Channel: Microsoft Security Development Lifecycle (SDL) forum
Viewing all 407 articles

Creating .tm7 files for Microsoft Threat Modeling Tool with an external tool



I have a GraphML context diagram of a system on which I want to do threat modeling.

I would like to be able to translate the GraphML model into a tm7 model.

I understand that the tm7 model is an XML file which includes some IDs that make it hard to read or edit manually.

I would like to create a tool that does this translation.

Is there any documentation on how the tm7 file is created, so that we can create a translation tool?


My hotmail account is hacked! All my contacts are deleted!


Believing that "people in ONE DRIVE" would keep my account safe, I kept my contacts in OneDrive, not in my phone memory. As my account was hacked today, not only was it quite embarrassing that my contacts received terrible messages, I also lost them. I changed the password and let Outlook know that my a/c had been used by someone else, but I still cannot receive e-mails.

Question 1: Should I completely stop using this a/c?

Question 2: If the answer is no, how will I get my contacts back?

Thanks,

Question about modeling threads in Threat Modeling Tool 2016


How do I correctly model in Threat Modeling Tool a native application (A) (which is some kind of server) running on a Windows machine? I also have a client (native application) which is trying to connect and exchange data with A using some clear-text protocol.



MS Security development lifecycle Pros/Cons


What are the advantages/disadvantages of implementing the MS SDL compared with other maturity models available, like SAMM and BSIMM2?

Thanks in advance.


Attack Surface Analyzer : GUI ?


Hi,

I'm trying to use Attack Surface Analyzer.

So, on a virtual machine (W7 Pro, .NET 4.0 installed), I installed Attack_Surface_Analyzer_x64.msi.

asa.exe and some other files are in the c:\program files\Attack Surface Analyzer folder.

No shortcut.

If I run asa.exe on the command line, .cab files are created in a user folder, and the data seems OK.

But there is no way to get the GUI to run an analysis comparing 2 .cab files!

asa.exe /? gives nothing.

I've read the readme file and searched, but found nothing at all...

Any idea?

Best Regards Thomas

Threat Modeling 2016 unhandled exception crash.


The threat modeling tool has experienced an unhandled exception situation. I've uninstalled, cleaned up the registry, reinstalled and rebooted countless times.

How can it be fixed? How do you get support for this? It is a good app; shame the support is lame.


Attack Surface Analyzer Crashing


Hi,

I am attempting to run Microsoft Attack Surface Analyzer on Server 2016. However, it is consistently crashing. Can you help, please?

Best Regards,

Jon B.

BinScope 2014 not accepting target path in command line.


I entered the following in an administrator command prompt:

C:\Program Files\Microsoft BinScope 2014>binscope.exe /target "\Release"
Microsoft BinScope 2014
BinScope: The path "\Release" did not exist or was a directory. BinScope accepts only paths to existing files.

BinScope is newly installed. The folder does exist on the C: drive and there are multiple exe files in the folder. I first tried this specifying a folder on my D: drive but got the same error. I also tried /target "C:\Release" and got the same error. This is on a Windows 7 64-bit desktop.

I was using the previous version of BinScope (1.2, I think) and had no problems using the GUI to scan my binaries. This is my first attempt at using the new BinScope 2014 version.



When the Security Update in 15002 be pushed to Current Branch?


Hello

I am using mosh on WSL but I have a network issue (see here: 1, 2, 3). This issue was fixed in 15002; I want to know when it will be fixed on Current Branch (14393)?

thanks

1 https://github.com/mobile-shell/mosh/issues/781

2 https://github.com/Microsoft/BashOnWindows/issues/1140

3 https://github.com/Microsoft/BashOnWindows/issues/170#issuecomment-251247840

15002 https://msdn.microsoft.com/en-us/commandline/wsl/release_notes?f=255&MSPPError=-2147217396#build-15002

You do not have permission to access this folder, access not allowed, can't save file, etc.


I'm so frustrated with all the restrictions I have on my own computers. Is there any way to get around them? It's my computer, so why can't I do anything I want on my own computer?

I'm currently traveling and created an offline share on my home development machine and have synced it on my laptop. So, here I am 1000 miles from home and I've got to fix a bug in some of my code. But when I try to save my changes to the shared folder, I get a message saying "File Not Saved" with no other explanation (this particular file was an Excel document). Then when I went to the offline shared folder on my laptop and simply tried to create a new txt document, I got the following message:

     "File Access Denied

     You need permission to perform this action.

     You require permission from the computer's administrator to make changes to this file."

