Search the Community

Version 2 has been released! Changes: [New] https support added. [New] Support for modern security standards. [New] OS detection for Windows 8.1, 10. [New] Json support added. [New] Standardized menu icons added. [New] New menu items for faster access to common areas. [New] Settings now accessible through Edit menu. [New] About now accessible through Help menu. [New] Numerous optimizations of code. [New] User agent to identify Anti-Malware Toolkit. [New] Skipping partially downloaded file will delete the partial download. [Changed] Improved OS detection. [Changed] Using .NET Framework 4.8, up from .NET 2.0. [Changed] All links now use https. [Changed] GUI improvements and changes. [Changed] UAC now only prompts when necessary. [Changed] Save location is now in Settings. [Changed] Proxy settings now in its own tab, code refactored. [Changed] Settings now save to the proper location in AppData. [Removed] XML support removed. [Removed] Unnecessary tabs removed from main UI. [Removed] Support for x86/32-bit OS’ removed. [Removed] Windows Vista and lower no longer supported. Read about it on the frontpage and download the new version! Also a warning, as Windows Vista and lower, along with x86 are not supported - use at your own risk!

Version 1.13.326 has been released. Changes: [Fixed] Resolved issue where XML list was not downloading properly. Download: Lunarsoft Link: Digg This!

This update was just released yesterday. Numerous Asus routers are supported. This was a feature that was also found and slowly being implemented into Tomato. Now it's built into the Merlin firmware by default. The great thing about this is that it enhances and improves security overall, and it far more secure than DNS over HTTPS. I strongly recommend making use of this feature. Read more about it here: https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy Downloads: https://asuswrt.lostrealm.ca/download

I recently came across a very interesting article talking about a new type of credit card being issued in France. The card's security code (three digits on the back) randomize, much like an authenticator does. Looks like it would be very useful and give a better sense of security to many.

Software developers listen up: if you want people to pay attention to your security warnings on their computers or mobile devices, you need to make them pop up at better times. A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly—while people are typing, watching a video, uploading files, etc.—results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. "We found that the brain can't handle multitasking very well," said study coauthor and BYU information systems professor Anthony Vance. "Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there's a high penalty that comes by presenting these messages at random times." View the full article

Data thieves used a massive “botnet” against professional networking site LinkedIn and stole member’s personal information, a new lawsuit reveals. The Mountain View firm filed the federal suit this week in an attempt to uncover the perpetrators. “LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information,” said the company’s complaint, filed in Northern California U.S. District Court. “During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as ‘bots’) have extracted and copied data from many LinkedIn pages.” View the full article

In 2015, the two SySS employees Matthias Deeg and Gerhard Klostermeier started a research project about the security of modern wireless desktop sets using AES encryption, as there was no publicly available data concerning security issues in current wireless mice and keyboards. Thus, the two IT security consultants have been analyzing modern wireless desktop sets with AES encryption of the manufacturers Microsoft, Cherry, Logitech, Fujitsu, and Perixx for security vulnerabilities during the last couple of months. Up to now, several and partly critical security vulnerabilities have been found and were reported to affected manufacturers in the course of the SySS responsible disclosure program. The found security vulnerabilities can be exploited within different attack scenarios from different attacker's perspectives. On the one hand, there are security issues which require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys which can be used in further attacks or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks due to insecure implementations of the AES encrypted data communication. During this research project, SySS built a proof-of-concept device that can be used to remotely attack a computer system that is operated with an affected wireless desktop set via radio signals. The combination of replay and keystroke injection attack, for instance, allows an attacker from a safe distance to remotely attack computer systems with an active screen lock, for example in order to install malware when the target system is unattended. So far, the fourteen reported security advisories concerning modern wireless desktop sets with advertised AES encryption of different manufacturers deal with the following security vulnerability types: Unencrypted data communication Insufficient protection of code (firmware) and data (cryptographic key) Missing protection against replay attacks Insufficient protection against replay attacks Cryptographic issues allowing for keystroke injection attacks As the responsible disclosure process of eight of the reported security issues is completed according to our responsible disclosure policy, we publish the first results of our research project in form of the following eight security advisories concerning wireless desktop sets of the manufacturers Microsoft, Cherry, Logitech and Perixx: SYSS-2016-031: CHERRY B.UNLIMITED AES - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks SYSS-2016-032: CHERRY B.UNLIMITED AES - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key) SYSS-2016-038: CHERRY B.UNLIMITED AES - Cryptographic Issues (CWE-310), Keystroke Injection Vulnerability SYSS-2016-044: Logitech K520 (Keyboard of Wireless Combo MK520) - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks SYSS-2016-045: Perixx PERIDUO-710W - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key) SYSS-2016-046: Perixx PERIDUO-710W - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks SYSS-2016-047: Perixx PERIDUO-710W - Cryptographic Issues (CWE-310), Keystroke Injection Vulnerability SYSS-2016-059: Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack The other six security advisories, which amongst others affect a product of the manufacturer Fujitsu, will be publicly disclosed this August and September. Moreover, further results of our research project and technical details will be presented at the IT security conference Ruxcon (22./23. October 2016) and at the Handelsblatt Jahrestagung Cybersecurity 2016 (21./22. November 2016). Source: Syss View the full article

