Category: cloud

Feb 12 2018

Windows Defender Advanced Threat Protection coming to Windows 7 and 8.1

(credit: Jerry Raia)

Windows Defender Advanced Threat Protection (ATP), Microsoft's security software that combines end-point security and data collection with cloud analytics, has hitherto been unique to Windows 10. But no longer; Microsoft announced today that it's bringing the same features to Windows 7 and Windows 8.1.

Coming this summer, the Endpoint Data and Response (EDR) portions of ATP will be available for these older operating systems, allowing their health and status to be managed through the cloud interface. This will be paired with either third-party anti-virus for endpoint protection or Windows Defender/System Center Endpoint Protection.

This move shows the contradictory position Microsoft finds itself in. On the one hand, Microsoft wants enterprises to deploy and use ATP, as it continues to build its cloud-based device management and monitoring software. On the other hand, Redmond wants those same companies to upgrade to Windows 10. This creates a tension: having ATP as a Windows 10 exclusive feature makes Windows 10 more attractive—Microsoft says that security is one of the major reasons enterprises cite for moving to the new operating system—but with many organizations still having Windows 7 and Windows 8.1 systems that they need to support, the inability to monitor those machines makes ATP less attractive.


Sep 14 2017

Azure Confidential Computing will keep data secret, even from Microsoft

The Trusted Execution Environment means that, even if the application and operating system are compromised, the green code and data can't be accessed. (credit: Microsoft)

Microsoft announced today a new feature coming to its Azure cloud platform named "Confidential Compute." The feature will allow applications running on Azure to keep data encrypted not only when it's at rest (in storage) or in transit (over a network) but when it's being computed on in-memory. This ability to encrypt data when it's in-use means that it can be kept secure even from Microsoft's administrators, government warrants, and hackers.

Confidential Computing will have two modes: one is built on virtual machines, while the other uses the SGX ("Software Guard Extensions") feature found in Intel's recently introduced Skylake-SP Xeon processors. Both modes will allow applications to ringfence certain parts of their code and data so that they operate in a "trusted execution environment" (TEE). Code and data that are inside a TEE cannot be inspected from outside the TEE.

The virtual machine mode uses the Virtual Secure Mode (VSM) functionality of Hyper-V that was introduced in Windows 10 and Windows Server 2016. With VSM, most parts of an application will run in a regular virtual machine atop a regular operating system. The protected, TEE parts will run in a separate virtual machine containing only a basic stub operating system (enough that it can communicate with the regular VM) and only those parts of the application code that need to handle the sensitive data.


Mar 01 2016

Windows Defender Advanced Threat Protection uses cloud power to figure out you’ve been pwned

WDATP can detect anomalous behavior even when the malware scanner doesn't find anything wrong. (credit: Microsoft)

Microsoft is beefing up Windows Defender, the anti-malware program that ships with Windows 10, to give it the power to tell companies that they've been hacked after it has happened.

Attacks that depend on social engineering rather than software flaws, as well as those taking advantage of unpatched zero-day vulnerabilities, can evade traditional anti-malware software. Microsoft says that there were thousands of such attacks in 2015, and that on average they took 200 days to detect, and a further 80 days to contain, giving attackers ample time to steal data, and incurring average costs of $12 million per incident. The catchily named Windows Defender Advanced Threat Protection is designed to detect this kind of attack, not by looking for specific pieces of malware, but rather by detecting system activity that looks out of the ordinary.

For example, a social engineering attack might encourage a victim to run a program that was attached to an e-mail, or execute a suspicious-looking PowerShell command. The Advanced Persistent Threat (APT) software that's typically used in such attacks may scan ports, connect to network shares to look for data to steal, or connect to remote systems to seek new instructions and exfiltrate data. Windows Defender Advanced Threat Protection can monitor this behavior and see how it deviates from normal, expected system behavior. The baseline is the aggregate behavior collected anonymously from more than 1 billion Windows systems. If systems on your network start doing something that the "average Windows machine" doesn't, WDATP will alert you.


Sep 28 2015

Storing secret crypto keys in the Amazon cloud? New attack can steal them

(credit: martinak15)

Piercing a key selling point of commercial cloud computing services, computer scientists have devised a hack that allows an attacker using Amazon's EC2 platform to steal the secret cryptographic keys of other users.

The proof-of-concept attack is significant because Amazon Web Services and many other cloud service providers already blocked a previous key-recovery attack on co-located virtual machines that was unveiled in 2009. The paper was one of the first to highlight the security risks that come when someone uses the same physical piece of hardware as an advanced attacker. Cloud providers and makers of cryptography and virtual-machine software patched many of the weaknesses that made the attack possible. As a result, many of the techniques that gave the 2009 attack a high degree of accuracy are no longer possible.

Now a separate team of researchers has constructed a new method for recovering the full private key used in a modern implementation of the widely used RSA crypto system. Like the 2009 work, the new research implements a CPU cache attack across two Amazon accounts that happen to be located on the same chip or chipset. They recently used their technique to allow one Amazon instance to recover the entire 2048-bit RSA key used by a separate instance, which they also happened to control. The newer technique works by probing the last level cache of the Intel Xeon processor chipsets used by Amazon computers.
