
Windows 10 Uses Your Bandwidth to Distribute Updates, Disable It Here – LifeHacker

http://lifehacker.com/windows-10-uses-your-bandwidth-to-distribute-updates-d-1721091469

Windows 10 Uses Your Bandwidth to Distribute Updates, Disable It Here

Every time Microsoft releases a new version of Windows, its servers get slammed. To help alleviate this burden, Windows 10 can download updates from other users’ computers. The problem is, it can use up your bandwidth and data caps to do so. Here’s how to turn it off.

This new distribution method works a lot like torrents do. Everyone has Windows 10 on their machine, so each person seeds a little bit of the files to those who need it, distributing the load across multiple computers and helping everyone download updates quickly. This is a great feature for those who have no data cap and want fast updates. The problem is, many ISPs have some form of data cap. This can potentially use up your allotment of data without you even realizing it’s happened. To turn it off, follow these steps:

  1. Search for “Check for updates” in the Start menu.

  2. Under “Windows Update” choose “Advanced options.”

  3. Under “Choose how updates are installed” click “Choose how updates are delivered.”

  4. Disable the toggle under “Updated from more than one place.”

This will prevent your computer from being used as a peer-to-peer server in distributing updates.

****

What a cheek!   So far, it seems as if there’s no reason to upgrade from Windows 7.

German government accuses news website of treason over leaks – Guardian

http://www.theguardian.com/world/2015/jul/31/german-government-accuses-news-website-of-treason-over-leaks

For the first time in more than 50 years journalists are facing treason charges, which is being denounced as an attack on the freedom of the press

Germany has opened a treason investigation into a news website a broadcaster said had reported on plans to increase state surveillance of online communication.

German media said it was the first time in more than 50 years journalists had faced treason charges, and some denounced the move as an attack on the freedom of the press.

“The federal prosecutor has started an investigation on suspicion of treason into the articles … published on the internet blog Netzpolitik.org,” a spokeswoman for the prosecutor’s office said.

She added the move followed a criminal complaint by Germany’s domestic intelligence agency, the Office for the Protection of the Constitution (BfV), over articles about the BfV that appeared on the website on 25 February and 15 April. It said the articles had been based on leaked documents.

The public broadcaster ARD reported Netzpolitik.org had published an article on how the BfV was seeking extra funding to increase its online surveillance, and another about plans to set up a special unit to monitor social media, both based on leaked confidential documents.

****

And this is how it starts.  The press reports on state surveillance and then the state accuses them of treason.  In the UK, the only crime that still carries the death penalty is treason (death by hanging).    It’s the classic blueprint to closing down a democracy.  Democracy will wither and die if this goes unchallenged.

How to identify a Hash – Password Cracking

Passwords are stored as a “hash”, which means the password is converted using an algorithm.  To see this in action, type a password into this site and its MD5 hash will appear.

http://www.miraclesalad.com/webtools/md5.php

Step 1 – Enter in “password” and see the hash.


Step 2 – Download HashID Python tool

https://code.google.com/p/hash-identifier/

Downloads Tab

https://code.google.com/p/hash-identifier/downloads/list


Step 3 – Enter your hash into the HashID Tool

The tool will run and then reveal the hash used.


MD5 hashes are 32 characters in length: 128 bits, which converts to 32 characters of hex.

Ashley Madison – passwords leaked

As you may know, the passwords of the “Have an Affair” site, Ashley Madison, have been leaked, which is another 37 million passwords available for password cracking.  Crackers go easy – as the divorce lawyers will utterly destroy the lives of these guys when they get hold of the data.  So how did this happen?

Here’s what the Impact Team had to say:

http://pastebin.com/Kty5xBiv

First, we expose that ALM management is bullshit and has made millions of dollars from complete 100% fraud. Example:
  • Ashley Madison advertises “Full Delete” to “remove all traces of your usage for only $19.00”
  • It specifically promises “Removal of site usage history and personally identifiable information from the site”
  • Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie.
  • Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.


So what issues immediately come to mind upon seeing the data?

****

Fact 1 – Ashley Madison did not enforce secure passwords. 

A bank would enforce a 14 character password.  Considering the danger of sexual orientation and sexual preferences leaking into the public domain, highly secure passwords ought to have been enforced.

Here’s an excerpt of AM’s passwords.


Not great is it?   Not a complex password in sight. This raises fundamental questions regarding their risk assessment.

****

Fact 2 – European Clients have Data Protection rights.

Ashley Madison had one million UK clients.  That means it must operate under EU law, which states:

The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data... (art. 12).

Oops. So Ashley Madison have fallen foul of the right to be forgotten.

****

Zero Knowledge Privacy

Basically, any site seriously interested in discretion would have implemented “zero knowledge”.  Zero knowledge is clearly not the guiding principle of the site, especially as they are charging to delete information.

There are several issues here… surrounding “Accountability”, even after you have paid for deletion.  What if they do not delete your data? How can you sue them, without your wife finding out?  Do they have to keep the credit card payments on file for several years? See the problem?

Background reading on Zero Knowledge privacy can be found here:

http://zeroknowledgeprivacy.org/

http://zeroknowledgeprivacy.org/about/

All sites that retain data on their users that can destroy their reputation or marriages, should implement cast iron levels of both security and privacy.

After discovering an affair, any decent divorce lawyer would take your home and pension. The risks are so great, that super secrecy is needed, to bypass court orders.

****

Last thoughts

If you run a website like Ashley Madison, then protecting your clients has to be your number one priority.

Deleting sensitive data should be both Automatic and FREE.

The Zero Knowledge Doctrine would make economic sense here. Finally, a giant thank you to Ashley Madison for providing another 37 million passwords for crackers.

And I’m sure the EU will be asking some hard core questions anytime soon.  Hard core.. gedit?

Privacy Guides – IVPN

IVPN have published a few privacy guides to explain the range of anonymity tools, and what and how they will protect you.  Not all tools will work for you – they ask what is the threat?  In the UK, the threat is probably your government – as the UK operates censorship.  The government is also trying to pass a new law, called the “Snoopers Charter”, which allows the government to know every website that you’ve read.

https://www.ivpn.net/privacy-guides

www.ivpn.net

Here’s an extract from their threat model:

Will a VPN Protect Me? Defining your threat model

https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me

2. Protecting Against Monitoring and Logging by ISPs

  1. Consider someone who is concerned that their ISP may be monitoring and logging their online activity. They want privacy, and they also want anonymity, in the sense of remaining unassociated with their online activity. But they’re not concerned about hackers, or other real-time adversaries. They’re just concerned that their ISP might, at some point, share logs of their online activity with other potential adversaries.
  2. Using a reputable VPN service that retains no logs, and that implements perfect forward secrecy, is the least invasive approach for mitigating this threat.
  3. When a user is connected to a VPN server, their ISP sees only encrypted traffic. Websites and other Internet destinations see the VPN service’s exit IP address, rather than the user’s ISP-assigned IP address. With perfect forward secrecy, an adversary that manages to compromise a particular VPN session can only decrypt data from that session (and not past or future data). Any encrypted traffic logged by the user’s ISP remains secure.
  4. For this approach to make sense, the user must trust the VPN service more than they trust their ISP. That’s often a straightforward choice (for example, where ISPs are tightly regulated and monitored). If the stakes are high, it may be prudent to distribute trust, so that compromise would require collusion. Using the Tor browser would be the simplest approach. However, given the risk of malicious exit nodes, using end-to-end encryption would be prudent. If hiding Tor use is important, the user could access the Tor network through a VPN service, or perhaps through a nested chain of VPN services.

*****


How to configure the most secure VPN – IVPN

https://uwnthesis.wordpress.com/2015/07/12/how-to-configure-the-most-secure-vpn-ivpn/

Creator Of Internet Privacy Device Silenced: “Effective Immediately We Are Halting Further Development”

http://www.zerohedge.com/news/2015-07-19/creator-internet-privacy-device-silenced-effective-immediately-we-are-halting-furthe


(Pictured: Proxyham by Benjamin Caudill / Rhino Security Labs)

Earlier this year an inventor by the name of Benjamin Caudill announced a device he dubbed the ProxyHam which was going to literally change everything about how those concerned with privacy could connect to the internet:

“I PRESENT PROXYHAM, A HARDWARE DEVICE WHICH UTILIZES BOTH WIFI AND THE 900MHZ BAND TO ACT AS A HARDWARE PROXY, ROUTING LOCAL TRAFFIC THROUGH A FAR-OFF WIRELESS NETWORK – AND SIGNIFICANTLY INCREASING THE DIFFICULTY IN IDENTIFYING THE TRUE SOURCE OF THE TRAFFIC. IN ADDITION TO A DEMONSTRATION OF THE DEVICE ITSELF, FULL HARDWARE SCHEMATICS AND CODE WILL BE MADE FREELY AVAILABLE.”

Rhino Security Labs via HackRead

What Caudill had built is a device that would mix up your personal WIFI signal in such a way that no one, not even the National Security Agency, could track down where it originated.

That, of course, is not something the government wants in the hands of ordinary citizens, and the events of the last week show exactly how dangerous of a device this is to the Big Brother Surveillance State.

Just hours before Caudill was to reveal a fully-functioning ProxyHam at the DefCon hacking conference his presentation was abruptly cancelled. No reason was given and Caudill posted several cryptic Tweets that left many baffled.

The device had been disappeared, the company was cancelling production on retail units, and the source code and blueprints would no longer be released to the public.


Some have suggested that a private business approached Caudill before the conference and made him an offer for retail distribution.

But the more likely scenario, given what we’re privy to about the device and the government’s incessant need to know everything about everyone, is that someone made Caudill an offer he couldn’t refuse. Hackread explains:

There’s another possibility of this sudden cancellation i.e. intrusion by the government. Maybe that is the reason why Caudill is not discussing the reason behind this halt. Even though the security firm was “excited” to unveil ProxyHam at Def Con.

Steve Ragan of CSO Online said:

“IT WOULD LOOK AS IF A HIGHER POWER – NAMELY THE U.S. GOVERNMENT – HAS PUT THEIR FOOT DOWN AND KILLED THIS TALK […] IT ISN’T PERFECT, BUT A TOOL LIKE PROXYHAM – WHEN COMBINED WITH TOR OR OTHER VPN SERVICES, WOULD BE POWERFUL.”

Incidents like this give us clear insight into what the goals of government surveillance are. As we noted in 2011, well before the Snowden revelations, everything we do is monitored.

John McAfee, known for creating one of the first virus security programs for computers, has also been working on a new gadget that would create a “dark web” of interconnected devices designed to shield individuals from government monitoring. The device, according to McAfee would cost less than $100.

The cat is out of the bag with the ProxyHam and its abilities. It shouldn’t be long before source codes and blueprints for similar gadgets begin appearing on the open market.

How to crack passwords using a GUI on Windows 7 – Hashcat

Step 1 – Install .NET 4 framework – Stand alone installer

https://www.microsoft.com/en-sg/download/details.aspx?id=17718

http://filehippo.com/download_dotnet_framework_4/

Step 2 – Download OCL Hashcat 1.36 for Windows

http://hashcat.net/oclhashcat/


Step 3 – Download Hashcat Gui for Windows

http://hashkiller.co.uk/hashcat-gui.aspx

***

Step 4 – Watch the video regarding rulesets and wordlists

Hashcat options.

This is background information so that you can adapt your attack for windows hashes or unix hashes etc.

hashcat --help

-m = hash type  (the hash varies by operating system)

-a = Attack Mode (we’ll use both Straight and Combination Attack)

-r = rules file (look for xyz.rule)

 

****

Questions to ask

1. What hash algorithm is being used? MD5 or NTLM?

2. What wordlists do you want to use?

The rockyou database is one of the best, with 14 million unique passwords.

3. What rulesets do you want to use?

Straight through or Combinator?

 

Step 5 – Collect Password Dictionaries

https://github.com/danielmiessler/SecLists/tree/master/Passwords

The 2 major cracking dictionaries are Rockyou, and CrackStation.

Rockyou contains 14 million unique passwords.

CrackStation.  For MD5 and SHA1 hashes, there is a 190GB, 15-billion-entry lookup table, and for other hashes, they offer a 19GB 1.5-billion-entry lookup table.

Download CrackStation by Torrent:

https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

Some hashes will fail to crack, for several reasons: for example, the hash may not be MD5, or the password may not be in your wordlist.

Hashing is case sensitive, so Password1 and password1 do not produce the same hash.

oclHashcat-Plus uses your GPU rather than your CPU to crack passwords.  Graphics cards are MUCH faster as an attack tool, than a CPU… MANY times faster.
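From the defender's side, the points above (32-character MD5 output, the "MD5 or NTLM?" question, case sensitivity, and precomputed lookup tables) all follow from the hash being fast, fixed-length and unsalted. The following is an added example, not code from this post, HashID or hashcat: it audits a constructed account table for shared unsalted hashes and shows salted PBKDF2 storage beside it. The account names, function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumption: iteration count chosen for illustration; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000

# Hex length alone is ambiguous: MD5 and NTLM are both 128 bits = 32 hex chars.
HEX_LENGTHS = {32: ["MD5", "NTLM"], 40: ["SHA-1"], 64: ["SHA-256"], 128: ["SHA-512"]}


def md5_hex(password):
    """Unsalted MD5 as a 32-character hex string (the weak storage form)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def candidate_algorithms(digest):
    """Algorithms whose hex digest has this length; [] if the input is not hex."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return []
    return HEX_LENGTHS.get(len(digest), [])


def accounts_sharing_a_hash(records):
    """Audit check: group users by stored digest.

    Any group larger than one means the store has no per-user salt, so one
    precomputed table entry reverses every account in the group.
    """
    groups = defaultdict(list)
    for user, digest in records:
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def store_password(password):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify_password(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(attempt, key)


# Constructed sample accounts (not taken from any real data set).
SAMPLE_USERS = [("alice", "password"), ("bob", "Password1"), ("carol", "password")]

if __name__ == "__main__":
    weak = [(user, md5_hex(pw)) for user, pw in SAMPLE_USERS]
    print("candidates for first hash:", candidate_algorithms(weak[0][1]))
    print("accounts sharing an unsalted hash:", accounts_sharing_a_hash(weak))

    strong = [(user, store_password(pw)[1].hex()) for user, pw in SAMPLE_USERS]
    print("accounts sharing a salted hash:", accounts_sharing_a_hash(strong))
```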

*****

KALI – How to crack passwords using Hashcat – The Visual Guide

https://uwnthesis.wordpress.com/2013/08/07/kali-how-to-crack-passwords-using-hashcat/

BRUTE FORCE HACKING – Brute force Calculator – A Visual Guide

https://uwnthesis.wordpress.com/2014/04/18/bruteforce-hacking-bruteforce-calculator-a-visual-guide/

DRIPA “unlawful” according to High Court judgment – Big Brother Watch

https://www.bigbrotherwatch.org.uk/2015/07/dripa-unlawful-according-to-high-court-judgment/

A year to the day that DRIPA was enacted its early demise has been confirmed in the High Court.

Today’s judgment in the judicial review brought by David Davis MP and Tom Watson MP is a huge blow to the Government.

The Court has found DRIPA to be unlawful, proving that rushing emergency legislation through Parliament with no scrutiny and little debate was not the way to solve the issue of national security concerns and surveillance. As the Court state in the judgment “legislation enacted in haste is more prone to error.” (The Government is currently rushing through the Snoopers Charter – which is MUCH worse than DRIPA).

The ruling is abundantly clear. Section 1 of DRIPA which states that the Secretary of State can issue a notice to a telecommunications operator to “retain relevant communications data” if the Secretary of State considers it to be “necessary and proportionate” is “inconsistent with EU law”.  YAY!

The Court state clearly that communications data should only be retained for the “prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences”.

It goes on to say that it is necessary that “prior review by a court or an independent administrative body” who will determine “what is strictly necessary” must be applied to any access for retained data.  At the moment the police issue and authorise the warrants themselves – there is no rule of law.  It’s East Germany all over again.

This judgment is in line with the recommendations made by both David Anderson QC in his report “A Question of Trust” and the review of surveillance powers conducted by RUSI.

Today’s ruling effectively brings the sunset clause date of 31st December 2016 for DRIPA forward to the 31st March 2016. Whilst the court was prepared to make DRIPA ineffective immediately, Mr Davis and Mr Watson requested that more time be given to give Parliament “a reasonable opportunity to legislate proper safeguards.”

*****

The court was willing to declare DRIPA illegal with immediate effect.  I so wish that Tom Watson and David Davis had agreed to this.

However, these two legends of privacy stand tall against the Orwellian Government, and the UK is a safer place today, because of two good men.

UK mass surveillance laws are unlawful, it’s official

http://www.wired.co.uk/news/archive/2015-07/17/uk-surveillance-laws-are-unlawful

Emergency mass surveillance laws rushed through Parliament last year have been ruled unlawful by the High Court.

The Data Retention and Investigatory Powers Bill (Dripa), which was pushed through in three days in July 2014, was designed to give GCHQ and other public intelligence authorities the power to gather and retain information on phones calls, text messages and online communications, and force telecommunications companies to retain data for 12 months.

It was deemed necessary by the then-coalition government due to existing powers being invalidated by a ruling from the European Union’s Court of Justice. In order to maintain effective guards against serious crime and terrorism, the Home Office argued at the time, new emergency powers were required. A group of British legal experts published an open letter protesting the emergency bill, which gave MPs no time to deliberate the complex legislation. But with little time to raise a strong opposition, the bill was passed and later cemented in law.

In what will be seen as a big win for privacy activists everywhere, a challenge brought by MPs David Davis and Tom Watson has now been proven legitimate. The High Court ruled today that sections 1 and 2 of Dripa are unlawful because they breach Articles 7 and 8 of the EU Charter of Fundamental Rights. 

 “The court has recognised what was clear to many last year, that the government’s hasty and ill-thought through legislation is fatally flawed,” said triumphant MP for Haltemprice and Howden, Davis. “They will now have to rewrite the law to require judicial or independent approval before accessing innocent people’s data, reflecting the new consensus amongst experts in the Anderson and RUSI reports. This change will improve both privacy and security, as whilst the government gave Parliament one day to consider its law, the court has given almost nine months.”

The High Court ruled that the law fails to provide the “clear and precise rules” necessary to ensure data is only accessed in the most serious cases to prevent crime, or accessed when conducting criminal prosecutions relating to those serious offences. Dripa also fails to demand a warrant from a court or independent body. In the ruling the High Court concluded: “The need for that approval to be by a judge or official wholly independent of the force or body making the application should not, provided the person responsible is properly trained or experienced, be particularly cumbersome.”

****

Yay! for David Davis and Tom Watson.

The police raided David Davis’ office late in the evening, under terrorism laws to take documents used by Parliament.  The Doctrine of the Separation of Powers (Legislative, Judiciary and Executive) was breached that night.  Tom Watson stood against Murdoch and the hacking scandal.  Two good men – whose value to society is legendary.

Flash Zero Day Flaw – TrendLabs Security Intelligence

http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/

Most of the leaked information covered Hacking Team’s business practices, which seemingly contradict their official statements on who they sell their products to. However, the leak also included the tools provided by the company to carry out attacks, and this included several exploits targeting Adobe Flash Player and Windows itself.

The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.

One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been given a CVE number.

Figure 1. Description of vulnerability by Hacking Team

Vulnerability Information

The leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode.

In the POC, there is a readme document which describes the details of this zero-day as we can see below. It states that this exploit can affect Adobe Flash Player 9 and later, and that desktop/metro IE, Chrome, Firefox and Safari are all affected. External reports have stated that the latest version Adobe Flash (version 18.0.0.194) is also affected.

Figure 2. Description of vulnerability by Hacking Team

Root Cause Analysis

The readme also describes the root cause of the vulnerability. This is a ByteArray class use-after-free (UAF) vulnerability, which we can describe simply.

  • When you have a ByteArray object ba, and perform an assignment like this ba[0] = object, it will call this object’s ValueOf function
  • The ValueOf function can be overridden, so someone can change value of ba in the object ValueOf function
  • If you reallocate the ba memory in the ValueOf function, it will cause a UAF because ba[0] = object will save the original memory and use it after ValueOf function has been called.
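The ordering problem in the three points above can be modelled without any memory corruption. The following is an added example, not code from the article, the leak or Flash: a memory-safe Python model in which `__int__` stands in for the overridable ValueOf function, showing the buggy order (take the buffer, then run user code) beside the fixed order. All class and method names are assumptions.

```python
class ByteArray:
    """Memory-safe model of a growable byte buffer (not Flash's implementation)."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def resize(self, size):
        # Model a reallocation: a new backing store replaces the old one,
        # which native code would now have freed.
        old = self.buf
        self.buf = bytearray(size)
        keep = min(len(old), size)
        self.buf[:keep] = old[:keep]

    def store_unsafe(self, index, obj):
        """Bug pattern: cache the backing store, then run user code."""
        target = self.buf                 # reference taken BEFORE the callback
        value = int(obj) & 0xFF           # runs obj.__int__, which may resize
        stale = target is not self.buf    # True if the callback reallocated
        target[index] = value             # write lands in the abandoned buffer
        return stale

    def store_safe(self, index, obj):
        """Fix: run user code first, then fetch and bounds-check the buffer."""
        value = int(obj) & 0xFF
        if not 0 <= index < len(self.buf):
            raise IndexError("index out of range after conversion")
        self.buf[index] = value
        return False


class ResizingValue:
    """Constructed object whose conversion hook reallocates the array."""

    def __init__(self, array, new_size, value):
        self.array = array
        self.new_size = new_size
        self.value = value

    def __int__(self):
        self.array.resize(self.new_size)
        return self.value


def demo(store_name):
    """Return (stale_write, first_byte) for the chosen store method."""
    ba = ByteArray(16)
    store = getattr(ba, store_name)
    stale = store(0, ResizingValue(ba, 4096, 0x41))
    return stale, ba.buf[0]


if __name__ == "__main__":
    # Unsafe order: the write went to the old buffer, the live one is untouched.
    print("unsafe:", demo("store_unsafe"))
    # Safe order: the value is stored in the live buffer.
    print("safe:  ", demo("store_safe"))
```

In this model the stale write is simply lost; in native code the same ordering writes through a pointer to freed memory, which is the use-after-free the readme describes.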

Release Version Exploit Analysis

After triggering the UAF vulnerability, it corrupts the Vector.<uint> length to achieve arbitrary memory read and write capabilities in the process. With this ability, the exploit is capable of performing the following:

  • Search for the kernel32.dll base address in process, then find the VirtualProtect address
  • Find the address of shellcode which is contained in a ByteArray
  • Call VirtualProtect to change the shellcode memory to become executable.
  • There is an empty static function named Payload defined in AS3 code.
  • Find the Payload function object address and then find the real function code address contained by the Payload function object.
  • Overwrite the real function code address with the shellcode address
  • Call the static function Payload in AS3, which causes the shellcode to be called
  • After the shellcode executes, reset the static function address.

We can see that this exploit method can bypass Control Flow Guard by overwriting a static function code address.