Why do I need permission to create a file on my own computer? Also, I am the administrator and as far as I can tell I've given full access to everyone. I'm even logged on with the same Windows account that I log on with on my home computer.

Is there some way I can configure all my computers so I never have this problem again? I thought that if I had administrator access, I could do anything I want. That's what I want. I'm the only one who ever uses any of my computers. Plus I have hardly anything on my computers that I'm worried about someone damaging. I have a separate personal computer for all that.

So, in summary, I want to do anything I want with any of my dev computers without having to jump through all these hoops every time I want to perform a simple function. Can someone tell me the steps to configure my computers that way?

Thank you!!

FYI: new multi-OS/CPU-aware "virus" broke through a running VirtualBox, destroying host and guest. Obviously for a reason; new methods used.


FYI (all)


Dear sir (RMS @ GNU),

My apologies. That e-mail concerned the (secret) embedding of personal information during the make process of certain GNU software, but there's a new development and I'm extremely mad: I have been looking for ways to de-obscurify certain (GNU) Make processes. During my search I found a certain GitHub repo that provided a way to do that. It was not "AO" but another... In reality it was a virus and/or a magic trigger that broke and destroyed all my systems in a matter of 2 hours or so.

It's a special case; the methods used are not mentioned anywhere on the internet. This one is multi-OS aware and broke through a running VirtualBox installation (I suppose via I/O hook exploits yet unknown). Both host and guest get destroyed, independent of OS!

From what I have seen:
- the maker has somehow trojaned the Freedesktop.org desktop-daemon input dbus helper software to gain and maintain root via init. Virtually every Debian-based system is thereby vulnerable.
- the maker has found a new way (unknown to every antivirus software) to gain admin access to Windows systems via low-level IO and/or abused "signed drivers", and mmaps itself there to propagate.
- the virus broke through running VirtualBox installations (latest installation, new installations, old VDIs) and they all got destroyed, first the guest and hours or days later both host and guest installations... also new ones.
- the virus injects itself on every network interface / download, and propagates on installation (triggered) within the VirtualBox installation. This happens on the host too, but hours later.
- it eventually kills every document on every OS by spawning hundreds of processes to kill documents (overwrite, move, symlink).

The strange thing about this is that GNU sources/software like the source code for GLIBC and GCC were left alone! Because of that and the mention of GNU on that repo, I contacted GNU. On my Windows system there was even a special message: "Thanks to Freedesktop and embedded Ruby".

The virus was obviously not meant for worldwide propagation but to target a certain audience (I suppose people like me); it's been engineered beyond belief and I triggered it somehow. In order to clean my system I tried an ISO/USB boot from AVG (Linux based). I booted from that USB and it got infected upon scanning... amazing!

Anyhow.. sorry to have bothered you.

Regards,


To Microsoft: Windows is trojaned via VirtualBox USB I/O and/or other low-level I/O trickery. Obviously new methods are used, hard to reproduce, and I can only mention a few details: VirtualBox breakage like this is not yet mentioned anywhere and no admin privileges are needed to reproduce it. This "virus" has no signature known to ClamAV/Kaspersky/MSSC/AVG/McAfee. New exploits are obviously used, unknown and/or used in a similar manner. Microsoft should investigate this on their own.

To the FreeDesktop DBUS daemon: it has been abused (and this darn thing is used in many Debian-based INIT scripts etc.) in order to gain and maintain root (or worse). There was a note left on my system, "thanks to freedesktop and embedded...": every Linux instance, new or old (2.6 to 3.2xxx), was infected immediately. FreeDesktop: I *** your ** because similar trickery has been mentioned since 2009.

To certain people at Debian: thanks for not taking me seriously or even understanding what you are doing. Clueless.

To Oracle: every HOST that mounts an infected VDI gets infected immediately upon boot. Or the other way around: upon scanning the filesystem. The scanning OS itself gets trojaned (reproduced via multiple USB installations/GParted ISO, AVG ISO) and gets destroyed. Even within VirtualBox... the ISO grows to hundreds of gigs. Virtually. I suppose it's hooked via USB transport to gain access over keyboard and mouse. In fact it doesn't matter what OS is used; the killing process is "universal" because it happens within the hooked kernel space.

To reproduce: I cannot give many details and it's hard to trace back or reconstruct the order of events, but I wanted to look for a way to de-obscurify a certain gnu-make process (in particular a piece of GNU software (for ..keys) which I suspected of embedding privacy information about the user; this software is used on virtually every OS and in many software packages as a building block). And I certainly found one. I guess some magic 0xUL that passed my system, or an action I did, triggered this OS-independent chain reaction or "OS killer" process. I should have suspected this.. well. Even GitHub trickery was (ab)used; ~/.git / git processes are used for some reason, because every new download got the "make" process treatment instantly. Tricks to use parts of SHA-1 signatures (actually the gitter's identification). Some people are aware of these methods and are abusing this system, not to "watermark" but to pull off this kind of work?

