Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
CISA Releases Incident Response Tool for Microsoft Clouds
The Cybersecurity & Infrastructure Security Agency has released a new tool to help SOC analysts and threat hunters detect potentially malicious activity in Microsoft Azure, Azure Active Directory and Microsoft 365 environments. Untitled Goose adds novel authentication and data gathering methods in order to run a full investigation against these environments, enabling users to:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
- Query, export, and investigate AAD, M365, and Azure configurations.
- Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
- Perform time bounding of the UAL.
- Extract data within those time bounds.
- Collect and review data using similar time bounding capabilities for MDE data.
Untitled Goose was developed by CISA with support from Sandia National Laboratories.
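The "time bounding" and review steps in the list above amount to: take an export of the unified audit log, restrict it to the window under investigation, then pull out the operations an analyst wants to see first. The following added example (not code from Untitled Goose or CISA) does that over a handful of constructed UAL-shaped records; the field names follow the UAL schema, while the values, the watchlist of operations and the window are assumptions made for the illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of a M365 Unified Audit Log export (NDJSON).
# Field names match the UAL schema; users, IPs and timestamps are invented.
SAMPLE_UAL = r"""
{"CreationTime":"2023-03-20T08:02:11","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory"}
{"CreationTime":"2023-03-21T23:41:05","Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"198.51.100.77","Workload":"Exchange"}
{"CreationTime":"2023-03-21T23:43:30","Operation":"Add member to role.","UserId":"alice@contoso.example","ClientIP":"198.51.100.77","Workload":"AzureActiveDirectory"}
{"CreationTime":"2023-03-25T10:15:00","Operation":"FileAccessed","UserId":"bob@contoso.example","ClientIP":"203.0.113.10","Workload":"SharePoint"}
"""

# Assumed watchlist (not the tool's): operations commonly reviewed first because they
# indicate persistence (inbox rules) or privilege changes (role / app updates).
REVIEW_FIRST = {"New-InboxRule", "Set-InboxRule", "Add member to role.", "Update application."}


def _utc(iso_ts):
    # UAL CreationTime values are UTC but carry no offset; attach it explicitly.
    return datetime.fromisoformat(iso_ts).replace(tzinfo=timezone.utc)


def parse_ual(text):
    """Parse newline-delimited JSON records and attach a parsed UTC timestamp."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["_ts"] = _utc(rec["CreationTime"])
        records.append(rec)
    return records


def time_bound(records, start_iso, end_iso):
    """The time-bounding step: keep records with CreationTime in [start, end)."""
    start, end = _utc(start_iso), _utc(end_iso)
    return [r for r in records if start <= r["_ts"] < end]


def triage(records):
    """Return (records on the watchlist, Counter of (user, operation)) for a window."""
    flagged = [r for r in records if r["Operation"] in REVIEW_FIRST]
    per_user_op = Counter((r["UserId"], r["Operation"]) for r in records)
    return flagged, per_user_op


if __name__ == "__main__":
    recs = parse_ual(SAMPLE_UAL)
    window = time_bound(recs, "2023-03-21T00:00:00", "2023-03-22T00:00:00")
    flagged, counts = triage(window)
    for r in flagged:
        print(r["CreationTime"], r["UserId"], r["ClientIP"], r["Operation"])
    for (user, op), n in counts.most_common():
        print(f"{n:4d}  {user}  {op}")
```

Narrowing the window before triage matters in practice because a UAL export for a whole tenant is large; bounding it to the suspected compromise window and then counting operations per user gives the analyst a short list to pivot from (here, the inbox rule and role change from the same unfamiliar address within two minutes).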
cisagov, untitledgoosetool, GitHub project, 23 March 2023. Available online at https://github.com/cisagov/untitledgoosetool.
New Security Features in Windows 11 Insider Preview Build 25324
The latest preview build of Windows 11 has a number of new features, some of them specifically related to security.
First of all, Windows is finally getting support for the SHA-3 family of hash functions, which won NIST's competition for a new hash function many years ago. Earlier hash functions like MD5 and the SHA-1 and SHA-2 series use the Merkle-Damgård construction and are vulnerable to length extension attacks, which led NIST to search for an alternative. The winner was the Keccak algorithm, developed by a team including Joan Daemen (of AES/Rijndael fame), which uses a sponge construction, solving the length extension problem (and several others). The Windows CNG library will now support a range of SHA-3 and related functions:
- SHA3-256, SHA3-384, SHA3-512 (SHA3-224 is not supported)
- HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
- Extendable-output functions (XOFs): SHAKE128 and SHAKE256; customizable XOFs: cSHAKE128 and cSHAKE256; and KMAC: KMAC128, KMAC256, KMACXOF128 and KMACXOF256.
The omission of SHA3-224 is of no real significance - the primary use of SHA2-224 was to prevent length extension attacks, and SHA3 is not vulnerable.
Other new features include support for camera selection for Windows Hello sign-in, and warnings against re-use of Windows passwords on sites and apps, including a UI warning on unsafe copy and paste.
Langowski, Amanda and Brandon LeBlanc, Announcing Windows 11 Insider Preview Build 25324, Windows Blog, 23 March 2023. Available online at https://blogs.windows.com/windows-insider/2023/03/23/announcing-windows-11-insider-preview-build-25324/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.