Windows 10 News and info | Forum
July 02, 2020
 1 
 on: Today at 01:46:12 PM 
Started by javajolt - Last post by javajolt
Microsoft has released PowerToys 0.19 in a huge bug fix that aims to increase performance and stability in the tools.

For those not familiar with Windows PowerToys, they are a set of small freeware utilities created by Windows developers to add extra functionality to Windows 10 or solve everyday tasks.

With the PowerToys 0.19 release, Microsoft did not release any new tools or features but instead focused on fixing over 100 issues to improve stability and performance.

"Our goals for the 0.19 release cycle had one big goal, add instability/quality fixes. We've addressed over 100 issues across all our utilities. We've improved our installer experience and parts will start coming online in 0.19 and 0.20. In this release, it will be the last time during the upgrade you'll see Windows Explorer flash on you. For 0.20, the .NET Core install experience much smoother," Microsoft stated in the 0.19 release notes.

The bulk of the issues fixed were in the PowerToys Run app, which can now correctly detect Steam games, hidden files, and Terminal.


PowerToys Run app

The current list of PowerToys available for download are:

FancyZones: A window manager that makes it easy to create complex window layouts and quickly position windows into those layouts.

File Explorer (Preview Panes): Adds a preview pane to File Explorer that supports SVG and Markdown.

Image Resizer: Adds a context-menu image resize.

Keyboard Manager: Lets you remap keys and create customized keyboard shortcuts.

PowerRename: An advanced bulk renaming tool using search and replace or regular expressions.

PowerToys Run: A Spotlight-like tool that allows you to easily search for files and applications or compute basic math problems.

Shortcut Guide: Shows an overlay containing the current keyboard shortcuts.

To get started with Microsoft's Windows 10 PowerToys 0.19.0, you have to download the installer from GitHub, install them on your Windows computer, and then access them via the PowerToys system tray icon.

source

 2 
 on: Today at 01:04:34 PM 
Started by javajolt - Last post by javajolt
The infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running in a virtual machine.

When researchers analyze malware, they typically do it in a virtual machine that is configured with various analysis tools.

Due to this, malware commonly uses anti-VM techniques to detect whether the malware is running in a virtual machine. If it is, it is most likely being analyzed by a researcher or an automated sandbox system.

These anti-VM techniques include looking for particular processes, Windows services, or machine names, and even checking network card MAC addresses or CPU features.

TrickBot uses screen resolution as anti-VM checks

In a new sample of the TrickBot Trojan discovered by cybersecurity firm MalwareLab's Maciej Kotowicz, the malware is now checking an infected computer's screen resolution to determine if it's a virtual machine.

Started as a banking Trojan, TrickBot has evolved over time to perform a variety of malicious behavior.

This behavior includes spreading laterally through a network, stealing saved credentials in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY Credentials, and more.

In a tweet, Kotowicz stated that a new sample of TrickBot is checking if the computer's screen resolution is 800x600 or 1024x768, and if it is, TrickBot will terminate.

TrickBot is checking for these particular resolutions because of how the researchers commonly configure their malware analysis virtual machines.

When configuring a virtual machine, most researchers will not install the VM guest software that allows for better screen resolutions, better mouse control, improved networking, and other features.

The software is not installed as malware commonly checks for files, registry keys, and processes used by the virtual machine guest software.

Without the guest software, though, a virtual machine will typically not allow any resolutions other than 800x600 and 1024x768, compared to ordinary screen resolutions that are much higher.

Knowing this, the TrickBot developers are using these screen resolution checks as another anti-VM check.

The good news is that if you are using these resolutions, you are safe from TrickBot. The bad news is that you are using these resolutions.

source

 3 
 on: Today at 12:58:34 PM 
Started by javajolt - Last post by javajolt


Microsoft is introducing a new Windows 10 Start menu design that will de-emphasize its Live Tiles. The software giant first hinted at the refreshed design earlier this year, and it’s arriving for Windows 10 testers today. “We are freshening up the Start menu with a more streamlined design that removes the solid color backplates behind the logos in the apps list and applies a uniform, partially transparent background to the tiles,” explains Microsoft in a blog post.

Essentially, the reduction in the color of the blocky tiled interface on the Start menu will simplify it slightly and make it easier to scan for the apps you use on a daily basis. It’s a subtle change, but it certainly makes the Start menu look a little less chaotic and avoids many tiles sharing a similar blue color.


The old Start menu versus the refreshed one.

Alongside an updated Start menu, the latest Windows 10 build includes some big changes to Alt-Tab. “Beginning with today’s build, all tabs open in Microsoft Edge will start appearing in Alt-Tab, not just the active one in each browser window,” explains Microsoft. This seems like a change that might be a little confusing for veteran Windows users, but Microsoft is thankfully allowing you to switch back to the classic Alt-Tab experience.

Microsoft experimented with Alt-Tab changes in Windows 10 builds in the past, back when the company was planning to add tabs to every app. There will likely be a lot of feedback around any Alt-Tab changes here, especially if Microsoft plans to turn this on by default when its next major Windows 10 update ships later this year.


New Alt-Tab interface.

Microsoft is also making some smaller changes with this new Windows 10 build. The default taskbar appearance will also now be more personalized with the Xbox app pinned for Xbox Live users or Your Phone pinned for Android users. This will be limited to new account creation on a PC or first login, so existing taskbar layouts will remain unchanged.

Notifications now include an X in the top right corner to allow you to quickly dismiss them, and Microsoft is also improving its Settings app in Windows 10. Links that would typically push you toward the system part of the legacy Control Panel system page will now direct you to the About page in Settings. This will now house the more advanced controls typically found in that system section of the Control Panel, and Microsoft is promising “there will be more improvements coming that will further bring Settings closer to Control Panel.”


Windows 10 taskbar changes.

source

 4 
 on: July 01, 2020, 06:18:24 PM 
Started by javajolt - Last post by javajolt
Google will auto-delete data -- for some users -- but only after a year and a half. You can do better than that. We'll show you how.

Google might collect far more personal data about its users than you might even realize. The company records every search you perform and every YouTube video you watch. Whether you have an iPhone or an Android, Google Maps logs everywhere you go, the route you use to get there, and how long you stay -- even if you never open the app. When you look closer at everything Google knows about you, the results can be eye-opening, and maybe even a little unsettling. Thankfully, there's something you can do about it.

Starting in June, new Google accounts will automatically delete private data for you. But only after 18 months by default. And only if you're a brand-new Google user. That's great if you're just now deciding to create a Gmail address or you just got your first Android phone, but if you're among the 1.5 billion people on Gmail or the 2.5 billion people using Android already, your account is set to hold onto your private data forever unless you tell Google otherwise.

We're going to cut through all the clutter and show you how to access the private data Google has on you, as well as how to delete some or all of it. Then we're going to help you find the right balance between your privacy and the Google services you rely on by choosing settings that limit Google's access to your information without impairing your experience.

Find out what private information Google considers 'public'

Chances are, Google knows your name, your face, your birthday, gender, other email addresses you use, your password, and phone number. Some of this is listed as public information (not your password, of course). Here's how to see what Google shares with the world about you.

1. Open a browser window and navigate to your Google Account page.

2. Type your Google username (with or without "@gmail.com").

3. From the menu bar, choose Personal info and review the information. You can change or delete your photo, name, birthday, gender, password, other emails, and phone number.

4. If you'd like to see what information of yours is available publicly, scroll to the bottom and select Go to About me.

5. On this page, each line is labeled with either a people icon (visible to anyone), office building icon (only visible to your organization), or lock icon (visible only to you). Select an item to choose whether to make it public, semi-public, or private. There's currently no way to make your account totally private.

Take a look at Google's record of your online activity

If you want to see the motherlode of data Google has on you, follow these steps to find it, review it, delete it, or set it to automatically delete after a period of time.

If your goal is to exert more control over your data but you still want Google services like search and maps to personalize your results, we recommend setting your data to auto-delete after three months. Otherwise, feel free to delete all your data and set Google to stop tracking you. For most of the day-to-day things you do with Google, you won't even notice the difference.

1. Sign in to your Google Account and choose Data & Personalization from the navigation bar.

2. To see a list of all your activity that Google has logged, scroll to Activity controls, and select Web & App Activity. This is where all your Google searches, YouTube viewing history, Google Assistant commands, and other interactions with Google apps and services get recorded.

3. To turn it completely off, move the toggle to the off position. But beware -- changing this setting will most likely make any Google Assistant devices you use, including Google Home and Google Nest smart speakers and displays, virtually unusable.

4. If you want Google to stop tracking just your Chrome browser history and activity from sites you sign in to with your Google account, uncheck the first box. If you don't want Google to keep audio recordings of your interactions with Google Assistant, uncheck the second box. Otherwise, move on to step 5.

5. To set Google to automatically delete this kind of data either never or every three or 18 months, select Auto-delete and pick the time frame you feel most comfortable with. Google will immediately delete any current data older than the time frame you specify. For example, if you choose three months, any information older than three months will be deleted right away.

6. Once you choose an Auto-delete setting, a popup will appear and ask you to confirm. Select Delete or Confirm.

7. Next, click Manage Activity. This page displays all the information Google has collected on you from the activities mentioned in the previous steps, arranged by date, all the way back to the day you created your account, or the last time you purged this list.

8. To delete specific days, select the trash can icon to the right of the day then choose Got it. To get more specific details or to delete individual items, select the three stacked dots icon beside the item then choose either Delete or Details.

9. If you'd rather delete part or all of your history manually, select the three stacked dots icon to the right of the search bar at the top of the page and choose Delete activity by then choose either Last hour, Last day, All-time or Custom range.

10. To make sure your new settings took, head back to Manage Activity (step 4) and make sure whatever's there only goes back the three or 18 months you selected in step 5.


Access Google's record of your location history

Perhaps even more off-putting than Google knowing what recipes you've been cooking, what vacation destination you're interested in, or how often you check the Powerball numbers, the precision of Google's record of your whereabouts can be downright chilling, even if you never do anything you shouldn't.

If you're signed in to Google Maps on a mobile device, Google's eyes are watching your every move. It's about enough to make you want to leave your phone at home. Thankfully, that's unnecessary. Here's how to access, manage, and delete your Google location data:

1. Sign in to your Google Account and choose Data & Personalization from the navigation bar.

2. To see a list of all your location data that Google has logged, scroll to Activity controls and select Location History.

3. If you want Google to stop tracking your location, turn off the toggle on this page.

4. To set Google to automatically delete this kind of data either never or every three or 18 months, select Auto-delete then pick the time frame you feel most comfortable with. Google will delete any current data older than the time frame you specify. For example, if you choose three months, any information older than three months will be deleted immediately.

5. Once you choose an Auto-delete setting, a popup will appear and ask you to confirm. Select Delete or Confirm.

6. Next, click Manage Activity. This page displays all the location information Google has collected on you as a timeline and a map, including places you've visited, the route you took there and back, as well as frequency and dates of visits.

7. To permanently delete all location history, click on the trash can icon in the lower right corner and choose Delete Location History when prompted. To delete individual trips, select a dot on the map or a bar on the timeline, then, on the next page, click the trash can icon beside the date of the trip you want to delete.

8. To make sure your location data really disappeared, start over with Activity Controls in step 2, then after Manage Activity in step 4, make sure the timeline in the upper left corner is empty and there are no dots on the map indicating your previous locations.

Manage your YouTube search and watch history

Of all the personal data that Google tracks, your YouTube search and watch history is probably the most innocuous. Not only that, allowing Google to track your YouTube history might have the most obvious benefit of all -- it helps YouTube figure out what kind of videos you like so it can dish out more of the type of content you'll enjoy.

Here's how to get a look at your YouTube history and, if you want, how to delete it, either manually or at three- or 18-month intervals. Just like with Web & App Activity, we recommend setting YouTube to purge your data every three months. That's just long enough that YouTube's recommendations will stay fresh, but doesn't leave a years-long trail of personal data lingering behind.

1. Sign in to your Google Account and choose Data & Personalization from the navigation bar.

2. To see a list of all your YouTube data that Google has logged, scroll to Activity controls and select YouTube History.

3. If you want Google to stop tracking your YouTube search and viewing history entirely, turn off the toggle on this page. To stop Google from tracking either just the videos you watch or just your searches, uncheck the appropriate box.

4. To set Google to automatically delete your YouTube data either never or every three or 18 months, select Auto-delete and pick the time frame you feel most comfortable with. Google will delete any current data older than the time frame you specify. For example, if you choose three months, any information older than three months will be deleted immediately.

5. Once you choose an Auto-delete setting, a popup will appear and ask you to confirm. Select Delete or Confirm.

6. Next, click Manage Activity. This is where every search you make and every video you watch is listed.

7. To delete specific days, select the trash can icon to the right of the day then choose Got it. To get more specific details or to delete individual items, select the three stacked dots icon then choose either Delete or Details.

8. If you'd rather delete part or all of your history manually, select the three stacked dots icon to the right of the search bar at the top of the page and choose Delete activity by then choose either Last hour, Last day, All time or Custom range.

9. To make sure your YouTube data really disappeared, start over with Activity Controls in step 2, then after Manage Activity in step 4 make sure whatever's there (if you deleted it all there should be nothing) only goes back the three or 18 months you selected in step 5.

One more important thing about your privacy

Be forewarned, just because you set Google not to track your online or offline activity doesn't necessarily mean you've closed off your data to Google completely. Google has admitted it can track your physical location even if you turn off location services using information gathered from Wi-Fi and other wireless signals near your phone. Also, just like Facebook has been guilty of doing for years, Google doesn't even need you to be signed in to track you.

Not to mention, there are sometimes seeming contradictions between Google's statements on privacy issues. For example, Google has admitted to scanning your Gmail messages to compile a list of your purchases in spite of publicly declaring in a 2018 press release, "To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse." Perhaps by "no one" Google meant "no human," but in an age of increasingly powerful AI, such a distinction is moot.

The point is, it's ultimately up to you to protect yourself from invasive data practices. These eight smartphone apps can help manage your passwords and obscure your browser data, as well as attend to some other privacy-related tasks. If you have any Google Home smart speakers in your house, here's how to manage your privacy with Google Assistant.

source

 5 
 on: July 01, 2020, 05:40:08 PM 
Started by javajolt - Last post by javajolt
Microsoft on Tuesday published two out-of-band security updates to patch two vulnerabilities in the Microsoft Windows Codecs Library.

Tracked as CVE-2020-1425 & CVE-2020-1457, the two bugs only impact Windows 10 and Windows Server 2019 distributions.

In security advisories published today, Microsoft said the two security flaws can be exploited with the help of a specially crafted image file.

If the malformed images are opened inside apps that utilize the built-in Windows Codecs Library to handle multimedia content, then attackers would be allowed to run malicious code on a Windows computer and potentially take over the device.

The two bugs -- described as two remote code execution (RCE) vulnerabilities -- received patches earlier today.

The patches have been deployed to customer systems via an update to the Windows Codecs Library, delivered through the Windows Store app -- not the Windows Update mechanism.

"Customers do not need to take any action to receive the update," Microsoft said.

Redmond said the bugs were privately reported and they haven't been used in the wild before today's patches.

The OS maker said it learned of the bugs after a report from Trend Micro's Zero Day Initiative, a program that intermediates communications between security researchers and larger companies. Microsoft credited Abdul-Aziz Hariri for first discovering these bugs, before passing them to the ZDI team.

source

 6 
 on: July 01, 2020, 12:49:40 PM 
Started by javajolt - Last post by javajolt

Everything on the internet is forever, but that doesn’t mean your tweets need to be. There’s almost no reason to keep your old tweets public, so in the video above, I share a few ways to clean up your Twitter timeline.

The official method
Twitter allows you to delete individual tweets through the dropdown menu pictured below. But there is no official way to delete tweets in bulk, which means you’ll have to rely on third-party solutions.



The third-party service I recommend and use myself is TweetDelete. The site allows you to bulk delete old tweets and likes from your Twitter account for free, with some advanced features available for a one-time $15 purchase. I have it set up to check my timeline every few days and automatically delete any tweets older than 3 months.

Jumbo

A privacy-focused app Jumbo is a great option on mobile devices. It’s an app we’ve recommended in the past as a great tool for taking control of your privacy and data on services like Google, Facebook, and Twitter. Jumbo can even archive the tweets it deletes locally or to a personal Dropbox account.

Keep in mind that all third-party solutions suffer from a limitation imposed by the Twitter API: They can only see and delete your last 3,200 tweets. So if you have 10,000 tweets to delete, you’ll have to run these services multiple times to completely purge your timeline. But trust me, it’ll be worth it.

source

 7 
 on: July 01, 2020, 12:42:35 PM 
Started by javajolt - Last post by javajolt
Google has removed 25 malicious apps from the Google Play Store after the French cybersecurity firm Evina discovered they contained Facebook-hacking malware. That means it’s time once again to check your Android device to make sure you didn’t foolishly (or accidentally) install a crappy app.

The list of apps includes flashlight tools, pedometers, image editors and more, but they’re all basically the same app. Sure, they all perform their different features as advertised, and they look different on the surface, but they all contain the same malicious code built to steal your Facebook login information.

The bad-news apps would check if the Facebook app was open in the background, then sneak a browser tab with a fake Facebook login page into the open background app’s window, enticing you to fill in your info. The fake page would copy your login and password and send them to a remote server that has since been shut down.

Here’s the list of removed apps from Evina’s report:



Apps removed from Google Play should automatically be removed from any devices they were installed on, but it’s worth double-checking—especially if you have side-loaded anything on your device. If affected, you should reset your Facebook password and update your security settings—enabling two-factor authentication is always a good bet—right away.

Normally I’d make sure to remind folks to check those app permissions to make sure there’s nothing sketchy happening under the hood, but these apps were suckering users with fake Facebook login pages rather than doing anything untoward behind the scenes. That said, checking app permissions before installing is crucial to data security, but you can’t drop your guard just because the permissions seem fine.

Plenty of malware apps and phishing campaigns try to steal your social media account info with fake login pages. The safest strategy is to only log in through a social media platform’s official app.

However, if for some reason you do need to log in via a web browser, confirm the page is legit first. Check everything—the URL, images, layout, text, even the color of the page when you view all tabs. If they don’t match, then it’s fake.



That’s why having extra layers of security on all your accounts is important: even if your password is stolen, it’ll be difficult for someone to break in if they don’t have access to your 2FA codes.

source

 8 
 on: June 30, 2020, 07:00:38 PM 
Started by javajolt - Last post by javajolt
US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks.

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," US Cyber Command said in a tweet today.

"Foreign APTs will likely attempt [to] exploit soon," the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups.

CVE-2020-2021 - A RARE 10/10 VULNERABILITY

US Cyber Command officials are right to be panicked. The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale.

A 10/10 CVSSv3 score means the vulnerability is both easy to exploit, as it doesn't require advanced technical skills, and remotely exploitable via the internet, without requiring attackers to gain an initial foothold on the attacked device.

In technical terms, the vulnerability is an authentication bypass that allows threat actors to access the device without needing to provide valid credentials.

Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS features seems innocuous and of little consequence, the bug is actually quite a major issue because it could be used to disable firewalls or VPN access-control policies, effectively disabling entire PAN-OS devices.

In a security advisory published today, Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a certain configuration for the bug to be exploitable.

PAN engineers said the bug is only exploitable if the 'Validate Identity Provider Certificate' option is disabled and if SAML (Security Assertion Markup Language) is enabled.



Devices that support these two options -- and are vulnerable to attacks -- include systems like:

• GlobalProtect Gateway

• GlobalProtect Portal

• GlobalProtect Clientless VPN

• Authentication and Captive Portal

• PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces

• Prisma Access systems

These two settings are not in the vulnerable positions by default and require manual user intervention to be set in that specific configuration -- meaning that not all PAN-OS devices are vulnerable to attacks by default.

SOME DEVICES HAVE BEEN CONFIGURED TO BE VULNERABLE

However, according to Will Dormann, vulnerability analyst for CERT/CC, several vendor manuals instruct PAN-OS owners to set up this exact particular configuration when using third-party identity providers -- such as using Duo authentication on PAN-OS devices, or third-party authentication solutions from Centrify, Trusona, or Okta.

This means that while the vulnerability looks harmless at a first glance due to the complex configuration needed to be exploitable, there are likely quite a few devices configured in this vulnerable state, especially due to the widespread use of Duo authentication in the enterprise and government sector.

At the time of writing, the number of vulnerable systems is estimated to be at most 4,200, according to Troy Mursch, co-founder of internet scanning and threat intel firm Bad Packets.

"Of the 58,521 publicly accessible Palo Alto (PAN-OS) servers scanned by Bad Packets, 4,291 hosts were found using some type of SAML authentication," Mursch told ZDNet today.

However, Mursch says that his company's scans can only tell if SAML authentication is enabled, but not if the second condition ('Validate Identity Provider Certificate' option disabled) is also met.

Owners of PAN-OS devices are advised to immediately review device configurations and apply the latest patches provided by Palo Alto Networks if their devices are running in a vulnerable state.

The list of vulnerable PAN-OS releases where CVE-2020-2021 is known to work is listed below.



Following Palo Alto's vulnerability disclosure today, several respected figures in the cyber-security community have echoed the US Cyber Command warning and have also urged system administrators to patch PAN-OS devices as soon as possible, also anticipating attacks from nation-state threat actors to follow in a matter of days.

Palo Alto Networks did not return an email seeking comment on the US Cyber Command's warning.

source
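As an added example (not Palo Alto Networks' tooling or code from the article), the script below audits an exported PAN-OS XML configuration for the two preconditions the advisory names: a SAML identity-provider server profile is configured, and its 'Validate Identity Provider Certificate' option is off. The element path `server-profile/saml-idp/entry/validate-idp-certificate` and the sample export are assumptions modelled on the PAN-OS XML schema, not values taken from the article.

```python
"""Audit an exported PAN-OS XML configuration for the CVE-2020-2021 preconditions.

Added example, not Palo Alto Networks' tooling. The advisory says the bug is
reachable only when SAML authentication is configured and the 'Validate
Identity Provider Certificate' option is disabled. This script reads a config
export and lists every SAML IdP server profile left in that state.

ASSUMPTION: the element path server-profile/saml-idp/entry/validate-idp-certificate
is modelled on the PAN-OS XML schema from memory; check it against your own export.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample export (not a real device): one profile left in the
# vulnerable state, one hardened, and a RADIUS profile that is irrelevant here.
SAMPLE_CONFIG = """\
<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-idp">
          <certificate>okta-signing-cert</certificate>
          <entity-id>https://idp.example.test/okta</entity-id>
          <sso-url>https://idp.example.test/okta/sso</sso-url>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="adfs-idp">
          <certificate>adfs-signing-cert</certificate>
          <entity-id>https://adfs.example.test/adfs</entity-id>
          <sso-url>https://adfs.example.test/adfs/ls</sso-url>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
      <radius>
        <entry name="corp-radius"/>
      </radius>
    </server-profile>
  </shared>
</config>
"""


def saml_idp_profiles(config_xml: str) -> List[Dict[str, str]]:
    """Collect every SAML IdP server profile, whether in shared or per-vsys scope."""
    root = ET.fromstring(config_xml)
    found = []
    for sp in root.iter("server-profile"):
        for entry in sp.findall("saml-idp/entry"):
            # A missing element is recorded as "" so it can be flagged for manual review
            flag = (entry.findtext("validate-idp-certificate") or "").strip().lower()
            found.append({"name": entry.get("name", "?"), "validate_idp_cert": flag})
    return found


def audit(config_xml: str) -> Dict[str, object]:
    """Summarise one config: is SAML present, and which profiles meet the vulnerable condition."""
    profiles = saml_idp_profiles(config_xml)
    return {
        "saml_configured": bool(profiles),
        "vulnerable_profiles": [p["name"] for p in profiles if p["validate_idp_cert"] == "no"],
        "needs_review": [p["name"] for p in profiles if p["validate_idp_cert"] not in ("yes", "no")],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    if not result["saml_configured"]:
        print("No SAML IdP profiles: the SAML precondition is not met on this device.")
    for name in result["vulnerable_profiles"]:
        print(f"VULNERABLE STATE: profile {name!r} has validate-idp-certificate=no")
    for name in result["needs_review"]:
        print(f"REVIEW: profile {name!r} does not state validate-idp-certificate")
```

A clean result only narrows exposure; the patches Palo Alto Networks published still need to be applied.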

 9 
 on: June 30, 2020, 05:49:45 PM 
Started by javajolt - Last post by javajolt
A simple VBScript may be enough to allow users to gain administrative privileges and bypass UAC entirely on Windows 10.

In a new report from PwC UK security researcher Wietze Beukema, we learn that almost 300 Windows 10 executables are vulnerable to DLL hijacking.

“It turns out nearly 300 executables in your System32 folder are vulnerable to relative path DLL Hijacking. Did you know that with a simple VBScript some of these EXEs can be used to elevate such executions, bypassing UAC entirely?” explained Beukema.

The vulnerability referred to here is relative path DLL hijacking, which is when an attacker can cause a legitimate Windows executable to load an arbitrary DLL of the attacker’s choice, most likely with malicious intent.

DLL hijacking attacks can prove useful to a skilled attacker as they grant capabilities such as arbitrary code execution, privilege escalation, and persistence on the target system.

The various techniques of DLL hijacking covered by Beukema's blog post include DLL replacement, DLL Proxying, DLL search order hijacking, Phantom DLL hijacking, DLL redirection, WinSxS DLL replacement, and relative path DLL Hijacking.

A working example

To demonstrate relative path DLL hijacking in practice, Beukema focused on the libraries present in the “C:\Windows\System32” folder on a Windows 10 (v1909) machine.

He copied the legitimate winstat.exe process into the downloads folder on his system. He then ran the process monitoring tool procmon to get a better understanding of what DLLs the EXE is looking for during execution.


Process monitor showing accessed DLLs - source: wietzebeukema.nl

“This allows us to identify all DLLs queried by each application, which will be all potential hijackable DLL candidates. But it does not automatically follow that all of these are also loaded (and therefore executed),” explained the researcher.

“The most reliable way to find out which DLLs are properly loaded is to compile our own version of the DLL and make it write to a unique file upon successfully loading. If we then repeat the above approach for all target executables and DLLs, it will result in a collection of files that tells us which DLLs are confirmed vulnerable to DLL hijacking.”

What poses a challenge for the attacker, though, is compiling a custom version of the DLL that can be launched by the executable without any issues. To get a reliable understanding of a legitimate DLL structure, Beukema recommends using tools like DLL Export Viewer for analysis.

This tool provides insight into the DLL structure we are trying to recompile by enumerating all external function names that would then be duplicated in a DLL hijacking exploit.


Approach to finding vulnerable executables - source: wietzebeukema.nl
The researcher has provided a comprehensive list of libraries that are good candidates for hijacking attacks.

He added, “these are not mere theoretical targets, these are tested and confirmed to be working. The list comprises 287 executables and 263 unique DLLs.”

A CSV with a complete list of these libraries has been provided via GitHub.

source
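As an added, defender-side example that is not part of the post or of Beukema's research, the PowerShell below turns the pattern described above (a System32 binary running from another folder, such as Downloads, and resolving a DLL from that folder rather than from System32) into a check over Sysmon Event ID 7 (ImageLoaded) records. The field names Image and ImageLoaded are Sysmon's own; the function names, the helper names and the sample records are mine, and the DLL name in the sample is a placeholder because the post does not say which DLLs winstat.exe looks for.

```powershell
# Added example, not code from the post or from wietzebeukema.nl.
# Flags image loads matching relative-path DLL hijacking: a process whose file
# name belongs to a System32 executable runs from outside System32 and loads a
# DLL out of its own directory instead of the system directory.

# Separator-agnostic path helpers so the sample runs on any PowerShell host.
function Get-ParentPath([string]$Path) { $Path -replace '[\\/][^\\/]*$', '' }
function Get-LeafName([string]$Path)   { ($Path -split '[\\/]')[-1] }

function Test-RelativeDllHijack {
    param(
        [Parameter(Mandatory)] [string]$Image,         # full path of the running process
        [Parameter(Mandatory)] [string]$ImageLoaded,   # full path of the DLL it loaded
        [Parameter(Mandatory)] [string[]]$System32Executables,  # file names of *.exe in System32
        [string]$System32 = "$env:SystemRoot\System32"
    )
    $exeDir  = Get-ParentPath $Image
    $exeName = Get-LeafName   $Image
    $dllDir  = Get-ParentPath $ImageLoaded

    $nameMatchesSystem32  = $System32Executables -contains $exeName          # -contains ignores case
    $runsOutsideSystem32  = $exeDir.TrimEnd('\') -ne $System32.TrimEnd('\')  # -ne ignores case too
    $dllResolvedBesideExe = $dllDir.TrimEnd('\') -eq $exeDir.TrimEnd('\')

    return ($nameMatchesSystem32 -and $runsOutsideSystem32 -and $dllResolvedBesideExe)
}

# Live variant: read Sysmon Event ID 7 from the operational log (assumes Sysmon
# is installed with image-load logging enabled) and report matching loads.
function Find-RelativeDllHijackEvents {
    param([int]$MaxEvents = 5000)
    $sys32Exes = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.exe' -File |
        Select-Object -ExpandProperty Name
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data  = ([xml]$_.ToXml()).Event.EventData.Data
            $image = ($data | Where-Object { $_.Name -eq 'Image' }).'#text'
            $dll   = ($data | Where-Object { $_.Name -eq 'ImageLoaded' }).'#text'
            if (Test-RelativeDllHijack -Image $image -ImageLoaded $dll -System32Executables $sys32Exes) {
                [pscustomobject]@{ Time = $_.TimeCreated; Image = $image; ImageLoaded = $dll }
            }
        }
}

# Constructed sample records (not real telemetry). The first mirrors the post's
# setup, winstat.exe copied to Downloads; the DLL name is a placeholder.
$sampleSystem32 = @('winstat.exe', 'notepad.exe', 'cmd.exe')
$sampleEvents = @(
    @{ Image = 'C:\Users\demo\Downloads\winstat.exe'; ImageLoaded = 'C:\Users\demo\Downloads\PLACEHOLDER.dll' },
    @{ Image = 'C:\Windows\System32\winstat.exe';     ImageLoaded = 'C:\Windows\System32\kernel32.dll' },
    @{ Image = 'C:\Users\demo\Downloads\setup.exe';   ImageLoaded = 'C:\Users\demo\Downloads\helper.dll' }
)
foreach ($e in $sampleEvents) {
    $hit = Test-RelativeDllHijack -Image $e.Image -ImageLoaded $e.ImageLoaded `
                                  -System32Executables $sampleSystem32 -System32 'C:\Windows\System32'
    '{0,-5} {1}' -f $hit, $e.Image
}
```

Only the first sample record satisfies all three conditions; the second is the same binary loading from System32, and the third is a non-system executable loading its own DLL, which is normal application behaviour. The live function is the piece to schedule or feed into a SIEM; note that it only sees what Sysmon has been configured to log for image loads.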

 10 
 on: June 30, 2020, 02:32:16 PM 
Started by javajolt - Last post by javajolt
Microsoft has created a Windows 10 File Recovery Tool that recovers deleted files and forgot to tell anyone.

Everyone has deleted a file by accident and then realized that they had no backup. If this file was critical, then you may get lucky using a third-party file recovery, or undelete, program to recover the deleted data.

Windows sleuth WalkingCat recently discovered a program created by Microsoft called the 'Windows Recovery Tool.'

This tool states it is a file recovery program that allows you to undelete files on a hard drive, USB drive, and even an SD card.

Quote
"Accidentally deleted an important file? Wiped clean your hard drive? Unsure of what to do with corrupted data? Windows File Recovery can help recover your personal data."


Microsoft's Windows File Recovery Tool supports three modes of operation: 'Default,' 'Segment,' and 'Signature.'

Each of these modes attempts to recover deleted files from a storage device in a different way, as described below.

Default mode: This mode uses the Master File Table (MFT) to locate lost files. Default mode works well when the MFT and file segments, also called File Record Segments (FRS), are present.

Segment mode: This mode does not require the MFT but does require segments. Segments are summaries of file information that NTFS stores in the MFT such as name, date, size, type, and the cluster/allocation unit index.

Signature mode: This mode only requires that the data is present and searches for specific file types. It doesn't work for small files. To recover a file on an external storage device, such as a USB drive, you can only use Signature mode.

Once installed, the program is available as a command-line tool called winfr.exe.

Below we have provided some examples of how to use the winfr tool in Windows 10.

How to use Microsoft's Windows File Recovery tool

To use the Windows 10 File Recovery Tool, you need to install the app first from the Microsoft Store.

As this program requires administrative privileges, once installed, you need to launch a Windows 10 elevated command prompt to use it.

In the command prompt, you can type winfr and press enter to see a list of the available commands.


Windows 10 File Recovery Tool

Quote
Windows File Recovery
Copyright (c) Microsoft Corporation. All rights reserved
Version:            0.0.11761.0
----------------------------------------------------------

USAGE: winfr source-drive: destination-folder [/switches]

/r           - Segment mode (NTFS only, recovery using file record segments)
/n [filter]  - Filter search (default or segment mode, wildcards allowed, trailing \ for folder)

/x           - Signature mode (recovery using file headers)
/y:[type(s)] - Recover specific extension groups (signature mode only, comma separated)
/#           - Displays signature mode extension groups and file types

/?           - Help text
/!           - Display advanced features

Example usage - winfr C: D:\RecoveryDestination /n Users\[username]\Downloads\
                winfr C: D:\RecoveryDestination /x /y:PDF,JPEG
                winfr C: D:\RecoveryDestination /r /n *.pdf /n *.jpg

Visit http://aka.ms/winfrhelp for user guide
For support, please email winfr@microsoft.com


Winfr also includes advanced options, which can be viewed by typing winfr /!.

These advanced options, shown below, allow you to fine-tune the recovery process by specifying what sectors to scan, how the recovery should perform, and disabling specific file extensions.

Quote
Windows File Recovery
Copyright (c) Microsoft Corporation. All rights reserved
Version:            0.0.11761.0
----------------------------------------------------------

USAGE: winfr source-drive: destination-folder [/switches]
/p:[folder]    - Specify recovery log destination (default: destination folder)
/a             - Accepts all user prompts

/u             - Recover non-deleted files (default/segment mode only)
/k             - Recover system files (default/segment mode only)
/o:[a|n|b]     - Overwrite (a)lways, (n)ever or keep (b)oth always (default/segment mode only)
/g             - Recover files without primary data stream (default: false, default/segment mode only)
/e             - Disable extension exclusion list (default/segment mode only)
/e:[extension] - Disable specific extension(s) (default extension list no longer applies) (default/segment mode only)

/s:[sectors]   - Number of sectors in volume (segment/signature mode only)
/b:[bytes]     - Number of bytes in cluster (segment/signature mode only)
/f:[sector]    - First sector to scan (segment/signature mode only)


When using the Windows 10 File Recovery Tool, you need to specify the source drive, the drive files will be recovered to, and any filters that fine-tune what files are recovered and the file recovery mode.

For example, to use the 'default' mode to recover all deleted .JPG files on the D: drive and restore them to the E: drive, you would use the following command:

Quote
winfr D: F: /n *.JPG


To use the 'default' mode to recover all deleted files from the E:\temp folder, you would use the command:

Quote
winfr E: F: /n \temp\*.PNG



winfr.exe example

To use the 'segment' mode to search the C: drive for deleted files whose filename contained the string 'statement' and recover them to the E: drive, you would use the following command.

Quote
winfr C: E: /r /n *statement*


Finally, to use the 'signature' mode to recover Word documents (.docx) from the C: drive, you would use the following command:

Quote
winfr C: D:\RecoveryDestination /x /y:DOCX


It should be noted that when using filters that match a folder name, you should leave off the drive letter.

For example, if you set your source drive to C: and want to recover files from C:\test, you would use a filter of /n \test\.

Unfortunately, in our tests, many of the recovered files were not actually usable. When attempting to recover .txt files from our E: drive, the recovered files were corrupt, as shown below.


Corrupted recovered file

We will continue to use the tool in real-life recovery tests to see how well it performs.

For now, though, you may have better success using tools like Photorec or Recuva to recover any deleted files.

source
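As an added example, not part of the post or of Microsoft's tool, the PowerShell below builds a winfr argument list from the rules in the help text above: /r selects segment mode and /x signature mode, /n filters are accepted only in default or segment mode, /y groups only in signature mode, and filters are passed relative to the source drive with the drive letter removed. It also refuses a destination on the source drive, since Microsoft's winfr user guide (aka.ms/winfrhelp) requires the two to be different drives. The function and parameter names are my own.

```powershell
# Added example, not code from the post or from Microsoft. Builds the argument
# list for winfr.exe and checks the mode/switch combinations stated in its help.

function New-WinfrArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]:$')] [string]$SourceDrive,   # e.g. 'C:'
        [Parameter(Mandatory)] [string]$Destination,                                   # e.g. 'D:\RecoveryDestination'
        [ValidateSet('Default', 'Segment', 'Signature')] [string]$Mode = 'Default',
        [string[]]$Filter,          # /n patterns: '*.pdf', '*statement*', 'Users\demo\Downloads\'
        [string[]]$ExtensionGroup   # /y groups for signature mode: 'PDF', 'JPEG', 'DOCX'
    )

    # winfr's user guide requires source and destination on different drives:
    # writing recovered data onto the drive being scanned can overwrite what is left of it.
    if ($Destination -match '^([A-Za-z]:)' -and $Matches[1] -eq $SourceDrive) {
        throw "Destination '$Destination' is on the source drive $SourceDrive; choose another drive."
    }

    $argList = @($SourceDrive, $Destination)
    switch ($Mode) {
        'Segment'   { $argList += '/r' }   # NTFS only, uses file record segments
        'Signature' { $argList += '/x' }   # uses file headers; the only mode for external media
    }

    if ($Filter) {
        if ($Mode -eq 'Signature') { throw '/n filters apply to default or segment mode only.' }
        foreach ($f in $Filter) {
            # Filters are relative to the source drive: drop a drive letter if one was given.
            # A folder filter must keep its trailing backslash, e.g. '\test\'.
            $relative = $f -replace '^[A-Za-z]:', ''
            $argList += '/n', $relative
        }
    }

    if ($ExtensionGroup) {
        if ($Mode -ne 'Signature') { throw '/y extension groups apply to signature mode only.' }
        $argList += "/y:$($ExtensionGroup -join ',')"
    }
    return $argList
}

function Invoke-Winfr {
    param([Parameter(Mandatory)] [string[]]$Arguments, [switch]$DryRun)
    if ($DryRun) { return 'winfr ' + ($Arguments -join ' ') }
    & winfr.exe @Arguments      # needs an elevated prompt, as the post notes
}

# Dry runs reproducing the help text's examples and the folder-filter rule; nothing is written to disk.
Invoke-Winfr -DryRun -Arguments (New-WinfrArguments -SourceDrive 'C:' -Destination 'D:\RecoveryDestination' -Mode Segment -Filter '*.pdf', '*.jpg')
Invoke-Winfr -DryRun -Arguments (New-WinfrArguments -SourceDrive 'C:' -Destination 'D:\RecoveryDestination' -Mode Signature -ExtensionGroup 'PDF', 'JPEG')
Invoke-Winfr -DryRun -Arguments (New-WinfrArguments -SourceDrive 'C:' -Destination 'E:\' -Filter 'C:\test\')
```

The three dry runs print the same command lines as the help text and the folder example in the post ("/n \test\" after the drive letter is stripped). Drop -DryRun to actually invoke winfr.exe from an elevated prompt; the validation still runs first, so a /y group in default mode or a destination on the source drive is rejected before anything touches the disk.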
