More stories

    Mustang Panda hacking group takes advantage of Ukraine crisis in new attacks

    Researchers have exposed a Mustang Panda campaign that is taking advantage of the Russia-Ukraine conflict to spread new malware. On March 23, researchers from ESET said that Mustang Panda, a Chinese cyberespionage group also tracked as TA416, RedDelta, and Bronze President, has been spreading a new Korplug/PlugX Remote Access Trojan (RAT) variant.

    Korplug is a RAT previously used in attacks against the Afghanistan and Tajikistan militaries, targets across Asia, and high-value organizations in Russia. Researchers say that Chinese threat actors have used variants of the Trojan since at least 2012. The new variant, however, has remained under the radar until now. ESET has named the new sample Hodur. The new version has some similarities to Thor, a variant of the malware detected by Palo Alto Networks in 2021 and deployed during the Microsoft Exchange Server debacle.

    Hodur is being spread through a phishing campaign leveraging topics of interest in Europe, including Russia’s current invasion of Ukraine. The attack wave is still ongoing but has taken different forms since August 2021, depending on current events. By adapting its phishing methods to include current hot topics, conflicts, and news items, Mustang Panda has managed to successfully infiltrate research organizations, internet service providers (ISPs), and systems belonging to European diplomatic initiatives across countries including Mongolia, Vietnam, Myanmar, Greece, Russia, South Africa, and Cyprus.

    While ESET is not sure of the campaign’s initial access vector, phishing and watering hole attacks are the likely means. Custom downloaders for Hodur have been found in several decoy documents with names including:

    • Situation at the EU borders with Ukraine.exe
    • COVID-19 travel restrictions EU reviews list of third countries.exe
    • State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe
    • REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe

    The decoys were also packaged up with .doc and .PDF extensions. If an intended victim opens the decoy document and executes the package, a malicious .DLL file, an encrypted Korplug file, and an executable vulnerable to DLL search-order hijacking land on the target machine. The .exe file loads the .DLL, and then the RAT is decrypted and unpacked.
The Korplug RAT variant will then establish a backdoor, connect to its command-and-control (C2) server, and perform reconnaissance on the infected system.

In other security news this week, Google has removed a popular Android app from the Play Store after Pradeo warned that the application contained a Trojan able to harvest Facebook account credentials.

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Ransomware is scary, but another scam is costing victims much, much more, says FBI

    Business email compromise (BEC) remains the biggest source of financial losses, which totaled $2.4 billion in 2021, up from an estimated $1.8 billion in 2020, according to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3). The FBI says in its 2021 annual report that Americans last year lost $6.9 billion to scammers and cyber criminals through ransomware, BEC, and cryptocurrency theft related to financial and romance scams. In 2020, that figure stood at $4.2 billion.

    Last year, the FBI’s Internet Crime Complaint Center (IC3) received 847,376 complaints about cybercrime losses, up 7% from 791,790 complaints in 2020.

    BEC has been the largest source of fraud for several years despite ransomware attacks grabbing most headlines. “In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion,” said Paul Abbate, deputy director of the FBI, in an introduction to the report. “In 2021, heightened attention was brought to the urgent need for more cyber incident reporting to the federal government.”

    IC3’s statistics in its annual reports are based on information the public submits to its website, www.ic3.gov. Since 2017, the IC3 has received 2.76 million complaints that indicate US consumers and businesses have lost $18.7 billion.

    BEC scams have evolved with technology, such as AI-created audio and video deep fakes, as the pandemic forced businesses to move to online video meetings via Zoom or Microsoft Teams. Originally, BEC scams relied on spoofing or hacking the business email account of a senior officer and then instructing a subordinate to wire funds to the scammer’s bank account. The emails often targeted real estate companies.

    “Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult,” the FBI noted.

    In those meetings, the fraudster would insert a still picture of the CEO with no audio, or ‘deep fake’ audio, through which the fraudsters, acting as business executives, would claim their audio/video was not working properly.
The fraudster then uses video to instruct employees to complete a wire transfer, or uses an executive’s compromised email to deliver wiring instructions.

Cryptocurrency laundering was a huge business last year. Blockchain analysis firm Chainalysis reported that cyber criminals washed about $8.6 billion worth of cryptocurrency in 2021. North Korean hackers stole around $400 million in cryptocurrency last year and used cryptocurrency mixer or ‘tumbler’ software, which splits funds into small sums and blends them with other transactions before sending the amounts to a new address.

IC3 received 3,729 complaints about ransomware attacks, amounting to adjusted losses of more than $49.2 million. The FBI noted that ransomware groups use phishing emails, stolen remote desktop protocol (RDP) credentials, and software flaws to infect victims with ransomware. In February, IC3 reported an uptick in “high-impact” ransomware attacks during 2021 based on data from the FBI, National Security Agency, and cybersecurity agencies from the UK and Australia. The other major trends are ransomware-as-a-service, where the attackers provide ransom negotiation services, and the rise of access brokers, who supply compromised accounts to ransomware gangs.

The notorious Conti ransomware gang got a special mention in IC3’s report. IC3 only started tracking ransomware targeting US critical infrastructure operators in June, covering attacks on US operators of water and wastewater systems, food and agriculture, healthcare and emergency medical services, law enforcement, 911 dispatch centers, and firms in the chemical, energy, finance and tech sectors. The IC3 received 51 reports about REvil ransomware attacks, 58 reports about LockBit 2.0, and 87 reports about Conti attacks.
“Of all critical infrastructure sectors reportedly victims by ransomware in 2021, the healthcare and public health, financial services, and information technology sectors were the most frequent victims,” IC3 said, suggesting it anticipates an increase in critical infrastructure victimization in 2022, but that it doesn’t encourage paying a ransom to criminals. The US is reorganizing how critical infrastructure operators report significant hacks. Newly passed legislation requires operators to report these hacks and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) rather than the FBI. CISA has committed to immediately share reports it receives with the FBI.

    Malicious npm packages target Azure developers to steal personal data

    A “large scale” attack is targeting Microsoft Azure developers through malicious npm packages. On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers.

    According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of days.

    The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. The script is responsible for creating accounts and uploading the npm sets, which include container services, a health bot, testers, and storage packages.

    JFrog says that typosquatting has been used to try and dupe developers into downloading the files. At the time of writing, these packages contained information stealer malware.

    Typosquatting is a form of phishing in which small changes are made to an email address, file, or website address to mimic a legitimate service or content. For example, an attacker could target users of “your-company.com” by registering a domain name with “your-c0mpany.com”; by replacing a single letter, they hope that victims do not notice that the resource is fraudulent.

    In this case, malicious packages are created with the same name as an existing @azure scope package, but they have dropped the scope.

    [Image: the legitimate package alongside its malicious counterpart, missing the scope. Credit: JFrog]
    “The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers say. “For example, running npm install core-tracing by mistake, instead of the correct command — npm install @azure/core-tracing.”

    Furthermore, all of the npm packages were given high version numbers, which could indicate dependency confusion attack attempts. “Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that the typosquatting attack will successfully fool some developers,” JFrog added.

    JFrog has provided a full list of the malicious npm packages detected so far. npm maintainers have removed the malicious files, but Azure developers should be on the alert for further activity from this threat actor.
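    Added example, not code from JFrog, npm or the article: a defender-side audit of a package.json that looks for the two signals the story describes, an unscoped dependency name that shadows a package in one of the targeted scopes (core-tracing instead of @azure/core-tracing) and an implausibly high version number. The scoped package inventory beyond @azure/core-tracing, the sample package.json and the version threshold are constructed assumptions.

```javascript
// Added example (not JFrog's, npm's or the article's code). Audits a
// package.json dependency map for the patterns described in the article:
//  1. an unscoped name that shadows a package in a targeted scope
//     (e.g. "core-tracing" where "@azure/core-tracing" was meant), and
//  2. an implausibly high version number, a dependency-confusion signal.

// Scopes the article names as targeted by the campaign.
const TARGETED_SCOPES = ["@azure", "@azure-rest", "@azure-tests", "@azure-tools", "@cadl-lang"];

// Inventory of legitimate scoped packages. "@azure/core-tracing" is named in
// the article; the other entries are assumptions standing in for a real list
// (in practice, load this from your registry mirror or lockfile).
const KNOWN_SCOPED_PACKAGES = [
  "@azure/core-tracing",
  "@azure/core-http",
  "@azure/identity",
  "@azure-rest/core-client",
  "@cadl-lang/compiler",
];

// A major version above this is flagged. The threshold is a constructed choice.
const MAX_PLAUSIBLE_MAJOR = 50;

// Build an index: unscoped base name -> scoped packages (in targeted scopes) that own it.
function indexByBaseName(scopedNames, scopes = TARGETED_SCOPES) {
  const index = new Map();
  for (const full of scopedNames) {
    const slash = full.indexOf("/");
    if (slash < 0) continue;
    const scope = full.slice(0, slash);
    if (!scopes.includes(scope)) continue;
    const base = full.slice(slash + 1);
    if (!index.has(base)) index.set(base, []);
    index.get(base).push(full);
  }
  return index;
}

// Extract the major version from a semver range such as "^99.10.9", "~1.2.3"
// or ">=2.0.0". Returns null for tags and wildcards ("latest", "*").
function majorVersionOf(spec) {
  const m = /(\d+)/.exec(String(spec));
  return m ? Number(m[1]) : null;
}

// One finding per unscoped dependency whose name collides with a scoped
// package in a targeted scope. Scoped names are skipped: the pattern in the
// article is specifically the dropped scope.
function auditDependencies(pkgJson, knownScoped = KNOWN_SCOPED_PACKAGES) {
  const index = indexByBaseName(knownScoped);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (name.startsWith("@")) continue;
      const shadows = index.get(name);
      if (!shadows) continue;
      const major = majorVersionOf(spec);
      const highVersion = major !== null && major > MAX_PLAUSIBLE_MAJOR;
      findings.push({
        field,
        name,
        spec,
        shadows,
        highVersion,
        // Corrected install command, as the article shows for core-tracing.
        fix: `npm install ${shadows[0]}`,
      });
    }
  }
  return findings;
}

// Constructed package.json for the demonstration.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    "@azure/core-tracing": "^1.0.0", // correct scoped name: not flagged
    "core-tracing": "^99.10.9",      // scope dropped, absurd version: HIGH
    "lodash": "^4.17.21",            // unrelated unscoped package: not flagged
  },
  devDependencies: {
    "core-http": "1.2.3",            // scope dropped, normal version: MEDIUM
  },
};

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  const tag = f.highVersion ? "HIGH" : "MEDIUM";
  console.log(`[${tag}] ${f.field}: ${f.name}@${f.spec} shadows ${f.shadows.join(", ")} -> ${f.fix}`);
}
```

    Running the block prints two findings: the absurdly versioned core-tracing entry as HIGH and the dropped-scope core-http entry as MEDIUM.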

    Most Singapore IT leaders cannot identify fake messages, but only half concerned about phishing risks

    Only 4% of IT decision-makers in Singapore are able to correctly identify phishing SMS and email messages. Despite the apparent lack of judgement, 47% remain unconcerned about the risk of phishing attacks to their organisation. Some 32% of these IT leaders tapped their work phones for personal activities, higher than the 18% of employees who did likewise, according to a study commissioned by KnowBe4, which provides security awareness training. Its chief hacking officer and reformed hacker Kevin Mitnick designed the US vendor’s training modules.

    The study further found that 53% of IT decision-makers in Singapore were concerned about phishing as a risk to their organisation, while 40% expressed similar concerns about business email compromise attacks. Conducted last December by YouGov, the online survey polled 200 IT decision-makers and 1,012 employees in the city-state.

    A further 36% of IT decision-makers used their work email for personal activities, compared to 29% of office workers. In addition, 51% of IT leaders expressed confidence they would know the steps they had to take following a cybersecurity incident or data breach in their organisation. And while 54% believed employees in their organisation understood the business impact of a cybersecurity breach, 43% felt confident their staff could identify phishing and business email compromise attacks. Another 40% believed their employees would report email messages they deemed suspicious.

    KnowBe4’s Asia-Pacific security awareness advocate Jacqueline Jayne said: “When those charged with keeping a business secure are unaware of the risks and unable to identify scam email and SMS messages, their organisations are at significant risk…If those in charge of security are unaware of best practices, then they cannot educate and train employees.”

    Jayne noted that employees were more likely to fall for phishing scams if they used their work email for personal activities, such as online shopping. “Having a clear separation between work and personal activities makes it much easier to spot when an email is a scam–if you know you never shop online using your work email address, then you know that email from Amazon cannot be real,” she said.

    Singapore’s Anti-Scam Centre last year received more than 23,800 reports, with losses totalling almost SG$520 million. More than 12,600 bank accounts were frozen and SG$102 million recovered.

    The KnowBe4 study revealed that 88% of Singapore IT decision-makers planned to spend more on cybersecurity this year, with 65% indicating such investment would go towards cybersecurity awareness training. Another 57% planned to direct their spend towards cybersecurity tools, while 55% would invest in infrastructure and 55% in cybersecurity insurance.

    Some developers are fouling up open-source software

    One of the most amazing things about open-source isn’t that it produces great software. It’s that so many developers put their egos aside to create great programs with the help of others. Now, however, a handful of programmers are putting their own concerns ahead of the good of the many and potentially wrecking open-source software for everyone.

    For example, RIAEvangelist, Brandon Nozaki Miller, a maintainer of packages on npm (JavaScript’s package manager), wrote and published an open-source npm package called peacenotwar. It did little but print a message for peace to desktops. So far, so harmless. Miller then inserted malicious code into the package to overwrite users’ filesystems if their computer had a Russian or Belarusian IP address. He then added it as a dependency to his popular node-ipc program, and instant chaos! Numerous servers and PCs went down as they updated to the newest code and had their drives erased.

    Miller’s defense, “This is all public, documented, licensed and open source,” doesn’t hold up. Liran Tal, the Snyk researcher who uncovered the problem, said, “Even if the deliberate and dangerous act [is] perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?”

    Miller is not a random crank. He’s produced a lot of good code, such as node-ipc and Node HTTP Server. But can you trust any of his code to not be malicious? While he describes it as “not malware, [but] protestware which is fully documented,” others venomously disagree.
As one GitHub programmer wrote, “What’s going to happen with this is that security teams in Western corporations that have absolutely nothing to do with Russia or politics are going to start seeing free and open-source software as an avenue for supply chain attacks (which this totally is) and simply start banning free and open-source software — all free and open-source software — within their companies.” As another GitHub developer with the handle nm17 wrote, “The trust factor of open source, which was based on the good will of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought ‘was the right thing they to do.'”

Both make valid points. When you can’t use source code unless you agree with the political stance of its maker, how can you use it with confidence? Miller’s heart may be in the right place — Slava Ukraini! — but is open-source software infected with a malicious payload the right way to protest Russia’s invasion of Ukraine? No, it’s not.

The open-source method only works because we trust each other. When that trust is broken, no matter for what cause, open-source’s fundamental framework is broken. As Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, said when students from the University of Minnesota deliberately tried to insert bad code into the Linux kernel for an experiment in 2021, “What they are doing is intentional malicious behavior and is not acceptable and totally unethical.”

People have long argued that open-source should include ethical provisions as well. For example, 2009’s Exception General Public License (eGPL), a revision of the GPLv2, tried to forbid “exceptions,” such as military users and suppliers, from using its code. It failed.
Other licenses, such as the JSON license with its sweetly naive “the software shall be used for good, not evil” clause, are still around, but no one enforces them. More recently, activist and software developer Coraline Ada Ehmke introduced an open-source license that requires its users to act morally. Specifically, her Hippocratic license added to the MIT open-source license a clause stating: “The software may not be used by individuals, corporations, governments, or other groups for systems or activities that actively and knowingly endanger, harm, or otherwise threaten the physical, mental, economic, or general well-being of underprivileged individuals or groups in violation of the United Nations Universal Declaration of Human Rights.”

Sounds good, but it’s not open source. You see, open-source is in and of itself an ethical position. Its ethics are contained in the Free Software Foundation’s (FSF) Four Essential Freedoms. This is the foundation for all open-source licenses and their core philosophy. As open-source legal expert and Columbia law professor Eben Moglen said at the time, ethical licenses can’t be free software or open-source licenses: “Freedom zero, the right to run the program for any purpose, comes first in the four freedoms because if users do not have that right with respect to computer programs they run, they ultimately do not have any rights in those programs at all. Efforts to give permission only for good uses, or to prohibit bad ones in the eyes of the licensor, violate the requirement to protect freedom zero.” In other words, if you can’t share your code for any reason, your code isn’t truly open-source.

Another, more pragmatic argument against forbidding one group from using open-source software is that blocking on something such as an IP address is a very broad brush.
Florian Roth, Head of Research at security company Nextron Systems, considered “disabling my free tools on systems with certain language and time zone settings,” but finally decided not to. Why? Because by doing so, “we would also disable the tools on systems of critics and freethinkers that condemn the actions of their governments.”

Unfortunately, it’s not just people trying to use open-source for what they see as a higher ethical purpose that are causing trouble for open-source software. Earlier this year, JavaScript developer Marak Squires deliberately sabotaged his obscure but vitally important open-source JavaScript libraries ‘colors.js’ and ‘faker.js’. The result? Tens of thousands of JavaScript programs blew up.

Why? It’s still not entirely clear, but in a since-deleted GitHub post, Squires wrote, “Respectfully, I am no longer going to support Fortune 500s ( and other smaller-sized companies ) with my free work. There isn’t much else to say. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.” As you might imagine, this attempt to blackmail his way to a paycheck didn’t work out so well for him.

And then there are people who deliberately put malware into their open-source code for fun and profit. For example, the DevOps security firm JFrog discovered 17 new malicious JavaScript packages in the npm repository that deliberately attack and steal a user’s Discord tokens. These can then be used on the Discord communications and digital distribution platform.

Besides creating new malicious open-source programs that look innocent and helpful, other attackers are taking old, abandoned software and rewriting it to include cryptocurrency-stealing backdoors. One such program was event-stream. It had malicious code inserted into it to steal bitcoin wallets and transfer their balances to a Kuala Lumpur server.
There have been several similar episodes over the years. With each such move, faith in open-source software is worn down. Since open-source is absolutely vital to the modern world, this is a lousy trend.

What can we do about it? Well, for one thing, we should consider very carefully indeed when, if ever, we should block the use of open-source code. More practically, we must start adopting the Linux Foundation’s Software Package Data Exchange (SPDX) and Software Bill of Materials (SBOM). Together these will tell us exactly what code we’re using in our programs and where it comes from. Then, we’ll be much more able to make informed decisions.

Today, all too often people use open-source code without knowing exactly what they’re running or checking it for problems. They assume all’s well with it. That’s never been a smart assumption. Today, it’s downright foolish. Even with all these recent changes, open-source is still better and safer than the black-box proprietary software alternatives. But we must check and verify code instead of blindly trusting it. It’s the only smart thing to do going forward.

    Windows 11 security: How to protect your home and small business PCs

    When it comes to security at home and in your small business, you’re on your own. Large businesses typically have dedicated IT staff tasked with ensuring the security of a corporate network and preventing outsiders from stealing data or planting ransomware. You have … yourself.

    The worst time to start thinking about security for the PCs on your network is after you’ve experienced a catastrophic incident. The best time is right now, which is why we’ve put this guide together.

    Following the steps we lay out here should help you understand which security issues are most important and, based on that knowledge, establish a security baseline. This isn’t a set-it-and-forget-it task, unfortunately. Online attackers are determined, and the threat landscape is constantly evolving. Maintaining effective security requires continued vigilance and ongoing effort.

    In this guide, we focus on more than just the Windows 11 device itself, because many of the threats come from outside. To stay secure, you need to pay close attention to network traffic, email accounts, authentication mechanisms, and unsophisticated users.

    This guide focuses primarily on the needs of PC owners managing Windows 11 PCs in a home or small business environment, without full-time IT staff. For installations where you’re required to connect to a business network, you’ll need to coordinate your personal security configuration with corporate policies. In some cases, device management policies will prevent you from adjusting some settings.

    Before you touch a single Windows setting, though, take some time for a threat assessment. In particular, be aware of your legal and regulatory responsibilities in the event of a data breach or other security-related event. Even small businesses can be subject to compliance requirements; if that applies to you, consider hiring a specialist who knows your industry and can ensure that your systems meet all applicable requirements.

    Where can I get an overview of Windows 11 security?

    ☑ Monitor the Windows Security app regularly

    In Windows 10, Microsoft introduced the Windows Security app, which consolidates security settings and status information into a single location. The Windows 11 version of this app adds some features and should be a regular part of your security monitoring.

    From this starting point, you can inspect (and adjust) settings for antivirus and antimalware software, device security, firewall and network protection, and other crucial security options. Green checkmarks indicate there are no issues that need immediate attention. Yellow and red icons indicate security issues that need to be addressed.

    When visiting an app like this, the natural temptation is to click every category and turn on every option you see. Resist that urge, especially in the Exploit Protection section. Changes you make here can have unintended consequences in everyday activities, especially with older apps. The default settings should be adequate for most systems. If you choose to make changes here, do so gradually, and don’t make any additional changes until you’re certain that the previous adjustments worked as expected.

    What’s the best way to keep Windows 11 up to date?

    ☑ Set an installation/deferral policy for security updates

    The single most important security setting for any Windows 11 PC is ensuring that updates are being installed on a regular, predictable schedule. That’s true of every modern computing device, of course, but the “Windows as a service” model that Microsoft introduced with Windows 10 changes the way you manage updates.

    Before you begin, though, it’s important to understand the different types of Windows updates and how they work.

    Quality updates are delivered monthly through Windows Update on the second Tuesday of each month. They address security and reliability issues and do not include new features. (These updates also include patches for microcode flaws in Intel processors.) For particularly severe security issues, Microsoft might choose to release an out-of-band update that is not tied to the normal monthly schedule. All quality updates are cumulative, so you no longer have to download dozens or even hundreds of updates after performing a clean install of Windows 11. Instead, you can install the latest cumulative update and you will be completely up to date.

    Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup. Microsoft’s current policy is to release one Windows 11 feature update per year, in the second half of the year. Feature updates are delivered through Windows Update and are not installed automatically unless the current version has reached the end of its support lifecycle.

    Using default settings, Windows 11 downloads and installs quality updates shortly after they’re made available on Microsoft’s update servers.
On devices running Windows 11 Home, there’s no supported way to specify exactly when these updates are installed; on PCs running business editions of Windows 11 (Pro, Enterprise, or Education), you can use Group Policy settings to automatically defer installation of quality updates by up to 30 days after their release. Regardless of which edition is installed, users can manually pause all updates for up to five weeks.

As with all security decisions, choosing when to install updates involves a trade-off. Installing updates immediately after they’re released offers the best protection; deferring updates makes it possible to minimize unscheduled downtime associated with those updates.

Using the Windows Update for Business features built into Windows 11 Pro, Enterprise, and Education editions, you can defer installation of quality updates by up to 30 days. You can also delay feature updates by as much as two years, depending on the edition. Deferring quality updates by 7 to 15 days is a low-risk way of avoiding the possibility of installing a flawed update that can cause stability or compatibility problems. In Windows 11, the only way to adjust Windows Update for Business settings is by using the Local Group Policy Manager (Gpedit.msc); the relevant policies are in Computer Configuration > Administrative Templates > Windows Components > Windows Update.

On enterprise networks, administrators can manage updates using Group Policy or mobile device management (MDM) software. Updates can also be managed centrally using a management tool such as System Center Configuration Manager or Windows Server Update Services.

Finally, your software update strategy shouldn’t stop at Windows itself. Make sure that updates for Windows applications, including Microsoft Office and Adobe applications, are installed automatically.

    How do I configure user accounts for maximum security?

    ☑ Sign in using a Microsoft account with multi-factor authentication
    ☑ Create standard accounts for inexperienced users
    ☑ Install a password manager for every user
    ☑ Set up multi-factor authentication on all online accounts
    ☑ For home PCs, consider setting up family safety features

    Microsoft sparked controversy with its decision to require a Microsoft account when setting up a PC with Windows 11 Home edition for the first time. I’ve also seen some online angst over the recent announcement that Microsoft plans to extend that requirement to Windows 11 Pro machines set up for personal use.

    If you already have a personal Microsoft account tied to services like Microsoft 365 Home or Family or an Xbox Live account, signing in with a Microsoft account makes it easy to access your Office apps, OneDrive storage, and online gaming.

    Even if you have no Microsoft services, however, there’s a solid security benefit behind that design decision. When you sign in with a Microsoft account, the system drive is encrypted by default, and the recovery key is backed up to a secure location, accessible by signing in to that Microsoft account. That minimizes the risk that a forgotten password can lead to catastrophic data loss.

    If you don’t use Microsoft services, feel free to create a brand-new Microsoft account on the fly, as part of the setup process, and use that new account exclusively for signing in to Windows 11. You get the benefits of full system disk encryption, multi-factor authentication, and (if you choose to use it) 5 GB of OneDrive storage, at no extra cost. Just think of it as a local account whose username has @microsoft.com on the end.

    If you’re still determined to use a local account, set up using a throwaway Microsoft account first, and then make the switch to a local account.
Just be aware that doing so means you’ll also have to find a different encryption option, and you won’t have any recovery mechanism if you forget your sign-in credentials.

With all that out of the way, do the following as well:

• Set up multi-factor authentication for your Microsoft account. (You’ll find full instructions here: “How to lock down your Microsoft account and keep it safe from outside attackers.”)
• Create standard accounts for other users (and even for yourself). Your primary account, by default, has administrator privileges. If other people (employees or family members) use the same PC, give them standard accounts that are unable to change system settings or install untrusted software without your approval. You can also give yourself a standard account for everyday use, but that’s a needless precaution that will simply force you to type in a password instead of clicking OK to a User Account Control dialog box.
• Install a password manager and make sure all your online accounts have strong, unique login credentials.
• Set up multi-factor authentication for online accounts wherever it’s available. (See “Multi-factor authentication: How to enable 2FA to step up your security.”)
• For PCs at home, set up children’s access using standard accounts and consider setting up the family safety features in Windows 11. You can use those options to set authorized times for young people to be online and to help keep them from straying into unsavory corners of the internet. You’ll find all the links you need in the Windows Security app.

    How do I keep Windows 11 hardware secure?

    ☑ Check the status of your TPM
    ☑ Ensure that Secure Boot is enabled
    ☑ Turn on Windows Hello, using biometric authentication if it's available

    Microsoft's hardware compatibility rules for Windows 11 upped the security game for PCs, although not without controversy. Previously, the governing principle for every new Windows version was maximum backward compatibility, with even 10-year-old PCs eligible to install the new operating system.

    That all changed with Windows 11. For the first time, the official hardware specifications were (a) dramatically raised from the previous version and (b) applied not just to new hardware from PC makers but also to upgraders.

    The biggest change is the requirement for a Trusted Platform Module (TPM) version 2.0, along with the requirement to enable Secure Boot, a firmware feature that verifies cryptographic signatures on the boot loader and other early boot components so that the device starts only an operating system whose boot chain hasn't been tampered with. (If you're willing to make a few registry edits, you can install Windows 11 on a PC with an older TPM (version 1.2) and an unsupported CPU, although Microsoft doesn't guarantee that such a PC will keep receiving updates. For details, see this Microsoft support document: "Ways to install Windows 11.")

    From the Device Security page in the Windows Security app, you can check both settings. If you see entries for Security Processor and Secure Boot, you're good to go. If one or both are missing, you'll need to go into the device's firmware (UEFI) settings to enable them; the TPM is often listed under a vendor name such as PTT (Intel) or fTPM (AMD). Although there are advanced configurations in which you might need to disable Secure Boot for troubleshooting purposes, it's best to leave this setting alone. Be aware that toggling Secure Boot or other measured boot settings changes what the TPM sees at startup, so an encrypted system drive will ask for its recovery key afterwards.

    Finally, set up a Windows Hello PIN and enable biometric authentication if your device has a fingerprint reader or an infrared camera that supports facial recognition. The PIN and biometric data are bound to this device and protected by the TPM, which is why a short PIN that works only on this PC is a safer sign-in factor than a password that also works from anywhere on the internet.
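    The Device Security page shows the same facts one machine at a time; the script below gathers them from PowerShell so you can check a fleet or a freshly reinstalled PC without clicking through the app. It is an added example, not code from the original article or from Microsoft. It relies on Get-Tpm, the Win32_Tpm WMI class, Confirm-SecureBootUEFI and Get-PnpDevice, all of which ship with Windows, and it assumes an elevated prompt because the TPM and Secure Boot cmdlets require administrator rights.

```powershell
# Added example, not from the original article: report TPM presence and spec
# version, Secure Boot state and firmware mode, and whether a biometric device is
# present, in one object. Run from an elevated PowerShell prompt; Get-Tpm and
# Confirm-SecureBootUEFI both need administrator rights.
#Requires -RunAsAdministrator

function Get-Win11HardwareSecurityReport {
    $report = [ordered]@{}

    # Get-Tpm reports presence and readiness. The spec version is exposed by the
    # Win32_Tpm WMI class as a string such as "2.0, 0, 1.38" (version, level, revision).
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady
    $wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report.TpmSpecVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $report.TpmIs20 = ($report.TpmSpecVersion -eq '2.0')

    # Confirm-SecureBootUEFI returns $true or $false on UEFI firmware and throws
    # on legacy BIOS, where Secure Boot cannot exist. Treat the throw as "off".
    try {
        $report.SecureBoot   = Confirm-SecureBootUEFI
        $report.FirmwareMode = 'UEFI'
    } catch {
        $report.SecureBoot   = $false
        $report.FirmwareMode = 'Legacy BIOS (Secure Boot unavailable)'
    }

    # A working biometric device (fingerprint reader or IR camera) is what makes
    # the face/fingerprint options appear under Windows Hello.
    $report.BiometricDevicePresent = [bool](Get-PnpDevice -Class Biometric -Status OK `
        -ErrorAction SilentlyContinue)

    $report.MeetsWindows11Baseline = ($report.TpmIs20 -and $report.SecureBoot)
    [pscustomobject]$report
}

Get-Win11HardwareSecurityReport | Format-List
```

    A report that shows TpmPresent true but TpmReady false usually means the TPM is enabled in firmware but hasn't been provisioned; opening tpm.msc or simply signing in once usually completes that. A FirmwareMode of Legacy BIOS on a machine that supports UEFI means Windows was installed in CSM mode and Secure Boot can't be turned on without reinstalling or converting the disk to GPT.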

    What’s the best way to protect data files?

    ☑ Turn on BitLocker encryption for all data drives
    ☑ Back up your encryption keys
    ☑ Back up data files to the cloud
    ☑ Back up critical data files to local storage

    Replacing a stolen laptop is inconvenient and expensive. Dealing with lost or stolen data is a nightmare. Physical security has its own challenges, but when it comes to keeping your data secure, you have two key goals:

    Encrypt your data files. If your computer or storage device is stolen, the thief can't read files protected by robust encryption when the key isn't stored alongside the data.

    Back up your data files. With a good backup plan, you can restore files that are lost or damaged (even if the cause is hardware failure) and get back to work with a minimum of downtime.

    Those precautions are especially important for files containing sensitive personal or financial information about customers or clients. If you work in a regulated industry or are subject to data breach notification laws, the impact of a loss is even worse; many of those laws treat properly encrypted data as not having been breached, which an unencrypted laptop does not get the benefit of.

    On a Windows 11 device, the single most important configuration change you can make is to enable BitLocker Device Encryption on the system drive and on all secondary drives, including USB flash drives. (BitLocker is the brand name Microsoft uses for the encryption tools available in business editions of Windows; the Home edition gets a subset called device encryption. BitLocker features are identical on Windows 10 and Windows 11.)

    With BitLocker enabled, the contents of each encrypted volume are protected with XTS-AES (128-bit keys by default; 256-bit is available through the management tools). The small unencrypted system partition that holds the boot manager is covered by Secure Boot and TPM measurements rather than by encryption. The TPM doesn't hold your data key in the everyday sense of a safe: it seals the key that unlocks the volume and releases it at boot only if the measured boot components match what was recorded when protection was turned on. Any change the TPM doesn't recognize sends you to the recovery key prompt instead.

    The steps to turn on BitLocker Device Encryption differ depending on which edition of Windows 11 is installed:

    Windows 11 Home: This edition supports strong device encryption, but only if you're signed in with a Microsoft account, and it offers a single on/off switch rather than the BitLocker management tools (no Manage BitLocker control panel, no way to change key protectors or choose the cipher strength).

    Windows 11 Pro, Enterprise, or Education: These business editions provide full access to the BitLocker management tools. For centralized management, you'll need to set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory account. On an unmanaged device running a business edition, you can set up BitLocker with a local account or a Microsoft account, but you'll need to use the BitLocker management tools to enable encryption on available drives.

    It is crucial that you back up the recovery key for a BitLocker-encrypted drive. If you ever have to reinstall Windows, replace the motherboard or TPM, or run into account problems, you'll need that 48-digit number to access the data. Without it, the data is gone.

    If you sign in with a Microsoft account, the BitLocker recovery key is saved to your account by default. You can retrieve it by signing in at onedrive.com/recoverykey. I recommend that you also print a copy of that key and file it in a safe place, just in case.

    On a managed PC using a domain or AAD account, the recovery key is saved in a location available to the domain or AAD administrator. On a personal device running a business edition, you can use the Manage BitLocker control panel to save or print a copy of the recovery key.

    Don't forget to encrypt portable storage devices. USB flash drives, MicroSD cards used as expansion storage, and portable hard drives are easily lost, but their data can be protected from prying eyes with BitLocker To Go, which unlocks the drive with a password (rather than the TPM) so it can travel between machines. For details, see "Protect removable storage devices with BitLocker encryption."

    Finally, make sure that crucial data files are backed up to the cloud and to local storage (on an encrypted drive, naturally). This precaution can be invaluable if you suffer a disk crash, and it's also excellent protection against ransomware, provided at least one copy is offline or versioned so that an attacker who encrypts or deletes your files can't do the same to the backup.

    If you're concerned about putting sensitive files in the cloud, encrypt the files before they leave the PC using third-party software such as Boxcryptor, or consider a zero-knowledge service that has no access to your encryption keys, such as SpiderOak CrossClave.

    How do I protect my Windows 11 PC from malicious software?

    ☑ Configure security software
    ☑ Configure anti-spam protection
    ☑ Manage which apps standard user accounts are allowed to run

    Security software is one layer in a defensive strategy designed to keep threats from ever reaching a PC. It's no longer the most important layer, but it's still crucial to have up-to-date security software.

    Every installation of Windows 11 includes built-in antivirus and anti-malware software, Microsoft Defender Antivirus, which updates its engine and definitions through the same mechanism as Windows Update. Microsoft Defender Antivirus is designed to be a set-it-and-forget-it feature and doesn't require manual configuration. If you install a third-party security package, Windows disables the built-in protection and lets that software detect and remove threats; if the third-party product expires or is removed, Defender switches itself back on.

    To check the status of Microsoft Defender Antivirus, use the Virus & Threat Protection page in the Windows Security app. (You'll find the ransomware protection options, including Controlled Folder Access, under the Ransomware Protection heading on that page.) Make sure Tamper Protection is on as well, so that malware which does gain administrator rights can't simply switch real-time protection off.

    Large organizations that use Windows Enterprise edition can deploy Microsoft Defender for Endpoint, a security platform that monitors Windows 11 PCs and other managed devices using behavioral sensors. Using cloud-based analytics, these tools can identify suspicious behavior and alert administrators to potential threats.

    For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft's SmartScreen technology is another built-in feature that checks the reputation of downloaded files and blocks the execution of those known to be malicious. SmartScreen also warns about unrecognized programs (files with no established reputation), but it allows the user to override that warning, which is exactly the click that social-engineering lures coach their victims through.

    It's worth noting that the SmartScreen check that Windows 11 applies to downloaded apps and files works independently of browser-based technology such as Google's Safe Browsing service and the SmartScreen filter built into Microsoft Edge: the app-reputation check runs no matter which browser fetched the file.

    On unmanaged PCs, SmartScreen is another feature that requires no manual configuration. You can adjust its configuration using the App & Browser Control settings in the Windows Security app.

    Another crucial vector for potentially malicious code is email, where seemingly innocuous file attachments and links to malicious websites can result in infection. Although email client software can offer some protection in this regard, blocking these threats at the server level, before the message ever reaches the PC, is the most effective way to prevent attacks.

    An effective way to prevent users with standard accounts from running unwanted programs (including malicious code) is to configure a Windows 11 PC so it refuses to install any apps except those you specifically authorize. To adjust this setting on a single PC, go to Settings > Apps > Apps & Features; under the Choose Where To Get Apps heading, select The Microsoft Store Only. This setting allows previously installed apps to run but blocks installers downloaded from outside the Store. It is not application control in the AppLocker or Windows Defender Application Control sense: a self-contained executable that needs no installer can still run, so treat it as a speed bump for standard users rather than a hard block.
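    The Defender checks described above can be scripted with the Defender cmdlets that ship with Windows (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Add-MpPreference). The script below is an added example, not code from the original article or from Microsoft: it reports the conditions a practitioner actually cares about (service on, real-time protection on, Tamper Protection on, signatures fresh, cloud protection and Controlled Folder Access enabled) and then turns on Controlled Folder Access for an extra folder. It assumes Defender is the active antivirus (with a third-party product installed, the status cmdlet reports Defender as disabled or passive) and the folder path is a placeholder.

```powershell
# Added example, not from the original article: check Microsoft Defender
# Antivirus health and turn on Controlled Folder Access (Defender's ransomware
# protection) for an additional folder. Run from an elevated prompt. The extra
# folder path is a placeholder.
#Requires -RunAsAdministrator

function Test-DefenderHealth {
    param([int]$MaxSignatureAgeDays = 3)
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Signature age matters as much as the on/off switches: an engine with
    # week-old definitions is not "up to date" no matter what the UI says.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    $findings = @()
    if (-not $status.AMServiceEnabled)              { $findings += 'Defender service disabled (third-party AV installed, or tampering)' }
    if (-not $status.RealTimeProtectionEnabled)     { $findings += 'Real-time protection is off' }
    if (-not $status.IsTamperProtected)             { $findings += 'Tamper Protection is off (can only be changed in the Windows Security app or via Intune)' }
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) { $findings += "Signatures are $([int]$sigAge.TotalDays) days old" }
    if ($pref.MAPSReporting -eq 0)                  { $findings += 'Cloud-delivered protection (MAPS) is off' }
    if ($pref.EnableControlledFolderAccess -ne 1)   { $findings += 'Controlled Folder Access is not enforced (0 = off, 1 = enabled, 2 = audit)' }

    [pscustomobject]@{
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
    }
}

function Enable-RansomwareProtection {
    param([string[]]$ExtraFolders = @())
    # Enabled (1) blocks untrusted apps from writing to the protected folders.
    # On a PC with unusual software, run with AuditMode first and review the
    # Windows Security "Protection history" before switching to Enabled.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($folder in $ExtraFolders) {
        if (Test-Path -LiteralPath $folder) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        }
    }
    (Get-MpPreference).ControlledFolderAccessProtectedFolders
}

Test-DefenderHealth | Format-List
Enable-RansomwareProtection -ExtraFolders @("$env:USERPROFILE\Work")   # placeholder path
```

    Tamper Protection is deliberately not settable from PowerShell, so the health check can only report it; turn it on in the Windows Security app (or through Intune on managed devices). Controlled Folder Access protects the standard user profile folders by default, which is why the example only adds the paths outside those.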

    What’s the best way to prevent attacks over the network?

    ☑ Use a hardware firewall
    ☑ Leave the Windows firewall turned on
    ☑ Protect your Wi-Fi network

    The gateway for your cable, fiber, DSL, or other wired internet connection should include a firewall feature that prevents outsiders from connecting to PCs on your internal network. Check the management interface for that device (access is typically through a web-based portal on a private IP address like 192.168.1.1 or 10.0.0.1). Make sure those security features are enabled, change the default administrative credentials (admin/password is common) to something unique, turn off remote (WAN-side) administration unless you need it, and keep the device's firmware updated.

    Every version of Windows shipped in the past two decades has included a stateful inspection firewall. In Windows 11, this firewall is enabled by default and doesn't need any tweaking to be effective. As with its predecessors, the Windows 11 firewall maintains three profiles, Domain, Private, and Public, and applies the one matching the network you're connected to; inbound connections are blocked by default under all three. Apps that need inbound network access generally add their own allow rules during setup, so it's worth reviewing the list of enabled inbound rules now and then.

    To adjust basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. For a far more comprehensive, expert-only set of configuration tools, click Advanced Settings to open the Windows Defender Firewall with Advanced Security console. On managed networks, these settings can be controlled through a combination of Group Policy and server-side settings.

    From a security standpoint, the biggest network-based threats to a Windows PC arise when connecting to wireless networks. Large organizations can significantly improve the security of wireless connections by deploying WPA2- or WPA3-Enterprise, which uses the 802.1X standard: each user or device authenticates to a RADIUS server with its own credentials or certificate, instead of everyone sharing one pre-shared key as on a WPA2-Personal network. Windows 10 and Windows 11 will prompt for a username and password (or present a certificate) when connecting to this type of network and will reject unauthorized connections, and because each session derives its own encryption keys, one compromised credential doesn't expose everyone else's traffic. On networks that use a shared password, make sure that visitors connect to a separate guest network.

    For times when you must connect using an untrusted wireless network, the best alternative is a virtual private network (VPN). Windows 11 includes built-in clients for the protocols most often used on corporate networks (IKEv2, SSTP, L2TP/IPsec, and the obsolete PPTP, which you should avoid because its authentication can be broken offline); to configure this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.
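    The firewall and network-profile advice above translates into a few NetSecurity cmdlets. The script below is an added example, not code from the original article or from Microsoft. It audits the three firewall profiles against the baseline the text describes (enabled, inbound blocked by default), enforces that baseline, reclassifies any Wi-Fi connection as Public so that rules scoped to Private networks don't apply on a café network, and lists the enabled inbound allow rules that make up the machine's real listening surface. It assumes the wireless adapter is named Wi-Fi (the Windows default) and an elevated prompt.

```powershell
# Added example, not from the original article: verify the Windows firewall is
# on for every profile with inbound connections blocked by default, treat Wi-Fi
# connections as Public, and list the inbound allow rules worth reviewing.
# Run from an elevated prompt. Adapter alias 'Wi-Fi*' is the Windows default.
#Requires -RunAsAdministrator

function Test-FirewallBaseline {
    # Three profiles; a rule "allowed on Private" is exposed the moment a hotel
    # network is misclassified as Private, so all three must be checked.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = $_.Enabled
            DefaultInbound  = $_.DefaultInboundAction
            DefaultOutbound = $_.DefaultOutboundAction
            Compliant       = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -ne 'Allow')
        }
    }
}

function Set-FirewallBaseline {
    # Block is the shipped default for inbound traffic; NotifyOnListen keeps the
    # "allow this app?" prompt so you notice when something opens a listener.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True
}

function Set-WifiConnectionsPublic {
    # Network category is per connection. Domain-authenticated networks are set
    # by the domain join and can't be changed here, so skip those.
    Get-NetConnectionProfile |
        Where-Object { $_.InterfaceAlias -like 'Wi-Fi*' -and $_.NetworkCategory -ne 'DomainAuthenticated' } |
        ForEach-Object {
            Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
            Get-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex
        }
}

function Get-InboundAllowRules {
    # Enabled inbound allow rules are the actual attack surface. Review anything
    # you don't recognise, especially rules added by installers years ago.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Select-Object DisplayName, Profile, Group
}

Test-FirewallBaseline | Format-Table -AutoSize
Set-FirewallBaseline
Set-WifiConnectionsPublic | Select-Object Name, InterfaceAlias, NetworkCategory
Get-InboundAllowRules | Sort-Object DisplayName | Format-Table -AutoSize
```

    Setting a connection to Public disables network discovery and file sharing on it, which is the point on someone else's network; if you rely on those at home, leave your home SSID as Private and run Set-WifiConnectionsPublic only when travelling, or switch the category back afterwards with Set-NetConnectionProfile -NetworkCategory Private.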


    BitLocker Guide: How to use this Windows encryption tool to protect your data

    A hands-on guide

    If your PC were lost or stolen, you'd probably cringe at the cost of replacing it. But that's nothing compared to what you'd stand to lose if someone had unfettered access to the data on that device. Even if they can't sign in using your Windows user account, a thief could boot from a removable device and browse the contents of the system drive with impunity. The most effective way to stop that nightmare scenario is to encrypt the entire device so that its contents are available only to you or to someone holding the recovery key.


    All editions of Windows 10 and Windows 11 include XTS-AES 128-bit device encryption, which is robust against offline attacks on the drive's contents; in practice the weak points are careless handling of the recovery key and a machine left running and unlocked, not the cipher. Using the management tools, you can increase the encryption strength to XTS-AES 256. On modern devices, the TPM also measures the early boot components and releases the volume key only when those measurements match, which detects attempts to bypass or replace the boot loader. BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows (desktop and server). A limited but still effective subset of BitLocker device encryption features is also available in Windows 10 and Windows 11 Home editions. Here's how to make sure your data is protected.

    What are the hardware requirements for BitLocker?

    The most important hardware feature required to support BitLocker Device Encryption is a Trusted Platform Module chip, or TPM. For encryption to turn on automatically, the device also needs to support the Modern Standby feature (formerly known as InstantGo) and pass Microsoft's Hardware Security Test Interface (HSTI) checks; on a business edition you can still turn BitLocker on manually if it doesn't.

    Virtually all devices originally manufactured for Windows 10 meet these requirements, and every device that meets the Windows 11 requirements has the TPM 2.0 and Secure Boot that BitLocker relies on. To see whether your device qualifies for automatic encryption, and the reason if it doesn't, check the Device Encryption Support line in the System Summary of the System Information app (msinfo32.exe).

    How does BitLocker work in Windows 10 and Windows 11?

    On all devices that meet the BitLocker hardware requirements (see the previous section for details), device encryption is automatically enabled. Windows Setup creates the necessary partitions and initializes encryption on the operating system drive with a clear key, meaning the data is already encrypted but the key is stored on the disk unprotected. To complete the protection, you must perform one of the following steps:

    Sign in using a Microsoft account that has administrator rights on the device. That action removes the clear key, uploads a recovery key to the account (retrievable through OneDrive), and seals the volume key to the TPM. This process happens automatically and works on any Windows 10 or Windows 11 edition.

    Sign in using an Active Directory account on a Windows domain or an Azure Active Directory account. Either configuration requires a business edition of Windows 10 or Windows 11 (Pro, Enterprise, or Education), and the recovery key is saved in a location that is available to the domain or AAD administrator.

    If you sign in using a local account on a device running a business edition of Windows 10 or Windows 11, you need to use the BitLocker management tools to enable encryption on available drives.

    Some self-encrypting solid-state drives can take over the work of encrypting and decrypting data in the drive's own firmware. A vulnerability in several such drives, disclosed in November 2018, allowed the data to be read without the password under certain circumstances, and Microsoft responded with Security Advisory ADV180028, "Guidance for configuring BitLocker to enforce software encryption." Since Windows 10 version 1903, BitLocker uses software encryption by default even on drives that advertise hardware encryption; a volume that was already encrypted in hardware mode has to be decrypted and re-encrypted to switch, and the advisory's Group Policy setting is the way to enforce software encryption going forward. The Encryption Method line of manage-bde -status tells you which mode a volume is using.

    Windows 10 and Windows 11 also still support the much older Encrypting File System (EFS), a file- and folder-based encryption system introduced with Windows 2000. EFS protects only the files you mark, its keys live in the user profile, and applications' temporary copies can land outside the protected folders in the clear; for virtually all modern hardware, BitLocker is a superior choice.

    How do I manage BitLocker encryption?

    For the most part, BitLocker is a set-it-and-forget-it feature. After you enable encryption for a drive, it doesn't require any maintenance. You can, however, use tools built into the operating system to perform a variety of management tasks.

    The simplest tools are available in the Windows graphical interface, but only if you are running Pro, Enterprise, or Education editions. Open File Explorer, right-click any drive icon, and click Manage BitLocker. That takes you to a page where you can turn BitLocker on or off; if BitLocker is already enabled for the system drive, you can suspend protection temporarily (before a firmware update, for example) or back up your recovery key from here. You can also manage encryption on removable drives and on secondary internal drives.

    On a system running Windows Home edition, you'll find an on/off switch in Settings. In Windows 10, look under Update & Security > Device Encryption. In Windows 11, this setting is under Privacy & Security > Device Encryption. A warning message appears if device encryption can't be completed because you haven't signed in with a Microsoft account.

    For a much larger set of tools, open an elevated command prompt and use one of the two built-in BitLocker command-line tools, manage-bde or repair-bde, with one of its available switches. The simplest and most useful is manage-bde -status, which displays the encryption status, encryption method, and key protectors of every available drive. This command works on all editions, including Windows 10 and Windows 11 Home. For a full list of switches, type manage-bde -? or repair-bde -?

    Finally, Windows PowerShell includes a full set of BitLocker cmdlets. Use Get-BitLockerVolume, for example, to see the status of all fixed and removable drives on the current system. For a full listing of available BitLocker cmdlets, see the PowerShell BitLocker documentation page.

    How do I save and use a BitLocker recovery key?

    Under normal circumstances, you unlock your drive automatically when you sign in to Windows using an account that's authorized for that device. If you try to access the system any other way, such as by booting from a Windows 10 or Windows 11 Setup drive or a Linux-based USB boot drive, you'll be prompted for a recovery key before you can read the drive. You might also see a prompt for a recovery key if a firmware update, a change to the boot order, or a hardware swap has altered the system in a way that the TPM's measurements don't recognize.

    As a system administrator in an organization, you can use a recovery key (manually or with the assistance of management software) to access data on any device owned by your organization, even if the user is no longer part of the organization.

    The recovery key is a 48-digit number that unlocks the encrypted drive in those circumstances. Without that key, the data on the drive remains encrypted. If your goal is to reinstall Windows in preparation for recycling a device, you can skip entering the key; the old data is unreadable after setup completes because the keys that protected it no longer exist.

    Your recovery key is stored in the cloud automatically if you enabled device encryption with a Microsoft account. To find the key, go to https://onedrive.com/recoverykey and sign in with the associated Microsoft account. (This works from a mobile phone, which matters when the PC asking for the key is your only computer.) Expand the listing for any device to see additional details, including the Key ID that the recovery screen displays so you can pick the matching key, and an option to delete the saved key.

    If you enabled BitLocker encryption by joining your Windows 10 or Windows 11 device to an Azure AD account, you'll find the recovery key listed under your Azure AD profile. Go to Settings > Accounts > Your Info and click Manage My Accounts. If you're using a device that's not registered with Azure AD, go to https://account.activedirectory.windowsazure.com/profile and sign in with your Azure AD credentials. Find the device name under the Devices & Activity heading and click Get BitLocker Keys to view the recovery key for that device. Note that your organization must allow this feature for the information to be available to you.

    Finally, on business editions of Windows 10 or Windows 11, you can print or save a copy of the recovery key and store the file or printout (or both) in a safe place. Use the management tools available in File Explorer to access these options. Use this option if you enabled device encryption with a Microsoft account and you prefer not to have the recovery key available in OneDrive, and never save the file on the very drive it unlocks.
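    The management and recovery-key tasks described in the two sections above (and in the data-protection checklist earlier on this page) can be done in one pass with the BitLocker PowerShell module. The script below is an added example, not code from the original article or from Microsoft. It reports each volume's protection state, encryption method and key protectors, adds a recovery password protector to a volume that lacks one, and writes every recovery password to a file on a drive you name, which should be a removable drive you then store offline, never the encrypted disk itself. It assumes an elevated prompt on a Pro, Enterprise or Education edition; the output path is a placeholder, and on Home edition manage-bde -status is the equivalent of the read-only report.

```powershell
# Added example, not from the original article: report every volume's BitLocker
# state, add a recovery password protector where one is missing, and export all
# recovery passwords to a file on a drive you choose (a USB stick you store
# offline, not the encrypted disk). Run elevated on Pro/Enterprise/Education.
# The output path is a placeholder.
#Requires -RunAsAdministrator

function Get-BitLockerReport {
    Get-BitLockerVolume | ForEach-Object {
        $recovery = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint            = $_.MountPoint
            VolumeType            = $_.VolumeType        # OperatingSystem or Data
            ProtectionStatus      = $_.ProtectionStatus  # Off = clear key or suspended
            VolumeStatus          = $_.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
            EncryptionMethod      = $_.EncryptionMethod  # XtsAes128 is the default
            Protectors            = ($_.KeyProtector.KeyProtectorType -join ', ')
            RecoveryPasswordCount = $recovery.Count
        }
    }
}

function Set-RecoveryPasswordProtector {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Adds a fresh 48-digit recovery password if the volume has none. The TPM
    # protector stays in place, so normal boots remain unattended.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $existing = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $existing) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

function Export-RecoveryPasswords {
    param([Parameter(Mandatory)][string]$OutFile)
    # The Key ID is what the recovery screen shows; record it with the password
    # so the right one can be found when several PCs share a folder of keys.
    $lines = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            "Computer: $env:COMPUTERNAME  Volume: $($vol.MountPoint)  Key ID: $($kp.KeyProtectorId)  Recovery password: $($kp.RecoveryPassword)"
        }
    }
    Set-Content -LiteralPath $OutFile -Value $lines -Encoding ASCII
    return @($lines).Count
}

Get-BitLockerReport | Format-Table -AutoSize
Set-RecoveryPasswordProtector -MountPoint 'C:' | Format-List KeyProtectorId, RecoveryPassword
Export-RecoveryPasswords -OutFile 'E:\bitlocker-recovery.txt'   # placeholder: a removable drive
```

    A volume that reports ProtectionStatus Off with VolumeStatus FullyEncrypted is the clear-key state described earlier: encrypted on disk, but with nothing protecting the key. On a Microsoft-account PC that state clears itself at first sign-in; on a local-account PC it is the signal to turn protection on with Enable-BitLocker or the Manage BitLocker control panel.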

    Can I use BitLocker to encrypt removable drives?

    Removable storage devices need encryption too. That includes USB flash drives as well as the MicroSD cards used for expansion storage in some PCs. That's where BitLocker To Go comes in.

    To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10 or Windows 11. You can unlock that drive on a device running any edition, including Home.

    As part of the encryption process, you need to set a password that will be used to unlock the drive. You also need to save the recovery key for the drive. (It's not automatically saved to a cloud account.)

    Finally, you need to choose an encryption mode. Use the New Encryption Mode (XTS-AES) option if you plan to use the drive exclusively on Windows 10 or Windows 11. Choose Compatible Mode (AES-CBC) for a drive you might need to open on a device running an earlier version of Windows.

    The next time you insert that drive into a Windows PC, you'll be prompted for the password. Click More Options and select the checkbox to automatically unlock the drive if you want easy access to its data on a trusted device that you control. Auto-unlock stores a key for the removable drive on the PC's own encrypted system volume, which is why it's offered only when the operating system drive is itself protected.

    That option is especially useful if you're using a MicroSD card for expanded storage on a device such as a Surface Pro. After you sign in, all of your data is immediately available. If you lose the removable drive or it is stolen, its data is inaccessible to the thief, as long as the password doesn't travel with the drive.
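    The same BitLocker To Go steps (password, recovery key, encryption mode, auto-unlock) can be done without the wizard. The function below is an added example, not code from the original article or from Microsoft; it uses Enable-BitLocker, Add-BitLockerKeyProtector and Enable-BitLockerAutoUnlock from the BitLocker module, assumes an elevated prompt on a business edition, and uses E: as a placeholder drive letter. It captures the new recovery password by comparing protector IDs before and after adding it, so you always get the one just created rather than an older one.

```powershell
# Added example, not from the original article: encrypt a removable drive with
# BitLocker To Go, add a recovery password and return it, and optionally enable
# auto-unlock on this PC. Run elevated on Pro/Enterprise/Education.
# 'E:' below is a placeholder drive letter.
#Requires -RunAsAdministrator

function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$CompatibleMode,   # AES-CBC, for drives that must open on Windows 7/8.1
        [switch]$AutoUnlockHere
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume; refusing." }

    # Wizard's "New encryption mode" = XTS-AES, "Compatible mode" = AES-CBC.
    $method = if ($CompatibleMode) { 'Aes128' } else { 'XtsAes128' }

    if ($vol.ProtectionStatus -ne 'On') {
        # The password protector is what any PC will prompt for on insertion.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $method `
            -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    }

    # Removable-drive recovery keys are never uploaded to OneDrive, so capture
    # the one created here and store it somewhere other than the drive itself.
    $before = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorId)
    $after  = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector
    $recovery = $after | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $before
    }

    if ($AutoUnlockHere) {
        # Auto-unlock stores an external key on this PC's encrypted OS volume;
        # the cmdlet fails if the OS volume is not itself protected.
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $method
        VolumeStatus     = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
        RecoveryKeyId    = $recovery.KeyProtectorId
        RecoveryPassword = $recovery.RecoveryPassword
        AutoUnlock       = [bool]$AutoUnlockHere
    }
}

$pw = Read-Host -Prompt 'Password for the removable drive' -AsSecureString
Protect-RemovableDrive -MountPoint 'E:' -Password $pw -AutoUnlockHere
```

    Encryption continues in the background after the function returns (VolumeStatus shows EncryptionInProgress until it finishes), and the drive is safe to remove only once Get-BitLockerVolume reports FullyEncrypted. Prefer -UsedSpaceOnly on a new or freshly wiped drive; on a drive that has held sensitive files before, omit it so previously deleted data in free space is encrypted as well.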


    Okta names Sitel in Lapsus$ security incident impacting up to 366 customers

    Sitel has been named as the third party allegedly responsible for a recent security incident experienced by Okta. In a briefing on Wednesday, David Bradbury, Chief Security Officer at Okta, told virtual attendees that the incident has been "an embarrassment for myself and the entire Okta team."


    Okta has become the subject of scrutiny following the leak of screenshots by the LAPSUS$ hacking group earlier this week. The images appeared to show that the attackers had obtained access to "Okta.com Superuser/Admin and various other systems."

    The identity and authentication services company said there was a five-day window in which the intrusion occurred.

    "The report from the forensic firm highlighted that there was a five-day window of time between January 16 – 21, 2022, when the threat actor had access to the Sitel environment, which we validated with our own analysis," the CSO said.

    According to Bradbury, a customer support engineer's laptop was the source of the intrusion, and the device was "owned and managed by Sitel." Sitel is one of Okta's sub-processors. The executive said that the attackers used the remote desktop protocol (RDP) to access the laptop:

    "The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session."

    After analyzing 125,000 login entries, the company now says that up to 366 customers may have been impacted.

    An alert was issued on January 20 that a new multi-factor authentication (MFA) addition was "attempted" on the Sitel support engineer's account. The executive says that within "minutes", Okta sessions were terminated, pending an investigation. However, Bradbury claimed that the "attempted" MFA enrollment was "unsuccessful."

    A day later, indicators of compromise (IoCs) were shared by Okta with Sitel, which also hired investigative help. Okta later received a summary of the incident, but the full report was not released until yesterday.

    "I am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January and the issuance of the complete investigation report just hours ago," the CSO said. "Upon reflection, once we received the Sitel summary report last week, we should have, in fact, moved more swiftly to understand its implications."

    Bradbury said that the 'Superuser' mode shown in the screenshots does not provide "god-like" access. Instead, support engineers can only use their accounts for "basic duties and handling inbound support queries." As a result, the executive says that while the threat actor had access to the Sitel environment, it was "highly constrained."

    "We are of the opinion that no corrective action needs to be taken by customers," Bradbury added. However, in the interest of "transparency," potentially impacted customers will be sent an incident report.

    "This incident will only serve to strengthen our commitment to security [...]," Bradbury commented. "We will continue to work tirelessly to ensure that you have a dependable and secure Okta service."

    A spokesperson from Sykes, part of the Sitel Group, told ZDNet:

    "Following a security breach in January 2022 impacting parts of the Sykes network, we took swift action to contain the incident and to protect any potentially impacted clients. Further to the actions taken by our global security and technology teams, a worldwide cybersecurity leader was enlisted to conduct an immediate and comprehensive investigation of the matter [...] As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk. We are unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients."