    Some developers are fouling up open-source software

    One of the most amazing things about open-source isn’t that it produces great software. It’s that so many developers put their egos aside to create great programs with the help of others. Now, however, a handful of programmers are putting their own concerns ahead of the good of the many and potentially wrecking open-source software for everyone.

    For example, Brandon Nozaki Miller, the JavaScript package maintainer known on npm as RIAEvangelist, wrote and published an open-source npm package called peacenotwar. It did little but print a message for peace to desktops. So far, so harmless. Miller then inserted malicious code into the package to overwrite users’ filesystems if their computer had a Russian or Belarusian IP address. He then added it as a dependency to his popular node-ipc program, and instant chaos! Numerous servers and PCs went down: they updated to the newest code, and then their drives were erased.

    Miller’s defense, “This is all public, documented, licensed and open source,” doesn’t hold up. Liran Tal, the Snyk researcher who uncovered the problem, said, “Even if the deliberate and dangerous act [is] perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?”

    Miller is not a random crank. He’s produced a lot of good code, such as node-ipc and Node HTTP Server. But can you trust any of his code not to be malicious? While he describes it as “not malware, [but] protestware which is fully documented,” others venomously disagree.

    As one GitHub programmer wrote, “What’s going to happen with this is that security teams in Western corporations that have absolutely nothing to do with Russia or politics are going to start seeing free and open-source software as an avenue for supply chain attacks (which this totally is) and simply start banning free and open-source software — all free and open-source software — within their companies.” As another GitHub developer with the handle nm17 wrote, “The trust factor of open source, which was based on the good will of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought ‘was the right thing to do.’”

    Both make valid points. When you can’t use source code unless you agree with the political stance of its maker, how can you use it with confidence? Miller’s heart may be in the right place — Slava Ukraini! — but is open-source software infected with a malicious payload the right way to protest Russia’s invasion of Ukraine? No, it’s not. The open-source method only works because we trust each other. When that trust is broken, no matter for what cause, then open-source’s fundamental framework is broken. As Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, said in 2021 when students from the University of Minnesota deliberately tried to insert bad code into the Linux kernel for an experiment, “What they are doing is intentional malicious behavior and is not acceptable and totally unethical.”

    People have long argued that open-source licenses should include ethical provisions. For example, 2009’s Exception General Public License (eGPL), a revision of the GPLv2, tried to forbid “exceptions,” such as military users and suppliers, from using its code. It failed. Other licenses, such as the JSON license with its sweetly naive “the software shall be used for good, not evil” clause, are still around, but no one enforces them. More recently, activist and software developer Coraline Ada Ehmke introduced an open-source license that requires its users to act morally. Specifically, her Hippocratic license added to the MIT open-source license a clause stating: “The software may not be used by individuals, corporations, governments, or other groups for systems or activities that actively and knowingly endanger, harm, or otherwise threaten the physical, mental, economic, or general well-being of underprivileged individuals or groups in violation of the United Nations Universal Declaration of Human Rights.”

    Sounds good, but it’s not open source. You see, open-source is in and of itself an ethical position. Its ethics are contained in the Free Software Foundation’s (FSF) Four Essential Freedoms. This is the foundation for all open-source licenses and their core philosophy. As open-source legal expert and Columbia law professor Eben Moglen said at the time, explaining why ethical licenses can’t be free software or open-source licenses: “Freedom zero, the right to run the program for any purpose, comes first in the four freedoms because if users do not have that right with respect to computer programs they run, they ultimately do not have any rights in those programs at all. Efforts to give permission only for good uses, or to prohibit bad ones in the eyes of the licensor, violate the requirement to protect freedom zero.” In other words, if your code can’t be run for any purpose, your code isn’t truly open-source.

    Another, more pragmatic, argument against forbidding one group from using open-source software is that blocking on something such as an IP address paints with a very broad brush. Florian Roth, Head of Research at the security company Nextron Systems, considered “disabling my free tools on systems with certain language and time zone settings,” but finally decided not to. Why? Because by doing so, “we would also disable the tools on systems of critics and freethinkers that condemn the actions of their governments.”

    Unfortunately, it’s not just people trying to use open-source for what they see as a higher ethical purpose who are causing trouble for open-source software. Earlier this year, JavaScript developer Marak Squires deliberately sabotaged his obscure but vitally important open-source JavaScript libraries ‘colors.js’ and ‘faker.js.’ The result? Tens of thousands of JavaScript programs blew up.

    Why? It’s still not entirely clear, but in a since-deleted GitHub post, Squires wrote, “Respectfully, I am no longer going to support Fortune 500s ( and other smaller-sized companies ) with my free work. There isn’t much else to say. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.” As you might imagine, this attempt to blackmail his way to a paycheck didn’t work out so well for him.

    And then there are people who deliberately put malware into their open-source code for fun and profit. For example, the DevOps security firm JFrog discovered 17 new malicious JavaScript packages in the npm repository that deliberately steal users’ Discord tokens, which can then be used on the Discord communications and digital distribution platform. Besides creating new malicious open-source programs that look innocent and helpful, other attackers are taking old, abandoned software and rewriting it to include cryptocurrency-stealing backdoors. One such program was event-stream. It had malicious code inserted into it to steal bitcoin wallets and transfer their balances to a server in Kuala Lumpur. There have been several similar episodes over the years.

    With each such move, faith in open-source software is worn down. Since open-source is absolutely vital to the modern world, this is a lousy trend. What can we do about it? Well, for one thing, we should consider very carefully indeed when, if ever, we should block the use of open-source code. More practically, we must start adopting the Linux Foundation’s Software Package Data Exchange (SPDX) and Software Bills of Materials (SBOMs). Together these will tell us exactly what code we’re using in our programs and where it comes from. Then, we’ll be much more able to make informed decisions.

    Today, all too often, people use open-source code without knowing exactly what they’re running or checking it for problems. They assume all’s well with it. That’s never been a smart assumption. Today, it’s downright foolish. Even with all these recent changes, open-source is still better and safer than the black-box proprietary software alternatives. But we must check and verify code instead of blindly trusting it. It’s the only smart thing to do going forward.

    Windows 11 security: How to protect your home and small business PCs

    When it comes to security at home and in your small business, you’re on your own. Large businesses typically have dedicated IT staff tasked with ensuring the security of a corporate network and preventing outsiders from stealing data or planting ransomware. You have … yourself.

    The worst time to start thinking about security for the PCs on your network is after you’ve experienced a catastrophic incident. The best time is right now, which is why we’ve put this guide together.

    Following the steps we lay out here should help you understand which security issues are most important and, based on that knowledge, establish a security baseline. This isn’t a set-it-and-forget-it task, unfortunately. Online attackers are determined, and the threat landscape is constantly evolving. Maintaining effective security requires continued vigilance and ongoing effort.

    In this guide, we focus on more than just the Windows 11 device itself, because many of the threats come from outside. To stay secure, you need to pay close attention to network traffic, email accounts, authentication mechanisms, and unsophisticated users.

    This guide focuses primarily on the needs of PC owners managing Windows 11 PCs in a home or small business environment, without full-time IT staff. For installations where you’re required to connect to a business network, you’ll need to coordinate your personal security configuration with corporate policies. In some cases, device management policies will prevent you from adjusting some settings.

    Before you touch a single Windows setting, though, take some time for a threat assessment. In particular, be aware of your legal and regulatory responsibilities in the event of a data breach or other security-related event. Even small businesses can be subject to compliance requirements; if that applies to you, consider hiring a specialist who knows your industry and can ensure that your systems meet all applicable requirements.

    Where can I get an overview of Windows 11 security?

    ☑ Monitor the Windows Security app regularly

    In Windows 10, Microsoft introduced the Windows Security app, which consolidates security settings and status information into a single location. The Windows 11 version of this app adds some features and should be a regular part of your security monitoring.

    From this starting point, you can inspect (and adjust) settings for antivirus and anti-malware software, device security, firewall and network protection, and other crucial security options. Green checkmarks indicate there are no issues that need immediate attention. Yellow and red icons indicate security issues that need to be addressed.

    When visiting an app like this, the natural temptation is to click every category and turn on every option you see. Resist that urge, especially in the Exploit Protection section. Changes you make here can have unintended consequences in everyday activities, especially with older apps. The default settings should be adequate for most systems. If you choose to make changes here, do so gradually, and don’t make any additional changes until you’re certain that the previous adjustments worked as expected.

    What’s the best way to keep Windows 11 up to date?

    ☑ Set an installation/deferral policy for security updates

    The single most important security setting for any Windows 11 PC is ensuring that updates are installed on a regular, predictable schedule. That’s true of every modern computing device, of course, but the “Windows as a service” model that Microsoft introduced with Windows 10 changes the way you manage updates.

    Before you begin, though, it’s important to understand the different types of Windows updates and how they work.

    Quality updates are delivered monthly through Windows Update on the second Tuesday of each month. They address security and reliability issues and do not include new features. (These updates also include patches for microcode flaws in Intel processors.) For particularly severe security issues, Microsoft might choose to release an out-of-band update that is not tied to the normal monthly schedule. All quality updates are cumulative, so you no longer have to download dozens or even hundreds of updates after performing a clean install of Windows 11. Instead, you can install the latest cumulative update and you will be completely up to date.

    Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup. Microsoft’s current policy is to release one Windows 11 feature update per year, in the second half of the year. Feature updates are delivered through Windows Update and are not installed automatically unless the current version has reached the end of its support lifecycle.

    Using default settings, Windows 11 downloads and installs quality updates shortly after they’re made available on Microsoft’s update servers. On devices running Windows 11 Home, there’s no supported way to specify exactly when these updates are installed; on PCs running business editions of Windows 11 (Pro, Enterprise, or Education), you can use Group Policy settings to defer installation of quality updates by up to 30 days after their release. Regardless of which edition is installed, users can manually pause all updates for up to five weeks.

    As with all security decisions, choosing when to install updates involves a trade-off. Installing updates immediately after they’re released offers the best protection; deferring updates makes it possible to minimize unscheduled downtime associated with those updates.

    Using the Windows Update for Business features built into Windows 11 Pro, Enterprise, and Education editions, you can defer installation of quality updates by up to 30 days. You can also delay feature updates by as much as two years, depending on the edition. Deferring quality updates by 7 to 15 days is a low-risk way of avoiding the possibility of installing a flawed update that can cause stability or compatibility problems. In Windows 11, the only way to adjust Windows Update for Business settings is by using the Local Group Policy Manager (Gpedit.msc); the relevant policies are in Computer Configuration > Administrative Templates > Windows Components > Windows Update.

    On enterprise networks, administrators can manage updates using Group Policy or mobile device management (MDM) software. Updates can also be managed centrally using a management tool such as System Center Configuration Manager or Windows Server Update Services.

    Finally, your software update strategy shouldn’t stop at Windows itself. Make sure that updates for Windows applications, including Microsoft Office and Adobe applications, are installed automatically.
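    The deferral policy described above can be set and audited from PowerShell rather than by clicking through Gpedit.msc. The script below is an added example, not part of the ZDNet guide: it writes the same registry values that the "Select when Quality Updates are received" and "Select when Preview Builds and Feature Updates are received" policies set under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, reads them back, and flags a configuration that is missing or defers quality updates beyond the 7-to-15-day window the guide recommends. The function names and the 180-day feature deferral are my own choices; run it from an elevated prompt on a business edition (Home ignores these policies).

```powershell
# Added example, not from the article. Windows Update for Business deferral policy via
# the policy registry keys that Group Policy itself writes. Requires an elevated prompt.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-UpdateDeferralPolicy {
    param(
        # Page's guidance: 7 to 15 days is low-risk; the policy maximum is 30.
        [ValidateRange(0, 30)] [int] $QualityDays = 7,
        # Chosen for this example; the guide says feature updates can be delayed
        # far longer, depending on edition.
        [int] $FeatureDays = 180
    )
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($entry in @(
        @{ Name = 'DeferQualityUpdates';             Value = 1 },
        @{ Name = 'DeferQualityUpdatesPeriodInDays'; Value = $QualityDays },
        @{ Name = 'DeferFeatureUpdates';             Value = 1 },
        @{ Name = 'DeferFeatureUpdatesPeriodInDays'; Value = $FeatureDays }
    )) {
        New-ItemProperty -Path $PolicyPath -Name $entry.Name -PropertyType DWord `
            -Value $entry.Value -Force | Out-Null
    }
}

function Get-UpdateDeferralPolicy {
    # Returns the effective deferral in days (0 when the switch is off or unset).
    if (-not (Test-Path $PolicyPath)) {
        return [pscustomobject]@{ Configured = $false; QualityDays = 0; FeatureDays = 0 }
    }
    $p = Get-ItemProperty -Path $PolicyPath
    $quality = 0
    if ($p.DeferQualityUpdates -eq 1) { $quality = [int]$p.DeferQualityUpdatesPeriodInDays }
    $feature = 0
    if ($p.DeferFeatureUpdates -eq 1) { $feature = [int]$p.DeferFeatureUpdatesPeriodInDays }
    [pscustomobject]@{ Configured = $true; QualityDays = $quality; FeatureDays = $feature }
}

function Test-UpdateDeferralPolicy {
    # Two failure modes worth flagging: no deferral policy at all (updates land the moment
    # they ship, with no window to catch a bad one) and a deferral so long that the PC
    # stays exposed to already-patched bugs.
    $cfg = Get-UpdateDeferralPolicy
    $findings = @()
    if (-not $cfg.Configured) {
        $findings += 'No Windows Update for Business deferral policy is configured'
    } elseif ($cfg.QualityDays -gt 15) {
        $findings += "Quality updates deferred $($cfg.QualityDays) days; 7 to 15 recommended"
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Set-UpdateDeferralPolicy -QualityDays 7 -FeatureDays 180
Get-UpdateDeferralPolicy
Test-UpdateDeferralPolicy
```

    After running it, open Settings > Windows Update and confirm the "Some settings are managed by your organization" banner appears; that is how Windows indicates a policy value is in force. Removing the four values (or the key) returns the PC to default behaviour.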

    How do I configure user accounts for maximum security?

    ☑ Sign in using a Microsoft account with multi-factor authentication
    ☑ Create standard accounts for inexperienced users
    ☑ Install a password manager for every user
    ☑ Set up multi-factor authentication on all online accounts
    ☑ For home PCs, consider setting up family safety features

    Microsoft sparked controversy with its decision to require a Microsoft account when setting up a PC with Windows 11 Home edition for the first time. I’ve also seen some online angst over the recent announcement that Microsoft plans to extend that requirement to Windows 11 Pro machines set up for personal use.

    If you already have a personal Microsoft account tied to services like Microsoft 365 Home or Family or an Xbox Live account, signing in with a Microsoft account makes it easy to access your Office apps, OneDrive storage, and online gaming.

    Even if you use no Microsoft services, however, there’s a solid security benefit behind that design decision. When you sign in with a Microsoft account, the system drive is encrypted by default, and the recovery key is backed up to a secure location, accessible by signing in to that Microsoft account. That minimizes the risk that a forgotten password can lead to catastrophic data loss.

    If you don’t use Microsoft services, feel free to create a brand-new Microsoft account on the fly, as part of the setup process, and use that new account exclusively for signing in to Windows 11. You get the benefits of full system disk encryption, multi-factor authentication, and (if you choose to use it) 5 GB of OneDrive storage, at no extra cost. Just think of it as a local account whose username has @microsoft.com on the end.

    If you’re still determined to use a local account, set up the PC using a throwaway Microsoft account first, and then make the switch to a local account. Just be aware that doing so means you’ll also have to find a different encryption option, and you won’t have any recovery mechanism if you forget your sign-in credentials.

    With all that out of the way, do the following as well:

    Set up multi-factor authentication for your Microsoft account. (You’ll find full instructions here: “How to lock down your Microsoft account and keep it safe from outside attackers.”)

    Create standard accounts for other users (and even for yourself). Your primary account, by default, has administrator privileges. If other people (employees or family members) use the same PC, give them standard accounts that are unable to change system settings or install untrusted software without your approval. You can also give yourself a standard account for everyday use, but that’s a needless precaution that will simply force you to type in a password instead of clicking OK in a User Account Control dialog box.

    Install a password manager and make sure all your online accounts have strong, unique login credentials.

    Set up multi-factor authentication for online accounts wherever it’s available. (See “Multi-factor authentication: How to enable 2FA to step up your security.”)

    For PCs at home, set up children’s access using standard accounts and consider setting up the family safety features in Windows 11. You can use those options to set authorized times for young people to be online and to help keep them from straying into unsavory corners of the internet. You’ll find all the links you need in the Windows Security app.
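    The "standard accounts for other users" step can be done and checked from PowerShell, which also makes it easy to see who currently holds administrator rights. The following is an added example, not code from the guide: it uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets to list every member of the local Administrators group, create a standard user (a member of Users only, so UAC will require an administrator's approval for system changes), and flag two things worth reviewing: an enabled built-in Administrator account and any groups nested inside Administrators. The account name is a constructed placeholder; run from an elevated prompt.

```powershell
# Added example, not from the article. Local account hygiene for a home/small-business PC.
# Requires an elevated prompt and the built-in Microsoft.PowerShell.LocalAccounts module.

function Get-AdminAccountReport {
    # Every member of the local Administrators group, with enabled/disabled state for
    # local user accounts, so accounts that should be demoted to standard stand out.
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $enabled = $null
        if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
            $enabled = (Get-LocalUser -SID $member.SID).Enabled
        }
        [pscustomobject]@{
            Name    = $member.Name
            Source  = $member.PrincipalSource   # Local, MicrosoftAccount, ActiveDirectory, AzureAD
            Class   = $member.ObjectClass       # User or Group
            Enabled = $enabled                  # $null for non-local principals
        }
    }
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $FullName = $Name
    )
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        throw "Local user '$Name' already exists"
    }
    # New-LocalUser creates the account without group membership; adding it to Users
    # (and nothing else) is what makes it a standard account.
    $user = New-LocalUser -Name $Name -Password $Password -FullName $FullName `
        -Description 'Standard (non-administrator) account'
    Add-LocalGroupMember -Group 'Users' -Member $user
    $user
}

function Test-AdministratorHygiene {
    $findings = @()
    # The built-in Administrator account always has relative ID 500; it is disabled by
    # default on client Windows and should stay that way.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Enabled) {
        $findings += 'Built-in Administrator account (RID 500) is enabled'
    }
    # Groups nested in Administrators grant admin rights to everyone in them; on a
    # domain-joined PC "Domain Admins" is expected, anything else deserves a look.
    $nested = Get-LocalGroupMember -Group 'Administrators' | Where-Object ObjectClass -eq 'Group'
    foreach ($g in $nested) {
        $findings += "Group '$($g.Name)' is nested in Administrators; review its membership"
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Get-AdminAccountReport | Format-Table -AutoSize
Test-AdministratorHygiene
# Constructed usage; prompt for the password rather than hard-coding it in a script:
# New-StandardUser -Name 'familymember' -Password (Read-Host -AsSecureString 'Initial password')
```

    Accounts that sign in with a Microsoft account appear in the report with Source MicrosoftAccount; they are still local accounts for group-membership purposes, so demoting one is the same Remove-LocalGroupMember -Group Administrators call as for any other user.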

    How do I keep Windows 11 hardware secure?

    ☑ Check the status of your TPM
    ☑ Ensure that Secure Boot is enabled
    ☑ Turn on Windows Hello, using biometric authentication if it’s available

    Microsoft’s hardware compatibility rules for Windows 11 upped the security game for PCs, although not without controversy. Previously, the governing principle for every new Windows version was maximum backward compatibility, with even 10-year-old PCs being eligible to install the new operating system.

    That all changed with Windows 11. For the first time ever, the official hardware specifications were (a) dramatically increased from the previous version and (b) applied not just to new hardware from PC makers but also to upgraders.

    The biggest change is the requirement for a Trusted Platform Module (TPM) version 2.0, along with the requirement to enable Secure Boot, a feature that uses cryptographic signatures to ensure that a device boots with an operating system that hasn’t been tampered with. (If you’re willing to make a few registry edits, you can install Windows 11 on a PC with an older TPM version and an unsupported CPU. For details, see this Microsoft support document: “Ways to install Windows 11.”)

    From the Device Security page in the Windows Security app, you can check both of these settings. If you see entries for Security Processor and Secure Boot, you’re good to go. If one or both of those entries are missing, you’ll need to go into the device’s firmware settings to enable the corresponding feature. Although there are advanced configurations in which you might need to disable Secure Boot for troubleshooting purposes, it’s best to leave this setting alone.

    Finally, set up a Windows Hello PIN and enable biometric authentication if your device has a fingerprint reader or an infrared camera that supports facial recognition.

    What’s the best way to protect data files?

    ☑ Turn on BitLocker encryption for all data drives
    ☑ Back up your encryption keys
    ☑ Back up data files to the cloud
    ☑ Back up critical data files to local storage

    Replacing a stolen laptop is inconvenient and expensive. Dealing with lost or stolen data is a nightmare. Physical security has its own challenges, but when it comes to keeping your data secure, you have two key goals:

    Encrypt your data files. If your computer or storage device is stolen, the thief can’t access files that are protected with robust encryption and a strong password.

    Back up your data files. With a good backup plan, you can restore files that are lost or damaged (even if the cause is hardware failure) and get back to work with a minimum of downtime.

    Those precautions are especially important for files containing sensitive personal or financial information for customers or clients. If you work in a regulated industry or you’re subject to data breach laws, the impact of a loss is even worse.

    On a Windows 11 device, the single most important configuration change you can make is to enable BitLocker Device Encryption on the system drive and on all secondary drives, including USB flash drives. (BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows. BitLocker features are identical on Windows 10 and Windows 11.)

    With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. BitLocker uses the Trusted Platform Module (TPM) chip to store the encryption keys.

    The steps to turn on BitLocker Device Encryption differ depending on which edition of Windows 11 is installed:

    Windows 11 Home: This edition supports strong device encryption, but only if you’re signed in with a Microsoft account. It doesn’t include the BitLocker management tools.

    Windows 11 Pro, Enterprise, or Education: These business editions provide full access to the BitLocker management tools. For full management capabilities, you’ll need to set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory account. On an unmanaged device running a business edition of Windows 11, you can set up BitLocker using a local account or a Microsoft account, but you’ll need to use the BitLocker management tools to enable encryption on available drives.

    It is crucial that you back up the recovery key for a BitLocker-encrypted drive. If you ever have to reinstall Windows or experience account problems, you’ll need that 48-digit number to access the data.

    If you sign in with a Microsoft account, the BitLocker recovery key is saved in OneDrive by default. You can access it by signing in at onedrive.com/recoverykey. I recommend that you print a copy of that key and file it in a safe place, just in case.

    On a managed PC using a domain or AAD account, the recovery key is saved in a location that is available to the domain or AAD administrator. On a personal device, you can use the Manage BitLocker app to save or print a copy of that recovery key.

    Don’t forget to encrypt portable storage devices. USB flash drives, MicroSD cards used as expansion storage, and portable hard drives are easily lost, but the data can be protected from prying eyes with the use of BitLocker To Go, which uses a password to decrypt the drive’s contents. (For details, see “Protect removable storage devices with BitLocker encryption.”)

    Finally, make sure that crucial data files are backed up to the cloud and to local storage (on an encrypted drive, naturally). This precaution can be invaluable if you suffer a disk crash, and it’s also excellent protection against ransomware attacks.

    If you’re concerned about putting sensitive files in the cloud, encrypt the files using third-party software such as Boxcryptor, or consider a zero-knowledge service that has no access to your encryption keys, such as SpiderOak CrossClave.
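    On a business edition, the BitLocker management tools the guide refers to include a PowerShell module, and the two checklist items above (encrypt data drives, back up the keys) map directly onto it. The script below is an added example, not the guide's own code: it encrypts a removable drive with BitLocker To Go using a password plus a 48-digit recovery password, reports any volume that is unencrypted or encrypted without a recovery password protector, and writes every recovery password on the PC to a text file for printing or filing on an encrypted drive. The drive letter E: and the output path are constructed placeholders; run it from an elevated prompt.

```powershell
# Added example, not from the article. BitLocker To Go plus recovery-key backup using the
# built-in BitLocker PowerShell module (Windows 11 Pro/Enterprise/Education, elevated).

function Enable-BitLockerToGo {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,     # e.g. 'E:' (constructed placeholder)
        [Parameter(Mandatory)] [securestring] $Password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do"
        return $vol
    }
    # Password protector: the drive can be unlocked on any Windows PC that knows it.
    # XTS-AES 256 is the stronger cipher the guide's companion BitLocker article mentions.
    # -UsedSpaceOnly is fast for a new drive; omit it for a drive that previously held
    # sensitive files, so that free space holding old data is encrypted too.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    # A recovery password is the 48-digit fallback for a forgotten drive password.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Test-BitLockerCoverage {
    # Flags drives with protection off, and encrypted drives that have no recovery
    # password protector (a TPM-only OS drive becomes unrecoverable after a board swap).
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$($vol.MountPoint) ($($vol.VolumeType)): protection is $($vol.ProtectionStatus)"
            continue
        }
        $hasRecovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $hasRecovery) {
            $findings += "$($vol.MountPoint): encrypted but has no recovery password protector"
        }
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

function Export-BitLockerRecoveryKeys {
    param([Parameter(Mandatory)] [string] $OutFile)
    $rows = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                VolumeType     = $vol.VolumeType        # OperatingSystem or Data
                KeyProtectorId = $kp.KeyProtectorId     # shown in the recovery prompt, identifies the key
                RecoveryKey    = $kp.RecoveryPassword   # the 48-digit number
            }
        }
    }
    # Write the file only to an already-encrypted location; it unlocks every drive listed.
    $rows | Format-Table -AutoSize | Out-String | Set-Content -Path $OutFile
    $rows
}

Test-BitLockerCoverage
# Constructed usage:
# Enable-BitLockerToGo -MountPoint 'E:' -Password (Read-Host -AsSecureString 'Drive password')
# Export-BitLockerRecoveryKeys -OutFile 'D:\Secure\bitlocker-recovery-keys.txt'
```

    Get-BitLockerVolume lists removable drives only while they are attached, so rerun the export after adding a new USB drive. On an Azure AD-joined PC the module also offers BackupToAAD-BitLockerKeyProtector, which escrows a recovery password to the tenant instead of a file.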

    How do I protect my Windows 11 PC from malicious software?

    ☑ Configure security software
    ☑ Configure anti-spam protection
    ☑ Manage which apps standard user accounts are allowed to run

    Security software is one layer in a defensive strategy designed to keep threats from ever reaching a PC. It’s no longer the most important layer, but it’s still crucial to have up-to-date security software.

    Every installation of Windows 11 includes built-in antivirus and anti-malware software called Microsoft Defender Antivirus, which updates itself using the same mechanism as Windows Update. Microsoft Defender Antivirus is designed to be a set-it-and-forget-it feature and doesn’t require any manual configuration. If you install a third-party security package, Windows disables the built-in protection and allows that software to detect and remove potential threats.

    To check the status of Microsoft Defender Antivirus, use the Virus & Threat Protection page in the Windows Security app. (You’ll find ransomware protection options under the Controlled Folder Access heading.)

    Large organizations that use Windows Enterprise edition can deploy Microsoft Defender for Endpoint, a security platform that monitors Windows 11 PCs and other managed devices using behavioral sensors. Using cloud-based analytics, these tools can identify suspicious behavior and alert administrators to potential threats.

    For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft’s SmartScreen technology is another built-in feature that scans downloads and blocks the execution of those that are known to be malicious. SmartScreen also blocks unrecognized programs but allows the user to override that block if necessary. It’s worth noting that SmartScreen in Windows 11 works independently of browser-based technology such as Google’s Safe Browsing service and the SmartScreen Filter service in Microsoft Edge.

    On unmanaged PCs, SmartScreen is another feature that requires no manual configuration. You can adjust its configuration using the App & Browser Control settings in the Windows Security app.

    Another crucial vector for potentially malicious code is email, where seemingly innocuous file attachments and links to malicious websites can result in infection. Although email client software can offer some protection in this regard, blocking these threats at the server level is the most effective way to prevent attacks on PCs.

    An effective approach for preventing users with standard accounts from running unwanted programs (including malicious code) is to configure a Windows 11 PC so that it’s prevented from running any apps except those you specifically authorize. To adjust this setting on a single PC, go to Settings > Apps > Apps & Features; under the Choose Where To Get Apps heading, select The Microsoft Store Only. This setting allows previously installed apps to run, but prevents installation of any downloaded programs from outside the Store.
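    Everything the Virus & Threat Protection and App & Browser Control pages show can also be read from PowerShell, which is useful for the "monitor the Windows Security app regularly" item earlier in the guide as well as for this section. The script below is an added example, not the guide's: it gathers Defender status, signature age, Controlled Folder Access (the ransomware protection the guide points at), potentially unwanted application (PUA) blocking, and the SmartScreen "check apps and files" setting; reports anything that is off or stale; and offers a function that turns on ransomware protection and PUA blocking. The three-day signature-age threshold and the function names are my own choices; run from an elevated prompt.

```powershell
# Added example, not from the article. Defender / SmartScreen posture check using the
# built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference).

function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # Explorer's "Check apps and files" SmartScreen setting: Warn (default), Block, or Off.
    $ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
        -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $smartScreen = 'not set (default: on)'
    if ($ss) { $smartScreen = $ss.SmartScreenEnabled }
    [pscustomobject]@{
        AntivirusEnabled        = $status.AntivirusEnabled
        RealTimeProtection      = $status.RealTimeProtectionEnabled
        TamperProtection        = $status.IsTamperProtected
        SignatureAgeDays        = $status.AntivirusSignatureAge
        LastQuickScan           = $status.QuickScanEndTime
        ControlledFolderAccess  = $pref.EnableControlledFolderAccess  # 0 off, 1 on, 2 audit
        PUAProtection           = $pref.PUAProtection                 # 0 off, 1 block, 2 audit
        SmartScreenAppsAndFiles = $smartScreen
    }
}

function Test-DefenderPosture {
    $p = Get-DefenderPosture
    $findings = @()
    if (-not $p.AntivirusEnabled) {
        # Expected when a third-party product has taken over; confirm that product is healthy.
        $findings += 'Microsoft Defender Antivirus is disabled'
    }
    if (-not $p.RealTimeProtection) { $findings += 'Real-time protection is off' }
    if (-not $p.TamperProtection)   { $findings += 'Tamper protection is off' }
    if ($p.SignatureAgeDays -gt 3)  { $findings += "Signatures are $($p.SignatureAgeDays) days old" }
    if ($p.ControlledFolderAccess -ne 1) {
        $findings += 'Controlled Folder Access (ransomware protection) is not enabled'
    }
    if ($p.PUAProtection -ne 1) { $findings += 'Potentially unwanted app blocking is not enabled' }
    if ($p.SmartScreenAppsAndFiles -eq 'Off') { $findings += 'SmartScreen for apps and files is off' }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

function Enable-DefenderBaseline {
    # Controlled Folder Access blocks unapproved apps from writing to Documents, Pictures
    # and similar folders, which can break legitimate older software. Start in AuditMode,
    # review the Windows Security app's block history, then switch to Enabled.
    param([switch] $AuditOnly)
    $cfa = 'Enabled'
    if ($AuditOnly) { $cfa = 'AuditMode' }
    Set-MpPreference -EnableControlledFolderAccess $cfa
    Set-MpPreference -PUAProtection Enabled
    Get-DefenderPosture
}

Get-DefenderPosture
Test-DefenderPosture
# Enable-DefenderBaseline -AuditOnly
```

    If an app is wrongly blocked once Controlled Folder Access is on, add it with Add-MpPreference -ControlledFolderAccessAllowedApplications rather than turning the feature off.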

    What’s the best way to prevent attacks over the network?

    ☑ Use a hardware firewall
    ☑ Leave the Windows firewall turned on
    ☑ Protect your Wi-Fi account

    The gateway for your cable, fiber, DSL, or other wired internet connection should include a firewall feature that prevents outsiders from connecting to PCs that are on your internal network. Check the management interface for that device (access is typically through a web-based portal that connects to a private IP address like 192.168.1.1 or 10.0.0.1). Make sure those security features are enabled, and consider changing the default administrative credentials (admin/password is common) to something more secure.

    Every version of Windows shipped in the past two decades has included a stateful inspection firewall. In Windows 11, this firewall is enabled by default and doesn’t need any tweaking to be effective. As with its predecessors, the Windows 11 firewall supports three different network configurations: Domain, Private, and Public. Apps that need access to network resources can generally configure themselves as part of the initial setup.

    To adjust basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. For a far more comprehensive, expert-only set of configuration tools, click Advanced Settings to open the legacy Windows Defender Firewall with Advanced Security console. On managed networks, these settings can be controlled through a combination of Group Policy and server-side settings.

    From a security standpoint, the biggest network-based threats to a Windows PC arise when connecting to wireless networks. Large organizations can significantly improve the security of wireless connections by adding support for the 802.1x standard, which uses per-user access controls instead of the shared password used on WPA2 wireless networks. Windows 10 and Windows 11 will prompt for a username and password when attempting to connect to this type of network and will reject unauthorized connections. On networks that use a shared password, make sure that visitors connect to a separate guest network.

    For times when you must connect using an untrusted wireless network, the best alternative is to set up a virtual private network (VPN). Windows 11 supports the most popular VPN packages used on corporate networks; to configure this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.
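    The "leave the Windows firewall turned on" item and the Domain/Private/Public distinction can be verified from PowerShell with the NetSecurity cmdlets that sit behind the Advanced Security console. The script below is an added example, not the guide's: it reports the state of all three profiles, flags a disabled profile, a profile that allows inbound traffic by default, and any enabled inbound allow rule that is open to every remote address on the Public profile (the profile an untrusted Wi-Fi network should get), and includes a helper that moves any Wi-Fi connection currently marked Private to Public. Function names are mine; run from an elevated prompt.

```powershell
# Added example, not from the article. Windows firewall profile audit and Wi-Fi network
# category check using the built-in NetSecurity / NetConnection cmdlets (elevated prompt).

function Get-FirewallPosture {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

function Test-FirewallPosture {
    $findings = @()
    foreach ($profile in Get-NetFirewallProfile) {
        if (-not $profile.Enabled) {
            $findings += "Firewall profile $($profile.Name) is disabled"
        }
        if ($profile.DefaultInboundAction -eq 'Allow') {
            $findings += "Profile $($profile.Name) allows unsolicited inbound traffic by default"
        }
    }
    # An enabled inbound allow rule that applies on Public and accepts any remote address
    # exposes that service to every device on a coffee-shop network. This loop is slow on
    # PCs with hundreds of rules because each rule's address filter is fetched separately.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' }
    foreach ($rule in $rules) {
        $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
        if ($addr.RemoteAddress -eq 'Any') {
            $findings += "Inbound allow rule open to any address on Public: $($rule.DisplayName)"
        }
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

function Repair-FirewallPosture {
    # Re-enable every profile and restore the default of blocking unsolicited inbound traffic.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    Get-FirewallPosture
}

function Set-WiFiNetworksPublic {
    # The network category decides which firewall profile applies. Marking wireless
    # connections Public applies the strictest profile and turns off network discovery
    # and file sharing on that network; a wired home/office network you control may stay Private.
    foreach ($conn in Get-NetConnectionProfile) {
        $adapter = Get-NetAdapter -InterfaceIndex $conn.InterfaceIndex
        if ($adapter.PhysicalMediaType -like '*802.11*' -and $conn.NetworkCategory -ne 'Public') {
            Set-NetConnectionProfile -InterfaceIndex $conn.InterfaceIndex -NetworkCategory Public
            "Set '$($conn.Name)' on $($adapter.Name) to Public"
        }
    }
}

Get-FirewallPosture | Format-Table -AutoSize
Test-FirewallPosture
# Repair-FirewallPosture
# Set-WiFiNetworksPublic
```

    A rule flagged by Test-FirewallPosture is not necessarily wrong (a file-sharing rule may be intended on the home network); the fix for a rule that should only work at home is to scope it with Set-NetFirewallRule -Profile Private rather than to disable it.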

    BitLocker Guide: How to use this Windows encryption tool to protect your data

    A hands-on guide

    If your PC were lost or stolen, you’d probably cringe at the cost of replacing it. But that’s nothing compared to what you’d stand to lose if someone had unfettered access to the data on that device. Even if they can’t sign in using your Windows user account, a thief could boot from a removable device and browse the contents of the system drive with impunity. The most effective way to stop that nightmare scenario is to encrypt the entire device so that its contents are only available to you or someone with the recovery key.

    All editions of Windows 10 and Windows 11 include XTS-AES 128-bit device encryption options that are robust enough to protect against even the most determined attacks. Using management tools, you can increase the encryption strength to XTS-AES 256. On modern devices, the encryption code also performs pre-boot system integrity checks that detect attempts to bypass the boot loader. BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows (desktop and server). A limited but still effective subset of BitLocker device encryption features is also available in Windows 10 and Windows 11 Home editions. Here’s how to make sure your data is protected.

    What are the hardware requirements for BitLocker?

    The most important hardware feature required to support BitLocker Device Encryption is a Trusted Platform Module chip, or TPM. The device also needs to support the Modern Standby feature (formerly known as InstantGo).

    Virtually all devices that were originally manufactured for Windows 10 meet these requirements. All devices that are compatible with Windows 11, without exception, meet these requirements.
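    The hardware prerequisites listed here (TPM and Modern Standby) and in the hardware section of the Windows 11 guide above (TPM 2.0 and Secure Boot) can all be checked without opening firmware settings. The script below is an added example, not the article's: it reads the TPM spec version from the Win32_Tpm WMI class and its readiness from Get-Tpm, asks the firmware whether Secure Boot is on via Confirm-SecureBootUEFI (which throws on a legacy BIOS machine, handled as "not UEFI"), and detects Modern Standby from the available sleep states printed by powercfg /a. It changes nothing; run it from an elevated prompt on Windows 10 or 11.

```powershell
# Added example, not from the article. Read-only check of the TPM, Secure Boot and
# Modern Standby prerequisites for Windows 11 and automatic device encryption.

function Get-TpmInfo {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
    $tpm = Get-Tpm
    $spec = $null
    if ($wmi) { $spec = ($wmi.SpecVersion -split ',')[0].Trim() }
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady     # provisioned and usable by Windows
        SpecVersion = $spec             # '2.0' or '1.2'; $null if no TPM is exposed
    }
}

function Get-SecureBootState {
    # Returns Enabled, Disabled, or NotUEFI (legacy BIOS boot cannot use Secure Boot).
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        'NotUEFI'
    }
}

function Test-ModernStandby {
    # powercfg /a prints an "available" list followed by a "not available" list; Modern
    # Standby appears in the first as "Standby (S0 Low Power Idle)".
    $out = (& powercfg.exe /a) -join "`n"
    $available = ($out -split 'The following sleep states are not available')[0]
    [bool]($available -match 'S0 Low Power Idle')
}

function Test-Windows11HardwareSecurity {
    $tpm = Get-TpmInfo
    $findings = @()
    if (-not $tpm.Present) {
        $findings += 'No TPM detected; check firmware settings (it may be present but disabled)'
    } elseif ($tpm.SpecVersion -ne '2.0') {
        $findings += "TPM spec version is $($tpm.SpecVersion); Windows 11 requires 2.0"
    } elseif (-not $tpm.Ready) {
        $findings += 'TPM 2.0 is present but not ready (not provisioned)'
    }
    switch (Get-SecureBootState) {
        'Disabled' { $findings += 'Secure Boot is disabled; enable it in firmware settings' }
        'NotUEFI'  { $findings += 'Not booting in UEFI mode, so Secure Boot is unavailable' }
    }
    if (-not (Test-ModernStandby)) {
        $findings += 'Modern Standby is not available; automatic device encryption requires it'
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Get-TpmInfo
Get-SecureBootState
Test-Windows11HardwareSecurity
```

    A PC that passes every check but still shows no Security Processor entry in the Windows Security app usually has the TPM disabled in firmware (often labelled fTPM on AMD boards or PTT on Intel boards), which is the "go into the device's firmware settings" case the guide describes.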

    How does BitLocker work in Windows 10 and Windows 11?

    On all devices that meet the BitLocker hardware requirements (see the previous section for details), device encryption is automatically enabled. Windows Setup automatically creates the necessary partitions and initializes encryption on the operating system drive with a clear key. To complete the encryption process, you must perform one of the following steps:

    • Sign in using a Microsoft account that has administrator rights on the device. That action removes the clear key, uploads a recovery key to the user’s OneDrive account, and encrypts the data on the system drive. Note that this process happens automatically and works on any Windows 10 or Windows 11 edition.

    • Sign in using an Active Directory account on a Windows domain or an Azure Active Directory account. Either configuration requires a business edition of Windows 10 or Windows 11 (Pro, Enterprise, or Education), and the recovery key is saved in a location that is available to the domain or AAD administrator.

    • If you sign in using a local account on a device running a business edition of Windows 10, you need to use the BitLocker Management tools to enable encryption on available drives.

    On self-encrypting solid-state drives that support hardware encryption, Windows will offload the work of encrypting and decrypting data to the hardware. Note that a vulnerability in this feature, first disclosed in November 2018, could expose data under certain circumstances. In those cases, you’ll need a firmware upgrade for the SSD; on older drives where that upgrade is not available, you can switch to software encryption using the instructions in this Microsoft Security Advisory: Guidance for configuring BitLocker to enforce software encryption.

    Note that Windows 10 and Windows 11 still support the much older Encrypting File System (EFS) feature. This is a file- and folder-based encryption system that was introduced with Windows 2000. For virtually all modern hardware, BitLocker is a superior choice.

    How do I manage BitLocker encryption?

    For the most part, BitLocker is a set-it-and-forget-it feature. After you enable encryption for a drive, it doesn’t require any maintenance. You can, however, use tools built into the operating system to perform a variety of management tasks.

    The simplest tools are available in the Windows graphical interface, but only if you are running Pro or Enterprise editions. Open File Explorer, right-click any drive icon, and click Manage BitLocker. That takes you to a page where you can turn BitLocker on or off; if BitLocker is already enabled for the system drive, you can suspend encryption temporarily or back up your recovery key from here. You can also manage encryption on removable drives and on secondary internal drives.

    On a system running Windows Home edition, you’ll find an on-off button in Settings. In Windows 10, look under Update & Recovery > Device Encryption. In Windows 11, this setting is under Privacy & Security > Device Encryption. A warning message will appear if device encryption hasn’t been enabled by signing into a Microsoft account.

    For a much larger set of tools, open a command prompt and use one of the two built-in BitLocker administrative tools, manage-bde or repair-bde, with one of its available switches. The simplest and most useful of these is manage-bde -status, which displays the encryption status of all available drives. Note that this command works on all editions, including Windows 10 Home. For a full list of switches, type manage-bde -? or repair-bde -?

    Finally, Windows PowerShell includes a full set of BitLocker cmdlets. Use Get-BitLockerVolume, for example, to see the status of all fixed and removable drives on the current system. For a full listing of available BitLocker cmdlets, see the PowerShell BitLocker documentation page.

    How do I save and use a BitLocker recovery key?

    Under normal circumstances, you unlock your drive automatically when you sign in to Windows using an account that’s authorized for that device. If you try to access the system in any other way, such as by booting from a Windows 10 or Windows 11 Setup drive or a Linux-based USB boot drive, you’ll be prompted for a recovery key to access the current drive. You might also see a prompt for a recovery key if a firmware update has changed the system in a way that the TPM doesn’t recognize.

    As a system administrator in an organization, you can use a recovery key (manually or with the assistance of management software) to access data on any device that is owned by your organization, even if the user is no longer a part of the organization.

    The recovery key is a 48-digit number that unlocks the encrypted drive in those circumstances. Without that key, the data on the drive remains encrypted. If your goal is to reinstall Windows in preparation for recycling a device, you can skip entering the key and the old data will be completely unreadable after setup is complete.

    Your recovery key is stored in the cloud automatically if you enabled device encryption with a Microsoft account. To find the key, go to https://onedrive.com/recoverykey and sign in with the associated Microsoft account. (Note that this option works on a mobile phone.) Expand the listing for any device to see additional details and an option to delete the saved key.

    If you enabled BitLocker encryption by joining your Windows 10 or Windows 11 device with an Azure AD account, you’ll find the recovery key listed under your Azure AD profile. Go to Settings > Accounts > Your Info and click Manage My Accounts. If you’re using a device that’s not registered with Azure AD, go to https://account.activedirectory.windowsazure.com/profile and sign in with your Azure AD credentials. Find the device name under the Devices & Activity heading and click Get BitLocker Keys to view the recovery key for that device. Note that your organization must allow this feature for the information to be available to you.

    Finally, on business editions of Windows 10 or Windows 11, you can print or save a copy of the recovery key and store the file or printout (or both) in a safe place. Use the management tools available in File Explorer to access these options. Use this option if you enabled device encryption with a Microsoft account and you prefer not to have the recovery key available in OneDrive.
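    The management tools and recovery-key guidance in the two sections above can be combined into one audit script. The following is an added example written for this page, not Microsoft’s code or the guide’s own; it uses only the built-in Get-Tpm, Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector cmdlets and assumes an elevated PowerShell session on a business edition of Windows 10 or Windows 11 (the -BackupRecoveryKeys switch additionally assumes the device is Azure AD-joined).

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide: audit the BitLocker state the
# guide describes using the built-in BitLocker and TrustedPlatformModule cmdlets.
# Read-only unless -BackupRecoveryKeys is passed, which escrows the existing
# recovery protectors to Azure AD and never displays the 48-digit key itself.
[CmdletBinding()]
param(
    # Weakest cipher you accept. The guide says the default is XTS-AES 128 and
    # that management tools can raise it to XTS-AES 256.
    [ValidateSet('XtsAes128', 'XtsAes256')]
    [string]$MinimumMethod = 'XtsAes128',

    # Back up every RecoveryPassword protector to Azure AD (device must be AAD-joined).
    [switch]$BackupRecoveryKeys
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Volume, [string]$Severity, [string]$Text) {
    $findings.Add([pscustomobject]@{ Volume = $Volume; Severity = $Severity; Finding = $Text })
}

# 1. Hardware prerequisite from the guide: a TPM that is present and initialised.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Add-Finding '(system)' 'High' 'TPM absent or not ready; automatic device encryption cannot protect the OS drive'
}

# 2. Every volume BitLocker knows about: the OS drive, secondary internal drives,
#    and any BitLocker To Go removable drive that is currently attached.
foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint

    # A device that never saw a Microsoft-account or domain sign-in sits in the
    # "clear key" state the guide describes: FullyEncrypted but ProtectionStatus Off.
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        Add-Finding $mp 'High' ('Protection={0} Status={1} ({2}% encrypted)' -f
            $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage)
    }

    switch ([string]$vol.EncryptionMethod) {
        'Hardware' {
            # Self-encrypting drive offload: the November 2018 issue the guide mentions.
            Add-Finding $mp 'Medium' 'Encryption offloaded to the SSD; apply the drive firmware fix or enforce software encryption per the Microsoft advisory'
        }
        { $_ -in 'Aes128', 'Aes256', 'Aes128Diffuser', 'Aes256Diffuser' } {
            Add-Finding $mp 'Low' "Legacy $_ (AES-CBC) cipher; re-encrypt with XTS-AES unless the drive must open on older Windows versions"
        }
        'XtsAes128' {
            if ($MinimumMethod -eq 'XtsAes256') {
                Add-Finding $mp 'Low' 'XTS-AES 128 in use but policy requires XTS-AES 256'
            }
        }
    }

    # The guide's recovery key is a RecoveryPassword protector. Without one, a
    # firmware change the TPM does not recognise locks the owner out as well.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Add-Finding $mp 'High' 'No recovery password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector'
    }
    elseif ($BackupRecoveryKeys) {
        foreach ($kp in $recovery) {
            # Escrow by protector ID only; the 48-digit password never reaches the console.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Add-Finding $mp 'Info' "Recovery protector $($kp.KeyProtectorId) backed up to Azure AD"
        }
    }
}

# 3. Report. An empty list means every volume matches the posture the guide aims for.
if ($findings.Count -eq 0) {
    Write-Output 'All BitLocker volumes are protected, use an XTS-AES cipher, and have a recovery password protector.'
}
else {
    $findings | Sort-Object Volume | Format-Table -AutoSize -Wrap
}
```

    Run it as .\Audit-BitLocker.ps1 -MinimumMethod XtsAes256 to flag drives still on the default cipher; the script name is arbitrary.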

    Can I use BitLocker to encrypt removable drives?

    Removable storage devices need encryption too. That includes USB flash drives as well as MicroSD cards that can be used in some PCs. That’s where BitLocker To Go works.

    To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10 or Windows 11. You can unlock that device on a device running any edition.

    As part of the encryption process, you need to set a password that will be used to unlock the drive. You also need to save the recovery key for the drive. (It’s not automatically saved to a cloud account.)

    Finally, you need to choose an encryption mode. Use the New Encryption Mode (XTS-AES) option if you plan to use the device exclusively on Windows 10 or Windows 11. Choose Compatible Mode for a drive you might want to open on a device running an earlier version of Windows.

    The next time you insert that device into a Windows PC, you’ll be prompted for the password. Click More Options and select the checkbox to automatically unlock the device if you want easy access to its data on a trusted device that you control. That option is especially useful if you’re using a MicroSD card for expanded storage capacity on a device such as a Surface Pro. After you sign in, all of your data is immediately available. If you lose the removable drive or it is stolen, its data is inaccessible to the thief.



    Okta names Sitel in Lapsus$ security incident impacting up to 366 customers

    Sitel has been named as the third-party allegedly responsible for a recent security incident experienced by Okta. In a briefing on Wednesday, David Bradbury, Chief Security Officer at Okta, told virtual attendees that the incident has been “an embarrassment for myself and the entire Okta team.”


    Okta has become the subject of scrutiny following the leak of screenshots by the LAPSUS$ hacking group earlier this week. The images appeared to show that the attackers had obtained access to “Okta.com Superuser/Admin and various other systems.”

    The identity and authentication services company said there was a five-day window in which the intrusion occurred. “The report from the forensic firm highlighted that there was a five-day window of time between January 16 – 21, 2022, when the threat actor had access to the Sitel environment, which we validated with our own analysis,” the CSO said.

    According to Bradbury, a customer support engineer’s laptop was the source of the intrusion, and the device was “owned and managed by Sitel.” Sitel is one of Okta’s sub-processors. The executive said that the attackers used the remote desktop protocol (RDP) to access the laptop:

    “The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.”

    After analyzing 125,000 login entries, the company now says that up to 366 customers may have been impacted. An alert was issued on January 20 that a new multi-factor authentication (MFA) addition was “attempted” on the Sitel support engineer’s account. The executive says that within “minutes”, Okta sessions were terminated, pending an investigation. However, Bradbury claimed that the “attempted” MFA enrollment was “unsuccessful.”

    A day later, indicators of compromise (IoCs) were shared by Okta with Sitel, which also hired investigative help. Okta later received a summary of the incident, but the full report was not released until yesterday.

    “I am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January and the issuance of the complete investigation report just hours ago,” the CSO said. “Upon reflection, once we received the Sitel summary report last week, we should have, in fact, moved more swiftly to understand its implications.”

    Bradbury said that the ‘Superuser’ mode shown in the screenshots does not provide “god-like” access. Instead, support engineers can only use their accounts for “basic duties and handling inbound support queries.” As a result, the executive says that while the threat actor had access to the Sitel environment, it was “highly constrained.”

    “We are of the opinion that no corrective action needs to be taken by customers,” Bradbury added. However, in the interest of “transparency,” potentially impacted customers will be sent an incident report.

    “This incident will only serve to strengthen our commitment to security […],” Bradbury commented. “We will continue to work tirelessly to ensure that you have a dependable and a secure, Okta service.”

    A spokesperson from Sykes, part of the Sitel Group, told ZDNet:

    “Following a security breach in January 2022 impacting parts of the Sykes network, we took swift action to contain the incident and to protect any potentially impacted clients. Further to the actions taken by our global security and technology teams, a worldwide cybersecurity leader was enlisted to conduct an immediate and comprehensive investigation of the matter […] As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk. We are unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients.”


    Who are the Lapsus$ hackers and what do they want?

    A prolific hacking gang has been making a name for itself with a string of cyberattacks against a range of high-profile targets. In the space of just a few days, a group known as Lapsus$ revealed that it has stolen data from big-name organisations including Microsoft and Okta.  The aim of the Lapsus$ campaign appears to be soliciting ransom payments, with threats to leak stolen information if its extortion demands aren’t met. While this tactic is a familiar one, often used by ransomware gangs as extra leverage to force victims to pay a ransom for a decryption key, in the case of Lapsus$, there’s no sign that ransomware is part of the attacks because no data is encrypted. 

    But that doesn’t mean that the attacks aren’t damaging: Microsoft Security notes that there’s evidence of a destructive element to the attacks for victims that won’t give in to extortion demands.

    Enterprise identity and access management provider Okta is one of the biggest victims of Lapsus$, in an incident in which the company says attackers might have accessed information of around 2.5% of Okta customers – a figure that the company says represents 366 organisations. Okta disclosed the breach on March 22, and the company said it “contained” an attempted security breach in January. However, Lapsus$ has since claimed that it was able to access a support engineer’s laptop and has posted screenshots claiming access to systems. In a blog post, Okta says the laptop belonged to a support engineer working for a third-party provider and that Okta itself hasn’t been compromised. However, the company says it has contacted those affected.

    Microsoft has also confirmed that it was compromised by Lapsus$. While the company says the attackers gained limited access, the hackers have posted a torrent file claiming to hold source code from Bing, Bing Maps, and Cortana.

    While claiming Okta and Microsoft as victims has drawn eyes to Lapsus$, the group isn’t brand new, having been active since at least December 2021 and claiming a number of victims in recent months. One of the first victims of the group was the Brazilian Ministry of Health, which saw over 50TB worth of data stolen and deleted from its systems. Among this haul was data relating to the COVID-19 pandemic, including cases, deaths, vaccinations, and more. It took a month before systems were up and running again.

    Other victims of Lapsus$ attacks in recent months include a number of technology and gaming companies. In February, Nvidia fell victim to a cybersecurity incident that was attributed to Lapsus$. The group claims to have stolen over 1TB of data from the microchip manufacturer, including employee passwords. Another high-profile victim of Lapsus$ is Samsung, which confirmed that data had been breached in an attack, including source code relating to Samsung Galaxy smartphones. Samsung says no personal information was stolen in the attack. Lapsus$ also claims to have compromised video game developer Ubisoft. The company said it fell victim to a “cybersecurity incident” that forced password refreshes across the organisation.

    Not much is known about Lapsus$ itself, other than that it’s a cyber-criminal gang – believed to operate out of South America – that hacks into the networks of large organisations to steal data and extort payments. Unlike ransomware gangs, which use dark web websites to publish stolen data, Lapsus$ uses a Telegram channel to share information about its attacks – and information stolen from its victims – directly with anyone who is subscribed to it.

    When it comes to conducting attacks, Lapsus$ appears to be the same as many other cyber-criminal operations, exploiting public-facing remote desktop protocol (RDP) capabilities and deploying phishing emails to gain access to accounts and networks. The group also buys stolen credentials from underground forums and searches public dumps of usernames and passwords for credentials that can be exploited to gain access to accounts. Lapsus$ also uses its public-facing Telegram channel to post messages, encouraging potential malicious insiders to come forward offering virtual private network (VPN), virtual desktop infrastructure (VDI), or Citrix credentials in exchange for an unspecified payment in an undisclosed currency.

    It’s unlikely the attacks will suddenly stop – the group might even be emboldened after claiming several high-profile victims – but there are steps businesses can take to help avoid falling victim to cyberattacks by Lapsus$ or other criminal hacking groups. This includes securing remote-working technologies like VPN and RDP with strong, difficult-to-guess passwords and bolstering that defence with multi-factor authentication. In addition, any users who think their account has been compromised should change their password immediately. Businesses should also train staff to identify and report phishing emails.


    This is how much the average Conti hacking group member earns a month

    The average Conti ransomware group member earns a salary of $1,800 per month, a figure you might consider low considering the success of the criminal gang. On Wednesday, Secureworks published a set of findings based on the group’s internal chat logs, leaked earlier this month and pored over by cybersecurity researchers ever since.

    The internal messaging records were leaked online after Conti, tracked as Gold Ulrick by Secureworks, declared its public support for Russia’s invasion of Ukraine, an ongoing conflict.

    Conti is a prolific ransomware group suspected to be of Russian origin that has claimed hundreds of victim organizations worldwide. The group will infiltrate a network — whether independently or through the purchase of initial access through underground forums — steal data, encrypt networks, and will then demand a ransom. Victims who refuse to pay up may find their information leaked online. Conti’s average ransomware demand is roughly $750,000, but depending on the size and annual revenue of a victim, blackmail payments can be set far higher, sometimes reaching millions of dollars.

    Check Point researchers have previously scoured the Conti chat logs and exposed a rather “mundane” operation, the type you’d expect a typical software development business to run. This included a business infrastructure offering office, hybrid, or remote work options, performance reviews, bonuses, and a hiring process for coders, testers, system administrators, and HR. While new members are interviewed, not everyone is told they are applying to work with a criminal outfit, as some ’employee’ messages have revealed. However, they may be offered salaries far higher than the local average to stay when the truth comes out.

    According to Secureworks’ analysis of the logs, containing 160,000 messages exchanged between almost 500 individuals between January 2020 and March 2022, there were 81 people involved in payroll, with an average salary of $1,800 per month.

    Image: Payroll message to group leader Stern (Russian translation). Source: Secureworks

    While core operators likely take a far larger slice of the pie, it is estimated that the average Russian household brings in $540 per month — and so the ‘salary’ offered by cybercriminal groups could be a strong lure. Furthermore, with the value of the Ruble tumbling due to international sanctions, this may entice more to enter this market.

    In addition, Secureworks has found leaks between the “designated leader” of Conti, dubbed “Stern,” and other cybercriminal groups. Stern is a figure described as someone who makes “key organizational decisions, distributes payroll, manages crises, and interacts with other threat groups.” The team suspects that they also hold a leadership position in Gold Ulrick (Trickbot/BazarLoader). Secureworks also found connections to the cybercriminal groups Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID), although this may just be for communication and/or collaborative purposes.

    “The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” the researchers say. “Members of groups previously believed to be distinct collaborated and frequently communicated with members of other threat groups. This interconnectivity shows these groups’ motivations and relationships. It highlights their resourcefulness and ability to leverage subject matter expertise within the groups.”

    On March 20, an unnamed researcher — believed to come from Ukraine — also published a recent version of the Conti ransomware source code. The package was uploaded to VirusTotal for the benefit of cybersecurity defense teams but may also be adapted for use by threat actors.


    Okta revises LAPSUS$ impact upwards to potentially 2.5% of customers

    Okta has again updated its blog post related to the LAPSUS$ intrusion from January first revealed by the hacking gang on Tuesday.

    “After a thorough analysis of these claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly,” Okta CSO David Bradbury said. “If you are an Okta customer and were impacted, we have already reached out directly by email.”

    Earlier this month in its fourth-quarter results, the company said it had 15,000 customers, of which 2.5% is 375. The company said it would be conducting a pair of technical webinars on the event on Wednesday.

    For its part, LAPSUS$ said it gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients. “For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?” the group said. “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.”

    The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack. LAPSUS$ also added that many of its members were on holidays for the rest of the month. “We might be quiet for some times,” the group said. “Thanks for understand us — we will try to leak stuff ASAP.”

    Meanwhile at Redmond: Microsoft confirms LAPSUS$ hit account with limited access after gang released alleged Bing and Cortana source.

    Speaking to ZDNet last week, Cisco advisory CISO Helen Patton said CISOs were separating themselves operationally from breach reporting requirements.

    “So now we’ve got lawyers who are making a decision about whether something is material enough to require a report, which is not really the spirit of the regulation. But I’ve seen it in Australia, and I’m seeing it overseas as well,” she said. “This is a coping mechanism because the reporting requirements are sort of vague.”

    Patton said due to legal folk wanting to contain events as much as possible, they would start low and escalate the impact of events rather than starting high and walking back.

    “That puts the rest of the rest of us at risk, actually,” the advisory CISO said. “So the question is, what is the right level to go with? Do you oversell it or undersell it, in order to not only protect yourself, but protect the ecosystem that you’re working in?”

    “We are rewarded by underselling … in a lot of ways reputationally, legally, but from a risk perspective, we might want to actually oversell it because that gets more people on alert faster and hopefully gives you a faster response.”

    Patton said companies that issued multiple upwards revisions could appear as though they did not know what they were doing.

    “It’s not until you’ve had a certain amount of time to explore the incident, respond to the incident, learn from the incident that you really have good quality information,” she said. “But our regulators want us to tell them immediately when something looks funny. And there’s lots of things that look funny in our environments, because our environments they’re inherently odd.

    “They’re going to get a lot of really bad signals early on, and we’re going to have to work out how do you talk about that publicly when the information is really asymmetrical in terms of what you know, and what’s actually happening. It’s a problem.”

    Updated at 01:35pm AEDT, 23 March 2022: Added further information on LAPSUS$.


    Microsoft confirms LAPSUS$ hit account with limited access after gang released alleged Bing and Cortana source

    Microsoft has confirmed the hacking gang LAPSUS$ was able to compromise an account with limited access, but it has left the question of source code exfiltration hanging in the air.

    “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft said. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.

    “Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

    On Tuesday, LAPSUS$ posted a torrent file claiming to contain source code from Bing, Bing Maps, and Cortana. “Bing maps is 90% complete dump. Bing and Cortana around 45%,” the group said.

    Microsoft’s confirmation of the compromise was contained in a blog post, which listed the techniques of the group.

    “Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft said. “Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

    The group, named DEV-0537 by Microsoft, has been observed using vulnerabilities in Confluence, JIRA, and GitLab to elevate privileges, calling helpdesks to get passwords reset, stealing Active Directory databases, and making use of NordVPN to appear as though they are in similar geography to targets.

    “If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates Global Admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly-created account, and then removes all other Global Admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access,” Microsoft said. “After exfiltration, DEV-0537 often deletes the target’s systems and resources. We’ve observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organization’s incident and crisis response process.”

    The group has also used internal messaging services to understand how victims are reacting.

    “It is assessed this provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands,” Microsoft said. “Notably, DEV-0537 has been observed joining incident response bridges within targeted organizations responding to destructive actions. In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole.”

    In the past 24 hours, LAPSUS$ also claimed making a hit on Okta. In response, Okta said the group had access to a support engineer’s laptop over a five-day period.

    Retorting to Okta, the group said the compromised device was a thin client, and it gained access to a superuser portal that could reset the password and multifactor authentication of 95% of clients. “For a company that supports zero-trust, support engineers seem to have excessive access to Slack? 8.6k channels?” the group said. “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.”

    The group called on Okta to hire a cybersecurity firm and to publish any report they complete. It also claimed Okta was storing AWS keys within Slack.