Microsoft SCCM as the ride a malicious hitchhiker would love

Using a Microsoft tool for software and patch distribution can’t be wrong, can it? I have tried for a while to come up with a couple of good reasons to use SCCM, but after this mental exercise I just feel less inclined to recommend it.

The Redmond company has invested many a dollar in making randomness part of our operating systems. As a test, start off with three computers of the same build and model, identically configured, and install the OS on them at the same time, only to see that the automated (non-SCCM-driven) update process for each of them takes a different turn – a wonderful proof of the randomness with which Microsoft enhances our dull lives with the IT equivalent of a one-way, dead-end street every so often.

The same company brings us a wonderful patch- and release-management tool:

“SCCM is a platform that allows for an enterprise to package and deploy operating systems, software, and software updates. It allows for IT staff to script and push out installations to clients in an automated manner. You can kind of think of it as a customizable, scriptable WSUS.” -Matt Nelson, Veris Group

SCCM operates in a “Client-Server” architecture by installing an agent on workstations/servers that will check in periodically to its assigned site server for updates. On the backend, SCCM uses a SQL database and WMI classes to store and access various types of information. (Source)

In a perfect world, such an institution would increase the health, security and availability of our systems.

As it turns out, the world we live in is not exactly what we can call perfect. Not even close. This is where the randomness becomes an additional hindrance to arriving at the level of health, security and availability we desire for our systems – especially in a case where we are not dealing with a red team in a Red Team engagement, but with real organization data predators. We replace the update randomness by installing an even more worrisome vulnerability.

In short this is the risk: “If you can gain access to SCCM, it makes for a great attack platform. It heavily integrates Windows PowerShell, has excellent network visibility, and has a number of SCCM clients as SYSTEM just waiting to execute your code as SYSTEM.”

Think about what a malicious actor in an IT service organization could do after getting access to SCCM. Think about inserting payloads. Check out PowerShellEmpire for more information.

For any attacker that has gained domain admin on a network, any centralized administration software that is part of the Microsoft universe and actively participates in it is like finding the pot of gold at the end of the rainbow. An attacker can find nodes and map out the network, see where users spend most of their time, and find critical assets.

So it didn’t take long before someone came up with some smart ideas on how to deploy payloads and manipulate assets by using SCCM. In order to interact with SCCM, you need administrative rights on the SCCM server; however, you do not need domain administrative rights on the network. SCCM is a cornerstone for an attacker to stay under the radar in a Red Team situation, e.g. to persist in the network after elevated access is achieved. PowerSCCM is one of these nifty developments Red Team members came up with (in this case, check out enigma0x3 – you might actually find more than you expected).

It takes a few steps to deploy malicious packages/scripts to clients through SCCM, and offensive manipulation/deployment is currently only supported through WMI SCCM sessions. SCCM deployments need three parts: a user/device collection of targets, a malicious application to deploy, and a deployment that binds the two together.

As a countermeasure, the easiest one is avoiding SCCM in critical environments completely and instead opting for a tool that does not participate in the wonderful, rainbow-colored world of Microsoft for patch, release and disaster-recovery management. By doing so, you might find that you are at the same time saving quite a bit of project-management time and cost.


Why we endorse Antsle

Once in a while, things happen that have incredible potential, and a couple of months down the road, everyone thinks “I could have had this idea!”. Antsle is one of them.

Looking like a smallish box, it is actually a blue ocean. It is oriented towards the creative maker-power of developers, not at the end-user in the first instance (in spite of the fact that it is easy enough to satisfy these, too). Don’t confuse it with a storage device that carries the misleading name of “cloud”; this is something from a different galaxy.

Just thinking about the endless opportunities this sweet little box, which serves as your home-based internet node and server, brings makes my mouth water. A couple of them come to mind immediately:

create a firewall for your IoT device collection

With the advent of all kinds of “smart” things populating your living rooms, from wearables to big-brother TV sets, we are all fair game for the predator-like data collectors. Why not have a control unit developed which sits in your own cloud server at home in your basement or attic, and acts as a firewall for your IoT units that might send out tons of things you don’t want them to?

Hey, if all the flurry.coms of this world permanently want your information, why the heck don’t they pay you for your data? They could take every other installment for the new TV set, couldn’t they?

At least while your mobile is logged into your home network, you might cut the wire to these data-sucking hoovers that give a toss about your privacy.

Do your own home-automation locally without sharing stuff

A creative developer could come to the conclusion that home automation is a great idea, and having a look at the home via a security cam as well, without wishing to “share” all this information with potential hackers and the manufacturers, Apple, Samsung, Sony and all kinds of interested third parties, including of course potential burglars.

There are pretty clever approaches on the market and already enabled and integrated in a lot of connected devices.

However, all this assumes a limitless level of trust between the user and the manufacturers, as well as the cloud operators involved.

As long as the Agile development cycle is not yet the standard, this trust is not justified at all. We live in a world where the “Hello Barbie” might silently share kids’ secrets with third parties, without parents having control over what goes out of the home.

So why not put the gearbox for your home automation and connected life into your own hands? For a maker creator, the Antsle is a wonderful platform.

These are just some examples of ideas that come to mind immediately between day and dream.

Not a server, but an ocean

What dreams may come, when the creative folks find this platform and make innovative use of it?

