The first malware program to lock up people’s files and ask for a ransom was the PC Cyborg Trojan in 1989.
It was created by Harvard-trained evolutionary biologist Dr. Joseph Popp, who was working on several AIDS-related projects at the time. Dr. Popp sent a floppy disk containing a program covering AIDS information, teaching, and testing to tens of thousands of mailing list subscribers.
At startup, a crude EULA warned users they had to pay for the program, and the author reserved the legal right to "ensure termination of your use of the programs .... These program mechanisms will adversely affect other program applications on microcomputers." Most people didn't read the EULA and ran the program without paying for it. After 90 boots, the program hid the directories on the C: drive and scrambled the file names with a simple, reversible cipher, leaving the data inaccessible, and demanded that $189 be sent to a post office box in Panama.

Ransomware evolution

Early ransomware used symmetric key encryption, and the cipher algorithm was often poorly constructed.
Analysts could frequently break it outright, and because the same symmetric key was built into every copy, extracting the key from one sample unlocked every computer that family had touched. Eventually, ransomware authors learned to use public key cryptography, in which the malware carries only the attacker's public key and the matching private key never leaves the attacker, and they started to use popular, well-known, well-tested cipher algorithms. A fresh key was generated for each infection and encrypted with the attacker's public key, so recovering one victim's key no longer helped anyone else; that made ransomware a very difficult problem to solve. By the mid-2000s, tough-to-break ransomware was becoming common, but the problem of how the criminals would collect their money remained. Real money and credit card transactions can be traced. Enter CryptoLocker, the first widespread ransomware program to demand bitcoin payments.
CryptoLocker first appeared in 2013. When matched with randomly generated email addresses and “darknet” pathways, it became almost impossible to catch ransomware hackers. Ransomware writers and distributors are now making tens, if not hundreds of millions, of dollars off their victims. These days ransomware keeps getting more dangerous and targeted. Ransomware programs are now being developed to attack specific types of data, such as database tables, mobile devices, IoT units, and televisions.
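The shift described above, from one symmetric key shared by every victim to a per-victim key wrapped with the attacker's public key, is easiest to see in code. The following is an added illustration, not code from the article or from any ransomware family; both ciphers are deliberately toy (a SHA-256 counter keystream stands in for the symmetric cipher, textbook RSA with 128-bit primes for the key-wrapping scheme) so that it runs on the Python standard library alone, and the embedded key and sample files are constructed.

```python
"""Why per-victim key wrapping ended the era of universal ransomware decryptors.
Added illustration with toy ciphers; not from any real ransomware family."""
import hashlib
import random
import secrets


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream. The same
    call encrypts and decrypts. Illustration only, not a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin, adequate for a demo keypair, not for production keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keypair(bits: int = 128):
    """Textbook RSA (no padding, tiny primes): demo only. Returns
    ((e, n), (d, n)); the private half stays with the attacker."""
    def prime() -> int:
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


# Generation 1: one symmetric key baked into every copy of the malware.
# Constructed value; this is what a disassembler pulls out of the sample.
EMBEDDED_KEY = b"same key in every sample"


def gen1_infect(files: dict) -> dict:
    return {name: stream_xor(EMBEDDED_KEY, data) for name, data in files.items()}


def gen1_universal_decryptor(encrypted: dict, key_from_one_sample: bytes) -> dict:
    """Recovering the key from any one sample unlocks every victim at once."""
    return {name: stream_xor(key_from_one_sample, data)
            for name, data in encrypted.items()}


# Generation 2: a fresh key per victim, wrapped with the attacker's public key.
ATTACKER_PUB, ATTACKER_PRIV = rsa_keypair()


def gen2_infect(files: dict):
    """Returns the encrypted files and the wrapped key; the plaintext key is
    discarded, so the victim machine holds nothing that decrypts them."""
    victim_key = secrets.token_bytes(15)        # 120 bits, below the 256-bit modulus
    e, n = ATTACKER_PUB
    wrapped = pow(int.from_bytes(victim_key, "big"), e, n)
    encrypted = {name: stream_xor(victim_key, data) for name, data in files.items()}
    del victim_key
    return encrypted, wrapped


def gen2_attacker_unwrap(wrapped: int) -> bytes:
    """Only the holder of the private exponent can recover the victim key."""
    d, n = ATTACKER_PRIV
    return pow(wrapped, d, n).to_bytes(15, "big")


def gen2_decrypt(encrypted: dict, victim_key: bytes) -> dict:
    return {name: stream_xor(victim_key, data) for name, data in encrypted.items()}


def analyst_has_only_public_material(wrapped: int) -> bytes:
    """What a sample gives an analyst: e and n, plus the wrapped key. Applying
    the public exponent again does not unwrap anything."""
    e, n = ATTACKER_PUB
    return pow(wrapped, e, n).to_bytes(32, "big")
```

The first generation fails because the decryption secret ships inside the malware; the second keeps the only useful secret on the attacker's side and leaves the victim holding ciphertext plus a key they cannot open, which is exactly why a single leaked key stopped helping everyone.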
Defeating ransomware

First, verify that you have actually been hit by ransomware. Less sophisticated programs merely take over your current browser session or computer screen. They make the same blackmail claims as real encrypting ransomware, but they don't touch your files. All you need to do is reboot the computer and/or use a program like Process Explorer to find and remove the malicious file.

Nothing beats a good backup. Nothing beats a current, offline backup. The "offline" part is important because many ransomware programs will look for your online backups and render them unusable, too.

Get patched. Keeping your system fully patched is a great way to prevent any malware from infecting your computer. But make sure they are real patches from the real vendors; fake "patches" offered in pop-ups and email are a common ransomware lure.

Don't get tricked. Don't let yourself be socially engineered into installing ransomware. In other words, don't install anything sent to you in email or offered to you when visiting a website. If a website says you need to install something, either leave the website and don't go back, or leave the website and install the software directly from the legitimate vendor's site. Never let a website install another vendor's software for you.

Use antimalware software. Everyone needs to run at least one antimalware program. Windows comes with Windows Defender, and there are dozens of commercial competitors and some good free ones. Ransomware is malware; antimalware software can stop the majority of variants before they run.

Use a whitelisting program. Application control or whitelisting programs stop any unauthorized program from executing, and they are probably the best defense against ransomware (besides a good offline backup). Although many people think application control is too cumbersome to use, expect it to become much more accepted as ransomware continues to grow, at least in business computing. The days of allowing employees to run any program they want are numbered.

What to do if you're locked up

If all your critical data is backed up and safe, you'll be back in business in a few hours. You'll still need to reformat/reset/restore your device, however, and that process gets easier with each new operating system version. Using another safe, uninfected computer, reinstall or reset the device, apply all critical security patches, restore your data from the backup, and resolve never to repeat whatever got the device locked up in the first place. If you don't have a clean backup copy of your critical data and absolutely need the data, you have two options: find an unlock key or pay the ransom. Using another safe, trusted computer, research as much as you can about the particular ransomware variant you have.
The screen message presented by the ransomware, together with the extension appended to the encrypted files and the name of the ransom note, will help you identify the variant. If you're lucky, your variant may already have been unlocked. Many antimalware vendors have programs that detect and unlock ransomware, if the program recognizes the variant and has the unlock key. Run that program first; it may take an offline scan to get rid of the ransomware.
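Before spending time on variant research, it is worth confirming that files really are encrypted (a screen locker, as noted above, leaves them alone) and collecting the identifiers the lookup needs. The following triage helper is an added example, not code from the original article: it flags files whose format header is gone and whose content is near-random, records the appended extension and ransom-note names, and builds two constructed sample trees to show both outcomes. The entropy threshold, note-name keywords and sample files are assumptions for the demo, not data from a real infection.

```python
"""Added triage helper: screen locker or real file encryption? Collects the
appended extension and ransom-note names needed for variant lookup.
Thresholds, keywords and the sample tree are constructed for the demo."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5          # bits per byte; ciphertext sits near 8.0, prose near 4.5
NOTE_KEYWORDS = ("readme", "decrypt", "how_to", "restore", "recover", "ransom")
NOTE_EXTS = {".txt", ".html", ".hta"}
DOC_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png"}
# A file that keeps its format header was not encrypted, however random its
# body: compressed formats such as JPEG and DOCX are high-entropy by nature.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
         ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """'note', 'encrypted' or 'intact'. Only the first 64 KiB is read."""
    ext = path.suffix.lower()
    if ext in NOTE_EXTS and any(k in path.stem.lower() for k in NOTE_KEYWORDS):
        return "note"
    with path.open("rb") as f:
        head = f.read(65536)
    magic = MAGIC.get(ext)
    if magic is not None and head.startswith(magic):
        return "intact"
    if len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"
    return "intact"


def triage(root: Path) -> dict:
    """Walk a tree and summarise what the variant research needs to know."""
    summary = {"encrypted": 0, "intact": 0, "notes": [],
               "appended_extensions": Counter(), "verdict": ""}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind = classify_file(p)
        if kind == "note":
            summary["notes"].append(p.name)
        elif kind == "encrypted":
            summary["encrypted"] += 1
            sfx = [s.lower() for s in p.suffixes]
            if len(sfx) >= 2 and sfx[-2] in DOC_EXTS:     # e.g. report.docx.locked
                summary["appended_extensions"][sfx[-1]] += 1
        else:
            summary["intact"] += 1
    summary["verdict"] = ("crypto-ransomware: files are encrypted" if summary["encrypted"]
                          else "no encrypted files: screen locker or something else")
    return summary


def build_demo(root: Path, encrypted: bool) -> None:
    """Constructed sample tree. encrypted=False mimics a screen locker that left
    the disk alone; encrypted=True mimics an encrypting family's output."""
    root.mkdir(parents=True, exist_ok=True)
    docs = {"report.docx": b"PK\x03\x04" + b"word/document.xml" * 200,
            "notes.txt": b"meeting minutes, action items\n" * 100,
            "photo.jpg": b"\xff\xd8\xff\xe0" + os.urandom(4096)}
    for name, body in docs.items():
        if encrypted:
            # os.urandom stands in for ciphertext: header gone, entropy near 8
            (root / f"{name}.locked").write_bytes(os.urandom(len(body)))
        else:
            (root / name).write_bytes(body)
    if encrypted:
        (root / "HOW_TO_RESTORE_FILES.txt").write_text(
            "Your files are encrypted. Pay to recover.\n")


def run_demo() -> tuple:
    """Triage both constructed trees: (screen_locker_summary, crypto_summary)."""
    with tempfile.TemporaryDirectory() as d:
        build_demo(Path(d) / "locker", encrypted=False)
        build_demo(Path(d) / "crypto", encrypted=True)
        return triage(Path(d) / "locker"), triage(Path(d) / "crypto")
```

The header check matters more than the entropy number: photos, office documents and archives are already close to 8 bits per byte, so entropy alone would call a healthy laptop "encrypted". The appended extension and note file name reported by `triage` are what the vendor decryptor pages and identification services key on.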
Several websites also offer unlocking services, free and commercial, for particular ransomware variants. Also, believe it or not, ransomware distributors occasionally apologize and release their own unlocking programs. Lastly, many people choose to pay the ransom to recover their files. Most experts and companies recommend against paying because it only encourages the ransomware creators and distributors, yet quite often it works. It's your computer and data, so it's up to you whether to pay. Be aware that in many cases people have paid up and their files have remained encrypted, but these cases seem to be in the minority: if ransomware didn't unlock files after payment, word would spread and the attackers would make less money. I hope you never become a ransomware victim.
The odds of infection, unfortunately, are getting worse as ransomware gains popularity and sophistication.
Some antivirus companies that are big in Europe don't get as much mindshare here in the US.
G Data is one such security software maker.
According to the G Data website, G Data developed the very first antivirus in 1985; while some dispute that claim, the company has clearly been around for a while.
G Data Antivirus 2017 is the company's latest, and it does a good bit more than the basics of antivirus protection.
At $39.95 per year for a single license, G Data is in good company price-wise.
Bitdefender, Kaspersky Anti-Virus, Norton, and Webroot are among the numerous products at that price point.
For another $10, you can install G Data on up to three PCs.
If you go for a multi-PC license, you create an account for the first installation, then log in to that account for the rest.
G Data's main window features a bold red banner across the top. Not red for danger, or for stop—it's just red.
The rest of the main window displays the status of the product's numerous protection features, in several groups.
A green checkmark icon indicates that the feature is fully active.
For a partially disabled component, the icon changes to a yellow exclamation point; a fully disabled feature gets a grey dash icon. Naturally, you want to see green across the board.
G Data participates in testing with three of the five independent testing labs that I follow.
In Virus Bulletin's RAP (Reactive And Proactive) test, it scored 85.19 percent.
The average score for products I follow is 81.99 percent, so G Data comes in above average. PC Pitstop PC Matic scored highest in the latest test, with 94.75 percent, but failed overall due to many false positives.
Testers at AV-Test Institute look at antivirus products from three different perspectives, assigning up to six points for each of the criteria.
G Data earned 6 points in the all-important protection category, and by avoiding false positives (detection of valid programs as malicious) it managed another six points for usability.
A small impact on performance dragged its score in that category down to five points, however.
The overall score of 17 points wasn't quite enough to earn it a Top Product rating, but it's good.
In that same test, Kaspersky scored a perfect 18 points.
Bitdefender, Quick Heal, and Trend Micro Antivirus+ Security got 17.5 points.
These four earned the designation Top Product.
Most of the lab tests I follow report a range of results. MRG-Effitas takes a different tack.
To pass the banking Trojans test, a product must protect against every sample used; anything less is failure. Over 70 percent of tested products fail, G Data among them.
Due to the binary pass/fail nature of this test, I give it less weight when calculating an aggregate lab score.
G Data's three lab results worked out to an aggregate score of 8.7 points, which is better than most companies manage. However, based on tests from all five labs, Kaspersky took 9.8 of 10 available points, the best aggregate score.
Avira Antivirus and Norton managed 9.7 points, each tested by three of the five labs.
Effective Malware Blocking
Your antivirus utility has many opportunities to save your PC from malware attack.
It can block access to the malware-hosting website, eliminate the threat on download, detect and delete known malware based on its signature, and even detect unknown malware based on behavior alone.
G Data includes all of these layers of protection, and my hands-on testing showed them in action.
In addition to scanning files on access, G Data scans your computer any time it's idle.
Between real-time protection and idle-time scanning, there isn't a screaming need for a full scan of your whole computer.
If you want a full scan, you click the Idle Time Scan link on the main window and choose Check Computer.
A full scan of my standard test system took an hour and 40 minutes, over twice the current average of about 45 minutes.
But once again, unless you actively suspect an infestation you should be able to just rely on the idle-time scan.
When I opened the folder containing my current collection of malware samples, G Data started examining them.
The process was slower than with many competing products, but clearly very thorough.
In most cases, it offered to quarantine the item as its default action; for a few, it advised simply blocking the file from execution.
By the time it finished, 97 percent of the samples were either quarantined or deactivated.
I keep a second set of samples on hand; these are modified versions of the originals.
To create each modified sample, I change the filename, append nulls to change the file size, and overwrite some non-executable bytes.
G Data detected all of the same samples, even in their tweaked form.
In addition, it detected all the remaining samples after execution, for a 100 percent detection rate. Webroot SecureAnywhere AntiVirus, F-Secure, and Ashampoo Anti-Virus 2016 also detected 100 percent of the samples. PC Matic also blocked 100 percent of the samples, but then, it blocks any unknown program.
Webroot managed a perfect 10 points in this test.
G Data, like F-Secure Anti-Virus, allowed a few executable traces to hit the test system, but the 9.8 points both of them earned is still very respectable.
For another view of each product's ability to protect against malware, I use a feed of current malware-hosting URLs supplied by MRG-Effitas.
I launch each URL in turn, discarding any that are defective, and noting whether the antivirus blocks access to the URL, wipes out the malware download, or fails to respond at all.
I keep at it until I've accumulated data for 100 malicious URLs.
G Data earned a 78 percent detection rate in this test, in most cases by blocking access to the malware-hosting URL.
That's just a middling score.
Symantec Norton AntiVirus Basic and PC Pitstop managed 98 percent protection, with Avira close behind at 75 percent.
I didn't see G Data's behavior monitoring kick in during these tests, because other protection layers beat it to the punch.
In any case, behavior monitoring in some antivirus products bombards the user with dire warnings about good and bad programs alike.
For a sanity check, I installed about 20 old PCMag utilities, programs that tie into the operating system in ways that malware might also do.
G Data didn't flag any of the PCMag utilities, but it did give the stink-eye to two of my hand-written test programs.
It popped up a clear warning that the test program might be malicious, with a detailed list of its reasons, and its reasons made total sense.
A program that launches Internet Explorer and manipulates it to download malware? That's suspicious! I'm pleased to see that behavior monitoring kicks in for a pattern of suspicious behavior, not for every little potential problem.
So-So Phishing Protection
Writing a data-stealing Trojan and getting it somehow installed on victim PCs can be a tough job.
Simply tricking users into giving away their passwords and other personal data can be quite a bit easier. Phishing websites masquerade as financial sites, Web-based email services, even online games.
If you enter your username and password on the fraudulent site, you've given the fraudsters full access to your account.
If the website looks just like PayPal but the URL is something goofy like armor-recycling.ru, at least some users will detect the fraud.
But sometimes the URL is so close to the real thing that only those with sharp eyes will spot it as a fake.
Antivirus programs that have a Web protection component usually attempt to protect users against phishing as well, and G Data is no exception.
To test the efficacy of a product's antiphishing component, I first scour the Web for extremely new phishing URLs, preferably URLs that were reported as fraudulent but that haven't yet been analyzed and blacklisted.
I launch each simultaneously in one browser protected by the product under test and another protected by long-time fraud fighter Norton.
I also launch each URL in instances of Chrome, Firefox, and Internet Explorer, relying on the browser's built-in phishing detection.
Because the collection of fraudulent sites differs every time, I report results in relative terms rather than absolute detection rate.
Very few products do better than Norton in this test, but many come closer than G Data did.
G Data's detection rate came in 45 percentage points below Norton's, which is a poor result.
Internet Explorer and Chrome both did a better job than G Data. Yes, G Data beat Firefox, but Firefox hasn't been doing very well lately.
The lesson here? Don't turn off your browser's built-in phishing protection.
Along with the expected antivirus features, G Data gives you several features that you'd expect to see in a security suite.
I tested its exploit protection by hitting the test system with about 30 exploits generated by the CORE Impact penetration tool.
It identified 30 percent of the exploits by name and blocked another 20 percent using more generic detection.
That 50 percent detection total is as good as what Kaspersky Internet Security managed in this test. Norton leads this test, with 63 percent protection.
Like Safepay in Bitdefender Antivirus Plus 2017 and Kaspersky's Safe Money, G Data's BankGuard feature aims to protect your financial transactions.
Bitdefender uses a whole separate desktop to run Safepay, and Kaspersky puts a glowing green border around the browser protected by Safe Money.
By contrast, BankGuard works invisibly to protect all your browsers.
The only way to see it in action is to encounter a Trojan that attempts a man-in-the-browser attack or other data-stealing technique.
The related keylogger protection feature was easier to test than BankGuard.
I installed a popular free keylogger, typed some data into Notepad, typed into my browsers, and then typed in Notepad again. When I brought up the keylogger's keystroke capture report, it showed no keystrokes between the two uses of Notepad.
To test G Data's ransomware protection component, I first turned off every other feature related to real-time malware protection. When I launched a ransomware sample, it quickly popped up a warning about suspicious behavior that suggests encrypting ransomware, with the caveat that if you are actively running an encryption utility yourself, you can ignore the warning. My G Data contact noted that in most cases, some other layer of protection will block the ransomware before it gets to this point.
G Data has long featured the ability to manage the programs that launch automatically when your system boots.
Its Autostart Manager can delay the launch of any such program for one to 10 minutes, or set it to never launch at startup. You can also configure it to launch the program when the system's startup activity has died down.
This is a more fine-grained control than you get with the similar feature in Norton.
A Mature Product
G Data has been around longer than almost any of its competitors, and G Data Antivirus 2017 is a mature product.
Since my last review, it has added components specifically designed to protect against exploits, keyloggers, banking Trojans, and ransomware.
It earned a great score in my hands-on malware-blocking test, and took decent scores from the independent testing labs. However, it proved less effective at blocking access to malicious and fraudulent URLs.
Bitdefender Antivirus Plus and Kaspersky Anti-Virus earn top scores from the independent labs.
Symantec Norton AntiVirus Basic scored high in all of my hands-on tests, and includes an impressive set of bonus features. Webroot SecureAnywhere Antivirus goes even farther with behavior-based detection, making it the tiniest antivirus around.
And a single license for McAfee AntiVirus Plus lets you install protection on every device in your household. Out of the huge range of antivirus products, these five have earned the title Editors' Choice.
Find that machine, open the command prompt and pretend to do something important. "I'll be watching you."

Gatford instructed your reporter to visit the burger barn because he practices a form of penetration testing called "red teaming", wherein consultants attack clients using techniques limited only by their imagination, ingenuity, and bravado. He wanted me to break the burger-builder to probe my weaknesses before he would let The Register ride along on a red-team raid aimed at breaking into the supposedly secure headquarters of a major property chain worth hundreds of millions of dollars. Before we try for that target, Gatford, director of penetration testing firm HackLabs, wants to know if I will give the game away during a social engineering exploit.

So when the McDonald's computer turns out to have been fixed and my fake system administrator act cancelled, we visit an office building's lobby where Gatford challenges me to break into a small glass-walled room containing a shabby-looking ATM. I can't see a way into the locked room.
I think I see a security camera peering down from the roof, but later on I'm not sure I did.
I can't think of a way in and I'm trying to look so casual I know I'm certain to look nervous. Time's up.
Gatford is finished with the lobby clerk. He asks how I would get in, and hints in my silence that the door responds to heat sensors. I mutter something stupid about using a hair dryer.
Gatford laughs and reminds me about heat packs you'd slip into gloves or ski boots. "Slide one of those under the crack," he says. I've failed that test but stayed cool, so Gatford decides he's happy to have me along on a red-team raid, if only because red teams seldom face significant resistance. "At the end of the day, people just want to help," Gatford says.

Red alert

Costume is therefore an important element of a red team raid.
For this raid, our software exploits are suits and clipboards.
Sometimes it's high-visibility tradie vests, hard hats, or anything that makes a security tester appear legitimate. Once dressed for the part, practitioners use social-engineering skills to manipulate staff into doing their bidding.
Fans of Mr Robot may recall an episode where the protagonist uses social engineering to gain access to a highly secure data centre; this is red teaming stylised.
Think a real-world capture the flag where the flags are located in the CEO's office, the guard office, and highly secure areas behind multiple layers of locked doors. By scoring flags, testers demonstrate the fallibility of physical defences. Only one manager, usually the CEO of the target company, tends to know an operation is afoot. Limited knowledge, or black-box testing, is critical to examine the real defences of an organisation. Red teamers are typically not told anything outside of the barebones criteria of the job, while staff know nothing at all.
It catches tech teams off guard and can make them look bad.
Gatford is not the only tester forced to calm irate staff with the same social engineering manipulation he uses to breach defences. Red teamers almost always win, pushing some to more audacious attacks. Vulture South knows of one Australian team busted by police after the black-clad hackers abseiled down from the roof of a data centre with Go-Pro cameras strapped to their heads. Across the Pacific, veteran security tester Charles Henderson tells of how years back he exited a warehouse after a red-teaming job. "I was walking out to leave and I looked over and saw this truck," Henderson says. "It was full of the company's disks ready to be shredded.
The keys were in it." Henderson phoned the CEO and asked if the truck was in-scope, a term signalling a green light for penetration testers.
It was, and if it weren't for a potential call to police, he would have hopped into the cab and driven off. Henderson now leads Dell's new red-teaming unit in the United States, which he built from the ground up. "There are some instances where criminal law makes little distinction between actions and intent, placing red teams in predicaments during an assignment, particularly when performing physical intrusion tasks," Nathaniel Carew and Michael McKinnon from Sense of Security's Melbourne office say. "They should always ensure they carry with them a letter of authority from the enterprise." Your reporter has, over pints with the hacking community, heard many stories of law enforcement showing up during red-team ops. One Australian was sitting off a site staring through a military-grade sniper scope, only to have a cop tap on the window.
Gatford some years ago found himself face-to-face in a small room with a massive industrial furnace while taking a wrong turn on a red-team assignment at a NSW utility. He and his colleagues were dressed in suits.
Another tester on an assignment in the Middle East was detained for a day by AK-47-wielding guards after the CEO failed to answer the phone. Red teamers have been stopped by police in London, Sydney, and Quebec, The Register hears. One of Australia's notably talented red teamers told of how he completely compromised a huge gaming company using his laptop and mobile phone. Whether red teaming on site or behind the keyboard, the mission is the same: breach by any means necessary.

Equipment check

A fortnight after the ATM incident, The Register is at HackLabs' Manly office.
It's an unassuming and unmarked door that takes this reporter several minutes to spot. Upstairs, entry passes to international hacker cons are draped from one wall, a collection of gadgets on a neighbouring shelf.
Then there's the equipment area.
Scanners, radios, a 3D printer, and network equipment sit beside identity cards sporting the same face but different names and titles.
There's a PwnPlug and three versions of the iconic Wi-Fi Pineapple over by the lockpicks.
A trio of neon hard hats dangle from hooks. "What do you think?" Gatford asks.
It's impressive; a messy collection of more hacking gadgets than this reporter had seen in one place, all showing use or in some stage of construction.
This is a workshop of tools, not toys. In his office, Gatford revealed the target customer. The Register agrees to obscure the client's name, and any identifying particulars, so the pseudonym "Estate Brokers" will serve.
Gatford speaks of the industry in which it operates, Brokers' clientele, and their likely approach to security. The customer has multiple properties in Sydney's central business district, some housing clients of high value to attackers.
It reads the most common frequencies used by the typically white rigid plastic door entry cards that dangle from staffer waists.
There are more secure versions that this particular device does not read without modification. "No one uses the secure stuff, mate," Gatford says with the same half-smile worn by most in his sector when talking about the pervasive unwillingness to spend on security. I point to a blue plastic card sleeve that turns out to be a SkimSAFE FIPS 201-certified anti-skimming card protector.
Gatford pops an access card into it and waves it about a foot in front of the suitcase-sized scanner.
It beeps and card number data flashes up on a monitor. "So much for that," Gatford laughs. He taps away at his Mac, loading up Estate Brokers' website. "We'll need employee identity cards or we'll be asked too many questions," Gatford says. We are to play the role of contractors on site to conduct an audit of IT equipment, so we will need something that looks official enough to pass cursory inspection. The company name and logo image is copied over, a mug shot of your reporter snapped, and both are printed on a laminated white identity card.
Gatford does the same for himself. We're auditors come to itemise Estate Brokers' security systems and make sure everything is running. "We should get going," he says as he places hacking gear into a hard shell suitcase.
So off we go.

Beep beep beep beepbeepbeep

Our attack was staged in two parts over two days.
Estate Brokers has an office in a luxurious CBD tower. We need to compromise that in order to breach the second line of defences. We'll need an access card to get through the doors, however, and our laptop-sized skimmer, which made a mockery of the SkimSAFE gadget, will be the key. It is 4:32pm and employees are starting to pour out of the building.
Gatford hands me the skimmer concealed in a very ordinary-looking laptop bag. "Go get some cards," he says. Almost everyone clips access cards on their right hip.
If I can get the bag within 30cm of the cards, I'll hear the soft beep I've been training my ear to detect that signals a successful read. Maybe one in 20 wear their access cards like a necklace. "Hold your bag in your left hand, and pretend to check the time on your watch," Gatford says.
That raises the scanner high enough to get a hit. I'm talking to no one on my mobile as I clumsily weave in and out of brisk walking staff, copping shade from those whose patience has expired for the day.
Beep, beep, beep, beep, beepbeepbeepbeep.
There are dozens of beeps, far too many to count.
Then we enter a crowded lift and it's like a musical.
It's fun, exhilarating stuff.
The staff hail from law firms, big tech, even the Federal Government.
And we now have their access cards. Estate Brokers is on level 10, but we need a card to send the lift to it. No matter, people just want to help, remember? The lady in the lift is more than happy to tap her card for the two smiling blokes in suits.
Gatford knows the office and puts me in front. "Walk left, second right, second left, then right." I recite it. With people behind us, I walk out and start to turn right, before tightening, and speeding up through the security door someone has propped open. We enter an open-plan office. "They are terrible for security," I recall Gatford saying earlier that day.
It allows attackers to walk anywhere without the challenge of doors. Lucky for us.
Gatford takes the lead and we cruise past staff bashing away their final hour in cubicles, straight to the stationery room. No one is there as Gatford fills a bag with letter heads and branded pens, while rifling through for other things that could prove useful. We head back to the lobby for a few more rounds of card stealing. Not all the reads come out clean, and not all the staff we hit are from Estate Brokers, so it pays to scan plenty of cards. "Look out for that guard down there," Gatford says, indicating the edge of the floor where a security guard can be seen on ground level. "Tell you what, if you can get his card, I'll give you 50 bucks." "You're on," I say. The guard has his card so high on his chest it is almost under his chin.
At this point I think I'm unbeatable so after one nerve-cooling circuit on the phone, I walk up to him checking my watch with my arm so high I know I look strange.
I don't care, though, because I figure customer service is a big thing in the corporate world and he'll keep his opinions to himself.
I ask him where some made-up law firm is as I hear the beep.

Silver tongue

It is 8:30am the next day and I am back in Gatford's office. We peruse the access cards. He opens up the large text file dump of yesterday's haul and tells me what the data fields represent. "These are the building numbers; they cycle between one and 255, and these are the floor numbers," he says.
There are blank fields and junk characters from erroneous scans. He works out which belong to Estate Brokers and writes them to blank cards.
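The dump described above, with its 1-to-255 "building numbers", card fields, blank lines and junk from partial reads, is what a reader emits for a common low-frequency credential. The following is an added example, not code from the story or from HackLabs: it decodes and re-encodes a 26-bit Wiegand frame in the HID H10301 layout (8-bit facility code, 16-bit card number, two parity bits), then sifts a constructed dump the way the process above is described. That the skimmed cards actually used this format is an assumption; every frame here is constructed.

```python
"""Added example: decode, validate and re-encode 26-bit Wiegand (H10301) frames
and sift a raw reader dump. The format choice is an assumption; all frames are
constructed for the demo."""


def wiegand26_decode(bits: str) -> dict:
    """Layout: even parity | 8-bit facility code | 16-bit card number | odd parity.
    Even parity covers the first 13 bits, odd parity the last 13."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    ones = [int(c) for c in bits]
    return {
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        "parity_ok": sum(ones[:13]) % 2 == 0 and sum(ones[13:]) % 2 == 1,
    }


def wiegand26_encode(facility_code: int, card_number: int) -> str:
    """Build a valid frame from the two fields: this is all a cloned card carries."""
    if not (0 <= facility_code <= 255 and 0 <= card_number <= 65535):
        raise ValueError("facility code is 8 bits, card number 16 bits")
    body = f"{facility_code:08b}{card_number:016b}"
    even = sum(int(c) for c in body[:12]) % 2          # makes the first 13 bits even
    odd = (sum(int(c) for c in body[12:]) + 1) % 2     # makes the last 13 bits odd
    return f"{even}{body}{odd}"


def parse_dump(lines, target_fc=None):
    """Sift a raw reader dump: drop blank lines, junk and parity failures from
    partial reads, keep frames for the target facility code, deduplicate."""
    good, rejected = set(), []
    for raw in lines:
        frame = raw.strip()
        if not frame:
            continue
        try:
            rec = wiegand26_decode(frame)
        except ValueError:
            rejected.append(frame)
            continue
        if not rec["parity_ok"]:
            rejected.append(frame)
            continue
        if target_fc is None or rec["facility_code"] == target_fc:
            good.add((rec["facility_code"], rec["card_number"]))
    return sorted(good), rejected


def _flip(frame: str, i: int) -> str:
    """Corrupt one bit, as a partial read in a crowded lobby might."""
    return frame[:i] + ("1" if frame[i] == "0" else "0") + frame[i + 1:]


# Constructed dump: two tenants, one duplicate read, junk and a corrupted read.
SAMPLE_DUMP = [
    wiegand26_encode(42, 3171),
    wiegand26_encode(42, 3188),
    "",
    "1x010",
    wiegand26_encode(42, 3171),
    wiegand26_encode(117, 9001),
    _flip(wiegand26_encode(42, 3200), 5),
]

if __name__ == "__main__":
    cards, bad = parse_dump(SAMPLE_DUMP, target_fc=42)
    print("cards for facility 42:", cards)
    print("rejected reads:", bad)
```

The point for defenders is in `wiegand26_encode`: the credential is nothing but two small integers and two parity bits, with no secret and no challenge, so a clean read is equivalent to the card and can be written to a blank one. Readers that use mutually authenticated credentials (the "secure stuff" mentioned above) do not hand over a replayable number this way.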
They work.

More reconnaissance

Estate Brokers has more buildings that Gatford will test after your reporter leaves. He fires up Apple Maps, and Google Maps Street View. With the eyes of a budding red teamer I am staggered by the level of detail it offers.
Apple is great for external building architecture, like routing pathways across neighbouring rooftops, Gatford says, while Google lets you explore the front of buildings for cameras and possible sheltered access points.
Some mapping services even let you go inside lobbies. Today's mission is to get into the guards' office and record the security controls in place.
If we can learn the name and version of the building management system, we've won.
Anything more is a bonus for Gatford's subsequent report. We take the Estate Brokers stationery haul along with our access cards and fake identity badges and head out to the firm's second site. But first, coffee in the lobby. We chat about red teaming, about how humans are always the weakest link. We eat and are magnanimous with the waiting staff.
Gatford gets talking to one lady and says how he has forgotten the building manager's name. "Jason sent us in," he says, truthfully. Jason is the guy who ordered the red team test, but we don't have anything else to help us.
The rest is up to Gatford's skills. It takes a few minutes for the waitress to come back.
The person who she consulted is suspicious and asks a few challenging questions. Not to worry, we have identity cards and Gatford is an old hand.
I quietly muse over how I would have clammed up and failed at this point, but I'm happily in the backseat, gazing at my phone. We use the access cards skimmed the day earlier to take the lift up to an Estate Brokers level.
It is a cold, white corridor, unkempt, and made for services, not customers.
There's a security door, but no one responds to our knocks.
There are CCTV cameras. We return down to the lobby. Michael is the manager Gatford had asked about. He is standing at the lifts with another guy, and they greet us with brusque handshakes, Michael's barely concealed irritation threatening to boil over in response to our surprise audit. He rings Jason, but there's no answer.
I watch Gatford weave around Michael's questions and witness the subtle diffusion.
It's impressive stuff. Michael says the security room is on the basement level, so we head back into the lift and beep our way down with our cards. This room is lined with dank, white concrete and dimly lit. We spy the security room beaming with CCTV. "Don't hesitate, be confident," Gatford tells me. We stride towards the door, knock, and Gatford talks through the glass slit to the guard inside. Gatford tells him our story. He's a nice bloke, around 50 years old, with a broad smile.
After some back-and-forth about how Jason screwed up and failed to tell anyone about the audit, he lets us in. My pulse quickens as Gatford walks over to a terminal chatting away to the guard.
There are banks of CCTV screens showing footage from around the building.
A pile of access cards.
Some software boxes. I hear the guard telling Gatford how staff use remote desktop protocol to log in to the building management system, our mission objective. "What version?" Gatford asks. "Uh, 7.1.
It crashes a lot." Bingo.

Day one, heading up in a crowded lift. Shot with a pen camera.

I look down and there are logins scrawled on Post-it notes. Of course.
I snap a few photos while their backs are turned. Behind me is a small room with a server rack and an unlocked cabinet full of keys.
I think Gatford should see it so I walk back out and think of a reason to chat to the guard.
I don't want to talk technology because I'm worried my nerves will make me say something stupid.
I see a motorbike helmet. "What do you ride?" I ask. He tells me about his BMW 1200GS. Nice bike.
I tell him I'm about ready to upgrade my Suzuki and share a story about a recent ride through some mountainous countryside. Gatford, meanwhile, is out of sight, holed up in the server room snapping photos of the racks and keys. More gravy for the report. We thank the guard and leave.
I feel unshakably guilty.

From the red to the black

Gatford and I debrief over drinks, a beer for me, single-malt whiskey for him. We talk again about how the same courtesy and acquiescence to the customer that society demands creates avenues for manipulation. It isn’t just red teamers who exploit this; their craft is essentially ancient grifts and cons that have ripped off countless gullible victims, won elections or made spear phishing a viable attack.

I ask Gatford why red teaming is needed when the typical enterprise fails security basics, leaving old application security vulnerabilities in place, forgetting to shut down disused domains and relying on known bad practice checkbox compliance-driven audits. "You can't ignore one area of security just to focus on another," he says. "And you don't do red teaming in isolation."

Carew and McKinnon agree, adding that red teaming is distinct from penetration testing in that it is a deliberately hostile attack through the easiest path to the heart of organisations, while the latter shakes out all electronic vulnerabilities. "Penetration testing delivers an exhaustive battery of digital intrusion tests that find bugs from critical, all the way down to informational... and compliance problems and opportunities," they say in a client paper detailing aspects of red teaming. "In contrast, red teaming aims to exploit the most effective vulnerabilities in order to capture a target, and is not a replacement for penetration testing as it provides nowhere near the same exhaustive review."

Red teaming, they say, helps organisations to better defend against competitors, organised crime, and even cops and spies in some countries. Gatford sells red teaming as a package.
Australia's boutique consultancies, and those across the ditch in New Zealand, pride themselves on close partnerships with their clients.
They point out the holes, and then help to heal.
They offer mitigation strategies, harass vendors for patches, and help businesses move bit by bit from exposed to secure. For his part, Gatford is notably proud of his gamified social engineering training, which he says is designed to showcase the importance of defence against the human side of security, covering attacks like phishing and red teaming. He's started training those keen on entering red teaming through a three-day practical course. "Estate Brokers", like others signing up for this burgeoning area of security testing, will go through that training.
Gatford will walk staff through how he exploited their kindness to breach the secure core of the organisation. And how the next time, it could be real criminals who exploit their willingness to help.
If your list included Baidu, Qihoo 360, or Quick Heal, you're probably in China.
These vendors are huge in China but much less famous in the west. My last review showed that Quick Heal, at least, deserved its obscurity.
I'm happy to say that Quick Heal AntiVirus Pro 17 is much better than the version I reviewed nearly two years ago.
Even so, there are areas and features that could use even more enhancement. I've observed lately that the going rate for a one-device one-year antivirus license seems to be around $39.95. On that basis, Quick Heal's $30 subscription is a bargain.
For $60, you get a three-license subscription. Anybody can download a 30-day trial of the program.
The initial download is just a stub that downloads the latest version of the actual software, automatically choosing 32-bit or 64-bit as appropriate.
To upgrade to a paid version, you enter your license key on the About page. Quick Heal wants to know quite a bit about you.
In addition to an email address, it wants your full name, a phone number, and your country, state, and city. Picking your country and state from a drop down list is common, but I was surprised when choosing California caused the next entry to display a list of every city in California. Immediately after installation, you're prompted to connect with Quick Heal Remote Device Management. You create an online account, with your email address and a password, and enter the product key again.
Then you turn on the feature within Quick Heal, which gives you a one-time password that must be entered back in the online console.
This complicated handshake might be a bit daunting for the neophyte user.
In any case, the Remote Device Management account is only truly useful for mobile devices. The components of the program's main window haven't changed, but they're colored and arranged slightly differently. You still see a big banner reporting the system's security status above four panels representing Files & Folders, Emails, Internet & Network, and External Drives & Devices.
A News panel now appears at the bottom, with links to educational articles on security.

Mixed Lab Results

When I reviewed the previous version of Quick Heal, it appeared in almost none of the lab tests I follow.
Things have changed for the better since then. Quick Heal received certification for malware detection from ICSA Labs.
This sort of certification is different from scored lab tests.
If a vendor's product doesn't initially achieve certification, ICSA Labs helps the vendor remediate any problems and attain certification. Quick Heal is now also on the radar of the experts at AV-Test Institute, who evaluate antivirus products three different ways. Naturally they measure how effective the antivirus is at protecting against malware infestation.
They rate its effect on system performance.
And they calculate a usability score that's highest when the product exhibits the fewest false positives (valid programs or websites flagged as malicious).
A product can earn 6 points in each category; Quick Heal got 5.5 in each, for a total of 16.5 points.
That's decent, but in this same test Bitdefender Antivirus Plus 2017, Kaspersky, and Trend Micro Antivirus+ Security earned a perfect 18 points. Quick Heal also now participates in four of the five tests by AV-Comparatives that I follow.
A product that simply passes one of this lab's tests earns Standard certification.
Those that go above and beyond the minimum needed to pass get certified at the Advanced or Advanced+ level. Quick Heal earned Advanced+ in the performance test and the static file detection test.
In a test that measures how thoroughly products clean up malware that all of them detect, Quick Heal took an Advanced certification.
And in the important whole-product dynamic test it was certified at the Standard level. These aren't bad scores, but Avira Antivirus Pro 2016 took an Advanced+ rating in all four of the same tests.
Bitdefender and Kaspersky Anti-Virus did the same in all five of the tests that I follow. Overall, though, Quick Heal made a much better showing than when I reviewed it last.

Scan Choices

A full scan of my standard clean system took Quick Heal just 36 minutes.
That's pretty quick, given that the current average is 45 minutes.
It finished a second scan in just 7 minutes, demonstrating some form of optimization during the first scan.
Some products take that optimization even further.
For example, a repeat scan with F-Secure Anti-Virus 2016 finished in just two minutes. You can choose to just scan for malware in memory, or to scan a specific drive or folder, if you prefer.
For malware that manages to resist the normal scan, you can choose a Boot Time Scan instead, either a full scan or a quick scan of areas where malware commonly lurks. When you reboot the system, the text-only Boot Time Scan goes into action at the very beginning of the boot process, before rootkits and other persistent malware types have had a chance to load. It's always possible that malware could render your PC unusable, either accidentally, due to bad coding, or on purpose, locking you out until you pay a ransom. Quick Heal does offer screen locker protection in the form of a special keystroke that can break you free from certain screen locking ransomware types.
But sometimes you just can't run Windows, or can't run Quick Heal.
That's where the Emergency Disk comes in. As soon as you install Quick Heal, you should click the Tools menu and click Create Emergency Disk.
A wizard guides you to download the latest content for the disk, and then handles the task of creating a bootable USB or CD/DVD.
I had some trouble booting my test system from the Emergency Disk, which is not surprising given that I test on a virtual machine.
It did boot, but then rebooted over and over.
I did see enough to know that it boots into a portable Windows environment, not a Linux variant. Also on the Tools page is a separate AntiMalware scanner that focuses on edge cases like spyware, adware, fake antivirus, and so on. When I ran this scan it finished in a trice, reporting no malware found.

Some Slipups in Malware Removal

I continued my testing by opening the folder that contains my current set of malware samples. Quick Heal started picking them off right away, eliminating 58 percent of the samples on sight. Others have done much better at this stage of testing.
For example, Check Point ZoneAlarm PRO Antivirus + Firewall 2017 killed off 81 percent of the samples on sight, and Trend Micro whacked 94 percent of them. Next, I launched each sample that survived the initial purge.
Every single one of them launched and at least started to install.
That's quite different from my experience with McAfee AntiVirus Plus, which so thoroughly quashed execution for most of the samples that it freaked Windows out, causing a "file not found" error. Quick Heal did detect almost all of the samples during installation, for a total detection rate of 94 percent. However, it allowed half of those it detected to plant one or more malware executables on the test system.
Those executable files dragged its malware blocking score down to 8.5. For a different look at Quick Heal's ability to protect against malware attack, I started with a feed of malware-hosting URLs from MRG-Effitas, URLs no more than a day old.
I launched each and noted whether Quick Heal steered the browser away from the URL, eliminated the malware download, or sat idly doing nothing. Out of 100 verified malware-hosting URLs, Quick Heal blocked 92 percent, almost all of them by keeping the browser from ever reaching the URL.
That puts it among the top few contenders in this test.
Symantec Norton AntiVirus Basic blocked 98 percent of its challenge URLs, and Avira blocked 99 percent.

So-So Phishing Protection

The same Web-level protection that fends off malicious URLs also serves to steer naïve users away from phishing sites, frauds that try to steal login credentials by imitating financial sites or other secure sites.
In fact, the warning page that appears in the browser is precisely the same for a malicious URL as for a fraudulent one. However, Quick Heal wasn't quite as effective against the frauds. Phishing websites are ephemeral, because they quickly get blacklisted and shut down.
That doesn't bother the fraudsters; they just open another fake site.
But it does mean that I need the very newest phishing URLs for testing.
I scrape phishing-oriented websites to capture URLs that have been reported as fraudulent but that haven't yet been analyzed. The phishing URLs are different each time, and different fraud styles come and go. Rather than report hard detection-rate numbers, I report the difference between the product's protection rate and Norton's. Why Norton? For ages it has consistently done a really good job detecting the very latest phishing frauds.
It beats almost all the competition; Bitdefender, Kaspersky, and Webroot SecureAnywhere AntiVirus are the only recent products to outperform Norton. Quick Heal didn't join those products in the top tier.
In fact, it lagged 32 percentage points behind Norton, and 24 points behind the protection built into Chrome.
It eked out a 5 percentage point advantage over Internet Explorer and handily drubbed Firefox. On the plus side, the previous edition of Quick Heal didn't even offer phishing protection, so this is a big step up.

Uneven Firewall

The first challenge for any third-party firewall is that it must protect the system at least as well as the built-in Windows Firewall. Quick Heal fell down at this step. While it stealthed almost all of my test system's ports, it left the all-important HTTP port 80 wide open.
In addition, one of my Web-based tests revealed that it let the system respond to what's called a ping echo, a technique used by malefactors to troll the Internet for victims.
That's not a good start. Program control is the other main feature of most third-party firewalls.
In Quick Heal this feature is a bit simplistic.
Some settings are extreme.
At the Low level, the firewall just allows all traffic.
At the Block level, it blocks all traffic, including Quick Heal's own.
There's also a mode to only allow Internet access for known and trusted programs. When I turned on this mode, trying to go online using my hand-coded tiny browser didn't trigger any kind of warning.
It just displayed an error message. In between all these extremes are firewall levels Medium (the default) and High.
At the Medium level, the firewall displays a message when it detects suspicious incoming network traffic.
At the High level it warns of suspicious incoming or outgoing traffic.
I ran a handful of leak test utilities, but just one of them proved suspicious enough to trigger a warning. The Intrusion Prevention System is considered a separate feature from the firewall, though they have similar tasks.
I didn't see it spring into action when I hit the test system with 30 exploits generated by the CORE Impact penetration tool. However, the antivirus component eliminated the malware payload for almost half of the exploits, identifying most of them by name. While the firewall's protection may not be top-tier, it's tough, at least.
I couldn't find any way a malware coder could disable its protection.
Significant values in the registry are protected against tampering.
I couldn't find any way to kill its 12 distinct processes. Likewise, all of the nine essential Windows services associated with this program were hardened against anything I could do.

Browser Sandbox

According to the help system, the Browser Sandbox "applies a strict security policy for all untrusted and unverified websites" and can "isolate any possible infection." I had trouble seeing just how this feature works during my last review, but I gamely dug in again, hoping to gain understanding. This feature is turned off by default, and turning it on requires a reboot.
By default, it displays a green border around any Chrome, Firefox, or Internet Explorer border that it's protecting. You can turn the border off, but seeing it is a good reminder.
Also by default, it opens downloaded documents in a sandboxed environment. You can up the protection level by banning the browser from any access to folders you define as confidential, and you can also prevent any browser-related process from making changes in protected folders.
For testing, I defined the Desktop folder as confidential and set it to protect the Documents folder. I uploaded a tiny text editor that I wrote myself to Dropbox, then tried to download it to the desktop on the test system.
I got an Access Denied warning—Browser Sandbox at work! I downloaded the file to the Downloads folder instead, then launched it and edited a text file in the Documents folder.
I thought Quick Heal should prevent that, but it didn't. My contacts at the company explained that Browser Sandbox very specifically manages code running in the browser itself, for example, a malicious browser extension or drive-by download.
It didn't let the browser download a program to the protected folder, but once the program was downloaded, it wasn't under observation or control by Browser Sandbox.
This feature might protect you in some situations, but it's not the same as the hardened browser feature in Bitdefender, Avast Pro Antivirus 2016, and others.

Bonus Features

I mentioned the AntiMalware scanner and the Emergency Disk earlier.
The Tools page contains several other items that can be helpful, starting with Hijack Restore.
It's not uncommon for malware to tweak your system settings in ways that make removal harder, or reset your browser home page and other defaults to unwanted values. Hijack Restore puts back the defaults for browser settings.
It can also fix a raft of malware-induced configuration problems, restoring access to Control Panel, Windows Update, Regedit, Task Manager, and other useful tools. Track Cleaner deletes traces of computer usage such as most recent file lists, along with cookies, cache files, history, and other traces of Web surfing.
It wipes MRU lists for 7-Zip, Acrobat, and Microsoft Office programs, among others.
And it sweeps away browsing traces for Chrome, Internet Explorer, Edge, Opera, and Safari (but not Firefox). Almost all modern malware spreads via the Internet, but there are still some that use infected USB drives as a primary or secondary mode of infection. Quick Heal's USB Drive Protection modifies a USB drive so that, although a malware process can still copy itself to the drive, it can't configure itself to launch automatically when the drive is plugged in.
The USB Vaccine feature in Panda Antivirus Pro 2016 and K7 Antivirus Plus 15 works in much the same way. Disabled by default, Anti-Keylogger claims to prevent capture of your keystrokes.
In testing, I found it did not work.
I turned off antivirus protection in order to load a popular free keylogger.
I typed some random search terms in my browser.
And I found that the keylogger totally captured what I typed.
In any case, keystroke capture is just one feature of these spy programs.
The one I chose also captures screenshots, logs chat activity, records the websites you visit, notes which programs you launch, and more.
I'm not impressed with this feature.

Diagnostic Tools

The remaining three tools aren't for you.
Don't mess with them unless you're an antivirus expert.
These are present so a Quick Heal support technician who's remote-controlling your system can use them to get information. System Explorer displays all running processes, a bit like Task Manager, and it can kill processes like Task Manager.
The main difference is that it offers plenty of detail about the selected process. When you drag the crosshairs from Windows Spy onto a visible window, you get a detailed property list for the application that owns that window.
And support agents can exclude specific file instructions from the product's scan for troubleshooting purposes.

A Big Improvement

Quick Heal AntiVirus Pro 17 is much better than version 16.
It earned decent scores from the independent labs and did well in some, but not all, of our hands-on tests.
Its bonus firewall didn't test well, though, and while it offers quite a few bonus features, they're not all top-notch. I track almost four dozen antivirus products, and from that crowd I've identified five worthy of being designated Editors' Choice.
Bitdefender Antivirus Plus and Kaspersky Anti-Virus consistently get top ratings from the independent labs.
Symantec Norton AntiVirus Basic does well too, and offers an impressive Intrusion Prevention System.
An unusual behavioral detection system makes Webroot SecureAnywhere Antivirus the smallest antivirus around, and it aced my hands-on malware-blocking test.
And while it doesn't test out quite as high as the rest, McAfee AntiVirus Plus lets you protect every device in your household, across multiple platforms. One of these will surely be the right antivirus for you.
The following Windows 10 security guide focuses on standard Windows 10 installations -- not Insider Previews or Long Term Servicing Branch -- and includes Anniversary Update where relevant.

The right hardware

Windows 10 casts a wide net, with minimum hardware requirements that are undemanding.
As long as you have the following, you’re good to upgrade from Win7/8.1 to Win10: 1GHz or faster processor, 2GB of memory (for Anniversary Update), 16GB (for 32-bit OS) or 20GB (64-bit OS) disk space, a DirectX 9 graphic card or later with WDDM 1.0 driver, and an 800-by-600-resolution (7-inch or larger screens) display.
That describes pretty much any computer from the past decade. But don’t expect your baseline machine to be fully secure, as the above minimum requirements won’t support many of the cryptography-based capabilities in Windows 10. Win10’s cryptography features require Trusted Platform Module 2.0, which provides a secure storage area for cryptographic keys and is used to encrypt passwords, authenticate smartcards, secure media playback to prevent piracy, protect VMs, and secure hardware and software updates against tampering, among other functions. Modern AMD and Intel processors (Intel Management Engine, Intel Converged Security Engine, AMD Security Processor) already support TPM 2.0, so most machines bought in the past few years have the necessary chip.
Intel’s vPro remote management service, for example, uses TPM to authorize remote PC repairs.
But it’s worth verifying whether TPM 2.0 exists on any system you upgrade, especially given that Anniversary Update requires TPM 2.0 support in the firmware or as a separate physical chip.
A new PC, or systems installing Windows 10 from scratch, must have TPM 2.0 from the get-go, which means having an endorsement key (EK) certificate preprovisioned by the hardware vendor as it is shipped.
Alternatively, the device can be configured to retrieve the certificate and store it in TPM the first time it boots up. Older systems that don’t support TPM 2.0 -- either because they don’t have the chip installed or are old enough that they have only TPM 1.2 -- will need to get a TPM 2.0-enabled chip installed. Otherwise, they will not be able to upgrade to Anniversary Update at all. While some of the security features work with TPM 1.2, it’s better to get TPM 2.0 whenever possible.
TPM 1.2 allows only the RSA and SHA-1 algorithms, and considering the SHA-1 to SHA-2 migration is well under way, sticking with TPM 1.2 is problematic.
TPM 2.0 is much more flexible, as it supports SHA-256 and elliptic curve cryptography. Unified Extensible Firmware Interface (UEFI) BIOS is the next piece of must-have hardware for achieving the most secure Windows 10 experience.
The device needs to be shipped with UEFI BIOS enabled to allow Secure Boot, which ensures that only operating system software, kernels, and kernel modules signed with a known key can be executed during boot time.
Secure Boot blocks rootkits and BIOS-malware from executing malicious code.
Secure Boot requires firmware that supports UEFI v2.3.1 Errata B and has the Microsoft Windows Certification Authority in the UEFI signature database. While a boon from a security perspective, Microsoft designating Secure Boot mandatory for Windows 10 has run into controversy, as it makes it harder to run unsigned Linux distributions (such as Linux Mint) on Windows 10-capable hardware. Anniversary Update won’t install unless your device is UEFI 2.3.1-compliant or later.

Beefing up authentication, identity

Password security has been a significant issue in the past few years, and Windows Hello moves us closer to a password-free world as it integrates and extends biometric logins and two-factor authentication to "recognize" users without passwords. Windows Hello also manages to be simultaneously the most accessible and inaccessible security feature of Windows 10. Yes, it is available across all Win10 editions, but it requires significant hardware investment to get the most of what it has to offer. To protect credentials and keys, Hello requires TPM 1.2 or later.
But for devices where TPM is not installed or configured, Hello can use software-based protection to secure credentials and keys instead, so Windows Hello is accessible to pretty much any Windows 10 device. But the best way to use Hello is to store biometric data and other authentication information in the on-board TPM chip, as the hardware protection makes it more difficult for attackers to steal them.
Further, to take full advantage of biometric authentication, additional hardware -- such as a specialized illuminated infrared camera or a dedicated iris or fingerprint reader -- is necessary. Most business-class laptops and several lines of consumer laptops ship with fingerprint scanners, enabling businesses to get started with Hello under any edition of Windows 10.
But the marketplace is still limited when it comes to depth-sensing 3D cameras for facial recognition and retina scanners for iris-scanning, so Windows Hello’s more advanced biometrics is a future possibility for most, rather than a daily reality. Available for all Windows 10 editions, Windows Hello Companion Devices is a framework for allowing users to use an external device -- such as a phone, access card, or wearable -- as one or more authenticating factors for Hello. Users interested in working with Windows Hello Companion Device to roam with their Windows Hello credentials between multiple Windows 10 systems must have Pro or Enterprise installed on each one. Windows 10 formerly had Microsoft Passport, which enabled users to log in to trusted applications via Hello credentials. With Anniversary Update, Passport no longer exists as a separate feature but is incorporated into Hello.
Third-party applications that use the Fast Identity Online (FIDO) specification will be able to support single sign-on by way of Hello.
For example, the Dropbox app can be authenticated directly via Hello, and Microsoft’s Edge browser enables integration with Hello to extend to the web.
It’s possible to turn on the feature in a third-party mobile device management platform, as well. The password-less future is coming, but not quite yet.

Keeping malware out

Windows 10 also introduces Device Guard, technology that flips traditional antivirus on its head.
Device Guard locks down Windows 10 devices, relying on whitelists to let only trusted applications be installed. Programs aren’t allowed to run unless they are determined safe by checking the file’s cryptographic signature, which ensures all unsigned applications and malware cannot execute.
Device Guard relies on Microsoft’s own Hyper-V virtualization technology to store its whitelists in a shielded virtual machine that system administrators can’t access or tamper with.
To take advantage of Device Guard, machines must run Windows 10 Enterprise or Education and support TPM, hardware CPU virtualization, and I/O virtualization.
Device Guard relies on Windows hardening such as Secure Boot. AppLocker, available only for Enterprise and Education, can be used with Device Guard to set up code integrity policies.
For example, administrators can decide to limit which universal applications from the Windows Store can be installed on a device. Configurable code integrity is another Windows component that verifies that the code running is trusted and safe. Kernel mode code integrity (KMCI) prevents the kernel from executing unsigned drivers.
Administrators can manage the policies at the certificate authority or publisher level as well as the individual hash values for each binary executable.
Since much of commodity malware tends to be unsigned, deploying code integrity policies lets organizations immediately protect against unsigned malware. Windows Defender, first released as standalone software for Windows XP, became Microsoft’s default malware protection suite, with antispyware and antivirus, in Windows 8.
Defender is automatically disabled when a third-party antimalware suite is installed.
If there is no competing antivirus or security product installed, make sure that Windows Defender, available across all editions and with no specific hardware requirements, is turned on. For Windows 10 Enterprise users, there is the Windows Defender Advanced Threat Protection, which offers real-time behavioral threat analysis to detect online attacks.

Securing data

BitLocker, which secures files in an encrypted container, has been around since Windows Vista and is better than ever in Windows 10. With Anniversary Update, the encryption tool is available for Pro, Enterprise, and Education editions. Much like Windows Hello, BitLocker works best if TPM is used to protect the encryption keys, but it can also use software-based key protection if TPM does not exist or is not configured. Protecting BitLocker with a password provides the most basic defense, but a better method is to use a smartcard or the Encrypting File System to create a file encryption certificate to protect associated files and folders. When BitLocker is enabled on the system drive and brute-force protection is enabled, Windows 10 can restart the PC and lock access to the hard drive after a specified number of incorrect password attempts. Users would have to type the 48-character BitLocker recovery key to start the device and access the disk.
To enable this feature, the system needs UEFI firmware version 2.3.1 or later.

Windows Information Protection, formerly Enterprise Data Protection (EDP), is available only for Windows 10 Pro, Enterprise, or Education editions.
It provides persistent file-level encryption and basic rights management, while also integrating with Azure Active Directory and Rights Management services.
Information Protection requires some kind of mobile device management -- Microsoft Intune or a third-party platform such as VMware's AirWatch -- or System Center Configuration Manager (SCCM) to manage the settings.
An admin can define a list of Windows Store or desktop applications that are allowed to access work data, or block them entirely. Windows Information Protection helps control who can access data, to prevent accidental information leakage. Active Directory helps ease management but is not required to use Information Protection, according to Microsoft.

Virtualizing security defenses

Credential Guard, available only for Windows 10 Enterprise and Education, isolates "secrets" (the NTLM password hashes and Kerberos ticket-granting tickets that would otherwise sit in LSASS memory) using virtualization-based security (VBS), so that even privileged system software running in the normal Windows kernel cannot read them.
It helps block pass-the-hash attacks, although security researchers have recently found ways to bypass the protections.
Even so, having Credential Guard is still better than not having it at all.
It runs only on x64 systems and requires UEFI 2.3.1 or greater with Secure Boot.
Virtualization extensions (Intel VT-x or AMD-V, with SLAT) must be enabled, as must an IOMMU (Intel VT-d or AMD-Vi) and BIOS lockdown, so that a compromised kernel cannot simply switch the hypervisor off or use DMA to read the isolated memory.
TPM 2.0 is recommended in order to enable Device Health Attestation for Credential Guard, but if a TPM is not available, software-based protections can be used instead. Another Windows 10 Enterprise and Education feature is Virtual Secure Mode, the Hyper-V-backed isolated environment in which Credential Guard actually keeps those domain credentials; the hypervisor, not the Windows kernel, controls access to it.

Other security goodies

Windows 10 supports mobile device management across all editions, but needs to be integrated with a separate MDM platform, such as Microsoft Intune or a third-party platform such as VMware's AirWatch.
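Because several of the protections above can be configured without actually being in force (VBS enabled but not running, BitLocker on but protection suspended, Defender present but disabled), the following is an added example, not code from the original article, of how an administrator would check what is really active from an elevated PowerShell prompt on Windows 10. It uses only the built-in Defender, BitLocker and TPM modules and the DeviceGuard WMI class; the property names and the meaning of the numeric status codes are Microsoft's, and the report layout is this example's own.

```powershell
# Added example: audit the state of Defender, BitLocker, VBS/Credential Guard and the TPM.
# Run from an elevated PowerShell prompt on Windows 10 (Enterprise/Education for Credential Guard).

# Windows Defender: the Defender module exists on all editions.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    DefenderEnabled    = $mp.AntivirusEnabled            # false when a third-party AV took over
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge
}

# BitLocker: ProtectionStatus is 'On' only when the volume is encrypted AND its key protectors
# are active; an encrypted volume with protection suspended reports 'Off'.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } }

# VBS / Credential Guard: Win32_DeviceGuard reports configured versus running separately.
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
# SecurityServicesRunning / Configured: 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity.
# RequiredSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA (IOMMU) protection.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
    CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
    CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
    HvciRunning               = $dg.SecurityServicesRunning -contains 2
    RequiredHwProperties      = ($dg.RequiredSecurityProperties -join ',')
}

# TPM: Device Health Attestation for Credential Guard depends on a ready TPM 2.0.
Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerVersion
```

The value to compare against is CredentialGuardRunning, not CredentialGuardConfigured: a machine whose firmware lacks the IOMMU or Secure Boot requirements listed above will happily show the feature as configured while SecurityServicesRunning stays empty.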
If MDM is on the list, the best scenario would be to avoid Windows 10 Home, as not all capabilities are available in that edition. MDM and SCCM platforms can also use the Windows Device Health Attestation Service, available across all editions, to manage conditional access scenarios. Group Policy is a powerful tool for Windows administrators, but it is available with only Pro, Enterprise, and Education editions.
Domain join and Azure Active Directory join, which enable single sign-on for cloud-hosted applications, are also powerful administrator tools available for Pro, Enterprise, and Education editions.
Azure AD join requires a separate Azure Active Directory tenant.

Though not strictly a security feature, Assigned Access lets administrators lock down the interface on Windows 10 devices so that users are limited to specific tasks.
Available only with an Enterprise E3 subscription (or Education), Assigned Access can restrict access to services; block access to Shut Down, Restart, Sleep, and Hibernate commands; and prevent changes to the Start menu, the taskbar, or the Start screen. Organizations that have deployed DirectAccess infrastructure for remote access will need Windows 10 Enterprise or Education to connect.

Picking what you need

While Windows 10 Home may be the most limited of the desktop editions when it comes to security, that doesn't mean users have to shell out for Enterprise to get any of the new features. Regardless of edition, Windows 10 is Microsoft's most secure operating system to date, and a constant release of security patches, feature updates, and version upgrades will keep it that way.
Everyone's security needs are different. Buy the edition, and establish the configuration, that gives you the security you are looking for.
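Returning to the code integrity policies described at the top of this section: the following is an added example, not code from the original article or from Microsoft, of the workflow an administrator uses to build a Device Guard policy that trusts binaries by publisher, pins unsigned ones by hash, and is deployed in audit mode first so that nothing legitimate is blocked before enforcement. The cmdlets are the ones shipped in Windows 10's ConfigCI module; the directory and file names are placeholders chosen for this example.

```powershell
# Added example: build, audit and then enforce a Device Guard code integrity policy.
# Run from an elevated PowerShell prompt on a clean reference machine running Windows 10 Enterprise.
$PolicyXml = "C:\CIPolicy\Policy.xml"      # placeholder path
$PolicyBin = "C:\CIPolicy\SIPolicy.p7b"    # placeholder path
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyXml) | Out-Null

# Scan the reference image. -Level Publisher trusts anything signed by the same publisher
# certificate chain; -Fallback Hash pins each unsigned binary individually so it can still run.
# -UserPEs includes user-mode executables, not just kernel drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -UserPEs -ScanPath "C:\"

# Rule option 3 is "Enabled:Audit Mode": violations are only logged (event ID 3076 in the
# Microsoft-Windows-CodeIntegrity/Operational log), which is how you find software the scan missed.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile the XML into the binary form the kernel loads; a locally deployed policy must live at
# %SystemRoot%\System32\CodeIntegrity\SIPolicy.p7b and takes effect after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# After running in audit mode long enough to see no 3076 events for legitimate software,
# remove the audit option, recompile and redeploy the same way to start enforcing:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

The publisher level is the practical middle ground the text alludes to: a per-file hash policy breaks on every patch, while a certificate-authority-level rule trusts every code-signing certificate that CA ever issued, including ones sold to malware authors.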
Stone was kind enough to give Ars a call (in fact, a FaceTime call) to talk about the film's creation. We had so many questions for Mr. Stone about collaborating with Edward Snowden, how he thinks American warfare has changed, and how much of his film is based on a work of fiction. Here's a transcript of our Friday conversation, edited for flow and for Mr. Stone's requested redactions.

Ars: To start, I was curious: How much did your film draw from the forums of Ars Technica, where Edward Snowden was apparently a longtime member and commenter?

Stone: Well, quite a bit of stuff [in my film] had not appeared [up until now].
There was a lot of information that only... let’s say no one really knew.
Bart Gellman [the British journalist who appeared in Citizenfour] told me that when he saw the film, he said, there’s stuff here no one knows.
And James Bamford [author of The Puzzle Palace], who I respect, they’ve been on the frontier of this, he said [classified programs] like Heartbeat, Epic Shelter—these things, nobody had talked about them.

Sure, but those weren't mentioned on our forums. But there were other stories, like injuries he sustained during basic training—not to mention some of the snarkier or more vulgar attitude that we saw on Ars' forums that didn't necessarily make it into the film.

We obviously tried to verify his stories. Ed was a little elusive with us. He, you know, he made certain comments at Ars Technica that were pretty strong. We all know that.
Do you grant that?

Strong sentiments, yeah.

We tried to bring out quickly that side, that libertarian side of him, in the early part of the movie. There's an argument with Lindsay Mills on the walk in the park in front of the White House, where you see him very devoted to getting revenge and going to Iraq at the most dangerous time. You understand the mentality, you can call it conservative, some would say libertarian. Well, libertarian doesn’t fit, because you wouldn’t join the army... Let’s put it this way: Ed was in a different place when we saw him. He was a different man than that young man. That’s what this movie is about: the evolution of a consciousness.

Your films in the past have focused on the issue of a major war machine in America, but with Snowden, the lens is focused perhaps differently: on America's transition to machine wars. What do you find has changed about the American military that this film reflects on in particular?

You’re talking about the surveillance wars, the data mining that goes on.
That builds into drone attacks, and it builds into cyber warfare itself.
It comes from intricate knowledge of beings, you go in and hack them, sometimes cyber offensive weapons. [Snowden] was involved not only in taking down Chinese hackers but planting malware, he was one of those people. He saw the offensive side of cyber. He condemns it.
It’s fine to protect the United States.
It’s another to use a weapon offensively, which we did in Iran in 2007. We didn’t take credit, it’s classified, but we definitely used it.
That was when he pulled out.
That was the last straw, I think, when he pulled out of Hawaii, he just didn’t think it was right. His loyalty was to the Constitution, not to the NSA.

So how do you feel that warfare has changed on a larger scale? Especially based on your perspective, having made a lot of films about American war for so many years.

I know people scoff when I say it, but I’m a dramatist.
I try to follow the story as told to me by others, as it was felt by others.
I didn’t have an agenda here.
In the process I learned a lot.
It’s ironic that America is still doing the old-fashioned kind of war... what do they call it? Boots on the ground. We’re in Afghanistan and Iraq, advisors in Syria, Libya, and so forth. We have 800 bases, we have special commands in practically every country.
It’s still bodies, commandos, special forces.
That kind of army. There’s this other kind of army, there's a word for it, we accuse Russia of it all the time, the H war? Hybrid war, that’s it, that’s the new terminology from the Pentagon, what they accuse Russians of doing in Ukraine, and we’ve been doing it for dozens of years.
It’s a form of soft power, using cyber tools when necessary, propaganda, all kinds of information war to create disturbances in other countries.
That’s very powerful and continues to be the main form of attack.
For example, we’ll come in, start criticizing another dictatorship for killing off freedoms. We name that person week after week in the media, until that person becomes the center of, say, hate week, you know? We’re very good at creating that kind of enemy and building them up.
I call that hybrid warfare. We didn’t think of that kind of warfare when we were young.
It could lead to nuclear war, quite frankly. When we went into Iran and blew up their centrifuges, and they rebuilt them in 6-7 months, but no one knew what they were! There was a guy who broke the code, who understood what Stuxnet really was.
And not only what it was but who had launched it. My point being that here we are now in this present world, making accusations against other countries, "they hacked this, they did that," but it’s very hard to know.
But it takes time to know.
The nature of that war is so proxied, hiding, secret, not disclosing who the force is.
The DNC leaks could have come from an insider, nobody knows! It’s easy to blame an enemy.
That’s what’s changed, subtler warfare.
In the young days, it was a little more blunt, but as you look, you see a lot of soft hybrid warfare is going on.

What relationship have you been able to discern between Snowden and the Kremlin?

I have made it very clear, I don’t think there’s any relationship.
I don’t think he’s met anybody.
I’m sure they asked him in the first place when he first arrived if he had anything.
I don't think they know that they did.
But he wasn’t carrying information in Russia. He deleted it in Hong Kong. He made that very clear.
The movie mentions that twice. No spy that I know of, unless you know of one, in recent memory, has ever turned his information over to newspapers for free.
This was done out of patriotism, out of a desire to inform the people of the United States what their government was doing and to see for themselves.
In his mind, and mine too, his loyalty was to the Constitution.

A recent New York Times report about the film's making said that you brought Snowden a bunch of American keepsakes. What was his response, and what did Snowden seem to miss the most about the United States?

I'll have to read that. Do you know [what we gave him]?

I don't have the article handy. I think there was a baseball cap?

I remember early on we brought him some DVDs of films I’d done so he could familiarize himself with that. Probably a baseball cap, yes. His needs are minimal. He’s not a materialist, I’ll tell you that. He probably spends most of his time behind a computer, like you.

Having met him, how did you feel it was most important to humanize him in this film's portrayal?

His relationship with Ms. Mills, which was marginalized by the press, was important to him.
It meant a lot to him. You have to realize that to do what he did, you have to turn away from your life completely.
The fact that he kept her in the dark for so long... he’s a human being, and that’s what the movie does, it humanizes him. You don’t do these things [to a loved one] coldly.

Did Snowden have specific input on what should be in the film and how it should be told? A message that he wanted conveyed?

He didn’t have any message that way. He just told us—in fragments, obviously, I went there nine times ultimately—how this kind of war came out.
It wasn’t like he ever said, "you’ve got to get this into the movie." He understood that the nature of drama is to condense. He wanted to be as helpful to us getting the facts as close as possible to the movies.
It was a story that took place over nine years.
This movie is just over two hours.

Did he advise technically in any capacity?

I’m a craftsman and a dramatist.
I tell a story that I think works for drama.
But the issues he addresses are crucial. You have to make sure the audience understands what’s going on, because the language is very thick.
The technical stuff was corrected by him.
It’s important to get the language right.
I mean, we don’t write about the NSA, we don’t know what they’re doing! There wouldn’t have been an Edward Snowden if they’d been more honest about things.

How much of this film was based on the novel that is mentioned in the credits roll?

Well, The Guardian was heavily involved in the story; one of the film's parallel plots involved The Guardian and the decision to publish this story.
The book, The Guardian owns the book, Luke Harding's Snowden Files, I believe.
At that time, being fresh material, it was not all correct, and it had several errors in it.
Those were corrected in the latest version that was published.
Snowden helped us with the corrected information, as well.

No, I mean The Time of the Octopus, written by Snowden's Russian lawyer. How much of this film was based on that book?

That book was a work of fiction. We didn’t have all of the facts right while in development.
There were long articles in Wired and Vanity Fair, they did a good job.
But we bought the book when we went to Russia in January 2014, because we didn’t know what direction this film was going to take. We didn’t know if Mr. Snowden was going to collaborate with us.
Therefore, we could’ve done this film in a more fictional way with an alias, another name, an American dissident in Russia.
A whistleblower, taking refuge, and he’s interrogated in this book by a Russian lawyer.
It’s an interesting conversation they have about totalitarian states.
But it’s fiction.
After we got the cooperation of Mr. Snowden in June 2014, we went ahead with information based on his real life.
The hack works by plugging a flash-drive-sized minicomputer into an unattended computer that's logged in but currently locked.
In about 20 seconds, the USB device will obtain the user name and a password hash for the account used to log into the computer.
Fuller, who is better known by his hacker handle mubix, said the technique works using both the Hak5 Turtle ($50) and USB Armory ($155), both of which are USB-mounted computers that run Linux. "First off, this is dead simple and shouldn’t work, but it does," mubix wrote in a blog post published Tuesday. "Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true)."

The pilfered authentication hash can either be cracked or downgraded to another hash that can be used to gain unauthorized access.
If the target is running an older version of Windows that still answers with NTLMv1, the captured response can be converted back into the account's NT hash no matter how complex the underlying plaintext password is: an NTLMv1 response is only the server's 8-byte challenge encrypted with DES under three keys carved out of that NT hash, and Responder sends a fixed challenge, so the reversal is a table lookup or an exhaustive DES search rather than a password guess.
From there, the NT hash can be used in pass-the-hash-style attacks.
An NTLMv2 response, which newer versions of Windows send, cannot be reversed this way; it has to be cracked offline by guessing candidate passwords, which requires more work but still succeeds against weak ones.
In mubix's tests, hashes returned by even a fully up-to-date El Capitan Mac were able to be downgraded to a susceptible NTLMv1 hash.

The Hak5 Turtle and USB Armory are both full Linux computers that are capable of emulating a USB Ethernet device. Mubix outfitted them with simple configuration modifications that present the hardware as a DHCP server.
Because the host accepts the lease it is handed on the new adapter, the USB device becomes the machine's default gateway and starts receiving the traffic the locked machine was already generating. Using the hacking tool known as Responder, the device then answers those connection attempts with requests for authentication and records the credentials the host sends back. Mubix reports that some people have gotten a similar setup to work on a Raspberry Pi Zero, making the cost of this hack $5 and about 10 minutes of configuration setup. Here's a video of it in action:
USB credential stealing while screen is locked

In an e-mail, Fuller wrote:

What is happening in the video is the USB Armory is being plugged into a locked (but logged in) system.
It boots up via the USB power, and starts up a DHCP server, and Responder. While it's doing this, the victim is recognizing it as an Ethernet adapter.
The victim then makes route decisions and starts sending the traffic it was already creating to the Armory instead of the "real" network connection. Responder does its job and responds to all kinds of services asking for authentication, and since most OSs treat their local network as "trusted" it sees the authentication request and automatically authenticates.
Seeing that the database of Responder has been modified, the Armory shuts down (LED goes solid).

The demo underscores the age-old maxim equating physical access with owning or "pwning" a device.
Still, the lock screen is a regular feature in most offices for users who don't want to turn off or physically bring their computer with them while using the restroom.
And for that reason, a hack that surreptitiously steals the passwords of such computers in 20 seconds is noteworthy. Mubix said he's working on a follow-up post suggesting ways to prevent the attack.
In the meantime, he's referring people to this mitigation technique, which he says works "pretty well."