Stein Solutions

Stein Solutions Security, networks, performance tuneups, digital forensics, advanced troubleshooting, data recovery, and education. This is a ministry of service for me.

Also the top Thumbtack computer repair pro in the nation with almost 800 5-star reviews! (See 750+ reviews at http://www.thumbtack.com/tx/mckinney/software-developers/dba-stein-solutions )

We specialize in security (virus removal), networks, performance tune-ups, data recovery, data backups, troubleshooting complex issues in Windows and educating clients in best practices. Our prices and quality are unmatched in the market. Some of our services include:

[] Guaranteed removal of any virus/malware/spyware – even when your antivirus can’t remove them. While we take care of removing your virus, our deep and thorough inspection process lasts several hours using advanced tools and manual digital forensics investigation – taking as many hours and days as necessary and working around your schedule. We iterate to (a) gather information for offline analysis, (b) analyze the data, (c) bring the PC to better health, and (d) plan/implement next steps and repeat these steps. This is designed to spend the necessary time to fix your PC properly, to advise you, and make your PC faster and safer — as fast or faster than the day you purchased it and safe enough to protect you from the weakest link in the security chain: human susceptibility to socially engineered deception by the evil software you may have downloaded and unethical hackers who modified your PC. I hope to educate one person at a time and they in turn can educate others.
[] Providing you a detailed and professional report of what happened, why it wasn’t detected and how to prevent it from happening again.
[] Follow-up every few weeks (remotely) with a 30-minute “health check” glance to make sure the machine remains healthy. A long-term support plan is available at whatever you can afford and never an unreasonable amount.
[] Optimizing and assuring you are not misconfigured in your software and hardware firewalls, routers, and switches. Rest easy. If applicable, I will show you how you are misconfigured and under attack.
[] Doing deep inspection of your Windows event logs looking for errors and warnings that are portents of imminent hardware and software failures, corruption, and unreliable data.
[] Treating your data confidentially, making sure it has integrity (from corruption, unintended mishaps and abuses), and is available for your personal or business needs in a reliable manner.
[] Optimize your graphics display and power management for best performance that matches your PC and how you use it.
[] Check for hardware and file-system disk errors, overheating motherboard and disk drives from poorly built custom computers or poorly designed mainstream ones, and system bottlenecks from poorly designed programs (businesses: I also do software code reviews and show you where your application design is flawed, if applicable) — and if desired, I can remedy or recommend how to remove those bottlenecks.
[] Teach you to be pro-active, not reactive.

We also can help you with the following:

Transferring data to a new or different PC
Setting up your new computer
Backing up important data
Finding lost or deleted data
Getting Email Up & Running
Learning More About Your PC and/or server

And so much more! This is all from 50 years of combined engineering experience (35 for Harry, 15 for Andrew) as highly-qualified software engineers, I/T network and security administrators. Remember what Clint Eastwood said multiple times in the ‘Dirty Harry’ movies: “A good man has got to know his limitations!”

We offer worldwide remote support and local support within a 35 mile radius of McKinney, TX.

07/28/2024

The evil predators are taking advantage of a very few (I hope) people who enable a macro in a CrowdStrike repair document that is exactly how it should be except for a macro which infects their computer.

CrowdStrike is warning that a fake recovery manual to repair Windows devices is installing a new information-stealing malware called Daolpu.

07/26/2024

I enjoy reading my AARP magazine as they do a great job reporting on the latest scams.

