Wednesday 14 August 2013

How to Let Someone Else Use Your Computer Without Giving Them Access To All Your Stuff

If you let someone use your computer, they could gain access to your saved passwords, read your email, access all your files, and more. Instead of looking over their shoulder, just use your operating system’s guest account feature.
Guest accounts are found on all desktop operating systems — from Windows and Mac to Ubuntu, Chrome OS, and other Linux distributions. The Guest account isn’t enabled by default on Windows, so you have to go out of your way to use it.
We’ve covered why it’s a good idea to use separate Windows user accounts, and using a guest account is ideal for the same reason. There’s no need to create a dedicated user account for temporary guest users.

Why You Should Use Guest Accounts

Have you ever needed to give someone else access to your computer? If you’re careful, you may have sat behind them, looking over their shoulder and ensuring they weren’t going to stumble into your private documents or unwittingly access your email. There’s a better way — use the special guest account that gives your guest limited access, allowing you to leave them alone with your computer and let them browse the web without giving them access to all your passwords, private documents, email, social media accounts, browser history, and everything else you do on your computer.

Guest accounts aren’t able to install software, configure hardware devices, change system settings, or even create a password that applies to the guest account. Guest accounts can shut down your computer — that’s about as much harm as they can do.
The guest account allows users to browse the web and use typical applications, so it’s a great way to give someone else access to your computer without feeling compelled to look over their shoulder. Even someone you trust may not access your personal data maliciously — they may open your browser, head to Gmail to check their email, and see your inbox if you’re already logged in. They’d then have to log out and log into their account, and you’d have to log back into your accounts when they’re done. Avoid this headache by using the guest account instead.

Enabling the Guest Account in Windows

To enable the guest account on Windows 7, open the Control Panel and select the Add or remove user accounts option.

On Windows 8, click the Change account type option instead.

Click the Guest icon to enable the account.

Windows will display some information — enabling the guest account will allow anyone to log into your PC and use it, although they won’t be able to access your personal files or install software. Click Turn On to enable guest access.

Using the Guest Account

Once you’ve enabled the guest account, it will appear as a separate user account on your login screen. Anyone can log in as the guest account after booting your computer or accessing it when it’s locked.
You can log out of your current user account or use the Switch User feature to stay logged in, keeping your programs open and your account locked while allowing the guest to use your PC.

Once they’re done, they can log out of the guest account. Note that their browsing history, logged-in websites, and any other files or data they left lying around will remain accessible to future users of your guest account. Guest users should log out of any websites they accessed or just use a browser’s private browsing feature inside the guest account.

Guest Accounts on Mac, Linux, and Chrome OS

On a Mac, you can log in as the guest user by selecting the Guest User account on the login screen. If this option isn’t available, use the Users & Groups panel in System Preferences to enable the guest account.
On Ubuntu, the guest account is enabled out of the box. You can select the Guest user on the login screen to log in as the guest account.
Mac OS X and Ubuntu both automatically delete a guest user’s files when the guest user logs out, providing a fresh experience for each guest user. Windows doesn’t do this. Microsoft was working on similar functionality with “Guest Mode” when they were developing Windows 7, but this feature was dropped.

Google’s Chromebooks also offer a guest mode. Like Mac and Linux, all guest user data will be automatically wiped when the guest user logs out.

Tuesday 13 August 2013

How Hackers Take Over Web Sites with SQL Injection / DDoS



Even if you’ve only loosely followed the events of the hacker groups Anonymous and LulzSec, you’ve probably heard about web sites and services being hacked, like the infamous Sony hacks. Have you ever wondered how they do it?
There are a number of tools and techniques that these groups use, and while we’re not trying to give you a manual to do this yourself, it’s useful to understand what’s going on. Two of the attacks you consistently hear about them using are “(Distributed) Denial of Service” (DDoS) and “SQL Injections” (SQLI). Here’s how they work.
Image by xkcd

Denial of Service Attack


What is it?
A “denial of service” (sometimes called a “distributed denial of service” or DDoS) attack occurs when a system, in this case a web server, receives so many requests at one time that the server resources are overloaded and the system simply locks up and shuts down. The goal and result of a successful DDoS attack is that the websites on the target server are unavailable to legitimate traffic requests.
How does it work?
The logistics of a DDoS attack may be best explained by an example.
Imagine a million people (the attackers) get together with the goal of hampering Company X’s business by taking down their call center. The attackers coordinate so that on Tuesday at 9 AM they will all call Company X’s phone number. Most likely, Company X’s phone system will not be able to handle a million calls at once, so all the incoming lines will be tied up by the attackers. The result is that legitimate customer calls (i.e. those that are not the attackers) do not get through because the phone system is tied up handling the calls from the attackers. So in essence Company X is potentially losing business due to the legitimate requests being unable to get through.
A DDoS attack on a web server works exactly the same way. Because there is virtually no way to know what traffic is sourced from legitimate requests vs. attackers until the web server is processing the request, this type of attack is typically very effective.
Executing the attack
Due to the “brute force” nature of a DDoS attack, you need to have lots of computers all coordinated to attack at the same time. Revisiting our call center example, this would require all the attackers to both know to call at 9 AM and actually call at that time. While this principle certainly will work when it comes to attacking a web server, it becomes significantly easier when zombie computers, instead of actual manned computers, are utilized.
As you probably know, there are lots of variants of malware and trojans which, once on your system, lie dormant and occasionally “phone home” for instructions. One of these instructions could, for example, be to send repeated requests to Company X’s web server at 9 AM. So with a single update to the home location of the respective malware, a single attacker can instantly coordinate hundreds of thousands of compromised computers to perform a massive DDoS attack.
The beauty of utilizing zombie computers is not only in its effectiveness, but also in its anonymity as the attacker doesn’t actually have to use their computer at all to execute the attack.

SQL Injection Attack


What is it?
A “SQL injection” (SQLI) attack is an exploit that takes advantage of poor web development techniques, typically combined with faulty database security. The result of a successful attack can range from impersonating a user account to a complete compromise of the respective database or server. Unlike a DDoS attack, an SQLI attack is completely and easily preventable if a web application is appropriately programmed.
Executing the attack
Whenever you login to a web site and enter your user name and password, in order to test your credentials the web application may run a query like the following:
SELECT UserID FROM Users WHERE UserName='myuser' AND Password='mypass';
Note: string values in a SQL query must be enclosed in single quotes which is why they appear around the user entered values.
So the combination of the entered user name (myuser) and password (mypass) must match an entry in the Users table in order for a UserID to be returned. If there is no match, no UserID is returned so the login credentials are invalid. While a particular implementation may differ, the mechanics are pretty standard.
So now let’s look at a template authentication query which we can substitute the values the user enters on the web form:
SELECT UserID FROM Users WHERE UserName='[user]' AND Password='[pass]'
At first glance this may seem like a straightforward and logical step for easily validating users, however if a simple substitution of the user entered values is performed on this template, it is susceptible to an SQLI attack.
For example, suppose "myuser'--" is entered in the user name field and “wrongpass” is entered in the password. Using simple substitution in our template query, we would get this:
SELECT UserID FROM Users WHERE UserName='myuser'--' AND Password='wrongpass'
A key to this statement is the inclusion of the two dashes (--). This is the begin comment token for SQL statements, so anything appearing after the two dashes (inclusive) will be ignored. Essentially, the above query is executed by the database as:
SELECT UserID FROM Users WHERE UserName='myuser'
The glaring omission here is the lack of the password check. By including the two dashes as part of the user field, we completely bypassed the password check condition and were able to login as “myuser” without knowing the respective password. This act of manipulating the query to produce unintended results is a SQL injection attack.
What damage can be done?
A SQL injection attack is caused by negligent and irresponsible application coding and is completely preventable (which we will cover in a moment), however the extent of the damage which can be done depends on the database setup. In order for a web application to communicate with the backend database, the application must supply a login to the database (note, this is different than a user login to the web site itself). Depending on what permissions the web application requires, this respective database account can require anything from read/write permission in existing tables only to full database access. If this isn’t clear now, a few examples should help provide some clarity.
Based on the above example, you can see that by entering, for example, "youruser'--", "admin'--" or any other user name, we can instantly log in to the site as that user without knowing the password. Once we are in, the system doesn’t know we are not actually that user, so we have full access to the respective account. Database permissions will not provide a safety net for this because, typically, a web site must have at least read/write access to its respective database.
Now let’s assume the web site has full control of its respective database which gives the ability to delete records, add/remove tables, add new security accounts, etc. It is important to note that some web applications could need this type of permission so it is not automatically a bad thing that full control is granted.
So to illustrate the damage which can be done in this situation, we will use the example provided in the comic above by entering the following into the user name field: "Robert'; DROP TABLE Users;--". After simple substitution the authentication query becomes:
SELECT UserID FROM Users WHERE UserName='Robert'; DROP TABLE Users;--' AND Password='wrongpass'
Note: the semicolon in a SQL query is used to signify the end of a particular statement and the beginning of a new statement.
Which gets executed by the database as:
SELECT UserID FROM Users WHERE UserName='Robert'
DROP TABLE Users
So just like that, we have used an SQLI attack to delete the entire Users table.
Of course, much worse can be done as, depending on the SQL permissions allowed, the attacker can change values, dump tables (or the entire database itself) to a text file, create new login accounts or even hijack the entire database installation.
Preventing a SQL injection attack
As we mentioned several times previously, a SQL injection attack is easily preventable. One of the cardinal rules of web development is you never blindly trust user input as we did when we performed simple substitution in our template query above.
An SQLI attack is easily thwarted by what is called sanitizing (or escaping) your inputs. The sanitize process is actually quite trivial as all it essentially does is handle any inline single quote (') characters appropriately such that they cannot be used to prematurely terminate a string inside of a SQL statement.
For example, if you wanted to look up "O'neil" in a database, you couldn’t use simple substitution because the single quote after the O would cause the string to prematurely end. Instead you sanitize it by using the respective database’s escape character. Let’s assume the escape for an inline single quote is prefacing each quote with a \ symbol. So "O'neil" would be sanitized as "O\'neil".
This simple act of sanitization pretty much prevents an SQLI attack. To illustrate, let’s revisit our previous examples and see the resulting queries when the user input is sanitized.
myuser'-- / wrongpass:
SELECT UserID FROM Users WHERE UserName='myuser\'--' AND Password='wrongpass'
Because the single quote after myuser is escaped (meaning it is considered part of the target value), the database will literally search for the UserName of "myuser'--". Additionally, because the dashes are included within the string value and not the SQL statement itself, they will be considered part of the target value instead of being interpreted as a SQL comment.
Robert'; DROP TABLE Users;-- / wrongpass:
SELECT UserID FROM Users WHERE UserName='Robert\'; DROP TABLE Users;--' AND Password='wrongpass'
By simply escaping the single quote after Robert, both the semicolon and dashes are contained within the UserName search string so the database will literally search for "Robert'; DROP TABLE Users;--" instead of executing the table delete.
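The login check above, run against a real database engine, as an added example that is not part of the original article. It compares simple substitution, escaping, and bound parameters (the driver passes the values separately from the SQL text, so no quoting is involved at all). It assumes Python's sqlite3 module with a constructed in-memory Users table; SQLite escapes a quote by doubling it rather than with the backslash the article assumes, which is why escaping rules have to match the database in use.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory Users table mirroring the page's query.
    Plaintext passwords are kept only so the page's query can be used unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserID INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (UserName, Password) VALUES (?, ?)",
        [("myuser", "mypass"), ("O'neil", "secret")],
    )
    return conn


def build_query(user, password):
    """Simple substitution of form values into the page's template query."""
    return (
        "SELECT UserID FROM Users "
        f"WHERE UserName='{user}' AND Password='{password}'"
    )


def escape_quotes(value):
    """SQLite follows standard SQL: a quote inside a string literal is doubled."""
    return value.replace("'", "''")


def run(conn, sql, params=()):
    """Return the matching UserID, None when nothing matches, or 'SQL error'."""
    try:
        row = conn.execute(sql, params).fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        return "SQL error"
    return row[0] if row else None


def login_substitution(conn, user, password):
    """Vulnerable: user input becomes part of the SQL text."""
    return run(conn, build_query(user, password))


def login_escaped(conn, user, password):
    """Sanitized as the article describes, using SQLite's escape convention."""
    return run(conn, build_query(escape_quotes(user), escape_quotes(password)))


def login_parameterized(conn, user, password):
    """Bound parameters: values never enter the SQL text, so nothing to escape."""
    sql = "SELECT UserID FROM Users WHERE UserName=? AND Password=?"
    return run(conn, sql, (user, password))


if __name__ == "__main__":
    conn = make_db()
    # Inputs taken from the article, plus the O'neil lookup it mentions.
    attempts = [
        ("myuser", "mypass"),
        ("myuser'--", "wrongpass"),
        ("O'neil", "secret"),
        ("Robert'; DROP TABLE Users;--", "wrongpass"),
    ]
    for user, password in attempts:
        print(repr(user))
        # Substitution is skipped for the stacked-statement input: the point
        # here is that the two hardened paths treat it as an ordinary string.
        if ";" not in user:
            print("  substitution :", login_substitution(conn, user, password))
        print("  escaped      :", login_escaped(conn, user, password))
        print("  parameterized:", login_parameterized(conn, user, password))
```

With substitution, the legitimate user O'neil cannot log in at all because the quote in the name breaks the query, which is often the first visible symptom that a form builds SQL by concatenation.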

Learn How Websites Are Tracking You Online


Some forms of tracking are obvious – for example, websites know who you are if you’re logged in. But how do tracking networks build up profiles of your browsing activity across multiple websites over time?
Tracking is generally used by advertising networks to build up detailed profiles for pinpoint ad-targeting. If you’ve ever visited a business’ website and seen ads for that business on other websites later, you’ve seen it in action.

IP Addresses

The most basic way of identifying you is by your IP address. Your IP address identifies you on the Internet. These days, it’s likely that your computer shares an IP address with the other networked devices in your house or office. From your IP address, a website can determine your rough geographical location – not down to street level, but generally your city or area. If you’ve ever seen a spammy ad that tries to look legitimate by mentioning your location, this is how the ad does it.

IP addresses can change and are often used by multiple users, so they aren’t a good way of tracking a single user over time. Still, an IP address can be combined with other techniques here to track your geographical location.

HTTP Referrer

When you click a link, your browser loads the web page you clicked and tells the website where you came from. For example, if you clicked a link to an outside website on How-To Geek, the outside website would see the address of the How-To Geek article you came from. This information is contained in the HTTP referrer header.
The HTTP referrer is also sent when loading content on a web page. For example, if a web page includes an ad or tracking script, your browser tells the advertiser or tracking network what page you’re viewing.
“Web bugs,” which are tiny, one-by-one pixel, invisible images, take advantage of the HTTP referrer to track you without appearing on a web page. They’re also used to track emails you open, assuming your email client loads images.

Cookies & Tracking Scripts

Cookies are small pieces of information websites can store in your browser. They have plenty of legitimate uses – for example, when you sign into your online-banking website, a cookie remembers your login information. When you change a setting on a website, a cookie stores that setting so it can persist across page loads and sessions.

Cookies can also identify you and track your browsing activity across a website. This isn’t necessarily a big problem – a website might want to know what pages users visit so it can tweak the user experience. What’s really pernicious are third-party cookies.

While third-party cookies also have legitimate uses, they’re often used by advertising networks to track you across multiple websites. Many websites – if not most websites – include third-party advertising or tracking scripts. If two different websites use the same advertising or tracking network, your browsing history across both sites could be tracked and linked.
Scripts from social networks can also function as tracking scripts. For example, if you’re signed into Facebook and you visit a website that contains a Facebook “Like” button, Facebook knows you visited that website. Facebook stores a cookie to save your login state, so the Like button (which is actually part of a script) knows who you are.

Super Cookies

You can clear your browser’s cookies — in fact, we’ve got a guide to clearing your browser’s cookies. However, clearing your cookies isn’t necessarily a solution – “super cookies” are increasingly common. One such super cookie is evercookie. Super cookie solutions like evercookie store cookie data in multiple places – for example, in Flash cookies, Silverlight storage, your browsing history, and HTML5 local storage. One particularly clever tracking method is assigning a unique color value to a few pixels every time a new user visits a website. The different colors are stored in each user’s browser cache and can be loaded back – the color value of the pixels is a unique identifier that identifies the user.
When a website notices that you’ve deleted part of the super cookie, the information is repopulated from the other location. For example, you might clear your browser cookies and not your Flash cookies, so the website will copy the value of the Flash cookie to your browser cookies. Super cookies are very resilient.

User Agent

Your browser also sends a user agent every time you connect to a website. This tells websites your browser and operating system, providing another piece of data that can be stored and used to target ads. For more information about user agents, check out our explanation of what a browser user agent is.

Browser Fingerprinting

Browsers are actually pretty unique. Websites can determine your operating system, browser version, installed plug-ins and their versions, your operating system’s screen resolution, your installed fonts, your time zone, and other information. If you’ve disabled cookies entirely, that’s another piece of data that makes your browser unique.
The Electronic Frontier Foundation’s Panopticlick website is an example of how this information can be used. Only one in 1.1 million people have the same browser configuration I do.

There are surely other ways that websites can track you. There’s big money in it, and people are brainstorming new ways to track every day – just see evercookie above for evidence of that.

Why Is Smartphone Battery Life So Bad?



Phones have improved dramatically in the last ten years. Modern smartphones seem like a technology from an alien civilization when placed next to the original cell phones. But battery life hasn’t improved. In fact, battery life feels like it’s getting worse.
Old dumb phones could run for a week or more on a charge, but modern smartphones often struggle to make it through an entire day. Battery technology doesn’t seem to be advancing fast enough. What gives?

Battery Technology Isn’t Improving Much

We’re all used to technology improving dramatically. Every year, CPUs, memory, displays and other components become better, faster, and cheaper to manufacture. They offer more computing power, capacity, and pixels for your money. Moore’s Law has held, and technology is improving exponentially. Smartphones today have faster CPUs, cheaper storage, more RAM, and higher-quality displays than ever. The difference between a smartphone today and one released a few years ago is huge.
However, battery technology just isn’t improving at the same pace. Battery technology isn’t completely stuck, and battery technology is definitely improving – but it’s improving by small amounts. We don’t see the exponential increase we see with other types of technology. While other parts of modern portable electronics have been improving quickly, batteries have been lagging behind. Other components are shrinking, but batteries still take up a large part of a phone’s internals.
Various people are working on new battery technologies, but it’s unclear when they’ll make it to the market. Even the most optimistic predictions leave us with only small improvements for the next few years.

Batteries Are Becoming Thinner and Smaller

Battery technology has been improving somewhat, and smartphone components are becoming more power efficient, requiring less electricity to produce the same amount of performance output. So why haven’t we seen noticeable improvements?
Modern smartphones are becoming thinner and lighter. Rather than capitalize on improvements by offering more battery life at the same form factor, smartphone manufacturers choose to make the batteries even thinner so they can shrink the size of their smartphones. The iPhone 5 is thinner and lighter than the iPhone 4S and advertises somewhat longer battery life, but the battery life could have improved more dramatically if Apple had chosen to keep the iPhone 5 the same thickness as the iPhone 4S. Like other smartphone manufacturers, Apple chose to offer a thinner, lighter phone. Larger batteries are also more expensive, so shrinking them helps keep costs down.
Extended batteries were once an option. However, as more and more phones ship without user-serviceable batteries, we no longer have the option to buy bigger batteries or carry a spare battery with most phones.
Not all phones have such tiny batteries. The Droid Razr MAXX line is loved for its long battery life, and iPhone fans craving longer battery life can buy battery packs like the popular Mophie Juice Pack. However, most phones are becoming thinner and thinner.

Push Notifications and Background Sync

A dumb phone did very little. It wasn’t constantly receiving notifications of new emails, social network updates, and other current information. It wasn’t checking your podcasts and downloading new episodes. It wasn’t checking for app updates, downloading new weather forecasts, automatically updating your location, or anything else like that.
Modern smartphones are basically just computers – in fact, they run the same software. Android uses Linux, iOS uses Darwin (Darwin powers OS X), and Windows Phone 8 uses the Windows NT kernel used by Windows on the desktop.
Your phone’s screen may be off, but the phone itself may be on and busy. We’ve explained how to identify and eliminate wakelocks on Android – wakelocks are the things that keep your phone awake when its screen is off. On Android, where apps have more freedom to misbehave thanks to a more flexible process model, bad apps could run in the background while your phone is off, consuming CPU resources.
Apple’s iOS restricts programs much more, but push notifications and syncing can still drain battery power.

Larger Screens, Faster CPUs, More Cores, and LTE Radios

Price per performance may be improving, but we’re shoving much more powerful hardware into our phones. Every year, displays get larger and higher-resolution, CPUs get faster and add cores (the Samsung Galaxy S 4 has an 8-core CPU), and LTE radios are added to more phones. While LTE allows for faster data transfers than previous generation 3G technology, LTE radios require more battery power.
There’s also more hardware in a modern smartphone than an old dumb phone. Aside from the cellular radio, there’s Wi-Fi, Bluetooth, GPS, and NFC. It may not be on all the time, but it drains your battery life when it is.


Battery technology hasn’t been improving at the exponential rate that other smartphone technologies have, so a smartphone with longer battery life requires trade-offs. You could have a smartphone with much longer battery life, but it would be heavier and thicker. You could squeeze even more battery life out of a smartphone by putting less-demanding hardware into the phone, but people want large, high-resolution displays and fast CPUs.

If One of My Passwords Is Compromised Are My Other Passwords Compromised Too?



If one of your passwords is compromised, does that automatically mean that your other passwords are also compromised? While there are quite a few variables at play, the question is an interesting look at what makes a password vulnerable and what you can do to protect yourself.
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader Michael McGowan is curious how far reaching the impact of a single password breach is; he writes:
Suppose a user uses a secure password at site A and a different but similar secure password at site B. Maybe something like mySecure12#PasswordA on site A and mySecure12#PasswordB on site B (feel free to use a different definition of “similarity” if it makes sense).
Suppose then that the password for site A is somehow compromised…maybe a malicious employee of site A or a security leak. Does this mean that site B’s password has effectively been compromised as well, or is there no such thing as “password similarity” in this context? Does it make any difference whether the compromise on site A was a plain-text leak or a hashed version?
Should Michael worry if his hypothetical situation comes to pass?

The Answer

SuperUser contributors helped clear up the issue for Michael. Superuser contributor Queso writes:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
Another Superuser contributor, Michael Trausch, explains how in most situations the hypothetical situation isn’t much cause for concern:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
If you’re concerned that your current password list isn’t diverse and random enough, we highly recommend checking out our comprehensive password security guide: How To Recover After Your Email Password Is Compromised. By reworking your password lists as if the mother of all passwords, your email password, has been compromised, it’s easy to quickly bring your password portfolio up to speed.
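A self-audit for the two points in the answer above, as an added example that is not from SuperUser or the original article: it checks whether a set of your own passwords is one shared base plus a site-specific part, and shows that digests of near-identical passwords share no visible similarity. The function names are illustrative, the inputs are the sample passwords quoted on this page, and unsalted SHA-256 stands in for whatever hash a site uses.

```python
import hashlib


def longest_common_substring(strings):
    """Longest substring present in every string (brute force; fine for passwords)."""
    shortest = min(strings, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in strings):
                return candidate
    return ""


def reuse_report(passwords_by_site, min_base=6):
    """Flag a password set that is one shared base plus a per-site part.

    min_base is an assumed threshold: shorter overlaps are treated as coincidence.
    """
    base = longest_common_substring(list(passwords_by_site.values()))
    if len(base) < min_base:
        return {"shared_base": None, "site_parts": {}}
    parts = {
        site: password.replace(base, "", 1)
        for site, password in passwords_by_site.items()
    }
    return {"shared_base": base, "site_parts": parts}


def digest_bit_difference(a, b):
    """Number of differing bits (out of 256) between the SHA-256 digests of a and b."""
    digest_a = hashlib.sha256(a.encode()).digest()
    digest_b = hashlib.sha256(b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(digest_a, digest_b))


# Constructed sample input: the example passwords quoted on this page.
SAMPLE = {
    "facebook": "facebook58htg%HF!c",
    "wellsfargo": "wellsfargo58htg%HF!c",
    "gmail": "gmail58htg%HF!c",
}

if __name__ == "__main__":
    # In plaintext the shared base and the per-site scheme are both visible.
    print(reuse_report(SAMPLE))
    # The digests of two passwords that differ in one character differ in
    # roughly half of their 256 bits, so the hashes alone reveal no similarity.
    print(digest_bit_difference("mySecure12#PasswordA", "mySecure12#PasswordB"))
```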

6 Ways Windows 8 Is More Secure Than Windows 7

Whatever you think of it, Windows 8 isn’t just a new interface slapped on top of Windows 7. Windows 8 has seen a lot of security improvements, including an integrated antivirus, an application reputation system, and protection from boot-time rootkits.
There are also quite a few low-level security improvements under the hood. Microsoft hasn’t spelled out all of them, but Windows 8 manages memory in a more secure way and includes features that make security vulnerabilities harder to exploit.

Integrated Antivirus

Windows 8 finally includes an integrated antivirus program. It’s named Windows Defender, but the interface will be immediately familiar to anyone that’s ever used Microsoft Security Essentials – this is Microsoft Security Essentials with a new name. You can easily install any other antivirus you prefer and Windows Defender will be automatically disabled if another antivirus is running, but the integrated antivirus is a capable product. Best of all, this ensures that all Windows users will finally have antivirus protection out-of-the-box.

Early Launch Anti-Malware

In Windows 8, antivirus products can start earlier in the boot-up process to scan the system’s drivers for malware. This helps protect against rootkits that start before the antivirus program and hide from it. Windows Defender starts earlier in the boot process out-of-the-box, and third-party antivirus vendors can also add the Early-Launch Anti-Malware (ELAM) feature to their products.

SmartScreen Filter

Previously used only in Internet Explorer, the SmartScreen filter is now implemented at the operating system-level. It will be used to scan EXE files you download from Internet Explorer, Mozilla Firefox, Google Chrome, and other programs. When you download and double-click an EXE file, Windows will scan the file and send its signature to Microsoft’s servers. If the application is known-good, such as the installer for iTunes, Photoshop, or another popular program, Windows will allow it to run. If it’s known-bad, perhaps if it contains malware, Windows will prevent it from running. If it’s new and Windows doesn’t know what it is, Windows will warn you and allow you to bypass the warning.
This feature should help prevent less-experienced users from downloading and running malicious programs from the Internet. Even new pieces of malware will be detected by the SmartScreen filter as an unknown new program that should be approached with caution. Read more about the new SmartScreen filter here.

Secure Boot

On new Windows 8 computers that use the UEFI firmware instead of the old-style BIOS, Secure Boot guarantees that only specially signed and approved software can run at boot. On current computers, malware could install a malicious boot loader that loads before the Windows boot loader, starting a boot-level rootkit (or “bootkit”) before Windows even launches. The rootkit could then hide itself from Windows and antivirus software, pulling the strings in the background.
On Intel x86 PCs, you’ll be able to add your own security keys to the UEFI firmware, so you could even have your system boot only secure Linux boot loaders that you’ve signed. Read more about Secure Boot here.

Memory Management Improvements

Microsoft has made a lot of under-the-hood improvements to the way Windows 8 manages memory. When a security hole is found, these improvements can make the security hole harder or even impossible to exploit. Some types of exploits that function on earlier versions of Windows wouldn’t function at all on Windows 8.
Microsoft hasn’t spelled out all of these improvements, but they have mentioned a few:
  • ASLR (Address Space Layout Randomization) has been extended to more parts of Windows, randomly moving data and code around in memory to make it harder to exploit.
  • Mitigations that were once applied to Windows applications are now also applied to the Windows kernel.
  • The Windows heap, where Windows applications receive their memory from, includes additional checks to defend against exploit techniques.
  • Internet Explorer 10 includes improvements that make 75% of the security vulnerabilities reported over the last two years more difficult to exploit.

New Apps Are Sandboxed

Apps for Windows 8’s new Modern interface (formerly known as Metro) are sandboxed and restricted in what they can do on your computer.
On the Windows desktop, applications had full access to your system. If you downloaded and ran a Windows game, it could install drivers on your system, read files from everywhere on your hard drive, and install malware on your computer. Even if programs run with limited credentials thanks to UAC, they typically install with Administrator privileges and can do anything they want during installation.
Windows 8 apps function more like web pages and mobile apps on other popular mobile platforms. When you install an app from the Windows Store, that app has limited access to your system. It can’t run in the background and monitor all your keystrokes, logging your credit card number and online banking passwords like applications on the traditional Windows desktop can. It doesn’t have access to every file on your system.
Apps for Windows 8’s new Modern interface are also only available through the Windows Store, which is more controversial. However, users can’t install malicious Modern apps from outside the store. They’d have to go through the Windows Store, where Microsoft has the ability to pull them if they’re discovered to be malicious.

How Attackers Actually “Hack Accounts” Online and How to Protect Yourself

People talk about their online accounts being “hacked,” but how exactly does this hacking happen? The reality is that accounts are hacked in fairly simple ways — attackers don’t use black magic.
Knowledge is power. Understanding how accounts are actually compromised can help you secure your accounts and prevent your passwords from being “hacked” in the first place.

Reusing Passwords, Especially Leaked Ones

Many people — maybe even most people — reuse passwords for different accounts. Some people may even use the same password for every account they use. This is extremely insecure. Many websites — even big, well-known ones like LinkedIn and eHarmony — have had their password databases leaked over the past few years. Databases of leaked passwords along with usernames and email addresses are readily accessible online. Attackers can try these email address, username, and password combinations on other websites and gain access to many accounts.
Reusing a password for your email account puts you even more at risk, as your email account could be used to reset all your other passwords if an attacker gained access to it.
However good you are at securing your passwords, you can’t control how well the services you use secure your passwords. If you reuse passwords and one company slips up, all your accounts will be at risk. You should use different passwords everywhere — a password manager can help with this.
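A check for the two risks described in this section, reuse and exposure in a leaked database, as an added example that is not from the original article. It groups a password list by password, compares SHA-1 digests against a leaked set, and ranks any finding that touches an email account highest, because that account can reset the others. The vault contents, the leaked set, the SHA-1 corpus format and the severity scale are assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Digest format assumed for the leaked corpus in this example."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def audit_vault(entries, leaked_sha1, email_sites):
    """entries: iterable of (site, password). Returns findings, worst first.

    Severity 3: a password guarding an email account is reused or leaked.
    Severity 2: the password appears in the leaked corpus.
    Severity 1: the password is shared by several sites.
    """
    sites_by_password = defaultdict(list)
    for site, password in entries:
        sites_by_password[password].append(site)

    findings = []
    for password, sites in sites_by_password.items():
        leaked = sha1_hex(password) in leaked_sha1
        reused = len(sites) > 1
        if not (leaked or reused):
            continue
        if any(site in email_sites for site in sites):
            severity = 3
        elif leaked:
            severity = 2
        else:
            severity = 1
        # Report the affected sites only; the password is never returned.
        findings.append({"severity": severity, "sites": sorted(sites),
                         "leaked": leaked, "reused": reused})
    return sorted(findings, key=lambda f: (-f["severity"], f["sites"]))


# Constructed sample data (not real accounts or real leaked passwords).
VAULT = [
    ("mail.example", "correct-horse-1"),
    ("forum.example", "correct-horse-1"),
    ("shop.example", "summer2013"),
    ("games.example", "hunter2"),
    ("news.example", "hunter2"),
    ("bank.example", "Vq8#unique-per-site"),
]
LEAKED_SHA1 = {sha1_hex("summer2013"), sha1_hex("123456")}
EMAIL_SITES = {"mail.example"}

if __name__ == "__main__":
    for finding in audit_vault(VAULT, LEAKED_SHA1, EMAIL_SITES):
        print(finding)
```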

Keyloggers

Keyloggers are malicious pieces of software that can run in the background, logging every keystroke you make. They’re often used to capture sensitive data like credit card numbers, online banking passwords, and other account credentials. They then send this data to an attacker over the Internet.
Such malware can arrive via exploits — for example, if you’re using an outdated version of Java, as most computers on the Internet are, you can be compromised through a Java applet on a web page. However, they can also arrive disguised in other software. For example, you may download a third-party tool for an online game. The tool may be malicious, capturing your game password and sending it to the attacker over the Internet.
Use a decent antivirus program, keep your software updated, and avoid downloading untrustworthy software.

Social Engineering

Attackers also commonly use social engineering tricks to access your accounts. Phishing is a commonly known form of social engineering — essentially, the attacker impersonates someone and asks for your password. Some users hand their passwords over readily. Here are some examples of social engineering:
  • You receive an email that claims to be from your bank, directing you to a fake bank website and asking you to fill in your password.
  • You receive a message on Facebook or any other social website from a user that claims to be an official Facebook account, asking you to send your password to authenticate yourself.
  • You visit a website that promises to give you something valuable, such as free games on Steam or free gold in World of Warcraft. To get this fake reward, the website requires your username and password for the service.
Be careful about who you give your password to — don’t click links in emails to reach your bank’s website, don’t give away your password to anyone who contacts you and requests it, and don’t give your account credentials to untrustworthy websites, especially ones that appear too good to be true.

Answering Security Questions

Passwords can often be reset by answering security questions. Security questions are generally incredibly weak — often things like “Where were you born?”, “What high school did you go to?”, and “What was your mother’s maiden name?”. It’s often very easy to find this information on publicly-accessible social networking sites, and most normal people would tell you what high school they went to if they were asked. With this easy-to-get information, attackers can often reset passwords and gain access to accounts.
Ideally, you should use security questions with answers that aren’t easily discovered or guessed. Websites should also prevent people from gaining access to an account just because they know the answers to a few security questions, and some do — but some still don’t.

Email Account and Password Resets

If an attacker uses any of the above methods to gain access to your email accounts, you’re in bigger trouble. Your email account generally functions as your main account online. All other accounts you use are linked to it, and anyone with access to the email account could use it to reset your passwords on any number of sites you registered at with the email address.
For this reason, you should secure your email account as much as possible. It’s especially important to use a unique password for it and guard it carefully.

What Password “Hacking” Isn’t

Most people likely imagine attackers trying every single possible password to log into their online account. This isn’t happening. If you tried to log into someone’s online account and continued guessing passwords, you would be slowed down and prevented from trying more than a handful of passwords.
If an attacker was capable of getting into an online account just by guessing passwords, it’s likely that the password was something obvious that could be guessed on the first few tries, such as “password” or the name of the person’s pet.
Attackers could only use such brute-force methods if they had local access to your data — for example, let’s say you were storing an encrypted file in your Dropbox account and attackers gained access to it and downloaded the encrypted file. They could then try to brute-force the encryption, essentially trying every single password combination until one works.
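The difference between online guessing and offline brute force described above, as an added example that is not from the original article: a login throttle with exponential backoff, and a count of how many guesses get evaluated in one day with and without it. The policy values, the 0.1-second round trip and the offline guess rate are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account exponential backoff after repeated failed logins."""
    free_attempts: int = 5        # assumed policy: failures before delays begin
    base_delay: float = 30.0      # seconds; doubles with every further failure
    max_delay: float = 3600.0     # cap on a single lockout
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'throttled' for a login at time `now` (seconds)."""
        if now < self.locked_until.get(account, 0.0):
            return "throttled"    # the password is not even checked
        if password_ok:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.free_attempts:
            doublings = min(count - self.free_attempts, 20)  # keep the power small
            delay = min(self.base_delay * 2 ** doublings, self.max_delay)
            self.locked_until[account] = now + delay
        return "denied"


def online_guesses(throttle, account, window_seconds, round_trip=0.1):
    """Count wrong guesses the service actually evaluates within the window."""
    now, checked = 0.0, 0
    while now < window_seconds:
        if throttle.attempt(account, False, now) == "throttled":
            now = throttle.locked_until[account]  # the client waits out the lock
            continue
        checked += 1
        now += round_trip
    return checked


def offline_guesses(rate_per_second, window_seconds):
    """Guesses possible against a downloaded encrypted file: nothing slows them."""
    return int(rate_per_second * window_seconds)


if __name__ == "__main__":
    day = 24 * 3600
    print("online, throttled:", online_guesses(LoginThrottle(), "alice", day))
    # 1,000,000 guesses per second is an assumed figure for illustration only.
    print("offline, unthrottled:", offline_guesses(1_000_000, day))
```

A lockout that also rejects the correct password lets anyone lock the real owner out, which is why services often pair throttling with a second factor or a CAPTCHA instead of a hard lock.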

People who say their accounts have been “hacked” are likely guilty of re-using passwords, installing a key logger, or giving their credentials to an attacker after social engineering tricks. They may also have been compromised as a result of easily guessed security questions.
If you take proper security precautions, it won’t be easy to “hack” your accounts. Using two-factor authentication can help, too — an attacker will need more than just your password to get in.

Monday 12 August 2013

Find, Track and Protect your Lost Android Device with Droid Finder


With technology getting better and better these days, Android devices are also getting more expensive and more useful. This has given rise to an increase in phone thefts. Nobody wishes to lose their phone, and with everyone keeping personal information, contacts, messages, important documents, and secret information on it, I am sure nobody would like to lose it. Hence you should make sure you have something on your phone that can protect it from theft, help recover it if lost, and wipe your data.
Here is a very useful application for your Android devices called Droid Finder. It helps secure your phone against theft, helps you find a misplaced device, and much more. Droid Finder is the best tool to protect your devices from intruders or theft, or to find your phone when you have misplaced it.
As you can see from the main GUI, it can tell you whether your phone is fully protected or not. You can also make use of the Anti-Theft and Find my Droid features available on the homepage. The features of both options are listed below.
Anti-Theft:
• Prevents unauthorized access to your devices
• Records any attempt to bypass the device lock and notifies the owner by SMS or email with the intruder’s face captured by the front camera
• Re-locks the device with a random code
• Tracks connected WiFi hotspots and other valuable information
• Detects and notifies you when the SIM card is changed
• 4 preset modes to alert you when a thief or intruder tries to access your device: silent, medium, aggressive, and custom
Find my Droid:
• Locate device on Google Maps
• Smart activity recognition: device is in a vehicle, on a bicycle, on foot or standing still
• Display messages on locked screen
• Lock device with new passcode
• Take and view photo
• Remote wipe SD Card, app data or device (factory reset).
Lost Mode:
Lost Mode makes it even easier to find and protect a missing Android device. Droid Finder immediately:
• Takes a photo with the front camera
• Locks the device with a random passcode
• Sends a message with a contact number to call back
• Tracks device locations and connected WiFi

So in short, if someone is trying to fiddle with your Android device, they will be instantly captured by your device’s front camera. If you are trying to find your device, you can use the web dashboard to find its location on Google Maps (this requires your device to have a data connection, either GSM or WiFi). Or if someone tries to change the SIM card, it will text you the call-back number. Interesting, isn’t it?
To use the app you need to install it first and then sign in using your Google+ profile. You can then configure the app to your liking; it has lots of options, some of which are shown in the screenshot here. You will also need to visit the web dashboard and log in with the same Google+ profile so that you can control your device remotely.
Visit the link below to download the app and also to know more on how to use the app.

Wednesday 7 August 2013

Remotely Access and Control another Computer with Chrome Remote Desktop


Nobody can travel with their personal computer all the time, and if it is a desktop you can’t even imagine doing so. For one reason or another it sometimes becomes necessary to log back into our own system, and if you can’t be present at it, remote sharing comes in handy.
There are lots of methods to remotely access and control a computer; most require installing some software on both systems. I came across this handy Chrome extension called Chrome Remote Desktop that can help you do the same thing easily, without installing any other special remote sharing software.
All you need to do is install this extension on your own computer as well as on the computer to be accessed (you might need the assistance of someone at the other end). When you are done, you just need to log in to Chrome with your Google address.
Now you are all set for remote sharing and control of the remote computer. Start the app, which will provide you with an Access Code. Give this code to the person assisting you at the other end; entering it into the same app there will connect you remotely to the other computer. You now have two options, shown in the app itself: share your computer or remotely control the other computer.
That is all; you are now connected! You can remotely control the other system, view files, run apps or just let your system be controlled. The advantage of using this extension is that it is very easy to operate and doesn’t require any third-party software (since most users use Chrome on their machines today).

Reveal Password behind Asterisk in Firefox


It is very important to hide passwords behind asterisks to prevent unauthorized people from viewing them, as this adds a level of security to our logins. Had passwords not been hidden, we could not log in to many websites in front of our friends or other people. While it is very important to hide passwords, it sometimes becomes a problem when we forget them.
There are occasions when you accidentally press two keys while typing a password and have to go back and start all over again. Or you might be typing with Caps Lock on or Num Lock off. Yes, these are very irritating things and can happen to anyone. Hence it is sometimes important to see what we are typing rather than erase everything and start typing again. If you are using Chrome, this is possible with the extension we have already written about here.
But if you are using Firefox, there is an add-on available for the same purpose. The add-on is called Show My Password and, as the name suggests, it allows you to see the passwords you are typing that are hidden behind asterisks (or dots). All you need to do is install this add-on and hover your mouse over the password field for about 2 seconds (the default, which can be changed) to see the password.
The duration is set to 2 seconds by default so that you don’t make the password visible by mistake. You can also configure the plugin to show the password when you right-click the password field. This can be very useful if you have saved passwords that you have forgotten, but if yours is a shared system, be sure not to save any passwords, or anyone else might be able to see them too.

Find all the Expired and to be Deleted Domain Names


Website addresses, also known as domain names, are usually registered by their owners for a period ranging from 1 year to several years. A name may be liked by many people, but since names have to be unique and only one person can register each one, the first to book it gets to own it. We don’t know how long that person wishes to keep it, and since there is always the option of placing a back order so that we get to own it if it becomes free, we should know when our favorite domain names are being deleted.
There are lots of domains on the World Wide Web and thousands of them are deleted every day. You probably know that when a domain is deleted it becomes eligible to be registered again; what if there is one you wish to register that is going to be deleted soon? If you are a blogger, you would like to keep an eye on which domains are being deleted every day and which are available for registration.
Here is a small, free app called findExpires that serves this purpose. findExpires is a small .NET app that downloads a list of domain names that have expired and are scheduled to be deleted soon, so that you have no trouble looking for expired and to-be-deleted domains.
findExpires produces an Excel list of the domains separated by TLD, deletion date and character count, so that it is easier to apply a filter and look for any domain that suits you. Domains with names of fewer than 5 characters are not listed in the sheet but are generated separately in different sheets.
The app is very easy to operate: just double-click the app, provide a save location and click the Start button to let it search for all the expired and to-be-deleted domain names. If you like the app, get it free from the location below.

Now Download Wikipedia E-Book as PDF or EPUB

Wikipedia is one of the most viewed websites for gathering information and learning about almost anything. Until now, anyone who wanted to view pages on Wikipedia had to visit them online, either through the website or on a mobile device, but recently Wikipedia incorporated a new feature into its pages that lets users download content they like as a book and read it anywhere, including on supported mobile devices.
The reason I like this feature so much is that we can not only download an e-book but also create one of our own choosing. If you like any article on Wikipedia, you can add it to the e-book, and when you feel it has gathered enough information, you can download this custom e-book in either PDF or EPUB format for free. It can be read on almost any electronic device you have, whether a computer, a cellphone or a tablet.

This feature will come in handy when you are somewhere (or travelling) without an internet connection but would still like to read something. Creating an e-book on Wikipedia is very simple too: activate the ‘Create a book’ link located in the ‘print/export’ section of Wikipedia’s left sidebar. You can then compile your personal collection of articles to add to the e-book.

Now you can download the book as a PDF or EPUB, or simply order a printed book via PediaPress, which is the official print-on-demand partner of Wikipedia. This was announced by Wikipedia officially and you can read more about it here.
Let us know if this feature impressed you.

Flickr now Offers 1TB Free Memory Space for your Personal Photo


This will interest all the photo enthusiasts out there, as well as others who are looking for online space to save their photos and display their work to the world. Flickr has been one of the best-known online services for storing and displaying photos, but recently users had started running into the limited storage space provided.
A day ago, it came as good news to everyone when Flickr announced that it is now offering 1 terabyte of free storage space to all users, which means they now have lots and lots of space to store their photos and videos online in their Flickr account. Let’s see what Flickr has to say:
“At Flickr, we believe you should share all your images in full resolution, so life’s moments can be relived in their original quality. No limited pixels, no cramped formats, no memories that fall flat. We’re giving your photos room to breathe, and you the space to upload a dizzying number of photos and videos, for free. Just how big is a terabyte? Well, you could take a photo every hour for forty years without filling one.
And yep, you heard us. It’s free.”
Moreover, along with the increase in storage space, Flickr has completely updated the look and feel of the website too. According to Flickr, this beautiful new design will enhance the beauty of your photos by placing them where they should be. The new design will also display images in as many pixels as possible. It also allows you to set a profile picture of yourself.
In case you are not limited to photos and like uploading videos too, Flickr will help there as well. You can now upload videos of up to 3 minutes each in 1080p HD quality. You can upload as many videos as you want, provided you stay within your storage limit.
You can also enjoy Flickr on your mobile phone with the official Flickr apps for both iPhone and Android phones. While the app already existed for iOS, it has now been released for Android.

Reopen Recently Closed Folders and Applications with UndoClose


What I like most about today’s web browsers, Chrome and Firefox, is their ability to reopen recently closed tabs instantly. Sometimes we accidentally close a window or tab, or wish to open one again to complete our work; instead of loading the page again, we can easily reopen the last closed tabs (in order of closure) in these browsers.
Similarly, wouldn’t it be great if there were an application that could reopen recently closed folders and applications instantly, without the need to go back and double-click to open them manually? I am sure it has happened to you at some time or other that you wished to reopen the application or folder you were last working on.

If this is the case with you, you can save effort and time by using a tool called UndoClose. As the name suggests, this tool can reopen the last closed folder or application instantly. For example, if you have closed a folder named ABC, Windows Media Player and Firefox (in that order), then when you run this tool, it will open Firefox, WMP and ABC for you (last closed first).
UndoClose does not require any installation; you just have to double-click it to run it. It will sit in your system tray and start monitoring apps and folders. To reopen folders and apps you don’t have to run it again and again; just use the shortcuts Ctrl + Shift + F (for folders) and Ctrl + Shift + A (for applications) and it will open them automatically. These shortcuts can also be changed.
The tool is light and very easy to use. Currently you can use it only on Windows 7, on both 32-bit and 64-bit versions.

Tuesday 6 August 2013

Solution to Pen Drive Showing Less Space than Actual


Several readers of our blog TS sent me this problem: their pen drive shows less space than its actual capacity. One of our readers faced it recently, so I decided to write up a solution.
The problem was that despite being a 4GB drive, it showed only 900 MB of free space and would not store more data than that. Even after formatting, the drive could store only 900 MB of data. If you are facing a similar issue, here are two solutions you should try to make your drive work properly again.
Note: Data in the drive will be lost.
First Solution:
1.    Plug in your pen drive.
2.    Type diskmgmt.msc in the Run box to open Disk Management.
3.    Select your drive’s partition.
4.    Right-click it and select the “Delete Volume” option.

5.    This will delete the allocated space and free up the total space.
6.    Now right-click in the empty space created and select “Create Volume” to create the space again.
7.    Select the file system and format the partition to be able to use it again.
Second Solution:
If you are unsure about the first solution or if it doesn’t work for you, try the format utility called HP Format Disk Utility, which is actually a low-level format utility.
Use this utility to format the drive and it should work normally again.

Steps to Disable VLC Building Font Cache Problem


One of our regular readers was irritated by the VLC “Building font cache” problem. Because of this problem, VLC starts rebuilding the font file in order to show the subtitles in the video, which is very irritating. If you are facing the same issue, the following solution should help.

Steps to solve the problem:
1.    Run the VLC player
2.    Press Ctrl + P, to open the Preferences dialog box.
3.    Now as depicted in the image, select the option of “All” under Show Settings.
4.    Expand the Videos option in the left bar, and click on the Subtitles/OSD option.
5.    Now on the right side, set the “Text rendering module” dropdown to “Dummy font rendering functions”.
6.    Click Save to save the settings.
7.    Close the player and run it again.
Now when you play a movie with subtitles, the building font cache problem should be gone.

How to Kill a Process when Task Manager is unable to Terminate


If you have been using a Windows system, you must have come across this situation at some time or other: a non-responsive process that needs to be terminated. Recently I had a program that wasn’t responding, so I needed to terminate its process.
To terminate the process I opened Task Manager, but to my surprise Windows Task Manager was unable to terminate it and showed this error message: “Unable to terminate Process: the operation could not be completed”

I have always used Task Manager to kill processes, so why did this happen today and what should I do to kill the process now? Well, this can happen because a process can have a higher priority and override Task Manager, but if you need to terminate a process without Task Manager you can use Task Manager alternatives, also known as Task Manager replacement tools.
So you can use a tool like Process Explorer to kill the process when Task Manager is not working. If Process Explorer is also unable to terminate it, restart Process Explorer by right-clicking it and selecting “Run as Admin”, as admin rights are sometimes required to terminate a process.
There are many more tools that can help here. By the way, what’s your approach when you are unable to terminate a process?

Fix Windows is Not Genuine Message in Windows

We know how it feels when you are prompted by this “Windows is not Genuine” message every time you boot up your system. Though Windows is easily available today, not everyone wishes to pay for it, and so some use a pirated copy of the Windows OS.
Note: We do not encourage piracy and advise our viewers to use genuine software only.
Earlier we also wrote about the “Windows Software Counterfeiting” problem and posted a solution using the RemoveWGA tool, which you can read here. “Windows is not genuine” is a different problem, so here is the solution below.

Steps:
1. Solving this problem is very easy and can be done using a simple tool called RemoveWAT.
2. All you have to do is download this tool from the link below (in case this link is not working you can search the net for this tool with the same name).
3. Extract the archive and double-click the tool to run it.

4. You will see a couple of options listed; just click the “Remove WAT” button and it will start working on the problem automatically.
When the problem has been fixed, your system will need to reboot. After the reboot you will see that your problem has been fixed and you will no longer see the “Windows is not genuine” watermark at the bottom right of your screen.
Now you can use the system as original and also set the wallpaper and themes, which you were not able to do earlier.

Steps to Remove Trojan.Agent Virus

Recently I was asked for help by one of our readers whose computer was infected by a virus called Trojan.Agent. This is a virus type that belongs to the Trojan virus family. The virus is mostly found in the svchost.exe file of the computer. It is a very potent virus and should be removed as soon as you detect it.

How to detect if your system has Trojan.Agent Virus?
• The weirdest thing you will notice is that your antivirus stops functioning. This virus has the ability to stop the AV from functioning properly.
• Your system will be severely affected and become extremely slow for no apparent reason.
• You might see unexpected computer shutdowns or restarts.
• If you scan your system with Mbam (a highly advisable tool to have on the system), it will detect the virus and might delete it. But note that the Trojan.Agent virus might return after the computer has been restarted.
• The virus can act as a backdoor for hackers, providing them with confidential information.
How to remove Trojan.Agent Virus from the computer?
Removing the Trojan.Agent virus from the system is not that difficult and requires much the same steps we usually perform to remove malware.
1. First of all, reboot the system into Safe Mode.
2. When in Safe Mode, run Task Manager and terminate the process named random.exe. This process is related to the Trojan.Agent virus, and terminating it is important as this ensures that it is not running in the background.
3. Now we need to remove the virus from the system. This can be done manually and using a scanner. I would prefer both (please note that if you are unsure of the manual process, do not proceed further, as it might affect the system adversely).
4. So scan the system with Malwarebytes Anti-Malware (Mbam). If it finds the virus, quarantine it.
5. You also need to delete the following files (whichever you can find):
C:\windows\system32\Svchost.exe
C:\Windows\winsxs\amd64_microsoft-windows-s..s-service\controller_31bf3892wo9a07b1\services.exe
C:\Windows\Installer\{bbee3ba2-89af-930c-bb78-1fb4e17db3cc}
6. Now we need to delete the following registry keys too (again, whichever you can find):
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer “EnableShellExecuteHooks”= 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Random.exe
A system restart might now solve the problem for you, and the Trojan.Agent virus should no longer be there.
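A read-only triage of the autostart (Run) keys named in step 6, as an added example that is not part of the original post. It parses the text of a `reg export` file and reports entries that launch from user-writable folders or that reuse the names svchost.exe or services.exe outside C:\Windows\System32, where the genuine Windows copies of those files live. The sample export, the folder hints and the function names are constructed for this example.

```python
import ntpath
import re

# Autostart locations from step 6, matched case-insensitively as key suffixes.
RUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
# Assumed heuristics for this example, not a complete detection rule set.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "services.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg text format (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\ExampleVendor\\tray.exe\""
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\qzkv\\svchost.exe\" /background"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sync"="C:\\Program Files\\ExampleSync\\sync.exe -quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Loader"="C:\\Windows\\Temp\\x91.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Not an autostart entry"
'''


def unescape(text):
    # .reg files escape backslashes and double quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(export_text):
    """Yield (key, value_name, command) for string values under Run keys."""
    key = None
    for raw in export_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group("key")
            continue
        if key is None or not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        value = VALUE_RE.match(line)
        if value:
            yield key, unescape(value.group("name")), unescape(value.group("data"))


def executable_of(command):
    """Return the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = re.match(r"(?i)(.+?\.exe)\b", command)
    if match:
        return match.group(1)
    return (command.split() or [""])[0]


def audit(export_text):
    """Return findings; each one lists why the entry deserves a closer look."""
    findings = []
    for key, name, command in parse_run_entries(export_text):
        path = executable_of(command)
        lowered = path.lower()
        reasons = []
        if any(hint in lowered for hint in USER_WRITABLE_HINTS):
            reasons.append("runs from a user-writable folder")
        if (ntpath.basename(lowered) in SYSTEM_BINARY_NAMES
                and ntpath.dirname(lowered) not in SYSTEM_DIRS):
            reasons.append("system binary name outside System32")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['name']}: {f['path']} -> {', '.join(f['reasons'])}")
```

The script changes nothing on disk or in the registry; it only lists entries to examine before anything is deleted.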