
Windows 10 miscellany

Ed Bott noticed that the latest release of Windows 10 (1511) was mysteriously removed from availability via the Media Creation Tool (MCT). The new version can still be obtained through Windows Update. Microsoft’s explanation isn’t very helpful, and it’s rather annoying to system builders who missed the brief window during which release 1511 was available via MCT.

Update #1: Ars Technica reports on the situation, noting that there are reports of serious problems with release 1511 when installed via the MCT.

Update #2: Ars Technica confirms that upgrading via MCT was causing privacy settings to be reset to defaults. The problem has been fixed, and build 1511 is once again available via MCT.

Meanwhile, Microsoft apparently updated its privacy policy in response to concerns about information gathered and transmitted by Windows 10. Changes to the policy make it clear that Microsoft will give law enforcement access only to your data stored on its servers, not to data stored locally on your computer. Encryption keys are backed up to Microsoft servers, but Microsoft will not use them to decrypt disks or files on your computer. The collection of telemetry data cannot be disabled, but it can be limited so that only very basic data is collected, none of which is personal.

And finally, Microsoft has relented somewhat on its Windows 10 activation policy, allowing for legitimate installs using old, unused activation keys from Windows 7 or 8.

Security roundup for June 2015

What’s in a name?

ICANN is the non-profit organization that governs the basic naming system used on the Internet. Anyone who owns a domain name has an ongoing relationship (even if indirect) with ICANN. Unfortunately, there’s alarming evidence that ICANN is now being guided by corporate interests. Update 2015Jul08: this is a very real privacy threat.

ICANN wants to make it impossible for site owners to be anonymous. They insist that this will only apply to commercial sites, but the definition of commercial promises to be so vague that almost any site would qualify. Spammers will be rubbing their hands together in glee, since the information associated with domain registration is extremely valuable to them.

Free proxies: use with caution

Brian Krebs reports on recent research in which 443 free, open proxy services were tested, to determine whether they: a) support secure web traffic; b) maintain the privacy of user information; and c) modify user traffic in any way. Fully 79% of the tested proxies force web pages to load non-securely, which means that the service operator can see all their user traffic in unencrypted form. Sixteen percent of the services actively insert advertising into customer web traffic.

Recommendation: if you’re looking for a free proxy service, try to find one that allows secure (HTTPS) web traffic.

Why We Encrypt

Another insightful post from security expert Bruce Schneier explains why encryption is important, why it should be enabled by default, and why recent efforts to weaken encryption are a huge mistake.

Failure to encrypt

Researchers at AppBugs used their security software to detect flaws in the way apps encrypt Internet traffic, and the results are depressing. Over fifty Android applications – downloaded by millions of users – are using encryption incorrectly, or not at all. While some of these apps probably don’t transmit anything sensitive, many do, including several high profile apps from the NBA, Match.com, Safeway, and Pizza Hut.

New method for managing passwords

The free, open source Master Password simplifies the task of securely generating and storing secure, unique passwords. It does this without the need to store or access anything on the Internet; all you need is the app itself and a master password. The catch? You’ll have to generate and set new passwords for all the sites and services you use. Master Password is available for iPhone/iPad, Mac, Windows Desktop, Android, and on the web.

Steganography toolkit for malware

Steganography is a technique used to hide information inside otherwise harmless-looking image files. Security researchers have previously detected its use in hiding malware, but now they’ve discovered software that helps malware authors use the technique. Dell SecureWorks researchers recently analyzed Stegoloader’s capabilities. From their report:

Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.

The dangers of using secret questions for account recovery

Anyone who uses Internet-based services has seen them: ‘secret’ questions and answers you set up to facilitate password resets and account recovery. The idea is that the service can be sure you are who you say you are because you can correctly answer one or more of these questions. The problem is that this method has serious failings, as reported by Google researchers (PDF). The authors recommend using email-based, or – better still – SMS/text-based account recovery methods.

Testing your anti-malware solution

Is your anti-malware software working? Short of visiting a web site known to distribute malware, how can you be sure? One method involves a special string of text known as the EICAR test. Visit the EICAR web site and download a file containing the text; your anti-malware software should detect the text and identify it as the EICAR test. Alternatively, you can download Didier Stevens’ EICARGen software, which generates files containing the EICAR text. Depending on your anti-malware software’s configuration, the EICAR text may be detected when you attempt to download it, or when you write, read, or execute a file containing it. I currently use Avast, which by default detects EICAR when attempting to download it, and during full and explicit scans, but only detects EICAR in existing files when they are executed.
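The write and read stages of the check described above can be scripted. The following is an added example, not code from the original post or from EICARGen; the function name `probe_on_access`, the file name and the settle delay are assumptions, and the execute stage is left as a manual step.

```python
import os
import shutil
import tempfile
import time

# Standard 68-byte EICAR test string, kept in pieces so a scanner that
# inspects this script's own source does not flag it.
_PARTS = [r"X5O!P%@AP[4\PZX54(P^)7CC)7}", "$EICAR-STANDARD-",
          "ANTIVIRUS-TEST-FILE!", "$H+H*"]
EICAR = "".join(_PARTS).encode("ascii")


def probe_on_access(settle_seconds=2.0):
    """Write the EICAR string to a temp file, read it back, and report
    at which stage (if any) the anti-malware product intervened."""
    results = {"write": "allowed", "read": "not reached"}
    workdir = tempfile.mkdtemp(prefix="eicar_probe_")  # hypothetical prefix
    path = os.path.join(workdir, "eicar_test.com")     # hypothetical name
    try:
        try:
            with open(path, "wb") as fh:
                fh.write(EICAR)
        except OSError:
            results["write"] = "blocked"
            return results
        # Real-time scanners often quarantine a moment after the write.
        time.sleep(settle_seconds)
        try:
            with open(path, "rb") as fh:
                intact = fh.read() == EICAR
        except OSError:
            # File removed, quarantined, or access denied by the scanner.
            intact = False
        results["read"] = "allowed" if intact else "blocked"
        return results
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for stage, outcome in probe_on_access().items():
        print(f"{stage:5s}: {outcome}")
```

Two "allowed" results mean the product did not intervene on write or read; that is consistent with a configuration that only scans existing files on execution or during an explicit scan.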

Analysis shows people are using stronger passwords

A recent post on Ars Technica provides an interesting look at the strength of passwords.

People seem to be getting the message about using strong passwords, because the worst passwords are being used less frequently. For example, the notoriously bad password ‘123456’ was used in less than 1% of the sample data, down from 8.5% in previous studies.

But while these findings are encouraging, it’s important to recognize that the data is likely skewed, because it is mostly obtained from public dumps of data taken from compromised systems.