Criminals can use public information to victimize both buyers and owners in this real estate scam

07/03/2024

June 8 I solved a unique and important issue by way of three clients but as I expected, it has fallen on deaf ears. No worries. The post is here:

https://www.dell.com/community/en/conversations/inspiron-desktops/cannot-turn-on-memory-integrity/6663fa3f9d31ec38a7cdbaba

In my 07/02/2024 reply update, I referred to three interesting articles regarding the June 2023 Azure breach at Microsoft, and the more recent failed updates causing problems for Windows 10 and 11 users. The body of that reply is pasted as follows:

Thank you – I can see we're like-minded. I recently tested this issue on a new Dell Windows 11 computer and believe you are right: it affects those who migrated from Windows 10 to Windows 11 on older systems. Karen Quintos never contacted me, and it seems Dell doesn't prioritize this solution. I'll escalate my Dell support ticket currently on hold and point them to this thread, hoping they forward it to their management, preferably Karen Quintos.

Next2Last, I hesitated to post the answer because the Microsoft tool involved in the fix is unofficially deprecated due to a known vulnerability. However, I've disassembled the tool into C code, and if run briefly on a healthy system, the vulnerability is likely a non-issue. The tool reveals Dell drivers used by Dell tools that are either (1) missing a digital certificate or (2) not properly removed when uninstalled. I've fixed this issue on three different computers with these drivers, which were unimportant and could be permanently uninstalled. My concern is that disclosing this fix might put a lot of people at risk due to the tool vulnerability, and I don't want to endanger users.

It's disappointing that Dell's uninstall process is faulty and Microsoft doesn't address the widespread issue of Memory Integrity failing with a blank list of incompatible drivers on Dell computers. Since Ms. Quintos hasn't reached out, I'll update the Dell support ticket and email Scott Hanselmann as part of my side project, highlighting the indifference of some corporate entities to practical solutions.

During my brief tenure at Microsoft, I noticed an emphasis on security over quality; this is likely a result of the June 2023 Azure breach (see the CRN article https://www.crn.com/news/security/2024/microsoft-s-inadequate-security-behind-cloud-email-breach-us-review-board ) which affected U.S. government emails.

Recent issues, such as the SSD performance drop in Windows 11, the Windows 10 KB5034441 error (see the Neowin article https://www.neowin.net/news/microsoft-admits-it-cant-fix-windows-10-kb5034441-0x80070643---errorinstallfailure/ ), and the KB5039302 taskbar corruption (see the PCWorld article https://www.pcworld.com/article/2382235/windows-update-kb5039302-corrupts-taskbar-these-windows-versions-are-affected.html ), all attest to this.

Despite these issues, I still support and love Microsoft and Dell and believe they are trying their best. It would be nice if they treated the community as a valuable resource.

Blessings,

Harry

The 2023 Microsoft cloud email breach that impacted federal agencies ‘was preventable and should never have occurred,’ according to a new report from the U.S. Cyber Safety Review Board.

06/14/2024

Good article about Microsoft forcing you to *not* be able to easily create a local account. The article points out the advantages of a local account (vs. being forced to sign in with a cloud account). To me the biggest disadvantage of a sync'd Microsoft account is the possibility of a zero-day virus in the form of an extension being installed that will, by default, get sync'd to all your computers where Edge runs. Google Chrome has the same issue and I encourage my clients to NOT sign in to Google or to learn how to configure passwords and extensions to *NOT* be sync'd. Students: what do we call an evil extension that finds a way (via Chrome or Edge sync'ing) to spread itself to all the computers you are signed into? A VIRUS. Thus Microsoft and Google make it so much easier for a malware extension to spread.

Using a local account on Windows 11 has its benefits, as explained by Microsoft on accident.

04/08/2024

This is not surprising. Corporate America focuses too much on trusting employees, relying on technologies like RBAC and Identity Access Management but this is clearly not enough.

U.S. officials say some of America’s most prominent tech firms have had their virtual pockets picked by Chinese corporate spies and intelligence agencies.

02/07/2024

The earlier (today, below this one) article I posted mentions boot viruses in the firmware (aka bootkits). Now a critical vulnerability is affecting most Linux distributions and allows for (here we go again)… bootkits.

I recall a 2022 report from Kaspersky saying boot viruses are on the increase. I believe it.

