Interesting week this week for me. I uploaded a few new Powershell Scripts to my Github, mind you that while changing telephone numbers or unchecking an attribute box in AD is not sexy security, these scripts do show how to do some manipulation. The Attribute box for “Deny this user permission to Remote Desktop Session host server,” is the more interesting one due to Powershell having to manipulate the object using LDAP instead if normal AD commands. This is due to that attribute as part of the normal AD schema being buried in a single attribute that covers a bunch of odds and ends, and tough to manipulate otherwise. The idea of manipulating AD through LDAP does leave questions open to LDAP bugs being exploitable through Powershell, and how easy that could be. Also it means you have to make sure that some sort of LDAP logging is on, as some of the smaller attributes might not have changes logged by AD into the Windows Event Logs. I am going to investigate further into that.
One of the big things going on in our world is the whole Kaspersky debacle. So much information and/or misinformation has been floating around, that it really feels to me like a lot of this is PR posturing by the U.S. Government. What I want to point out is a few things.
- The data that was found using Kaspersky was not on a government machine. This was another Contractor that took classified materials out of the NSA and back to his house. This is important as we do not know the motives of this contractor. Yes I am going to go a little tin foil hat here, but what if it was a setup? What if said contractor intended for the data to get swiped from his home machine. I am not saying this is the case, but it is a possibility.
- The source of proving the Russians used Kaspersky to do this ex-filtration was Israel. More specifically Israeli hackers who had hacked into Kaspersky’s network. Think about that. If the Israelis hacked into Kaspersky’s network, why must Kaspersky have worked intentionally with the Russian government? Now Kaspersky being hacked is a black eye on the company, but we all know that there is no perfect security and anything can be hacked.
- Vendors work with Governments. Period. NSA had RSA put in a backdoor into its encryption. McAfee and Symantec have at times worked with the U.S. Government. It is a fact of life.
- Reuters reported that German intelligence found no evidence of Kaspersky software used for hacking. Now we start getting back into a he said/she said about what has happened.
- With all the cloud systems out there, this same hack is possible to do using Symantec, McAfee or any other AV vendor.
Now I am not saying that there are not issues, trust issues that Kaspersky has to work through, but this is the good ol’ U.S.A. here. We forgive Target, Home Depot, soon, Equifax, and all these other breaches of our own personal data. Keeping Kaspersky off Government machines I can understand, but it is still one of the top AV vendors and I will continue to recommend their software for home users until I see better proof not to. Remember in this day and age, it is all about who you want to have the data, and in the end it is probably everyone who does have it.