If you don’t already have iOS 9.3.3, you better download and install it — quick. Cisco Talos, a security and research group, recently discovered a bug in Mac and iPhones that allows hackers to steal passwords with a single text message. The researchers at Cisco Talos alerted Apple, and the tech company immediately worked on a patch, which was released this week. “This is very high severity issue,” Craig Wiliams, head of global outreach at Cisco Talos, told Fortune. “The fact that you have an exploit without any user interaction makes me very concerned.” Although the iOS update is out, it doesn’t automatically install itself — people who own iPhones have to download and install the update themselves. View the full article

Not two weeks ago, LinkedIn made big data breach news when hackers claimed to have more than 100 million usernames and passwords up for sale. Fortunately, the data wasn’t new, coming from a breach that happened four years ago. What was new was the size of the list that was up for sale, nearly 20 times the size of the 6.5 million passwords that were reported to have been stolen back in June 2012. The LinkedIn breach was made worse by the way the passwords were stored, using unsalted SHA-1 hashes. What that means is that although LinkedIn didn’t keep your actual password, it didn’t do enough to secure it against a breach. View the full article

The on-going battle between Apple and the FBI has brought encryption and security to the fore once again. After remaining silent on the subject for some time, President Obama -- speaking at SXSW -- said that he was opposed the idea of encryption mechanism that are so strong it prevents governmental access. "If technologically it is possible to make an impenetrable device or system where the encryption is so strong that there is no key, there's no door at all, then how do we apprehend the child pornographer, how do we solve or disrupt a terrorist plot?" he wondered aloud, his almost rhetorical question playing neatly on two of America's biggest fears. He suggested that security keys should be made available to third parties, saying "you cannot take an absolutist view" when it comes to balancing security and privacy. But Obama has a solution: backdoors. Obama avoided talking directly about the Apple/FBI case, but it hung heavy in the air nonetheless. So what is his solution to the issue of encryption standing in the way of government being able to access whatever it wants? The out-going president's answer to the problem is far from fleshed out, and far from being a solution that anyone in their right mind would find agreeable. Addressing the SXSW audience, he said: View the full article