Buffer overflow in bootloader shim allows attackers to run code each time devices boot up.

02/07/2024

I have seen this in the past with multiple clients who I discourage from purchasing from Amazon where:

(1) a laptop can be purchased, intentionally infected and returned – the merchant does not properly reset it and in the case of some boot firmware, even this cannot be undone without micro-solder removal of the BIOS chip and re-flashing it, and re-soldering it.

(2) the merchant themselves can do this and indicate the package is new – they know very few people are qualified to investigate and make this case to Amazon requesting the merchant be punished.

I used to believe re-flashing the BIOS (prior to a fresh install) would help but I discovered recently that, for example, Lenovo's flashing tool does not re-flash all parts of the BIOS - only that which is necessary (for example, code sections only).

In any case, spyware was found inside the AceMagic AD08 mini-PC made by Shenzhen Shanminheng Technology Co., Ltd., also known as Minipc Union, with the Bladabindi and Redline families of malware (remote access, can steal stored passwords, act as a keylogger, etc.). Read more here:
https://www.tomshardware.com/desktops/mini-pcs/mini-pc-maker-ships-systems-with-factory-installed-spyware-acemagic-says-issue-was-contained-to-the-first-shipment?utm_medium=social&utm_content=tomsguide&utm_source=facebook.com&utm_campaign=socialflow&fbclid=IwAR3O426pZDz8Asi68tqvYo3HQKf95Jd1PSsWgLp-DblG7Jco3BA1Q_uzvsI

Some batches of mini-PCs come with malware

01/30/2024

TIP: opening this page in a Chrome tab uses a lot of RAM (1.1GB) when you open it – print to a PDF and close the tab ASAP:

https://hothardware.com/news/global-smartphone-privacy-problem

The article points out that on iPhones push notifications from popular apps like Facebook, X (Twitter), LinkedIn, Instagram, and Tiktok capture data from your phone and send it to remote servers, even if the app itself isn't actually running on your phone.

That's right: even apps you aren't using can be tracking you. The push message wakes up the app which can send anything it wants to the pusher. The data can range from innocuous to not-so-innocuous -- collectively it is used to create a digital "fingerprint" of your device that tracks you across multiple domains...

Roughly it works this way: advertisers want to target you and so companies like Google, X (Twitter) sell that information to them by way of a company called ISA which sells a product called Patternz which requires no intervention to set up. Patternz helps advertisers know many things about you (collected by Google and served up to advertisers by ISA) “from a few data points about a specific smartphone user all the way to a detailed individual listing with personal information, known contacts, and even highly-specific location data accurate down to a few meters”. And Patternz requires no user intervention or awareness—the company's CEO says that the phone is turned into a "de facto tracking bracelet."

Turns out the NSA is also using this... please read the article.

What's that? The United States federal government is up to something shady? You don't say.

01/20/2024

I found this as an interesting example of perpetrators using anything they can get their claws on. The article starts as follows and the rest of the details are in the link below!

[quote] Microsoft has disabled the ms-appinstaller protocol handler as default after it found new evidence of hackers using it to deploy malware.

"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," Microsoft said in a new security advisory.

Furthermore, the Redmond giant saw hackers selling malware kits on the dark web, which use the MSIX file format and the ms-appinstaller protocol handler.
[end-quote]

ms-appinstaller protocol handler is being disabled by Microsoft once again

01/20/2024

It would be a myth to say the Mac OS is more secure or less vulnerable than the Windows operating system.

The tug-of-war between hackers and Apple continues at pace

12/13/2023

I was at the Data Connectors Security conference last Thu Dec 7, 2023 - very enjoyable. https://dataconnectors.com/dallas-partners-2023 Many interesting 3rd party products and keynote discussions from CISOs - I concluded this is a thankless job -- one speaker with 150 people mentioned his management asked him if he could reduce his workforce by 10% since AI was supposed to help reduce headcount. I was sad to hear that there was such a disconnect between management and the (typically) already overworked security team. Oh well.

