SNI unrecognized_name warning
  • Incorrect SNI alerts

If you're unsure what SNI is all about, the following quote from Wikipedia should bring you up to speed:

Server Name Indication (SNI) is an extension to the TLS computer networking protocol[1] by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted,[2] so an eavesdropper can see which site is being requested.

If you're running Apache, you can address this issue by ensuring the correct site names are contained within the VirtualHost configuration. For example, it may be appropriate to add this configuration to the .conf file relating to the site in question, e.g. /etc/apache2/sites-enabled/default-ssl.conf:

Enter the lines below within the <VirtualHost> section:

ServerName www.example.com
ServerAlias example.com www.example.com

You will need to restart Apache to apply the changes:

service apache2 restart
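A check to go with the change above, as an added example that is not part of the original post: it lists every hostname the vhost file declares via ServerName/ServerAlias, then (given a server to connect to) shows which certificate the server presents when each of those names is sent as the SNI value, which is what the Qualys warning is about. The sample config is constructed for the stand-alone run; the live check assumes openssl s_client is installed and needs network access.

```shell
#!/bin/bash
# Added example (not from the original post): audit the SNI names an Apache
# vhost declares against the certificate the server actually presents for them.
set -eu

# Print every ServerName / ServerAlias hostname in a vhost .conf, one per line,
# skipping commented-out directives and stripping a ":port" suffix.
vhost_names() {
    awk '/^[ \t]*#/ { next }
         $1 == "ServerName" || $1 == "ServerAlias" {
             for (i = 2; i <= NF; i++) { sub(/:[0-9]+$/, "", $i); print $i }
         }' "$1" | sort -u
}

# Subject and SANs of the certificate presented by host $2 (port 443) when
# $1 is sent as the SNI name; a non-zero exit means no certificate came back.
cert_for_sni() {
    printf '' | openssl s_client -connect "$2:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# Constructed sample config for a stand-alone run (not a real site's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.com:443
    # ServerAlias retired.example.com
    ServerAlias example.com www.example.com
</VirtualHost>
EOF

# Usage: sni-audit.sh <vhost.conf> <server-ip-or-host>
if [ $# -eq 2 ]; then
    vhost_names "$1" | while read -r name; do
        echo "== $name"
        cert_for_sni "$name" "$2" || echo "   no certificate returned for SNI $name"
    done
fi
```

Every name the script lists should appear in the certificate's subject or SAN list; a name that comes back with a different certificate, or none, is what triggers the "Incorrect SNI alerts" finding.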

Hope this helps, if so please consider letting me know (below) or sharing.


PFDAVAdmin Tool on Windows Server 2012 R2

Recently I had to get the PFDAVAdmin Tool (which is used for managing permissions in Exchange 2003) running on a new Windows 2012 R2 server.

I ran into issues where I would see the error:
Could not expand https://localhost/exadmin/admin/example.com/public%20folders/ : Name cannot begin with the ‘0’

Following some research, I found these articles on the tool which may be of interest to you:

The key was that the computer needs the following installed to ensure correct operation of PFDAVAdmin:

  • .NET Framework 1.1
  • Exchange 2003 System Manager

NOTE: It is advised that you do not run this tool from the Exchange Server itself, due to the versions of the .NET Framework involved.

Hope this helps, if so please let me know.