Avast Software has released the fourth update to its Avast 2014 range of products with the unveiling of build number 9.0.2021 for Avast Free Antivirus 2014, Avast Internet Security 2014 and Avast Premier Security 2014. As with the previous few updates, R4 contains no new features, but does include several important security enhancements among other tweaks and optimizations that once again make it essential for existing users. Avast promises tighter security through improved process security, which is guarded by Avast’s self-defense component. Avast R4 also handles conditions for the Guest account better, increasing sensitivity to any incorrect user inputs that might compromise system security and tuning the import settings tool to prevent it from allowing users to bypass any protections. The program’s setup component also now supports resume functionality, which should make downloading smoother on systems where the connection is slow or frequently interrupted. On a related note, the install process now detects potentially critical problems post-install, such as missing administrator rights or insufficient disk space, alerting the user should functionality not be 100 percent. Paid-for editions also gain a new anti-spam library, which Avast promises should improve the accuracy of spam detection, while promotion popups can also be disabled (these remain mandatory in the free edition). The update is rounded off with a number of bug fixes, some through static code analysis, and others promising increased stability and better performance, with a particular focus on the network and engine components. Avast’s Free Antivirus 2014, Internet Security 2014 and Premier Security 2014 are all available for free and trial download now for PCs running Windows XP or later. Visit the Downloadcrew Software Store to purchase licenses at significant discounts -- for example, a single-PC, one-year license for Internet Security 2014 can be purchased for just $24.99, a saving of 50 per cent on the MSRP. Three-PC and two-year licenses of both Internet Security 2014 and Premier 2014 are also available. Source: Betanews View the full article

Bromium has just published the results of “Endpoint Protection: Attitudes and Opinions,†a survey of more than 300 information security professionals, focused on end user threats and security. The majority of the respondents believe: Existing security solutions are unable to stop endpoint infections, Anti-virus is unable to stop advanced targeted attacks and End users are their biggest security headache. View the full article

California-based password management software specialist SplashData has released the results of its annual list of the internet’s worst passwords. For the first time "password" has been knocked off the number one slot. This doesn’t mean people are getting more security minded, however, as it's been replaced by the equally obvious "123456". SplashData compiles the list from files containing stolen passwords posted online during the previous year. This year's list is heavily influenced by the large number of Adobe user passwords posted online following the company's 2013 security breach. Morgan Slain, CEO of SplashData says, "Seeing passwords like 'adobe123' and 'photoshop' on this list offers a good reminder not to base your password on the name of the website or application you are accessing". The list shows that people continue to put themselves at risk by using weak passwords. "Another interesting aspect of this year's list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies," Slain says. So password pickers, here are the top 25 worst choices of 2013: SplashData offers some tips on making your passwords more secure. These include using passwords that are eight characters or more in length and which use a mix of characters. But it warns that even passwords which use common l33t-style substitutions like "dr4mat1c" can be vulnerable to attackers' increasingly sophisticated technology. It recommends using passphrases, combinations of short words separated by spaces -- or other characters if the site doesn’t allow this -- for example "cakes years birthday" or "smiles_light_skip?" It also recommends not using the same password for multiple websites, especially risky is using the same password for websites as you do for banking or email. If you have trouble remembering all of your passwords, SplashData naturally recommends using a password manager application like its Splash ID Safe to take care of them. View the full article

Canonical, the maker of Ubuntu, has been fending off criticism from privacy advocates because the desktop search tool in recent versions of the operating system also searches the Internet. That means if you're searching your desktop for a file or application, you might also see results from Amazon or other websites. One person who dislikes Canonical's search tool is Micah Lee, a technologist at the Electronic Frontier Foundation who maintains the HTTPS Everywhere project and is CTO of the Freedom of the Press Foundation. Lee set up a website called "Fix Ubuntu," which provides instructions for disabling the Internet search tool. "If you're an Ubuntu user and you're using the default settings, each time you start typing in Dash (to open an application or search for a file on your computer), your search terms get sent to a variety of third parties, some of which advertise to you," the website says. View the full article

Today, TeamViewer announces a new beta version of its popular remote control software for Windows, Mac and Linux PCs. The latest release, named TeamViewer 9 Beta, introduces new features aimed at businesses, developers and end-users as well as security improvements. The most noteworthy security addition in TeamViewer 9 Beta is two-factor authentication. It allows users to add an extra layer of protection to their accounts by using security codes, that can be sent to their mobile devices and, alternatively, generated by dedicated mobile apps. On Macs, TeamViewer 9 also adds the option to increase the password strength in QuickSupport. "TeamViewer has always been focused on remote support functionality", says the company's head of product management Kornelius Brunner. "With TeamViewer 9, we are going back to the roots and offering even better features for support teams in companies large and small". View the full article

