    Posts

    • RE: Technologies Begging to be Ransomwared

      @dashrender said in Technologies Begging to be Ransomwared:

      @obsolesce said in Technologies Begging to be Ransomwared:

      The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.

      You decomm'ed AD and did away with local accounts? Then how did you log in?

      AAD

      posted in IT Discussion
      ObsolesceO
      Obsolesce
    • RE: Technologies Begging to be Ransomwared

      @dashrender said in Technologies Begging to be Ransomwared:

      @scottalanmiller said in Technologies Begging to be Ransomwared:

      @dashrender said in Technologies Begging to be Ransomwared:

      Consider a one user to many devices.

      We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.

      Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.

      This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.

      You missed one part though - the creating that user's account on all of those devices.

      AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices' front desks, I need those 20 people to be able to log into any of them and get their stuff. A centralized authentication solution provides this ability to me.

      I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.

      But what do you do about creating the user accounts themselves?

      A key requirement for me is that a user be able to lock the computer while apps are running to prevent anyone else from gaining access to those apps.

      If Windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - Windows is required.

      The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.

      But, a major factor in all this ransomware is the fact that nobody should have "full" permissions to the data in a mapped drive in the first place.

      posted in IT Discussion
      ObsolesceO
      Obsolesce
    • RE: So Audacity needs forked

      @scottalanmiller said in So Audacity needs forked:

      Over 50 have happened. That's Jared's point. No clear, well backed winner.

      Welcome to Linux.

      posted in News
      ObsolesceO
      Obsolesce
    • RE: What Are You Doing Right Now

      @jaredbusch said in What Are You Doing Right Now:

      @obsolesce said in What Are You Doing Right Now:

      You don't get a lot of northern hemisphere summer vacationers down there at this time?

      Meh, they are basically on the equator.. there is no winter.

      Note they are still in the Northern Hemisphere.

      My point was that most people take their vacations June/July/August in most northern hemisphere countries like US/CA/EU and typically go much more south for vacations. I was asking if he doesn't get a lot of those during this time.

      posted in Water Closet
      ObsolesceO
      Obsolesce
    • RE: What Are You Doing Right Now

      @scottalanmiller said in What Are You Doing Right Now:

      @dashrender said in What Are You Doing Right Now:

      @scottalanmiller said in What Are You Doing Right Now:

      https://www.instagram.com/p/CQWrvYGLqvt/

      When is everyone heading down here?

      When will you have open rooms?

      From now until ~December. It's the slow season here (local winter), so lots of open space.

      You don't get a lot of northern hemisphere summer vacationers down there at this time?

      posted in Water Closet
      ObsolesceO
      Obsolesce
    • RE: Recommendations to replace existing Surface Pro4

      An XPS with Ubuntu is very hard to beat for work. I used to have a setup like that. My needs changed lately and now it is most efficient to run Win10/11, however, possibly 2nd quarter next year I'll be back to running Ubuntu mainly after I finish some Windows related projects.

      posted in IT Discussion
      ObsolesceO
      Obsolesce
    • RE: Kaseya customers ransomware attack

      @pete-s said in Kaseya customers ransomware attack:

      @obsolesce said in Kaseya customers ransomware attack:

      Ransomware is a legacy tech concern, not a modern one.

      What do you mean by modern? Are you talking about running kubernetes in the cloud or something else that would not be subject to ransomware?

      I'm not talking about any specific product, e.g. K8s... Even with that, you could still implement poor data storage using legacy practices and technologies.

      Think about it.

      What important company data is being ransomware'd.... where is this data? How is the data presented? How did ransomware affect it? What technologies were used to provide and/or host the data?

      posted in News
      ObsolesceO
      Obsolesce
    • RE: Kaseya customers ransomware attack

      @scottalanmiller said in Kaseya customers ransomware attack:

      Well, EVERYTHING is subject to it, lol.

      Obviously. I'm saying for all intents and purposes.

      posted in News
      ObsolesceO
      Obsolesce
    • RE: Kaseya customers ransomware attack

      @scottalanmiller said in Kaseya customers ransomware attack:

      @pete-s said in Kaseya customers ransomware attack:

      The real problem I think is not to protect yourself from ransomware - I don't think that is possible. Not with zero-day exploits and the amount of places where an organization can be attacked.

      Not entirely, of course not. But you can do a LOT to make ransomware dramatically less likely (nearly all attacks use the same handful of vectors, all of which are legacy artefacts), and make it ineffective (have backups.) You can't stop it, but you can make yourself a worthless target.

      Also, another big thing @Pete-S might not be considering, is that restoring from backup typically means there will be guaranteed data loss. When you use legacy tech and practices, it most certainly means your backups are not up to date at every microsecond of the day. So when you do get ransomware (because you definitely will when your focus is on the wrong thing regarding ransomware), and you have to restore, you better hope all your data was just backed up 1 microsecond ago, and that it only took 1 microsecond to perform the backup, and that it's inaccessible to ransomware. Otherwise, you are losing data anyways.

      You can totally avoid ransomware by not focusing on backups as a way to avoid ransomware. All you have to do is not use anything that is vulnerable to it. Some people find that very hard to understand, despite how easy it is to do. Ransomware is a legacy tech concern, not a modern one.

      posted in News
      ObsolesceO
      Obsolesce
    • RE: Miscellaneous Tech News

      @pete-s said in Miscellaneous Tech News:

      @mlnews said in Miscellaneous Tech News:

      Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices

      Western Digital removed code that would have prevented the wiping of petabytes of data.
      Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows. The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.

      That sucks. Like ransomware but without the hope...

      And the same problem too - vulnerabilities don't care about your carefully planned zero trust architecture and short-lived tokens and what not.

      That's why you don't use shitty tech and practices that are insanely vulnerable to ransomware, and other risks like what happened in that article.

      posted in News
      ObsolesceO
      Obsolesce
    • RE: Kaseya customers ransomware attack

      @pete-s said in Kaseya customers ransomware attack:

      @obsolesce said in Kaseya customers ransomware attack:

      @pete-s said in Kaseya customers ransomware attack:

      The real problem is the recovery.

      I disagree. Your company being shut down due to ransomware is absolutely avoidable when you don't use technology, infrastructure design, and security practices that are incredibly prone to it in the first place.

      It's not that simple. Let me provide you with some info from FBI's cybersecurity team (IC3):

      "As ransomware techniques and malware continue to evolve and become more sophisticated, even the most robust prevention controls are no guarantee against exploitation. This makes contingency and remediation planning crucial to business recovery and continuity. Those plans should be tested regularly to ensure the integrity of sensitive data in the event of a compromise."

      So of course you have to do what you can to prevent cyberattacks. But I think businesses have to be really prepared for a total restore of all their systems from offline backup. If they're not, it's going to take a VERY long time to recover. Like weeks or months.

      Then when something happens, you of course HOPE that you don't really need to restore everything. And that not all of your systems have been affected.

      Problem is that when something serious happens, you need to shut down everything. Because you don't know what is affected and what is not. So even an attack that is limited and only affects a part of your infrastructure, will cause downtime and cost money.

      I agree a company should always have a backup of their data needed to run the business. That's just an of course thing. But that's not what I'm talking about at all...

      posted in News
      ObsolesceO
      Obsolesce
    • RE: Kaseya customers ransomware attack

      @pete-s said in Kaseya customers ransomware attack:

      The real problem is the recovery.

      I disagree. Your company being shut down due to ransomware is absolutely avoidable when you don't use technology, infrastructure design, and security practices that are incredibly prone to it in the first place.

      posted in News
      ObsolesceO
      Obsolesce
    • RE: Non-IT News Thread

      @mlnews the closer you are to the equator, the worse the rise in sea level. No idea the time line though.

      posted in Water Closet
      ObsolesceO
      Obsolesce
    • RE: Another Microsoft Breach, 92% of LinkedIn Users Compromised

      That sucks, but at least it's nothing that isn't already public.

      posted in News
      ObsolesceO
      Obsolesce
    • RE: Audit for Saved Credentials on Windows

      @pete-s said in Audit for Saved Credentials on Windows:

      Sounds like you're solving the wrong problem.

      He explained the problem he's trying to solve... you must have missed it.

      posted in IT Discussion
      ObsolesceO
      Obsolesce
    • RE: Audit for Saved Credentials on Windows

      @travisdh1 said in Audit for Saved Credentials on Windows:

      After getting the stored credentials, getting rid of them is easy enough: Remove-StoredCredential -Target CredentialName.

      Right, there you need to know the exact name of the target to remove it, which you can't obtain with just the module itself. So instead of installing a 3rd party module and having to use the cmdline tool anyways, best to just use the one that does it all.

      Unless of course every machine you are searching uses the exact same known target, and they don't differ in any way, which is very unlikely. One target may be \\server\folder1, another might be \\server\folder2 and then it would start missing removals.

      Using the cmdline tool, you can get a list of all targets, and match all those that have just \\server and remove them, without the requirement of using a 3rd party module.

      posted in IT Discussion
      ObsolesceO
      Obsolesce
    • RE: Audit for Saved Credentials on Windows

      @travisdh1 said in Audit for Saved Credentials on Windows:

      The Microsoft documentation I saw didn't mention a thing about needing a module for it

      What Microsoft documentation?

      posted in IT Discussion
      ObsolesceO
      Obsolesce
    • RE: Audit for Saved Credentials on Windows

      There isn't a good way to manage the Windows Credential Manager via PowerShell with built-in cmdlets, or the CredentialManager module unless you know what you're looking for, so a more reliable way to do it if you don't, is with the command-line utility cmdkey.exe.

      I came up with some quick scratch-work to show an example, which gets the job done in my testing, but I have no mapped drives so I couldn't do a proper test.


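      # Substring to look for in stored credential targets (matched literally).
      # $targetMatch = '\\servername'
      $targetMatch = 'TESTTEST'

      # Keep only the "Target:" lines from cmdkey's listing and trim their indentation.
      $cmdkeyList = (cmdkey.exe /list) | Where-Object { $_ -match 'Target:' } | ForEach-Object { $_.Trim() }
      foreach ($line in $cmdkeyList) {
          # Lines look like "Target: Domain:target=NAME"; keep everything after "target=".
          $target = ($line -split 'target=', 2)[1]
          # Escape the search string so characters such as "\" are not read as regex syntax.
          if ($target -and $target -match [regex]::Escape($targetMatch)) {
              Write-Host "`nRemoving stored credential target: [$target]"
              cmdkey.exe /delete:$target
          }
      }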
      
      posted in IT Discussion
      ObsolesceO
      Obsolesce
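
An audit-first variant of the cmdkey.exe approach in the post above, added here as an example and not part of the original post: it parses the listing into objects (target, type, user) so saved credentials can be reported and reviewed before anything is deleted. The function name `ConvertFrom-CmdkeyList`, the server name and the sample listing are assumptions constructed for this example.

```powershell
# Added example: parse "cmdkey.exe /list" text into objects for auditing.
# ConvertFrom-CmdkeyList is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^Target:\s*(?<raw>.+)$') {
            # A "Target:" line starts a new entry; emit the previous one first.
            if ($null -ne $entry) { [pscustomobject]$entry }
            $entry = [ordered]@{
                Computer = $env:COMPUTERNAME
                # Drop the "Domain:target=" / "LegacyGeneric:target=" prefix.
                Target   = ($Matches['raw'] -split 'target=', 2)[-1]
                Type     = $null
                User     = $null
            }
        }
        elseif ($null -ne $entry -and $text -match '^Type:\s*(?<v>.+)$') { $entry.Type = $Matches['v'] }
        elseif ($null -ne $entry -and $text -match '^User:\s*(?<v>.+)$') { $entry.User = $Matches['v'] }
    }
    if ($null -ne $entry) { [pscustomobject]$entry }
}

# Constructed sample in the layout cmdkey.exe /list prints (not real output).
$sample = @'

Currently stored credentials:

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CONTOSO\svc-admin

    Target: LegacyGeneric:target=git:https://example.com
    Type: Generic
    User: someone

'@ -split "`r?`n"

# On a real machine, pass (cmdkey.exe /list) instead of $sample.
$audit = ConvertFrom-CmdkeyList -Lines $sample
$audit | Format-Table -AutoSize

# Flag entries for one server (literal match) and show what would be removed.
$serverName = 'fileserver01'   # assumed server name for this example
$flagged = $audit | Where-Object { $_.Target -match [regex]::Escape($serverName) }
$flagged | ForEach-Object { "Would remove: cmdkey.exe /delete:$($_.Target)" }
```

cmdkey.exe lists only the credentials of the account it runs under, so an audit across machines has to run in each user's context. The `Target:`, `Type:` and `User:` labels assume an English-language Windows.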
    • RE: Audit for Saved Credentials on Windows

      @travisdh1 said in Audit for Saved Credentials on Windows:

      @scottalanmiller said in Audit for Saved Credentials on Windows:

      So from time to time, someone will type in some credentials when mapping a drive and save them causing a mapped session to have permissions that are not intended for the user. If we are sitting at a computer, it is relatively easy to manually go look for this to have happened.

      But if we have thousands of computers across many companies, we can't realistically go computer by computer, account by account manually looking for these entries.

      Does anyone know of a good way, likely with PowerShell, to do an audit for saved credentials so that we can list them and, almost certainly, remove them?

      I've never done this myself, but I'd think you'd start with Get-StoredCredential

      That requires a public module that won't let you remove a secret unless you know the exact target you're looking for, which is fine, but might limit what you want to do.

      posted in IT Discussion
      ObsolesceO
      Obsolesce
    • RE: So Windows 11??

      No more having to go into control panel...


      posted in IT Discussion
      ObsolesceO
      Obsolesce