Security – gHacks Technology News (http://www.ghacks.net), the independent technology news blog. Feed generated Sun, 26 Mar 2017 19:51:13 +0000.

Full Last Pass 4.1.42 exploit discovered
http://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/
Tue, 21 Mar 2017 15:09:13 +0000

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post Full Last Pass 4.1.42 exploit discovered appeared first on gHacks Technology News.

Tavis Ormandy, a prolific member of Google's Project Zero initiative, revealed that he discovered a new security issue in LastPass 4.1.42 (and maybe earlier).

Ormandy revealed that he discovered an exploit, but did not reveal it. Project Zero discoveries are reported to the companies who produce the affected products. The companies have 90 days to react, usually by creating a new product version that they make available publicly to all customers.

The information is scarce at this point in time, but it does paint a grim picture. On Twitter, he said the following:

Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way.

He explicitly mentions the latest version of LastPass for Google Chrome and Firefox (4.1.42), and states that the bug allows remote code execution if the LastPass binary component is in use, or password theft otherwise.

Later he revealed that he has a full working exploit that runs without any prompts on Windows and is just two lines of code, and noted that it could be made to work on other platforms as well.

I have a full exploit working without any prompts on Windows, could be made to work on other platforms. Sent details to LastPass.

Full exploit is two lines of javascript. #sigh ¯\_(ツ)_/¯

LastPass posted a message on Twitter stating that it is aware of the reported issue, has put a workaround in place, and is working on a resolution.

We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.

Soon thereafter, the company posted a second message that the reported issue was resolved.

The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.

According to the tweet, no user action is required at this point in time. Note: We will update the news article when the LastPass blog post goes live.

This new LastPass bug is not the first that Tavis Ormandy discovered. Ormandy discovered a remote compromise vulnerability in LastPass back in mid-2016.

In 2015, LastPass detected suspicious activity on the company network, and more recently, in 2017, issues were discovered in the password manager's mobile application for Android.

It is unclear how attackers may exploit the newly discovered security issue. LastPass customers who want to be on the safe side of things should consider disabling the password manager for the time being until the security issue is patched. Those who cannot do that should be very careful when it comes to the sites they visit on the Internet.

Update: LastPass has published its own security report on the issue. According to the company, no "sensitive user data was lost or compromised" to its knowledge. This means that users don't need to change their master passwords or any site credentials.

All extensions for browsers have been patched, and one issue was fixed on the server-side.

Now You: Do you use a password manager?

Pwn2Own 2017: Windows, Ubuntu, Edge, Safari, Firefox exploited
http://www.ghacks.net/2017/03/17/pwn2own-2017-windows-ubuntu-edge-safari-firefox-exploited/
Fri, 17 Mar 2017 06:44:13 +0000

The tenth anniversary of the Pwn2Own gathering of hackers, Pwn2Own 2017, saw eleven teams attempt to exploit products across four categories.

The products that teams were allowed to target this year included operating systems and web browsers, but also two new product categories: enterprise applications and server-side software.

Programs like Adobe Reader and Apache Web Server were added as targets by the Pwn2Own committee.

The first two days of the conference have passed already, and they saw successful, unsuccessful, and withdrawn exploit attempts.

On day one, teams managed to successfully exploit Adobe Reader (twice), Apple Safari (twice), Microsoft Edge, and Ubuntu Desktop. Attacks against Google Chrome and Microsoft Windows failed.

Additional attacks against Edge and Safari failed or were withdrawn, however.

On day two, teams exploited Adobe Flash (twice), Microsoft Edge (twice), Apple Safari, Mac OS X, Mozilla Firefox, Apple Safari and Windows successfully.

Other attacks against Firefox, Windows, Microsoft Edge and Apple Mac OS X failed, were withdrawn, or were disqualified.

Day three will see three additional attempts against the following targets: Microsoft Edge (twice) and VMware Workstation. We will update the article once the results are published.

Update: Microsoft Edge was attacked successfully twice, and the guest-to-host attack against VMware Workstation succeeded as well.

Analysis

Three of the four product categories of the Pwn2Own 2017 gathering are interesting to computer users.

On the operating system side, Windows, Mac OS X and Ubuntu Desktop were exploited successfully.

On the browser side, Microsoft Edge, Firefox, and Safari were exploited successfully. The one attack attempt against Chrome failed, and a second attack against Firefox failed as well. Both Edge and Safari were exploited multiple times.

On the application side, Adobe's Flash Player and Reader products were exploited successfully multiple times.

It is surprising that Edge, the most secure browser according to Microsoft, was exploited successfully several times.

As far as browsers go, Chrome was the only browser not exploited successfully. Please note that Chromium-based browsers like Vivaldi or Opera were not part of the product range that teams could attack this year.

Companies with successfully exploited products are usually fast when it comes to releasing security updates for their products. It is likely that this trend will continue this year, so expect updates soon for affected products.

Last year's Pwn2Own saw successful exploits of Windows, Apple OS X, Safari, Edge, Chrome and Adobe Flash.

Videos

You can check out videos of the results of the first day below. If additional videos are posted, we will add them to the article as well.

Additional information on this year's Pwn2Own event is available on the TrendMicro Zero Day Initiative blog.

Security issues found in nine password managers for Android (LastPass, Dashlane..)
http://www.ghacks.net/2017/03/02/security-issues-found-in-nine-password-managers-for-android-lastpass-dashlane/
Thu, 02 Mar 2017 07:48:41 +0000

Security researchers of the Fraunhofer Institute found severe security issues in nine password managers for Android that they analyzed as part of their research.

Password managers are a popular option when it comes to storing authentication information. All promise secure storage either locally or remotely, and some add other features to the mix, such as password generation, automatic sign-ins, or the saving of important data such as credit card numbers or PINs.

A recent study by the Fraunhofer Institute looked at nine password managers for Google's Android operating system from a security point of view. The researchers analyzed the following password managers: LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure KEY, Keepsafe, Keeper, and Avast Passwords.

Some of the apps have more than 50 million installations, and all at least 100,000 installations.

Password Managers on Android security analysis

The team's conclusion should worry anyone who uses a password manager on Android. While it is unclear whether other password manager applications for Android have vulnerabilities as well, there is at least a chance that this is indeed the case.

The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks.

At least one security vulnerability was identified in each of the apps the researchers analyzed. This went as far as some applications storing the master key in plain text, and others using hard-coded cryptographic keys in code. In another case, installation of a simple helper application extracted the passwords stored by the password application.

Three vulnerabilities were identified in LastPass alone. First a hard-coded master key, then data leaks in browser search, and finally a vulnerability affecting LastPass on Android 4.0.x and lower which allows attackers to steal the stored master password.

  • SIK-2016-022: Hardcoded Master Key in LastPass Password Manager
  • SIK-2016-023: Privacy, Data leakage in LastPass Browser Search
  • SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager

Four vulnerabilities were identified in Dashlane, another popular password manager application. These vulnerabilities allowed attackers to read private data from the app folder, abuse information leaks, and run an attack to extract the master password.

  • SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
  • SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
  • SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
  • SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser

The popular 1Password application for Android had five vulnerabilities, including privacy issues and password leaking.

  • SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
  • SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
  • SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
  • SIK-2016-041: Read Private Data From App Folder in 1Password Manager
  • SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager

You can check out the full list of apps analyzed and the vulnerabilities on the Fraunhofer Institute website.

Note: All disclosed vulnerabilities have been fixed by the companies who develop the applications. Some fixes are still in development. It is recommended that you update the applications as soon as possible if you run them on your mobile devices.

The conclusion of the research team is quite devastating:

While this shows that even the most basic functions of a password manager are often vulnerable, these apps also provide additional features, which can, again, affect security. We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using “hidden phishing” attacks. For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.

Now You: Do you use a password manager application? (via The Hacker News)

CloudBleed: check if you visited sites affected by CloudFlare’s security issue
http://www.ghacks.net/2017/02/26/cloudbleed-check-if-you-visited-sites-affected-by-cloudflares-security-issue/
Sun, 26 Feb 2017 06:37:06 +0000

CloudBleed is the unofficial name for a security issue discovered on February 17th, 2017 that affected CloudFlare's reverse proxies.

CloudFlare is a large provider that is used by more than 5.5 million Internet properties according to the company's website. It offers CDN and DDoS protection, optimization technologies for websites, dedicated SSL and a lot more.

The basic service is offered for free, but webmasters and organizations may upgrade to a paid plan for additional features and better protection.

The security issue at hand caused the servers to "run past the end of a buffer" which returned memory that contained private information. Among other things, it might have included HTTP cookies, authentication tokens, HTTP Post bodies, and other sensitive data.

The issue was disclosed by Google's Project Zero, and has since been fixed by CloudFlare.

Cloudbleed

The main issue for Internet users is that their authentication cookies or data may have leaked. Search engines may have cached the data, and attackers may have exploited the issue as well to gather the data.

Since there is no record of whether individual user data was leaked, some experts suggest that users change passwords on all sites and services that use CloudFlare. This is difficult for most users, however, as finding out which services and sites use CloudFlare is quite time consuming.

The Firefox add-on and Chrome extension CloudBleed changes that. Designed by the NoSquint Plus author, it parses the browser's browsing history to reveal any site or service that uses CloudFlare.

This enables you to go quickly through the listing to identify sites that you have an account on.

The extension works identically in both browsers. Simply install it in your browser of choice, and click on the icon that it adds to the browser's main toolbar.

The page that loads includes a short explanation and a search button that you need to click. The extension then goes through the browsing history and checks whether sites in it were affected by the issue.

Some sites may appear multiple times in the listing. An option to filter sites by domain, or subdomain, would have been useful.

The author notes that all processing is done on the local system. All that is left afterwards is to go through the list to identify the sites with accounts.

Closing Words

CloudBleed is a handy browser extension for Google Chrome and Firefox. You may use it to reveal sites affected by CloudFlare's recent security issue quickly, provided that you did not delete the browsing history in the meantime.

Now You: Have you changed account passwords of affected sites?

Google discloses Edge and IE vulnerability
http://www.ghacks.net/2017/02/25/google-discloses-edge-and-ie-vulnerability/
Sat, 25 Feb 2017 11:25:55 +0000

Google disclosed a security vulnerability in Microsoft Edge and Internet Explorer yesterday that Microsoft failed to patch up until now.

This is the second vulnerability that Google disclosed this month. Last week, the company disclosed a Windows vulnerability that affected the gdi32.dll dynamic link library in Windows.

The new vulnerability that Google disclosed yesterday affects the web browsers Microsoft Internet Explorer and Microsoft Edge.

The issue is described as a type confusion in HandleColumnBreakOnColumnSpanningElement. It allows an attacker to create a specifically crafted web page that crashes the web browser and may allow the attacker to execute code on the machine.

The technical details of the vulnerability, as well as proof of concept code, are published on Google's Project Zero website.

Edge and IE vulnerability

The bug was found on November 25th, and has been hidden from the public for a 90-day period.

Google reports vulnerabilities that its Project Zero team finds to the companies responsible for the affected products. It is Google's policy to disclose any vulnerability after 90 days if the notified company did not publish a publicly available patch for the issue.

This is why last week's and this week's vulnerabilities in Windows and the default Windows browsers were disclosed publicly.

The idea behind the 90-day deadline is to pressure companies into releasing patches for their products. If Google did not disclose the reported vulnerabilities after 90 days, companies might consider not producing patches or updates for their products at all.

The downside to the disclosure is that attackers may use the information that Google publishes to create attacks against affected software or systems.

Microsoft postponed the February 2017 Patch Day due to a last-minute issue that the company discovered shortly before it. It is still unclear what that issue was, only that it must have been serious enough to move all security patches of February 2017 to March.

It is unclear whether patches for the vulnerabilities that Google disclosed would have been part of the February 2017 Patch Day. If that had been the case, the vulnerabilities would still have been disclosed publicly, but the impact of the disclosure would not have been critical, as patches for the issues would already have been available.

Microsoft did release a security update for the built-in versions of Adobe Flash on February 22, but that has been the only security update the company released in February 2017.

Microsoft's failure to release patches for the security vulnerabilities unfortunately means that Windows users may be attacked using exploits based on them.

Google discloses another unpatched Windows vulnerability
http://www.ghacks.net/2017/02/17/google-discloses-another-unpatched-windows-vulnerability/
Fri, 17 Feb 2017 18:40:47 +0000

Google Project Zero member Mateusz Jurczyk disclosed a gdi32.dll vulnerability in the Windows operating system to Microsoft on November 16, 2016.

The report itself is quite technical, and it would go too far to go into details here. The following describes the turn of events, however.

Jurczyk disclosed issues with gdi32.dll to Microsoft back in March 2016. He described methods back then that would allow attackers to exploit an issue in the dynamic link library: the records it processed were not exhaustively sanitized.

Microsoft released the security bulletin MS16-074 in June 2016 which fixed issues in the Windows Graphics Component (gdi32.dll) among other things.

As it turns out, Microsoft did not do a good enough job of resolving the issues described on Google's Project Zero website.

Jurczyk checked the updated version of gdi32.dll again to see if the patching was successful, or if vulnerabilities would still exist.

The patching was not sufficient. He notes in the new report that MS16-074 fixed some of the bugs, but not all of them.

However, we've discovered that not all of the DIB-related problems are gone.

[..]

As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.

Google gives companies 90 days after it reports a vulnerability to them to fix the issue. If the time period elapses without a patch that is made available to the public, the vulnerability is disclosed to the public.

Jurczyk reported the issue to Microsoft on November 16, 2016. Microsoft did not release a patch in time, which is why the issue and the example exploit code were made public.

The good news for Windows users is that the issue should not be of major concern, as exploiting it requires access to the machine. Woody notes that an attacker would have to log on to the machine to execute a specially prepared EMF file to exploit the issue.

Still, this is another unpatched Windows vulnerability after the zero-day SMB vulnerability that came to light in the beginning of February 2017. You need to add the unpatched Flash Player in Edge to that as well.

It is possible that Microsoft had planned to release a security update for the reported vulnerability on the February 2017 Patch Day. But that Patch Day did not happen, as Microsoft announced its postponement to March.

We don't know whether Microsoft has a patch for the issue in the pipeline that would have made Google's deadline, or whether an SMB vulnerability patch would have been made available in February.

Microsoft has yet to reveal why it postponed the patch day a whole month.

Researchers develop cross-browser fingerprinting technique
http://www.ghacks.net/2017/02/14/researchers-develop-cross-browser-fingerprinting-technique/
Tue, 14 Feb 2017 15:08:36 +0000

Researchers have developed a cross-browser fingerprinting technique that uses operating system and hardware level features.

Fingerprinting has been limited for the most part to individual web browsers in the past. If a user switched browsers regularly, fingerprinting could not be used to link the user to these browsers.

Fingerprinting tests like the Electronic Frontier Foundation's Panopticlick or BrowserPrint try to gather data about the browser and the underlying operating system. They use all the data to create a fingerprint of the browser/computer combination, and may be able to recognize it again in future sessions.

Cross-browser fingerprinting was out of the picture up until now. While other methods existed to track users across browsers, for instance by requiring them to sign into accounts to use a service or by recording IP addresses, no fingerprinting method came close to providing a working solution.

Cross-browser fingerprinting

The researchers who published the research paper (Cross-)Browser Fingerprinting via OS and Hardware Level Features think that they have found a way.

In the paper, we propose a (cross-)browser fingerprinting based on many novel OS and hardware level features, e.g., these from graphics card, CPU, audio stack, and installed writing scripts. Specifically, because many of such OS and hardware level functions are exposed to JavaScript via browser APIs, we can extract features when asking the browser to perform certain tasks through these APIs. The extracted features can be used for both single- and cross-browser fingerprinting.

They have created an online service that demonstrates the fingerprinting technique. It is called Unique Machine, and works on any device that supports JavaScript.

A click on Get My Fingerprint starts the process. It works if JavaScript is enabled and if connections to a few sites are allowed. The scan takes a couple of seconds to complete.

The result is a browser fingerprint and also a computer fingerprint; the latter is not finalized yet and still in development.

You may hit the details button on the Unique Machine website for the list of tested cross-browser features.

The following features are tested currently:

  • Time Zone.
  • Number of CPU Cores.
  • Fonts.
  • Audio.
  • Screen Ratio and depth.
  • WebGL.
  • Ad Blocking.
  • Canvas.
  • Cookies.
  • Encoding.
  • GPU.
  • Hash values of GPU rendering results.
  • Language.
  • Plugins.

The idea is that you will get similar results when you run the fingerprinting test a second time using a different browser on the same system.

The researchers state that the technique identified 99.2% of users correctly. The sample size is somewhat small: 1903 users and 3615 fingerprint samples.

I ran tests on a machine using different browsers, and results were mixed. The computer fingerprint was identical when I ran the fingerprinting test in Chrome, Chrome Canary and Vivaldi, but different in Firefox and Edge.

The three browsers in which the hash was identical are all based on Chromium, which is probably why the fingerprint matched.

The source code of the cross browser fingerprinting site is available on GitHub.

Now You: Did cross-browser fingerprinting work on your devices?

SMB Zero-Day affects Windows 8, 10 and Server
http://www.ghacks.net/2017/02/03/smb-zero-day-affecting-windows-8-10-and-server/
Fri, 03 Feb 2017 12:55:51 +0000

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post SMB Zero-Day affects Windows 8, 10 and Server appeared first on gHacks Technology News.

]]>
The United States Computer Emergency Readiness Team (US-CERT) published a vulnerability note yesterday about a new zero-day vulnerability affecting Microsoft Windows 8, 10 and Server editions.

It reads:

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system.

Attackers may cause a denial of service on affected versions of Windows by getting a Windows device to connect to a malicious SMB share. US-CERT notes that the vulnerability may possibly be exploited to execute arbitrary code with Windows kernel privileges.

Successfully attacked systems crash with a blue screen.


The vulnerability description offers additional information:

Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. It is not clear at this point whether this vulnerability may be exploitable beyond a denial-of-service attack. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems.

US-CERT confirmed the vulnerability on fully-patched Windows 8.1 and Windows 10 client systems. Bleeping Computer notes that security researcher PythonResponder claimed that it affects Windows Server 2012 and 2016 as well.

While there is no official confirmation of that yet, it seems likely that the Server products are also affected by the vulnerability.

Severity and suggested workarounds

US-CERT classifies the vulnerability with the highest severity rating of 10 using the Common Vulnerability Scoring System (CVSS). Factors that play a role in determining the severity of a vulnerability include whether it is remotely exploitable, and how much expertise attackers require to successfully exploit the vulnerability.

Microsoft has not released a security advisory yet, but it is probably only a matter of time before the company publishes a security advisory to inform customers about the vulnerability and mitigation options.

US-CERT recommends blocking outbound SMB connections (TCP ports 139 and 445, and UDP ports 137 and 138) from the local network to the WAN to protect Windows devices.

Home user networks may be affected by the vulnerability, but WANs are not that widely used in home environments.

To find out whether your Windows device currently has any SMB connections, do the following:

  1. Tap on the Windows key, type PowerShell, hold down the Ctrl and Shift keys, and hit Enter (this opens an elevated PowerShell prompt).
  2. Confirm the UAC prompt that appears.
  3. Run the command Get-SmbConnection.

We will update the article once Microsoft publishes a security advisory for the vulnerability. (via Born City)

Malwarebytes 3.0.6 with stability and performance improvements http://www.ghacks.net/2017/01/26/malwarebytes-3-0-6-with-stability-and-performance-improvements/ http://www.ghacks.net/2017/01/26/malwarebytes-3-0-6-with-stability-and-performance-improvements/#comments Thu, 26 Jan 2017 20:21:06 +0000 http://www.ghacks.net/?p=129877 Malwarebytes 3.0.6 is the latest version of the popular security program for Windows that is available as a free and premium version. The company, also called Malwarebytes, released version 3.0 of the program not too long ago. The update changed things around quite a bit, and not all for the better. The new Malwarebytes unified […]

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post Malwarebytes 3.0.6 with stability and performance improvements appeared first on gHacks Technology News.

]]>
Malwarebytes 3.0.6 is the latest version of the popular security program for Windows that is available as a free and premium version.

The company, also called Malwarebytes, released version 3.0 of the program not too long ago. The update changed things around quite a bit, and not all for the better.

The new Malwarebytes unified the company's three individual products Malwarebytes Anti-Malware, Anti-Exploit, and Anti-Ransomware into a single product. All three were available as a free version previously, but that changed with the release of the new program version.

The company pulled the standalone products, so that they could only be used from that moment on in Malwarebytes 3.0 Premium.

Users worried about other things in Malwarebytes 3.0 as well. The program's memory consumption was mentioned most often in this regard, but users complained about the performance and the stability of the security application too.

Malwarebytes 3.0.6 with stability and performance improvements


Malwarebytes has released several versions since the initial release of Malwarebytes 3.0. All included stability and performance improvements, as well as other fixes. This is no different with today's release of Malwarebytes 3.0.6. The new version is available to free and premium users alike.

Highlights of the Malwarebytes 3.0.6.1469 release are:

  1. Malware detection and remediation improvements.
  2. Startup time improvements.
  3. Memory leaks plugged.
  4. CPU usage after scan completion reduced.
  5. Fixed issue where "Real-Time Protection turned off" notifications were displayed incorrectly.
  6. Patched several crash and blue screen issues.
  7. Fixed individual issues in Edge, Windows Insider Previews, and PowerPoint.

The full change log is displayed when you start the update. You may also check it out on the Malwarebytes site once the release history is updated.

Malwarebytes addressed several issues in this new version of the software, but at least some users who upgraded to Malwarebytes 3.0.6 report that they still experience issues, including crashes, "Access Denied, Code 5" error messages during the upgrade, or Web Protection failing to start.

On a personal note: I did experience the "Real-Time Protection turned off" notification issue, and it was quite annoying. I have to monitor this more closely, but it seems indeed fixed in this release.

Memory consumption of MBAMService.exe is still quite high, and it is not the only process that is used by the application.

Now You: What's your experience with the new Malwarebytes 3.0?

Web Security: add rel=noopener to external links http://www.ghacks.net/2017/01/24/web-security-add-relnoopener-to-external-links/ http://www.ghacks.net/2017/01/24/web-security-add-relnoopener-to-external-links/#comments Tue, 24 Jan 2017 10:55:11 +0000 http://www.ghacks.net/?p=129791 Don't touch my tabs! (rel=noopener) is a Firefox add-on that adds rel="noopener" to external links on sites open in Firefox automatically. Noopener_by_default is a userscript that does the same for links. Did you know that sites that you load by clicking on links may manipulate the page the link was posted on? Imagine two HTML […]

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post Web Security: add rel=noopener to external links appeared first on gHacks Technology News.

]]>
Don't touch my tabs! (rel=noopener) is a Firefox add-on that adds rel="noopener" to external links on sites open in Firefox automatically. Noopener_by_default is a userscript that does the same for links.

Did you know that sites that you load by clicking on links may manipulate the page the link was posted on?

Imagine two HTML pages: index.html, which contains a link pointing to omg.html. When you click that link on index.html, omg.html opens in a new tab if the link carries the target="_blank" attribute (the attribute is a requirement for the manipulation described below).

The page omg.html may then use the window.opener property to manipulate content on index.html. Since this happens in the background tab, the user often does not notice a thing.

In the worst case, this may be used to display a fake login page on the originating page to phish user data.

The link attribute rel="noopener" sets the window.opener property to null, so that target sites are not able to manipulate the originating page.

You are probably wondering why browsers are not simply adding rel="noopener" to all links that open in new tabs and be done with it. Browser makers state that this will break certain sites and services on the Internet.

You can test it for yourself on this web page. Click on the first or second link on the page to get started. It opens a new page in a new tab. When you go back afterwards to the originating page, you will see that it has been modified by the target page.

Solutions


There are a couple of solutions that prevent this type of manipulation:

  1. Middle-click on links to open them instead of left-clicking on them.
  2. Install the Firefox add-on Don't touch my tabs! (rel=noopener). It adds the rel="noopener" attribute to all external links, but not to same-origin links. Note that this only works from Firefox 52 on, as that is the first version of Firefox that supports rel="noopener".
  3. The userscript noopener_by_default adds rel="noopener" to any link that uses target="_blank".

The rel="noopener" attribute works only if the browser supports it. Chrome, Opera, Vivaldi and Safari do already, Firefox will with the release of Firefox 52 on March 7, 2017.

Middle-clicking on links works regardless of that.

Side note: We add rel="noopener" to links here on Ghacks so that you are safe from this when clicking on links here on the site.

Beware: new sophisticated Gmail phishing attacks http://www.ghacks.net/2017/01/19/beware-new-sophisticated-gmail-phishing-attacks/ http://www.ghacks.net/2017/01/19/beware-new-sophisticated-gmail-phishing-attacks/#comments Thu, 19 Jan 2017 18:07:39 +0000 http://www.ghacks.net/?p=129670 Researchers have discovered a new phishing attack that is currently underway that is targeting Google Gmail accounts in a sophisticated way. What's interesting about this specific attack is that it uses a new method, one that could even lure tech savvy users into its trap. The attacks begin with compromised Gmail accounts. The attackers use […]

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post Beware: new sophisticated Gmail phishing attacks appeared first on gHacks Technology News.

]]>
Researchers have discovered a new phishing attack that is currently underway that is targeting Google Gmail accounts in a sophisticated way.

What's interesting about this specific attack is that it uses a new method, one that could even lure tech savvy users into its trap.

The attacks begin with compromised Gmail accounts. The attackers use the compromised account to send emails to email addresses in the compromised account's address book.

The emails therefore come from a legitimate address, and the attackers seem to base them on legitimate messages from that account. They contain what looks like an attachment, a PDF or spreadsheet for instance, something that may already have been sent in the past.

When you click on the attachment, you are taken to a Gmail login page on a new tab in the browser.


This page looks like Google's Gmail login page, and the only indication that something is wrong comes from the address field.

It does not begin with https://accounts.google.com/, but with data:text/html. Also, since the page is not HTTPS, you don't get a green or red indicator either. Those are the only indicators that something is wrong. If you copy and paste the URL, you will notice that it contains whitespace after the official Gmail URL, and then an obfuscated string.

What helps the attacker is that Gmail does at times ask you to sign in to your account again, and that the real Gmail address is listed in the address bar as well, embedded in the data: URL.

If you just glance at it, you may see https:// accounts.google.com/, and think that everything is alright.

You should be safe if you follow the basic rules when it comes to phishing, as one of them is that you have to check the address of the page at all times before you do anything on it.

In short, if the URL does not start with https:// it is definitely fake, at least in the case of Gmail and any modern service that supports https://.
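An added example, not code from the post, of the address check the post recommends, written as a small JavaScript function: it rejects data:, blob: and similar schemes, flags whitespace padding, and only then compares protocol and host against accounts.google.com (assumed here to be the only legitimate sign-in host). The sample addresses are constructed; the obfuscated tail of the real phishing URL is a placeholder.

```javascript
// Added example, not code from the gHacks post: an address-bar sanity check for the
// situation the post describes. Given the string shown in (or copied from) the address
// bar, decide whether it can really be the Google sign-in page.
const EXPECTED_LOGIN_HOST = 'accounts.google.com'; // assumed host of a real Gmail sign-in page

// Schemes that render attacker-supplied content locally: there is no TLS and no real host.
const LOCAL_CONTENT_SCHEMES = new Set(['data', 'blob', 'javascript', 'about']);

function checkLoginAddress(address, expectedHost = EXPECTED_LOGIN_HOST) {
  const raw = String(address);
  const reasons = [];

  // 1. Whitespace inside an address is never legitimate. The post notes that the fake
  //    URL pads with spaces so that only "https://accounts.google.com/" stays visible.
  if (/\s/.test(raw.trim())) reasons.push('whitespace inside address');

  // 2. Read the scheme from the raw text, before any URL parsing could normalise it.
  const schemeMatch = /^\s*([a-z][a-z0-9+.-]*):/i.exec(raw);
  const scheme = schemeMatch ? schemeMatch[1].toLowerCase() : null;
  if (scheme === null) {
    reasons.push('no scheme');
  } else if (LOCAL_CONTENT_SCHEMES.has(scheme)) {
    reasons.push(`scheme "${scheme}:" renders local content, not a page from ${expectedHost}`);
  }

  // 3. Only a real network URL gets a protocol and host comparison.
  if (scheme !== null && !LOCAL_CONTENT_SCHEMES.has(scheme)) {
    let parsed = null;
    try {
      parsed = new URL(raw.trim());
    } catch {
      reasons.push('unparsable URL');
    }
    if (parsed) {
      if (parsed.protocol !== 'https:') reasons.push(`not https (${parsed.protocol})`);
      if (parsed.hostname.toLowerCase() !== expectedHost) {
        reasons.push(`host is "${parsed.hostname}", not ${expectedHost}`);
      }
    }
  }
  return { legitimate: reasons.length === 0, scheme, reasons };
}

// Constructed samples: a genuine sign-in URL, and a data: URL padded with whitespace the
// way the post describes, with the obfuscated payload replaced by a placeholder.
const GENUINE_SIGN_IN = 'https://accounts.google.com/ServiceLogin?service=mail';
const PADDED_DATA_URL =
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail' +
  ' '.repeat(40) + '[obfuscated-payload-placeholder]';
```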

I can see how even experienced users fall for that trap though, considering that the emails come from a legitimate contact and not some fake address.

It may also be easy enough to overlook the fact that the attached PDF is an embedded image instead. You may notice that something is wrong when the attachment takes you to another page.

The attackers try their best to hide that fact, as they use the page title "you have been signed out", which users may focus on instead of the actual web address they are on.

Another thing that should set the alarm bells ringing is that the page that opens asks for the user's email address and password. Google usually does not ask for both when it asks you to sign in again.

Accounts with two-factor authentication are better protected against these phishing attacks. It is however possible for attackers to request the two-factor authentication code from the user as well if they attack the account in real-time.

Google seems to be considering adding a "not secure" tag to data: and blob: elements in the address bar, but nothing is set in stone yet.

Data URIs are not entirely new when it comes to phishing. We reported on data: URIs being used for phishing attacks back in 2014, and that was probably not the first occasion they were used for that.

The attackers target Gmail currently, but nothing is stopping them from moving on to a different email provider.

Now You: Would you have fallen for the attack?

WhatsApp Security: make this change right now! http://www.ghacks.net/2017/01/13/whatsapp-security-make-this-change-right-now/ http://www.ghacks.net/2017/01/13/whatsapp-security-make-this-change-right-now/#comments Fri, 13 Jan 2017 12:58:26 +0000 http://www.ghacks.net/?p=129291 Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages. Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the services end-to-end encryption. The company states that no one, not even itself, can read what […]

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post WhatsApp Security: make this change right now! appeared first on gHacks Technology News.

]]>
Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages.

Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the service's end-to-end encryption. The company states that no one, not even itself, can read what is sent when both sender and recipient use the latest version of the application.

WhatsApp's end-to-end encryption ensures only you and the person you're communicating with can read what is sent, and nobody in between, not even WhatsApp. Your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read your message. For added protection, every message you send has a unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.

It turns out however that there is a way for WhatsApp to read user messages, as security researcher Tobias Boelter (via The Guardian) found out.

Update: In a statement sent to Ghacks, a WhatsApp spokesperson provided the following insight on the claim:

"The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. ** This claim is false. **

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report. (https://govtrequests.facebook.com/)"

WhatsApp can generate new encryption keys for users who are offline. Neither the sender nor the recipient is made aware of this by default, and the sender's client re-encrypts any messages not yet delivered with the new key and sends them again.

The recipient is never notified of the key change. The sender is notified only if WhatsApp is configured to display security notifications, an option that is not enabled by default.

While WhatsApp users cannot block the company -- or any state actors requesting data -- from taking advantage of the loophole, they can at least activate security notifications in the application.

The security researcher reported the vulnerability to Facebook in April 2016 according to The Guardian. Facebook's response was that it was "intended behavior" according to the newspaper.

Activate security notifications in WhatsApp


To enable security notifications in WhatsApp, do the following:

  1. Open WhatsApp on the device you are using.
  2. Tap on menu, and select Settings.
  3. Select Account on the Settings page.
  4. Select Security on the page that opens.
  5. Enable "show security notifications" on the Security page.

You will receive notifications when a contact's security code has changed. While this won't prevent misuse of the backdoor, it will at least inform you about its potential use.

Microsoft: Windows 10 Bitlocker is slower, but also better http://www.ghacks.net/2017/01/06/microsoft-windows-10-bitlocker-is-slower-but-also-better/ http://www.ghacks.net/2017/01/06/microsoft-windows-10-bitlocker-is-slower-but-also-better/#comments Fri, 06 Jan 2017 13:49:55 +0000 http://www.ghacks.net/?p=128689 If you encrypt the hard drive of a computer running Windows 7, and then on the same computer running Windows 10, you will notice that the encryption process is faster on Windows 7. Bitlocker is a built-in disk encryption program that you can use to encrypt data so that it cannot be accessed by third-parties. […]

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post Microsoft: Windows 10 Bitlocker is slower, but also better appeared first on gHacks Technology News.

]]>
If you encrypt the hard drive of a computer running Windows 7, and then on the same computer running Windows 10, you will notice that the encryption process is faster on Windows 7.

Bitlocker is a built-in disk encryption program that you can use to encrypt data so that it cannot be accessed by third parties. If you don't encrypt your hard drive, anyone with access to the drive can read the data on it, even when the PC is switched off.

With Bitlocker and other encryption software, this is prevented.

Side note: Bitlocker may not be as secure as it could be on Windows 10. Windows 10 seems to decrypt data on the drive during feature upgrade processes.

Reasons why Bitlocker is slower on Windows 10


In Why Bitlocker takes longer to complete the encryption in Windows 10 as compared to Windows 7, Microsoft Support Escalation Engineer Ritesh Sinha describes why Bitlocker encryption is slower on Windows 10.

The answer is a bit technical, but it boils down to improvements made to the encryption process itself, and changes that went into Bitlocker that make it somewhat of a different product than the version for Windows 7.

The big change to the encryption process itself is a new conversion mechanism that Microsoft calls Encrypt-On-Write. It ensures that all writes to disk are encrypted as soon as Bitlocker is enabled on the operating system. This works for internal drives only at the moment. Microsoft does not use the new conversion mechanism for removable drives for backwards compatibility reasons.

This change is important for data security: on older versions of Windows you could not safely place important data on a drive before the Bitlocker conversion process reached 100%, because the data might not have been encrypted immediately.

The second reason for conversions to take longer on Windows 10 is that Microsoft configured the Bitlocker process to run less aggressively. This improves system performance while the encryption process is ongoing and results in a longer conversion process.

Microsoft notes that other improvements went into Bitlocker on Windows 10. These have no impact on the encryption process but may be beneficial in certain situations.

This includes support for encrypted hard drives, HDD and SSD hybrid disks, new means of administrating Bitlocker, new FIPS compliance, and Bitlocker Network Unlock.

Closing Words

I have not seen any report on how much longer the Bitlocker encryption process takes on Windows 10 compared to Windows 7.

This is not much of a problem for home users, who typically encrypt a drive once and may notice the extra time only on that one occasion.

The extra time it takes to encrypt drives using Bitlocker on Windows 10 may be an issue however for system administrators who run the operation regularly on company devices.

Now You: Better data security but slower encryption, a good trade off? What's your opinion on this?

Browser Autofill data may be phished http://www.ghacks.net/2017/01/05/browser-autofill-data-may-be-phished/ http://www.ghacks.net/2017/01/05/browser-autofill-data-may-be-phished/#comments Thu, 05 Jan 2017 20:10:33 +0000 http://www.ghacks.net/?p=128640 Most modern web browsers support comfortable features like auto-filling forms on sites using data that you have entered in the past. Instead of having to enter your name, email address or street address whenever you sign up for a new account for instance, you'd fill out the data once only and have the browser fill […]

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post Browser Autofill data may be phished appeared first on gHacks Technology News.

]]>
Most modern web browsers support comfortable features like auto-filling forms on sites using data that you have entered in the past.

Instead of having to enter your name, email address or street address whenever you sign up for a new account for instance, you'd fill out the data once only and have the browser fill out the fields for you any time they are requested afterwards.

But autofill can also be a privacy issue. Imagine a site requesting that you enter your name and email address on a page. You would probably assume that this is the only data it requests, and that your browser will only fill out those fields and nothing else.

Watch what happens when the developer of a site adds hidden fields to a page.


Note that hidden in this regard means that the fields are ordinary, visible inputs that are positioned outside the visible area of the page.

The browser may fill out fields that are there but that you don't see. As you can see, this may include personal data that is submitted to the site without you being aware of it. While you could analyze any page's source code before submitting anything, doing so is highly impractical.

You can download the example index.html file from GitHub. Please note that this appears to work in Chrome but not in Firefox at the time of writing. It is likely that Chrome-based browsers will behave the same.

Chrome will only fill out the following information by default: name, organization, street address, state, province, zip, country, phone number and email address. Note that you may add other data, credit card details for instance, to autofill.

Since there is no way of stopping this from the user's end, it is best right now to disable autofill until the issue gets fixed.

It is interesting to note that this is not a new issue, but one that has been mentioned since at least 2010. A Chromium bug was reported in mid 2012, but it has not found any love yet.

Disable autofill in Chrome


You can disable Google Chrome's autofill functionality in the following way:

  1. Load chrome://settings/ in the web browser's address bar.
  2. Click on "show advanced settings" at the end of the page.
  3. Scroll down to the "passwords and forms" section.
  4. Remove the checkmark from "Enable Autofill to fill out web forms in a single click".

Mozilla Firefox does not seem to be affected by this. You can find out about disabling autofill in Firefox on Mozilla's Support website.

Closing Words

There is the question whether browser add-ons that support automatic form filling may leak data to sites that use hidden form fields as well. I did not test this, but it would be interesting to find out.
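An added example, not code from gHacks, the "Don't touch my tabs!" add-on, the noopener_by_default userscript or the GitHub demo page, serving both this post and the earlier post "Web Security: add rel=noopener to external links": it scans an HTML string and, for the noopener case, adds rel="noopener" to off-origin target="_blank" links, while for the autofill case it flags autofill-eligible inputs hidden by inline styles. The off-screen style patterns and the autofill field-name list are my own heuristics, not a browser's actual rules, and the sample markup in the comments is constructed.

```javascript
// Added example: not code from gHacks, the "Don't touch my tabs!" add-on, the
// noopener_by_default userscript, or the autofill demo page. Two offline checks over an
// HTML string, sharing one small attribute tokenizer:
//   hardenLinks()                  adds rel="noopener" to off-origin target="_blank" links
//   findOffscreenAutofillInputs()  flags autofill-eligible inputs hidden by inline styles
// Both work on raw markup only (inline styles, no stylesheet or script evaluation).

// Tokenize the attribute list of one start tag into {name, value} pairs (value null if bare).
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? null });
  }
  return attrs;
}

function serializeAttrs(attrs) {
  return attrs
    .map(a => (a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`))
    .join(' ');
}

// A link is external when its resolved origin differs from the page origin; relative
// hrefs resolve against the page and are therefore same-origin. An href that does not
// parse is treated as external (fail closed).
function isExternal(href, pageOrigin) {
  try {
    return new URL(href, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch {
    return true;
  }
}

// rel="noopener" makes window.opener null in the opened page, so it cannot rewrite the
// page that linked to it. Existing rel tokens (e.g. nofollow) are preserved.
// Sample (constructed): '<a href="https://example.org/omg.html" target="_blank">omg</a>'
function hardenLinks(html, pageOrigin) {
  let changed = 0;
  const out = html.replace(/<a\b([^>]*)>/gi, (tag, rawAttrs) => {
    const attrs = parseAttrs(rawAttrs);
    const get = n => attrs.find(a => a.name === n);
    const target = get('target');
    const href = get('href');
    if (!target || (target.value ?? '').toLowerCase() !== '_blank') return tag;
    if (!href || href.value === null || !isExternal(href.value, pageOrigin)) return tag;
    const rel = get('rel');
    const tokens = new Set((rel?.value ?? '').toLowerCase().split(/\s+/).filter(Boolean));
    if (tokens.has('noopener')) return tag; // already safe
    tokens.add('noopener');
    if (rel) rel.value = [...tokens].join(' ');
    else attrs.push({ name: 'rel', value: 'noopener' });
    changed++;
    return `<a ${serializeAttrs(attrs)}>`;
  });
  return { html: out, changed };
}

// Field names / autocomplete tokens that address-and-contact autofill fills in
// (my own list, modelled on the data types the post says Chrome fills by default).
const AUTOFILL_HINT = /(^|[-_ ])(name|email|e-mail|tel|phone|address|street|city|state|zip|postal|country|organization|company|cc-|card)/i;
// Inline-style tricks that keep a field in the DOM (so it gets autofilled) but out of sight.
const OFFSCREEN_RE = /display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|(?:left|top)\s*:\s*-\d+(?:px)?|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)/i;

// Sample (constructed): '<input name="phone" style="position:absolute; left:-9999px">'
function findOffscreenAutofillInputs(html) {
  const hits = [];
  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    const get = n => attrs.find(a => a.name === n)?.value ?? null;
    const type = (get('type') ?? 'text').toLowerCase();
    // type="hidden" and non-text controls do not receive contact data from autofill.
    if (['hidden', 'submit', 'button', 'checkbox', 'radio', 'file'].includes(type)) continue;
    const autocomplete = get('autocomplete');
    if (autocomplete && autocomplete.toLowerCase() === 'off') continue;
    const label = autocomplete ?? get('name') ?? get('id') ?? '';
    if (!AUTOFILL_HINT.test(label)) continue;
    const trick = OFFSCREEN_RE.exec(get('style') ?? '');
    if (trick) hits.push({ field: label, reason: trick[0].trim() });
  }
  return hits;
}
```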

RanSim: Test ransomware attacks on your Windows PC http://www.ghacks.net/2016/12/28/ransim-test-ransomware-attacks-windows-pc/ http://www.ghacks.net/2016/12/28/ransim-test-ransomware-attacks-windows-pc/#comments Wed, 28 Dec 2016 10:42:15 +0000 http://www.ghacks.net/?p=127749 Ransim is a ransomware simulator for Windows that simulates attacks of ten ransomware families against the computer system. Ransomware is without doubt a relatively new threat category that has gained some prominence in recent time. Security companies have added ransomware protection to their tools as a response, or released standalone programs with the aim to […]

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post RanSim: Test ransomware attacks on your Windows PC appeared first on gHacks Technology News.

]]>
Ransim is a ransomware simulator for Windows that simulates attacks of ten ransomware families against the computer system.

Ransomware is without doubt a relatively new threat category that has gained prominence in recent times.

Security companies have added ransomware protection to their tools as a response, or released standalone programs with the aim to block ransomware from encrypting files on a computer system.

It is difficult for most users to determine how well anti-ransomware programs protect their systems against ransomware threats. RanSim has been designed to simulate attacks on a computer system to find out if it is protected against ten common ransomware attacks.

RanSim


You are asked to fill out information on the developer website before download options are provided. I suggest you download the program from Major Geeks or another third-party download repository instead.

The program makers suggest that you keep your security software configured as is to simulate a real-world attack scenario. This may be problematic however in some cases. The new Malwarebytes Premium for instance blocked the execution of RanSim on target systems.

RanSim's interface is easy to use. It offers information on the ransomware test scenarios, and a single button that you may click on to start the test.

The test should not take longer than a minute to complete. The program will download test files from the Internet, but won't harm any files on the local system. It will enumerate the files though and display information on the vulnerability of these files.

It tests the following ransomware scenarios:

  1. InsideCryptor -- encrypts files using strong encryption and overwrites most of the content of the original files with the encrypted data.
  2. LockyVariant -- simulates the behavior of a recent version of the Locky ransomware.
  3. Mover -- encrypts files in a different folder using strong encryption and safely deletes the original files.
  4. Replacer -- replaces the content of the original files. Real ransomware would show a message that fools users into thinking they can recover them.
  5. Streamer -- encrypts files and writes the data into a single file, using strong encryption, then deletes the original files.
  6. StrongCryptor -- encrypts files using strong encryption and safely deletes the original files.
  7. StrongCryptorFast -- encrypts files using strong encryption and deletes the original files.
  8. StrongCryptorNet -- encrypts files using strong encryption and deletes the original files. It also simulates sending the encryption key to a server using an HTTP connection.
  9. ThorVariant -- simulates the behavior of a recent version of the Thor ransomware.
  10. WeakCryptor -- encrypts files using weak encryption and deletes the original files.

RanSim lists the number of successful and unsuccessful attacks during the test.

Closing Words

Select anti-ransomware software won't block RanSim from execution. This is for instance the case for RansomFree which creates its own dummy files that it monitors. Other security software may block the execution of the application.

This makes the program unusable on those machines. Still, if it works, it may be an eye opener if the anti-ransomware protection does not protect against the simulated attacks.
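To make the canary-file approach attributed to RansomFree above concrete, here is an added Python example; it is not code from RanSim or RansomFree. It plants low-entropy decoy files, records their SHA-256 hashes, and then classifies what happened to each decoy, mapping the outcomes onto the scenario types RanSim lists: a missing decoy (encrypt-elsewhere-and-delete, as in Mover or StrongCryptor), a changed decoy with near-random content (in-place encryption, as in InsideCryptor) and a changed decoy with readable content (Replacer). The decoy file names, the 7.0 bits-per-byte entropy threshold and the demo() function are assumptions made for the illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Hypothetical names and thresholds: this is an added illustration, not
# RanSim's or RansomFree's own code.
DECOY_PREFIX = "~decoy_"
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text sits well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(directory: str, count: int = 3) -> dict:
    """Write low-entropy decoy files and record their SHA-256 baseline."""
    baseline = {}
    for i in range(count):
        path = os.path.join(directory, f"{DECOY_PREFIX}{i:02d}.docx")
        content = (f"Decoy document {i}. Nobody should ever edit this file.\n" * 50).encode()
        with open(path, "wb") as fh:
            fh.write(content)
        baseline[path] = hashlib.sha256(content).hexdigest()
    return baseline


def check_decoys(baseline: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Compare decoys against the baseline and classify what happened to each one.

    - missing file           -> "deleted"   (Mover/StrongCryptor-style delete after copy)
    - changed, high entropy  -> "encrypted" (in-place overwrite with ciphertext)
    - changed, low entropy   -> "modified"  (Replacer-style content replacement)
    """
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append({"path": path, "event": "deleted", "entropy": None})
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() == expected:
            continue  # untouched
        ent = shannon_entropy(data)
        event = "encrypted" if ent >= threshold else "modified"
        alerts.append({"path": path, "event": event, "entropy": round(ent, 2)})
    return alerts


def demo() -> tuple:
    """Plant decoys in a temp dir, simulate three scenarios, return (before, after) alerts."""
    workdir = tempfile.mkdtemp(prefix="ransim_canary_")
    baseline = plant_decoys(workdir)
    before = check_decoys(baseline)          # untouched decoys: expect no alerts
    paths = list(baseline)
    with open(paths[0], "wb") as fh:         # simulate in-place encryption
        fh.write(os.urandom(4096))
    os.remove(paths[1])                      # simulate encrypt-elsewhere-and-delete
    with open(paths[2], "wb") as fh:         # simulate Replacer: readable ransom text
        fh.write(b"Your files are gone. Pay to recover them.\n" * 20)
    after = check_decoys(baseline)
    return before, after


if __name__ == "__main__":
    for alert in demo()[1]:
        print(alert)
```

The demo only tampers with its own decoys in a temporary directory, so it is safe to run; a real monitor would watch the decoys continuously (with a file-system watcher, for instance) and react before the encryption loop reaches user data. Weak-encryption scenarios such as WeakCryptor may not push the entropy above the threshold, which is why a hash mismatch alone already raises an alert.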

Now You: Best protection against ransomware?

The post RanSim: Test ransomware attacks on your Windows PC appeared first on gHacks Technology News.

Netgear releases first final firmware updates for router security issue
http://www.ghacks.net/2016/12/21/netgear-releases-first-final-firmware-updates-for-router-security-issue/
Wed, 21 Dec 2016 11:00:50 +0000

Netgear has released the first batch of production firmware fixes for company routers affected by a serious security vulnerability.

CERT issued a warning on December 9, 2016 that several Netgear routers are vulnerable to arbitrary command injection. CERT listed only two router models initially but has since added other models to the list.

Currently, the Netgear routers R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, and D6400 are affected by the vulnerability.

The attacker needs to convince a user to follow a link to a specially crafted web page. An attacker on the same local area network may do the same by issuing a direct request using the syntax http://<router_IP>/cgi-bin/;COMMAND.

In either case, the attacker may execute commands with root privileges on the affected router. The request http://RouterIP/;telnetd$IFS-p$IFS'45' will, for instance, open a Telnet server on port 45.
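As an added example (not from the article, CERT or Netgear), the following Python snippet shows how a defender could spot the request pattern described above in a web server or proxy log. It parses Common Log Format lines, percent-decodes the request path, and flags the two indicators present in the published syntax: a semicolon directly after a path separator, and the $IFS variable used as a whitespace substitute. The log lines are constructed for the example; the regular expressions and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real Netgear logs.
# The first two injection paths are the ones quoted in the article; the third is
# the same pattern with the semicolon URL-encoded, which a naive substring match misses.
SAMPLE_LOG = """\
192.168.1.23 - - [21/Dec/2016:10:01:02 +0000] "GET /cgi-bin/;COMMAND HTTP/1.1" 200 512
192.168.1.23 - - [21/Dec/2016:10:01:05 +0000] "GET /index.htm HTTP/1.1" 200 4096
192.168.1.42 - - [21/Dec/2016:10:02:11 +0000] "GET /;telnetd$IFS-p$IFS'45' HTTP/1.1" 200 0
192.168.1.42 - - [21/Dec/2016:10:02:12 +0000] "GET /cgi-bin/%3BCOMMAND HTTP/1.1" 200 0
192.168.1.7 - - [21/Dec/2016:10:03:00 +0000] "GET /start.htm HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path PROTOCOL" ...
_REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

# Indicators taken from the syntax described in the article:
#   http://<router_IP>/cgi-bin/;COMMAND  and  http://RouterIP/;telnetd$IFS-p$IFS'45'
# A legitimate path never has ';' directly after '/', and $IFS (the shell's
# field separator, abused as a space substitute) never belongs in a URL.
_SEMICOLON_AFTER_SLASH = re.compile(r"/;")
_IFS_VARIABLE = re.compile(r"\$IFS")


def parse_request(line: str):
    """Return (client, method, decoded path) or None for lines that do not parse."""
    m = _REQUEST_RE.match(line)
    if m is None:
        return None
    # Decode percent-encoding so "%3B" is inspected as ";".
    return m.group("src"), m.group("method"), unquote(m.group("path"))


def injection_indicators(path: str) -> list:
    """List the command-injection indicators present in a decoded request path."""
    reasons = []
    if _SEMICOLON_AFTER_SLASH.search(path):
        reasons.append("semicolon directly after path separator")
    if _IFS_VARIABLE.search(path):
        reasons.append("$IFS used as whitespace substitute")
    return reasons


def detect_command_injection(log_text: str) -> list:
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        src, method, path = parsed
        reasons = injection_indicators(path)
        if reasons:
            findings.append({"src": src, "method": method, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_command_injection(SAMPLE_LOG):
        print(f'{finding["src"]} {finding["path"]} -> {", ".join(finding["reasons"])}')
```

Percent-decoding before matching matters: a request for /cgi-bin/%3BCOMMAND is the same injection with the semicolon encoded, and a plain substring match on ";" would miss it. Run over real logs, the detector is a triage aid for the affected models, not a substitute for installing the firmware update.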

Netgear router firmware updates

netgear router update

Netgear has released firmware updates for affected routers. The first firmware updates the company released were labeled beta. Production (stable) firmware has now been released for the first four models: R6250, R6400, R7000 and R8000.

  1. R6250 Firmware Version 1.0.4.6
  2. R6400 Firmware Version 1.0.1.18
  3. R7000 Firmware Version 1.0.7.6
  4. R8000 Firmware Version 1.0.3.26

Additionally, beta firmware releases for the following Netgear routers are also still available:

  1. R6700 Firmware Version 1.0.1.14 (Beta)
  2. R6900 Firmware Version 1.0.1.14 (Beta)
  3. R7100LG Firmware Version 1.0.0.28 (Beta)
  4. R7300DST Firmware Version 1.0.0.46 (Beta)
  5. R7900 Firmware Version 1.0.1.8 (Beta)

Netgear notes that it continues to review its entire portfolio of routers to find out if other router models are affected by the vulnerability as well.

Instructions on how to download and install these firmware updates on the router are available on the Netgear support pages.

The instructions are all very similar: download the firmware file (it has a .chk extension) to the local computer, log in to the router via http://www.routerlogin.net, and select Advanced > Administration > Firmware Upgrade. Click Browse, select the firmware file you just downloaded, and click Upload to upgrade the router. Wait for the process to complete, and do not power off the device or change its state while the upgrade runs.

The main support page on the Netgear website that lists all affected routers and links to firmware updates is available here. Netgear will update that page when it releases production firmware for routers that currently have beta firmware, and will list any newly affected router models there as well.

Avira Password Manager review
http://www.ghacks.net/2016/12/16/avira-password-manager-review/
Fri, 16 Dec 2016 06:31:11 +0000

Avira Password Manager is a new security product by German company Avira which is probably best known for its antivirus offerings.

The password manager niche is crowded, and if you want to conquer it with a new product, you better make sure it is offering something unique.

Avira's reputation may certainly help the company acquire customers for its password manager.

The announcement over on the Avira blog leaves quite a few questions unanswered. Avira mentions that the password manager will be offered as a free and pro version, and that all pro features are unlocked in the free version until March 2017.

This includes the ability to back up passwords, and synchronize the data across multiple devices, and to access and manage all passwords from an online dashboard.

This reads as if the free version is only good for running it on a single device. The price of the Pro version has not been revealed yet, neither have the actual limitations of the free version.

Avira Password Manager

avira password manager

You need to sign in to an Avira account or create a new one to use the password manager. Once that is out of the way, you are asked to enter the master password twice. Since it protects all stored data, it is recommended to choose a secure one.

The password manager itself is available for Firefox, Chrome and the company's own Scout browser, as well as Android and iOS. It installs without issues and is configured to trigger on certain events automatically.

This includes logging you in automatically, suggesting passwords, filling email addresses automatically, and asking before saving accounts.

You may import passwords from a number of popular password management programs and solutions such as LastPass, KeePass, RoboForm, Dashlane or 1Password, or import data using plain CSV files.

avira password manager generate passwords

The automatic functionality that the password manager offers works well on sites that display the login form directly.

Funny anecdote: Avira Password Manager does not work on Avira's own website at all. It won't log you in automatically, nor will it suggest passwords or fill out your email address when you register a new account there.

The online dashboard displays an option to look up the login history. This reveals when the Avira Password Manager account was accessed. Another useful feature of the program is that it can lock automatically.

How does it compare to other password managers?

Avira Password Manager is rather bare bones right now. I mentioned already that it does not work on all sites, but that is probably true for all password managers with auto-fill functionality.

What weighs more is that it does not support two-factor authentication and that it offers no option to add notes or additional data fields to the database. The latter means that you cannot store the answers to security questions in the password manager, nor any other kind of note that you may require.

If you dig deeper, you will notice that it lacks features such as grouping, automatic clipboard erasing, or support for adding files to password entries (PGP signatures come to mind).

To be fair, not all users need these features but having them would certainly increase the appeal of the password manager.

Closing Words

Avira Password Manager suffers from a couple of oversights, namely a lack of information regarding the limitations of the free version, and a lack of features. Add to that the fact that the password manager does not work on Avira's own site, and you get a product that you may not want to use right now.

This could change in the future if Avira continues to improve the program.

Now You: What's your favorite password manager and why? Mine is KeePass, but you know that already.

Malwarebytes Anti-Exploit Standalone information
http://www.ghacks.net/2016/12/12/malwarebytes-anti-exploit-standalone-information/
Mon, 12 Dec 2016 06:11:29 +0000

Malwarebytes 3.0, released a couple of days ago, marks a big jump from the company's previous policy of releasing individual security tools.

Instead of offering Malwarebytes Anti-Malware, Anti-Exploit and Anti-Ransomware as individual downloads and installations, Malwarebytes decided to integrate them all in one product.

The new Malwarebytes 3.0 looks on first glance like an upgrade of Anti-Malware, but there are differences.

Free users get on-demand scan functionality like before, but access to Anti-Exploit or Anti-Ransomware is only granted for paying customers.

The standalone version of Anti-Exploit was offered as a free and paid version, and Anti-Ransomware was only available as a free beta prior to the release.

Malwarebytes Anti-Exploit Standalone information

malwarebytes free anti exploit

Malwarebytes not only released Malwarebytes 3.0 Free and Premium to the public, it also removed the links to the Anti-Exploit and Anti-Ransomware standalone versions from its website.

Furthermore, if Malwarebytes 3.0 gets installed on a system, all previous versions of Anti-Malware, Anti-Exploit and Anti-Ransomware get removed in the process.

This is the case even if Malwarebytes 3.0 Free is used (which does not support Anti-Exploit and Anti-Ransomware). If Anti-Exploit

Some users assumed that this was done to entice upgrades to the premium version of Malwarebytes 3.0.

First of all, let's find out if you can run Anti-Exploit standalone next to Malwarebytes 3.0 Free.

While Anti-Exploit -- Free or Premium -- gets removed when you install Malwarebytes 3.0 on your computer, nothing is preventing the installation of the program afterwards.

So, all you need to do is find a copy of the last Anti-Exploit installer, and install the program anew after you installed Malwarebytes 3.0 on your computer.

You find a download link of the latest build on the official Malwarebytes forum.

Please note that the file will be removed eventually.

The future of Anti-Exploit standalone

The Malwarebytes forum is also the place where you get information on the future of an Anti-Exploit standalone version.

The company plans to offer a "perpetual beta" version of Anti-Exploit for free.

Malwarebytes Anti-Exploit standalone (MBAE) will from now on be offered as a perpetual beta product. The standalone MBAE will incorporate new protection techniques for fine-tuning purposes before they are integrated into the Malwarebytes 3.x product.

The idea here is similar to what Microsoft does with its Windows 10 Insider program. Let users test beta versions of a product so that bugs and other issues are discovered before updates make it into the core version.

The new Anti-Exploit standalone beta has not been released yet by Malwarebytes, but the previous version installs just fine for the time being (it was released on December 5, 2016).

Closing Words

There you have it. Anti-Exploit standalone is still a thing, but only in the form of a beta that will never become a stable version. No word on Anti-Ransomware standalone at this point in time. I assume you can install the standalone version as well on a system running Malwarebytes 3.0 if you can get hold of an installer.

Now You: Did you make the upgrade to Malwarebytes 3.0? What's your opinion so far?

Password Use Study: massive reuse of passwords
http://www.ghacks.net/2016/12/09/password-use-study-massive-reuse-of-passwords/
Fri, 09 Dec 2016 11:03:24 +0000

A recent password use study by the German Hasso-Plattner-Institute of roughly 1 billion user accounts concluded that 20% of users were reusing passwords. Additionally, 27% of users used passwords that were nearly identical to other account passwords.

User accounts and passwords are still the dominating method of authentication both locally and online.

While companies work on replacing passwords with other methods, think password pills and tattoos, or the increasing use of authentication apps and biometric authentication means, nothing is out there that has replaced the good old username and password combination yet.

The authentication scheme has its flaws. Three major ones are that passwords, or their hashes, may be stolen when servers are attacked successfully, that weak passwords are common, and that nothing is keeping users from reusing passwords.

These hacks happen frequently, and they hit smaller and larger companies. It is likely that some are not made public at all, but the list of companies that disclosed successful hacks recently includes Yahoo, Dailymotion, VK, MySpace, Friend Finder Network, or Brazzers.

Password Use Study: massive reuse of passwords

password leak

Researchers of the institute analyzed about 1 billion user accounts. The data came from 31 leaks that were made public either by the attackers themselves or by buyers.

About 68.5 million email addresses appeared multiple times in the database; that is about 20% of all user accounts found in the data according to the researchers.

About 27% of all user-selected passwords were at least 70% identical to other passwords used by the same user. This indicates minor changes to a core password, for instance by using "princess" as the core password and variations such as "pr1ncess", "princess1" or "princ3ss".

These variations are sometimes used if a site's password policy requires special characters, numbers, or other characters that are absent in the core password.
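As an added illustration of what "at least 70% identical" can mean in practice, the following Python example audits a small constructed set of accounts for exact and near-duplicate passwords built around the same core word. The article does not state the institute's exact metric, so normalized Levenshtein similarity is an assumption made here; this is not the study's code, and the account labels and sample passwords are constructed.

```python
# Added illustration of near-duplicate password detection. The study's exact
# similarity metric is not stated in the article; normalized Levenshtein
# similarity is an assumption used here to make "70% identical" concrete.


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # deletion
                current[j - 1] + 1,            # insertion
                previous[j - 1] + (ca != cb),  # substitution (0 if equal)
            ))
        previous = current
    return previous[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for nothing in common, normalized by the longer length."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def audit_reuse(accounts: dict, threshold: float = 0.70) -> list:
    """Report account pairs whose passwords are exact or near duplicates.

    accounts maps an account label to its password (a self-audit of a local
    vault export, for instance). Returns (label_a, label_b, kind, score).
    """
    items = list(accounts.items())
    hits = []
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            (site_a, pw_a), (site_b, pw_b) = items[i], items[j]
            score = similarity(pw_a, pw_b)
            if score >= threshold:
                kind = "exact reuse" if score == 1.0 else "near duplicate"
                hits.append((site_a, site_b, kind, round(score, 3)))
    return hits


# Constructed sample vault: the "princess" family from the article, one exact
# reuse of the core password, and one unrelated generated password.
SAMPLE_ACCOUNTS = {
    "shop": "princess",
    "mail": "pr1ncess",
    "forum": "princess1",
    "cloud": "princess",
    "bank": "7kQ#w2Lp!9",
}

if __name__ == "__main__":
    for site_a, site_b, kind, score in audit_reuse(SAMPLE_ACCOUNTS):
        print(f"{site_a} / {site_b}: {kind} ({score:.0%} similar)")
```

Run against an export from your own password manager, the audit surfaces the "princess" family as one cluster: a single substituted character or an appended digit scores far above the 0.70 threshold, which is why one leaked password endangers every account that uses a variation of it, and why unrelated, generated passwords per site are the fix.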

The most common passwords are "123456", "123456789", "111111", "qwerty", and "12345678" according to the study.

Check your email address

check email leaks

The institute runs an email checker that you may use to find out if the entered email address appeared in one of the leaks.

All you need to do is enter your email address, click on the check button, and wait for the results to arrive in your email inbox.

If your address appears in one of the leaks, it is suggested to change the password immediately to avoid abuse. It is also recommended to change the password at any other service where you have reused it.

The institute is bound to German (privacy) laws. The (German) press release that announced results of the study is available here.

Now You: How do you handle passwords?

Malwarebytes 3.0: new all-in-one protection
http://www.ghacks.net/2016/12/08/malwarebytes-3-0-new-all-in-one-protection/
Thu, 08 Dec 2016 13:23:52 +0000

Malwarebytes 3.0 is a new product by Malwarebytes, makers of security software that unifies the company's main security products in a single program.

Home users had the choice between three different products for Windows desktop PCs up until now: There was Malwarebytes Anti-Malware, Malwarebytes Anti-Exploit, and Malwarebytes Anti-Ransomware.

The first two products were available as free and premium versions, Anti-Ransomware as a free beta release.

This meant that users had to install up to three programs on their system, all with their own interface, notification system and controls, to get the full level of protection that Malwarebytes products offered.

Malwarebytes 3.0

malwarebytes 3.0

Malwarebytes 3.0 unifies the three products into a single one. This offers several advantages, most notably access to a single user interface for managing these three products. Instead of having to juggle between three different programs, all options and logs are now presented in a single interface.

Good news: Malwarebytes 3.0 comes as a free and premium version. The free version offers a manual scanner only that detects and cleans the system when you run it, the premium version offers real-time protection against threats. This is identical to how Malwarebytes Anti-Malware handled things previously.

Not so good news: The Malwarebytes Anti-Exploit and Anti-Ransomware programs are no longer available as standalone downloads. The only way to retain access to them is to not install Malwarebytes 3.0.

Installation of the new Malwarebytes works as you'd expect it to. The installer detects previous versions of Anti-Malware, Anti-Exploit and Anti-Ransomware, and removes them in the process.

Both Malwarebytes products were removed on a test system that had Malwarebytes Anti-Malware Premium and Anti-Exploit installed when the new Malwarebytes 3.0 was installed.

You can check your account status by selecting Settings > My Account > Subscription Details. The edition (premium or not), as well as the status (never expires, expires..) are listed there.

Your premium account is upgraded to the new version automatically. Anti-Exploit and Anti-Ransomware protection are only available in Malwarebytes 3.0 Premium.

If you are a lifetime license owner, that license is also carried over. So, all is good in this regard.

If you have an Anti-Malware and an Anti-Exploit subscription, Malwarebytes will merge them into a single Malwarebytes 3.0 subscription, reduce the subscription price, and add more licenses to the subscription, the company states in the announcement post on the official blog.

Changes

malwarebytes 3.0 premium

As far as other changes are concerned, there are plenty as well. Malwarebytes states that scan speeds have improved by a factor of up to four, that fewer reboots will be required after certain malware events, and that the advanced heuristic engine is enabled by default in the new version.

The user interface has been redesigned to accommodate the new features, and premium users benefit from Windows Action Center / Windows Security Center integration.

One other thing that is different is that update checks are now done automatically, so that they don't need to be scheduled anymore. You can disable that behavior under Settings > Application > Application Updates.

The new interface offers improved keyboard navigation and screen reader support on top of that.

Malwarebytes 3.0.5

Malwarebytes 3.0.5 was released on December 19, 2016. The release is a bug fix release that fixes several high-profile bugs in the application, including:

  1. Installation errors.
  2. Slow shutdown issue on Windows 7 with Malware Protection enabled.
  3. Fixed a conflict with Kaspersky.
  4. Improved upgrade experience.

Malwarebytes 3.0.6

Malwarebytes 3.0.6 was released on January 26, 2017. It is a bug fix release that improves stability and performance of the application.

Highlights of the release are:

  1. Malware detection and remediation improvements.
  2. Performance improvements, e.g. startup and shutdown time.
  3. Memory Leaks fixed, and CPU usage reduced after scans.
  4. Fixed several crash and BSOD bugs.

Closing Words

The new Malwarebytes 3.0 is an improvement, especially for users who run multiple Malwarebytes products on their computer systems. Instead of having to juggle between multiple programs, all is handled from a single process and interface now.

The way the upgrade is handled deserves praise for the most part as well. Malwarebytes honors lifetime licenses, and gives premium users an upgrade to the new version for free, even if they have not bought the premium version of the Anti-Exploit tool.

The one downside to it all is that ransomware and exploit protection is only available in the premium version of Malwarebytes 3.0, and that the standalone versions appear to have been removed.

This puts free users in a difficult spot. They can either upgrade to the new Malwarebytes 3.0 Free version and get their Anti-Exploit or Anti-Ransomware installations removed in the process, or stay with the old version that won't be updated anymore to keep on using those programs.

Now You: What's your take on the new Malwarebytes 3.0?

Flash tops the Exploit Kits Chart in 2016 again
http://www.ghacks.net/2016/12/07/flash-tops-the-exploit-kits-chart-in-2016/
Wed, 07 Dec 2016 14:46:54 +0000

If you needed another reason not to use Flash anymore, a new security report by Recorded Future may convince you to consider this at the very least.

The company analyzed 141 exploit kits that were available between November 16, 2015 and November 15, 2016.

The main takeaway of the research study is that Adobe Flash vulnerabilities made up six of the top ten chart spots.

Flash was not the only software that exploit kits targeted in the past year though. In fact, a vulnerability in Microsoft Internet Explorer tops the chart, followed by three Flash vulnerabilities and then a Microsoft Silverlight vulnerability.

A Windows vulnerability comes in at seven, and another Internet Explorer vulnerability at nine. The remaining places are all filled by Flash vulnerabilities.

top vulnerabilities 2016

via https://www.recordedfuture.com/top-vulnerabilities-2016/

Flash did better this year than last year. Last year, Flash topped the first eight places of the top ten vulnerabilities list used by exploit kits, with Internet Explorer and Silverlight taking up the last two spots.

As far as the methodology Recorded Future used to generate the report is concerned: the company did not reverse engineer exploit kits or use other forms of direct analysis. Instead, it used meta information available on the Internet to compute the ranking.

Recorded Future did not reverse engineer any malware mentioned in this analysis and instead performed a meta-analysis of available information from the web. Exploits for dozens of other vulnerabilities are currently employed by EKs and this report’s intent is to highlight top targets of popular exploit kits.

This means that the vulnerabilities are not necessarily graded by severity, or impact on user systems. Instead, the vulnerabilities are graded by references made to them on security sites, forums and such.

This can be easily seen by looking at the vulnerability adoption by exploit kit chart that the company created.

top-vulnerabilities-2016-2

via https://www.recordedfuture.com/top-vulnerabilities-2016/

While the first five vulnerabilities listed were all exploited by three or four exploit kits, it was the Flash vulnerability in the tenth spot that was exploited the most (seven times).

The report ends with recommendations. These include the usual: patch your system and software, remove software if it is not required for core business processes, enable click to play, use script blockers, create frequent backups, and use Chrome if possible.

The top 10 vulnerabilities

  1. CVE-2016-0189 -- The Microsoft JScript 5.8 and VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability".
  2. CVE-2016-1019 -- Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016.
  3. CVE-2016-4117 -- Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.
  4. CVE-2015-8651 -- Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.
  5. CVE-2016-0034 -- Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site.
  6. CVE-2016-1010 -- Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors.
  7. CVE-2016-4113 -- Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors.
  8. CVE-2015-8446 -- Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via an MP3 file with COMM tags that are mishandled during memory allocation.
  9. CVE-2016-3298 -- Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site.
  10. CVE-2015-7645 -- Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.

BitLocker bypass on Windows 10 through upgrades http://www.ghacks.net/2016/11/30/bitlocker-bypass-on-windows-10-through-upgrades/ http://www.ghacks.net/2016/11/30/bitlocker-bypass-on-windows-10-through-upgrades/#comments Wed, 30 Nov 2016 12:45:43 +0000 http://www.ghacks.net/?p=126476 A security researcher discovered a new issue in Microsoft's Windows 10 operating system that allows attackers to gain access to BitLocker encrypted data. A post on the Win-Fu blog highlights the method. Basically, what the method does is exploit a troubleshooting feature that is enabled during the upgrade process. There is a small but CRAZY […]
A security researcher discovered a new issue in Microsoft's Windows 10 operating system that allows attackers to gain access to BitLocker encrypted data.

A post on the Win-Fu blog highlights the method. Basically, what the method does is exploit a troubleshooting feature that is enabled during the upgrade process.

There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine, and the image is installed by a small version of Windows called Windows PE (Preinstallation Environment).

This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.

If you press Shift-F10, you open a command prompt window which lets you access the storage devices of the operating system.

Since BitLocker protection is disabled during upgrades, it means that anyone exploiting the issue gets access to all files that are usually encrypted by BitLocker.

BitLocker bypass on Windows 10 through upgrades

The method works currently when updating the original Windows 10 release build to the November update version 1511 or the Anniversary update version 1607. Furthermore, it works on any new Insider Build that Microsoft puts out, at least for the time being.

The main issue, as noted by Sami Laiho, the researcher who disclosed the issue, is that anyone with local access to the machine may exploit it. Administrative access is not required, and neither is any special software, setting or hardware on the Windows device.

Since this is a local issue, it cannot be exploited remotely. Anyone with local access to a Windows machine, on the other hand, may exploit it. If that person is a regular user, they may configure Windows 10 to receive Windows Insider builds unless a system administrator has prevented this.

Companies therefore should disallow the switching on of Windows Insider builds for machines running Windows 10.

This is done in the following way:

  1. Tap on the Windows-key, type regedit.exe and hit the Enter-key.
  2. Navigate to the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility
  3. Right-click Visibility, and select New > DWORD (32-bit) Value.
  4. Name it HideInsiderPage.
  5. Double-click on the new value and set it to 1.

You can undo the change at any time by deleting the value, or by setting it to 0.

Companies may also want to disallow unattended upgrades (not updates necessarily) on Windows 10 machines to prevent the issue from being exploited.

Closing Words

The disclosed security issue is problematic for BitLocker protected devices that run Windows 10. The main issue here is of course the exposure of protected files during upgrade processes.

Microsoft: Windows 10 makes EMET unnecessary. Study: Nope
http://www.ghacks.net/2016/11/24/microsoft-windows-10-emet-unnecessary/ (Thu, 24 Nov 2016)
Microsoft plans to discontinue support for its Enhanced Mitigation Experience Toolkit in July 2018, and won't release a new version of EMET either.

This makes EMET 5.51 the last release version of the anti-exploit security software for Windows. The reason given by Microsoft was that Windows 10, Microsoft's new operating system, includes all the mitigation features "that EMET administrators have come to rely on" as well as new mitigations that are not part of EMET.

Microsoft stated openly that Windows 10 includes security features so that it is no longer necessary to run EMET (and thus for Microsoft to support it).

Windows 10 and EMET

EMET protection is divided into system-wide protection, and application-specific protection.

Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Address Space Layout Randomization (ASLR), Certificate Trust (Pinning), and Block Untrusted Fonts (Fonts) fall in the first group.

Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Null Page Allocation (NullPage), Heapspray Allocations (HeapSpray), Export Address Table Access Filtering (EAF), Export Address Table Access Filtering Plus (EAF+), Mandatory Address Space Layout Randomization (ASLR), Bottom-Up Randomization (BottomUpASLR), ROP Mitigations (LoadLib, MemProt, Caller, SimExecFlow, StackPivot), Attack Surface Reduction (ASR) and Block Untrusted Fonts (Fonts) fall in the second group.

Will Dormann at Carnegie Mellon University's Software Engineering Institute created the following table that lists for each mitigation whether it is included in Windows 7 or 10, or in Windows 7 or 10 with EMET installed.

If you look at the table, you will notice quickly that vanilla Windows 10 does not offer the same level of protection as Windows 10 with EMET running.

The same can be said for the comparison of vanilla Windows 10 and Windows 7 that is running EMET.

While it is true that Windows 10 supports several application mitigations out of the box, namely DEP, SEHOP, ASLR and BottomUpASLR, it is clear that the operating system does not include all protective features that EMET offers. Protective features in this regard mean application mitigations such as HeapSpray, EAF, MemProt or ASR.

The options that Windows 10 does support are not enabled by default and need to be enabled in the Group Policy Editor.

The researcher comes to the conclusion that Microsoft's implication that users don't need EMET if they run Windows 10 is not true.

Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does.

He notes furthermore that Windows 10 does ship with additional protective measures, but that programs need to take advantage of them, and that this does not account for all the protective measures that EMET offers.

His recommendation is to use EMET where possible, with application-specific mitigations configured by system administrators or users. If that is not possible for whatever reason, the next best thing is to configure the mitigations that can be applied to Windows 10 without EMET. (via Deskmodder)

Alternatives to EMET are Malwarebytes Anti-Exploit (also available in Malwarebytes Premium), and HitmanPro.Alert.

Now You: Do you run anti-exploit software?

Malwarebytes releases Telecrypt ransomware Decrypter
http://www.ghacks.net/2016/11/23/malwarebytes-releases-telecrypt-ransomware-decrypter/ (Wed, 23 Nov 2016)
Malwarebytes Telecrypt Decryptor is a free program for devices running Microsoft Windows to decrypt files that are encrypted by the ransomware Telecrypt.

Telecrypt is a rather troubling piece of ransomware that is distributed through various means including emails, exploits, and drive by downloads.

What makes Telecrypt special is that it uses the API of the popular messaging service Telegram for communication, and not a control server or servers on the Internet.

Telegram communication is encrypted, and the team behind the service has released an open API and protocol for anyone to use.

Telecrypt encrypts files on the system and launches a program which informs users about the encryption. The ransomware looks for more than a hundred different file types including jpg, xlsx, docx, mp3, 7z, torrent or ppt.

Malwarebytes Telecrypt Decryptor

The decrypter has been developed by Malwarebytes. It requires that you have access to a good copy of one of the encrypted files. The file type does not matter at all.

Your best chances are backups, online cloud storage used by sync software, or any other form of backup space that you may have access to. A suggestion that Malwarebytes has is to use the sample photos that Windows ships with, as they are usually easy to get hold of. You may also re-download email attachments if email is kept on a mail server.

You need to load the encrypted file, and the good copy, on the screen that opens. Once you have done so, click the start button and follow the process.

Telecrypt Decryptor verifies the files that you have supplied. If the files match and are encrypted by the encryption scheme that Telecrypt uses, you are taken to the second page of the program interface.

Here you may either add the list of files that the ransomware has encrypted on the device, or may point the program to a single folder containing encrypted files.

You may copy any encrypted files to a single folder location, and pick the folder decrypt option to decrypt all files copied to the folder at once.

It is suggested that you work with backup files and not the original files to avoid any issues that may arise during the process.

You find additional instructions and screenshots on the Malwarebytes blog.

Now You: Have you ever been the victim of a ransomware attack?

KeePass audit: no critical security vulnerabilities found
http://www.ghacks.net/2016/11/22/keepass-audit-no-critical-security-vulnerabilities-found/ (Tue, 22 Nov 2016)
We reported back in June 2016 that KeePass, a popular password manager, was getting a security audit by the European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA).

EU-FOSSA is a pilot project to create a formal process for contributing software security reviews to open source communities.

The project created an inventory of open source solutions used by the Commission, published studies into the security practices of 14 open source communities, and reviewed two popular open source solutions.

KeePass is a password manager created for Windows -- also working on Linux -- that uses a locally stored encrypted database.

The program ships with an impressive list of options. You can enable a global login shortcut for instance, or improve security of KeePass by modifying settings.

The password manager supports plugins and forks thanks to its open source nature. Plugins enable users to extend the program's functionality, for instance by integrating it in web browsers or synchronizing the database using online storage providers.

KeePass audit

The research team audited the code of KeePass 1.31, not KeePass 2.34. While KeePass 2.34 is not mentioned anywhere in the report, it appears reasonable to assume that it would fare similarly in a code audit.

KeePass 1.x is the legacy version of the password manager. The version does not require Microsoft .NET but lacks features that only KeePass 2.x ships with. It does not support linking KeePass to the Windows user account or one-time passwords for instance. You find a full edition comparison table here.

The KeePass audit went through all 84622 lines of code and found no critical or high-risk issues in the code. It did find five medium rated, three low rated, and six information only rated issues however.

No critical or high-risk findings were detected. Among the remaining findings, five medium and three low risk results were detected. The remaining six were of an informative nature.

The issues that were found by the researchers are detailed in the audit report, which you can download from the project deliveries page on the EU-FOSSA website. The Apache security audit is listed there as well (look under WP6: sample code review near the bottom of the page).

Closing Words

KeePass is an excellent, secure password manager for Windows. The results of the code audit suggest that it is a well designed program with no critical or high risk issues.

Now You: Which password manager are you using and why?

Deterministic password manager Issues
http://www.ghacks.net/2016/11/07/deterministic-password-manager-issues/ (Mon, 07 Nov 2016)
If you have read our article on password managers that don't store passwords here on Ghacks, you already know what deterministic or stateless password managers are.

Broken down to the basics, these password managers don't store passwords or account information. Instead of using local or remote storage for a password database, they rely on algorithms to generate passwords on the fly.

How is that done? Through algorithms that compute passwords from the master password and other data that the user enters.

Again, at the very basic level, a password would come out when you enter the master password and the domain of a site.

The main advantage is that there is no syncing or password storage involved, at least not on the basic level.

This means that you can generate your passwords on any device if you use a program, app or online service that offers such a solution without having to sync your password database.

Deterministic password manager Issues

If you look closer, or use such a service for a while, you may realize that deterministic password managers have a couple of issues.

While you may still use a password manager with a deterministic approach, you should be well aware of them before you make the decision.

Master Password

If you want to change the master password, you need to change all passwords on all sites as well, as the master password is one key component that is used to generate the passwords.

So, if your master password gets hacked or leaks accidentally, then you need to go ahead and change passwords on all sites.

Changing Passwords

Basic stateless password managers don't offer options to change individual passwords. If you need a password changed, you need to change the master password which in turn requires all other passwords to be changed as well.

More sophisticated solutions ship with options to change a variable to generate a new password for a single site.

Algorithms

The algorithm that computes the passwords cannot be changed easily. If it changes so that different passwords are generated from the same master password and site information, then every site password has to be changed as well when the system is updated to the new version.

Algorithm changes may be necessary if flaws are discovered in the implementation.

Migration to a deterministic password manager

There is no import option which means that you need to generate new passwords for any account that you want to use the deterministic password manager for.

Password rules

Most Internet sites and programs ship with password rules. Some may require a certain minimum or maximum length, others that numbers, special characters or upper case characters are included.

Deterministic password managers cannot take those requirements into account without an interface that lets users specify them.

The password manager LessPass, for instance, displays those options on its site, while others may not offer them at all (which means they cannot generate working passwords for some services).

You do need to remember the rules that you have specified for certain sites though, or store that information locally or remotely.

That stored information is sensitive, as it may help attackers.

Remembering sites

Apart from remembering password rules -- if you choose not to save the information -- you need to remember the sites you have registered an account with using the password manager.

You need to enter the site data manually each time you require the password. This may not be a problem if you use the manager for a handful of sites, but it is easy enough to forget about one site or another, or which site URL you used.
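To make the issues in this section concrete, here is an added toy stateless generator in Python. It is constructed for this article and is not the algorithm of LessPass or any other product; the master passwords, logins and site names are made up. It derives a site password with PBKDF2 from the master password, site, login and a per-site counter, enforces a chosen rule set, and then shows that a new master password changes every password, that only the counter rotates a single site, and that the rule set itself must be remembered.

```python
import hashlib
import string

# Toy stateless password generator, constructed for this article. The scheme is
# NOT LessPass's or any other product's algorithm; master passwords and site
# names used below are made up.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%&*+-=?",
}
ALGORITHM_VERSION = 1  # mixed into the salt: bumping it regenerates every password


def derive_password(master, site, login="", counter=1, length=16,
                    rules=("lower", "upper", "digits", "symbols")):
    """Derive a site password from the master password and site data only.

    Identical inputs always give the identical password, so nothing is stored.
    `counter` is the per-site variable that rotates one password without
    touching the master password; `rules` are the site's character-class rules.
    """
    if not rules or any(r not in CHARSETS for r in rules):
        raise ValueError("rules must name one or more known character classes")
    if length < len(rules):
        raise ValueError("length too short to include every required class")
    salt = f"v{ALGORITHM_VERSION}\x00{site}\x00{login}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    entropy = int.from_bytes(key, "big")  # consume the 512-bit key as one integer

    def take(n):
        nonlocal entropy
        entropy, idx = divmod(entropy, n)
        return idx

    # One character from each required class first, so the site's rules always hold.
    chars = [CHARSETS[r][take(len(CHARSETS[r]))] for r in rules]
    alphabet = "".join(CHARSETS[r] for r in rules)
    chars += [alphabet[take(len(alphabet))] for _ in range(length - len(rules))]
    # Deterministic Fisher-Yates shuffle so the mandatory characters move around.
    for i in range(len(chars) - 1, 0, -1):
        j = take(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_rules(password, rules):
    """True if the password contains at least one character of every class in rules."""
    return all(any(c in CHARSETS[r] for c in password) for r in rules)


def vault(master, accounts):
    """Regenerate passwords for (site, login, counter) tuples; the tuples are the only state."""
    return {site: derive_password(master, site, login, counter)
            for site, login, counter in accounts}


def demo():
    """Show the three issues from the article on constructed sample accounts."""
    master = "correct horse battery staple"
    accounts = [("example.com", "alice", 1), ("shop.example", "alice", 1),
                ("mail.example", "alice@example.com", 2)]
    before = vault(master, accounts)
    # Master password issue: a new master password changes every site password.
    after = vault("a new master phrase", accounts)
    all_changed = all(before[s] != after[s] for s in before)
    # Changing passwords issue: only the per-site counter rotates a single site.
    rotated = vault(master, [(s, l, c + 1 if s == "example.com" else c)
                             for s, l, c in accounts])
    rotated_sites = sorted(s for s in before if before[s] != rotated[s])
    # Password rules issue: a different rule set yields a different password, so
    # the rules chosen for a site must be remembered or stored somewhere.
    no_symbols = derive_password(master, "example.com", "alice", 1,
                                 rules=("lower", "upper", "digits"))
    return {
        "all_changed_on_master_change": all_changed,
        "rotated_sites": rotated_sites,
        "rules_change_password": no_symbols != before["example.com"],
        "no_symbols_present": not any(c in CHARSETS["symbols"] for c in no_symbols),
    }


if __name__ == "__main__":
    for site, pw in vault("correct horse battery staple",
                          [("example.com", "alice", 1)]).items():
        print(site, pw)
    print(demo())
```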

Now You: Do you use a password manager? If so, which and why?

Your browsing history may have been sold already
http://www.ghacks.net/2016/11/01/browsing-history-sold/ (Tue, 01 Nov 2016)
Add-on companies are selling the browsing history of millions of users to third-parties according to a report that aired on German national TV.

Reporters of Panorama managed to gain access to a large data collection that contained the browsing history of roughly 3 million German Internet users.

The data was collected by companies that produce browser extensions for various popular browsers such as Chrome and Firefox.

Panorama named only one add-on, Web of Trust (WOT), but stated that the data was collected by multiple browser extensions.

Browser extensions that run when the web browser runs may record any move a user makes depending on how they are designed.

Some, like Web of Trust, provide users with a service that requires access to every site visited in the browser. The extension is designed to offer security and privacy guidance for sites visited in the browser.

The data that Panorama bought from brokers contained more than ten billion web addresses. The data was not fully anonymized, as the team managed to identify people in various ways.

The web address (URL) itself revealed user IDs, emails or names in some cases. This was the case for PayPal (email), for Skype (user name) or for the online check-in of an airline.

What's particularly worrying is that the information did not stop there. The team managed to uncover information about police investigations, the sexual preferences of a judge, internal financial information of companies, and searches for drugs, prostitutes, or diseases.

Links may lead to private storage spaces on the Internet that, when improperly secured, may give anyone with knowledge of the URL access to the data.

It is trivial to search the data for online storage services for instance to reveal those locations and check whether they are publicly accessible.

Panorama reports that Web of Trust logs collected information such as time and date, location, web address and user ID. The information is sold to third-parties who may sell the data again to interested companies.

WOT notes on its website that it hands over data to third-parties but only in anonymized form. The team of reporters managed to identify several user accounts however which suggests that the anonymization does not work as intended.

The extension has been downloaded over 140 million times. While the data set that the researchers bought included only German user information, it is likely that data sets are available for users from other regions of the world.

MBRFilter protects the Master Boot Record against manipulation
http://www.ghacks.net/2016/10/21/mbrfilter-protects-the-master-boot-record-against-manipulation/ (Fri, 21 Oct 2016)
MBRFilter is a new open source program for Windows devices designed to protect the Master Boot Record against manipulation.

The Master Boot Record holds information about how partitions and file systems are organized on a storage device.

It triggers the loader of installed operating systems as well, which makes it an important part of any computer system.

If the Master Boot Record is altered, either accidentally or through malicious software, it may result in boot errors or other issues.

There is malware out there in the wild that overwrites the Master Boot Record with its own boot loader. Petya, a ransomware, does so for instance.
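As an added illustration of what sector 0 contains and how an overwrite of the kind described above can be detected, the following Python parses a 512-byte MBR into its boot code and partition entries and compares it against a saved baseline. This is example code written for this article, not MBRFilter's or any project's own code; the sectors are constructed in code and no disk is read.

```python
import hashlib
import struct

# Added example for this article, not code from MBRFilter or any other project:
# parse a 512-byte Master Boot Record and compare it with a saved baseline so
# that an overwritten boot loader or a changed partition table is noticed.
# All sectors below are constructed in code; no disk is read.

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code (includes the optional disk signature)
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Split an MBR sector into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0:  # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(baseline, current):
    """List what differs between a known-good MBR and the current one."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code, partitions):
    """Construct a synthetic MBR for the demo; partitions are (status, type, lba, count)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FORMAT, status, b"\x00" * 3, ptype,
                                 b"\x00" * 3, lba, count)
                     for status, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def demo():
    """Baseline a constructed MBR, then detect a replaced boot loader."""
    layout = [(0x80, 0x07, 2048, 1_000_000)]  # one bootable NTFS-type partition
    baseline = parse_mbr(build_sample_mbr(b"constructed good boot code", layout))
    # Same partition table, loader bytes replaced: what an MBR-overwriting
    # ransomware such as Petya leaves behind, and what MBRFilter blocks.
    current = parse_mbr(build_sample_mbr(b"constructed replaced loader", layout))
    return compare_to_baseline(baseline, current)


if __name__ == "__main__":
    print(demo())  # ['boot code changed']
```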

MBRFilter

The main purpose of MBRFilter is to protect the Master Boot Record against any form of manipulation.

Note: It is highly recommended to test the filter on a test system before it is installed on a production machine. Create a system backup before you do so in either case to be on the safe side.

Installation is a bit finicky. The filter is supplied as source, but also as a 32-bit and 64-bit driver for Windows. Make sure you download the correct version for Windows and unpack the downloaded archive afterwards.

The archive contains an .inf file and a .sys file. Right-click on MBRFilter.inf and select install from the context menu that opens. You are prompted to reboot the system afterwards to complete the installation.

If things worked well, Windows should boot again and you can start using the system like before. The only thing that you need to be aware of is that the driver will prevent writes to sector 0 on all drives, including those that you may authorize. You may run into issues for instance when initializing new drives on the machine.

This can cause an issue when initializing a new disk in the Disk Management application. Hit 'Cancel' when it asks you to write to the MBR/GPT and it should work as expected.

Alternatively, if OK was clicked, quitting and restarting the application will allow partitioning/formatting.

Removal is quite complicated as well. The Github project page lists all the steps required to remove the MBRFilter again from a machine. Basically, the following steps need to be completed:

  1. Open a Registry Editor and remove the MBRFilter line from the UpperFilters Registry key: HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
  2. Reboot
  3. Use AccessMBR, a program supplied on the Github site as well, to verify that the MBR lock is disabled.

The only option you have to manipulate the boot sector while the driver is active is to boot into Safe Mode.

Closing Words

If you are worried particularly about malware that overwrites the Master Boot Record, or accidentally damaging it, then you may find MBRFilter useful as it prevents that from happening.

It may make more sense for most users to install anti-ransomware software or antivirus software instead, which should prevent ransomware or malware from running on the PC in the first place (and thus from modifying the MBR).

Malwarebytes acquires AdwCleaner
http://www.ghacks.net/2016/10/21/malwarebytes-acquires-adwcleaner/ (Fri, 21 Oct 2016)
Malwarebytes, makers of the popular Malwarebytes Anti-Malware, Anti-Exploit, Anti-Ransomware and other security tools, announced on October 19, 2016 that it has acquired AdwCleaner, a program for Windows designed to clean adware from computer systems.

We reviewed the standalone version of AdwCleaner for the first time back in 2013, and then again in 2015 when AdwCleaner 5 was released. The team released version 6 of the application in 2016, but we have not reviewed that yet.

AdwCleaner, compatible with all versions of Windows starting with Windows XP, has been designed to scan a Windows PC for traces of adware, and to provide you with options to remove those traces.

Adware in this context refers to any unwanted software, setting or file that is not considered malicious. So, all those potentially unwanted programs (PUP) that you may get while installing another software count as adware for instance, but also changes to a browser's homepage or search engine, services added to Windows, advertisement popups, or cookies planted to track users.

Malwarebytes acquires AdwCleaner

Malwarebytes plans to improve the company's programs with regard to the detection of potentially unwanted programs. Check out the company's definition of potentially unwanted programs if you are interested in how Malwarebytes classifies potentially unwanted software.

The company acquired another tool in that vertical not long ago for the very same purpose: Junkware Removal Tool.

Like Junkware Removal Tool, AdwCleaner will remain available as a free standalone program. This means that users who rely on the program currently may continue to use it after the acquisition.

Malwarebytes plans to integrate the technology that is powering AdwCleaner into its Anti-Malware product.

According to the company, AdwCleaner is downloaded more than 200,000 times every day, and has been installed "about" 200 million times in total.

Both AdwCleaner and Junkware Removal Tool are already listed on Malwarebytes' official product site. The AdwCleaner download link points to an external site for now, and files are not downloaded from Malwarebytes servers.

This is probably going to change very soon though. You will notice, however, that it already shows up as Malwarebytes AdwCleaner when you run it.

Closing Words

Malwarebytes Anti-Malware is a popular second opinion scanner -- the free version lacks real-time protection -- and the premium version is quite popular as well as a replacement for traditional antivirus solutions.

I like how Malwarebytes handles its acquisition for now. Keep the programs free and available as standalone versions, but integrate the technology into the main products.

Now You: What's your take on Malwarebytes and the acquisition in particular?

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.

The post Malwarebytes acquires AdwCleaner appeared first on gHacks Technology News.

VeraCrypt 1.19 fixes security vulnerabilities http://www.ghacks.net/2016/10/18/veracrypt-1-19-fixes-security-vulnerabilities/ http://www.ghacks.net/2016/10/18/veracrypt-1-19-fixes-security-vulnerabilities/#comments Tue, 18 Oct 2016 11:33:35 +0000 http://www.ghacks.net/?p=125584 VeraCrypt 1.19 is the newest version of the popular open source data encryption program that many users switched to after TrueCrypt was discontinued back in 2014. The application is based on TrueCrypt code but has since then been updated regularly with new features, improvements and most notable security fixes. The VeraCrypt team fixed security vulnerabilities […]

VeraCrypt 1.19 is the newest version of the popular open source data encryption program that many users switched to after TrueCrypt was discontinued back in 2014.

The application is based on TrueCrypt code but has since then been updated regularly with new features, improvements and, most notably, security fixes.

The VeraCrypt team fixed security vulnerabilities that a TrueCrypt audit brought to light, and has fixed several vulnerabilities or issues since then.

The team announced back in August 2016 that VeraCrypt would receive a security audit of its own thanks to the Open Source Technology Improvement Fund.

The scope of the audit was twofold. First, to verify that TrueCrypt related issues are fixed, and second, that features introduced by VeraCrypt did not introduce issues of their own.

A first step consisted in verifying that the problems and vulnerabilities identified in TrueCrypt 7.1a had been taken into account and fixed.

Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software.

VeraCrypt 1.19

The security audit of VeraCrypt and its bootloaders by QuarksLab has been completed. The company found a total of 26 different vulnerabilities or issues, eight of which were rated critical. The remaining vulnerabilities received a rating of medium (3) or low/informational (15).

VeraCrypt released version 1.19 of the encryption software that addresses the majority of issues found by QuarksLab. This includes among others a fix that protects against the leaking of the password length in the MBR bootloader inherited from TrueCrypt on Windows machines.

The technical documentation of the audit reveals that some vulnerabilities have not been fixed yet because of their complexity: fixing them requires either major modifications to existing code or changes to the project's architecture.

This includes, for instance, a problem with the AES implementation which makes it susceptible to cache-timing attacks. The only way to resolve the issue is to rewrite the AES implementation, which takes time.

The release brings other improvements, for instance a 2.5 times performance increase of the Serpent algorithm on 64-bit systems, EFI system encryption support on 32-bit versions of Windows, and a fix for EFS data access issues on Windows 10.

The documentation has been updated to inform users about potential security issues. The tokenpin command line parameter is one example.

VeraCrypt users who are interested in the audit can find the technical report here (PDF document). The release notes of the new version are posted on the official VeraCrypt project website.

Closing Words

VeraCrypt's security has improved significantly thanks to the audit, although work remains to address the issues that are too complex to be fixed in a short period of time.

Since it is one of the few remaining TrueCrypt forks or successor projects that is still updated regularly, it may be a good idea to migrate to it if that has not been done already.

Now You: Do you use encryption software? If so, which and why?

A preview of KeePass 2.35 and its security improvements http://www.ghacks.net/2016/10/04/a-preview-of-keepass-2-35-and-its-security-improvements/ http://www.ghacks.net/2016/10/04/a-preview-of-keepass-2-35-and-its-security-improvements/#comments Tue, 04 Oct 2016 05:01:12 +0000 http://www.ghacks.net/?p=125336 KeePass 2.35 is the next version of the popular password manager that will introduce a new version of the KDBX file format and security improvements among other things. KDBX is the file format that KeePass uses for information storage on the device. Version 4 of KDBX features improvements and new capabilities. KeePass will use the […]

KeePass 2.35 is the next version of the popular password manager that will introduce a new version of the KDBX file format and security improvements among other things.

KDBX is the file format that KeePass uses for information storage on the device. Version 4 of KDBX features improvements and new capabilities.

KeePass will use the new format eventually, but at first only if certain requirements are met. This is done to give ports of KeePass time to update their versions of the software to support the new format.

Basically, none of the following conditions need to be true:

  1. KeePass uses a different key derivation function than AES-KDF (the default, and the only one KDBX 3.1 supports).
  2. Plugins request to store custom header data in the KDBX file.
  3. Plugins request to store custom data in an entry or a group.

If none of the conditions are met, KeePass 2.35 will use the new file format automatically.

KeePass 2.35 and its security improvements

Probably the biggest change from a security point of view is support for the key derivation function Argon2.

The algorithm won the Password Hashing Competition against 23 candidates. Starting with KeePass 2.35, users of the software can switch the key derivation function from AES-KDF to Argon2.

  1. Open KeePass 2.35 or later.
  2. Select File > Database Settings.
  3. Switch to the Security tab.
  4. Locate "key derivation function" on the screen. You may switch to Argon2 (and back to AES-KDF) with a click on the menu.

Once you have selected Argon2 as the key derivation function, additional parameters become available. You may change the number of iterations, memory, and parallelism.

You may increase iterations and memory to make dictionary and brute force attacks harder, but database loading and saving may take more time.

You may use the "test" button to test new values that you enter. KeePass runs tests and displays the time it takes to transform a key in a small window afterwards.

Some example timings on a device with an Intel Core i7-6700K CPU and 32 Gigabytes of RAM:

  • Iterations 2, Memory 1, Parallelism 2: 0.003 seconds
  • Iterations 2, Memory 250, Parallelism 2: 2.97 seconds
  • Iterations 10, Memory 2000, Parallelism 2: 25.257 seconds
  • Iterations 10, Memory 2000, Parallelism 4: 15.601 seconds

The main advantage of Argon2 over AES-KDF is that it provides better resistance against GPU/ASIC cracking attacks.

KeePass' Argon2 implementation supports all parameters that are defined in the official specification, but only the number of iterations, the memory size and the degree of parallelism can be configured by the user in the database settings dialog. For the other parameters, KeePass chooses reasonable defaults: a 256-bit salt is generated by a CSPRNG each time a database is saved, the tag length is 256 bits, no secret key or associated data. All versions of Argon2d (1.0 to 1.3) are supported; KeePass uses the latest version 1.3 by default.

Other KeePass KDBX 4.x changes

Besides support for Argon2, KDBX 4.x will introduce a number of improvements and changes that are outlined briefly below:

  • Improved header authentication -- KDBX 4 uses HMAC-SHA-256 instead of SHA-256 for header authentication. This offers various advantages, one being that KeePass may verify the header before decrypting the remaining data.
  • Improved data authentication -- Similarly, KDBX 4 uses HMAC-SHA-256 instead of SHA-256 for data block authentication which is considered to be more secure and allows KeePass to verify the authenticity of a data block before trying to decrypt it.
  • Plugins may extend the KDBX 4 header, may add other key derivation functions to KeePass 2.35 and later, and may store custom data in entries and groups.
  • The ChaCha20 encryption algorithm is supported with 256-bit key and 96-bit nonce.
  • Inner Header improvements that reduce the database size and improve loading and saving performance.

Additional information on the new format is available on the KeePass website. It is not clear yet when KeePass 2.35 will be released.
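The two authentication changes above (HMAC-SHA-256 instead of plain SHA-256 for the header and for data blocks) are the ones with a concrete security consequence, so here is an added illustration of what they buy. This is a simplified model written for this article, not KeePass's KDBX 4 code or byte layout; the MAC key derivation, the header contents and the block encoding are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this illustration (not from a real database).
SAMPLE_HEADER = b"cipher=ChaCha20;kdf=Argon2d;iterations=10;memory=2000;parallelism=2"
SAMPLE_MASTER_KEY = hashlib.sha256(b"constructed master key for the example").digest()


def auth_key(master_key: bytes) -> bytes:
    # Assumption of this example: derive a dedicated MAC key from the master
    # key so the authentication key is never the encryption key itself.
    return hashlib.sha512(master_key + b"header-and-block-auth").digest()


# --- KDBX 3.1 style: unkeyed SHA-256 over the header -----------------------
def seal_header_sha256(header: bytes) -> bytes:
    return hashlib.sha256(header).digest()


def verify_header_sha256(header: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal_header_sha256(header), tag)


# --- KDBX 4 style: HMAC-SHA-256 over the header, keyed from the master key --
def seal_header_hmac(header: bytes, master_key: bytes) -> bytes:
    return hmac.new(auth_key(master_key), header, hashlib.sha256).digest()


def verify_header_hmac(header: bytes, tag: bytes, master_key: bytes) -> bool:
    return hmac.compare_digest(seal_header_hmac(header, master_key), tag)


def downgrade_kdf(header: bytes) -> bytes:
    """Simulate tampering with a stored database: weaken the KDF parameters
    recorded in the header so the key derivation becomes cheap to brute force."""
    return header.replace(b"iterations=10;memory=2000", b"iterations=1;memory=1")


def tampered_header_accepted(keyed: bool) -> bool:
    """Tamper with the header and attach the best tag someone WITHOUT the
    master key can produce (an unkeyed hash). Returns True if the reader
    would accept the file: it does with plain SHA-256, not with HMAC."""
    forged = downgrade_kdf(SAMPLE_HEADER)
    attacker_tag = hashlib.sha256(forged).digest()
    if keyed:
        return verify_header_hmac(forged, attacker_tag, SAMPLE_MASTER_KEY)
    return verify_header_sha256(forged, attacker_tag)


# --- KDBX 4 style data block authentication --------------------------------
def seal_block(index: int, data: bytes, master_key: bytes) -> bytes:
    """HMAC over (block index || length || data). Binding the index into the
    MAC means blocks cannot be reordered or swapped between positions."""
    msg = struct.pack("<QI", index, len(data)) + data
    return hmac.new(auth_key(master_key), msg, hashlib.sha256).digest()


def build_blocks(payloads, master_key: bytes):
    return [(p, seal_block(i, p, master_key)) for i, p in enumerate(payloads)]


def verify_blocks(blocks, master_key: bytes):
    """Check every (data, tag) pair BEFORE any block is decrypted, which is
    the ordering the HMAC makes possible. Returns the position of the first
    block that fails, or None if all verify."""
    for index, (data, tag) in enumerate(blocks):
        if not hmac.compare_digest(seal_block(index, data, master_key), tag):
            return index
    return None


def swapped_blocks_detected():
    """Swap two authenticated blocks; the reader notices at position 0."""
    blocks = build_blocks([b"block-0", b"block-1", b"block-2"], SAMPLE_MASTER_KEY)
    swapped = [blocks[1], blocks[0], blocks[2]]
    return verify_blocks(swapped, SAMPLE_MASTER_KEY)


if __name__ == "__main__":
    print("plain SHA-256 accepts downgraded header:", tampered_header_accepted(keyed=False))
    print("HMAC-SHA-256 accepts downgraded header:", tampered_header_accepted(keyed=True))
    print("first bad block after swap:", swapped_blocks_detected())
```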

Now You: What's your take on the improvements?

Password Managers that don’t store passwords http://www.ghacks.net/2016/10/03/password-managers-that-dont-store-passwords/ http://www.ghacks.net/2016/10/03/password-managers-that-dont-store-passwords/#comments Mon, 03 Oct 2016 10:46:08 +0000 http://www.ghacks.net/?p=125315 Password managers are one of the best options to manage account information. The two major flavors they come in are local storage and remote storage solutions which both offer advantages and disadvantages. Local storage solutions like KeePass or Enpass keep the encrypted password database file on the local system thus removing cloud storage and network […]

Password managers are one of the best options to manage account information. The two major flavors they come in are local storage and remote storage solutions which both offer advantages and disadvantages.

Local storage solutions like KeePass or Enpass keep the encrypted password database file on the local system, thus removing cloud storage and network traffic as an attack vector. Remote storage solutions like LastPass or Dashlane, on the other hand, make things easier if you use multiple devices, and they may make the information available on the Internet via a web-based interface as well.

Both rely on encrypted password databases that are unlocked by a user's master password.

There is a third kind of password manager that rose to prominence fairly recently: those that don't store passwords at all. These are called stateless or deterministic password managers.

Examples are Master Password App, available for various desktop and mobile operating systems and as a web app, and Forgiva, a commercial password solution for various desktop operating systems.

Password Managers that don't store passwords

Password managers like Master Password App don't store passwords, but generate them on the fly whenever they are needed.

For this particular app for instance, passwords are generated using a name, the site the password is for, and a master password.

Here is how this works in greater detail:

  1. You enter your name and master password to sign in to the password manager.
  2. The password generation and lookup interface is identical. Basically, to create or display a password you simply enter the site name -- or any other name for that matter.
  3. You can then copy the password over to the site to sign in to your account, or register for an account.

Forgiva extends this basic approach by adding visual pattern confirmations, different key-derivation algorithms, and a certification system.

Both have in common that passwords are generated using information that is either entered by the user, or created during initial setup.

The main advantage they offer over conventional password managers is that attackers cannot dump the password manager database file either by attacking a local device or a company that stores the data in the cloud.

Also, since passwords are not stored in a database, there is no syncing involved to gain access to passwords across devices. All that is needed is access to the application, the master password, and maybe other data depending on the product, to gain access to all information.

Caveats

While deterministic password managers do away with storage, they are as susceptible to certain attack forms as regular password managers.

Since users need to somehow get the passwords displayed in the program and enter them on a website or in an application, the passwords will either be copied to the clipboard or entered manually using the keyboard.

Depending on the level of complexity of the service, getting hold of the master password may give an attacker access to all passwords unless the product uses other security precautions (as Forgiva does).

Password renewal may also be an issue if the service does not offer an option to do so. Additionally, depending on functionality, these password managers may not offer options to store additional data, security question answers for instance.
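To make the "how it works" steps above and the caveats concrete, here is an added illustrative model of a stateless password manager written for this article; it is not Master Password App's or Forgiva's algorithm. The choices of scrypt for stretching name + master password, HMAC-SHA-256 for per-site derivation, and a per-site counter as the renewal mechanism are assumptions of the example.

```python
import hashlib
import hmac
import string

# Constructed inputs for this example only.
NAME = "Jane Example"
MASTER_PASSWORD = "constructed-master-password-do-not-reuse"

# Assumed parameters; a real product would tune these (see the KeePass
# Argon2 timings above for the trade-off between cost and load time).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def master_key(name: str, master_password: str) -> bytes:
    """Stretch name + master password with scrypt. The name acts as the salt,
    so two people sharing a master password still get different keys. This
    is the only secret material; nothing is written to disk."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=name.encode("utf-8"),
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def site_password(mk: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive the password for one site from the master key. The same inputs
    always reproduce the same password, which is what makes storage and
    syncing unnecessary. The counter is the renewal mechanism: bumping it
    gives an unrelated password for the same site without touching the
    master password (a product without such a knob cannot rotate passwords)."""
    if counter < 1:
        raise ValueError("counter starts at 1")
    seed = hmac.new(mk, f"{site}\x00{counter}".encode("utf-8"), hashlib.sha256).digest()
    # Expand the seed into a byte stream and map bytes onto the alphabet with
    # rejection sampling, so every character is equally likely.
    limit = 256 - (256 % len(ALPHABET))
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(seed, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for b in stream:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
    return "".join(out)


def demo_properties() -> dict:
    """Properties a practitioner should check before trusting such a scheme."""
    mk = master_key(NAME, MASTER_PASSWORD)
    return {
        "reproducible": site_password(mk, "example.com") == site_password(mk, "example.com"),
        "per_site": site_password(mk, "example.com") != site_password(mk, "example.org"),
        "renewal": site_password(mk, "example.com", counter=2) != site_password(mk, "example.com"),
        # The caveat from the article: whoever learns name + master password
        # regenerates every password, because nothing else is required.
        "full_recovery_from_secrets": master_key(NAME, MASTER_PASSWORD) == mk,
        # Changing the master password changes every site password at once.
        "master_change_rotates_all": master_key(NAME, MASTER_PASSWORD + "x") != mk,
    }


if __name__ == "__main__":
    key = master_key(NAME, MASTER_PASSWORD)
    print(site_password(key, "example.com"), site_password(key, "example.com", counter=2))
    print(demo_properties())
```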

Closing Words

Deterministic password managers offer an interesting approach to password management. While they do away with password storage, they are not immune to attacks and may be limited in terms of what other data -- if any -- can be saved by them.

Now You: Do you use a password manager? If so which, and why?

PayPal Digital Gift Cards code leak http://www.ghacks.net/2016/09/06/paypal-digital-gift-cards-code-leak/ http://www.ghacks.net/2016/09/06/paypal-digital-gift-cards-code-leak/#comments Tue, 06 Sep 2016 10:51:07 +0000 http://www.ghacks.net/?p=124645 PayPal is not only a dominating force when it comes to making online transactions between individuals and companies, it also branched of in other areas such as gift cards. You may visit the site PayPal Gifts to purchase gift cards for various popular online and offline services using a PayPal account. The service has a […]

PayPal is not only a dominating force when it comes to making online transactions between individuals and companies, it has also branched off into other areas such as gift cards.

You may visit the site PayPal Gifts to purchase gift cards for various popular online and offline services using a PayPal account.

The service has a security issue currently that is caused by an improperly configured server, or more precisely, a robots.txt file.

Basically, what happens is that search engines index the "here is your PayPal gift card" pages on the site. These pages show the code of the gift card among other things. This means that anyone may use the code to grab the credit before the recipient may have a chance to redeem it.

The good news is that only a handful of pages are currently indexed by Google. The main reason for this is that the gift pages are not linked anywhere on the PayPal Digital Gifts site, which means they can only end up in the index if they are linked from a location that search engine bots have access to.

Customers who purchase gift cards using PayPal's Digital Gifts service need a PayPal account for that. Recipients on the other hand don't. They can take the code and redeem it directly using the service it was created for.

The service supports a wide variety of popular online services including iTunes, Google Play, Best Buy or Apple Music.

A robots.txt file is used by webmasters to "tell" search engine bots what they can and cannot crawl on the site.

The theory is that search engines ignore any "forbidden" area as indicated by the file so that it is not indexed.

Something that is not indexed cannot come up in the search results. PayPal on the other hand redirects the robots.txt file which means that it does not use one on the site.

While fairly limited in scope, it is an issue nevertheless, and one that does not paint PayPal in a kind light.

Take away: if you get a digital gift card, redeem it right away. If you buy one, make sure the recipient does so to avoid any issues with the information leaking online.

Now You: Do you use gift cards?

Avira PC Cleaner review http://www.ghacks.net/2016/09/05/avira-pc-cleaner-review/ http://www.ghacks.net/2016/09/05/avira-pc-cleaner-review/#comments Mon, 05 Sep 2016 06:38:33 +0000 http://www.ghacks.net/?p=124617 Avira PC Cleaner is an on-demand scanner that you may use to scan a Windows computer for infections, and remove malicious code that is found by the program. On-demand scanners are often called second-opinion scanners, as they may be run next to any installed antivirus solution. The main idea is to verify that resident security […]

Avira PC Cleaner is an on-demand scanner that you may use to scan a Windows computer for infections, and remove malicious code that is found by the program.

On-demand scanners are often called second-opinion scanners, as they may be run next to any installed antivirus solution.

The main idea is to verify that resident security software is working correctly and that no malicious software slipped by it.

While running on-demand scanners is no guarantee that the system is indeed clean, it increases the likelihood that it is.

Avira PC Cleaner

PC Cleaner is not Avira's first on-demand scanner. The makers of the popular Avira Free Antivirus for Windows published Avira De-Cleaner years ago which offered similar functionality.

The program itself is portable, but you need to download data from the Internet when you run it before it can start scanning the PC.

Avira PC Cleaner is a bare bones application that lists only one option in its interface after the end user agreement.

You may run a full scan of the system or a quick scan by removing the checkmark from the full scan preference.

A click on scan system starts the scan. Scan time depends on several factors and may take quite some time to complete. It took more than an hour to complete on a test system for instance.

The program indicates if malware is found, but does not give you any indication about its type during the scan.

Avira PC Cleaner displays the number of threats found after the scan.

You may hit the remove all button right there, but that is not advisable, as you get no indication of what the threats actually are.

Since there is a chance that Avira found false positives, it is highly recommended to click on view details first to evaluate the findings.

The details listing -- if you want to call it that -- lists file names and the threats they contain. There is no path information on the other hand which makes it difficult to put the finding in context.

All you can do to find out more is to locate the file yourself with third-party programs, Windows Search or a faster solution such as Everything. Once you have located the file on your computer, you can scan it with an online service such as VirusTotal.

Closing Words

Avira PC Cleaner is a free on-demand scanner that is backed by Avira's powerful antivirus engine. As is the case for programs of its kind, it is quite limited in what you can do with it. Basically, all there is, is to scan the system, and to remove infections that are found during the scan.

Some options would certainly be useful; the ability to scan only the main drive, or to exclude certain directories, come to mind.

The lack of information on the details screen is another thing that Avira should consider fixing. The information listed there now makes it difficult to do research on your own, and that is what users should do before they hit the remove button.

All files found during scans of test systems were false positives.

McAfee GetSusp: sniff out undetected malware http://www.ghacks.net/2016/09/03/mcafee-getsusp-sniff-out-undetected-malware/ http://www.ghacks.net/2016/09/03/mcafee-getsusp-sniff-out-undetected-malware/#comments Sat, 03 Sep 2016 16:09:53 +0000 http://www.ghacks.net/?p=124582 McAfee GetSusp is a free program for Microsoft Windows devices designed to sniff out malware that resident security solutions did not detect. The program is not new, it was last updated in 2013, but uses McAfee's Global Threat Intelligence (GTI) File Reputation database, to determine whether a file is suspicious. Word of warning: the program […]

McAfee GetSusp is a free program for Microsoft Windows devices designed to sniff out malware that resident security solutions did not detect.

The program is not new; it was last updated in 2013. It uses McAfee's Global Threat Intelligence (GTI) File Reputation database to determine whether a file is suspicious.

Word of warning: the program will submit files to McAfee by default for analysis according to the terms of service that you need to accept not only before download but also before you run the program.

While that may not be a problem for most home users, as the program concentrates on executable files, it will likely be one for privacy conscious users and businesses.

The main issue with the approach is that you don't get a say during the scanning. It would be user friendly if the program would display prompts for any file that it plans to transfer to the service for further analysis. That's however not the case.

McAfee GetSusp

The application itself is portable, and one of those "click a button and wait until the scan completes" programs that give you few options or little control over the process.

You may disable the submission of results to McAfee and the reporting of all scanned files, but that is about it.

Simply click on the preferences icon in the program interface to make those changes.

McAfee GetSusp found quite a few suspicious files on the test computer system; a total of 41 to be precise. The list included several Google Chrome dll and executable files, Veeam EndPoint files, the main Private Internet Access application, and several downloaded programs such as AutoHotKey.

The program leaves you alone after listing what it considers suspicious files, and it is up to you to make sure the files are clean.

This cannot be done from within the program unfortunately which means that you will have to go through the listing one by one, and either scan each file with third-party security software, or an online service like Virustotal.

Obviously, you may be able to refute certain claims right away.

Closing Words

So how useful is McAfee GetSusp? I'd say it is not overly useful. You may get much better results by downloading and running second opinion scanners like Malwarebytes Anti-Malware, Bitdefender QuickScan, Dr.Web CureIt, or any of the other programs designed specifically for that purpose.

The results are likely better, and you get options to do something about them right away as well.

Also, some second opinion scanners don't require an Internet connection at all to scan the system which will please anyone who does not want data to be transferred to remote Internet servers without having a say in the matter.

GetSusp, all in all, is a rather weak program, and that is probably one reason why it was not updated by Intel Security in well over three years.

Study: Half of people click on unknown sender links http://www.ghacks.net/2016/09/01/study-half-of-people-click-on-unknown-sender-links/ http://www.ghacks.net/2016/09/01/study-half-of-people-click-on-unknown-sender-links/#comments Thu, 01 Sep 2016 04:22:31 +0000 http://www.ghacks.net/?p=124524 Phishing is one of the biggest threats on the Internet. Attacks use it to gain access to login or financial information, or to scam users right away. With phishing being a thing for longer than a decade, one could assume that users are aware of the risks that clicking on links or attachments in emails, […]

Phishing is one of the biggest threats on the Internet. Attackers use it to gain access to login or financial information, or to scam users right away.

With phishing being a thing for longer than a decade, one could assume that users are aware of the risks that clicking on links or attachments in emails, chats or on websites poses, but that is apparently not the case.

A recent study at the German Friedrich-Alexander University concluded that 56% of email recipients and 40% of Facebook users clicked on links from unknown senders.

The research team conducted two studies in which they sent email messages and Facebook messages to about 1700 students of the University.

The messages were adapted to the target group. Messages in both studies claimed that the link pointed to images of a party of the previous weekend. They were signed with a common name for the age group.

A click on the link would open a web page that would simply show an access denied message. All clicks were logged this way, and that's how the researchers managed to get the stats for both studies.

The two studies differed slightly. In the first study, test subjects were addressed by first name. Test subjects were not addressed by first name in the second study, but additional details about the party were listed instead.

Also, for the Facebook study, profiles were created that offered varying degrees of public information. Some with photos and timeline information, others with no photos and minimal content.

The results were astonishing: 56% of email recipients and 38% of Facebook users clicked on the link in the first study. In the second study -- the one without the test subject's first name -- email clicks dropped down to 20% but Facebook clicks increased to 42%.

78% of all study participants stated in a questionnaire that "they were aware of the risks of unknown links". Interestingly enough, only 20% of the first study and 16% of users in the second study confirmed that they clicked on that link.

The researchers believe that the discrepancy between actual clicks and claimed clicks comes down to users simply forgetting the message that they clicked on as nothing happened.

The large majority of test participants who remembered clicking on the link stated that curiosity got the better of them. Others stated that they knew someone with the name, or that they had been to the party.

Participants who did not click on the link stated that they did not click because they did not recognize the sender's name, and some even stated that they wanted to protect the sender's privacy by not looking at the photos.

Closing Words

A large number of test subjects, 78%, claimed they knew about the dangers of clicking on links. Still, about 50% did click anyway when presented with a chance to do so.

The attack in the study was targeted and used information that the students could relate to, but that is not an excuse for falling for it. It is plausible however that targeted attacks have a higher success rate than generic phishing attacks.

It would be interesting to know if some of the students opened the link in a secure environment, but it seems unlikely that many would have.

A very simple option to check out a link without loading it in your own browser or on your own system is to use a web service for it.

GTMetrix is designed to test the speed of a website, but it will display the content of the page that it checks as well.

1700 participants is not an awful lot to come to a conclusion, and it would be interesting if the study would be repeated in other regions of the world.

Now You: Will users ever learn?

Dropbox may have reset your password, just now http://www.ghacks.net/2016/08/26/dropbox-may-have-reset-your-password-just-now/ http://www.ghacks.net/2016/08/26/dropbox-may-have-reset-your-password-just-now/#comments Fri, 26 Aug 2016 03:54:15 +0000 http://www.ghacks.net/?p=124411 If you are a Dropbox customer, you may have received an email from the company informing you that it reset the password of the Dropbox account. The email offers little information about the why, only that it is a reaction of a security incident that took place in mid-2012. What this means is that user […]

If you are a Dropbox customer, you may have received an email from the company informing you that it reset the password of the Dropbox account.

The email offers little information about the reason, only that it is a reaction to a security incident that took place in mid-2012.

This means that an account is only affected if it is at least that old.

We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.

To learn more about why we’re taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at password-reset-help@dropbox.com.

Dropbox's email links to a FAQ page in the Help Center that answers some of the questions. The most important answers are probably what you need to do right now, and why the password was reset in the first place.

Reason for the password reset

It appears that Dropbox obtained a dump file that lists Dropbox user credentials. According to the company, it contains Dropbox usernames (usually an email address) and salted passwords.

All Dropbox users who are on that list receive an email from Dropbox with the information posted above.

Dropbox considers the move a precaution, as it is not aware of any attacks against the accounts on that list, or of unauthorized access to any of the Dropbox accounts on it.

We are prompting a password update purely as a preventive measure. We have no indication your account was improperly accessed.

Affected users will be prompted to change their account password on the next sign in to Dropbox. This is only the case for users who have not changed their passwords since mid-2012. If you did, you are good.

What Dropbox wants you to do

Dropbox reset affected account passwords. This means that you will receive a prompt to create a new password on the first sign in to the service on dropbox.com.

You may initiate the "forgot your password" process instead if you prefer. Simply enter your Dropbox email on the first page, click on the link in the email you receive, and enter a new password for the account.

Also, if you have two-factor authentication enabled, you need to complete that second authentication step to finish the process.

Note: If you used the same email and password combination on other sites, you may want to update the passwords there as well, since attackers may try to sign in with that combination (if they are able to crack the password).

Also, it appears that SMS codes for two-factor authentication are currently delayed.

Now you: Did you receive an email from Dropbox?

Trend Micro Ransomware Screen Unlocker Tool
http://www.ghacks.net/2016/08/21/trend-micro-ransomware-screen-unlocker-tool/ (Sun, 21 Aug 2016 16:07:36 +0000)

Trend Micro Ransomware Screen Unlocker Tool is a free program for Microsoft Windows operating systems that helps you unlock the screen after ransomware attacks.

As you may know, there are two general types of ransomware: those that lock the screen, and those that encrypt files. Screen lockers use various methods to block access to the system so that you cannot get in.

Some may only do so when the system is booted regularly, others may also block you from accessing Safe Mode on top of that.

Tip: Use ID Ransomware or No More Ransom to identify the ransomware that infected a computer.

Trend Micro's program has been designed to unlock Windows devices that are affected by lock screen ransomware.

Trend Micro Ransomware Screen Unlocker Tool

[Screenshot: Trend Micro Ransomware Screen Unlocker Tool]

The application is offered in two versions: a regular version that you run in Safe Mode, and a USB version that you boot from if Safe Mode is locked as well.

The Safe Mode version requires that you boot the PC into Safe Mode. While that is easy on older versions of Windows -- tap on F8 rapidly during boot -- it may be nearly impossible on newer versions if you cannot access the settings anymore.

If you manage to get into Safe Mode, simply run the program there to install it on the system.

Reboot into the normal mode of the Windows operating system afterwards, and use the keyboard shortcut Ctrl-Alt-T-I to trigger the program. Trend Micro notes that the hotkey works locally only and not through remote sessions. Also, it may need to be pressed more than once before it works.

The screen lock should terminate and the main Ransomware Screen Unlocker Tool program window should appear on the monitor.

Click on the scan button to scan the system for ransomware files. Files found by the application are listed in the interface. You may review those, select files that are malicious, and hit the clean button afterwards to delete them from the system.

All that is left to do is click on the reboot button to restart the system. The ransomware threat should be gone on the next start.

The USB version of the unlocker tool works differently. When you run it, you are asked to pick the USB device you want the program copied to.

[Screenshot: ransomware boot]

You need to boot the computer from the USB device to load the program at startup. Log in to the infected computer afterwards, and wait for the Ransomware Screen Unlocker Tool window to unlock the screen and display the same program interface shown in the first screenshot.

Now Read: Our anti-ransomware software guide that protects Windows from ransomware infections.

VeraCrypt 1.18 fixes one TrueCrypt vulnerability
http://www.ghacks.net/2016/08/18/veracrypt-1-18-fixes-one-truecrypt-vulnerability/ (Thu, 18 Aug 2016 15:32:01 +0000)

VeraCrypt 1.18 was released yesterday by the development team for all supported operating systems. The new version of the encryption program fixes a vulnerability that affects both the application and TrueCrypt, the encryption software it borrows code from.

VeraCrypt is one of several TrueCrypt alternatives that were published shortly after development on TrueCrypt ended under mysterious circumstances.

The encryption software is still based on TrueCrypt code for the most part, but has been modified in the two years of its existence to add, change or remove functionality. The developers fixed vulnerabilities that came to light after the TrueCrypt audit, and added interesting features such as PIM.

VeraCrypt 1.18

The most recent version of VeraCrypt fixes a vulnerability in TrueCrypt that allows attackers to detect the presence of hidden volumes on a device.

[Screenshot: VeraCrypt 1.18]

VeraCrypt, just like TrueCrypt, supports hidden volumes that are placed inside regular volumes. The idea is that if users of the software are coerced into handing over the password to the encrypted data, it only reveals the regular volume and not the hidden volume inside it.

The new version also improves other features of the application. It supports the Japanese encryption standard Camellia for Windows system encryption (MBR and EFI), and the Russian encryption and hash standards Kuznyechik, Magma and Streebog for Windows EFI system encryption.

On Windows, VeraCrypt 1.18 introduces support for EFI system encryption. The limitation at this point is that the feature does not support hidden operating systems or custom boot messages.

The new version ships with better protection against DLL hijacking on Windows. VeraCrypt 1.18 fixes boot issues experienced on some machines, reduces CPU usage, and includes a workaround for AES-NI support under Hyper-V on Windows Server 2008 R2.

The command line version supports passing smart card PINs via the new /tokenpin option, and a command line switch to hide the waiting dialog the program normally displays.

Closing Words

TrueCrypt users won't get the vulnerability fixed, as the program is no longer in active development. While the issue does not affect all users, as it only affects encryption setups that use hidden volumes, affected users may want to consider migrating to VeraCrypt instead.

The release is not the only good news about VeraCrypt. The encryption software will be audited thanks to OSTIF (Open Source Technology Improvement Fund). You can read the announcement here. The audit will take place over the course of the next month, with results released publicly after the issues found have been patched.

Now You: Which encryption software do you use primarily?

Kaspersky Anti-Ransomware Tool for Business
http://www.ghacks.net/2016/08/12/kaspersky-anti-ransomware-tool-for-business/ (Fri, 12 Aug 2016 17:38:51 +0000)

Kaspersky Anti-Ransomware Tool for Business is a free security product by Kaspersky to block ransomware on Windows machines.

Designed for businesses that don't run other Kaspersky software, it is available to anyone as a free download on the official site.

Please note that you need to fill out a form on the site that asks for a phone number, email address, name and company name, country, and number of workstations.

The program is compatible with other security software on the system -- provided that it is not Kaspersky's own.

The program homepage is scarce on information; it says nothing about how the program works or which threats it protects against. The press release is not much help either.

Kaspersky Anti-Ransomware Tool for Business

[Screenshot: Kaspersky Anti-Ransomware Tool]

The help file of the program, accessible after installation, is of more help. While it does not mention any ransomware types by name, it reveals what the program does to protect the system.

It runs in the background at all times and monitors program activity. Upon detection of malware, it automatically adds it to the block list. According to Kaspersky, the security program uses various methods to detect threats: its own signature database, and Kaspersky Security Network, a cloud-based service that aggregates information from Kaspersky users.

Kaspersky's tool can roll back the actions of a malicious application. This includes restoring changed files and reverting changes to the Windows Registry.

For that, Kaspersky Anti-Ransomware Tool for Business keeps a history of program activity.

The Anti-Ransomware Tool provides little in terms of preferences or options. The start page lists information about detected threats and actions. There you find a link to the settings.

[Screenshot: Kaspersky Anti-Ransomware Tool settings]

There you may change the trace level, disable the program's self-defense mechanism, and add proxy server information.

The only other menu the program provides is the "manage applications" screen. It lists the applications that the program blocked in the past.

[Screenshot: Kaspersky Anti-Ransomware Tool manage applications]

You may use the screen to unblock programs, or add programs to the list of trusted applications, which prevents them from being flagged as problematic by Kaspersky's tool.

Kaspersky's Anti-Ransomware Tool for Business is free, but by using it you agree to provide information to Kaspersky in return (to increase the protection level, according to Kaspersky).

Among the many bits of information are the hardware and software of the computer, information about downloaded and started applications, unique application installation IDs and unique computer IDs, information about checked files, and information about digital certificates in use.

You find the full list under "about data provision" in the help file.

Closing Words

It is near-impossible to judge the program without running lengthy tests of how effective it is at protecting Windows PCs against malware threats. It is probably a good idea to wait until it has been tested in the wild, or, if you have the capabilities, to test it yourself before deciding whether to install it as a protective program on Windows.