Facebook has been accused of deceiving developers after it emerged that the social networking site did nothing to verify the security of applications it was paid tens of thousands of dollars to review, and which it assured users had been checked. It is believed Facebook was paid up to $95,000 (£60,600) by developers whose applications were entered into its verified apps scheme. The system gave a green tick of approval to apps that passed what Facebook described as its "test for trustworthy user experiences". An investigation by the US Federal Trade Commission (FTC) revealed that Facebook took no steps to review the applications in its now-closed scheme. Facebook awarded the verified badge to 254 applications, according to the FTC. View the full article

Chances are it's not, or at least could be stronger, more secure. Now that you've created a password nearly impossible to break (and remember), thought about storage, encryption - a passphrase? A topic of this nature can be boring so I'll get to the point - if you need help with creating stronger passwords, or maybe you've considered a passphrase but didn't have the energy to think up anything too clever, here's 2 free tools that may be useful in the creation and storage of passwords & passphrases. PWGen for Windows KeyPass Password Safe Note: A password for a bank or school is more important than IMDB in most cases. Strike a balance between too few and too many characters, or excessive use of strange characters. Know what & how many characters are allowed in a password or passphrase for each site. Change your passwords or passphrases periodically.

I'm the administrator on my compuetr. I had a virus on my laptop that Webroot removed. When I click on system restore, it says I don't have sifficient security privileges to run this tool. How can I get access to system restore?

I'm looking for a 'component verifier' that works as follows. [1] Gets a list of all major *.exe and *.dll files that comprise the 'target' software device. [2] Verify the target (program, sub-system or product) on any Operating System. The 'verifier' needs to do the following (Using a Microsoft OS as an example). (A) Check each module (*.exe and/or *.dll file) of the target software device (product, sub-system, whatever) via 3 different hash functions (MD5, SHA1, etc). (B) Open a 'Device Descriptor' file that contains an XML formatted description of the target device to be verified (or use a database) © Generate a report on the verification results (inclusive of 'version statement' below) (D) Generate a 'Version' statement on the 'release version' of the target software device. (E) Provide several export formats as well as a 'save as' for the native report format. (F) Provide a switchable (turn on/off) Locater check that ensures modules are where they should be in the directory structure. (G) Provide a switchable (turn on/off) Environment check that can verify DOS PATH, registry and other device artifacts in the system. (H) Provide a switchable and selectable Level check that can activate recursive verifications for shared DLL environments and sub-systems. (I) Provide a 'single or multi' report result option so multi-level scans can generate single/multiple reports on foundation devices (of the top target device). Several comments on the above. - The selectable portion of Level Check sets how many levels of sub-systems (to the target) the verifier should scan in addition to the prime target. - Each file of the device should be scanned with all three hash functions. - Random 'internal scans' can scan sub-sections of a target file for added veracity. - Hash functions should be selectable from a large set of all major hash function algorithms. - The descriptor should contain multiple hash results for each module that makes up the device. - A target ontology needs to be developed to distinguish various types of sub-systems (compiler runtime libraries). - The environment checker does not need to be exhaustive - but it would be nice. There are some crude verifiers in the public domain but no 'polished security products' that perform this function at a reasonable cost (like PC firewalls, virus detectors, etc.) Since China and many other well funded groups (both governmental and non-governmental) are experimenting with sophisticated (in today's terms) security attacks (Operation Aurora, etc.) a simple Verifier would go a long way to ensure the update mechanism (of any software device) is valid. It is inevitable that Microsoft will one day have this in the public domain (verifiers). Otherwise the whole Microsoft product line (as a social infrastructure similar to electrical or phone systems) looses its integrity and provides a viable 'cyber-space' for 'netbots' and the eventual evolution of other pirate entities. National security is also effected - since the appeal of the USA computing infrastructure (via a lower attack surface opportunity cost - as a foundation path to access/control security, electrical and communications infrastructures) as a potential weapon is pretty germane (just read or watch sci-fi). Using a 'verifier' security product (as above) could verify the Windows Update device (on any system) as a real device and not one that is morphed or compromised in any way.