Amar Bhattarai


How to Directly Upload Hardware Hashes to an MS Intune MDM Service Without USB

Need to register a device with Microsoft Intune? Whether you're setting up a new device or working with an existing one, here's how to upload the hardware hash directly to Intune.

For New Devices During Windows Setup (OOBE)

During the initial setup of Windows when you reach the sign-in prompt, you can quickly register your device:

  1. Press `Shift+F10` to open a command prompt
  2. Type `powershell.exe` to launch PowerShell
  3. Continue to the PowerShell commands section below

PowerShell

```powershell
# Force TLS 1.2 so the PowerShell Gallery download succeeds on older builds
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Allow the downloaded script to run in this session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
# Install Microsoft's Get-WindowsAutopilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Collect the hardware hash and upload it straight to Intune (prompts for Entra ID sign-in)
Get-WindowsAutopilotInfo -Online
```

What Happens Next?

  1. You'll be prompted to install NuGet from PSGallery - accept this installation
  2. When you run `Get-WindowsAutopilotInfo -Online`, you'll see a Microsoft Entra ID sign-in window
  3. Sign in with an account that has Intune Administrator privileges
  4. On your first run, you'll need to approve the app registration permissions
  5. The hardware hash will upload automatically

Important Notes

  • For new devices still in OOBE: Restart your device after the upload. This will trigger the Windows Autopilot profile and start the provisioning process
  • Always verify that the upload was successful by checking your registered Windows Autopilot devices in Intune
  • Make sure you're using an account with sufficient administrative privileges in Intune


And you're all set!


Why should we stop using SMS-based two-factor authentication?

Today, securing an application is challenging as attackers are becoming increasingly sophisticated. A proper authentication system plays a significant role in application security: without one, a malicious person could exploit the app's weaknesses to gain unauthorized access. Poorly configured authentication systems and human error are the most common reasons for data breaches. Therefore, to address this issue, the concept of two-factor authentication (2FA) or multifactor authentication is applied.

In addition to user ID and password, 2FA requires users to input a temporary code unique to them to verify their identity. This creates an extra layer of security by adding one more element to the authentication process. If a user’s login credentials are compromised, malicious actors won’t be able to access the resources since they would need to have both the login credentials and the 2FA code. 

One of the most widely used methods of 2FA is an SMS-based code, where the user needs to enter a code sent to them through the SMS service to verify their identity. Almost every mobile device in the world supports a text messaging service, and developers might prefer it based on its simplicity and availability. Adding text-based 2FA on top of simple user ID- and password-based authentication might be safer than not having one, but it is not the most secure way of implementing multifactor authentication. 


So, what makes the SMS service vulnerable, and why is it not considered a secure method of authentication for 2FA? Here are a few vulnerabilities of SMS which make it the most insecure method for two-factor authentication:

SIMJacking
SIMJacking, also referred to as a port-out scam or SIM swap scam, is a type of attack where an attacker gains control of someone's phone number by switching the service to another carrier. Port-out is a feature offered by telecommunication companies that lets a customer switch to a different carrier and keep their current phone number. Usually, carriers require some form of identification before they provide a PIN to port out a phone number. Hackers use sophisticated social engineering attacks and publicly available information about a victim to take over their phone number by switching it to another carrier. After getting control over the phone number, the attacker is able to receive the victim's 2FA codes.

Unencrypted protocol
SMS works through the Signaling System No. 7 (SS7) protocol, sending messages in clear text that are not protected by any encryption protocol. Because of this weakness, it is easy for hackers to intercept information sent via SMS. Since it doesn't use any encryption and the information is transmitted over a radio frequency, SMS is vulnerable to man-in-the-middle attacks, and third parties with the right tools can get access to 2FA codes sent via SMS.

Device vulnerability
SMS security also depends on the receiving device. If the phone is vulnerable, there is a risk of the 2FA code being stolen. SIM cards are also vulnerable to attacks in which a hacker installs malware on them and monitors all of the conversations.

As mentioned above, SMS-based 2FA is not the best way to implement multifactor authentication because of the multiple risks as described, and there are other better alternatives. Below we discuss two key alternatives to SMS-based authentication.

Hardware-based authentication
Hardware-based authentication uses dedicated physical hardware to generate authentication codes. These devices use time-based codes that expire after a certain time. New codes will be continuously generated based on the configured time. After logging in with a username and password, the user also needs to provide the 2FA code from the device before they are granted access to the application. Since users need to have this device with them physically to get the access code, this eliminates the risk of the code being compromised by an attacker through the internet. 

Software-based authentication
Software-based authentication works similarly to hardware-based, but instead of a physical device, it uses software to generate the 2FA codes. This provides user flexibility as they can install the application on their existing device. Google Authenticator and Microsoft Authenticator are two examples of widely used 2FA applications. Some hardware-based 2FAs also provide software applications that can be used in the same way without the need for hardware. Since the codes are generated locally without information being sent through insecure channels, it is considered more secure than SMS-based 2FA. 

Ultimately, SMS is convenient and easy to use, but it comes with risks when used as part of 2FA. Information sent through an unencrypted channel should never be trusted as secure. Physical devices that generate 2FA codes are much more secure than SMS-based solutions. Software-based 2FA codes provide better flexibility and are a much stronger solution than SMS. Since improper authentication could result in data breaches and losses to organizations, it is critical to select a secure multifactor authentication system.


What is Ransomware & How to Prevent it?

Hackers are always looking for new and easier ways to make money by breaking into other people's systems, and ransomware is one of the tools they use: it locks the computers of people and organizations until a ransom is paid. In my previous article, I discussed cryptojacking malware and why it is a big threat to information security. In that article, you can read how and why bad guys inject code onto people's computers to make money from it. Ransomware is another major threat in cyberspace that I would like to discuss in this article.

What is ransomware?
Ransomware is software designed to block access to a system, files, or operating system until the victim pays a certain amount to the attacker. Most of the time the attacker encrypts the files on the computer and provides the key to decrypt them only after the demanded amount is paid. Most ransomware attacks give the victim very limited time to pay the demanded amount, and if the files are not decrypted within that timeframe, the ransomware can automatically corrupt and delete them. Even so, there is no guarantee of regaining access to the files and system after paying the ransom to the attacker.

Attackers generally use cryptocurrencies as a payment method, so they might ask for cryptocurrencies like Bitcoin or Monero as a ransom. One of the most well-known ransomware attacks is the WannaCry attack, which occurred in May 2017. More than 300,000 computers running Windows were infected by this ransomware, and the attackers demanded $300-$600 in bitcoin to decrypt each computer.

How to Prevent Ransomware?
Ransomware is a serious threat as it can permanently encrypt important files and delete them from the computer. Therefore, it is very important to prevent this kind of malware, and the steps mentioned below will help to prevent ransomware attacks.

  • Regularly update your operating system and other software, because this applies the patches released by the vendor. Applying patches fixes known bugs in the OS and software, which makes your computer a harder target for bad guys.
  • Use a trusted antivirus and antimalware program to block possible ransomware on your computer. Antivirus and antimalware vendors regularly update their signatures for known malware and viruses, so we should install trusted antivirus software on our computers to keep ransomware out. It is also important to keep the antivirus program itself up to date.
  • Never install unknown or untrusted software with administrative privileges. If you give administrative privileges to bad software, it might modify system files and create a backdoor. Therefore, it is not a good idea to give administrative privileges to software from unknown sources or of a malicious nature.
  • Don't install any third-party software if you don't know what that software does on your computer. Only install software that you need, from a trusted source and from an official link only.
  • Don't open email attachments without knowing the sender of the email or what is attached. If you find anything suspicious, you can check those attachments in a sandbox environment or in a virtual machine. Also, don't click on suspicious links that you receive by email; you could become the victim of a phishing attack and ransomware.
  • It is always recommended to make a backup of your important data. You can back up your data to a local hard drive or to the cloud. If our computer is infected with ransomware, we will still have the backup data, so we can wipe the hard drive, reinstall the OS, and restore our files.
  • Never pay the attacker's ransom if your computer is infected, as there is no guarantee of regaining access to the files after paying. Paying the ransom means you are funding bad guys and motivating them to do more bad work, so never pay. Instead, wipe your hard drive and restore your files from backup.

If you follow the guidelines mentioned in this article, you can keep your computer free of ransomware. If you find this article helpful, please share it with your friends. Thank you for reading.

Triton: A Malware That can Kill Human

When we think of malware, we think of a program designed to harm a computer, server, or network. But these days bad guys are creating malware that targets critical infrastructure and can deliberately kill people. Malware targeting critical infrastructure and causing physical harm is not new in cyberspace, as there were a few earlier cases such as Stuxnet, but nowadays such malware is increasing at an alarming rate.

Recently, a piece of malware that could pose a serious threat to human life was detected by experienced cyber responder Julian Gutmanis. The malware was found on a server at a petrochemical plant in Saudi Arabia in the summer of 2017. The initial infection vector is still unknown, but it could have been the result of a phishing attack. The hackers managed to deploy their malicious program on the plant's safety instrumented system so that they could have full control of the plant's safety system. By installing the malware, the hackers were able to remotely control the system that manages safety inside the plant.

After gaining access to the plant's safety system, the hackers could disrupt, take down, or destroy the industrial process. In the worst-case scenario, the malware could have led to the release of toxic hydrogen sulfide gas or caused an explosion, which could have killed many people working at the facility and in the surrounding area. Luckily, the malware was detected before it could do any damage to the system.

From this incident, it is clear that malware targeting industrial control systems is becoming more aggressive and more sophisticated. We have a lot of critical plants that were built before anyone imagined such cyberattacks. Therefore, it is time to update industrial control systems to defend against possible cyber attacks.


NSA Releases Open Source Software Reverse Engineering Tool called Ghidra

The Research Directorate of the National Security Agency (NSA) has released an open source software reverse engineering tool called Ghidra. This software is very useful for software developers and security researchers who need to analyze the code of various programs. In particular, it can help find the malicious code inside a malware sample and gather information on how the malware functions. The software has a lot of features; some of the most important are disassembly, assembly, decompilation, graphing, and scripting. It also supports plugins, so one can develop their own plugin using Java or Python.

Currently, it is available for Windows, macOS, and Linux, and it only supports 64-bit versions of the OS. Ghidra doesn't use a traditional installer; it comes as a compressed file that can be extracted into any directory to run the program.

Ghidra requires a Java Runtime and Development Kit on the path to run, and NSA recommends using the OpenJDK distribution from jdk.java.net for the most stable experience.


Five Ways to Get Rid of Cryptojacking Malware

Cryptojacking is a growing threat in 2018, and there are several ways to prevent it. A few of the methods to prevent this emerging online threat are discussed below.


Installing browsing extension
Most crypto mining malware runs from the web browser, so we can stop it by installing a browser extension. A few browser extensions, like uBlock Origin and Malwarebytes, help block cryptojacking scripts. With these extensions installed, they automatically stop those scripts from running, which prevents the browser from executing the mining code. These extensions are free and regularly update their signatures. Since they filter the mining code automatically, we don't need to check for it manually. Therefore, installing a proper extension will help to get rid of cryptojacking malware.

Installing only trusted applications
Another big source of crypto mining malware is untrusted applications from untrusted sources. Untrusted adware often comes bundled with cryptocurrency mining bots, so we shouldn't install those applications on our computer if we want to stay safe from mining malware. For smartphones too, untrusted apps are the number one source of mining malware. Fake apps and untrusted apps with fake promises are found on the internet, and these applications are designed to trick users into installing mining malware on their devices. We must verify the legitimacy and source of every application we install on our computer. So, staying away from untrusted applications will help a lot to get rid of cryptojacking malware.

Installing Antivirus & Antimalware tools
Antivirus and antimalware software blocks crypto mining software before it executes, preventing crypto mining malware from landing on the computer. We might not be able to maintain our internet safety entirely by ourselves, and there is always a risk of malware being injected onto our computer unknowingly. If our computer is already infected with mining malware, we can use antimalware software to scan for and remove it. Therefore, antivirus and antimalware software helps us block those websites and programs if we run them accidentally, and remove malware that is already on the computer.

Firewall
A firewall can be installed and configured to block all the websites that host cryptocurrency mining code. We can also block the websites that provide the APIs for mining cryptocurrencies. This is very effective at blocking crypto mining malware: it prevents the bad websites from loading in the user's browser, which stops the cryptojacking malware from entering the system.

Education
If we are aware of safe internet browsing, there is less chance that we will fall victim to mining malware. Educating people on identifying fake applications and fake websites that host malicious code will help reduce the harm of crypto malware. Providing internet security training and awareness programs not only helps to get rid of crypto mining malware but also helps people identify other online threats and social engineering. Therefore, organizations should consider educating people as one of their security measures.

How to Identify Cryptojacking Malware?

There are several ways to identify hidden crypto mining malware on our computer. We can either detect and identify the malware manually or by using third-party antivirus or antimalware tools. These are a few ways to identify cryptojacking malware on our computer.


Monitoring CPU usage

If we see unusual CPU usage behavior, our computer might be infected with cryptojacking malware. Usually, there won't be much CPU usage when the computer is idle. We only see a spike in CPU usage when we are using heavy programs, so if we see high CPU usage when we are not running any programs, this might be the result of cryptojacking malware. We can manually monitor the CPU usage of our computer when we open a web browser or a website. If CPU usage increases when we open a particular website, there might be cryptojacking code on that website, and we can then block it from loading on our computer. If we see high CPU usage when opening a browser or any other application, this might be due to hidden mining code in that software. Monitoring CPU usage is one of the best ways to identify cryptojacking malware.


Analyzing fan sound
One way to detect cryptojacking malware is to monitor CPU usage, but checking CPU usage frequently might be impractical. Instead, we can also listen to the sound of the computer's fan. If the computer is infected with cryptojacking malware, the increased CPU usage will raise the CPU temperature, so the cooling fan will spin rapidly and become noticeably loud. If we frequently hear the fan running loudly, our computer might be infected with cryptojacking malware. There are many fanless laptops and ultrabooks available, and mobile devices also have no fan to cool the CPU. For those computers and mobile devices, we can monitor the CPU temperature rather than the fan sound.

Analyzing the performance of the computer
If the computer is infected with a crypto mining virus, one of the major symptoms is slow performance. Since most of the CPU is allocated to mining, the computer can't handle its assigned tasks and its performance drops. If our computer suddenly starts performing slowly, it could be the result of cryptojacking. When we open a website infected with mining malware, it makes the browser and other applications very slow. Sometimes the browser might even freeze due to the high CPU usage. With a modern operating system, we can see the CPU usage of individual browser tabs, so if any tab is slowing down the computer, the website open in that tab might be mining cryptocurrency.
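As an added example, not part of the original post, the following script turns the "high CPU while idle" rule of thumb from the CPU usage and performance sections above into a check that can run unattended on a Linux host: it computes the busy fraction from consecutive /proc/stat samples and flags a run of consecutive high-usage intervals. The embedded sample lines are constructed to show a quiet machine followed by a mining burst; the 80% threshold and five-interval run length are assumptions to tune for your hosts.

```python
"""Heuristic cryptojacking check: sustained high CPU usage while the host should be idle.
The /proc/stat samples below are constructed for the demo; on a live Linux host
call current_cpu_line() every few seconds and feed the lines to sustained_high_usage()."""

# Constructed samples, one per interval: two quiet intervals, then six busy ones.
# Columns after "cpu": user nice system idle iowait irq softirq steal (jiffies)
SAMPLE_STAT_LINES = [
    "cpu 1000 0 500 8000 100 0 50 0",
    "cpu 1020 0 510 8360 110 0 50 0",
    "cpu 1040 0 520 8720 120 0 50 0",
    "cpu 1390 0 550 8740 120 0 50 0",
    "cpu 1740 0 580 8760 120 0 50 0",
    "cpu 2090 0 610 8780 120 0 50 0",
    "cpu 2440 0 640 8800 120 0 50 0",
    "cpu 2790 0 670 8820 120 0 50 0",
    "cpu 3140 0 700 8840 120 0 50 0",
]


def parse_cpu_line(line: str) -> tuple:
    """Return (idle_ticks, total_ticks) from the aggregate 'cpu' line of /proc/stat.
    Only the first eight counters are summed; guest/guest_nice are already
    included in user/nice and would be double counted."""
    fields = line.split()
    if not fields or fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line")
    ticks = [int(f) for f in fields[1:9]]
    idle = ticks[3] + ticks[4]  # idle + iowait
    return idle, sum(ticks)


def busy_fraction(before: str, after: str) -> float:
    """Fraction of the interval between two samples during which the CPUs were busy."""
    idle0, total0 = parse_cpu_line(before)
    idle1, total1 = parse_cpu_line(after)
    elapsed = total1 - total0
    if elapsed <= 0:
        return 0.0
    return 1.0 - (idle1 - idle0) / elapsed


def sustained_high_usage(stat_lines, threshold=0.8, min_consecutive=5):
    """Return the index of the first interval in a run of at least min_consecutive
    intervals whose busy fraction is >= threshold, or None if no such run exists.
    Run this only over periods when nobody is supposed to be using the machine."""
    fractions = [busy_fraction(a, b) for a, b in zip(stat_lines, stat_lines[1:])]
    run_start = None
    for i, frac in enumerate(fractions):
        if frac >= threshold:
            if run_start is None:
                run_start = i
            if i - run_start + 1 >= min_consecutive:
                return run_start
        else:
            run_start = None
    return None


def current_cpu_line() -> str:
    """Read the aggregate line from a live Linux host (not used by the demo data)."""
    with open("/proc/stat") as fh:
        return fh.readline().strip()


if __name__ == "__main__":
    hit = sustained_high_usage(SAMPLE_STAT_LINES)
    print("no sustained load" if hit is None else f"sustained load from interval {hit}")
```

A hit is a prompt to look at which process or browser tab owns the load, not proof of mining: a scheduled backup or indexer produces the same pattern.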
