That's an utter load of crap.
Few days ago I started seeing ads on ebay. Weird.. confused I blocked the ad manually and forgot about it. The next time I visited ebay, the ad was showing again. I blocked it again. Third time.. Yes, you guessed right, the ad was back. So, I started to investigate why my filter rule was not working.
Why the fuck I have "Acceptable Ads" list enabled?
I've complained about Chrome automatic updates before. I actually stayed on outdated Chrome 45 for a long time because I really needed NPAPI support to perform certain tasks.
But few months ago I decided to bite the bullet and "live a normal life". So, I enabled Google Chrome updates and crossed my fingers. It worked for some time. I got the awful "modern UI" and managed to turn it off. I got the automatic Chrome sign-in that nobody actually wants and Google retracted later. And I was able to turn it off too.
But now Chrome cannot open my Gmail account. WTF?
Can't sync to account.
When logging into Gmail it just pops up this message "Can't sync to account. Request cancelled."
Yesterday I read an article on ZDNet called "Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months" and it made my laugh hysterically.
Why? Because it's a bloody nonsense from start to end.
Let's just look at the main claim in the article.
... in cases where a hacker has a foothold on a system --via either malware or by brute-forcing an account with a weak password-- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.
What. The. Fuck.
I just read the article on ZDNet: "Atlanta projected to spend at least $2.6 million on ransomware recovery". Yes, you read it right - $2'600'000 to clean up the Atlanta city network from ransomware. And, of course, taxpayers will pay the bill. smile
Dear City of Atlanta, this situation will not magically resolve itself. Your IT guys must take the responsibility for this failure. Fire your CIO. Fire your entire IT staff. Sue them all for the damages. And let them rot in prison for a few years for gross negligence.
You hold an architect accountable for making your house blueprints right. You hold the builders accountable for building your house right and your doctor for taking a proper care of you.
IT guys are not special snowflakes, they don't do magic, and they must be held accountable for their (in-)actions just like everyone else. Only then we'll see some improvements in security.
But I'm sure City of Atlanta knows better. After all, they decided $600'000 on advisory services from Ernst & Young on how to handle security incidents. That's a money well spent! </irony>
Every once in a while, I read an article about security which is so incredibly bad that I just have to comment on it.
This time, it's an article from iTWire called "When F00F bug hit 20 years ago, Intel reacted the same way". It's written by Sam Varghese who claims to have decades of experience in the field. Let's see..
Make Intel CPU to hang remotely and anonymously?
Let me write that down!
Any Intel Pentium/Pentium MMX could be remotely and anonymously caused to hang, merely by sending it the byte sequence "F0 0F C7 C8".
This statement is incorrect in so many ways!
Yes, there was a bug in Pentium CPUs. CPU would freeze when executing instruction lock cmpxchg8b eax which has the opcode "F0 0F C7 C8". Can you see the difference?
- CPU doesn't hang on merely seeing the data sequence "F0 0F C7 C8". It hangs when trying to execute these bytes. Big difference! And if someone is able to run arbitrary instructions on your CPU, you have much bigger problems than just a simple hang.
- There is no f*ing way to run any code on any CPU remotely and anonymously. You can remotely exploit a bug in firmware/OS/software to execute some code - that's called remote code execution. But that is not specific to Intel CPUs and have nothing to do with the F00F bug in particular.
Dear Sam Varghese, please stop writing about security. Open a hotdog stand or do anything else that doesn't involve computers. You just don't get them.
Main reason for writing this blog-post is the extremely crappy article by Vallejo named "Installation and First Contact With the New WinDbg". I read it, cried for a few minutes and decided to fix it.
Mandatory XKCD reference:
Having said that, let's go through some of the most "brilliant" Vallejo's statements!
We execute WinDbg from installation shortcut and we search the main process.
Dude, when your article is called "Installation and first steps..." shouldn't you start at the beginning and tell us where to get this app and how to install it?
You need to get the app from the Windows Store: https://www.microsoft.com/store/apps/9pgjgd53tn86.
No, there is no real technical reason for that, just another attempt of Microsoft to convert you to Windows 10 and make you use their Windows Store.
After you've jumped through all those hoops, you get this nice and shiny Windows Store app. Windows Store apps get installed under "C:\Program Files\WindowsApps\" and this one is no different. At the moment of writing the application version was 1.0.16, so it got installed into "C:\Program Files\WindowsApps\Microsoft.WinDbg_22.214.171.124_x86__8wekyb3d8bbwe".
The installation creates another exe here: C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\WinDbgX.exe. It is zero bytes, and if you try, for example, to copy it, you can’t.
Because it's a reparse point, not an EXE file.