The result: all my virtual Linux/FreeBSD VDI/VMDK installations were completely destroyed within a matter of minutes, and later the host (Windows 7, regular update cycle, well maintained and secured) too. It was hard to trace back and/or try forensics because the host got infected too; obviously there was no way to sandbox it (maybe I'm not clever enough). Mounting from another OS kills that OS too. Amazing. The reason I wanted to trace back or mount a certain partition was that it contained my work on my research. I had backups (even incremental) of some instances and they all got destroyed too (unaware of the system hooks that were lurking for the magic).

Reproducible? Yes. But hard to pull off, and therefore I suppose this "virus" is not meant to propagate worldwide but is targeted at a certain audience. The maker(s) has/have deep, profound knowledge of Windows internals, VirtualBox exploits, Linux exploits, methods not seen by any anti-virus software I have running. It means there's a whole bunch of multi-OS exploits and application exploits, not used or mentioned anywhere, bundled in a well-prepared trap for anyone who gets the magic. I still have the infected VDIs. I cannot tell if they are completely destroyed because I dare not mount them in ANY way (I tried virtually every way possible!). Forensics could do some work on the raw material.

Here's a brief list of software that must already have been trojaned to kill the running OSes (on host/guest) of a target:
- "nonfree" linux-firmware. Certain IO/dev (dbus?) userspace layers (Linux)
- Linux or Windows VirtualBox guest addition(s): CERTAIN Debian updates (* trigger the killing process). Especially the re-make of IO kernel mods caused a chain reaction in one case. The maker(s) did some magic there, because one should assume that KERNEL code is well maintained (like Theo d.R. does :-) )
- (GNU) remake processes of kernel mods (RT/Pre-empt) -> guest additions. I could only reproduce this a few times because my host got killed.
- GitHub trickery...
- techniques: callbacks via IO hooks on both HID and available network devices; it injects itself via sockets (because every download was infected)
- I suppose no known shellcode was used, or it was not recognised. *Every* virus scanner that I had running got killed and infected upon scan, both *Windows and Linux based: ClamAV and AVG*, MSSC, McAfee, Kaspersky etc. Even a simple mount gets a host killed. Amazing.

And all of this must have been "packaged" for a special occasion? It's profoundly layered, multi-disciplined and networked (I guess there are more related triggers to this network) and this OS killer must have been ready or "waiting" for months; none of the exploits I've witnessed are mentioned on the internet or have been used on separate occasions (except for the dbus trickery: there have been rumors but no real actions by Ubuntu or Debian etc.). All these multi-CPU/OS/software exploits (meaning transports) and events that happened on my systems, both metal and virtual, are not mentioned anywhere or used separately on other occasions, or else someone would have mentioned it? Even the slightest kernel breakage or trojaned kernel in this respect should have gained prestige for certain white/black hat hackers. This is beyond belief. The guest/host breakage is amazing, multi-OS, and the killer does its work profoundly.

- so Oracle can deal with this VirtualBox breakage from host to guest and vice versa
- Linus gets his multi-OS IO / kernel-space breakage; it kills off every mount or gets triggered by even mmapping.
- Microsoft: no idea... no blame; this should have been recognised within the security framework, but there's obviously no signature known yet.

I don't know if I should call this a virus. It uses virus-like techniques, but on so many levels happening at once. I don't think Oracle or Microsoft or Linux/FreeBSD/Solaris is targeted. It looks like a well-contained trap (only propagating on the host/guest; even SOCKS is targeted only at localhost); the killing process is very persistent, and for a reason. If this were used in a network-propagating carrier virus it should raise a major worldwide alert. I think this unknown network of suddenly revealed exploits is a means to immediately shut down/completely kill the running system(s) of a certain audience (like me). It's like a network and eventually a kill switch, a "destroyer", which I happened to trigger while I was investigating some things concerning privacy issues (in fact building blocks for the signing of public keys). This message should raise some questions.

And about that GitHub repo: it's not AO.

That's all folks.



Threat Model Tool 2016 - Crashes and lost Threat List view


When using the modeling tool and switching between design and analysis view, I lost the Threat List and the app crashed.

I can get all the windows back EXCEPT the Threat List. I uninstalled and reinstalled, and verified that the registry and program files were cleaned up. Now I'm at the point where this tool is useless on this system.

