My Apple Mobile Device stopped charging over USB on W10!

secRMM has always offered a feature that blocks mobile devices (or any removable storage, for that matter) from mounting their file system to Windows when attached over USB, while still letting the device pull power from the USB port. This is the best of both worlds for the end-user and the security administrator: the end-user can still charge their mobile device and/or listen to their music, while the security administrator can be assured that the end-user cannot copy files to the device. Regardless of secRMM, Apple has made it pretty difficult to transfer files to an Apple device. However, secRMM comes with GUI programs that expose more of the Apple mobile device's file system, allowing the end-user to copy files to and from the device's app data directory(s). That is contradictory to secRMM's security features, but some organizations require file transfer functionality to Apple devices, especially if they have large amounts of data to transfer. The secRMM GUI still adheres to the secRMM security policies (of course). That is not the subject of this blog, however.

SCCM

We received a support incident from one of our customers. He said that when they upgraded to Windows 10, their users were complaining that their Apple devices stopped pulling power when connected to the USB port. Searching the Internet took us to https://discussions.apple.com/thread/6773753?start=0&tstart=0. If you do a text search in your browser (once you are on that page) for “Fix 2:”, you will see how to fix the issue. There were lots of responses to the suggested fix from SCCM administrators, so we knew we had to pursue this approach.

We did end up making an SCCM script application, since the fix had to be implemented on all the W10 machines in the environment. Below is the CMD script that we deployed via SCCM. You need to make sure that the two Apple MSI files (appleapplicationsupport64.msi and applemobiledevicesupport6464.msi) are in the same directory as the script. Note that the script imports a .reg file under HKEY_CLASSES_ROOT\Installer\Products and then runs msiexec against those two MSIs, and that it can write its log to a network share, so the logToNetworkShare path must be writable by the account SCCM runs the script as. I am sure someone out there will be able to offer improvements to the script, so we are anxious to hear from you!

In summary, secRMM continues to help IT organizations and security professionals manage the events around removable storage, especially mobile technology, but sometimes you have to tweak the environment! Please let us know what you think.


@ECHO OFF
REM **************************************************************************
REM
REM Module: AppleDriverFix.cmd version 3
REM
REM Purpose: Fix registry so that apple device drivers can be upgraded
REM
REM Reason: On W10, if the apple drivers are not loaded and the apple
REM mobile device is not mounted to the W10 OS but physically
REM connected with a USB cable, the apple mobile device does not
REM charge (i.e. pull power thru the USB cable). This will happen
REM if you use the "Enforce when device is plugged in" on one of
REM the secRMM policy(s).
REM
REM Copyright (c) 2017 Squadra Technologies
REM
REM **************************************************************************
setlocal EnableExtensions EnableDelayedExpansion
set regkeyroot=HKEY_CLASSES_ROOT\Installer\Products
set regvalue=ProductName
set regvalue2=Version
set regvaluevaluetofind=Apple Application Support (64-bit)
set secRMMVersionFix=3
REM The two Apple MSI files must sit in the same directory as this script
set AppleInstall1="%~dp0appleapplicationsupport64.msi"
set AppleInstall2="%~dp0applemobiledevicesupport6464.msi"
REM Leave logToNetworkShare empty to write the log next to the script instead of to a share
REM set logToNetworkShare=
set logToNetworkShare=\\Server1\Apps\SysUtils\SecRMM\AppleDriverFixLogs\
if "%logToNetworkShare%" == "" (
set log="%~dp0%COMPUTERNAME%_%~n0.log"
) else (
set log="%logToNetworkShare%%COMPUTERNAME%_%~n0.log"
)
set regfile="%~dp0%~n0.reg"
if exist %log% del %log%
if exist %regfile% del %regfile%
@echo %COMPUTERNAME% > %log%
call :GetAppleApplicationSupportProduct
if defined regkey (
@echo Found registry key !regkey! as !regvaluevalue! >> %log%
call :GetAppleApplicationSupportVersion
if defined regvalueVersion (
@echo Found registry value %regvalue2% value as !regvalueVersion! >> %log%
IF EXIST %AppleInstall1% (
IF EXIST %AppleInstall2% (
if NOT "!regvalueVersion!" == "0x0" (
CALL :UpdateRegistry 0
if !UpdatedRegistry! EQU 0 (
call :CallMsiexecForAppleDrivers
) else (
@echo Registry fix for !regkey! failed >> %log%
)
) else (
echo regkey Version is already 0 !regvalueVersion! >> %log%
CALL :UpdateRegistry 1
if !UpdatedRegistry! EQU 0 (
call :CallMsiexecForAppleDrivers
) else (
@echo Registry fix for !regkey! failed >> %log%
)
)
) ELSE (
@echo %AppleInstall2% NOT FOUND. >> %log%
)
) ELSE (
@echo %AppleInstall1% NOT FOUND. >> %log%
)
) else (
echo regkey Version is not found >> %log%
)
) else (
echo regkey is not found >> %log%
)
exit /b 0
REM ==========================================================================
:GetAppleApplicationSupportProduct
REM Walk every product under Installer\Products. Key lines have a single token,
REM value lines have name / type / data. Stop at the first ProductName match.
set regkey=
FOR /F "usebackq tokens=1-2,*" %%A IN (`REG QUERY %regkeyroot% /F %regvalue% /s`) DO (
IF "%%B" == "" (
SET regkey=%%A
) ELSE (
SET regvalue1=%%A
SET regdatatype=%%B
SET regvaluevalue=%%C
IF "!regvaluevalue!" == "!regvaluevaluetofind!" (
goto :FoundRegKey
)
)
)
REM No match: do not leave regkey pointing at the last product that was listed
set regkey=
:FoundRegKey
exit /b 0
REM ==========================================================================
:GetAppleApplicationSupportVersion
REM skip=2 steps over the blank line and the key line that REG QUERY prints first
FOR /F "usebackq skip=2 tokens=1-2,*" %%A IN (`REG QUERY %regkey% /F %regvalue2%`) DO (
set regvalueVersion=%%C
goto :FoundVersion
)
:FoundVersion
exit /b 0
REM ==========================================================================
:UpdateRegistry
REM Argument 0: reset Version to 0 so msiexec treats the MSI as an upgrade and
REM stamp the secRMMVersionFix marker. Argument 1: stamp the marker only.
echo Windows Registry Editor Version 5.00 > %regfile%
echo( >> %regfile%
echo ^; ProductName=Apple Application Support ^(64-bit^) fix 5010000 >> %regfile%
echo [%regkey%] >> %regfile%
if "%1"=="0" (echo "Version"=dword:0 >> %regfile%)
echo "secRMMVersionFix"=dword:%secRMMVersionFix% >> %regfile%
@echo Calling reg import. >> %log%
REG.exe IMPORT %regfile% > nul 2>&1
if %ERRORLEVEL% EQU 0 (
@echo Registry fix for %regkey% succeeded >> %log%
set UpdatedRegistry=0
) else (
set UpdatedRegistry=1
)
exit /b !UpdatedRegistry!
REM ==========================================================================
:CallMsiexecForAppleDrivers
IF EXIST %AppleInstall1% (
IF EXIST %AppleInstall2% (
set MsiexecAppleInstall1=msiexec /i %AppleInstall1% /quiet
set MsiexecAppleInstall2=msiexec /i %AppleInstall2% /quiet
REM Delayed expansion is required below: percent expansion happens when this
REM whole parenthesised block is parsed, i.e. before the two set lines have run
@echo !MsiexecAppleInstall1! >> %log%
!MsiexecAppleInstall1!
@echo !MsiexecAppleInstall2! >> %log%
!MsiexecAppleInstall2!
) ELSE (
@echo %AppleInstall2% NOT FOUND. >> %log%
)
) ELSE (
@echo %AppleInstall1% NOT FOUND. >> %log%
)
exit /b 0
REM ==========================================================================
:EOF
endlocal
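As an added example (not part of the original post or of secRMM), here is a PowerShell detection script for the SCCM application that wraps AppleDriverFix.cmd. It relies on the secRMMVersionFix REG_DWORD that the CMD script stamps into the matching Installer\Products key, and on SCCM's script detection rule (output on STDOUT plus exit code 0 means "installed", no output plus exit code 0 means "not installed"), so the fix is only re-run on machines it has not yet touched.

```powershell
# Added example, not from the original post or from secRMM: SCCM detection
# method for the AppleDriverFix.cmd deployment. It mirrors the CMD script's
# lookup (the Installer\Products subkey whose ProductName is the Apple
# Application Support (64-bit) product) and checks for the marker it writes.
$productName  = 'Apple Application Support (64-bit)'   # same string the CMD script searches for
$expectedFix  = 3                                      # secRMMVersionFix written by version 3 of the script
$productsRoot = 'Registry::HKEY_CLASSES_ROOT\Installer\Products'

# Walk every product subkey and keep the first one whose ProductName matches
$productKey = Get-ChildItem -Path $productsRoot -ErrorAction SilentlyContinue |
    Where-Object {
        $name = (Get-ItemProperty -Path $_.PSPath -Name ProductName -ErrorAction SilentlyContinue).ProductName
        $name -eq $productName
    } |
    Select-Object -First 1

if ($null -eq $productKey) {
    # Apple Application Support is not installed, so there is nothing to fix;
    # report "installed" so SCCM does not retry the deployment forever
    # (use a requirement rule instead if you only target machines with the Apple software).
    Write-Output "Apple Application Support (64-bit) not present; fix not applicable"
    exit 0
}

$props = Get-ItemProperty -Path $productKey.PSPath -ErrorAction SilentlyContinue
if ($props.secRMMVersionFix -eq $expectedFix) {
    # Any STDOUT output together with exit code 0 tells SCCM the application is installed
    Write-Output "AppleDriverFix $expectedFix applied to $($productKey.PSChildName)"
}
# No output reaches here when the marker is missing or has an older value: "not installed"
exit 0
```

Because the CMD script resets Version only to force the MSI upgrade and msiexec then writes the real version back, the marker value, not Version, is what tells you the fix has been applied.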

GDPR – Compliance will require addressing USB Data Loss

What is GDPR in Europe and how can it impact non-EU businesses?

The General Data Protection Regulation (GDPR) is rapidly approaching, and organizations need to get their compliance practices in place or face some pretty steep fines. GDPR is the new regulation to protect EU citizens’ personal data, replacing the current directive from 1995 and establishing a single set of rules across the European Union. GDPR outlines a set of obligations organizations have with respect to data encryption and storage, handling personal data, record keeping and breach notification. Failure to meet those obligations can be costly, with fines ranging up to €20 million, or 4% of a company’s total worldwide sales, whichever is greater.

Non-European companies don’t escape the reach of GDPR. By having even a single European customer, a non-EU based company is required to meet the GDPR requirements.

USB Data Loss Risk

One area that has the potential to be overlooked in the technical implementation of GDPR requirements is USB and removable media. Removable media accessed through USB is an extremely convenient and reliable way to transfer data. However, as was recently highlighted by the Heathrow Airport USB leak, a single lost USB drive can have serious consequences for your organization. Fold GDPR into the mix and that thumb drive containing customer data, accidentally dropped in a parking lot or left in a taxi, can have extreme financial consequences.

How can secRMM Help?

Implementing a DLP solution such as secRMM can be a key piece of technology for addressing the GDPR requirements that impact USB and removable media. First, secRMM provides the ability to restrict the copying of specific files or folders to USB-mounted devices. This can be a mechanism to ensure that only specific data is permitted to be copied to removable storage. The second is encryption: using secRMM you can ensure that the only USB devices allowed to connect are corporate-approved encrypted thumb drives. Lastly, secRMM has extensive auditing capabilities. GDPR has stringent record keeping requirements; with secRMM you will have extremely detailed audit logs capturing which files were transferred to storage, the type of device they were transferred to, and which user and computer facilitated the transfer.

GDPR is coming quickly and will be enforced May, 2018.  Take the time now to ensure that USB and removable media are part of your data protection plan.

What to do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft System Center.

Or if you’re really impatient, jump right to downloading the trial.

Heathrow Lost USB Underscores Importance of DLP

This past week a USB stick was found on the ground in the Queen’s Park area of London, UK. It turns out the USB drive contained confidential details of the security practices for Heathrow Airport. The man who found the drive provided it to a British newspaper, The Sunday Mirror, which then provided it to the authorities. The drive contained 2.5 GB of data across 76 folders, many files being marked as “Confidential” or “Restricted”. The contents outlined sensitive details on tunnels linking the airport to the Heathrow Express line, as well as airport screening procedures for VIPs and Cabinet Ministers.

Risk (or challenge) Removable Media Poses

This example highlights the risk that removable media can pose to an organization. While there are a multitude of enterprise and cloud file sharing solutions in the market today, none is simpler than plugging removable media into a USB port. Ease of file sharing and transportation make removable media an often used tool inside many organizations. However, as the Heathrow example shows us, that tool can also be a risk to your organization. Sensitive data can be easily copied to USB devices. Once outside the control of your organization, the lifecycle of the data is no longer managed or under your control. Because removable devices (including smartphones) are small, they can be lost or stolen, exposing your organization to negative PR, legal issues and even lost revenue if they contained sensitive data.

How a DLP Solution can Help

DLP stands for Data Loss Prevention (or Data Leak Prevention, if you prefer). The purpose of a DLP solution is to prevent incidents such as the Heathrow lost USB. Outright disabling the USB ports on a computer is an extreme tactic for preventing data from being copied to unmanaged removable devices, and it can be a significant barrier to productivity. DLP solutions let you manage the data and the removable devices instead. Every business is unique in its DLP requirements. Some may require authenticated removable devices (such as managed smartphones), where only known and authenticated devices can be mounted and files transferred. Others may allow only encrypted USB sticks, while others still may block specific files from being written to removable storage while allowing others. Implementing a DLP solution can help provide your organization with the control necessary to prevent data from leaking outside the boundaries of your company.

What to do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft System Center.

Or if you’re really impatient, jump right to downloading the trial.

Tech Forecast: Cryptocurrencies Have DLP Implications

Cryptocurrencies such as Bitcoin and Ethereum are getting a lot of attention these days. Bitcoin, created in 2009, is arguably the largest and most well known cryptocurrency, with a market cap of over $99 billion. With explosive growth and popularity it’s no wonder that organizations are beginning to embrace cryptocurrencies, whether for payment transactions with customers and employees or as a more multi-purpose ledger leveraging bleeding-edge technology such as smart contracts.

While there is a lot of opportunity in a shift to digital currency, there are also the typical security pitfalls that come with new technologies. In this forecast we’ll take a closer look at the mechanics of storing cryptocurrencies and the downstream DLP implications.

Primer: What is a Cryptocurrency?

A cryptocurrency is a type of digital asset protected with cryptography and stored in a public, decentralized blockchain ledger. Any time people want to transfer money, a transaction describes the movement of a digital asset from one account to another, and these transactions are stored in a digital, publicly viewable ledger. Cryptography is used to secure the transactions and to ensure that only valid account holders can actually spend the currency.

Bitcoin and Ether are the two most well known examples of a cryptocurrency based on blockchain technology, though tens of new currencies are being created monthly. The underlying details of how a cryptocurrency works are deeper than we’ll go today, but there are great resources online for more information. Cryptocurrencies do, however, have implications when it comes to Data Leak Prevention, and that implication comes in the form of the wallet.

What is a Wallet?

A ‘cryptocurrency wallet’ is the place where you store your cryptocurrency. To be accurate, the actual currency is not stored in the wallet, but the cryptographic information about the currency you hold is. The wallet is a software program that stores the account identity information and the cryptographic private keys used to “spend” the cryptocurrency. Wallets can be local software on your phone or computer, or hosted by wallet providers.

Implications for DLP

Much like a physical wallet, if someone has access to your cryptocurrency wallet they could potentially steal all of your cash. Wallets can be protected by encrypting their contents with a passphrase; however, this assumes that users choose a strong password (which we know isn’t always the case).

Unlike a physical wallet, if your crypto-wallet is stolen you may have no idea until you attempt to use your money. This is where the DLP concern comes in. How can you detect if somebody tries to exfiltrate your wallet? There are obviously a lot of different ways that an attacker could steal your wallet, but we’re specifically concerned with somebody who has physical access to your machine.

For the geeks out there, here’s where you’ll find the Bitcoin wallet on Windows & Mac:

  • Windows: C:\Users\YourUserName\Appdata\Roaming\Bitcoin\wallet.dat
  • Mac: ~/Library/Application Support/Bitcoin/wallet.dat

Given the decentralized nature of cryptocurrencies, there is no company that will protect you from the liability of stolen currency. If the wallet is lost or stolen, that currency is gone forever.

Without proper monitoring and controls, if your crypto-wallet is leaked outside your organization on a USB drive, you may never be aware that the account is at risk and the funds could disappear at any time in the future.

As organizations look to embrace the use of cryptocurrencies, it is critical to protect crypto-wallets and to have appropriate monitoring and data leak prevention controls to ensure your corporate or employee funds are not at risk. Squadra’s secRMM can easily track wallet.dat files, reporting any occurrence of wallet.dat being copied or moved to removable media.

What to do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft System Center.

Or if you’re really impatient, jump right to downloading the trial.

Get Ready! NIST 800-171 Is Coming & Has Implications for Mobile DLP

Since December 2015 there has been a DFARS clause (225.204-7012) requiring contractors to institute the standards outlined in NIST Special Publication (SP) 800-171. There was an implementation window of two years, and that window runs out on December 31st, 2017, making compliance with SP 800-171 a full-stop requirement.

In case you’re just catching this now, SP 800-171 covers the protection of sensitive federal information, dubbed “Controlled Unclassified Information” or CUI, while that information resides on non-federal systems. NIST specifically states the purpose of 800-171 as the following:

“The protection of sensitive federal information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure.”

A High-Level Overview of the Key Requirements in NIST SP 800-171

If you’re coming at this new standard from the mobile device perspective, there are a few areas that we think are particularly relevant and interesting to understand, namely Access Control, Audit & Accountability and Media Protection. We’ll review the key sections for mobility below.

3.1.18 Control Connection of Mobile Devices

Mapping 3.1.18 to AC-19 in NIST SP 800-53 we can see that control includes the following for mobile devices:

  1. Establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices;
  2. Authorize the connection of mobile devices to organizational systems; and
  3. Protect and control mobile devices when outside of controlled areas.

Our Interpretation

Ensure you understand which devices are approved and which aren’t, and don’t allow unapproved devices to mount their filesystems.

Highlight: secRMM has the ability to unmount non-whitelisted devices from the operating system, allowing users to charge but not transfer. See it LIVE here.

3.1.21 Limit Use of Organizational Portable Storage Devices on External Information Systems

Mapping 3.1.21 to AC-20(2) in NIST SP 800-53 we can see that “use of external information systems” includes the following for devices:

  1. Access the system from external systems; and
  2. Process, store, or transmit organization-controlled information using external systems

Our Interpretation

Ensure you limit or remove the use of portable storage devices, but if they are used ensure you appropriately track Controlled Unclassified Information being transferred to the devices.

Highlight: secRMM can limit the use of portable storage devices using whitelisting policy rules such as AllowedSerialNumbers, AllowedInternalIds, AllowedUsers, AllowedPrograms. See it LIVE here.

3.3.1 Create, Protect and Retain System Audit Records to the Extent Needed to Enable the Monitoring, Analysis, Investigation, and Reporting of Unlawful, Unauthorized or Inappropriate System Activity

This is a fairly broad requirement that maps to many of the NIST 800-53 audit security controls (AU-2,3,6 and 12). We’ll reference the one we think is most important, AU-3, which states that audit records must include “what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.”

Our Interpretation

Ensure you have audit records that track any device connections or transfers of Controlled Unclassified Information, including the full range of audit details needed to track the four Ws (who, what, where, when).

Highlight: All required data is collected by secRMM, and audit event data is stored in Windows “event log files”, easily allowing both centralized log storage and historical archival.

3.8.7 Control the use of removable media on information system components

Mapping 3.8.7 to MP-7 in NIST SP 800-53 we can see that “control the use of removable media” includes the following:

  1. Prohibit the use of organization-defined media on organization-defined components using organization-defined safeguards; and
  2. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner

Our Interpretation

Ensure you define safeguards around which devices can connect to which systems, and that devices with no identifiable owner cannot be used.

Highlight: A large range of removable media devices can be whitelist controlled via secRMM, including USB/thumb drives (encrypted and non-encrypted), mobile devices (Apple, Android, Windows, BlackBerry), external hard drives, CD/DVD/BluRay and SD cards.

3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner

To hammer home the point, SP 800-171 also maps a separate 3.8.8 to subsection MP-7(1) in SP 800-53, specifically calling out the restriction on devices which have no identifiable owner. They go on to say:

  • Requiring identifiable owners for portable storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

Our Interpretation

Ensure you block devices where an owner cannot be associated with connection or data transfer events.

Highlight: There are two key mechanisms in secRMM which can map identifiable owners to devices and can force users to authenticate from mobile devices in order to connect. See AD Integration LIVE here.

3.8.9 Protect the confidentiality of backup CUI at storage locations.

Mapping 3.8.9 to CP-9 in NIST SP 800-53 we can see that “protecting the confidentiality” includes the following:

  1. Conduct backups of user-level information contained in the system;
  2. Conduct backups of system-level information contained in the system;
  3. Conduct backups of system documentation including security-related documentation; and
  4. Protect the confidentiality, integrity, and availability of backup information at storage locations.

Our Interpretation

Ensure that all security and audit information related to mobile devices or portable storage devices is redundantly backed up, stored securely, and the integrity of the backups is assured.

Highlight: All secRMM event data is contained in standalone Windows Event Log backup (.evtx) files. These files are easily compressible using COTS compression software, which can password-protect and encrypt them when necessary.

Conclusion

By December 31 of this year you must be compliant with NIST 800-171. There are implications for mobility and portable media, and we hope that the outline above simplifies the key requirements that you need to keep in mind.

Our secRMM product is a COTS product specifically designed for governments to meet the kind of stringent criteria that NIST publications require.

WHAT TO DO NEXT?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft System Center.

Or if you’re really impatient, jump right to downloading the trial.

Mobile apps not in an app store, how can I use it?

July 01, 2017 Update: See how System Center Configuration Manager (SCCM) can handle mobile device “side-loading” in this YouTube video.

June 13, 2017 – secRMM has added a new utility called SafeSync. SafeSync lets you install mobile device apps and of course securely copy files to the mobile device.

Sometimes it makes sense to install a mobile app without going through the trouble of getting it published in the “app stores”. App stores are big databases accessible over the internet that let users select apps to install onto their mobile device. Anyone can access the app stores as long as the mobile device has an internet connection (using the device’s Wi-Fi and a hotspot, or the cellular service provider’s network). Apple, Google and Microsoft have the biggest app stores. These software vendors offer apps for their own mobile device hardware and/or operating system. When you want an app to go into one of the app stores, you have to go through a process defined by the vendor before it can be published.

There are scenarios where an organization does not want to put its apps into the app stores, mainly because it does not want just anyone to be able to use them. As an example, suppose the military were to develop some apps that helped them with field combat. Clearly, they would not want just anyone to be able to download their app from an app store. Another example is a company that writes apps for its workers to use. Perhaps the app has company-sensitive information that needs to be protected from competitors.

For scenarios where you want to distribute a mobile app but do not want it in the app stores, a common and acceptable practice is to install the app from another computer (commonly a Windows computer). The Windows computer and the mobile device cooperatively perform the install over a USB cable connection between them. The computer industry uses the slang term “side-loading” to describe this process. The app (which is just a binary with a special extension) can reside on the Windows computer’s local hard drive or even on a network share (so many users can access it).

The secRMM SafeSync utility makes it easy to manage the side-loading process by providing a list of available apps which you can choose to install, uninstall or re-install.

In addition, the mobile app install or uninstall events get recorded so that security administrators can be aware of the activity. Because of secRMM’s integration with System Center (and other backend monitoring systems), this event information can be included in the organization’s security monitoring process.

SafeSync can also generate a script so that the install/uninstall/reinstall pattern can be repeated for many devices. SafeSync also exposes the mobile device properties, which are important to understand and control before a device is deployed into the field. Lastly, SafeSync can copy files to the mobile device. These files might be data files that are used by the mobile apps. This allows a device to be completely prepared before it gets deployed into the field.

In summary, secRMM continues to help IT organizations and security professionals manage the events around removable storage and especially mobile technology.

Please feel free to contact Squadra Technologies to help with your security needs around removable storage and/or mobile device technology.  There is also a YouTube video about SafeSync at https://www.youtube.com/watch?v=Z2_ODEnr2XM.

WME. A great partner!

December 15, 2016 – Being in the Microsoft System Center space is very exciting. You get to work on leading edge software that helps your business operate and be successful. System Center provides so many functions and features that sometimes getting a handle on all the bells and whistles it provides can be a little intimidating. This is when you wish there were experts you could lean on to help you understand, or even help you accomplish, your System Center goals. If you don’t know of any System Center experts, please check out one of Squadra Technologies’ technology partners, named “Windows Management Experts” or WME for short. Let me just tell you, these guys know System Center and they are cool guys. For example, we just released an SCCM/Intune report for secRMM. I was trying to understand the SCCM database schema to figure out how to pull the data for the report. I shot an email over to my buddies at WME and within a day, they emailed me back an SQL query (quite a complex one, I might add) that enabled me to finish the report within a couple of hours! So awesome!

So, if you are looking for System Center help, please consider WME.
Thanks for reading.