Archive

Archive for March, 2014

Creating an intelligent “sandbox” for coordinated malware eradication

March 31st, 2014 No comments

Hello from China where I am presenting on coordinated malware eradication at the 2014 PC Security Labs Information Security Conference.

Coordinated malware eradication was also the topic of my last blog. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware disruption, to a state of coordinated malware eradication. Since then we’ve been talking about these ideas at conferences around the world, including the recent RSA Conference in San Francisco, the Digital Crimes Consortium in Singapore, and the APCERT AGM & Conference in Taipei. The level of engagement across the antimalware ecosystem has been high. Security and antivirus (AV) vendors, service providers, Computer Emergency Response Teams (CERTs), anti-fraud departments, and law enforcement have all joined the conversation, asking the essential questions about governance, communication channels, and benefits.

The overall theme of these discussions has been focused on how we can take the information we have and correlate it in new ways – a topic that lends itself to machine learning and big data analysis in the cloud. I believe this can be the most effective way to accelerate our malware eradication efforts. This proposes the next question: how do we create an intelligent “sandbox” where we can do this work?

For some time now, antimalware companies have been applying machine learning and big data analysis to generate more malware detections faster. Machine learning is all about training a machine to find patterns of signals in large streams of labeled information, then using those patterns against future data, all the while using feedback to continuously improve its accuracy. The stronger the labels, and the more diverse the information, the more effective the machine becomes.

Machine learning is similar to how I see people learn. For instance, when toddlers look at animals, at first they all appear to be the same. Then they learn to distinguish dogs from cows, for example. Pretty soon they can tell poodles from retrievers too. We correct them as necessary, and over many repetitions, they soon start to find more efficient identification patterns. In machine learning terms, we’d say the toddlers were trained with labeled information. They extracted patterns of signals from the animals, and then applied these patterns against the new animals that they saw.

Humans do this intuitively and naturally, whereas machines require complex algorithms and training against huge data sets. Currently in the antimalware business, we have three main sources of machine learning signals: voluntarily opted-in telemetry data on encountered malware threats, our analysis of the malicious files, and malware signals from our partners.

To give you a sense of the volume and scale I am talking about, each month the Microsoft Malware Protection Center’s (MMPC) machine learning systems analyze more than 30 million different file samples, and correlate this with what we know about the associated files, websites, and usage patterns. Our systems classify the file samples and then automatically create and deploy signatures for those identified as malware. The huge pipeline of signals makes it possible for us to quickly spot new malware. When we combine this with insights from our in-house AV researchers, our machines get smarter, and our customers receive greater protection.

We are using machine learning advances with the cloud too. For instance, we automatically recognize files showing tell-tale patterns of malicious intent. Cloud-based machines correlate that suspicious behavior with the reputation of the particular software being used to decide if AV software should intervene to block – faster, better, and more efficiently than a client computer could perform the check. In many cases we are able to protect clients even before detection signatures are delivered.

Although machine learning has already contributed significantly to malware protection, I believe that complete eradication of malware families will fail unless we determine how to identify specific attackers, and how to track a given malware family’s malicious activity across its entire lifecycle. The AV industry needs to understand how a malware family is developed and distributed, how it is controlled, how it responds to changes, and how it is monetized.

To answer these questions, we’ll need our machines to correlate more than telemetry, analysis, and the types of signals traditional security vendor partners provide. This is where coordinated malware eradication partnerships come into play. By working together and correlating our signals, we can see the bigger picture and identify appropriate choke points – weak spots for the malware writers.

Figure 1: The antimalware ecosystem’s coordinated malware eradication

The next question is where we will accomplish this goal. As I said above, we need a “sandbox” big enough where every industry partner can contribute with a variety of signals and deploy their machine learning and analysis tools. On top of our telemetry and analysis data, Microsoft can also contribute large amounts of cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in. Our partners can contribute new information signals, strong labels, and their own tools to better train all of the machines.

For example, take your typical click-fraud attack. An advertising network can see the URLs being abused, the bank accounts in use, and the websites involved. A CERT or ISP can see parts of the command and control system – URLs, files being served, domain registrars, etc. AV vendors can see the client code and the URLs it is working with. Individually no one party has enough to identify the entirety of the attack. But when seen together, the correlation (in this example at least) is pretty easy to spot.

Figure 2: Putting machine learning against massively correlated signals means we can go on the offensive

Putting machine learning to use at these huge scales against massively correlated signals means we can go on the offensive. Hopefully it will leave the bad guys with nowhere to go. It will allow us, as an industry, to blunt the efforts of the malware authors and their supply chains, and to block their attempts to game and steal from our customers.

I encourage you to join the conversation. We will be holding roundtable discussions at a few more upcoming events. The latest schedule is below. If you would like to attend a discussion, email us at cme-invite@microsoft.com.

Dennis Batchelder
Partner PM Manager
MMPC

Upcoming roundtable discussions:

  • PC Security Labs Conference, 2014 – April 1, 2014 – April 2, 2014 Beijing, China
  • CARO Workshop, May 15, 2014 – May 16, 2014 Melbourne, FL
  • 26th Annual FIRST Conference, June 22, 2014 – June 27, 2014 Boston, MA
  • Microsoft Security Research Alliance Summit
    July 22, 2014 – July 24, 2014 Seattle, WA
    Invite only. NDA required.

Categories: Uncategorized Tags:

Information on FEP and SCEP support after OSes (like Windows XP) reach end-of-life

March 31st, 2014 No comments

Important: Concerned about how SCEP 2012 and FEP 2010 will work when an OS reaches its end of life? Check out this post by Minfang Lv, Software Development Engineer in Test, for all the details:

FEP and SCEP anti-malware protection support after OSes reach end-of-life

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:


System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: Uncategorized Tags:

How to get rid of malware that keeps coming back

March 27th, 2014 No comments

Windows Defender and Microsoft Security Essentials can get rid of most malware, but here’s what you can do if it comes back.

  1. Make sure you have automatic updating turned on. This feature ensures that you have the latest security improvements from Microsoft installed on your computer. If you’re using other antivirus software, make sure that it is up to date with the latest malware definitions.
  2. Restart your PC.
  3. Run a full scan:
    1. Open your Microsoft security software.
    2. On the Home tab, under Scan options, click Full.
    3. Click Scan now.

A full scan can take an hour or more, depending on how many files you have on your PC.

Get more advanced troubleshooting for malware that keeps coming back.

Once your computer is clean, take these steps to help keep it clean.

How to recover an account if you haven’t already added security information to it

March 25th, 2014 No comments

A reader asks:

What can I do if my account has been hacked and I haven’t already added security information to it?

It would be easier to recover your account if you had already associated it with information that cybercriminals can’t easily access, like your mobile phone number or an alternate email address. For example, if your account is compromised, Microsoft could send you an account-recapture code in a text message to help you regain access to your account. If you do have access to your account, add security information to your account now.

If you haven’t already added security information to your account 

Scan your PC for viruses

If your account has been hacked and you can’t get access to it, the first thing you should do is scan your computer for viruses. Do this before you try to change your password. Hackers get your password through malware that’s been installed on your PC without your knowledge (for example, when you download a new screen saver, toolbar, or other software from an untrustworthy source). It’s important to clear your PC of viruses or malware before you change your password. That way, the hackers won’t get your new password.

If your computer is running Windows 8

Use the built-in Windows Defender to help you get rid of a virus or other malware.

Here’s how: 

  1. From the Search charm, search for defender, and then open Windows Defender.

  2. On the Home tab, choose a scan option, and then tap or click Scan now.

In addition to the color codes for your PC’s overall security status, Windows Defender applies an alert level to any suspected malware it detects. You can decide whether to remove an item entirely, research it further, or let it run because you recognize it.

If your computer is running Windows 7 or Windows Vista

Get more help removing viruses

Reset your password

Once you’ve scanned your computer for viruses, reset the password on your account.

If you can’t reset your password, and you haven’t already added security information to your account, you can still get back into the account by filling out a questionnaire. You will be asked specific questions about the account and email messages that might be stored there. Someone will get back to you within 24 hours (typically a lot sooner).

For more information, see How to recover your hacked Microsoft account.

SQL Server 2012 Baselines are now live!

March 24th, 2014 No comments

Baselines for SQL Server 2012 are now live and can be downloaded from the following locations:
download.microsoft.com/…/SQL-2012-Security-Compliance-Baseline.cab
download.microsoft.com/…/SQL-2012-Security-Compliance-Baseline_Attachments.cab…(read more)

Microsoft Releases Security Advisory 2953095

March 24th, 2014 No comments

Today we released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. An attacker could cause remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.

As part of the security advisory, we have included an easy, one-click Fix it to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code. Additionally, applying the Fix it does not require a reboot. We encourage all customers using Microsoft Word to apply this Fix it to help protect their systems.

The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this vulnerability when configured to work with Microsoft Office software. If you are using EMET 4.1 with the recommended settings, this configuration is already enabled and no additional steps are required.

We also encourage you to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.

We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

TMG 2010 – YOU CANNOT REMOTELY CONNECT TO TMG SERVER WHEN IT’S PUBLISHING RDP PROTOCOL

March 24th, 2014 No comments

If you recently tried to publish the RDP protocol through a TMG server and suddenly lost the ability to make TS connections to the TMG server itself, you may find this post useful!

In TMG 2010, a System Policy rule exists allowing RDP traffic from a white-list of workstations to the TMG server itself.

Thanks to this rule, it’s normally possible to connect to the TMG server from the allowed PCs.

If you perform the following command, you’ll be able to see the TCP listener bound to the Remote Desktop Services (RDS) service accepting incoming RDP connections on default port 3389:

netstat -ano | findstr :3389

Now, let’s assume that you have to publish the RDP protocol externally through TMG, so that TS connections from external devices to an internal server can be established while the internal server’s IP address stays masked.

You can do this by creating a specific “Non-Web server publishing rule” in TMG:

If you run the netstat command above again after applying this configuration, you will see no difference at all, and everything should be working as expected.

Let’s now assume you have to reboot the TMG server.

After the reboot, if you run netstat again, you’ll see that the situation has changed:

Now the TMG server is listening for RDP connections only on the IP address configured in TMG’s Server Publishing rule. Moreover, the listener is now associated with the PID of the Firewall (FW) service itself, and there are no longer any entries for the RDS service.

If you test TS connectivity to the TMG server from one of the allowed internal workstations, it will now fail.

This happens because of a socket conflict between the FW service and the RDS service, both of which want to bind TCP port 3389; it is expected behavior.

To allow remote access to the TMG server while publishing RDP, there are basically two solutions:

  1. Publish the RDP server on a port other than 3389, using a non-web server publishing rule and creating a “customized” RDP protocol definition for the new port.

  2. Change the RDS service on the TMG server to listen on a different port or adapter.

To apply the second solution, open Remote Desktop Session Host Configuration, right-click RDP-TCP, open the Network Adapter tab, and then select the internal NIC.

After this action, just restart the RDS service.

If you now run netstat again, you’ll see the new situation:

You will now have the RDS service listening on the IP addresses bound to the internal NIC, while the FW service is listening on the external side for RDP publishing.

With this configuration, it’s again possible to establish TS connections to the TMG server even when the server publishes the RDP protocol.
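As an added check (this script is not from the original post), the following PowerShell does what the netstat command above does and additionally maps each listener’s PID to its process and hosted service, so it is immediately clear whether the port 3389 listener belongs to RDS (service name TermService) or to the firewall service. It assumes netstat.exe and WMI are available on the TMG server.

```powershell
# Added example (not part of the original post): list every TCP listener on
# the RDP port and map its PID back to the owning process and Windows service,
# so the RDS-vs-Firewall socket conflict can be spotted at a glance.
# Assumes netstat.exe and WMI are available on the TMG server.
param([int]$Port = 3389)

# netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
$pattern = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'

$listeners = foreach ($line in (netstat -ano)) {
    if ($line -match $pattern -and [int]$matches[2] -eq $Port) {
        [pscustomobject]@{
            LocalAddress = $matches[1]   # 0.0.0.0, [::] or one specific bound IP
            ProcessId    = [int]$matches[3]
        }
    }
}

if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP port $Port."
    return
}

foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.ProcessId -ErrorAction SilentlyContinue
    $procName = if ($proc) { $proc.ProcessName } else { '<unknown>' }

    # Services hosted in that PID: RDS shows up as TermService inside svchost.exe;
    # after the conflict the PID belongs to the TMG firewall service instead.
    $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId = $($l.ProcessId)" |
              Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        ProcessId    = $l.ProcessId
        Process      = $procName
        Services     = ($svcs -join ', ')
        OwnedByRDS   = ($svcs -contains 'TermService')
    }
}
```

Run it once before creating the publishing rule and once after the reboot; a 3389 listener whose OwnedByRDS flips to False (and whose bound address narrows to the published IP) is the conflict described in this post.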

As always…I hope you can find this useful!!

Author:

Daniele Gaiulli
Support Engineer – Microsoft Forefront Edge Security Team

Reviewer:

Philipp Sand
Sr. Support Escalation Engineer – Microsoft Forefront Edge Security Team

Categories: Publishing, RDP, TMG Tags:

Tax scams: 6 ways to help protect yourself

March 20th, 2014 No comments

We’ve received reports that cybercriminals are at it again, luring unsuspecting taxpayers in the United States into handing over their personal information as they rush to file their taxes before the deadline.

Here are 6 ways to help protect yourself.

1. Beware of all email, text, or social networking messages that appear to be from the IRS. Cybercriminals often send fraudulent messages meant to trick you into revealing your social security number, account numbers, or other personal information. They’ll even use the IRS logo. Read more about how the IRS does not initiate contact with taxpayers by email or use any social media tools to request personal or financial information.
2. Use technology to help detect scams. Scams that ask for personal or financial information are called “phishing scams.” Internet Explorer, Microsoft Outlook, and other programs have anti-phishing protection built in. Read more about identity theft protection tools that can help you avoid tax scams.
3. Check to see if you already have antivirus software. If a cybercriminal does fool you with a tax scam that involves downloading malware onto your computer, you might already be protected by your antivirus software. If your computer is running Windows 8, you have antivirus software built in. Download Microsoft Security Essentials at no cost for Windows 7 and Windows Vista.
4. Make sure the website uses secure technology. If you’re filing your taxes on the web, make sure that the web address begins with https, and check to see if a tiny locked padlock appears at the bottom right of the screen. For more information, see How do I know if I can trust a website and What is HTTPS?
5. Think before you download tax apps. Download apps only from major app stores—the Windows Phone Store or Apple’s App Store, for example—and stick to popular apps with numerous reviews and comments.
6. Be realistic. If it sounds too good to be true, it probably is. From companies that promise to file your taxes for free, to websites that claim you don’t have to pay income tax because it’s unconstitutional—keep an eye out for deliberately misleading statements.

MS14-016 – Important: Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (March 20, 2014): Clarified in the vulnerability FAQ what systems are primarily at risk for CVE-2014-0317. Added Update FAQ to explain why users running Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 might not be offered the update. These are informational changes only.
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username.

Categories: Uncategorized Tags:

Help! Someone is holding my computer hostage

March 18th, 2014 No comments

If you see a pop-up window, webpage, or email message warning you that your computer has been locked because of possible illegal activities, you might be a victim of a criminal extortion scam called ransomware.

Ransomware often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI).

The aim of ransomware is to prevent you from using your computer until you pay a fee (the “ransom”). If you get an email message or a warning like this, do not follow the payment instructions. If you pay the ransom, the criminals probably won’t unlock your computer and might even install more viruses or steal your personal and financial information.


Example of ransomware

What to do if you think you’ve been a victim of ransomware

If you’ve already paid the scammers, you should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

To detect and remove ransomware and other malicious software that might be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products can detect and remove this threat:

More information about how to prevent and get rid of ransomware


March 2014 Security Bulletin Webcast and Q&A

March 17th, 2014 No comments

Today we published the March 2014 Security Bulletin Webcast Questions & Answers page. We answered eight questions in total, with the majority focusing on the updates for Windows (MS14-016) and Internet Explorer (MS14-012). One question that was not answered on air has been included on the Q&A page.

Here is the video replay.

We invite you to join us for the next scheduled webcast on Wednesday, April 9, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the April bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

Date: Wednesday, April 9, 2014
Time: 11:00 a.m. PDT (UTC -7)
Register:
Attendee Registration

I look forward to seeing you next month.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Thanks to you the Microsoft #Do1Thing initiative donates $50,000 to TechSoup Global

Together we've raised $50,000

On Safer Internet Day, February 11, 2014, Microsoft launched the interactive Safer Online website. Every time you made your #Do1Thing promise or shared the website with your social circles, Microsoft made a donation to TechSoup Global.

In less than 24 hours, so many of you promised to #Do1Thing to stay safer that Microsoft donated $50,000 to TechSoup Global! But it wasn’t just the promise alone.

“As communities around the world use the Internet to learn and connect, developing responsible online safety habits is something each of us should act on,” says Rebecca Masisak, CEO of TechSoup Global. “We appreciate being a part of Safer Internet Day. And with your contributions, TechSoup Global will further develop and deliver online safety education training materials and guidance to be shared across our global network.”

So far, people from five continents have shared what they are doing to help create a better Internet. What’s the number one global promise so far? Creating strong passwords and regularly changing them. Other popular responses included: two-step authentication for online accounts, sharing minimal personal information, using secured Wi-Fi connections, and shopping on https-enabled websites.

Of those who answered our Safer Online polling questions:

  • Nearly half (47 percent) of participants chose learning as the greatest benefit the Internet has brought to their lives, while 17 percent chose exploring, and 10 percent go online for entertainment purposes.
  • Website visitors were also asked which potential online risks concern them the most. Of the nine choices, 28 percent selected financial loss as the most concerning, with 22 percent opting for loss of personal privacy, and 19 percent finding forms of malware on their device the greatest concern.
  • Finally, over two thirds (76 percent) of respondents edit or remove online information that may impact their reputation. Learn how to take charge of your online reputation.

If you haven’t done so yet, share your #Do1Thing story, see what others around the world are promising, and get online safety tips to help you stay safer online, today and every day!