I also listened to a panel of DHS and FBI and Ft. Worth Cybersecurity professionals in law enforcement. A question was asked regarding what could a "hacktivist" do to collaborate with them if he ran into what I inferred was nefarious/criminal activity -- I believe the panel misunderstood the question and answered that that is why they attend these conferences - to help show how much and how important collaboration between enterprises and law enforcement is.

They said "hacktivists" are not going to be terribly productive in that they lack funding. True. But that is understating how evil and effective they have been. I think "hacktivists" are generally considered bad, criminal even if good intentioned. What I think the audience member was asking was what would happen if he personally were fiddling around as an ethical hacker and stumbled into criminals and wanted to help by reporting to the FBI?

The audience member probably meant to say "ethical hacker" instead of "hacktivist" (by the way, I am none of these -- I am a malware hunter and digital forensic incident response engineer -- self proclaimed :-)) - also a former key employee software developer. See http://www.linkedin.com/in/harrystein

In any case, at the end of the day, us little guys who run into criminals pretty much know that unless the crime involves millions of dollars, or a major threat to national security, the FBI has way too much on their plate to take your issue(s) seriously. Sadly, the bad guys know this and leverage this to embolden themselves to do whatever they please.

However, there is much the little guy can do and that is a speech for another time.

Also, what was not discussed was the ability of the FBI to keep the best and brightest security engineers who get discouraged by the culture as documented in the book I recently purchased called "The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime" (Dudley, Golden) -- see https://www.amazon.com/gp/product/0374603308/ref=ppx_yo_dt_b_search_asin_title - and read that summary -- I believe 99.999% the FBI is honorable, awesome, and ultra important, and I pray earnestly they fix these issues and are able to attract the best and brightest! Hint: I am available!

Finally, in another panel the question of Bluetooth being safe in the corporate workplace came up and the long panel answer was 100% wrong (IMO) in that it was dismissive indicating that it wasn't terribly interesting or not that big of a deal but I bit my tongue as they could not have been further from the truth. However, that observation only served to remind me that my being in the trenches of the "real world" of 800 home and small business users in the last nine years taught me that Bluetooth is extremely dangerous and I became a self-proclaimed SME in this area and read perhaps 100 articles that most CISOs don't have the time to read (I put together a private and proprietary white paper on this). But that's a story for another time (or you can hire me to consult in this area :-)

Thus, the conference validated I might know a few things that even some CISOs do not know. I say that humbly. No one knows what they don't know. Or as Clint Eastwood once said, "A good man has got to know his limitations". I walked away from the conference feeling good about myself and ready to move on and continue making a difference in the world of cybersecurity and related domains.

Summary: great conference and I would attend again! It was a blessing.

Blessings,

Harry

The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime

11/28/2023

I've been talking about this for years. I've said that Google's static analysis of extensions from the Play Store is easily bypassed by people in a variety of ways. From the start when they first submit the extension, and later with updates. Google admits to this in Aug 2023 and calls it versioning.

The Google Cloud security team acknowledged a common tactic known as versioning used by malicious actors to slip malware on Android devices after evading the Google Play Store's review process and security controls.

11/04/2023

I don't use Discord. I always thought it was a simple messaging app. But two clients in the same week made me change my mind. One was a gamer who went to bed with "abc" in the clipboard and when he woke up and did a paste it had a strange sentence in it - as though something was pranking him or trying to get into his bitcoin account and guessing the key. A timeline traced it down to only one possibility: Discord. Rather than using sysmon to monitor clipboard accesses, I used abductive logic based on my second client and the three articles below to conclude it was Discord (he uses multiple Discord servers, copies and pastes many objects shared between friends, and if you have a gamer enemy who does not like you, they can serve up objects for you to copy/paste, click on, etc. that will silently serve up and install malware or change the local Discord scripts to do nefarious/prankish things).