Windows 10 processes bundled Windows Store application's AppxManifest.xml and creates appropriate appExecutionAlias'es:
<Application Id="Microsoft.WinDbg" Executable="DbgX.Shell.exe" EntryPoint="Windows.FullTrustApplication">
<uap:VisualElements DisplayName="WinDbg Preview" Description="WinDbg Preview" BackgroundColor="#777777" Square150x150Logo="Resources\WinDbg_150.png" Square44x44Logo="Resources\WinDbg_44.png" />
<uap3:FileTypeAssociation Name="newtypes" Parameters="-z "%1"" desktop2:UseUrl="true">
<uap3:Extension Category="windows.appExecutionAlias" Executable="DbgX.Shell.exe" EntryPoint="Windows.FullTrustApplication">
<desktop:ExecutionAlias Alias="WinDbgX.exe" />
Same thing goes for all other applications Vallejo "found" under C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\, like dbgsrv64.exe:
<Application Id="Microsoft.WinDbg.DbgSrv64" Executable="amd64\dbgsrv.exe" EntryPoint="Windows.FullTrustApplication">
<uap:VisualElements AppListEntry="none" DisplayName="WinDbg Preview DbgSrv 64-bit" Description="WinDbg Preview DbgSrv 64-bit" BackgroundColor="#777777" Square150x150Logo="Resources\WinDbg_150.png" Square44x44Logo="Resources\WinDbg_44.png" />
<uap3:Extension Category="windows.appExecutionAlias" Executable="amd64\dbgsrv.exe" EntryPoint="Windows.FullTrustApplication">
<desktop:ExecutionAlias Alias="dbgsrv64.exe" />
You can read more about aliases on MSDN: Start your app by using an alias.
I have not found a tool or way to manage or get information about these files.
Ever tried fsutil? It's been part of Windows since Windows7.. bigsmile
Sure, you can Google for that - but it won't tell you much, except that it's not really documented and should be left alone.
Old windbg.exe accepted parameters with “-“, for example -k. New Windbg needs /k parameter to pass the connection configuration
Ok, that was enough criticism for one day. Let's do something more constructive!
Running WinDbgX on Windows 7
Remember how I said that there is no technical reason why WinDbgX should be available only on Windows 10 and only as a store app? There really isn't. smile
- You need to copy all the files from your Windows 10 machine to your other machine (Windows 7 in my case). It's as simple as selecting all files in "C:\Program Files\WindowsApps\Microsoft.WinDbg_126.96.36.199_x86__8wekyb3d8bbwe" and copy-pasting them. Don't worry about the reparse points in C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\, we'll fix that later.
- If you try to run DbgX.Shell.exe on Windows 7, it will fail with Exception:
1234567891011***FATAL ERROR ENCOUNTERED***2017-11-21:20:01:12:504 : Error : DbgX.dll : (E) System.TypeLoadException: Could not find Windows Runtime type 'Windows.ApplicationModel.Package'. ---> System.PlatformNotSupportedException: Operation is not supported on this platform.--- End of inner exception stack trace ---at DbgX.DbgEngModule.SetDbgSrvOverridePathIfNeeded(Boolean use64Bit)at DbgX.DbgEngModule.DebugCreateOutOfProc(Boolean use64BitDebugger, Boolean shouldElevate)at DbgX.EngineThread.ThreadProc()System.TypeLoadException: Could not find Windows Runtime type 'Windows.ApplicationModel.Package'. ---> System.PlatformNotSupportedException: Operation is not supported on this platform.--- End of inner exception stack trace ---at DbgX.DbgEngModule.SetDbgSrvOverridePathIfNeeded(Boolean use64Bit)at DbgX.DbgEngModule.DebugCreateOutOfProc(Boolean use64BitDebugger, Boolean shouldElevate)at DbgX.EngineThread.ThreadProc()
- Let's look at that code in DbgX.dll using dnSpy:
It's crashing on the Package.Current.Id.FamilyName, as this function is available only for Windows Store apps.
As a simple hack, we can replace this call with an empty string. Better hack would be to use the proper folder based on the actual WinDbgX path. But the simple way will do for our demo..
- Using "Edit IL instructions" function in dnSpy, replace first 4 instructions with ldstr and nops:
- Save the module. If saving fails, remove read-only attribute from DbgX.dll and try again.
- Since we chose a simple hack, create folder C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\
- Depending on your OS (32- or 64-bit), copy files from WinDbgX\X86 or WinDbgX\amd64 folder to C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\. Rename dbgsrv.exe to dbgsrv32.exe or dbgsrv64.exe accordingly.
- Run the DbgX.Shell.exe shell now. It will work just fine!
There are 3 more places in DbgXUI.dll, DbgX.Util.dll and Extensions\DbgX.External.dll that might need similar fixes. But that's behind the scope of this article.
