How to Create a Control Panel Shortcut in Windows 10

In Windows 10, there are a few different ways to find and change your settings: Settings app, Control Panel, app settings, and search.

You can use Control Panel to change settings for Windows. These settings control nearly everything about how Windows looks and works, and you can use them to set up Windows so that it’s just right for you.

This tutorial will show you how to create or download a shortcut that will always open to the Control Panel in either category or icons view in Windows 10.

Removal instructions for BackupGenie

What is BackupGenie?

The Malwarebytes research team has determined that BackupGenie is nagware. This one typically gets bundled with other software or promoted heavily through dubious advertisers.
Once installed it keeps reminding the user to register the full version.

https://forums.malwarebytes.org/topic/191682-removal-instructions-for-backupgenie/

Spybot Search & Destroy Weekly Update – December 7, 2016

2016-12-07
Adware
++ Ad.BetterBrowse + Ad.Linkular ++ Ad.Loffinam + BitAccelerator.DirectDownloader + bProtector + Firseria
Malware
+ P2P.MediaGet
PUPS
+ Ero.Pchd
Trojans
++ Win32.Agent.jpn + Win32.Estiwir.gen ++ Win32.Powp.gen + Win32.VB.ik
Total: 2623275 fingerprints in 834413 rules for 7744 products.

How to Add Site to Apps in Start Menu from Internet Explorer in Windows 10

All apps in the Start menu displays an alphabetical list of shortcuts to all installed Windows apps and desktop apps on your Windows 10 PC. Some of these shortcuts are grouped into folders with the folder name in the alphabetical list.

Internet Explorer allows you to add websites to Apps to be able to quickly open the site directly from your Start menu. When you open an added site from Apps, it will open in Internet Explorer and be the homepage.

This tutorial will show you how to add or remove websites from Internet Explorer to Apps in the Start menu for your account in Windows 10.

“MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 401, Unauthorized”

I have a Management Point that, when I view it in Site Status in the Console (Monitoring\Overview\System Status\Site Status), its Status is showing as Critical. It is also reporting Error Status Message ID 5436.

If I look in mpcontrol.log I am seeing:

Call to HttpSendRequestSync failed for port 80 with status code 401, text: Unauthorized
Http test request failed, status code is 401, 'Unauthorized'.

I have tried all kinds of things such as removing and reinstalling the MP, running the prerequisite check for the MP to make sure I haven’t missed anything there, and even a Site Reset all without success.

The post “MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 401, Unauthorized” appeared first on FAQShop.

Source:: http://faqshop.com/feed

Removal instructions for Driver Updater Plus

What is Driver Updater Plus?

The Malwarebytes research team has determined that Driver Updater Plus is a “system optimizer”. These so-called “system optimizers” sometimes use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.

https://forums.malwarebytes.org/topic/191644-removal-instructions-for-driver-updater-plus/

Entity Framework Core Cookbook – Second Edition

Some of you may be aware that my new book for Packt Publishing is out! It is titled Entity Framework Core Cookbook – Second Edition because it was meant to be the second edition of Entity Framework 4.1: Expert’s Cookbook. In fact, it is mostly a full rewrite.

It is organized in chapters:

Chapter 1: Improving Entity Framework in the Real World

Chapter 2: Mapping Entities

Chapter 3: Validation and Changes

Chapter 4: Transactions and Concurrency Control

Chapter 5: Querying

Chapter 6: Advanced Scenarios

Chapter 7: Performance and Scalability

Appendix: Pitfalls

When I started writing it, .NET Core was still in early RC1. Things changed a lot from RC1 to RC2 and then again to RTM, so I had to revisit all chapters in the end. It was a pity that EF Core 1.1 was released shortly after the book was closed, because I could have talked about it too. Also, there are things that I could have covered, like extending Entity Framework Core, but there were so many of them! Maybe in a future time!

Those of you who are interested can get a copy from the Packt Publishing site or from other sellers, either as an e-book or in hardcopy.

I want to thank everyone at Packt Publishing, namely Chaitanya Nair, Merint Mathew and Siddhi Chavan for their professionalism and support!

Remote management app exposes millions of Android users to hacking

Is your iPhone 6s eligible for a battery replacement?

How to find out if your iPhone 6s is eligible for free battery replacement

Groove Music (Xbox One) brings back music videos!

The Groove app, on Xbox One, has restored music videos with a recent update. The feature is activated by turning on the video button, shown during the now playing screen. One thing to note is that when you activate music videos, the ability for background music is lost (most likely because wanting music videos is actively saying that you’re going to use Groove music as the primary application).

In real world use, the inclusion of music videos doesn’t slow much down. They load quickly and keep the momentum of the playlist going. It’s a great feature to have for a party (especially with the holidays coming up – you could have this running in the background).

How to Reset Google Chrome to Default in Windows

There may be times when you may need to just reset Chrome settings to default, or completely reset Chrome to default like when first installed.

This tutorial will show you how to either reset Chrome settings to default or completely reset Chrome to default like when first installed for your account in Windows.

How do I run the “mplist” test to check my SCCM Client can connect to a Management Point?

In this post we explain how to run the mplist test to verify your ConfigMgr Client can connect to a Management Point.

The post How do I run the “mplist” test to check my SCCM Client can connect to a Management Point? appeared first on FAQShop.

Source:: http://faqshop.com/feed

What is the “mplist” test for SCCM Management Points?

Wondering what the “mplist” test for ConfigMgr Management Point troubleshooting/ connectivity is for? Let us explain in the post.

The post What is the “mplist” test for SCCM Management Points? appeared first on FAQShop.

Source:: http://faqshop.com/feed

Removal instructions for PrivacyDr.

What is PrivacyDr.?

The Malwarebytes research team has determined that PrivacyDr. is a “system optimizer”. These so-called “system optimizers” use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.

https://forums.malwarebytes.org/topic/191584-removal-instructions-for-privacydr/

How to Refresh Firefox in Windows

If you’re having problems with Firefox, refreshing it can help. The refresh feature fixes many issues by restoring Firefox to its default state while saving your essential information like bookmarks, passwords, and open tabs.

All of your Firefox settings and personal information are stored in a profile folder. The refresh feature works by creating a new profile folder for you while saving your important data.

Add-ons which are normally stored inside the Firefox profile folder, such as extensions and themes, will be removed. Add-ons stored in other locations, such as plugins, will not be removed but any modified preferences (such as plugins you have disabled) will be reset.

How to Completely Reset Firefox to Default in Windows

You can completely reset Firefox to default like when it was first installed. Resetting Firefox will include resetting all Firefox settings to default and deleting your profiles, themes, extensions, bookmarks, browsing history, passwords, cookies, and web form auto-fill information.

This tutorial will show you how to completely reset Mozilla Firefox back to default for your account in Windows.

“Toymaster” has released Security Mailer Volume 16 Number 49

Security Mailer V16 #49

  • Browser updates for Pale Moon and 0-day for Firefox
  • Linux updates; Microsoft changing command prompt in Windows 10
  • General Security entries

Using TLS 1.2 Windows Server 2008 R2 & 2012 R2, SQL and SharePoint

Everyone uses a certificate when requiring authentication on an internet-facing site. However, it’s surprising how many folks don’t take the time to understand SSL/TLS. Securing SSL/TLS protocols is a pretty common thing to do on any Windows Server running IIS and web applications that use HTTPS, especially if they require some sort of compliance. It is a good idea to do this on all of the servers in your SharePoint farm, to ensure your secure connections really are secure. It’s also important to note that I have several SharePoint 2016 environments where I have removed both TLS 1.0 and 1.1. However, I have not removed TLS 1.1 from any of my SharePoint 2013 environments. All of my clients with SharePoint 2013 are using a HW load balancer like the F5 and have offloaded SSL and removed TLS 1.0/1.1 using the HW…

All Microsoft Windows devices using SSL/TLS protocols use SCHANNEL, whereas on Linux you have to install something like OpenSSL. You may also notice that while OpenSSL has more security vulnerabilities, its maintainers tend to respond quickly to them. However, Microsoft has been disappointingly slow in updating the cryptography stack in its OS and applications. Note: there may be flags when running SSL Labs scans against your servers that you may not be able to resolve at this time. This may also apply to the availability of the latest cipher suites.

All of the configuration changes to SCHANNEL are stored in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

 

The first time I created a GPO to configure SSL/TLS and deploy it to the farm, I spent a few days with Regedit and reading TechNet. I recommend using IISCrypto from Nartac to make the changes, to ensure the process goes as smoothly as possible on your first server. Then, after a reboot, export the SCHANNEL key for use with a GPO to automate the deployment for all additional servers in your farm.

You can use the following command to export the SCHANNEL registry settings prior to making the changes, and again afterwards for use with the GPO, should you need to restore them: reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL SChannel-Export.reg

Known issues

There are a few gotchas when making modifications to SCHANNEL on Windows; please QA as necessary in the lab prior to deploying to production:

  1. SQL Server used to require TLS 1.0; when you disabled it, your SharePoint servers would not be able to communicate with the SQL cluster. Please review the information about the SQL updates and additional known issues using the following link, TLS 1.2 support for Microsoft SQL Server, then download and install the appropriate SQL updates. All versions prior to SQL Server 2016 require the updates regardless of Service Pack or Cumulative Update.
  2. Please make sure you download and install KB3080079 if you are running a version of Windows Server prior to Windows Server 2012, or RDS/RDP will break after disabling TLS 1.0 and rebooting. Note: If you are using IISCrypto you may see a pop-up like the following screenshot after reviewing TLS 1.0/1.1

     

  3. Older clients (Windows XP and earlier) may not be able to connect if they do not support the newer SSL/TLS technologies and you disable the older ones. Out of the box, Windows Server is configured to be relatively compatible with older clients, which in turn makes it less secure. You can find a complete browser compatibility list here: https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
  4. Qualys will ding you for supporting 1024 bit DHE groups, and will recommend DHE key exchanges be increased to 2048 bit or disabled, but 1024 is the limit on all versions of Windows prior to Windows 10 at this time.
  5. Be sure to thoroughly test your applications after making any changes, mainly looking for connection failures over HTTPS. The errors will be listed in the system event log with SCHANNEL as the source

The following configuration works with most modern software (Windows Vista and newer) while providing a relatively robust SSL/TLS configuration, and earning an A ranking on Qualys’s SSL Labs tester.

IISCRYPTO

  1. Download IISCrypto and apply the “Best Practices” Template
  2. Use the Best Practice template: click Templates, use the drop-down to choose Best Practice, then click Apply
  3. Disable TLS 1.0, assuming the SQL updates have been applied and KB3080079 for RDS/RDP has been applied
  4. Disable MD5 under Hashes enabled
  5. Click Apply
  6. Reboot
  7. Test your site with Qualys’s SSL Labs tester
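
To check the result before reusing an exported key in a GPO, the following added example (not part of the original post) parses a `reg export` of the SCHANNEL key and reports where it differs from the steps above. It reads the standard `Enabled` DWORD under the `Protocols` and `Hashes` subkeys; the sample export is constructed, and treating TLS 1.2 as "must be enabled" is an assumption taken from the post's title.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Constructed sample of an exported SCHANNEL key (not from a real server).
# A real export is UTF-16: read it with open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""

# (subkey relative to SCHANNEL, label, should it be enabled?)
CHECKS = [
    (r"protocols\tls 1.0\server", "TLS 1.0 (server)", False),
    (r"hashes\md5", "MD5 hash", False),
    (r"protocols\tls 1.2\server", "TLS 1.2 (server)", True),  # assumption
]


def parse_reg(text):
    """Return {lower-cased subkey relative to SCHANNEL: {value name: int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            path = section.group(1)
            if path.upper().startswith(ROOT.upper()):
                rel = path[len(ROOT):].strip("\\").lower()
                current = keys.setdefault(rel, {})
            else:
                current = None  # ignore keys outside SCHANNEL
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys


def audit(text):
    """List every checked item whose state differs from what CHECKS expects."""
    keys = parse_reg(text)
    findings = []
    for rel, label, want_enabled in CHECKS:
        enabled = keys.get(rel, {}).get("enabled")
        if enabled is None:
            # No explicit value: whatever the OS version defaults to applies.
            findings.append(f"{label}: not set explicitly, OS default applies")
        elif (enabled != 0) != want_enabled:
            findings.append(f"{label}: {'enabled' if enabled else 'disabled'}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

In the constructed sample, step 4 (disable MD5) was skipped, so that is the one item reported.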

QUALYS SSLLabs Ranking

 


 

How to do password reset

First, a quick recap:

Credentials include a Claim and a Proof (possibly many).

The Claim is what states one or more facts about your identity.

A Username is one example of a Claim. So is Group Membership, Age, Eye Colour, Operating System, Installed Software, etc…

The Proof is what allows someone to reliably trust the Claim is true.

A Password is one example of a Proof. So is a Signature, a Passport, etc…

Claims are generally public, or at least non-secret, and if not unique, are at least specific (e.g. membership of the group “Brown eyes” isn’t open to people with blue eyes).

Proofs are generally secret, and may be shared, but such sharing should not be discoverable except by brute force. (Which is why we salt passwords).

Now, the topic – password resets

Password resets can occur for a number of reasons – you’ve forgotten your password, or the password change functionality is more cumbersome than the password reset, or the owner of the account has changed (is that allowable?) – but the basic principle is that an account needs a new password, and there needs to be a way to achieve that without knowledge of the existing password.

Let’s talk as if it’s a forgotten password.

So we have a Claim – we want to assert that we possess an identity – but we have to prove this without using the primary Proof.

Which means we have to know of a secondary Proof. There are common ways to do this – alternate ID, issued by someone you trust (like a government authority, etc). It’s important in the days of parody accounts, or simply shared names (is that Bob Smith, his son, Bob Smith, or his unrelated neighbour, Bob Smith?) that you have associated this alternate ID with the account using the primary Proof, or as a part of the process of setting up the account with the primary Proof. Otherwise, you’re open to account takeover by people who share the same name as their target.

And you can legally change your name.

What’s the most common alternate ID / secondary Proof?

E-mail.

Pretty much every public web site relies on the use of email for password reset, and uses that email address to provide a secondary Proof.

It’s not enough to know the email address – that’s unique and public, and so it matches the properties of a Claim, not a Proof, of identity.

We have to prove that we own the email address.

It’s not enough to send email FROM the email address – email is known to be easily forged, and so there’s no actual proof embodied in being able to send an email.

That leaves the server with the prospect of sending something TO the email address, and the recipient having proved that they received it.

You could send a code-word, and then have the recipient give you the code-word back. A shared secret, if you like.

And if you want to do that without adding another page to the already-too-large security area of the site, you look for the first place that allows you to provide your Claim and Proof, and you find the logon page.

By reusing the logon page, you’re going to say that code-word is a new password.

[This is not to say that email is the only, or even the best, way to reset passwords. In an enterprise, you have more reliable proofs of identity than an email provider outside of your control. You know people who should be able to tell you with some surety that a particular person is who they claim to be. Another common secondary identification is the use of Security Questions. See my upcoming article, “Security Questions are Bullshit” for why this is a bad idea.]

So it’s your new password, yes?

Well, yes and no. No, actually. Pretty much definitely no, it’s not your new password.

Let’s imagine what can go wrong. If I don’t know your password, but I can guess your username (because it’s not secret), I can claim to be you wanting to reset your password. That not only creates opportunity for me to fill your mailbox with code-words, but it also prevents you from logging on while the code-words are your new password. A self-inflicted denial of service.

So your old password should continue working, and if you never use the code-word, because you’re busy ignoring and deleting the emails that come in, it should keep working for you.

I’ve frequently encountered situations in my own life where I’ve forgotten my password, gone through the reset process, and it’s only while typing in the new password, and being told what restrictions there are on characters allowed in the new password, that I remember what my password was, and I go back to using that one.

In a very real sense, the code-word sent to you is NOT your new password, it’s a code-word that indicates you’ve gone the password reset route, and should be given the opportunity to set a new password.

Try not to think of it as your “temporary password”, it’s a special flag in the logon process, just like a “duress password”. It doesn’t replace your actual password.

It’s a shared secret, so keep it short-lived

Shared secrets are fantastic, useful, and often necessary – TLS uses them to encrypt data, after the initial certificate exchange.

But the trouble with shared secrets is, you can’t really trust that the other party is going to keep them secret very long. So you have to expire them pretty quickly.

The same is true of your password reset code-word.

In most cases, a user will forget their password, click the reset link, wait for an email, and then immediately follow the password reset process.

Users are slow, in computing terms, and email systems aren’t always directly linked and always-connected. But I see no reason why the most usual automated password reset process should allow the code-word to continue working after an hour.

[If the process requires a manual step, you have to count that in, especially if the manual step is something like “contact a manager for approval”, because managers aren’t generally 24/7 workers, the code-word is going to need to last much longer. But start your discussion with an hour as the base-point, and make people fight for why it’ll take longer to follow the password reset process.]

It’s not a URL

You can absolutely supply a URL in the email that will take the user to the right page to enter the code-word. But you can’t carry the code-word in the URL.

Why? Check out these presentations from this year’s Black Hat and DefCon, showing the use of a malicious WPAD server on a local – or remote – network whose purpose is to trap and save URLs, EVEN HTTPS URLs, and their query strings.

Every URL you send in an email is an HTTP or HTTPS GET, meaning all the parameters are in the URL or in the query string portion of the URL.

This means the code-word can be sniffed and usurped if it’s in the URL. And the username is already assumed to be known, since it’s a non-secret. [Just because it’s assumed to be known, don’t give the attacker an even break – your message should simply say “you requested a password reset on an account at our website” – a valid request will come from someone who knows which account at your website they chose to request.]

So, don’t put the code-word in the URL that you send in the email.

Log it, and watch for repeats, errors, other bad signs

DON’T LOG THE PASSWORD

I have to say that, because otherwise people do that, as obviously wrong as it may seem.

But log the fact that you’ve changed a password for that user, along with when you did it, and what information you have about where the user reset their password from.

Multiple users resetting their password from the same IP address – that’s a bad sign.

The same user resetting their password multiple times – that’s a bad sign.

Multiple expired code-words – that’s a bad sign.

Some of the bad things being signaled include failures in your own design – for instance, multiple expired code-words could mean that your password reset function has stopped working and needs checking. You have code to measure how many abandoned shopping carts you have, so include code that measures how many abandoned password reset attempts you have.
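
As an added example (not from the original article), the three bad signs above can be checked over a reset log with a sliding time window. The event tuple layout, event names, thresholds and sample events are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch seconds, username, source IP, event)
EVENTS = [
    (1000, "alice", "203.0.113.7", "reset_requested"),
    (1010, "bob", "203.0.113.7", "reset_requested"),
    (1020, "carol", "203.0.113.7", "reset_requested"),
    (1100, "dave", "198.51.100.4", "reset_requested"),
    (1200, "dave", "198.51.100.4", "reset_requested"),
    (1300, "dave", "198.51.100.9", "reset_requested"),
    (1400, "erin", "192.0.2.10", "reset_requested"),
    (1500, "erin", "192.0.2.10", "reset_completed"),
    (4700, "alice", "-", "code_expired"),
    (4710, "bob", "-", "code_expired"),
    (4720, "carol", "-", "code_expired"),
]


def _max_in_window(items, window):
    """items: time-sorted [(t, label)]. Most distinct labels in any window."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, len({label for _, label in items[start:end + 1]}))
    return best


def analyse(events, window=3600, threshold=3):
    """Return (alert, subject, count) tuples for the article's bad signs."""
    by_ip, by_user, expired = defaultdict(list), defaultdict(list), []
    for i, (t, user, ip, kind) in enumerate(sorted(events)):
        if kind == "reset_requested":
            by_ip[ip].append((t, user))   # distinct users per source IP
            by_user[user].append((t, i))  # every request counts for a user
        elif kind == "code_expired":
            expired.append((t, i))
    alerts = []
    for ip, items in sorted(by_ip.items()):
        n = _max_in_window(items, window)
        if n >= threshold:
            alerts.append(("many-users-one-ip", ip, n))
    for user, items in sorted(by_user.items()):
        n = _max_in_window(items, window)
        if n >= threshold:
            alerts.append(("repeated-resets", user, n))
    n = _max_in_window(expired, window)
    if n >= threshold:
        # May be an attack, or a reset function that has stopped working.
        alerts.append(("expired-code-words", "*", n))
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```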

In summary, here’s how to do email password reset properly

  1. Consider whether email is an appropriately reliable secondary proof of identification.
    1. A phone call from the user, to their manager, followed by the manager resetting the user’s password is trustworthy, and self-correcting. A little slow and awkward, but stronger.
    2. Other forms of identification are almost all stronger and more resistant to forgery and attack than email.
    3. Bear in mind that, by trusting to email, you’re trusting that someone who just forgot their password can remember their other password, and hasn’t shared it, or used an easily-guessed password.
  2. When an account is created, associate it with an email address, and allow & encourage the validated account holder to keep that updated.
  3. Allow anyone to begin a password reset process – but don’t allow them to repeatedly do so, for fear of allowing DoS attacks on your users.
  4. When someone has begun a password reset process, send the user a code-word in email. This should be a random sequence, of the same sort of entropy as your password requirements.
    1. Encoding a time-stamp in the code-word is useful.
    2. Do not put the code-word in a URL in the message.
    3. Do not specify the username in the message, not even in the URL.
  5. Do not change the user’s password for them yet. This code-word is NOT their new password.
  6. Wait for up to an hour (see item 4.1. – the time stamp) during which you’ll accept the code-word. Be very cautious about extending this period.
  7. The code-word, when entered at the password prompt for the associated user, is an indication to change the password, and that’s ALL it can be used for.
  8. Allow the user to cancel out of the password change, up to the point where they have entered a new password and its verification code and hit OK.
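
The summary above as a runnable sketch, added here as an example and not the author's code. Class and method names, the in-memory storage and the five-minute request throttle are assumptions, and the issue time is kept server-side next to a hash of the code-word instead of being encoded into the code-word as item 4.1 suggests.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 3600      # the one-hour base-point from the list above
REQUEST_GAP = 300    # assumed throttle between reset requests per account


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


class ResetService:
    """In-memory sketch; names and storage are hypothetical."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}      # user -> {"email", "salt", "pw"}
        self.pending = {}       # user -> (sha256 of code-word, issued_at)
        self.last_request = {}  # user -> time of last reset request
        self.outbox = []        # (email address, message body) "sent"

    def _pw_hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password, email=None):
        acct = self.accounts.setdefault(user, {"email": email})
        acct["salt"] = secrets.token_bytes(16)
        acct["pw"] = self._pw_hash(password, acct["salt"])

    def request_reset(self, user):
        now = self.clock()
        recent = now - self.last_request.get(user, float("-inf")) < REQUEST_GAP
        if user not in self.accounts or recent:
            return                      # same silent outcome either way
        self.last_request[user] = now
        code = secrets.token_urlsafe(16)
        # Only a hash of the code-word is stored; the password is untouched.
        self.pending[user] = (_digest(code), now)
        # No username and no URL carrying the code-word in the message.
        self.outbox.append((
            self.accounts[user]["email"],
            "You requested a password reset on an account at our website. "
            "Enter this code-word at the logon page: " + code))

    def _code_ok(self, user, code):
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() - entry[1] > CODE_TTL:
            del self.pending[user]      # expired: forget it
            return False
        return hmac.compare_digest(entry[0], _digest(code))

    def logon(self, user, secret):
        """Return 'ok', 'set-new-password' or 'denied'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if hmac.compare_digest(acct["pw"], self._pw_hash(secret, acct["salt"])):
            return "ok"
        # The code-word is only a flag that opens the change-password step.
        return "set-new-password" if self._code_ok(user, secret) else "denied"

    def complete_reset(self, user, code, new_password):
        if not self._code_ok(user, code):
            return False
        self.set_password(user, new_password)
        del self.pending[user]          # single use
        return True
```

Until `complete_reset` succeeds the old password keeps working, so an unrequested reset email costs the account holder nothing but a deleted message.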

And here’s how you’re going to screw it up (don’t do these!)

  • You’ll use email for password resets on a high-security account. Email is relatively low-security.
  • You’ll use email when there’s something more reliable and/or easier to use, because “it’s what everyone does”.
  • You’ll use email to an external party with whom you don’t have a business relationship, as the foundation on which you build your corporate identity tower of cards.
  • You won’t have a trail of email addresses associated with the user, so you don’t have reason to trust you’re emailing the right user, and you won’t be able to recover when an email address is hacked/stolen.
  • You’ll think the code-word is a new password, leading to:
    • Not expiring the code-word.
    • Sending passwords in plain-text email (“because we already do it for password reset”).
    • Invalidating the user’s current password, even though they didn’t want it reset.
  • You’ll include the credentials (username and/or password) in a URL in the email message, so it can be picked up by malicious proxies.
  • You’ll fail to notice that someone’s DoSing some or all of your users by repeatedly initiating a password reset.
  • You’ll fail to notice that your password reset process is failing, leading to accounts being dropped as people can no longer get in.
  • You won’t include enough randomness in your code-word, so an attacker can reset two accounts at once – their own, and a victim’s, and use the same code-word to unlock both.
  • You’ll rely on security questions
  • You’ll use a poor-quality generation on your code-words, leading to easy predictability, reuse, etc.
  • You won’t think about other ways that your design will fail outside of this list here.

Let the corrections begin!

Did I miss something, or get something wrong? Let me know by posting a comment!

How to Turn On or Off Let Apps Use PC Camera in Windows 10

In Windows 10, having a camera as part of your device or system lets you make Skype video calls, take pictures, etc. Many apps and services request and use the camera, and Windows settings give you control over which apps can use your camera.

Some people worry about unknown apps, organizations, or malware using their camera. Whenever your camera is used, you should be in charge. That’s why you’re always told when your camera is turned on:

• If your device or camera comes with a camera light, the light will turn on when the camera is in use.
• If your system doesn’t have a camera light, you’ll get a notification to let you know when the camera turns on or off.

This tutorial will show you how to turn on or off to let apps use the PC camera for only your account or all accounts in Windows 10.