The second client was on a famous video equipment web site that is very ad-centric revenue-driven -- and had an unvetted ad that ran a contest to win a high-def (expensive) camera. To win, you had to install what would turn out to be a rogue version of Discord and connect to a Server -- the whole app does not get detected by any AV. But it's evil. A week later it silently installed the Chromestra virus which only 12 of 70 AVs detect and his was not among these. So that ran for a couple months until he noticed the browsing hijacking and called me -- I did the intake and forensics and drew the conclusions. Chromestra also installed a well hidden Edge browser hijacker extension. If you use Discord you need to read the following three links. Summary: DO YOU REALLY NEED IT AND CAN YOU LIVE WITHOUT IT? A gamer can because they typically don't keep personal information on a computer and are trained to rebuild their operating system from a thumb drive as soon as they are infected. But it's still disturbing and they need to self-educate on this topic.

https://www.makeuseof.com/what-is-discord-virus/
https://www.bleepingcomputer.com/news/security/discord-abused-to-spread-malware-and-harvest-stolen-data/ (Dec 2019)
https://www.bleepingcomputer.com/news/security/discord-still-a-hotbed-of-malware-activity-now-apts-join-the-fun/ (Oct 16, 2023)

Discord is a fun place to chat with friends. Unfortunately, that also makes it an attractive place for people looking to take advantage of others.

11/04/2023

It's big business to preinstall malware on Android and Apple phones under the guise it is safe and useful. It's too difficult to study and detect that the pre-installed software is intentionally evil or has been infiltrated. We just have to trust it. I've been reporting on pre-installed apps turning out to be malware for years. We just have to live with it. If you are doing your banking, financials, etc. on a phone you have to trust Google and Apple to aggressively ramp up how they do security, anti-keylogging, Authenticator apps, 2FA, screen locks, etc., etc. I personally think they are doing a much better job these days than say a few years ago (where I argued it was unsafe to do all that on a phone vs. on a clean and secure Windows desktop tied to a phone for 2FA and Authenticator apps). Thank goodness.

Somehow, advanced Triada malware was added to devices before reaching resellers.

11/04/2023

It's not important to understand this technical juju -- what is important is to appreciate that breaking into a corporate network requires a very complex (but effective) way of forging certificates. I am not an SME on this subtopic - but I am an SME on the topic of how much smarter and more of the bad guys there are than the good guys. That's all I could get out of this article.

I identified several signs of attacks that use forged certificates inside the network and developed a Proof-of-Concept utility capable of finding artifacts in AD, as well as a number of detection logic rules that can be added to SIEM.

11/04/2023

We don't do a good job protecting our intellectual property, etc.

Two House Committees have written to the National Science Foundation warning of threats to U.S. science research from foreign states and are demanding answers

10/01/2023

I forgot to post this in early August and consider it important. While it criticizes Microsoft Azure security, I know that Microsoft Azure is in very good hands with the legend rock-star (term for awesome computer genius) Mark Russinovich -- he has the hardest job on the planet and I can't think of anyone better or smarter to make things great in every regard with whatever he is in charge of. He has been and remains a hero of mine. It's very easy to be critical of anyone and everyone since security is ultra-challenging and the bad actors seem to always be one or two steps ahead of the good guys. But if we keep things in the proper perspective, we should be grateful for whatever Microsoft can and does do in the areas of security.

Azure looks like a house of cards collapsing under the weight of exploits and vulnerabilities.

10/01/2023

A good article on how your phone can be vulnerable to malware. This just goes to show you that the criminal mind out there is trying to think of anything and everything to socially engineer (trick) you into installing the malware. I found this fellow from Fox-News, Kurt Knutsson (aka 'The CyberGuy') to be quite credible and enjoyable to read. He's very active and I'll post his direct link in a minute but first the phone malware link:

Kurt "The CyberGuy" Knutsson warns about two types of malware that can hack into your Android device and steal your data if you download a corrupted app.

