You have found your next IT professional

Tag: Cyber Security

Automating CrowdStrike Driver Fix

It’s a big one

In a global outage that is about as big as they come, CrowdStrike made an update that has incapacitated Windows systems around the world. Individually the fix is not so taxing, but in an enterprise with 1000s of endpoints down and a handful of IT workers to fix them it is a mammoth task.

The Fix

  • Boot Windows into Safe Mode or the Windows Recovery Environment.
    • Restart and press F8 repeatedly (may be F4 or F5).
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
    • Similar to normal Windows file exploring.
  • Locate the file matching “C-00000291*.sys” and delete it.
    • Make sure you find the right one.
  • Reboot the host normally.

Why that file?

Deleting that specific CrowdStrike driver file likely fixes the BSOD because:

  • The file may be corrupted or incompatible with the current system configuration.
  • It could be conflicting with other drivers or system components.
  • Removing it allows Windows to use a default or fallback driver instead.
  • The BSOD was potentially caused by an issue within that particular CrowdStrike driver file.

Solution for Automating This?

I came across a post on the r/CrowdStrike thread for this problem. It claims to have an automated solution to this problem for enterprise environments.

  • Create a modified WinPE image
  • Add command to startnet.cmd in WinPE image:
    • del C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
  • Exit.
  • Set up PXE server with modified WinPE image.
  • Configure affected systems to boot from network.
  • Systems boot from PXE server.
  • WinPE environment loads on target systems.
  • startnet.cmd executes, deleting problematic driver.
  • Systems automatically reboot.
  • Normal boot process resumes without CrowdStrike issue.

WinPE

A modified WinPE (Windows Preinstallation Environment) image is a customized version of Microsoft’s lightweight operating system used for deployment, recovery, and troubleshooting. It’s tailored to include specific drivers, tools, or scripts to meet particular needs. Modified WinPE images are often used by IT professionals for tasks like system deployment or data recovery.

PXE Server

A PXE (Preboot Execution Environment) server allows network-based booting and installation of operating systems on client computers. It provides boot images and configuration files over the network, enabling diskless workstations or computers without local boot media to start up and install an OS remotely. PXE servers are commonly used in large-scale deployments and network management.

Are Passkeys just better?

Internet security is an ever-increasing issue for all of us. Let me ask you something. How do you keep track of your passwords? Memorise them all? Yeah, sure. Write them down in a little black book with random passwords and usernames scribbled all over the place? Or maybe use a password manager such as Dashlane, Bitwarden, etc.? How about two-factor authentication?

What if I were to tell you about a relatively new way to sign in? Passkeys use public key cryptography to safeguard your accounts, but is this better than using any of the above? Well, for a start, anything is better than memorising all your passwords: they would have to be far too basic and repetitive. And what happens if you lose your device and your little black book at the same time? Don’t even think about it.

Passkeys are more secure than both username/password and two-factor authentication (2FA).

It is true. Passkeys are based on public key cryptography, which means the user has a public key and a private key. The private key is never given to anyone, but the public key is made available to the website during the registration/login process. When the user wants to sign in, the website sends them a large, never-before-used random number, which the user signs (encrypts) with their private key. This is sent back to the website, which uses the user’s public key to decrypt it and compares the result with the number it originally sent. If they match, the authentication is approved. (Simplified, but you get the idea.)

The point here is that the website never stores any ‘secret’ that belongs to the user, so in the event of a breach there is nothing for an attacker to obtain.

Now compare this with traditional logins and two-factor authentication. Both of these require the website to store secrets that belong to the user: the username, hashed password and 2FA key, all of which can be stolen, either from the website’s storage servers or in transit as the authentication process takes place.

Passkeys are more convenient – no need to remember passwords or enter codes.

Yes, using passkeys is almost too easy, and it actually feels less secure than 2FA. Usually it is just a case of agreeing to log in using your passkey.

Is it that simple?

Well, sadly, no. If the website still offers a traditional login as an option, a lot of the security gained from using passkeys is naturally lost. During the transition phase, while passkeys are (hopefully) being fully adopted, this scenario will remain widespread. If you can, have this option disabled and have your credentials removed from their servers. Also, if you do use a dedicated password manager (two thirds of internet users don’t), remove the username and password entries for the account. This denies those credentials to anyone who gets into the password manager.

