Windows, Flash and IE

The perfect trio, if you are a miscreant intent on making someone’s day horrible. For years we have known that IE was buggy, that Flash was a security hole no one should use, and that Windows has how many new and variant malware a day? (It’s one every 4.2 seconds, you do the math.)

But it is getting better, and part of that is that Windows 10 is much more secure and people are starting to not use Flash and IE. Microsoft has proclaimed that IE is not a web browser and Adobe is telling people to not use Flash. And this is good, except parts of IE are embedded in everything Windows. From the desktop to file dialogs, part of that code lives on. What bug or exploit, as yet unknown, is just sitting there ready for someone to use?

The “I can send you an email and get your password” bug, which we should have seen coming, is based on Microsoft’s use of the file:// URL. Because so many companies still use this on their internal intranets, people still have to use IE. Firefox and Chrome won’t open that URL because file:// is a security risk. But we use them and the same problem exists in the Outlook mail client because it shares either a library or code with IE.

It comes down to this: when Microsoft made their networking platform, the only servers your computer could see were the company servers on your network, so it knew it could trust them. To make sure people could only see what they were allowed to see, your computer had to identify you to that server with your username and the hash of your password. But it never really checked if that server was worthy. (It was/is encrypted.) They made the file:// URL. Skip ahead to the internet and we have certificates to identify servers and do encryption. But when Windows sees a file:// URL it doesn’t ask, it just sends your username and password hash. So now it’s in emails, web pages and shortcuts (see the icon URL), so when you open a file dialog and go to a directory with a shortcut that has been edited so the URL for the icon is a file:// URL, there goes your username and password hash.

So what, you say? Um, unless your password is 30 characters or longer and hasn’t already shown up in a dumped password list (or rainbow tables), it’s trivial to break it. Any good gaming computer now has a graphics card that can be used by password cracking software to break your password. And that gaming computer, instead of the normal 2 or 4 CPU cores, now also has the compute cores in the graphics card, likely 300, but there are some with up to 5 thousand cores. So instead of a few days to break a password with just a CPU, it’s minutes on a gaming system. With access to a cloud compute system or the supercomputer at your place of employment, the limit goes up to 35- or 40-character passwords to be safe.

Sorry if this is confusing I’m a bit sick today.

I can get and crack your password hashes from an email -CSO

I love this one. A CSO Online story a few days ago where you can just send someone an email with a certain type of URL in a link somewhere and if the person uses Windows, when they view the email it sends your system their username and password hash.

This is a new twist to the “IE sends your password” hack already described here and it’s something we should have figured out already. And it’s worse really. Every program on Windows that uses URLs, like file dialogs or editors or the desktop, has this bug/feature. I can trigger this with notepad.

So my recommendations: If you can’t avoid Windows use text view for emails, 2 factor authentication and long passwords. Long passwords because the longer the password the less likely it will be in rainbow tables. And always use a password longer than 15 characters because Windows passwords smaller than that can be decrypted.
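Added example (not part of the original post): a small Python check for the pattern described above. It flags file:// URLs and \\host\share paths that name a remote server, either in the HTML body of an email or in the URL=/IconFile= keys of a text .url shortcut. The attribute list and the sample data are assumptions made for the illustration, and binary .lnk shortcuts are not parsed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"src", "href", "background", "data", "poster"}  # attributes a client may fetch

def remote_smb_host(value):
    """Return the remote host named by a file:// URL or UNC path, else None."""
    v = unquote(value.strip())
    is_file_url = v.lower().startswith("file:")
    if is_file_url:
        v = v[5:]
    elif not v.startswith("\\\\"):
        return None  # neither a file: URL nor a \\host\share path
    v = v.replace("\\", "/")
    slashes = len(v) - len(v.lstrip("/"))
    if slashes < 2 or (is_file_url and slashes == 3):
        return None  # file:///C:/... is a local path, no server is contacted
    host = v.lstrip("/").split("/", 1)[0].lower()
    return None if host in ("", "localhost", "127.0.0.1") else host

class _AttrScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = remote_smb_host(value) if name in URL_ATTRS and value else None
            if host:
                self.hits.append((tag, name, host))

def scan_html(body):
    """List (tag, attribute, host) for each remote file reference in an HTML mail body."""
    scanner = _AttrScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.hits

def scan_shortcut(text):
    """Check the URL= and IconFile= keys of a text Internet Shortcut (.url) file."""
    pairs = (line.partition("=")[::2] for line in text.splitlines() if "=" in line)
    return [(k.strip(), remote_smb_host(v)) for k, v in pairs
            if k.strip().lower() in {"url", "iconfile"} and remote_smb_host(v)]

# Constructed samples: documentation-range address and .test names, not real hosts.
SAMPLE_HTML = ('<img src="file://203.0.113.7/share/logo.png">'
               '<img src="file:///C:/Users/me/local.png"><a href="https://example.test/r">r</a>')
SAMPLE_URL_FILE = "[InternetShortcut]\nURL=https://example.test/\nIconFile=\\\\files.example.test\\icons\\app.ico\n"
if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML), scan_shortcut(SAMPLE_URL_FILE))
```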

I realize that telling everyone to switch away from Windows is not possible, too much invested in it everywhere, and besides I wouldn’t have anything to do. Windows problems and fixes are what keeps the computer industry going.

Hopefully I won’t be so long til a new post next time. Sorry guys.

Cyber Security Series

As you may know I’ve been doing cyber security for a while and lately at work I’ve been doing cyber research. Really all of my career I have been doing cyber but until now it hasn’t been all that I have done. All of the other stuff has actually fed into the cyber research. Networking, program development, reverse engineering, etc.

At work our focus is on industrial control so I have to keep that for work, unless for some reason they let me talk about it here OR I no longer work for them. But everything else is open so I can tell you how to protect yourself on the web, protect your home network, your small business computers and network, web sites, etc.

Of course this will be way too much for one post, or even a couple, so I am hoping to do a post for each type of network you might be protecting. I want to start with the most simple and most common and work my way up to enterprise level network protection. This could take a while; I’m starting on drafts today and hope to post a new one a couple of times a week. If there are points people particularly want to know about, post comments to this post and I will add them.

I will also be posting more about specific attacks and alerts if I can. One of the first I will cover is the increasingly prevalent crypto-locker style attacks where a user’s computer files are encrypted and locked so the user cannot access them without paying a ransom.

But to start it all off, some tips to keep safe on the internet. If you can, switch the system you browse the internet with to Linux. The attacks out there are all aimed at Windows systems so if you can switch it removes 99.9% of the attack surface. But I know most people cannot do this so you have to make your copy of Windows more secure. Start by applying every important or recommended patch to Microsoft Windows and always keeping your patching up to date. If you can switch to Windows 10 this is better than staying with XP or Windows 7. 10 is more secure, just not totally secure. Turn automatic updates on in Control Panel on older Windows and Settings on Windows 10.

Install an Anti-virus and yes even Microsoft’s Windows Defender is good enough for home use. Again make sure it updates regularly and scans. Do a manual scan once in a while. Windows update should update the antivirus and once a month when it runs it runs the Malware Removal Tool. This tool provided free by Microsoft tackles a list of known malware and removes it from your system. One way you can detect malware is that some malware disables updates so check it is enabled once a month or so.

Then don’t use Internet Explorer (IE). Use Google’s Chrome or Mozilla’s Firefox or even Edge; although Edge is not as known to us researchers as the others, it’s not IE so it’s safer. Disable Flash. Most sites that use Flash also use HTML 5 and can show movies and the like without it. Also ads that use Flash won’t work. And unless you are sure you need it, disable Java in your browser. Flash and Java vulnerabilities in web browsers are the most common attack against Windows.

After that just be more cautious. If you receive an email or message with a link or attachment, stop, think and decide if it is real or not or someone is trying to “phish” you.

I will cover all of this in more detail in the first post, hopefully coming soon.

I’m back, I think

I keep doing this, I write a bit then drop off the face of the earth. I don’t mean to; it’s that to cope with the health issues and pain I end up doing other things, and posting here, or anywhere, gets pushed aside.

I want to write stuff for you guys but I have two issues. I don’t know what people want help with as a group and gaming gets in the way.

Gaming helps me focus on something other than the pain. But it has to be a specific type of game and I get very immersed in it. Gaming is not the only thing that helps, programming is also another way to do this, I get so focused I can ignore the pain. The pain is from my lung condition and the associated things with it. Writing stuff doesn’t work so the gaming ends up winning.

But I want to write stuff for you guys so if you can suggest what you want me to write about please do. Otherwise what else can I do for you? I keep thinking I should be either recording or streaming game sessions or computer help videos but I need to know what you guys need or I can’t do it for you.



Minecraft and Minetest

I hope everyone by now has heard of Minecraft. The top selling game on a couple of platforms, XBox and iOS at least, and winner of more awards than it has employees, as they like to say. Minecraft, for those of you yet to experience it, is a deceptively simple game where you mine and place blocks. Due to the number of types of blocks, both mineral and animal/plant life, you can do a lot of things, from just building a simple house and garden to creating a simulated company with factories and machines. There is also a large mod and server community that makes additions to the game and uses it to play various games and tournaments.

I own a copy or two of Minecraft and play it and like it.

And then along come the copycats and look-a-likes and some of them are just jumping on the bandwagon, so why am I talking about Minetest? Well it is a lot like Minecraft and gets a lot of comparisons but it’s different. First off, the Minetest game looks a lot like Minecraft, and there are basics that are the same, but it’s open source and the philosophy is decidedly different. Minecraft runs great on its own and can be played without any mods. In fact the XBox and PS-3 versions don’t have any mods and the game is very playable and with enough imagination can be played for quite a while. Minetest is designed to be modded to be playable. Yes you can make structures and stuff with the basic game but there are no mobs, just basic ores and no way to do anything like you can do with redstone. (Redstone allows you to make electrical circuits and up to computer like functionality although spread out over a large area.)

Everything is added by using mods. Mods for cows, sheep, new trees, new ores, new devices and the counterpoint to redstone, mesecons. Mods are easy to get, easy to program and easy to add to the game. (The game is written in Lua where original Minecraft is in Java.)

I like Minetest for a few reasons. It’s open source, so community driven and coded. It comes with Ubuntu, from Ubuntu servers (although to get the latest I had to add a new source to synaptic/apt). You can swap in new mods very easily without restarting the game, although mods that change the world can only be applied by recreating the world, since the new ores, for instance from more ores, have to be added when the world generates. Not many mods are able to retrofit, although mobs will just start spawning the new mobs on save and reopen of a world.

It also seems quicker to save and I get fairly decent frame rates even on this old laptop.

But Minetest is not a finished product. The version number should tell anyone that, as it is currently 0.4.10. I also have this problem of falling through the floor every once in a while, so when you start a game immediately set home (use /sethome) so that when you start the inevitable plunge through the earth, typing /home takes you back to that point. Once you build a home do the same sethome so you won’t teleport to your spawn point.

And check out the mods. I am always going to have more ores, more blocks, mesecons, pipeworks and compassgps installed and probably unified inventory and technics unless testing something that conflicts.

So if you want something finished and fun get Minecraft, it’s worth the relatively low cost. Get the PC version, Windows or Linux, and then you can add mods and see the things that your favorite YouTuber is playing. But also get Minetest, also fun, to see what the future is going to hold, and maybe play with programming in Lua and join the community while this new take on open world blocky gaming grows into a full-fledged game.

Don’t fall for Microsoft Phone Scam

Yet again there is a scam going around where you receive a phone call purportedly from Microsoft or some other official sounding Windows related business. Microsoft will not call you to tell you that you have a problem with your computer. Ever. It is a scam.

This is not a new scam but it must be paying off for the scammers as they keep doing it. The scam goes like this: the scammers call you and tell you they have found something wrong with your computer. To prove this they will ask you to open up the Administrative Tools and Event Viewer, and in the event logs they will point at events in the log and try to tell you that the events are due to a virus. They are not. If your computer has an anti-virus package (you have one of those right?) it is the only thing that can tell you that you have a virus.

At this point they will then try to talk you into installing a program that lets them access your computer and once you let them in they will infect your computer with malware and bill you for the “service”.

Remember, Microsoft or other tech service companies will never call you and tell you that you have a virus or “problem” with your computer. If you suspect that someone is calling you to scam you hang up on them. Never let a complete stranger access your computer.

Amusingly one of these scammers called here and my wife answered the call. She has some sense and I had warned her about this scam so when it happened she realized it immediately. She chose to not hang up but have some fun with them so she slid over to one of our Linux computers and acted a bit naively and messed with the scammer for about an hour. When he asked what version of Windows she was using she said “puppy” because that system is running Puppy Linux. Then they asked her to go to the start menu, and of course there is no “Start Menu” and she asked them “applications?” The caller, “no start menu”… Apparently he ended up quite mad and frustrated with her and hung up.

If you choose to do this be careful. I also got a scammer calling me and I played with them for a while and I ended up getting a death threat emailed to me so caution, please. We don’t think there was ever any real danger of them attacking me but be safe. These are phone scammers, but they are also criminals and they can get ugly fast. A lot of online crime is now organized crime; where there is a buck to be made by criminals, organized crime will surely try to get that buck.

Stay safe out there and if you would like to know more about viruses, malware, online scams, Linux or anything else computer related post a question in the comments. Also press Like and subscribe please.

Thanks and what else can I write for you?

I would like to thank all of my readers for something interesting happening. I was talking to one of the guys at work and said that I get a lot of hits on one of my blog posts, the Windows 8 where did notepad go post. He did a search on Google for Windows 8 notepad and yes you guys have put my blog to the top of the search results for that.

This highlights an issue with the blog though that of 100,000 + views most of them have been for that one post. I really don’t want to be a one trick pony and I have a lot more to offer but I’m crowd sourcing ideas here. What else do you want me to write about?

There is one other thing that this says to me, if you will indulge me. A lot of people came here to find a way to open notepad. A lot of people use notepad. It seems to be very important that you can use it and Microsoft still includes it. But they didn’t deem it important enough to make an easy way to get to it? I don’t think they know how important a simple text editor is to people. I hope someone at Microsoft notices and fixes that at least if not in this version of Windows in the next and that they don’t abandon it. It works so let us use it. 