09/01/2023

Access may be limited but you'll catch the drift...

Infiltration comes as allies scrutinise Tokyo’s defences against hacking

09/01/2023

Sad but true.

Hackers are targeting Cisco Adaptive Security Appliance (ASA) SSL VPNs in credential stuffing and brute-force attacks that take advantage of lapses in security defenses, such as not enforcing multi-factor authentication (MFA).

08/05/2023

This article is an excellent Kaspersky technical article on how Kerberos is exploited in corporate Active Directory networks. Although pitching their detection tool being able to detect this, it is nevertheless extremely useful in understanding how criminals will think of everything.

I identified several signs of attacks that use forged certificates inside the network and developed a Proof-of-Concept utility capable of finding artifacts in AD, as well as a number of detection logic rules that can be added to SIEM.

08/05/2023

FYI on whistleblowers.

Press Release SEC Awards More Than $104 Million to Seven Whistleblowers FOR IMMEDIATE RELEASE 2023-147 Washington D.C., Aug. 4, 2023 — The Securities and Exchange Commission today announced awards of more than $104 million to seven individuals whose information and assistance led to a successful S...

07/09/2023

https://www.bleepingcomputer.com/news/security/apps-with-15m-installs-on-google-play-send-your-data-to-china/

Although the article is about Android Google Play apps, I will apply the principles to the Chrome Web Store (hereon referred to as CWS) where Chrome extensions are obtained. I coach my clients: "Try hard not to install anything from the CWS on a business critical computer". If you must install something, do extreme vetting (details of how this is done are omitted but it cannot be automated – it requires old-fashioned investigative work) and assess the risk of a supply chain component being infiltrated. I coach "less is more" and “Can you get by without the extension?” “What did you do to extreme-vet it?”

Is there a home-brewed solution using standard Microsoft tools like many exes in the system32 folder (even tar.exe is there to eliminate the need for 7zip and winrar), the SysInternals suite, PowerShell, command prompts, etc.? (Microsoft is also vulnerable but not as likely as many one-man band or small company apps that Fortune 500 companies readily install on their developers' workstations without a thought – this is known as being security-illiterate.) What’s in your wallet?

I once consulted for a company whose flagship product was amazing -- but when you did a Help About to see the attributions to which 3rd party tools, including open source, were utilized, there were over 40 items listed! Whew! Is that impressive? Perhaps not.

Can you imagine the possibility of exactly one of these 40 having been infiltrated and the company not knowing it? Of course and yes. It happens all the time! That company chose the app being easy to use and powerful and feature-rich over security and the "less-is-more" philosophy. The beauty of the product was that it was a perfect blend of all 40 best-of-breed components. They bragged to their clients about that and the SOC certification they easily obtained but in truth you are only as strong as your weakest link and they were too understaffed to even assess that (the company strategy emphasized growth by way of amazing new features for new markets, and KPIs -- over everything else). Like Peiter Zatko, they didn't want to hear about anything opposing this growth strategy. The fact that national security was at risk does not matter – you can hire compliance officers to implement plausible deniability and keep top staff out of trouble.

Is it any surprise to anyone why we hear about daily attacks and breaches of data? It's almost expected collateral damage to a company being profitable. So the criminals co-exist with the corporations and security becomes a step-child that’s part of doing business. And Peiter Zatko got put on a PIP and then dismissed. That led to a major whistleblowing effort involving the SEC, Justice Department, and FBI. But even that will fade into the sunset – Zatko will get his SEC reward (not his motive), and breaches will continue as always. It’s now engrained in our culture – more so than mass shootings.

