Microsoft

Microsoft: Meltdown and Spectre Check via PowerShell

Like many folks around the world, I was wondering if this Meltdown and Spectre flaw would impact my computers and virtual machines.  Microsoft has started to release emergency fixes for Windows 10, and it's been said that Windows 8 and legacy 7 will also receive patches.

Microsoft has released a PowerShell script that lets users check whether they have protection in place.

Steps to take:

  1. Open PowerShell (I like to use PowerShell ISE)
  2. Run PowerShell as Administrator.
  3. Type Install-Module SpeculationControl and press Enter.
  4. When the installation completes, type Import-Module SpeculationControl and press Enter.
  5. Type Get-SpeculationControlSettings and press Enter.

In the list of results that’s displayed, you’re looking to see that a series of protections are enabled — this will be listed as True.  Ref: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

The output should resemble:

Speculation control settings for CVE-2017-5715 [branch target injection]

  • Hardware support for branch target injection mitigation is present: True
  • Windows OS support for branch target injection mitigation is present: True
  • Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

  • Hardware requires kernel VA shadowing: True
  • Windows OS support for kernel VA shadow is present: True
  • Windows OS support for kernel VA shadow is enabled: True
  • Windows OS support for PCID optimization is enabled: True
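
The True/False lines above can also be evaluated programmatically, because Get-SpeculationControlSettings returns an object as well as printing text. The following is an added example, not part of Microsoft's script or the original post; the function name Test-SpeculationControl and the sample object are constructed for illustration.

```powershell
# Added example: turn the settings object into a pass/fail result with reasons.
function Test-SpeculationControl {
    param([Parameter(Mandatory)] $Settings)

    $findings = @()

    # CVE-2017-5715: needs hardware (firmware/microcode) support, OS support,
    # and the OS support must actually be enabled.
    if (-not $Settings.BTIHardwarePresent) {
        $findings += 'CVE-2017-5715: no hardware support (firmware/microcode update needed)'
    }
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings += 'CVE-2017-5715: OS support missing (Windows update not installed)'
    }
    elseif (-not $Settings.BTIWindowsSupportEnabled) {
        $findings += 'CVE-2017-5715: OS support present but not enabled'
    }

    # CVE-2017-5754: kernel VA shadowing only matters when the hardware requires it.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $findings += 'CVE-2017-5754: OS support for kernel VA shadow missing'
        }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $findings += 'CVE-2017-5754: kernel VA shadow present but not enabled'
        }
    }

    [pscustomobject]@{
        Protected = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: Windows update installed, firmware not yet updated.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $true
}
Test-SpeculationControl -Settings $sample | Format-List

# On a real machine:
# Test-SpeculationControl -Settings (Get-SpeculationControlSettings)
```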

 

 

 

Meltdown & Spectre Vulnerabilities

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data that is currently being processed on the computer.  Malicious programs can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs, obtaining passwords, logon details and other information that was once thought to be secure.

Meltdown and Spectre work on personal computers, mobile devices, and in the Cloud – AWS, Azure, and other 3rd party Cloud / IaaS Providers.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an un-patched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

 

Vendor recommendations:

Information on the vulnerabilities:

 

Current known list of affected vendors and their respective advisories and/or patch announcements below

| Vendor | Advisory/Announcement |
| --- | --- |
| Amazon (AWS) | AWS-2018-013: Processor Speculative Execution Research Disclosure |
| AMD | An Update on AMD Processor Security |
| Android (Google) | Android Security Bulletin—January 2018 |
| Apple | HT208331: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan |
| | HT208394: About speculative execution vulnerabilities in ARM-based and Intel CPUs |
| ARM | Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism |
| Azure (Microsoft) | Securing Azure customers from CPU vulnerability |
| | Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities |
| Chromium Project | Actions Required to Mitigate Speculative Side-Channel Attack Techniques |
| Cisco | cisco-sa-20180104-cpusidechannel – CPU Side-Channel Information Disclosure Vulnerabilities |
| Citrix | CTX231399: Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 |
| Debian | Debian Security Advisory DSA-4078-1 linux — security update |
| Dell | SLN308587 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products |
| | SLN308588 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking) |
| F5 Networks | K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 |
| Google’s Project Zero | Reading Privileged Memory with a Side-Channel |
| Huawei | Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design |
| IBM | Potential CPU Security Issue |
| Intel | INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method |
| Lenovo | Lenovo Security Advisory LEN-18282: Reading Privileged Memory with a Side Channel |
| Microsoft | Security Advisory 180002: Guidance to mitigate speculative execution side-channel vulnerabilities |
| | Windows Client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities |
| | Windows Server guidance to protect against speculative execution side-channel vulnerabilities |
| | SQL Server Guidance to protect against speculative execution side-channel vulnerabilities |
| | Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software |
| Mozilla | Mozilla Foundation Security Advisory 2018-01: Speculative execution side-channel attack (“Spectre”) |
| NetApp | NTAP-20180104-0001: Processor Speculated Execution Vulnerabilities in NetApp Products |
| nVidia | Security Notice ID 4609: Speculative Side Channels |
| | Security Bulletin 4611: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels |
| | Security Bulletin 4613: NVIDIA Shield TV Security Updates for Speculative Side Channels |
| Raspberry Pi Foundation | Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown |
| Red Hat | Kernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 |
| SUSE | SUSE Linux security updates CVE-2017-5715 |
| | SUSE Linux security updates CVE-2017-5753 |
| | SUSE Linux security updates CVE-2017-5754 |
| Synology | Synology-SA-18:01 Meltdown and Spectre Attacks |
| Ubuntu | Ubuntu Updates for the Meltdown / Spectre Vulnerabilities |
| VMware | NEW VMSA VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution |
| Xen | Advisory XSA-254: Information leak via side effects of speculative execution |

Office 365: Use Content Search to delete unwanted Emails from Organization


As an admin, you can use Content search, located under Security & Compliance, to search for and delete email messages from selected or all mailboxes in your organization.  This is particularly useful for removing high-risk emails such as:

  • Messages that contain sensitive data
  • Messages that were sent in error
  • Messages that contain malware or viruses
  • Phishing messages

 

To start the process, we begin with creating a content search:

  1. Log into your Office 365 protection center – https://protection.office.com
  2. Click on Search & investigation, then select Content search
  3. From Content search click on the “New” Icon
  4. Enter a name for this search job
  5. Select either specific mailboxes or “all mailboxes”
  6. Select “Search all sites”, public folders are an option depending on your search criteria
  7. Click Next
  8. Enter keywords to search for, or leave blank to search for all content
  9. Add Conditions – In my example I am looking for a subject (ex. Microsoft account unusual sign-in activity)

  10. Click Search

 

The search will start and results will be displayed in the right pane.

When it has completed, you can preview the results and export them to your computer as a report.

Now that you have generated a search, you can move on to deleting the content you searched for.

To do this we will need to connect to the Security & Compliance Center using remote PowerShell.

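# Prompt for the admin account credentials
$UserCredential = Get-Credential
# Open a remote session to the Security & Compliance Center endpoint
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the compliance cmdlets into the local session
Import-PSSession $Session -AllowClobber -DisableNameChecking
# Label the window so it is clear which tenant this session is connected to
$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"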

 

Once successfully authenticated and connected to the compliance center, you can create a new action to delete the items found in the previous search.

This is done by using the following example:

New-ComplianceSearchAction -SearchName "Phishing" -Purge -PurgeType SoftDelete
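
Because a purge removes whatever the search matched, it is worth checking the search result before running the action. The following is an added example, not part of the original post; it assumes the remote session above is already imported, and the function name Invoke-GuardedPurge and the MaxItems threshold are hypothetical.

```powershell
# Added example: refuse to purge unless the search finished and the hit count is plausible.
function Invoke-GuardedPurge {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SearchName,
        [int]$MaxItems = 50   # assumption: tune to the expected size of the incident
    )

    $search = Get-ComplianceSearch -Identity $SearchName -ErrorAction Stop

    if ($search.Status -ne 'Completed') {
        throw "Search '$SearchName' is in state '$($search.Status)'; wait for it to complete."
    }
    if ($search.Items -eq 0) {
        Write-Warning "Search '$SearchName' matched no items; nothing to purge."
        return
    }
    if ($search.Items -gt $MaxItems) {
        throw "Search '$SearchName' matched $($search.Items) items (limit $MaxItems). Narrow the conditions first."
    }

    # Same command as in the post; the confirmation prompt is left in place on purpose.
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete | Out-Null

    # The purge action is named '<SearchName>_Purge'; poll it for up to five minutes.
    for ($i = 0; $i -lt 20; $i++) {
        $action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
        if ($action.Status -eq 'Completed') { break }
        Start-Sleep -Seconds 15
    }
    $action | Select-Object Name, Status, Results
}

Invoke-GuardedPurge -SearchName 'Phishing'
```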

 

Bitlocker Powershell Script to check encryption status | Thanks Jijo Chacko

Big thanks to “Jijo Chacko” for sharing this script with me.  Very useful to check the Bitlocker encryption status of computers in your environment. 

 

 

Function Get-BitlockerInfo
{
    <#
    .SYNOPSIS
    Retrieves Bitlocker Encryption information.
    .DESCRIPTION
    Retrieves Bitlocker Encryption information from Multiple computers.
    .PARAMETER Machinelist
    File name and path of the file contains machine information.
    .PARAMETER LogfileName
    File name and path of the CSV file the results are written to.
    .EXAMPLE
    Get-BitlockerInfo -Machinelist C:\Users\jijo\Desktop\Check.txt -LogfileName C:\Users\jijo\Desktop\Bitlocker.csv
    .NOTES
    B.N.E = Bit-locker Not Enabled
    Created by: Jijo Chacko,jijochacko2005@gmail.com
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)][string]$Machinelist,
        [Parameter(Mandatory=$True)][String]$LogfileName
    )
    Clear-Host
    $machines = Get-Content -Path $Machinelist
    $Bitlockerforprint = @()
    Foreach ($Computer in $Machines)
    {
        # Only query machines that answer a single ping
        $ping = Test-Connection $Computer -Count 1 -ErrorAction SilentlyContinue
        if ($ping.statuscode -eq 0)
        {
            Try
            {
                # Query the C: volume remotely and pick out the lines of interest
                $EncryptionStatus = Manage-bde -computername $Computer -status C:
                $Size = $EncryptionStatus | Where-Object { $_ -like '*Size:*' }
                If ($size -ne $null)
                {
                    # The value starts at column 26 of each manage-bde status line
                    $Newsize = $size.Substring(26)
                }
                Else
                {
                    $Newsize = "B.N.E"
                }
                $Conversionstatus = $EncryptionStatus | Where-Object { $_ -like '*Conversion Status:*' }
                If ($Conversionstatus -ne $null)
                {
                    $newConversionstatus = $Conversionstatus.Substring(26)
                }
                Else
                {
                    $newConversionstatus = "B.N.E"
                }
                $Percentage = $EncryptionStatus | Where-Object { $_ -like '*Percentage Encrypted:*' }
                If ($Percentage -ne $null)
                {
                    $newpercentage = $Percentage.Substring(26)
                }
                Else
                {
                    $newpercentage = "B.N.E"
                }
                $Protectionstatus = $EncryptionStatus | Where-Object { $_ -like '*Protection Status:*' }
                If ($Protectionstatus -ne $null)
                {
                    $newprotectionstatus = $Protectionstatus.Substring(26)
                }
                Else
                {
                    $newprotectionstatus = "B.N.E"
                }

                # Collect one result row per computer
                $details = New-object psobject
                $details | Add-Member -Type NoteProperty -Name "Computer Name" -Value $Computer
                $details | Add-Member -Type NoteProperty -Name Size -Value $Newsize
                $details | Add-Member -Type NoteProperty -Name "Percentage Completed" -Value $newpercentage
                $details | Add-Member -Type NoteProperty -Name "Protection Status" -Value $newprotectionstatus
                $details | Add-Member -Type NoteProperty -Name "Conversion Status" -Value $newConversionstatus
                $Bitlockerforprint += $details
                $Newsize = $null
                $newpercentage = $null
                $newprotectionstatus = $null
                $newConversionstatus = $null
            }
            Catch
            {
                Write-Host ($_.Exception.Message) -ForegroundColor Red
            }
        }
        Else
        {
            Write-Warning "Destination Host Unreachable $Computer "
        }
    }
    # Show the results on screen and append them to the CSV log
    $Bitlockerforprint | Select-Object "Computer Name",Size,"Percentage Completed","Conversion Status","Protection Status" | format-table -AutoSize
    $Bitlockerforprint | Select-Object "Computer Name",Size,"Percentage Completed","Conversion Status","Protection Status" | Export-Csv $LogfileName -force -encoding "unicode" -NoClobber -Append
}
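
When reading the results, note that a volume can report "Fully Encrypted" while its protection is off (for example when BitLocker is suspended), so both fields need checking. The following is an added example, not part of Jijo Chacko's script; it parses manage-bde status text by field name instead of a fixed column, the sample output is constructed, English-language output is assumed, and the function name ConvertFrom-ManageBdeStatus is hypothetical.

```powershell
# Added example. Constructed sample: encrypted volume with protection switched off.
$sampleOutput = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.87 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
'@ -split "`r?`n"

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = @{}
    foreach ($line in $Lines) {
        # "    Field Name:   value" becomes a key/value pair, whatever the column width
        if ($line -match '^\s+(?<name>[^:]+):\s+(?<value>\S.*)$') {
            $fields[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }

    $encrypted = $fields['Conversion Status'] -eq 'Fully Encrypted'
    $protected = $fields['Protection Status'] -eq 'Protection On'

    [pscustomobject]@{
        Size                = $fields['Size']
        ConversionStatus    = $fields['Conversion Status']
        PercentageEncrypted = $fields['Percentage Encrypted']
        ProtectionStatus    = $fields['Protection Status']
        # Compliant only when the data is encrypted AND the key protectors are active
        Compliant           = ($encrypted -and $protected)
    }
}

ConvertFrom-ManageBdeStatus -Lines $sampleOutput | Format-List

# Against a remote machine (the computer name is a placeholder):
# ConvertFrom-ManageBdeStatus -Lines (manage-bde -computername PC01 -status C:)
```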

Install Microsoft SQL on Linux – Ubuntu Server

I recently had the pleasure of installing Microsoft SQL Server on Linux – Ubuntu Server. This was a very straightforward install and it just works. The following steps are what were taken to install and configure this server.

My Setup:

  • Ubuntu 17.10 Server – VMware Template
  • Network Connectivity
  • SQL Server Management Studio 17 – Testing connectivity to SQL Server

Prerequisites:

  • Ubuntu Linux Server – Memory: 3.25, Disk Space: 6GB, CPU (x64): 2 Cores
  • Internet Access – Offline Installs are also possible
  • Root or SU Access
  • Time – 5-6 Minutes

Steps:

  1. Log into Ubuntu Linux server via console or SSH (Preferred), su into root
  2. We need to import the repository GPG keys by first downloading and adding them with the following command: curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
  3. Next we register the repository by entering: add-apt-repository "$(curl https://packages.microsoft.com/config/ubuntu/16.04/mssql-server-2017.list)"
  4. Next we need to update the repository list and install SQL Server with the following command: apt update && apt install mssql-server -y
  5. After the SQL Server package has finished installing, you will be instructed to run mssql-conf setup to choose the SQL Server edition you will be installing and to set the password credentials.  This is done by issuing the following command: /opt/mssql/bin/mssql-conf setup
  6. Optional – Open your firewall if enabled to allow for SQL’s TCP/1433 from remote hosts.
  7. Test connecting to your newly installed SQL Server via SSMS.
  8. Done!
