Harry Cobb

Are Too Many Companies Putting Identity and Access at Unnecessary Risk in Their Move to the Cloud?

I was chatting with the CSO of a Fortune 500 company a couple of weeks ago and the topic came around to cloud services. Her company is famously cloud-averse.

“I know you guys don’t do cloud,” I began, “but are you moving to Office 365?”

“Probably. Eventually. I think we’re going to get dragged there whether we want to go or not,” she replied.

Microsoft Office has long been the most popular business productivity software suite. Now the Redmond-based giant is aggressively promoting their cloud-based version, Office 365, to organizations of all sizes. The promise of Office 365 is better collaboration (do we really need to email 12Mb Word docs around all the time?), which should increase user productivity. In theory, creative employees can use it to collaborate anytime, anywhere, from any device.

For small businesses particularly, the lure of a few dollars each month for the cloud version instead of hundreds of dollars per employee for the desktop suite is a huge temptation and given the choice, they’ll just go with it. I would, skinflint that I am.

But larger organizations, such as the one run by the CSO I was chatting with, want to be more proactive about their cloud security. And she’s right to think that way; most Office 365 deployments result in user credentials (including C-level usernames and passwords) going to the cloud whether they mean to or not.

Don’t believe me? Let’s look at the three identity and access management models used by Office 365.

Cloud Identity Model – All your passwords belong to Microsoft.

The simplest Office365 identity model is the Cloud Identity Model, where user names and passwords are managed solely in the cloud with Office 365 creating a user identity. The user identity is stored in and verified by Azure Active Directory.

Synchronized Identity Model – Passwords hashed on-premises and in the cloud.

In the Synchronized Identity Model, an organization’s on-premises server manages user identity, while the user account and password hashes are synchronized to Azure AD. Users enter the same password on premises as they would in the cloud, with their password hashes verified by Azure Active Directory.

Federated Identity Model—The most secure, but still sees mobile user passwords.

The Federated Identity Model is the most secure method to access Office 365. It is similar to the Synchronized Identity Model but uses an on-premises identity provider to verify the user password hash. That means the password hash does not need to be synchronized to Azure Active Directory.

The Federated Identity model suffers from a mobile client password gap. Nearly all mobile email clients use the ActiveSync protocol. ActiveSync doesn’t support federation and transmits the user password to Azure AD. Azure AD sends the password back to the on-premises identity manager for verification over an encrypted tunnel, but is that good enough?

What’s the Threat Model Here, Anyway?

Here’s a short list of possible threat vectors you’d consider if you were doing a threat model assessment for any of the cloud password management models (including the three above):

· Cloud breach

· Man-in-the-middle attack

· Rogue cloud employee

· Nation-state (subpoena)

· Accidental credential logging

· Phishing attack

Where possible, Microsoft has clearly done what it can to avoid seeing user passwords, but they still do. And there are plenty of examples of all of the above threats being realized. Whether or not these threat vectors fall into your assessment model is up to your organization.

Closing the Gap

Many organizations have decided that they are comfortable with this gap. No model is 100 percent secure, right? But a few CSOs want to close the gap before they make the switch. Right now, the way to do it is to intercept and proxy ActiveSync connections from the client to an on-premises proxy which then encrypts the passwords before they transit to Azure AD.

The final step is to implement adaptive multi-factor authentication (MFA). Adaptive MFA is risk-based authentication and can include certificate checks and context-aware, one-time passwords (OTP) via email.

Most organizations say they support MFA but when you drill down, they’re only providing it to select users (C-levels, hopefully, and IT, and a few others). MFA that covers only some users isn’t ideal, but it’s better than no MFA at all.
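As an added example that is not part of the original column: a tenant-admin check that maps each verified domain to the three identity models described above and then measures how many users have no per-user MFA requirement. It assumes the MSOnline module is installed and that Connect-MsolService has already been run.

```powershell
# Added example (not from the original column). Reports which of the three
# identity models a tenant's verified domains use, then how many users have
# no MFA requirement at all. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run as a tenant administrator.
Import-Module MSOnline

$company = Get-MsolCompanyInformation   # DirectorySynchronizationEnabled / PasswordSynchronizationEnabled
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }

# Map tenant-level sync settings plus per-domain authentication type to the
# model names used in the article.
$domains | ForEach-Object {
    $model = if ($_.Authentication -eq 'Federated') {
        # Password verified on-premises; ActiveSync clients still send it via Azure AD
        'Federated Identity'
    } elseif ($company.DirectorySynchronizationEnabled -and $company.PasswordSynchronizationEnabled) {
        'Synchronized Identity (password hashes copied to Azure AD)'
    } elseif ($company.DirectorySynchronizationEnabled) {
        'Synchronized accounts without password hash sync (verify on-premises setup)'
    } else {
        'Cloud Identity (passwords managed solely in Azure AD)'
    }
    [pscustomobject]@{ Domain = $_.Name; Model = $model }
} | Format-Table -AutoSize

# MFA coverage: users whose StrongAuthenticationRequirements list is empty have
# neither 'Enabled' nor 'Enforced' per-user MFA.
$users = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }
$noMfa = $users | Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 }
$pct   = if ($users.Count) { [math]::Round(100 * $noMfa.Count / $users.Count, 1) } else { 0 }
"{0} of {1} enabled users ({2}%) have no per-user MFA requirement" -f $noMfa.Count, $users.Count, $pct
$noMfa | Select-Object UserPrincipalName, IsLicensed | Sort-Object UserPrincipalName
```

This only sees per-user MFA state; MFA enforced through conditional-access policies is not reported by these cmdlets.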

Cloud Should Be More Than Someone Else’s Computer

Getting back to the conversation with that CSO. Even though her organization is famously cloud-averse, she knows they’re going to end up editing Word documents and PowerPoint files in the cloud. When they do, there will be no turning back. Her staff’s real challenge will be managing the risk before, and when, that happens.


David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.


SecurityWeek RSS Feed

Using PowerShell for managing remote computers quickly and efficiently has been one of its main advantages. If you’re not familiar with it, these commands will get you up to speed.

Sure, you’ve heard about this PowerShell thing for years, but the OS is called Windows, not Shells, and the GUI and you have been friends for years. After all, you spent good money on your mouse and you’re going to get your money’s worth out of it. I get it, I too have resisted for years dropping to the prompt in Windows, which is strange considering I feel very comfortable in BASH.

To help you see the value in this, I wanted to share eleven very useful PowerShell commands you can use to remotely manage Windows machines. That’s right, you don’t have to RDP into a server and then open PowerShell. You can do it all from your desktop and still run PS cmdlets on remote systems. And some of those cmdlets are dead useful. So, if this sounds like something you could use, read on!

Of course, you should have PowerShell on your local machine, have your remote machine enabled for remote PowerShell, and have admin rights to the systems you want to remotely manage. And if you’re going to run scripts, you may want to adjust the execution policy. Here’s how to get that all lined up.

Download the latest version of PowerShell from Microsoft and install it. All current versions of Windows should have PowerShell, but the latest version is worth installing, and you can get that as a part of the Windows Management Framework 5.0 from https://www.microsoft.com/en-us/download/details.aspx?id=50395.

Make sure that for all computers you wish to manage remotely the WinRM service is set to start automatically and is running. You can do this in the services.msc GUI, or through local PowerShell (admin) using this cmdlet: set-service winrm -startuptype automatic

Enable remote PowerShell management on the machines to be managed using that same PowerShell (admin) session: Enable-PSRemoting -Force

If you need to set that on multiple computers, see our post http://www.gfi.com/blog/how-to-manage-your-servers-remotely-with-powershell/ for how to do this using a GPO.

Remember that, in addition to the above, if you’re executing remote commands on a server (or workstation) you need to have admin rights on that remote system, as well as your local system where you will be opening the PS session as an administrative one. If your account on the local machine is not an admin on the remote one, you will have to provide the explicit credentials for an account that is admin on the remote machine.

The first cmdlet is really the most important one for us, as it is what enables you to start a PS session on the remote machine. Click the title for the MSDN page with all the details, but here’s an example to get you started.

Enter-PSSession -ComputerName RemoteServer -Port 5353 -Credential Domain\Username

The cool thing is that your prompt will be updated to reflect the remote hostname as a reminder of which box you’re on when executing commands. The title for each of the cmdlets below is linked to the online documentation in case you want more information.

This very useful cmdlet lets you call scripts you have either saved to the remote machine, or can get to by drive or UNC path. You can use it instead of Enter-PSSession if you want to do a one-off, or use a comma-delimited list of computer names to run the same thing on multiple systems.

Invoke-Command -ComputerName RemoteServer -Credential Domain\Username -ScriptBlock { PScommand }

Just like it sounds, this cmdlet lets you retrieve and view the Event Log from a remote system (or of course locally) and filter based on type, ID, keyword, etc.

Get-EventLog -LogName System -InstanceId 0xc0ffee -Source "LSA"

Three cmdlets that are closely related, and let you see what processes are running, start new processes, and stop processes. These processes can be applications or scripts, and can be background or interactive on the Desktop.

Start-Process -FilePath "notepad" -Wait -WindowStyle Maximized

Another set of cmdlets that are best together, with which you can query what volumes are attached to a system and manipulate them, including mounting/dismounting and changing drive letters. How often do you need to check free disk space across all your servers?

Get-Volume -DriveLetter C

These two cmdlets can get and modify the ACL on any resource, be it file system or registry. This can simplify auditing, configuration, and specific settings for applications deployed on multiple systems.

Get-Acl -Path "HKLM:\System\CurrentControlSet\Control" | Format-List

These two do exactly what it sounds like they do. Bounce or shutdown the remote machine as appropriate.

Restart-Computer -ComputerName "Server01", "Server02", "Server03"

Would not PING by any other name be just as good? Probably, and in this case, there are some useful parameters that you can use in scripts to first confirm a system is up before trying to do something else, or to just test a connection from a user’s workstation without having to first explain to them how to open a CMD prompt and then how to spell PING.

Test-Connection -ComputerName "Server01" -Count 3 -Delay 2 -TTL 255 -BufferSize 256 -ThrottleLimit 32

Similar to the cmdlets that manipulate processes, these two can query and set the services on the remote system, like using services.msc.

Get-Service | Where-Object { $_.Status -eq "Running" }

This cmdlet can let you feed a number of lines into a run block, or invoke a PS1 script accessible on the remote machine by file path.

Start-Job -FilePath "c:\scripts\sample.ps1"

11. Set-RemoteDesktopConfig

And just in case you really need that GUI (I certainly do) you can use Set-RemoteDesktopConfig to enable and configure RDP on servers. This is very useful considering that it’s off by default, even with Server 2016.
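Putting the cmdlets above together, as an added example that is not from the GFI post: check which servers answer, then collect disk, service and event-log state from all of them in a single Invoke-Command. The server names are placeholders; it assumes WinRM is enabled on each host and that the credential you enter is an administrator there.

```powershell
# Added example (not from the original post). Inventory several remote servers
# in one pass using Test-Connection, Invoke-Command, Get-Volume, Get-Service and
# Get-EventLog. Server names are placeholders; assumes WinRM is enabled and the
# supplied credential has admin rights on every host.
$servers = 'Server01', 'Server02', 'Server03'   # placeholder hostnames
$cred    = Get-Credential -Message 'Account with admin rights on the remote machines'

# Only talk to hosts that answer; -Quiet makes Test-Connection return $true/$false.
$online  = @($servers | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })
$offline = @($servers | Where-Object { $_ -notin $online })
if ($offline) { Write-Warning "Unreachable: $($offline -join ', ')" }
if (-not $online) { throw 'No reachable servers; nothing to do.' }

# One script block runs on every reachable host in parallel. Each result object
# gets a PSComputerName property added by Invoke-Command, so rows stay attributable.
$report = Invoke-Command -ComputerName $online -Credential $cred -ErrorAction Continue -ScriptBlock {
    $vol = Get-Volume -DriveLetter C
    $svc = Get-Service -Name WinRM, Spooler -ErrorAction SilentlyContinue
    $evt = Get-EventLog -LogName System -EntryType Error -Newest 5 -After (Get-Date).AddDays(-1)
    [pscustomobject]@{
        FreeGB       = [math]::Round($vol.SizeRemaining / 1GB, 1)
        TotalGB      = [math]::Round($vol.Size / 1GB, 1)
        Services     = ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ';'
        RecentErrors = @($evt).Count
        LastBoot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

$report |
    Select-Object PSComputerName, FreeGB, TotalGB, Services, RecentErrors, LastBoot |
    Sort-Object FreeGB |
    Format-Table -AutoSize

# Flag hosts that need attention; the 10 GB threshold is an arbitrary placeholder.
$lowDisk = @($report | Where-Object { $_.FreeGB -lt 10 })
if ($lowDisk) { Write-Warning "Low disk on: $($lowDisk.PSComputerName -join ', ')" }
```

Hosts that reject the credential or have WinRM disabled produce a non-terminating error and simply have no row in the table, so compare the row count against $online when auditing.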

Of course, there are a couple of alternatives to learning the PS names for the cmdlets that do the things you’ve done for years in the cmd prompt. The first is to use PSEXEC from Microsoft to simply run commands remotely on target computers. I’ve been doing that for years and have a hard time convincing myself to use PowerShell when PSEXEC works so well. But since PowerShell is the future, I am trying to do the right thing.

The second is to use the PowerShell cmdlet set-alias to create cmd prompt-like names for the PS cmdlets you are using, so at least you can work with familiar commands. There are a ton of aliases already set in PS. Just enter alias in a PS session to see what is already set. Either way, you have remote cmd-line management in the bag.



GFI Blog

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.

Cobalt hackers are behind synchronized ATM heists

Setup and execution of the attacks

The group sent out spear-phishing emails – purportedly sent by the European Central Bank, the ATM maker Wincor Nixdorf, or other banks – to the target banks’ employees. The emails delivered attachments containing an exploit for an MS Office vulnerability.

“If the vulnerability is successfully exploited, the malicious module will inject a payload named Beacon into memory. Beacon is a part of Cobalt Strike, which is a multifunctional framework designed to perform penetration testing. The tool enables perpetrators to deliver the payload to the attacked machine and control it,” the researchers explained in a recently released paper.

Additional methods and exploits were used to assure persistence in the targeted machines, to gain domain administrator privileges, and ultimately to obtain access to the domain controller. From that vantage point, they were able to obtain Windows credentials for all client sessions by using the open source Mimikatz tool.

The attackers would ultimately gain control over a number of computers inside the bank’s local network. Some of them are connected to the Internet, and others not, but the latter would receive instructions from the central Cobalt Strike console through the former.

“After the local network and domain are successfully compromised, the attackers can use legitimate channels to remotely access the bank, for example, by connecting to terminal servers or via VPN acting as an administrator or a standard user,” the researchers noted. The attackers have also installed a modified version of the TeamViewer remote access tool on the compromised devices, just in case.

Once constant access was assured, the criminals searched for workstations from which they could control ATMs. They would load the ATMs with software that allows them to control cash dispensers.

The final strikes happened in a few hours on the same day, when money mules would go to the targeted ATMs, send an SMS with the code identifying the ATM to a specific phone number, the criminals would make it spit out all the cash, and the mules would leave with it.

Some interesting things about the gang’s capabilities

The Cobalt gang uses a number of legitimate, open and closed source tools – Cobalt Strike (a tool for penetration testing), Mimikatz, SDelete (a free tool available on the Microsoft website that deletes files beyond recovery), and TeamViewer.

“Once an ATM is emptied, the operator launches the SDelete program, which removes files used with a special algorithm, which prevents information from being recovered. Thereafter, the ATM restarts,” the researchers explained. “In addition, operators disable the bank’s internal servers involved in the attack using the MBRkiller malware that removes MBR (master boot record). Such a careful approach significantly complicates further investigation.”

The ATM manipulation software also contains code that allows it to record a log containing information about the banknotes dispensed – the gang obviously does not trust the money mules to correctly report the amount that was stolen from each ATM.

Which banks were hit?

IB Group did not name them, but only noted that they are based in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, the UK and Malaysia.

According to Reuters, Diebold Nixdorf and NCR, the world’s two largest ATM makers, have provided banks with information on how to prevent or at least minimize the impact of these attacks.

It is unknown how much money the group was able to steal.


Help Net Security

Bugtraq ID: 94455
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2016-7433
Remote: No
Local: Yes
Published: Nov 21 2016 12:00AM
Updated: Nov 22 2016 12:12AM
Credit: Brian Utterback of Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
Vulnerable: NTP 4.3.93, 4.3.92, 4.3.90, 4.2.8p8, 4.2.8p7, 4.2.8p6, 4.2.8p5, 4.2.8p4, 4.2.8p3-RC1, 4.2.8p3, 4.2.8p2, 4.2.8p1, 4.2.8, 4.2.7p385, 4.1.2
Not Vulnerable: NTP 4.3.94, 4.2.8p9


SecurityFocus Vulnerabilities

Oracle today announced that it has signed an agreement to acquire Dyn, a cloud-based Internet Performance and DNS provider that monitors, controls, and optimizes Internet applications and cloud services.

Oracle buys Dyn

Dyn’s solution is powered by a global network that drives 40 billion traffic optimization decisions daily for more than 3,500 enterprise customers, including preeminent digital brands such as Netflix, Twitter, Pfizer and CNBC.

Adding Dyn’s DNS solution extends the Oracle cloud computing platform and provides enterprise customers with a one-stop shop for Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).

“Oracle already offers enterprise-class IaaS and PaaS for companies building and running Internet applications and cloud services,” said Thomas Kurian, President, Product Development, Oracle. “Dyn’s immensely scalable and global DNS is a critical core component and a natural extension to our cloud computing platform.”

“Oracle cloud customers will have unique access to Internet performance information that will help them optimize infrastructure costs, maximize application and website-driven revenue, and manage risk,” said Kyle York, Chief Strategy Officer, Dyn. “We are excited to join Oracle and bring even more value to our customers as part of Oracle’s cloud computing platform.”


Help Net Security

Mozilla has released Firefox Focus, an iOS app that lets you browse the Internet without having to worry who’s tracking your online activity.


The app can be used independently, or can be integrated with the existing (installed) Firefox and Safari apps (more details about the usage can be found here).

Firefox Focus blocks ad, analytics, and social trackers, as well as other content trackers (e.g. embedded videos, photo slideshows, and news article embeds that track users). It also blocks some parts of web pages from loading, or it loads them with different fonts (as it also blocks Web fonts). All of this results in faster loading of web content.

But the most important thing about this app is that it makes “private browsing” extremely easy to use.

“If you download Firefox Focus and start to browse, you will notice a prominent ‘Erase’ button in the upper right-hand corner of the screen. If you tap that button, the Firefox Focus app erases all browsing information including cookies, website history or passwords,” Denelle Dixon-Thayer, Mozilla’s Chief Legal and Business Officer, explains.

“Of course, you can erase this on any other browser but we are making it simple here – just one tap away,” she noted. “Burying the tools to clear browsing history and data behind clicks or taps means that fewer people will do it. By putting the ‘Erase’ button front and center, we offer users a simple path to healthy online behaviors — protecting their online freedom and taking greater control of their personal data.”

“We at Mozilla believe that protecting one’s privacy should be as simple as a single tap. Firefox Focus is an experiment to see what happens when we make this radically simple,” she concluded.


Help Net Security

The amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1.


PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months:

Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity.

Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities.

Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time.

During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, showing a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly-identified file type during the third quarter, with threat actors constantly evolving the ransomware to focus on keeping this malware’s delivery process as effective as possible.

“Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” explained Aaron Higbee, CTO at PhishMe. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties. Our research has shown that the quarter-over-quarter number of analyses has been on a steady increase since the malware’s introduction at the beginning of 2016. Thanks to its adaptability, it’s showing no signs of slowing down.”


While ransomware dominates the headlines, PhishMe’s Q3 Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016.

Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns.

Rohyt Belani, CEO at PhishMe added, “The rapid awareness of and attention to ransomware has forced threat actors to pivot and iterate their tactics on both payload and delivery tactics. This sustained tenacity shows that awareness of phishing and threats is not enough. Our research shows that without a phishing defense strategy, organizations are susceptible to not just the voluminous phishing emails used to deliver ransomware, but also the smaller and less-visible sets of emails used to deliver the same malware that has been deployed for years. We must empower people to act as both human sensors for detecting attacks and partners in preventing threat actors from succeeding.”


Help Net Security

Android spyware secretly collecting user data was found preinstalled on a budget smartphone sold through various retailers and although the company responsible claimed it was standard data collection, one expert said this software went overboard.

Researchers at Kryptowire, a mobile security firm jumpstarted by the Defense Advanced Research Projects Agency and the Department of Homeland Security, based in Fairfax, Va., said they first came across the mobile spyware on a $59 BLU R1 HD smartphone bought from Amazon. The Android spyware "collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent" under the guise of offering better spam filtering.

"These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. The firmware could target specific users and text messages matching remotely defined keywords," Kryptowire wrote in a blog post. "The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity there are less invasive ways to provide spam filtering.

"Filtering out spam messages and calls is a nice to have feature, but there are other technical approaches towards doing it besides forwarding full text messages and contact details, infringing on users privacy," Arsene said. "That's why metadata and message fingerprinting technologies exist, so that users' personal data is never sent as-it-is, protecting their privacy."

The company behind this firmware, and to whom the user data was sent, was Shanghai ADUPS Technology Co. Ltd., commonly known as ADUPS, which provides professional firmware over-the-air (FOTA) update services for smartphones. According to the ADUPS website, the company has 700 million active users worldwide.

ADUPS said BLU objected to the Android spyware collecting data without user consent in June 2016 and "ADUPS took immediate measures to disable that functionality on BLU phones." There was no comment on the use of this firmware on other Android devices, but ADUPS assured customers that "no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a BLU phone during that short period was deleted."

Arsene said the speed of the fix was commendable.

"From a technical perspective, declaring to have disabled the feature and removed all collected data in such a short time is commendable," Arsene said. "This means they knew what the problem was and how to quickly fix it."

ADUPS said in a statement that it takes "user privacy very seriously" and claimed the software in question was designed to help eliminate spam.

"In response to user demand to screen out junk texts and calls from advertisers, our client asked ADUPS to provide a way to flag junk texts and calls for users. We developed a solution for ADUPS FOTA application," ADUPS wrote in a blog post. "The customized version collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience. ADUPS FOTA application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user's contacts."

Arsene said data collection in general is not uncommon and can help to accurately deliver updates to specific devices in case security issues arise.

"However, users should always be notified when such information is being collected, as some might want to opt out and dismiss such features," Arsene said. "It's mandatory for any software provider to inform its customers in regards to what type of information they're collecting -- whether for marketing, commercial or for offering various functionalities. The fact that such a disclaimer was missing is a big deal as it borders [on] espionage malware practices."



SearchSecurity: Security Wire Daily News

Sticking to Windows 7 may seem logical for you and your company, but are you aware of all the features you’re missing out on, which can make daily system administration much easier?

Are you still on the fence about upgrading to Windows 10? Stubbornly sticking to Windows 7 and having no intentions of changing any time soon? Maybe you have some legacy applications that are preventing the move to newer Windows operating systems? Well, part of me cannot really blame you, since Windows 7 was a great operating system, and it may still fully meet the needs of your users.

But what about security, patching, administration? Is Windows 7 offering the same feature set as Windows 10? It may seem like a similar OS, but the newly introduced features brought many cool things, especially for IT professionals. In this post, we’ll give you an overview on some of the compelling features that Windows 10 brought, making the upgrade a good thing for you as a sysadmin, but also for your users.

But first, a word on supportability. Windows 7’s current Service Pack is SP1, and there’s no indication that there will ever be an SP2. Since SP1 came out in February 2011, and hit extended support in January 2015, that means that there won’t be any new features or capabilities introduced to Windows 7. With this in mind, the list below gains more importance.

Security patches will continue to be made available until January 2020, so you won’t be at an extended risk from hacks, as long as you patch regularly. But the longer you remain on Windows 7, the more likely you will run into applications you want to run, but cannot.

There are some great features that end users might not care about, but sysadmins will, and these can make a compelling case for the upgrade. Here are the top ones to consider:

1. Security features

Protecting user data and credentials has been upgraded to a totally new level in Windows 10, even in comparison with Windows 8, let alone the 7-year-old Windows 7 (yes, it’s been that long). Device Guard can help you protect against zero-day attacks in downloads, while Credential Guard helps defeat credential stealing, including the dreaded Pass the Hash and Golden Ticket attacks, by virtualizing the Local Security Authority (LSA).

Finally, Windows Defender ATP includes endpoint sensors, analytics, and intelligence to help manage your enterprise security. Combine these with specialized tools like GFI LanGuard to ensure your operating systems and third party apps are fully patched, and your environment just got a whole lot more secure.

2. Deployment scenarios

Windows 10 can be joined to a local domain and AD environment, or managed through a cloud-based Azure AD environment. This should be very appealing to companies with a more decentralized infrastructure or those that support BYOD and/or remote users. If you’re expecting a PC renewal streak in the next year, it’s obvious that these new deployment scenarios will make your job much simpler and faster, even with remote users.

3. New and improved functions

There have been several core functionality improvements with Windows 10 which raised the bar when it comes to data protection. Sure, BitLocker was introduced back in Windows Vista, but it has now been upgraded to support hard drives with physical encryption, bringing more resilience in remote restart scenarios, and protection against both brute force and cold-start attacks. There is also now support for individual file encryption.

4. Administrative enhancements

If you manage your users’ workstations with Group Policy, you will be amazed at the number of additional settings that you can now control using GPO in Windows 10. There are almost 200 of them in total, several of which address security in the operating system or modern versions of the Office suite. Admins can also use the Windows Management Framework 5 on Windows 10, which includes PowerShell 5, that has some big gains in performance and functionality over earlier versions.

5. Shell improvements

Two words regarding the command line. Copy and Paste. Sure, you could do some basic copy and paste in the Command Prompt before, but it used the console’s own mark-and-copy handling rather than the standard Windows shortcuts. Now with Windows 10, Ctrl+C and Ctrl+V work just like they do in any other Windows app. There are also more fonts available, and you now have transparency, which may have little to no practical value, but you know you want it.

Even better, for those of you who still have a Linux box because some things are just easier there, you can run the Ubuntu version of the Bash shell right on Windows. It’s not an emulator or a virtualized shell, or even PuTTY to another box – it’s the Bash shell, running right on your Windows machine.

If you are a power user, using Windows 7 with no plan on upgrading your PC to a newer OS, here are a few of the end user features you’re missing out on. Take a look and see how many of these you would like to have.

1. Better performance on same hardware

On the exact same hardware, Windows 10 runs better than Windows 7, with faster boot up times, smoother transitions from one application to the next, and overall better system performance. If you are trying to get another year or two of life from older hardware, but your users are complaining that their machines are too slow, a straightforward upgrade to Windows 10 will have both perceived and actual benefits for performance.

2. Virtual Desktops

While Linux users have had multiple virtual desktops for years, it’s something that has eluded Windows users unless they wanted to buy an alternative shell. That is, until now. Windows 10 includes multiple virtual desktops, so you can really spread out if you are multitasking. Even without the virtual desktops, the task switcher (Alt+Tab) has been greatly improved, so you can see at a glance what you have open.

3. Edge Browser

Internet Explorer is not dead yet, but Edge is going to give Firefox and Chrome some serious competition for best alternative to IE. Beating many of its competitors in speed, Edge has quickly become the “weapon of choice” of many IT pros sick of Chrome’s memory-eating nature.

4. DirectX 12

The next two features are for the serious gamers, but they are also serious features. Windows 10 has DirectX 12, which in addition to unlocking some new future capabilities, is 10 to 20% faster than DirectX 11 for the same games on the same hardware. That’s another serious performance boost to eke a little more life out of older hardware.

5. Xbox One Streaming

And if you have an Xbox One, you can run your Xbox One games on your console, but play them from your laptop or desktop running Windows 10. This will solve many an argument with roommates or parents, and might even be a welcome boost for those who work from home, but need something to do while their “code compiles.”

Looking at just these 10 features that we’ve highlighted, and there are more of them, it seems that Windows 10 has a lot to offer both you and your users over Windows 7. If the reasons above aren’t enough to convince you, that’s okay, but sooner or later you will come across that third-party application or piece of hardware that won’t run on W7, and you know the clock is ticking on support. So, keep your eye on the calendar, and consider at least using Windows 10 on your new and redeployed systems, or you may find yourself in a situation where you have to upgrade everyone quickly, and that would be painful for all of you.

GFI Blog

Dan Tentler at Kiwicon. Image: Darren Pauli / The Register.

Kiwicon: When Dan Tentler hacked writer Kevin Roose's Mac, his chief problem wasn't trying to pop the shell; it was trying to rein in the hundreds of shells he spawned.

Tentler had been tasked with breaching Roose's computer for a documentary showcasing penetration testers' ability to compromise users.

Tentler, also known as "Viss", told the Kiwicon hacking conference in Wellington today how he manually wrote exploits to gain access to Roose's laptop after discovering it was a Mac, but soon had access to his webcam, email, and Nest CCTV cameras.

"Shells were spawning everywhere, hundreds, so I had to write some scripts to shut them down," Tentler told the conference.

"You can do a lot of damage, but a lot of it is manual [hacking]."

With Roose's laptop boned, Tentler set about pushing limits. He set the Mac's text to speech tool to utter various sentences to mess with the writer. In one instance he made the computer say "wouldn't it be funny if I started talking to you" while Roose was in a cafe, frightening the life out of the unsuspecting writer.

In another, he made the computer remark "you look bored" after spying on him through his open webcam.

Tentler continued the absurdity by getting one of his friends to drive to Roose's house and stand in front of the writer's now compromised webcams with a sign reading "Viss was here". ®

The Register - Security