Setting Up Passkeys

Let’s actually set up a login to Amazon using Passkeys.

Log in to your account using Chrome.

Go to Your Account > Login & Security

Scroll down to:

Now follow instructions:

Then supply password for security:

Dashlane, my password manager:

And the setup is complete.

Now when we sign in to Amazon we get the option to use a passkey.

So what are we waiting for?

It is a good question. Passkeys have been around for some time now but the internet is moving slowly in adopting them. At the time of writing Chrome will allow Passkeys for Amazon but Firefox will not. These things take time to mature and for people to feel safe switching to new technologies. Most dedicated password managers are supporting passkeys but not all browsers are. Find out more:

Passkey Support by Major Organizations: A Work in Progress

Here’s a glimpse into the current state of support by some key players:

  • Apple: A frontrunner in Passkeys, Apple has implemented them in iOS and macOS. You can expect smooth Passkey integration if you use Apple devices and Safari browser.
  • Google: While not fully rolled out yet, Google is actively developing Passkey support for Chrome and Android. We can expect wider availability from Google soon.
  • Microsoft: While not directly offering Passkeys yet, Microsoft has a strong focus on passwordless authentication with options like Windows Hello. Their approach might converge with Passkeys in the future.
  • Browser Support: Support for Passkeys is gradually increasing. Look for updates in popular browsers like Chrome and Firefox. You can check resources like Passkeys.directory for the latest compatibility information: https://passkeys.directory/.

Additional Resources:

Remember: Passkey adoption is ongoing. These resources will help you stay updated on which websites and platforms offer this secure login method.

Enrolled in GICAST, The Open University.

I have enrolled and, at the time of writing, am halfway through this course provided by The Open University. Personally I find the ‘gamified’ element to be a bit strange, but the actual content is relevant and a useful round-up of the fundamentals of Cyber Security.

Main page here.

“The ‘Gamified Intelligent Cyber Aptitude and Skills Training’ (GICAST) course is developed by the Cyber security experts from The Open University and funded by Nesta and the Department for Education.”

“This course uses unique game-based assessment, which presents you with a series of cyber security scenarios to help assess your intuitive cyber behaviour and current understanding of cyber security concepts.”

“On completing the game, you’ll be provided with a personalised course pathway to support you with developing knowledge and understanding in cybersecurity.”

Website Under Attack!

The website is under attack.

This is clearly the reality of the internet: many random attempts at gaining access to any web server that is available, insecure or badly configured. As far as I can tell, so far none of these attempts has actually succeeded.

My first response was to limit login attempts to 1 allowed try and 24 hours until reset. This worked well but actually restricted me from getting in a couple of times. I ended up with these settings to restrict the attack as much as possible without making it a pain if I got the password wrong.

I have always used a strong password to protect the site, and even though this seems like a lot of attacks, it would take centuries, maybe even millennia, for these botnets to luck upon the right password by guessing.

To make it effectively impossible for these particular attacks to gain access, I have added a plugin called Wordfence to add multi-factor authentication to the mix.

On top of this, the WPScan plug-in is telling me that XML-RPC is enabled, and that this will significantly increase the site’s attack surface, which means there are many more points of entry that attackers can use to attempt access to the site.

The WPScan blog has a good post on this: https://blog.wpscan.com/is-wordpress-xmlrpc-a-security-problem/

Unfortunately it’s not a simple fix, especially if you want to fully shut it down, which many of the usual plug-ins won’t do.

For now, the plan is to find one of these plug-ins to close it down as much as possible until I can figure out how to fully disable XML-RPC.

Update 11/07/22

After a couple of efforts at inserting code to disable XML-RPC I have gone with the XML-RPC Security plug-in as a quick fix. Let’s see how the failed attempts fare after this.

Now the WPScan scan is clear.

Final Update 14/07/22

So the XML-RPC disable plug-in has fixed the problem. Reducing the size of the attack surface exposed to the web has made all the difference.

© 2025 timnott-it
