John Lightning
Mar 10, 2012

OSI bean dip posted:

Thanks for reminding me to edit the OP about this.

Sure, no problem!


Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?
what, nothing about applocker/SRPs on Windows?

Wiggly Wayne DDS
Sep 11, 2010



Mr Chips posted:

what, nothing about applocker/SRPs on Windows?
Advice on that is just going to lead to people breaking their own systems, but it should be talked about of course.

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

Wiggly Wayne DDS posted:

Advice on that is just going to lead to people breaking their own systems, but it should be talked about of course.

The default applocker policies on 8.1 don't break the OS, and will prevent a lot of malware running itself from the usual locations in %userprofile%.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Wiggly Wayne DDS posted:

Advice on that is just going to lead to people breaking their own systems, but it should be talked about of course.

If someone wants to write something on this, please feel free and I'll consider adding it to the OP.

some dillweed
Mar 31, 2007

Not sure if I should just ask in here or make a new thread, but I'll ask anyway. Let me know otherwise.

I downloaded a program. Being generally paranoid, I did an on-demand scan (like usual) on the executable/self-extracting archive and got a slightly inconclusive hit (seems like potentially a false positive, from what little information I found). I never manually ran the executable. Uploaded it to VirusTotal and 15/55 came back with a result but again, the results seemed fairly generic and inconclusive. I deleted the program and have run several full scans on my system with MSE, TDSSKiller, Rkill, Comodo Cleaner Essentials/KillSwitch/Autorun Analyzer, Malwarebytes, and SuperAntiSpyware. Running KillSwitch, there are a few drivers in the "Services" with nonsense names that I can't find any real information on (qrhwas, tcoifh, uotote), but I have no idea if they're related to the various scanners or what. Other than that, there are various "unknowns" from my Bluetooth and Creative audio drivers, and some mshtml.dll entries from Autorun Analyzer (about, javascript, mailto, res, vbscript), but they're signed Microsoft and don't throw any flags in the other scanners. Nothing else unknown or suspicious shows up in any of the other scanners.

There aren't currently any new problems that I've noticed with the system. Is there anything else I should do to try to make sure nothing's wrong? Should I still be at all worried about this, or should I just assume it was a false positive and the system's fine? I tend to be overly paranoid and just wipe everything whenever a suspicious file pops up, which I think is probably overdoing it and overly time-consuming.

Pile Of Garbage
May 28, 2007



Grog posted:

Not sure if I should just ask in here or make a new thread, but I'll ask anyway. Let me know otherwise.

I downloaded a program. Being generally paranoid, I did an on-demand scan (like usual) on the executable/self-extracting archive and got a slightly inconclusive hit (seems like potentially a false positive, from what little information I found). I never manually ran the executable. Uploaded it to VirusTotal and 15/55 came back with a result but again, the results seemed fairly generic and inconclusive. I deleted the program and have run several full scans on my system with MSE, TDSSKiller, Rkill, Comodo Cleaner Essentials/KillSwitch/Autorun Analyzer, Malwarebytes, and SuperAntiSpyware. Running KillSwitch, there are a few drivers in the "Services" with nonsense names that I can't find any real information on (qrhwas, tcoifh, uotote), but I have no idea if they're related to the various scanners or what. Other than that, there are various "unknowns" from my Bluetooth and Creative audio drivers, and some mshtml.dll entries from Autorun Analyzer (about, javascript, mailto, res, vbscript), but they're signed Microsoft and don't throw any flags in the other scanners. Nothing else unknown or suspicious shows up in any of the other scanners.

There aren't currently any new problems that I've noticed with the system. Is there anything else I should do to try to make sure nothing's wrong? Should I still be at all worried about this, or should I just assume it was a false positive and the system's fine? I tend to be overly paranoid and just wipe everything whenever a suspicious file pops up, which I think is probably overdoing it and overly time-consuming.

What did the AV engines on VirusTotal report it as? Usually you can find an accompanying KB article from the relevant vendor which lists signs of infection that you can check for. Of course that's assuming that it's fairly benign.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Grog posted:

Running KillSwitch, there are a few drivers in the "Services" with nonsense names that I can't find any real information on (qrhwas, tcoifh, uotote), but I have no idea if they're related to the various scanners or what.

I would be worried about this regardless. Do AV, etc scanners generally use random names now?

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

Grog posted:

I never manually ran the executable.

Then you're no worse off than you were before unless it exploited your AV engine or, e.g., the PE parser bit of Windows (realistically it probably didn't).

BigFactory
Sep 17, 2002
I'm always trying to find new malware scanners to clutter up my poo poo. I just saw a thing that linked to Microsoft Safety Scanner, which I've never used before.

I followed the link, and the page looked so phony I had to do a double take. So I went and found another link to the same page from Microsoft. And it's still the same weird, old fashioned looking page, but whatever. I downloaded the exe, and now when I try to run it I get windows 10 Smart Scan telling me it doesn't recognize the publisher. What's going on here, and am I missing anything by not installing Safety Scanner?

Carbon dioxide
Oct 9, 2012

What the hell. I can't even load that page on microsoft.com. It keeps trying to reload something forever.

According to Wikipedia it's something from 2011.

E: Hah, that page has a script that redirects https to http. Except microsoft.com has a general thing now that redirects all http requests to https. So that turns it into an infinite loop. Turn off javascript if you wanna see the page.

Carbon dioxide fucked around with this message at 22:07 on Oct 29, 2015

some dillweed
Mar 31, 2007

Rufus Ping posted:

Then you're no worse off than you were before unless it exploited your AV engine or, e.g., the PE parser bit of Windows (realistically it probably didn't).
Yeah, I think it was more realistically not something to worry about. Ugh.

cheese-cube posted:

What did the AV engines on VirusTotal report it as? Usually you can find an accompanying KB article from the relevant vendor which lists signs of infection that you can check for. Of course that's assuming that it's fairly benign.
MSE reported it as "Trojan:Win32/Dynamer!ac," I think it came up as "Trojan.Win32.Generic!BT" and "Trojan/Win32.TSGeneric" in a couple of others, and one might have mentioned something about adware. I'm guessing it would've fallen under the category of false positive or "potentially unwanted program." Can't really go back and find the results or re-scan the file at this point.

Volmarias posted:

I would be worried about this regardless. Do AV, etc scanners generally use random names now?
I don't know. MSE created a service/driver/whatever to reboot and delete a PUP (safe, but I didn't need it anymore so I just let it), and that was a bunch of random letters when it came up in KillSwitch.

I ended up blowing away my OS again anyway soon after I posted. I'm guessing I overreacted to the whole thing and was just in too lovely of a state of mind to keep myself calm. I've been sick for two weeks now and it's getting to me. I'm gathering up some bootable disks to try scanning outside of any kind of Windows install to see if anything comes up, but I think I just overreacted like usual.

doctorfrog
Mar 14, 2007

Great.

Any opinions on the encryption implementation in 7zip?

I like to create encrypted archives of my vital files and just scatter them to different cloud services and on flash drives I carry around. Like if I'm on Google Drive, I'll just put up an encrypted 7z of my documents directory in case of disaster, fire, theft, etc. If I'm carrying a new flash drive, I'll toss one on there. Copy one to a folder on my work PC. Leave a flash drive in a junk drawer at my parents' house. Stuff like that.

Let's also assume my password's really good and I change it every few months, and keep 'em all in Keepass and that end is all taken care of.

Khablam
Mar 29, 2012

doctorfrog posted:

Any opinions on the encryption implementation in 7zip?

I like to create encrypted archives of my vital files and just scatter them to different cloud services and on flash drives I carry around. Like if I'm on Google Drive, I'll just put up an encrypted 7z of my documents directory in case of disaster, fire, theft, etc. If I'm carrying a new flash drive, I'll toss one on there. Copy one to a folder on my work PC. Leave a flash drive in a junk drawer at my parents' house. Stuff like that.

Let's also assume my password's really good and I change it every few months, and keep 'em all in Keepass and that end is all taken care of.

The easiest way of achieving this is also the most secure. You can create a Truecrypt* volume within your dropbox and simply shove your files there. Dropbox chunks the container like any large file and just uploads the sections that have changed. You can also give yourself plausible deniability (hide the encryption) so that, if someone steals the USB / hacks dropbox and AES is broken in 5 years, they can't go back and open it up. Or at least, they'd have no reason to suspect they could.** TC uses a slightly more secure implementation of AES, and can also chain encryption methods with no appreciable performance issues, so a complete break in one algorithm won't break the encryption.

The only risk to your data is 7-Zip having a backdoor (intentionally or not) or a tragic error in its implementation. TC has been examined to death for a vulnerability and one has never been found that could lead to easier brute force attacks. Has 7-Zip been so intensely scrutinised? Almost certainly not. Whether you consider that a valid threat is your own exercise though.

*Truecrypt forked and largely died as a project as of 7.2. 7.1a was a full proper release by the original team, and as of Feb this year was audited to ensure there are no backdoors (etc) in the code.
**You can determine something is a TC volume with a little effort, your goal is to create something that looks like it is meant to be random-looking data and be passed over. Video files are a good choice - most players will launch and simply say the file is missing a codec or similar.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Khablam posted:

The easiest way of achieving this is also the most secure. You can create a Truecrypt* volume within your dropbox and simply shove your files there. Dropbox chunks the container like any large file and just uploads the sections that have changed. You can also give yourself plausible deniability (hide the encryption) so that, if someone steals the USB / hacks dropbox and AES is broken in 5 years, they can't go back and open it up. Or at least, they'd have no reason to suspect they could.** TC uses a slightly more secure implementation of AES, and can also chain encryption methods with no appreciable performance issues, so a complete break in one algorithm won't break the encryption.

The only risk to your data is 7-Zip having a backdoor (intentionally or not) or a tragic error in its implementation. TC has been examined to death for a vulnerability and one has never been found that could lead to easier brute force attacks. Has 7-Zip been so intensely scrutinised? Almost certainly not. Whether you consider that a valid threat is your own exercise though.

*Truecrypt forked and largely died as a project as of 7.2. 7.1a was a full proper release by the original team, and as of Feb this year was audited to ensure there are no backdoors (etc) in the code.
**You can determine something is a TC volume with a little effort, your goal is to create something that looks like it is meant to be random-looking data and be passed over. Video files are a good choice - most players will launch and simply say the file is missing a codec or similar.

I would never, ever recommend TrueCrypt in light of this statement from the developer themselves:

quote:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

Nowhere does it mention specifically that it is the crypto that is at fault, but it should be noted that while it did go under an audit after it was forked, it only focused on the cryptography, not the OS implementation, which I'd argue is just as important. It has come to light since the audit that there were severe vulnerabilities affecting both TrueCrypt and its forks. This isn't to say that these are the vulnerabilities that the original developer was warning about, but it should be enough to indicate that there are problems affecting more than the crypto.

It is right to question 7-Zip's cryptography but truthfully it works for the time-being. Source code is available and I think it's a good point that an audit is needed.

If you need full disk encryption, just use whatever your OS provides. Until there is evidence of BitLocker, FileVault, or dm-crypt having crypto flaws or outright backdoors, it's generally best to stick with them if at all an option. For file encryption, rely on 7-Zip for now as it will do the job.

If you are looking for a way to backup data that is important, I'd suggest looking at Tarsnap.

doctorfrog
Mar 14, 2007

Great.

OSI bean dip posted:

For file encryption, rely on 7-Zip for now as it will do the job.

This is what I'm leaning toward. I kinda figured that 7zip won't get a whole lot of attention from the security community and I'm risking something by using it, but I have a feeling the more exploitable vulnerabilities have more to do with the creation of the archive, or accessing it, rather than the archive itself. And you shouldn't be accessing personal files on an untrusted system anyway.

I'm using VeraCrypt for container or partition encryption, with the hope that it has been inheriting the community scrutiny once due TrueCrypt. But here I'm mostly interested in file encryption, that I can quickly right-click and archive with rather than create a container, predict the size I'll need, and need admin rights somewhere to access (not that I'd ever access personal data on a device I don't have admin rights on, but you never know).

Didn't know that Dropbox handled large files in a graceful way that would be conducive to encrypted container use, that's a good possibility as well.

That said, is there an encrypted notepad you guys tend to like, or does it make the most sense to just use a favored file encryption software for that? Just to keep private notes in case a flash drive is lost or stolen, not defy the government. I've been using fsekrit (http://f0dder.dcmembers.com/fsekrit.index.php).

Dylan16807
May 12, 2010
7-Zip's method of hashing the password a bunch and then using AES-CBC on the entire file is not completely ideal in terms of tamper-resistance, but in terms of keeping people out of your data it's solid, straightforward, and there is so much less code for bugs to hide in.

I've been using CherryTree for a little encrypted note app. Amusingly, it achieves encryption by storing its XML blob inside an encrypted 7-Zip file.
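
Dylan16807's tamper-resistance point, illustrated with an added example that is not from the thread or from 7-Zip itself. The key derivation follows the iterated-SHA-256 scheme 7-Zip's 7z AES coder uses (salt, UTF-16LE password and a 64-bit counter fed into one running SHA-256 for 2^19 rounds), reproduced from memory of its source, so treat the exact byte layout as an assumption; the block cipher is a toy SHA-256 Feistel standing in for AES so the script needs only the standard library. It shows why CBC on its own is malleable (flipping bits in the IV flips the same bits in the first plaintext block, with no garbling to give it away) and how an encrypt-then-MAC tag catches the change. The sample records and the fixed IV are constructed.

```python
import hashlib
import hmac

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_key(password: str, salt: bytes = b"", cycles_power: int = 19) -> bytes:
    """Iterated SHA-256 in the style of 7-Zip's 7z AES coder (layout assumed from
    memory of its source): each round feeds salt + UTF-16LE password + a 64-bit
    little-endian counter into one running hash; 2**cycles_power rounds."""
    h = hashlib.sha256()
    pw = password.encode("utf-16-le")
    for counter in range(1 << cycles_power):
        h.update(salt + pw + counter.to_bytes(8, "little"))
    return h.digest()


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel keyed by SHA-256: a TOY stand-in for AES so the example
    runs on the standard library. CBC's malleability does not depend on which
    block cipher sits underneath."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "padding omitted for brevity"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))  # P_i = D(C_i) XOR C_(i-1)
        prev = c
    return b"".join(out)


def mac(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC over IV and ciphertext; the MAC key is derived separately
    so the cipher key and the MAC key are never the same bytes."""
    mac_key = hashlib.sha256(b"mac:" + key).digest()
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def verify(key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, iv, ciphertext), tag)


# Constructed sample: two 16-byte records and a fixed IV so the run is reproducible.
PLAINTEXT = b"amount=00100.00 " + b"payee=bob_______"
IV = bytes(range(16))


def demo_tamper(password: str = "correct horse") -> tuple:
    """Encrypt, then alter the IV 'in transit'. Without a MAC the altered record
    decrypts cleanly to a different amount; with one, verification fails."""
    key = derive_key(password, cycles_power=10)   # small round count keeps the demo fast
    ciphertext = cbc_encrypt(key, IV, PLAINTEXT)
    tag = mac(key, IV, ciphertext)
    delta = ord("0") ^ ord("9")                   # bit pattern that turns '0' into '9'
    bad_iv = bytearray(IV)
    bad_iv[7] ^= delta                            # these positions hold the two leading
    bad_iv[8] ^= delta                            # digits of the amount in block 0
    tampered = cbc_decrypt(key, bytes(bad_iv), ciphertext)
    return tampered, verify(key, bytes(bad_iv), ciphertext, tag)


if __name__ == "__main__":
    text, ok = demo_tamper()
    print(text)                      # b'amount=99100.00 payee=bob_______'
    print("MAC check passed:", ok)   # False
```

The lesson for the archive use case: a password-only CBC archive keeps outsiders from reading the data, but anything that can edit the file can make controlled changes to it, which is exactly the gap an authentication tag (or a signed hash of the archive kept elsewhere) closes.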

doctorfrog
Mar 14, 2007

Great.

Dylan16807 posted:

7-Zip's method of hashing the password a bunch and then using AES-CBC on the entire file is not completely ideal in terms of tamper-resistance, but in terms of keeping people out of your data it's solid, straightforward, and there is so much less code for bugs to hide in.

I've been using CherryTree for a little encrypted note app. Amusingly, it achieves encryption by storing its XML blob inside an encrypted 7-Zip file.

Yeah, if it were available and simple, I'd like stuff that would defeat the NSA, but defeating casual-to-moderate theft or snooping is good enough for these files. Realistically, this is stuff that could be gotten to with a search warrant or careful application of a pipe wrench to my face, not that anyone would be interested in doing either to get at my old work files and terrible poems I wrote in my teens.

Thanks for the recommendation on CherryTree, though I'm looking for something dead simple that just makes encrypted text files and is convenient to use and runs on a flash drive with no runtime installation necessary.

The other file encryption software I sometimes use from a flash drive is the (old) dscrypt (http://members.ozemail.com.au/~nulifetv/freezip/freeware/) and AxCrypt2Go (http://www.axantum.com/AxCrypt/Downloads.aspx). No need to install, but also not as heavily scrutinized as TrueCrypt or VeraCrypt.

Mostly I'm back on VeraCrypt after initially getting spooked by the TrueCrypt's endgame.

edit: another option I just thought of for encrypted notes (hierarchical and others) and other organize-y things is EssentialPIM. (http://www.essentialpim.com/pc-version/features#security)

doctorfrog fucked around with this message at 05:15 on Nov 1, 2015

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Updated the OP a bit to clean it up and also added some details on FDE.

Tatsujin
Apr 26, 2004

:golgo:
EVERYONE EXCEPT THE HOT WOMEN
:golgo:
I have a question regarding network security, and in particular, outbound (egress) filtering.

I was always under the impression that when a client (for example, a web browser) initiates a connection, it does so from a 'random' outgoing port to the server's incoming port (in this case, port 80 or 443). I always thought it would be difficult to filter an outbound connection because the outbound connection is established on a random (I believe the term is 'ephemeral') port; the only solution would be to restrict outbound connections to the range of ephemeral ports, usually defined by the OS. Is there an effective way to filter outbound connections based on this information, and if so, how?

doctorfrog
Mar 14, 2007

Great.

OSI bean dip posted:

Updated the OP a bit to clean it up and also added some details on FDE.

This doesn't invalidate all concern about VeraCrypt perhaps inheriting any unknown TrueCrypt bugs, but the two issues you cite with TrueCrypt's FDE are marked as fixed (or at least addressed) in VeraCrypt 1.15: https://veracrypt.codeplex.com/wikipage?title=Release%20Notes

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

doctorfrog posted:

This doesn't invalidate all concern about VeraCrypt perhaps inheriting any unknown TrueCrypt bugs, but the two issues you cite with TrueCrypt's FDE are marked as fixed (or at least addressed) in VeraCrypt 1.15: https://veracrypt.codeplex.com/wikipage?title=Release%20Notes

While fixed, it needs to be remembered that the developer killed the original project and left that ominous note.

spankmeister
Jun 15, 2008


Tatsujin posted:

I have a question regarding network security, and in particular, outbound (egress) filtering.

I was always under the impression that when a client (for example, a web browser) initiates a connection, it does so from a 'random' outgoing port to the server's incoming port (in this case, port 80 or 443). I always thought it would be difficult to filter an outbound connection because the outbound connection is established on a random (I believe the term is 'ephemeral') port; the only solution would be to restrict outbound connections to the range of ephemeral ports, usually defined by the OS. Is there an effective way to filter outbound connections based on this information, and if so, how?

What do you mean exactly? It's perfectly doable to filter outgoing connections on destination port. What are you trying to achieve?

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
If you're trying to identify locally initiated outbound connections (without resorting to looking at the origin port) you could use conntrack

Grim
Sep 11, 2003

Grimey Drawer
I've been using KeePass to store my password for ages but I decided the other day to start using it properly with a YubiKey + auto-typing / etc; some of the poo poo I login to for work just has the page title "Login" which fucks with the auto-type (goon autism won't allow me to just choose the correct entry off a list) and so I was thinking about installing a chrome extension to add the site url to the tab title as an elegant solution

From what I understand most drive-by malware will scan for a ton of different extensions to exploit and the few options I can see for my tab title idea don't seem to have a lot of users (and so probably aren't maintained) / I don't imagine the authors give two shits about security (not to mention the extension itself could be malicious / get purchased by some shady people in the future and made to be malicious)

Any general thoughts on keeping safe with chrome extensions / any other suggestions for my auto-typing woes?

Grim fucked around with this message at 01:59 on Nov 5, 2015

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
Yeah use 1Password instead. It has proper browser extensions that don't rely on magic involving window titles, don't blindly auto-type, and don't require you to construct some Rube Goldberg contraption out of third-party software in an attempt to work around it being poo poo

Tatsujin
Apr 26, 2004

:golgo:
EVERYONE EXCEPT THE HOT WOMEN
:golgo:

spankmeister posted:

What do you mean exactly? It's perfectly doable to filter outgoing connections on destination port. What are you trying to achieve?

Ah, that makes perfect sense, thanks.

Khablam
Mar 29, 2012

Grim posted:

I've been using KeePass to store my password for ages but I decided the other day to start using it properly with a YubiKey + auto-typing / etc; some of the poo poo I login to for work just has the page title "Login" which fucks with the auto-type (goon autism won't allow me to just choose the correct entry off a list) and so I was thinking about installing a chrome extension to add the site url to the tab title as an elegant solution

From what I understand most drive-by malware will scan for a ton of different extensions to exploit and the few options I can see for my tab title idea don't seem to have a lot of users (and so probably aren't maintained) / I don't imagine the authors give two shits about security (not to mention the extension itself could be malicious / get purchased by some shady people in the future and made to be malicious)

Any general thoughts on keeping safe with chrome extensions / any other suggestions for my auto-typing woes?

Why is any of this better than just using one of the approved chrome keepass extensions?

Tatsujin
Apr 26, 2004

:golgo:
EVERYONE EXCEPT THE HOT WOMEN
:golgo:
I guess my problem was that I did not understand the difference between stateful and stateless filtering. Stateless does not explicitly allow return traffic so you *do* have to worry about ephemeral ports. I guess stateless is more useful for governing traffic between subnets, and stateful is more applicable on traffic between groups of individual hosts/instances.
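
The stateless-versus-stateful distinction Tatsujin lands on, together with Rufus Ping's conntrack suggestion, as an added example that is not from the thread: a small packet-filter simulation in Python. The stateless filter has no memory, so to let web replies back in it must open inbound traffic to the whole ephemeral range; the stateful one records locally initiated connections (what conntrack does for netfilter) and admits only their reverse flows. The addresses, ports and packets are constructed (RFC 5737 documentation ranges); the ephemeral range used is the IANA dynamic range, and since Linux defaults to 32768-60999, real rules should read the OS's setting rather than hard-code one.

```python
from dataclasses import dataclass

WEB_PORTS = {80, 443}
EPHEMERAL = range(49152, 65536)   # IANA dynamic range; Linux uses 32768-60999 by default


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the host, "in" = arriving at it
    src: str
    sport: int
    dst: str
    dport: int


class StatelessFilter:
    """Judges each packet on its own. Because replies from a web server arrive
    at whatever ephemeral port the client picked, a stateless rule set has to
    open inbound traffic to the whole range, and anything that merely claims
    source port 80/443 walks through that hole."""

    def allows(self, p: Packet) -> bool:
        if p.direction == "out":
            return p.dport in WEB_PORTS
        return p.sport in WEB_PORTS and p.dport in EPHEMERAL


class StatefulFilter:
    """Records locally initiated connections, the way conntrack does, and admits
    an inbound packet only if it is the reverse of a tracked connection. No
    ephemeral-range hole is needed, and the origin port never has to be inspected."""

    def __init__(self) -> None:
        self.connections = set()   # (src, sport, dst, dport) of outbound connections

    def allows(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.dport in WEB_PORTS:
                self.connections.add((p.src, p.sport, p.dst, p.dport))
                return True
            return False
        # An inbound reply matches a tracked connection with the tuple reversed.
        return (p.dst, p.dport, p.src, p.sport) in self.connections


# Constructed traffic sample (RFC 5737 documentation addresses).
TRAFFIC = [
    Packet("out", "192.0.2.10", 51234, "198.51.100.7", 443),   # browser opens HTTPS
    Packet("in", "198.51.100.7", 443, "192.0.2.10", 51234),    # legitimate reply
    Packet("in", "203.0.113.9", 443, "192.0.2.10", 60000),     # unsolicited, claims port 443
    Packet("out", "192.0.2.10", 40000, "198.51.100.7", 25),    # SMTP egress, not permitted
]


def run(filt, packets=TRAFFIC) -> list:
    """Feed packets through a filter in order; returns the verdict for each one."""
    return [filt.allows(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter()))   # [True, True, True, False]
    print("stateful: ", run(StatefulFilter()))    # [True, True, False, False]
```

The third packet is the one that matters: both filters block the SMTP egress, but only the stateful filter rejects the unsolicited inbound packet that merely sets its source port to 443, because no outbound connection to that host was ever recorded.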

Grim
Sep 11, 2003

Grimey Drawer

Khablam posted:

Why is any of this better than just using one of the approved chrome keepass extensions?

I didn't see one listed in the OP :downs:

But also I guess I was asking about thoughts on installing non-essential Chrome extensions - I figure uBlock will help me avoid most drive-by infections but how big of a deal / how much consideration do people think I should treat this stuff with? Is life really worth living without Cloud-to-Butt or similar?

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av
Is Secunia PSI still good? I used it to install on all of my dad's laptops to keep all software up to date

OSI bean dip posted:

While fixed, it needs to be remembered that the developer killed the original project and left that ominous note.

I don't understand this argument against TrueCrypt at all. All software has undiscovered vulnerabilities, doesn't it?

To be absolutely fair to TrueCrypt/VeraCrypt, I think you should also mention that:
  • it's portable across all major operating systems
  • it's the only FDE software for home editions of Windows
  • VeraCrypt gets better (better key derivation, newer encryption algorithms), while BitLocker is weakened for no reason. Recent versions of BitLocker, without explanation, removed the diffuser step from block encryption, which makes BitLocker more vulnerable to tampering. I know the average user should worry more about data theft than tampering, but it's, uh, interesting

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.

Rufus Ping posted:

Yeah use 1Password instead. It has proper browser extensions that don't rely on magic involving window titles, don't blindly auto-type, and don't require you to construct some Rube Goldberg contraption out of third-party software in an attempt to work around it being poo poo

Can you use a yubikey with 1password?

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

Loving Africa Chaps posted:

Can you use a yubikey with 1password?

yes you could use a yubikey to enter your master password if that's what you mean
(any of the normal yubikeys, not the cheap u2f-only one that doesn't support static passwords)

spankmeister
Jun 15, 2008

Rufus Ping posted:

yes you could use a yubikey to enter your master password if that's what you mean
(any of the normal yubikeys, not the cheap u2f-only one that doesn't support static passwords)

does it support u2fa as the second factor though? Like password + yubikey?

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

spankmeister posted:

does it support u2fa as the second factor though? Like password + yubikey?

no - and iiuc 2fa doesn't make sense here because you're essentially decrypting a file on disk, not running an authentication protocol with another party

Khablam
Mar 29, 2012

hackbunny posted:

I don't understand this argument against TrueCrypt at all. All software has undiscovered vulnerabilities, doesn't it?

To be absolutely fair to TrueCrypt/VeraCrypt, I think you should also mention that:
  • it's portable across all major operating systems
  • it's the only FDE software for home editions of Windows
  • VeraCrypt gets better (better key derivation, newer encryption algorithms), while BitLocker is weakened for no reason. Recent versions of BitLocker, without explanation, removed the diffuser step from block encryption, which makes BitLocker more vulnerable to tampering. I know the average user should worry more about data theft than tampering, but it's, uh, interesting

I took the original 'warning' as blowing smoke at the ex project, and some general advice that there will one day be published vulnerabilities, which won't be touched.

There are now such vulnerabilities published (vs just existing in theory) so having it installed certainly offers some extra attack surface.

I'm not rushing to replace my portable TC vaults, but there's also now no compelling reason to use it going into it fresh.

doctorfrog
Mar 14, 2007

Great.

Khablam posted:

I took the original 'warning' as blowing smoke at the ex project, and some general advice that there will one day be published vulnerabilities, which won't be touched.

There are now such vulnerabilities published (vs just existing in theory) so having it installed certainly offers some extra attack surface.

I'm not rushing to replace my portable TC vaults, but there's also now no compelling reason to use it going into it fresh.

Again, the vulnerabilities of TC referred to in the OP have been addressed by VC. VeraCrypt's a project in motion, at least, and you can always convert your TC containers/partitions into VC ones (I think) or even just access them with VC.

You're basically right to regard this or any privacy solution with a critical eyeball, and all such software gets old and obsolete with time. Personally I'd go with an open source project that seems to have legs over a Microsoft solution, but I also really value the cross-platform and portable support that VeraCrypt has.

On per-file encryption solutions, I've also used dscrypt (http://members.ozemail.com.au/~nulifetv/freezip/freeware/) and Axcrypt (http://www.axantum.com/AxCrypt/), and unless they're vulnerable in ways I'm not aware of they should be ok alternatives to 7zip.

dscrypt:
Good: simple executable good for flash drives, open source, simple to use, runs fine in Wine. Has a CLI version if you're a wiz with batch files or something.
Bad: doesn't recurse directories, doesn't make self-decrypting files, last updated 2009, doesn't recognize when it's encrypted something already, so you can re-encrypt something you've already encrypted, meaning you now have to decrypt it twice.

Axcrypt:
Good: actively developed, system-integrated with Windows, open/edit/save without manually decrypting/reencrypting. Optionally caches passwords, recurses directories. Has a portable version.
Bad: uses user temp directory to store temporarily decrypted files, where they can become stranded if something unexpected occurs, mass-en/de/crypting takes a long time, installer offers poo poo you don't want (open the installer with 7zip and extract the "real" installer first)

I was using Axcrypt a bunch after ditching TrueCrypt and it was such a pain in the rear end for heavy office use I re-embraced the TrueCrypt model with VeraCrypt. Honestly what I really oughta be doing is using an FDE solution but I'm so scared something will happen (lose my password in my brains, get a corrupted Keepass database or partition) and all my files will be unreadable garbage, even though I guess that's just as likely if I never encrypt anything at all.

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

Khablam posted:

I took the original 'warning' as blowing smoke at the ex project, and some general advice that there will one day be published vulnerabilities, which won't be touched.

There are now such vulnerabilities published (vs just existing in theory) so having it installed certainly offers some extra attack surface.

Honestly? I wouldn't trust any open source kernel-mode Windows code. TrueCrypt was much better than average in fact: the recent vulnerabilities were pretty complex to identify and exploit, complex enough that they could have appeared in professionally-developed code. It wasn't something you could find by fuzzing or running an analyzer. Compare with, say, pcap for Windows, which has no security whatsoever: if the driver is running, any user can capture all network traffic, no matter how low their privilege (I submitted a patch for it, a long time ago, I wonder if it was ever applied. I bet my rear end it wasn't). I don't even want to think about that tap driver that's used by OpenVPN, and god help you if you are stupid enough to install, say, one of those open source Linux filesystem drivers on a machine of any value

While we're at it: the kernel-mode part of anti-virus software is often poorly written, so that having AV actually makes your machine less secure. I can't remember any recent high-profile exploits in AVs, but at the very least there are several tricks to bypass their hooks, sometimes in ways that are impossible to fix (yes, AVs are fundamentally broken, especially those of the behavioral/heuristic kind). Yes, I can elaborate (not from personal experience, but I know a couple of things about kernel-mode Windows)

Khablam posted:

I'm not rushing to replace my portable TC vaults, but there's also now no compelling reason to use it going into it fresh.

I'm not paying for an upgrade just for BitLocker

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

hackbunny posted:

While we're at it: the kernel-mode part of anti-virus software is often poorly written, so that having AV actually makes your machine less secure. I can't remember any recent high-profile exploits in AVs, but at the very least there are several tricks to bypass their hooks, sometimes in ways that are impossible to fix (yes, AVs are fundamentally broken, especially those of the behavioral/heuristic kind). Yes, I can elaborate (not from personal experience, but I know a couple of things about kernel-mode Windows)

Just look for anything that Tavis Ormandy has written on anti-virus software and you'll find a treasure trove of stuff.


hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

OSI bean dip posted:

Just look for anything that Tavis Ormandy has written on anti-virus software and you'll find a treasure trove of stuff.

drat the spanking he gave to Sophos :eyepop:

--

hackbunny posted:

Is Secunia PSI still good? I used it to install on all of my dad's laptops to keep all software up to date

So, anyone? It's not strictly a security tool, but it keeps all software up to date and it requires almost zero maintenance or human intervention. I was wondering if anyone else used it and if it's secretly terrible