It is true that classic WinDbg looks really dated. So, I can totally understand why Microsoft would want to create a replacement with a better UI. However, WinDbgX falls short on everything - its installation via Windows Store is brain-dead stupid, its user interface is confusing (who would look at Model->Change Query to change debugger settings?!) and severely limited (no multiple Memory windows, seriously?). If it was a school project, it wouldn't get even a B-. But for some reason, Microsoft insists that this is the only way forward. Oh, well.. sad
At least, the DLLs are not obfuscated, so someone can take them and make a much better UI.. wink
2 days ago everybody started talking about DoubleAgent attack that Cybellum supposedly invented and how every Windows OS since Windows XP is screwed. As soon as I read about it, I said "hmmm, where have I seen it before?".
While the rest of the world went on writing sensational news articles, Alex Ionescu summed up it all up in one nice tweet:
Shocking news. Another "next gen" cyber company takes my research (Recon 2015: Hooking Nirvana) and creates FUD https://t.co/88eVz9vzE5
— Alex Ionescu (@aionescu) March 22, 2017
Have fun and don't believe in everything you read - too many morons are writing about security these days..
I read Kotaku's article called "FBI Says Alleged Hackers Used FIFA To Steal Millions From EA" this morning. And it reminded me of the crap articles Catalin Cimpanu writes at Softpedia.
What's wrong with Kotaku's article?
Well, pretty much everything.
First, this group did not steal from Electronic Arts. If fact, not a single penny of real currency was taken from EA.
According to an unsealed FBI indictment, Clark and his co-defendants allegedly built a tool that would send false signals to EA’s servers to spoof matches, generating these FIFA coins at a rapid rate. The FBI alleges that Clark and crew then sold the coins to third-party sellers, earning millions.
Exactly! Guys received FIFA coins from EA (it's an in-game currency) which they later sold on underground sites. Money came from persons entirely unrelated to Electronic Arts and it was given voluntarily. And that, by definition, is not a theft.
The article continues with a plenty of other funny statements like
.. worked with the defendants to get Xbox development kits and reverse-engineer a pirated copy of FIFA 14 using a program called Interactive Disassembler. This process took several months, Alcala said, but it allowed them to create a tool for mining FIFA coins.
I just love the IDA reference in here. bigsmile These guys used disassembler, they must be real evil hackers! All in all, this article is a fun read but it got all the basic facts wrong.
Mr. Jason Schreier, please stop writing about things you have no clue about. Stick to your video game reviews or something.
What is really happening?
Thankfully, UK journalists have much better idea of what's happening in US courts, and they wrote a much better article. According to the indictment, the charges are "conspiracy to commit wire fraud", a stupid catch-all term used in US courts for pretty much everything done over the Internet.
That document is equally funny read and shows how desperate the prosecutors must be to make any charges stick. Let's see:
- the defendant assisted in creating a program (...) which sent electronic messages to EA's servers fraudulently representing that thousands of FUT matches had been completed in the EA's FIFA video game. EA's servers materially relied on the completed match messages and credited various accounts maintained by the defendant and his co-conspirators with FIFA coins. - this is the only part of the indictment that actually makes sense. Kinda. There's one teeny tiny detail - RANE Developments got virtual goods from EA. And the legal status of virtual goods is very unclear in the United States. If virtual goods are not "money or property" in the eyes of law, then there was no fraud.
- the defendant and co-conspirators continued to create and execute new methods to circumvent the security measures by EA in EA's effort to prevent fraudulent activity associated with the company's FIFA video game. - that might be a breach of EULA but not a crime;
- executed their "application" through a video game console, which they modified to circumvent security and copyright protections, and on game development kits, which they obtained from unlicensed sources. - we're getting desperate, let's charge them with modding their consoles!
- executed their "application" through cloud computer servers, which allowed them to run more copies of the software and obtain significantly more FIFA coins. - if nothing else helps, let's charge them with renting cloud computer servers! Oh, wait, what? smile
Naturally, the defendant has pled not guilty to the charge. And if his lawyer is any good, I'm guessing he'll walk out of the court as a free man.
Today I read an article in The Register called Tor torpedoed! Tesco Bank app won't run with privacy tool installed.
It's a fun read about Tesco's Android banking app and how it refuses to run when Tor application is installed on your mobile. But what really caught my attention, is this comment to the article:
I did a count of my account with a certain bank and when I use a PC which does not store their funky cookies, I get 6 (yes really, 6) steps for authentication.
- Initial Customer code
- Security password as there is no cookie so PC is not recognised
- pre-agreed image
- pre-agreed phrase
- Customer Number
- Security code
and if I use a Windows PC it whinges that I don't have cRapport which would 'improve my security'
So 6-Factor security isn't good enough and you want an extra package to help???????
Sir, if you ever read what a multi-factor authentication is, you wouldn't be stating such nonsense. All six of the steps you mentioned are of the same factor - "something you know". As such, they provide no additional security, as one keylogger/screengrabber will capture them all.
Why your bank insists on you jumping over so many redundant hoops, remains a mystery..