Monday, July 26, 2021

Microsoft Windows Core Memory Integrity

Memory integrity, shown under "Core isolation" in Windows 10 and also known as Hypervisor-protected Code Integrity (HVCI), uses hardware virtualization to move the kernel's code-integrity checks into a separate, hypervisor-protected environment, so memory used by Windows system processes cannot be made executable unless it holds properly signed code. That closes off a common way for malware to inject code into the kernel. It is generally a good security feature to enable, though it will refuse to load older, non-compliant device drivers. Some vendors ship machines with it turned off, so you will need to check this yourself.

Read about Microsoft's Core Isolation.

A recently purchased MS Windows 10 chromebook from Dell had this option turned off, so Memory integrity should be checked even on factory-delivered machines. The Dell chromebook was running the Windows version known as "Windows 10 Home in S mode".

For any Windows 10 machine, first check that hardware virtualization is available to Windows by looking in Task Manager. Press the Start button, type: task manager
and choose the Task Manager app.

In Task Manager, click the Performance tab, then CPU. Look in the lower right for Virtualization; it should read Enabled. In the following picture of Task Manager, hardware virtualization is enabled. Alternatively, open a command prompt, run systeminfo, and look at the Hyper-V Requirements lines at the end of the output (if a hypervisor is already running, systeminfo instead reports that one has been detected, which also means virtualization is on).

If Virtualization is not enabled, reboot the machine and press the key for firmware (BIOS/UEFI) setup (often a function key or the DEL key). In the setup utility, look for virtualization, "VT", "VT-x", "AMD-V" or "SVM" and turn it on; if the setup also offers VT-d, AMD-Vi or an IOMMU option, turn that on too, since the other Core isolation protections use it. Save the settings and restart the machine. Here are a couple of different BIOS pictures:

After rebooting and starting Windows, go to the Settings app (press the Start button, press the gear icon). In the Settings app, type: security
Press the Open Windows Security button. In the Windows Security app, on the left hand list, press Device Security, then select Core Isolation Details. 


If you do not see Memory integrity listed at all, Windows still cannot see hardware virtualization: restart the computer, enter the firmware settings again and look for the virtualization options.

If Memory integrity is already turned on, your machine is configured to use core memory integrity and you are done.

If Memory Integrity is off, try to turn it on. In some cases it will turn on. In other cases it will want a reboot. In more challenging cases it will find incompatible drivers, and you can decide how to correct each driver.


It may take a restart to fully set to on. If it finds incompatible drivers, press the Review link.
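The steps above read the virtualization and Memory integrity state off two GUI screens. The same facts are available from the command line, which is handier when checking a batch of newly delivered machines. The following is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell prompt on Windows 10 and uses the Win32_Processor, Win32_ComputerSystem and Win32_DeviceGuard CIM classes plus the registry value that the Memory integrity toggle writes (the variable names are mine).

```powershell
# Added example (not from the original post): report hardware virtualization
# and memory integrity (HVCI) state from an elevated PowerShell prompt.

# 1. Hardware virtualization as seen by Windows. Once a hypervisor is running,
#    Win32_Processor can report False because VT-x/AMD-V is then owned by the
#    hypervisor, so HypervisorPresent is checked as well.
$cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$sys  = Get-CimInstance -ClassName Win32_ComputerSystem
$virt = [bool]($cpu.VirtualizationFirmwareEnabled -or $sys.HypervisorPresent)
"Virtualization available : $virt"

# 2. Virtualization-based security status from the Device Guard provider.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"VBS status               : $($dg.VirtualizationBasedSecurityStatus)"
"Services running         : $($dg.SecurityServicesRunning -join ', ')"
"Services configured      : $($dg.SecurityServicesConfigured -join ', ')"

# 3. The registry value behind the Memory integrity toggle (documented by
#    Microsoft; 1 = on, 0 or absent = off). It takes effect after a reboot.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$setting = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"Registry Enabled value   : $(if ($null -eq $setting) { 'absent' } else { $setting })"

# 4. Verdict, in the order the post's walkthrough checks things.
if ($dg.SecurityServicesRunning -contains 2) {
    'Memory integrity (HVCI) is running.'
}
elseif (-not $virt) {
    'Hardware virtualization is off: enable VT-x / AMD-V (and the IOMMU, if offered) in firmware setup and reboot.'
}
elseif ($setting -eq 1) {
    'Memory integrity is configured but not running yet: reboot, then re-check Windows Security for incompatible drivers.'
}
else {
    'Memory integrity is off. Turn it on in Windows Security > Device security > Core isolation details,'
    'or, once that page reports no incompatible drivers, set the value as Administrator and reboot:'
    "  New-Item -Path '$hvciKey' -Force | Out-Null"
    "  New-ItemProperty -Path '$hvciKey' -Name Enabled -PropertyType DWord -Value 1 -Force"
}
```

SecurityServicesRunning containing 2 is the authoritative answer; the registry value only records what was requested. Setting the value by hand skips the incompatible-driver review that the Windows Security page performs, and once HVCI is on Windows refuses to load non-compliant drivers, so on unfamiliar hardware use the GUI route first and only script the registry change after it reports no incompatible drivers.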


Some incompatible drivers must be completely removed. In one case, I encountered an incompatible Realtek sound driver that I removed, rebooted, turned on Memory Integrity, and then was able to reinstall the same sound driver while successfully keeping Memory Integrity turned on.



In this example, the Realtek sound driver and the ViMicro web cam drivers are incompatible. To remove these drivers, look in Device Manager and uninstall them, ticking "Delete the driver software for this device" so the package also leaves the driver store. In this case, the old ViMicro driver "oem3.inf" could not be removed through Device Manager, though it could be removed from the command line with pnputil /delete-driver oem3.inf.

If a driver will not uninstall, you can also remove or rename its .sys file by hand in the folder C:\Windows\System32\drivers. Treat this as a last resort: removing or renaming a boot-critical driver file can leave Windows unable to start, and as long as the package is still in the driver store (C:\Windows\System32\DriverStore\FileRepository) Plug and Play may simply reinstall it, so prefer pnputil /delete-driver, which removes the package itself.
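Finding which oemN.inf package belongs to a vendor named on the "Review incompatible drivers" page, and then removing it, is the part of the procedure above that is easiest to get wrong by hand. The following is an added example, not code from the original post; it assumes an elevated PowerShell prompt on Windows 10 (Get-WindowsDriver comes with the built-in DISM module), and the default search term 'Realtek' and the script's parameter names are assumptions of mine, not from the post.

```powershell
# Added example (not from the original post): list, and only with -Remove
# delete, third-party driver packages whose provider name, original INF name
# or published name (oemN.inf) matches the search term.
param(
    [string]$Pattern = 'Realtek',   # assumed default; use what Windows Security showed
    [switch]$Remove
)

# Get-WindowsDriver reads the driver store directly, so it lists a package even
# when Device Manager refuses to uninstall it. Inbox = shipped by Microsoft.
$found = Get-WindowsDriver -Online | Where-Object {
    -not $_.Inbox -and (
        $_.ProviderName     -like "*$Pattern*" -or
        $_.OriginalFileName -like "*$Pattern*" -or
        $_.Driver           -eq   $Pattern          # published name, e.g. oem3.inf
    )
}

if (-not $found) { Write-Warning "No third-party driver package matches '$Pattern'"; return }

$found | Format-Table Driver, ProviderName, ClassName, Version,
    @{ Name = 'Original'; Expression = { Split-Path $_.OriginalFileName -Leaf } }

if (-not $Remove) { 'Listing only; re-run with -Remove to delete the packages above.'; return }

foreach ($d in $found) {
    # /uninstall detaches the package from any device still using it,
    # /force overrides "driver package is in use" refusals.
    pnputil /delete-driver $d.Driver /uninstall /force | Out-Null
    switch ($LASTEXITCODE) {
        0       { "Removed $($d.Driver) ($($d.ProviderName))" }
        3010    { "Removed $($d.Driver); reboot required before turning memory integrity on" }
        default { Write-Warning "pnputil failed for $($d.Driver): exit code $LASTEXITCODE" }
    }
}
```

Save it as, for example, Remove-DriverPackage.ps1, run it once with -Pattern oem3.inf (or the vendor name) to see exactly what matches, and only then add -Remove. Reinstalling the vendor's current package afterwards, as the post describes for the Realtek driver, keeps memory integrity on as long as the new version is HVCI-compliant.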

When done resolving incompatible drivers, the Memory Integrity setting in Windows Security Center should look like this.


When finished, you may want to create a restore point. Press the Start button and type: restore point
Configure and Create the new restore point. 

You should now check for corrupt Windows files. This runs DISM and the System File Checker, which use the Windows Modules Installer (TrustedInstaller) to verify and repair the Windows installation; the July 2 post below, Fix Corrupt Microsoft Windows Files, walks through it.


Monday, July 19, 2021

Ubuntu logon info and message of the day (motd)

This post shows how to add your public-facing IP address to the message printed at login.

Upon an interactive logon, Ubuntu prints some brief machine information. This includes a header, sysinfo from /usr/bin/landscape-sysinfo and a summary of available patches.

You may add your own output by placing an executable script in /etc/update-motd.d. The scripts in that directory are run by run-parts in lexical order, so the numeric prefix decides where your output appears (the sysinfo block comes from 50-landscape-sysinfo), and run-parts only runs files whose names consist of letters, digits, underscores and hyphens, so do not give the script a .sh suffix.

On external-facing machines, I often create a script which prints the external IP address following the networking info of the landscape-sysinfo script. Keep in mind that these scripts run as root at every interactive login, before the user gets a shell: a service that hangs delays every login, and whatever the service returns ends up in the user's terminal, so bound the request with a timeout and never use the response as a printf format string.

Create file /etc/update-motd.d/61-external-ip owned by root (it must not be writable by other users, since it runs as root)
and give it execute permission:
sudo chmod 755 /etc/update-motd.d/61-external-ip


Place the following in this new file (the two IP-echo service URLs are not shown here; use two independent services):

#!/bin/sh
# Runs as root at every interactive login (pam_motd via run-parts), so it
# must never hang and must not trust what the remote services return.
# Set these to two independent "what is my IP" services; the URLs were
# not preserved when this page was captured.
IP_SERVICE_ONE=""
IP_SERVICE_TWO=""

# -4 IPv4 only, --max-time bounds the wait; tr keeps only digits and dots so a
# hostile or broken service cannot inject escape sequences into the terminal
ONE=$(/usr/bin/curl -s -4 --max-time 5 "$IP_SERVICE_ONE" | tr -cd '0-9.')
TWO=$(/usr/bin/curl -s -4 --max-time 5 "$IP_SERVICE_TWO" | tr -cd '0-9.')

if [ -n "$ONE" ] && [ "$ONE" = "$TWO" ]; then
    printf "  External IPv4: %s\n" "$ONE"
elif [ -n "$ONE" ] && [ -n "$TWO" ]; then
    printf "  External IPv4 may be: %s or %s\n" "$ONE" "$TWO"
elif [ -n "$ONE$TWO" ]; then
    printf "  External IPv4 (one service answered): %s\n" "$ONE$TWO"
else
    printf "  External IPv4: (unavailable)\n"
fi

Save the file, then logon to the machine and look at the interactive logon messages. Some of the output will look like:

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

  System information as of Mon 19 Jul 2021 01:30:42 PM MDT

  System load:              0.58
  Usage of /:               5.4% of 1.79TB
  Memory usage:             15%
  Swap usage:               0%
  Temperature:              44.0 C
  Processes:                173
  Users logged in:          1
  IPv4 address for enp0s25:
  External IPv4: 123.456.7.89

Friday, July 02, 2021

Fix Corrupt Microsoft Windows Files

Anyone who suspects they have corrupt Microsoft Windows system files (possibly from virus or malware) may try the built-in tools before re-installing the operating system. If you suspect Microsoft Windows Update is not running correctly, you may also try to repair it.

This Microsoft document describes the System File Checker (SFC) tool together with DISM. The following examples are for Microsoft Windows 10.

Open a command prompt with elevated privileges:
  • Press Start button
  • Type: cmd
  • Right-click on "Command Prompt" and choose "Run as administrator"

Repair the component store first, because sfc takes its replacement files from it. In the command prompt window, type:

  • DISM.exe /Online /Cleanup-image /Restorehealth


It will look like:

C:\WINDOWS\system32>DISM.exe /Online /Cleanup-image /Restorehealth

Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Image Version: 10.0.19042.985

The restore operation completed successfully.
The operation completed successfully.

When the DISM command has finished, run the System File Checker. It may take a while.

  • sfc /scannow


If problems are found, it will look like:

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

Note the location of the log, which you may review. sfc tags its own entries with [SR], and entries containing "Cannot repair member file" are the ones it could not fix.
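CBS.log is shared by every servicing operation and can run to hundreds of megabytes, so reading it by eye after a scan is not practical. The following is an added example, not code from the Microsoft document or the original post; it assumes an elevated PowerShell prompt on Windows 10, runs the two steps above in order, and then pulls out only the [SR] entries that this scan wrote. Variable names are mine.

```powershell
# Added example (not from the original post): DISM, then SFC, then report the
# System File Checker's own [SR] log entries for this run from CBS.log.
$cbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'

# Remember how long the log already is, so old scans are not reported.
$before = if (Test-Path $cbsLog) { (Get-Content $cbsLog -ReadCount 0).Count } else { 0 }

# Step 1: make the component store healthy; sfc uses it as its repair source.
DISM.exe /Online /Cleanup-Image /RestoreHealth
if ($LASTEXITCODE -ne 0) {
    Write-Warning "DISM exited with $LASTEXITCODE; see $(Join-Path $env:windir 'Logs\DISM\dism.log')"
    return
}

# Step 2: verify and repair protected system files.
sfc.exe /scannow
"sfc exited with $LASTEXITCODE"

# Step 3: keep only [SR] lines appended by this run, minus progress noise.
$entries = Select-String -Path $cbsLog -Pattern '\[SR\]' |
    Where-Object { $_.LineNumber -gt $before -and $_.Line -notmatch 'Verifying \d+ components' } |
    ForEach-Object { $_.Line }

$unrepaired = @($entries | Where-Object { $_ -match 'Cannot repair' })
"SFC wrote $(@($entries).Count) [SR] entries for this run; $($unrepaired.Count) could not be repaired."

# Show just the file names it gave up on, once each.
$unrepaired | ForEach-Object { ($_ -split '\[SR\]', 2)[1].Trim() } | Select-Object -Unique
```

This does in one place what Microsoft's documented command findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log does for the whole log. An empty "could not be repaired" list with a non-zero entry count means sfc checked and fixed what it found; files it reports as unrepairable are the ones to replace from a known-good copy or by an in-place upgrade.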

Next, you may want to check that Microsoft Windows Update is running.

Run the troubleshooter which may be found in the old Control Panel.

  • Press Start button and type: control panel
  • Click on the Control Panel app to run it.
  • In the Control Panel app, top right search box, type: update

  • Click on Troubleshooting

  • Press Next to run the troubleshooter and then follow the prompts.

Sunday, June 20, 2021

GSM data security in GPRS 2G

Mobile carriers have been phasing out older mobile technologies and frequencies, so 2G GPRS service is becoming less common. One form of attack is to deliberately force a phone to downgrade to the older 2G service, which has known weaknesses. The June 2021 paper Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2 shows that GEA-1, despite its 64-bit key, provides only about 40 bits of effective security. The authors argue that the internal structure responsible for this is extremely unlikely to have arisen by chance, that is, that the algorithm was deliberately weakened.

Unless 2G is the only coverage available where you are, there is no practical reason to allow a modern phone to use 2G service, so users should disable it. Android 12 and later offer an "Allow 2G" switch in the mobile network settings on devices whose radio supports it; on other devices, look in the network settings for a preferred network type that excludes 2G.

This leads to the obvious question of what vulnerabilities may exist in the newer 4G and 5G standards. Many people are beginning to use apps such as Signal, which applies its own end-to-end encryption on top of whatever transport is in use (4G, 5G or wifi), so a weak or downgraded link exposes only metadata rather than the content.

While you are in Android settings, you may want to review the Google setting that allows silent installation of movement-tracking applications. It is not clear whether setting "COVID-19 Exposure Notifications" to off prevents the silent install of the tracking apps, or whether it allows the download but does not make the app visible to the user. Completely disabling such installs will likely require stopping Google Play Services.

Thursday, February 11, 2021

MS Windows 10 Border Width

Microsoft made super-skinny window borders on Windows 10. While there have been a couple of years for this design mistake to be corrected, it appears this will not change in the pending release of Windows 11.
It is well past a reasonable amount of time for Microsoft to fix the super-skinny window borders.

The skinny window borders make it challenging to place and align windows. It also makes it challenging for older or disabled persons to grab the side of the window.

The straight-forward method to have fat window borders is to turn on the high visibility theme. This will produce drastic visual changes, make websites look different than what you may expect, and remove backgrounds such as desktop color or picture. You may want to try this change and then decide if fat window borders are worth the other visual changes in the theme.

Standard MS Windows 10 borders look like this.



Press the Start button and type: themes

Choose the app for "Themes and related settings".

In the Settings window, scroll down and click on "High contrast settings".



Turn on the high contrast slider, then choose theme "High Contrast White" in the drop down list box.



While visually jarring at first, the High Contrast White theme does increase the window border width.