System.NullReferenceException: Object reference not set to an instance of an object.
   at ThreatModeling.DashboardControl.ChangeEventHandler(Object sender, SubscribableEventArgs args)
   at ThreatModeling.Model.SubscribableEventDelegate.Invoke(Object sender, SubscribableEventArgs args)
   at ThreatModeling.ViewModel.DashboardViewModel.OnChange(SubscribableEventClass eventClass, Dictionary`2 args)
   at ThreatModeling.ViewModel.DashboardViewModel.ObjectModelEventInterceptor(Object sender, ObjectModelChangeEventArgs args)
   at ThreatModeling.ViewModel.DashboardViewModel.ObjectModel_ObjectModelChanged(Object sender, ObjectModelChangeEventArgs args)
   at ThreatModeling.Model.ObjectModelChangeDelegate.Invoke(Object sender, ObjectModelChangeEventArgs args)
   at ThreatModeling.Model.ObjectModel.OnObjectModelChange(ObjectModelChangeCause cause, Object objectOfChange)
   at ThreatModeling.ViewModel.NotesCommand.Execute(Object parameter)
   at MS.Internal.Commands.CommandHelpers.CriticalExecuteCommandSource(ICommandSource commandSource, Boolean userInitiated)
   at System.Windows.Controls.MenuItem.InvokeClickAfterRender(Object arg)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)

Trying to restore from a system image Windows 10


Hi,

I'm trying to restore from a system image on a Windows 10 PC. I had some file corruptions, so I was trying to start from a system image I saved a couple of weeks before. I booted from a recovery CD; the system sees my backup, runs the restore all the way through, then comes back with an error: "the system image restore failed. Error Details: The parameter is incorrect. (0x80070057)". No hardware has changed on my PC, not even the hard drive. The hard drive tests good and no other devices have been added. I had read about removing extra drives, so I disconnected my data drive and tried again, with the same issue. Does anyone have any other workarounds to get this restored?

AMSI Question


So far the documentation tells me about AMSI and its interfaces, available as COM interfaces such as IAntimalware, IAmsiStream etc. Applications can implement these interfaces to obtain data from AMSI.

I am not interested in bringing the COM-related burden into my application. Is anything available as a native C++ interface? Is there an ETW provider through which my application can listen for AMSI?

An early reply is appreciated.

Thanks

AntiXssLibrary 4.2 - Unable to add to GAC

Version 4.2 of the AntiXssLibrary was released yesterday to patch a security vulnerability. After installing, though, I see there are now 3 versions of AntiXSSLibrary.dll, one for each of the .NET versions. I've found that if you attempt to add any of these 3 DLLs to the GAC you get the following error: "Invalid file or assembly name."

I checked the file properties for the DLLs and see that the OriginalFileName for each is listed as AntiXSSLibrary20.dll, AntiXSSLibrary35.dll, and AntiXSSLibrary40.dll. I then renamed the DLL to correspond with the OriginalFileName listed and now I am able to add the assembly to the GAC. The drawback, however, is that the file name has now changed, so I need to update my build script accordingly as well.

I assume this is a mistake in the release?

Is CNG still the recommended API to integrate an HSM into Windows to manage keys?


Hi,

We want to integrate a customer's hardware security module into Windows; it should manage keys for different algorithms. As far as we know, the CNG API is currently the correct API for that purpose, e.g. to implement a key storage provider. Is that the recommended solution, or are there newer frameworks?

Does Microsoft Threat Modelling Tool provide tools for GDPR Compliance?


I've read somewhere that the Microsoft Threat Modelling Tool is going to provide GDPR compliance help, for instance the ability to add what kind of personal data is stored in a database, what is transferred and how?
And also, whether the transfer is done encrypted or not...

When is this going to come? I don't see it in the current version of the Threat Modeling Tool...

Where can I find the external dependencies at build content?

I am looking at the current version of the Microsoft Threat Modelling Tool and at an older YouTube video about it, and I see a very good and interesting feature where you can add external dependencies at build (for instance npm libraries etc. and their versions).
But I cannot find this in the current version I have. How do I find this, so I can add it to the report and collect all information about threats in a project?

All Azure components

I looked at the latest Threat Modelling Tool and I realize that you have only a very few of all the Azure resources available. When are you going to update the threat models to contain all of Azure's resources?

Issue when starting newly downloaded Threat Model Tool


I have been using Threat Model for several years. I was most recently using Threat Model 2016 but recently downloaded the newest Threat Model; see the screenshot of About:

When I start the newly downloaded Threat Model I get the following error:

I am not sure what this is telling me. Please advise.