Even all of these articles posted here, or reading Brian Krebs’s security blog all the time eventually will numb you and give you a sense of hopelessness. Then it seems to get worse: qualified security experts like myself get summarily dismissed due to age discrimination while our nation cries about a shortage of security experts. When they do hire someone qualified, it’s almost a certainty they will be micromanaged into not being creative and thinking out of the box. Leadership is a lost art. I threw out all my Warren Bennis books – they are pointless today. For quality, I still apply root-cause analysis as taught by Philip Crosby – but this too is a lost art.

So we have a management and leadership crisis, a security crisis, etc. And of course China and Russia and Iran are chuckling away – no such problems over there in an autocracy and a Gulag waiting for you! SO, THIS IS MY COUNTRY and I SEEMINGLY CANNOT DO ANYTHING ABOUT IT – except for one thing… I can pray … I can remind myself what Proverbs in the Bible says, “wisdom starts with fear of the Lord”. The more people turn to God and worship, the more (IMO) crime and chaos will diminish because God LOVES obedience! No apologies for the sidenote!

If you're going to strike a balance that does *NOT* err on the side of security caution, be ready for the consequences. Sooner or later an egg will be thrown in your face but if you have mastered the art of fooling the public, you’ll get through it!

06/10/2023

If you ever wonder how overwhelmed our FBI is with cyber crimes this article will give you the insight you need. It speaks to the cultural challenges they faced (and likely still face), the frustrations of smart computer professionals who worked (and left) who had a heart to serve, etc. Pray for the FBI, pray for our country.

In this excerpt from “The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World From Cybercrime,” the authors reveal how unprepared the nation’s top federal law enforcement agency was to combat online crime.

06/03/2023

As I always say, there is tremendous risk in an iPhone or Android phone with apps installed from the Apple Store or the Google Play Store. The risk continues with browser extensions, apps from the App Store. Microsoft, Apple, and Google will have you believe the stores are fairly safe but I vehemently disagree based on my experience and knowledge of how easy it is to write undetectable or very-hard-to-detect viruses. Anyway, if you read the last several years' worth of articles posted in this Facebook, you will have to agree. Below is a typical article on infected Android phones.

Thank you Andrew S. for sending this link:

Delete these Android apps ASAP if they're on your phone.

05/18/2023

Many of you asked about Peiter Zatko of Twitter and his whistleblowing story. Although first reported a year ago, I 100% assure you this Oct 2022 article is great reading. If you are a self-proclaimed security expert and don't know about this, well you're not really keeping up with anything other than corporate ladders, bonuses, KPIs, and maintaining bad cultures. Don't think it can happen? It's pretty much the norm in way too many American corporations. Read on!

When Peiter Zatko joined Twitter as head of security in late 2020 at the urging of founder and then-CEO Jack Dorsey, he was surprised by what he discovered. Twitter, a social network with hundreds of millions of users, “was over a decade behind industry security standards,” he later testified.

05/15/2023

This will surprise you how much can be done with a cable or even a Wi-fi adapter put in your USB. One of my clients purchased a computer on eBay from a merchant who sold thousands of refurbished towers - most had Wi-fi built in. But it was cheaper to blindly add a $1 (yes!) Chinese Wi-fi adapter in case the tower motherboard did not have it. They purchased these in bulk unwittingly providing a Wi-fi adapter that behaved just like the cable discussed below (but $180). When I asked them about it, they denied it and said they manufacture their own which was, IMO, a lie as I have the adapter in front of me and found it in a web site for Chinese parts. When I asked an expert to reverse engineer it (S***t S*****t) he disappointingly said he was too busy. If I contact the FBI, they are too busy. So nothing will be done.

In the end, all such small (and some larger) crimes are gotten away with. The bad guys win and you lose. Me, I just observe all this and report on the reality. As does my hero, Brian Krebs. That's the nature of the demonic and evil Internet and incompetent and mediocre security experts at corporate America who think they know what they are doing and push back when someone smarter than them makes them look bad.

As long as you are aware of the cockroaches out there trying to infiltrate you in 100s of unimaginable ways, you will be fine.


Address

McKinney, TX
75070
