Leituras, traduções e links
Wednesday, March 5, 2025
Tuesday, March 4, 2025
Hall, Franklin. Atomic Power with God
It is very difficult to break the fast properly and very important. The importance of breaking the fast correctly and wisely cannot be over-emphasized. If you wish to avoid any consequences after your fast, please use plain common sense as well as heeding the following directions carefully. Very often an individual takes a fast of several weeks and gets along fine in the fast, but to his disappointment has uncomfortable physical difficulties while he is in the process of breaking the fast, which in practically all cases can be traced directly to his impatience to begin eating the accustomed rations days and weeks too soon. If you have fasted very long, or have taken a complete fast, you have practically a brand new stomach and it will have to be adjusted to food again. If you had your automobile engine overhauled, it would be necessary to break it in slowly for so many miles. If it were a major overhaul, you would have to run it at a lower R.P.M. even longer. The same thing applies to a new engine.
Hall, Franklin. Atomic Power with God, Thru Fasting and Prayer (p. 102). Mockingbird Press LLC. Kindle Edition.
The final state of observation approaches
The final state of observation approaches the actual substance of mind where you observe that both existence and non-existence are not real, and yet both existence and non-existence are real. Emptiness (samadhi) and phenomena are both false, and emptiness and phenomena are also both valid. This is madhyamika, or the Middle Way, where you see that emptiness and phenomena coexist but you don't abide in either: you perceive both realms, but fall into neither. Yes, you rest your mental realm in the quiet of samadhi, and yes, you allow the phenomenal world (including the physical body) to continually transform but without your falling into any sort of clinging to this realm. That which knows is freely born and freely functions, but it doesn't abide in either of these states. It doesn't dwell. There's no affirmation or negation or arguing in this state of attainment, there's just the middle way. This is the true path of observation—observing emptiness and phenomena—the middle way of prajna. And this is also philosophy, science, psychology, and the study of our true ontological essence. But in our explanation, it's just the step of observation. After you understand this, you proceed to another step called “returning,” which means returning to one's original nature, or “original face.” What do you return to? This is hard to explain, so a story will have to suffice.
Bodri, William; Shu-Mei, Lee. Twenty-Five Doors to Meditation: A Handbook for Entering Samadhi (pp. 29-30). Red Wheel/Weiser. Kindle Edition.
Retrieves local Administrators group members, filters out default accounts, and exports the results to a CSV file.
<#
.SYNOPSIS
Retrieves local Administrators group members, filters out default accounts, and exports the results to a CSV file.
Optionally removes the file if it's empty.
.DESCRIPTION
This script gathers members of the local Administrators group, excludes well-known system SIDs, and formats the output with computer name,
date/time, and other relevant information. The output is saved to a CSV file in a specified network location.
If the resulting CSV file is empty (after filtering), the file is deleted.
.PARAMETER OutputPath
Specifies the network path where the CSV output file should be saved. Defaults to "\\XXXXX\ScriptRunResults".
.EXAMPLE
.\Get-LocalAdmins.ps1 -OutputPath "\\server\share"
Exports local Administrators group members to "\\server\share\LocalAdminOutput-HOSTNAME.csv".
.EXAMPLE
.\Get-LocalAdmins.ps1
Exports local Administrators group members to "\\XXXXX\ScriptRunResults\LocalAdminOutput-HOSTNAME.csv".
.NOTES
This script requires Windows PowerShell 5.1 or later (Get-LocalGroupMember ships in the Microsoft.PowerShell.LocalAccounts module).
Ensure the script execution context has appropriate permissions to access the network share.
The script filters out built-in RIDs: Administrator (500), Domain Admins (512), the first locally created account (1000),
and two potentially environment-specific RIDs (17741 and 23112).
Adjust the filtered RIDs as needed for your environment.
------------------------------------------------------------------------------------------------------------------------------
.DISCLAIMER This script has been uploaded to and delivered by the Absolute Platform.
A digital signature is used to ensure integrity, authenticity, and non-repudiation, but does not imply that Absolute is the author.
Details about who uploaded and who executed the script are available in the Absolute console.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [string]$OutputPath = "\\XXXXX\ScriptRunResults"
)

# Get computer hostname and current date/time for output file and data
$hostname = $env:COMPUTERNAME
$datetime = Get-Date -Format "yyyyMMdd_HHmmss"

# Construct the output filename and the full output filepath
$filename = "LocalAdminOutput-$( $hostname ).csv"
$filepath = Join-Path -Path $OutputPath -ChildPath $filename

try {
    # Retrieve and filter local Administrators group members.
    # The RID is the last component of the SID, so anchor the match on "-<RID>$";
    # an unanchored pattern such as "500$" would also drop RIDs like 1500, and
    # "1000" without an anchor would drop any SID that merely contains 1000.
    Get-LocalGroupMember -Group Administrators |
        Where-Object { $_.SID.Value -notmatch '-(500|512|1000|17741|23112)$' } |
        Select-Object @{ Name = "ComputerName"; Expression = { $hostname } },
            Name,
            ObjectClass,
            PrincipalSource,
            @{ Name = "DateTime"; Expression = { $datetime } },
            SID |
        Export-Csv -Path $filepath -NoTypeInformation -Encoding UTF8 # UTF8 for better compatibility

    # When no objects reached Export-Csv the file is empty (or, depending on the
    # PowerShell version, absent); a file with only a header line is treated the same.
    $lineCount = 0
    if (Test-Path -Path $filepath) {
        $lineCount = (Get-Content -Path $filepath | Measure-Object).Count
    }
    if ($lineCount -le 1) {
        Remove-Item -Path $filepath -Force -ErrorAction SilentlyContinue # -Force avoids confirmation prompts
        Write-Verbose "No non-default members found; removed empty file: $filepath"
    } else {
        Write-Verbose "Successfully exported data to: $filepath"
    }
}
catch {
    # Handle any errors that occur during script execution
    Write-Error $_
}
Monday, March 3, 2025
data_decoder.mojom.DataDecoderService
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=6952,i,10858419173244041618,8725912151972485119,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:8
This command line is launching the Microsoft Edge web browser in a specific configuration to perform a data decoding task. Let's break down the key parts:
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe": This is the path to the Edge executable file.
- --type=utility: Indicates that Edge is being launched as a utility process, not the main browser window.
- --utility-sub-type=data_decoder.mojom.DataDecoderService: Specifies the type of utility process, in this case, a data decoder service. This suggests the process will be used to decode or process some kind of data.
- --lang=en-US: Sets the language for the process to English (US).
- --service-sandbox-type=service: This likely refers to the security sandbox environment that the process will run in, providing isolation and security.
- --string-annotations --always-read-main-dll --field-trial-handle=6952,i,10858419173244041618,8725912151972485119,262144 --variations-seed-version: These are internal flags and parameters likely related to debugging, testing, or specific feature configurations within Edge.
- --mojo-platform-channel-handle=6420: Mojo is an inter-process communication mechanism used in Chromium-based browsers. This flag likely specifies a handle for communication with other processes.
- /prefetch:8: This might be related to prefetching resources or data for faster loading.
In simpler terms:
Edge is being launched in the background to act as a tool for decoding some data. The specific details of what data is being decoded and why are hidden in the internal flags and parameters. This is likely part of Edge's internal workings and not something a regular user would interact with directly.
Possible reasons for this:
- Handling different data formats: Web browsers deal with various data formats (images, videos, compressed files, etc.). This process might be responsible for decoding a specific format.
- Security and sandboxing: Running the decoder in a separate process with a specific sandbox type enhances security by isolating it from the main browser.
- Experimentation and testing: The field-trial-handle suggests that this might be related to A/B testing or experimenting with new features or decoding mechanisms.
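As an added example (not code from the page's author or from Microsoft), the following Python parser handles Chromium-style command lines like the one above and applies a few defender-side checks: it splits the `--switch[=value]` arguments, reports the process role from `--type`, `--utility-sub-type` and `--service-sandbox-type`, and flags an `msedge.exe` that runs from somewhere other than the standard Edge install paths or that was started with `--no-sandbox`. The expected install paths, the second (constructed) command line and the "utility process without a sandbox type" heuristic are assumptions made for this example.

```python
from typing import Dict, List, Tuple, Union

# Standard Edge install locations (assumption: adjust to your environment).
EXPECTED_EDGE_PATHS = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\microsoft\edge\application\msedge.exe",
}

# The command line quoted on the page.
PAGE_CMDLINE = (
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility '
    r'--utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US '
    r'--service-sandbox-type=service --string-annotations --always-read-main-dll '
    r'--field-trial-handle=6952,i,10858419173244041618,8725912151972485119,262144 '
    r'--variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:8'
)

# Constructed sample of what a defender would want flagged: wrong path, no sandbox.
SUSPICIOUS_CMDLINE = (
    r'"C:\Users\alice\AppData\Local\Temp\msedge.exe" --type=utility '
    r'--utility-sub-type=data_decoder.mojom.DataDecoderService --no-sandbox'
)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes          # quotes group, they are not kept
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_chromium_cmdline(cmdline: str) -> Tuple[str, Dict[str, Union[str, bool]], List[str]]:
    """Return (exe_path, switches, extra). Switches are the '--name[=value]'
    arguments (value True when bare); extra holds everything else, such as
    the Windows-style '/prefetch:N' argument."""
    tokens = tokenize(cmdline)
    exe = tokens[0] if tokens else ""
    switches: Dict[str, Union[str, bool]] = {}
    extra: List[str] = []
    for tok in tokens[1:]:
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            switches[name] = value if sep else True
        else:
            extra.append(tok)
    return exe, switches, extra


def describe_process(switches: Dict[str, Union[str, bool]]) -> Dict[str, object]:
    """Summarise the process role; no --type switch means the main browser process."""
    return {
        "type": switches.get("type", "browser"),
        "sub_type": switches.get("utility-sub-type"),
        "sandbox": switches.get("service-sandbox-type"),
    }


def review_cmdline(cmdline: str) -> List[str]:
    """Defender-side checks; returns findings (empty list = nothing unusual)."""
    exe, switches, _ = parse_chromium_cmdline(cmdline)
    findings: List[str] = []
    if exe.lower() not in EXPECTED_EDGE_PATHS:
        findings.append(f"msedge.exe running from unexpected path: {exe}")
    if "no-sandbox" in switches:
        findings.append("sandbox disabled with --no-sandbox")
    role = describe_process(switches)
    # Heuristic (assumption): a utility process is expected to carry a sandbox type.
    if role["type"] == "utility" and role["sandbox"] is None:
        findings.append("utility process without --service-sandbox-type")
    return findings


if __name__ == "__main__":
    for label, cmd in (("page", PAGE_CMDLINE), ("constructed", SUSPICIOUS_CMDLINE)):
        exe, sw, extra = parse_chromium_cmdline(cmd)
        print(label, describe_process(sw), extra, review_cmdline(cmd) or "OK")
```

Run it on process-creation telemetry (for example the command line from a Sysmon event ID 1 record) to turn a wall of Chromium switches into a short role summary plus a list of things worth a second look.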
Wednesday, February 26, 2025
Monday, February 24, 2025
It happened. Someone intercepted a SMS MFA request for the CEO and successfully logged in.
https://www.reddit.com/r/sysadmin/comments/1ivz152/it_happened_someone_intercepted_a_sms_mfa_request/?share_id=psImgA6DspEXUTwAyMnKi&utm_content=1&utm_medium=android_app&utm_name=androidcss&utm_source=share&utm_term=1&rdt=46341
I summarized all the comments here:
- Implement Phishing-Resistant MFA:
- Use device-bound passkeys.
- Utilize FIDO2 security keys. These are considered especially useful if you need to support logins from unmanaged devices.
- Consider Entra Certificate-Based Authentication (CBA), but note it requires PKI understanding and can be complex to set up.
- Disable SMS MFA:
- SMS is not secure and has known vulnerabilities.
- Consider alternatives like Microsoft Authenticator, security keys, or Windows Hello.
- Conditional Access Policies (CAP):
- Enforce device compliance by allowing logins only from Intune-compliant devices.
- Block logins from outside the user's normal country if they are not traveling.
- Block medium or high-risk sign-ins.
- Use CA to encrypt tokens to the hardware to make them harder to use if stolen.
- Block access from consumer VPNs.
- Implement risk-based CA policies.
- Require phishing-resistant MFA.
- Monitor and Audit:
- Enable risky sign-in monitoring.
- Regularly review audit logs for any unusual activity.
- Set up alerts for new users, mail rules, and admin account changes.
- Review email and audit logs to determine if any actions were taken on the user's behalf.
- Check for new applications being added to the account.
- Look for forwarding rules that were established to maintain access.
- Device Security:
- Disable iCloud Private Relay at an MDM level on corporate-managed devices.
- Block access to known proxy addresses.
- Run security scans on devices, especially phones and laptops.
- Account Security:
- Require TAPs (temporary access passes) to add MFA devices.
- Disable SSPR (self-service password reset) for non-admin accounts.
- Educate users about phishing and other threats.
- Network Security:
- Block all but signed apps with low-risk permissions.
- Geo-blocking entire countries at the firewall level.
- Other Considerations:
- Consider that a compromised iCloud account can be used to intercept SMS messages.
- Be aware of SS7 vulnerabilities.
- Infostealer malware can compromise non-corporate devices.
- Token theft is a common attack vector.
- Threat actors are using AiTM (Adversary-in-The-Middle) attacks.
- Legacy authentication should be blocked in Conditional Access.
- Ensure that users cannot add unauthorized apps.
- Rapid Response:
- Revoke MFA tokens in Entra ID.
- Force logout and change the password immediately upon suspicion of compromise.
- Revoke all sessions.
- Block sign-in and revoke sessions in Entra, then rotate the password.
- AAD P2 License: It is recommended to pay for an AAD P2 license for C-level executives and enable risky sign-in monitoring and the CAPs (Conditional Access Policies) that support it.
- Conditional Access (CA) policies: Microsoft needs you to buy the Entra ID P2 license to add the CA policy that blocks session hijack from another new IP.
- The original poster (OP) mentions they are a relatively small company and the cost of upgrading to Business Premium to get Intune licensing would cost roughly $50k more a year.
Other ways that Conditional Access policies can help in protecting against attacks:
- Use CA to encrypt the tokens to the hardware to make them much harder to use if stolen.
- Use a Travel group to allow access to email outside your country's IP geo-block, and lock down any other access from outside the countries where employees and contractors live.
- Set shorter token expiry for users authenticating from traveling locations.
- Block access from consumer VPNs.
- Unless you're requiring phishing-resistant MFA, it is highly recommended to have a Conditional Access policy that only allows logins from hybrid-joined or compliant devices.
- Risk-based CA policies would've got the job done.
- Make sure legacy authentication is blocked in your CA. If this is not blocked, MFA can easily be bypassed.
- Allow access from company-managed devices only: even if attackers complete MFA or steal an access token, they still can't access the account.
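To make the "Monitor and Audit" and Conditional Access recommendations above concrete, here is an added example (not code from the thread, the original poster, or Microsoft) that runs the same checks over sign-in records: SMS as the second factor, no second factor at all, a legacy protocol, a sign-in from outside the allowed countries by a user who is not in the travel group, a non-compliant device, and a medium or high risk level. The records are constructed; their field names follow the Microsoft Graph `signIn` resource, while the allowed countries, travel group, the set of legacy client app names and the `authenticationMethod` strings are assumptions for this example.

```python
from typing import Dict, List

# Policy inputs (assumptions for this example; tune them to your tenant).
ALLOWED_COUNTRIES = {"US"}
TRAVEL_GROUP = {"field.sales@example.com"}        # users allowed to sign in while abroad
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP"}
STRONG_METHODS = {"Passkey", "FIDO2 security key", "Windows Hello for Business"}

# Constructed sample sign-ins shaped like Microsoft Graph signIn objects.
SAMPLE_SIGNINS: List[Dict] = [
    {   # CEO from the home country, compliant device, FIDO2 second factor: clean
        "userPrincipalName": "ceo@example.com",
        "ipAddress": "203.0.113.10",
        "clientAppUsed": "Browser",
        "riskLevelDuringSignIn": "none",
        "location": {"countryOrRegion": "US"},
        "deviceDetail": {"isCompliant": True, "isManaged": True},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "FIDO2 security key", "succeeded": True},
        ],
    },
    {   # same account: SMS code, foreign IP, unmanaged device, medium risk
        "userPrincipalName": "ceo@example.com",
        "ipAddress": "198.51.100.77",
        "clientAppUsed": "Browser",
        "riskLevelDuringSignIn": "medium",
        "location": {"countryOrRegion": "NL"},
        "deviceDetail": {"isCompliant": False, "isManaged": False},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Text message", "succeeded": True},
        ],
    },
    {   # legacy protocol with password only, so MFA never applied
        "userPrincipalName": "finance@example.com",
        "ipAddress": "192.0.2.5",
        "clientAppUsed": "Exchange ActiveSync",
        "riskLevelDuringSignIn": "none",
        "location": {"countryOrRegion": "US"},
        "deviceDetail": {"isCompliant": False, "isManaged": False},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
        ],
    },
]


def triage_signin(rec: Dict) -> List[str]:
    """Apply the thread's recommendations as checks; return a list of findings."""
    findings: List[str] = []
    user = rec.get("userPrincipalName", "")
    methods = {d.get("authenticationMethod")
               for d in rec.get("authenticationDetails", []) if d.get("succeeded")}
    second_factors = methods - {"Password"}

    if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
        findings.append("legacy authentication protocol (MFA cannot be enforced)")
    if not second_factors:
        findings.append("password only, no second factor")
    elif "Text message" in second_factors:
        findings.append("SMS used as second factor (interceptable, not phishing-resistant)")
    elif not (second_factors & STRONG_METHODS):
        findings.append("second factor is not phishing-resistant")

    country = rec.get("location", {}).get("countryOrRegion")
    if country not in ALLOWED_COUNTRIES and user not in TRAVEL_GROUP:
        findings.append(f"sign-in from {country}, user not in travel group")
    if not rec.get("deviceDetail", {}).get("isCompliant"):
        findings.append("device not Intune-compliant")
    if rec.get("riskLevelDuringSignIn") in {"medium", "high"}:
        findings.append(f"{rec['riskLevelDuringSignIn']} risk sign-in")
    return findings


def triage_all(records: List[Dict]) -> Dict[int, List[str]]:
    """Index -> findings for every record, so clean sign-ins show up as []."""
    return {i: triage_signin(r) for i, r in enumerate(records)}


if __name__ == "__main__":
    for idx, found in triage_all(SAMPLE_SIGNINS).items():
        rec = SAMPLE_SIGNINS[idx]
        print(idx, rec["userPrincipalName"], rec["ipAddress"], found or "OK")
```

The same checks map one-to-one onto Conditional Access controls (block legacy auth, require compliant devices, require phishing-resistant authentication strength, block medium and high risk), so a record that produces findings here is exactly the kind of sign-in the policies in the summary are meant to stop before it succeeds.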
Wednesday, February 19, 2025
Friday, February 14, 2025
recruiting@omnicare365.com - Phish email.
https://voiceover.core-marks.com/OxPG9?=
Missed CaII Notifications powered by VolpLine Ref_b5ca943d545bab36e94938db63bc38eb5a57892e.
from:
RIngCentral- FIle_ Audlo CaII Service ID_b5ca943d545bab36e94938db63bc38eb5a57892e
<recruiting@omnicare365.com>
-
Wireshark course on UDEMY https://www.udemy.com/curso-profissional-sobre-wireshark/learn/v4/overview Filtering on flags...