The antsle has the capability to be the gearbox between the SOHO office or home and the world, bypassing the vampires and vultures of the internet and sharing only what was meant to be shared, in a conscious decision process, keeping earlier decisions in store and making sure the home or office is connected – not as an open system, but as a controlled perimeter.

The use cases are myriad. The makers can count on many things which are easy to plug their ideas into and easy to realize. So…

Antsle is a platform that supports all kinds of small applications running independently from each other in a server-type environment, in a cool aluminium box without noise. It is the basis for developing loads of things that can be marketed in an ecosystem.

A good example of this kind of ecosystem is Sonos. They developed a meshed-WiFi music system that has since grown into an impressive ecosystem, due to its quality and absolute ease of use and administration. It has loyal followers (like the early Apple users) due to a strong commitment to backwards compatibility and superior build quality. This is the basis for makers. This is the mindset of creators.

What’s missing?

Of course, there are always compromises when starting something new. It would be terrific if there was a forum or platform where like-minded developers could meet with regard to the antsle and share ideas, get together, inspire each other, share solutions for puzzling questions and exchange open source code.

This could be something easily created on one of the new antsles, but of course it’s not there yet.

Also, while the antsle smart OS is a great idea and has a lot going for it, I would have simply loved to see the concept of Qubes OS taken into the commercial world. Joanna Rutkowska deserves to be lauded for an innovative idea, and it could basically be the fifth gear for a security antsle in the future… Folks, how about this for the next release? Maybe someone at antsle is interested in exploring this…

On the other hand, the OS choice is with the creators and it makes a lot of sense in many respects – the team at antsle have researched the necessities down to the question of which RAM to use (only ECC will do) and how to assure data integrity and safety (by mirroring SSDs). So they have probably spent months analysing what would be the best basis. But we do have a lot of sympathy for Joanna.

On December 15th, crowdfunding for antsle will start. We will order our first antsle right away and contribute to the crowdfunding. We do hope the spirit of innovation will inspire the developer community and are anxious to see the next news about it.

(Antsle is THE solution for Autonomous Web Hosting! Own your data, run hundreds of VM’s – all in one powerful and 100% silent home-based server.)

Go see: Autonomous Web Hosting – antsle.com and get it while they are hot and new! Be one of the first and be one of the early flock!

Minix 3.3.0 out!

Andrew S. Tanenbaum publishes Minix 3.3.0. Tanenbaum is one of the lighthouse open source folks out there (don’t forget: his last university lecture is coming up in the Aula of the Vrije Universiteit – and we are invited for free coffee!).

Minix is cool, based on a microkernel of less than 13,000 LOC.

It is largely compatible with NetBSD and runs thousands of packages. It does ARM, too. Go get it.

Prof. Tanenbaum retires from Vrije Universiteit

I only dimly remember the mid-90s, but one event sticks out from all the rest: the opportunity to listen to a presentation given by Prof. Andy Tanenbaum during the Unix User Group conference in Wiesbaden. This was the time when I was mightily upsetting my fellow colleagues by bringing my own device (a shiny black NeXT cube with a 400 dpi black-and-white printer and a brilliant black-and-white display) into the office, and whenever any Windows machine in the office needed to be rebooted, I would note the number of months my machine had been running without any flaw… Oh, nobody was bringing their own device then and there. I was frowned upon, but on the other hand, my reports always looked best.

Of course, there was a small group of consultants who gave me the “taste” of it, really top guys, Volker Herminghaus and Thomas Brox. I adored them and the beautiful things they were doing with their UNIX machines, while everybody else still thought the Windows workhorse was the bee’s knees.

Coming back to Professor Tanenbaum, who is famous for his Minix system and many other thoughts on shared resources (you know, using somebody else’s computing power and disk space through communication lines, like, cloud? Amazon, anyone?). He came to talk about layered complexity and layered assumptions (starting with the hardware developers, the embedded controller manufacturer, the OS developers, the development language developers, the application developers…) causing an endless combination of assumptions that may be right – but could also be totally wrong, but only in certain situations.

He illustrated this with a practical example of why a plane crash had happened shortly prior to the event: the combination of wheel speed and altitude, airplane speed and braking power did not take into account the isolated event of “aquaplaning”, which happened due to extreme weather conditions and torrential rains. It was easy to understand and easy to follow. And it was fairly easy to learn: there is always a special condition that we cannot take into account, because we can’t imagine it. It is, so to say, the “unknown unknown”.

Philosophically, the example shows us the fallacy of calculating the odds of Fukushima happening beforehand, as well as many other examples of “manageable” risks. But it also illustrates the arrogance of developers today: we rely on the layers we choose to ignore, because it is only the odd hacker that analyzes the code at machine language level to see what is really going on. We think we understand stuff, but we are only scratching the surface, and even feel we are above the rest in doing what we do.

Tanenbaum gave me a lecture that I never forgot and that I still keep as a fond memory from the mid-nineties. He has now decided to leave his post as a professor at the university in Amsterdam, and we may say thank you for a great contribution of thought and knowledge. It would be a great idea to sit in class on 23 October 2014 in the Aula of the Vrije Universiteit, which is in the main building, at 11:45 sharp. The organizers say coffee will be served outside the Aula starting at 11:00. You may well be seeing one of the greatest minds in open source software delivering his last university lecture as a professor (I doubt he will stop thinking!). And I would assume it will be a great lecture once again.

Tanenbaum’s office wall