Thursday, April 25, 2013

What is a “Zero-Day” Exploit? (And How to Protect Yourself)

The tech press is constantly writing about new and dangerous “zero-day” exploits. But what exactly is a zero-day exploit, what makes it so dangerous, and – most importantly – how can you protect yourself?
Zero-day attacks happen when the bad guys get ahead of the good guys, attacking us with vulnerabilities we never even knew existed. They’re what happens when we haven’t had time to prepare our defenses.

Software is Vulnerable

Software isn’t perfect. The browser you’re reading this in – whether it’s Chrome, Firefox, Internet Explorer, or anything else – is guaranteed to have bugs in it. Such a complex piece of software is written by human beings and has problems we just don’t know about yet. Many of these bugs aren’t very dangerous – maybe they cause a website to malfunction or your browser to crash. However, some bugs are security holes. An attacker that knows about the bug can craft an exploit that uses the bug in the software to gain access to your system.
Of course, some software is more vulnerable than others. For example, Java has had a never-ending stream of vulnerabilities that allow websites using the Java plug-in to escape the Java sandbox and gain full access to your machine. Exploits that manage to compromise Google Chrome’s sandboxing technology have been much rarer, although even Chrome has had zero-days.

Responsible Disclosure

Sometimes, a vulnerability is discovered by the good guys. Either the developer discovers the vulnerability themselves, or “white-hat” hackers discover it and disclose it responsibly, perhaps through something like Pwn2Own or Google’s Chrome bug bounty program, which reward hackers for discovering vulnerabilities and disclosing them responsibly. The developer fixes the bug and releases a patch for it.
Malicious people may later try to exploit the vulnerability after it’s been disclosed and patched, but people have had time to prepare.
Some people don’t patch their software in a timely fashion, so these attacks can still be dangerous. However, if an attack targets a piece of software using a known vulnerability that already has a patch available, that’s not a “zero-day” attack.

Zero-Day Attacks

Sometimes, a vulnerability is discovered by the bad guys. The people who discover the vulnerability may sell it to other people and organizations looking for exploits (this is big business – this isn’t just teenagers in basements trying to mess with you anymore, this is organized crime in action) or use it themselves. The vulnerability may have been known to the developer already, but the developer may not have been able to fix it in time.
In this case, neither the developer nor the people using the software have advance warning that it’s vulnerable. They only learn that the software is vulnerable when it’s already being attacked, often by examining the attack and working out which bug it exploits.
This is a zero-day attack – it means that developers have had zero days to deal with the problem before it’s already being exploited in the wild. However, the bad guys have known about it for long enough to craft an exploit and start attacking. The software remains vulnerable to attack until a patch is released and applied by users, which may take several days.

How to Protect Yourself

Zero days are scary because we don’t have any advance notice of them. We can’t prevent zero-day attacks by keeping our software patched. By definition, no patches are available for a zero-day attack.
So what can we do to protect ourselves from zero-day exploits?
  • Avoid Vulnerable Software: We don’t know for sure that there will be another zero-day vulnerability in Java in the future, but Java’s long history of zero-day attacks means there likely will be. (In fact, as of this writing in April 2013, Java is vulnerable to several zero-day attacks that have not yet been patched.) Uninstall Java (or disable the browser plug-in if you need Java installed) and you’re less at risk from zero-day attacks. Adobe’s PDF reader and Flash Player have also historically had quite a number of zero-day attacks, although they’ve improved recently.
  • Reduce your Attack Surface: The less software you have vulnerable to zero-day attacks, the better. This is why it’s good to uninstall browser plug-ins that you don’t use and avoid having unnecessary server software exposed directly to the Internet. Even if the server software is fully patched, a zero-day attack may eventually happen.
  • Run an Antivirus: Antiviruses can help against zero-day attacks. An attack that tries to install malware on your computer may find the malware installation foiled by the antivirus. An antivirus’s heuristics (which detect suspicious-looking activity) may also block a zero-day attack. Antiviruses may then be updated for protection against the zero-day attack sooner than a patch is available for the vulnerable software itself. This is why it’s smart to use an antivirus on Windows, no matter how careful you are.
  • Keep Your Software Updated: Updating your software regularly won’t protect you against zero-days, but it will ensure you have the fix as soon as possible after it’s released. This is also why it’s important to reduce your attack surface and get rid of potentially vulnerable software you don’t use – it’s less software you need to ensure is updated.
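The list above is advice you can act on only once you know what is actually installed and listening on a machine. The following script is an added example, not code from the original article: it pulls the installed-software inventory from the Windows uninstall keys, flags the plug-in style products named above, and lists every TCP port with the process that owns it. The product-name patterns are assumptions (adjust them to what you care about), it expects English netstat output (the word LISTENING), and it should be run from an elevated PowerShell on Windows 7 or 8 so netstat can report the owner of every listener.

```powershell
# Added example, not from the original article: take stock of the software the
# list above tells you to think about, so you can decide what to remove.
# Assumptions: Windows 7/8 with PowerShell 2.0 or later, English netstat output
# (the word LISTENING) and the product-name patterns below; run elevated.

$riskyProducts = 'Java', 'Adobe Flash', 'Adobe Reader', 'Adobe Acrobat',
                 'Silverlight', 'QuickTime'

function Get-InstalledSoftware {
    # Uninstall entries for 64-bit, 32-bit (Wow6432Node) and per-user installs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Get-RiskyPlugins {
    # Installed software whose display name matches one of the patterns above.
    Get-InstalledSoftware | Where-Object {
        $name = $_.DisplayName
        $riskyProducts | Where-Object { $name -like "*$_*" }
    }
}

function Get-ListeningPorts {
    # TCP listeners and their owning process, parsed from netstat so that it
    # also works on Windows 7, which has no Get-NetTCPConnection cmdlet.
    netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
        $fields   = @($_.Line -split '\s+' | Where-Object { $_ })
        $owner    = [int]$fields[4]
        $proc     = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
        New-Object PSObject -Property @{
            LocalAddress = $fields[1]
            ProcessId    = $owner
            Process      = $procName
        }
    }
}

Get-RiskyPlugins   | Format-Table DisplayName, DisplayVersion -AutoSize
Get-ListeningPorts | Sort-Object LocalAddress | Format-Table LocalAddress, ProcessId, Process -AutoSize
```

Anything in the second table bound to 0.0.0.0 (all interfaces) rather than 127.0.0.1 is reachable from the network and is exactly the "unnecessary server software" the list warns about; the first table tells you which of the historically troublesome plug-ins are still present.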


We’ve explained what a zero day exploit is, but what is a permanent and unpatched security vulnerability known as? See if you can figure out the answer over at our Geek Trivia section!

Learning Windows 7 – Managing Internet Explorer


Internet Explorer is a complex piece of software and hasn’t always been the browser choice of us geeks, but the truth is that it has gotten a lot better over the years so come and see what it has to offer.

Compatibility View

Internet Explorer is notorious for not being able to render pages that worked perfectly in previous versions of the browser. To remedy the situation, Microsoft added a feature to IE called Compatibility View. In a nutshell, it renders a web page the way an earlier Internet Explorer version would have. To use Compatibility View, click the little icon that looks like a page torn in half, located in the address bar.

RSS Feeds

If you don’t already know what they are, RSS feeds provide a great way for you to stay up to date with your favorite websites by allowing you to subscribe to them. When one of the websites you are subscribed to adds new content, for example when How-To Geek releases a new article, you will automatically be notified. In Internet Explorer, if the RSS button turns orange it means that the website you are viewing supports RSS feeds.

Once you have subscribed to the feed, you can quickly check if any new content has been added.

Security Zones

Internet Explorer assigns every website to one of four security zones: Internet, Local intranet, Trusted sites, or Restricted sites. The zone a website is assigned to determines the security settings applied to that site. Let’s take a closer look at what type of websites each of the four zones should contain:
  • Local intranet – This zone should contain sites that reside inside your company’s firewall.
  • Trusted – This zone contains sites you know you can trust, for example the site of a business partner. Sites in this zone run with a less restrictive security level than the Internet zone, so add only what you really need.
  • Internet – This zone contains all sites on the internet that are not in the Trusted, Local intranet or Restricted zones.
  • Restricted – This zone contains sites that you do not trust; it applies the most restrictive settings.
If you want to, you can also change the security settings applied to any particular zone. To do this, click on Tools and then choose the Internet Options menu item.

Then switch over to the Security tab.

You can either choose one of the pre-defined security levels by moving the slider, or you can click on the Custom level button.

Configuring a Trusted Site

To add a site to the Trusted Sites security zone, select the zone and then click on the Sites button.

Now enter the URLs of any sites that you know for sure are not a threat. Then click Add.

You can do the same for the other zones, just be careful about what you add to each zone.
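Internet Explorer keeps each user’s zone assignments in the registry, which is handy when you want to push the same mapping to several machines or just see what is already trusted. The script below is an added example, not code from the original article: it writes a mapping under the ZoneMap\Domains key (one DWORD per URL scheme, whose data is the zone number: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) and lists the current mappings. The host name partner.example.com is a placeholder, and the script assumes a host splits as "rest" + "last two labels" (so www.example.com becomes Domains\example.com\www), which does not hold for two-part suffixes such as co.uk.

```powershell
# Added example, not from the original article: the Trusted Sites dialog above
# as a script. Assumptions: per-user (HKCU) zone map, placeholder host name, and
# a.b.c splits as b.c + a (two-part suffixes such as co.uk are not handled).

$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Add-IEZoneSite {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [ValidateSet(1, 2, 4)][int]$Zone = 2,                  # 3 (Internet) is the default, no mapping needed
        [ValidateSet('http', 'https', '*')][string]$Scheme = 'https'
    )
    # IE stores www.example.com as Domains\example.com\www.
    $labels = $Domain.Split('.')
    if ($labels.Count -gt 2) {
        $parent = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        $key    = Join-Path (Join-Path $zoneMap $parent) $sub
    } else {
        $key = Join-Path $zoneMap $Domain
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Get-IEZoneSites {
    if (-not (Test-Path $zoneMap)) { return }
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        $key   = $_
        $parts = ($key.PSPath -replace '^.*\\Domains\\', '') -split '\\'
        # Turn example.com\www back into www.example.com.
        $site  = if ($parts.Count -eq 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($valueName in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Site   = $site
                Scheme = $valueName
                Zone   = $zoneNames[[int]$key.GetValue($valueName)]
            }
        }
    }
}

Add-IEZoneSite -Domain 'partner.example.com' -Zone 2 -Scheme 'https'
Get-IEZoneSites | Format-Table Site, Scheme, Zone -AutoSize
```

Prefer the https scheme over '*' when you add a trusted site: a plain-http mapping trusts whatever answers to that name on the network, not just the partner’s server. Note also that if your machine is managed by Group Policy, the policy-defined site list takes precedence over these per-user entries.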

Managing Add-Ons

Internet Explorer has add-ons, the equivalent of extensions in Chrome and Firefox, which extend the functionality of the browser. One of the more infamous types of add-on is the toolbar: those pesky search bars that often get added to Internet Explorer when you install some other application. To manage toolbars, click on the Tools menu and then choose the Manage Add-ons menu item.

From here you can right click on any toolbar and disable it. If you wish to uninstall the toolbar, you must use the Control Panel to uninstall it just as you would any other application.

Search Providers

Another type of add-on is a Search Provider, which allows you add additional search engines to Internet Explorer. To add a Search Provider, switch over to the Search Providers section.

In the bottom left hand corner of the Window you will see a Find more search providers… hyperlink. Click on it.

From here you can choose from thousands of providers.

Once added, you can search that site directly from the search bar.

Keep reading to learn about security features and more.

Use PowerShell to Remove Multiple Modern Apps from Windows 8

There are numerous modern apps built into Windows 8, and they are featured prominently on the Start screen. It may well be that you don’t want to use them because they just aren’t apps you’re interested in, or because you have found a better alternative.
You can right click a tile and select the uninstall option, but if you want to remove multiple apps at once you can do so with a PowerShell script. You can also use this technique to uninstall multiple apps you have installed from the Store.

You can download a readymade script from the TechNet Script Center that can be used to select all of the modern apps you want to remove, and uninstall them all at once. Download the script and extract it from the zip file.

Launch PowerShell in Administrator mode by pressing the Windows key to bring up the Start screen and then type Powershell. Right click the Windows PowerShell icon and then click the ‘Run as administrator’ button at the bottom of the screen before clicking Yes in the User Account Control dialog.

Run the script by typing its full path at the command prompt and then press Enter.

You will see a list of all of the modern apps you have installed. This list includes apps that you have installed and those that are built into Windows 8.
Each app has a number next to it and you can use these to specify which apps should be uninstalled. Just enter all of the app numbers, separated by commas, and press Enter.

Confirm the action and after a moment or two the selected apps will be removed for you.
Should you change your mind about an app you have removed, you can easily reinstate it from the Store.
It may be that you would like to remove all modern apps from your hard drive, and if this is the case you have a couple of options available to you.
The first option removes all apps from the account you are currently logged into. Launch PowerShell as an administrator and type the following command before pressing Enter:
Get-AppxPackage | Remove-AppxPackage
Secondly, you can use the following command to remove all modern apps from all user accounts:
Get-AppxPackage -AllUsers | Remove-AppxPackage
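Removing everything is a blunt instrument; usually you want a named list, a dry run first, and some way to stop Windows putting the apps back. The function below is an added example, not code from the original article or the TechNet script: it removes the packages you name (for the current user or, as with the second command above, for all users), skips framework packages that other apps depend on, and with -Deprovision also removes the provisioned copy that Windows would otherwise install again in every newly created account. The package names are assumptions; list the real ones with Get-AppxPackage | Select-Object Name. Run it from an elevated PowerShell on Windows 8.

```powershell
# Added example, not from the original article: remove a named set of modern
# apps with -WhatIf support, optionally for all users and from the provisioned
# image. Package names below are assumptions; run elevated on Windows 8.

$appsToRemove = 'Microsoft.BingFinance', 'Microsoft.BingSports', 'Microsoft.ZuneMusic'

function Remove-ModernApps {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$Names,
        [switch]$AllUsers,      # every account, like the -AllUsers command above
        [switch]$Deprovision    # also drop the image copy used for new accounts
    )
    foreach ($name in $Names) {
        $packages = if ($AllUsers) { Get-AppxPackage -AllUsers -Name $name } else { Get-AppxPackage -Name $name }
        if (-not $packages) { Write-Warning "$name is not installed"; continue }
        foreach ($pkg in $packages) {
            # Framework packages are shared libraries other apps depend on; leave them.
            if ($pkg.IsFramework) { continue }
            if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
                $pkg | Remove-AppxPackage
            }
        }
        if ($Deprovision) {
            Get-AppxProvisionedPackage -Online |
                Where-Object { $_.DisplayName -eq $name } |
                ForEach-Object {
                    if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage')) {
                        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
                    }
                }
        }
    }
}

Remove-ModernApps -Names $appsToRemove -WhatIf                 # dry run: shows what would go
Remove-ModernApps -Names $appsToRemove -AllUsers -Deprovision
```

The -WhatIf run is worth the extra ten seconds: Get-AppxPackage -Name accepts wildcards, so a pattern that is broader than you meant will show up there before anything is removed.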

Prevent Windows From Restarting Your PC After Windows Updates

Have you seen that message in Windows 8 that tells you your computer is going to reboot and there is not a thing you can do about it except save your work? Here’s how to make sure that never happens again. This tip works for Windows 7 as well.
Note that we have covered this method before for preventing Windows 7 from automatically rebooting. This article has two methods for doing the same thing.

Prevent Windows 8 From Restarting Your PC After Windows Updates

Press the Win + R keyboard combination to bring up the run dialog then type gpedit.msc and press enter.

When the Local Group Policy Editor opens, navigate to:
Computer Configuration\Administrative Templates\Windows Components\Windows Update

On the right hand side you will see a setting titled:
No auto-restart with logged on users for scheduled automatic updates installations
Double click on it.

From here you will need to enable the setting by changing the radio button from “Not Configured” to “Enabled”, then clicking apply.

As always, we recommend you force a Group Policy update (run gpupdate /force from an administrator command prompt) so that the change takes effect immediately.


That’s all there is to it.

Using the Registry

If your version of Windows 8 doesn’t ship with the Group Policy editor, you can always use the registry to disable these reboots. Again press the Windows + R keyboard combination to bring up a run box – type regedit then hit enter.

Now navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Note: If you don’t see the Windows Update or AU keys you may have to create them.
Then create a new 32-bit DWORD called NoAutoRebootWithLoggedOnUsers.

Then double click on it and give it a hex value of 1.

Reboot your machine and you’re good to go!
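The registry steps above as a script, an added example rather than code from the original article: it creates the WindowsUpdate and AU keys if they are missing, writes the DWORD, reads it back so you can confirm the change, and triggers the policy refresh. Run it from an elevated PowerShell on Windows 7 or 8. Keep in mind that this only stops the forced restart while someone is logged on; the update is not fully applied until the machine does restart, so don’t put that off for long.

```powershell
# Added example, not from the original article: the registry edit above as a
# script that creates the missing keys, sets the value and reads it back.
# Run from an elevated PowerShell on Windows 7 or 8.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-NoAutoReboot {
    param([bool]$Enabled = $true)
    # New-Item -Force creates WindowsUpdate and AU in one go when they are missing.
    if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
    New-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers' `
        -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
}

function Get-NoAutoReboot {
    # $true when the value exists and is 1, $false when it is missing or 0.
    $item = Get-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers' -ErrorAction SilentlyContinue
    [bool]($item -and $item.NoAutoRebootWithLoggedOnUsers -eq 1)
}

Set-NoAutoReboot
Get-NoAutoReboot
gpupdate /target:computer /force
```

Calling Set-NoAutoReboot $false puts the default behaviour back, which is useful on a machine you hand over to someone else.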

How to Manually Uninstall a Globally Installed Firefox Extension

Firefox provides several ways for other programs on your computer to install Firefox extensions, sometimes without your explicit consent. While you can disable these extensions, you often can’t uninstall them via Firefox’s Add-ons screen.
Mozilla has become more vigilant in protecting users and now asks you whether you want to enable such extensions after they’re installed. However, a disabled extension continues to clutter your list of installed extensions.

Windows Control Panel

If the globally installed extension is a well-behaved piece of software, you’ll probably be able to uninstall the extension from the Programs and Features window in the Windows Control Panel. Just perform a search for the name of the extension and uninstall it as if it were any other program.

However, this won’t always work. In the example above, the extension can only be removed by uninstalling the complete Logitech SetPoint software package.
In some cases, an unscrupulous extension may not add any entry to Programs and Features at all, attempting to hide itself and prevent you from removing it from your system.

Firefox Installation Directory

The first place to look when an extension can’t be uninstalled from within Firefox is in Firefox’s installation directory. By default, Firefox is installed to C:\Program Files (x86)\Mozilla Firefox on 64-bit versions of Windows. On 32-bit versions of Windows, you will find it in C:\Program Files\Mozilla Firefox. If you installed Firefox to a custom directory on your system, you will find it there instead.
Look inside the extensions directory inside the Mozilla Firefox directory. Other applications can add their own extensions to this directory, where they will be picked up by all Firefox profiles on the system.

Note: Leave the {972ce4c6-7e08-4474-a285-3208198ce6fd} directory alone! This directory contains Firefox’s default theme.
Other directories contain globally installed Firefox extensions and themes. You can tell which extension lives in a directory by opening the install.rdf file inside it in a text editor: it names the extension. For example, the default Firefox theme’s install.rdf file contains the line “The default theme.”

To remove a globally installed extension, delete its folder from the extensions directory.

Windows Registry

On Windows, extensions can also be installed and associated with Firefox via the Windows Registry. To open the registry editor, press the Windows key to open the Start menu, type regedit into the Start menu, and press Enter. (On Windows 8, press the Windows key to access the Start screen, type regedit at the Start screen, and press Enter.)

You will need to look under three different registry keys for globally installed Firefox extensions:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions (64-bit editions of Windows only.)
You will find the globally installed Firefox extension under one of these locations.

To manually remove the extension, delete its registry value. The extension’s files will still be on your system, but the extension itself won’t be picked up by Firefox.

To remove the extension’s files, look at the directory specified under the Data column. Locate the directory in Windows Explorer and delete the directory from your system.
This step isn’t completely necessary, but it will remove the extension’s files from your computer.

After removing the value in the registry, the extension will vanish from your Firefox extensions list. (You will need to restart Firefox for your changes to take effect, no matter how you removed the globally installed extension.)
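Checking three registry keys and a folder by hand every time is tedious, so here is the whole procedure as a script. It is an added example, not code from the original article or from Mozilla: it lists every globally installed extension from the extensions folder and the three registry keys above, reads each one’s ID and name from its install.rdf, and removes one by ID with -WhatIf support. It assumes the default install paths given above and the install.rdf manifest format of this era (newer WebExtensions carry a manifest.json instead, which this does not read).

```powershell
# Added example, not from the original article: audit and remove globally
# installed Firefox extensions from the folder and registry locations above.
# Assumes the default install paths and install.rdf manifests.

$firefoxDir = @("${env:ProgramFiles(x86)}\Mozilla Firefox", "$env:ProgramFiles\Mozilla Firefox") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
$defaultTheme = '{972ce4c6-7e08-4474-a285-3208198ce6fd}'   # leave alone, per the note above
$registryKeys = 'HKCU:\Software\Mozilla\Firefox\Extensions',
                'HKLM:\Software\Mozilla\Firefox\Extensions',
                'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions'

function Read-InstallRdf {
    # The extension's own id and name live on the top-level Description node,
    # either as child elements or as attributes; both forms are in the wild.
    param([string]$Path)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('rdf', 'http://www.w3.org/1999/02/22-rdf-syntax-ns#')
    $ns.AddNamespace('em',  'http://www.mozilla.org/2004/em-rdf#')
    $top  = '/rdf:RDF/rdf:Description'
    $id   = $xml.SelectSingleNode("$top/em:id | $top/@em:id", $ns)
    $name = $xml.SelectSingleNode("$top/em:name | $top/@em:name", $ns)
    $idText   = if ($id)   { $id.InnerText }   else { 'unknown' }
    $nameText = if ($name) { $name.InnerText } else { 'unknown' }
    New-Object PSObject -Property @{ Id = $idText; Name = $nameText }
}

function Get-GlobalFirefoxExtensions {
    # Folders dropped into <Firefox>\extensions, skipping the default theme.
    $extDir = if ($firefoxDir) { Join-Path $firefoxDir 'extensions' }
    if ($extDir -and (Test-Path $extDir)) {
        Get-ChildItem -Path $extDir | Where-Object { $_.PSIsContainer -and $_.Name -ne $defaultTheme } |
            ForEach-Object {
                $rdf  = Join-Path $_.FullName 'install.rdf'
                $info = if (Test-Path $rdf) { Read-InstallRdf $rdf } else { $null }
                $id   = if ($info) { $info.Id }   else { $_.Name }
                $nm   = if ($info) { $info.Name } else { 'unknown' }
                New-Object PSObject -Property @{ Source = 'Directory'; Location = $_.FullName; Id = $id; Name = $nm }
            }
    }
    # Registry registrations: the value name is the extension ID, the data its folder.
    foreach ($key in $registryKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in ($item.GetValueNames() | Where-Object { $_ })) {
            $dir  = [string]$item.GetValue($valueName)
            $rdf  = if ($dir) { Join-Path $dir 'install.rdf' -ErrorAction SilentlyContinue }
            $info = if ($rdf -and (Test-Path $rdf)) { Read-InstallRdf $rdf } else { $null }
            $nm   = if ($info) { $info.Name } else { 'unknown' }
            New-Object PSObject -Property @{ Source = $key; Location = $dir; Id = $valueName; Name = $nm }
        }
    }
}

function Remove-GlobalFirefoxExtension {
    # Directory installs: delete the folder. Registry installs: delete the value,
    # and with -DeleteFiles also the folder it pointed at.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Id, [switch]$DeleteFiles)
    foreach ($ext in (Get-GlobalFirefoxExtensions | Where-Object { $_.Id -eq $Id })) {
        if ($ext.Source -eq 'Directory') {
            if ($PSCmdlet.ShouldProcess($ext.Location, 'Delete extension folder')) {
                Remove-Item -Path $ext.Location -Recurse -Force
            }
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($ext.Source)\$Id", 'Delete registry value')) {
            Remove-ItemProperty -Path $ext.Source -Name $Id
        }
        if ($DeleteFiles -and $ext.Location -and (Test-Path $ext.Location)) {
            if ($PSCmdlet.ShouldProcess($ext.Location, 'Delete extension files')) {
                Remove-Item -Path $ext.Location -Recurse -Force
            }
        }
    }
}

Get-GlobalFirefoxExtensions | Format-Table Id, Name, Source, Location -AutoSize
# Remove-GlobalFirefoxExtension -Id '<id from the list above>' -DeleteFiles -WhatIf
```

Run the listing first and look at the Name column: an entry whose install.rdf cannot be read, or whose registry data points at a folder in a temp or user-profile location rather than under Program Files, is the kind of extension the article describes as trying to hide. As the article says, restart Firefox after removing anything.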

Learning Windows 7 – IP Addressing Fundamentals

IP Fundamentals

When you send a letter via snail mail you have to specify the address of the person you would like to receive the mail. Similarly, when one computer sends a message to another computer it needs to specify the address that the message should be sent to. These addresses are called IP addresses and typically look something like this:
192.168.0.1
These addresses are IPv4 (Internet Protocol Version 4) addresses and, like most things these days, they are a simple abstraction of what the computer actually sees. IPv4 addresses are 32-bit, which means they are a combination of 32 ones and zeros. The computer sees the address listed above as:
11000000 10101000 00000000 00000001
Note: Each decimal octet has a maximum value of (2^8) – 1 which is 255. This is the maximum number of combinations that can be expressed using 8 bits.
If you wanted to convert an IP address to its binary equivalent you could create a simple table, like below. Then take one section of the IP address (technically called an octet), for example 192, and move from left to right checking if you can subtract the number in the header of the table from your decimal number. There are two rules:
  • If the number in the header of the table is smaller than or equal to your number, mark the column with a 1. Your new number is then the number you had minus the number in the header of the column. For example, 128 is smaller than 192, so I mark the 128s column with a 1. I am then left with 192 – 128, which is 64.
  • If the number is larger than the number you have, mark it with a 0 and move on.
Here is how it would look using our example address of 192.168.0.1
        128  64  32  16   8   4   2   1
192       1   1   0   0   0   0   0   0
168       1   0   1   0   1   0   0   0
  0       0   0   0   0   0   0   0   0
  1       0   0   0   0   0   0   0   1
In the above example, I took our first octet of 192 and marked the 128s column with a 1. I was then left with 64 which is the same as the number as the second column so I marked it with a 1 as well. I was now left with 0 since 64 – 64 = 0. That meant that the rest of the row was all zeros.
In the second row, I took the second octet, 168. 128 is smaller than 168 so I marked it with a 1 and was left with 40. 64 was then greater than 40 so I marked it with a 0. When I moved into the third column, 32 was less than 40 so I marked it with a 1 and was left with 8. 16 is greater than 8 so I marked it with a 0. When I got to the 8s column I marked it with 1 which left me with 0 so the rest of the columns were marked with 0.
The third octet was 0, and nothing can go into 0 so we marked all columns with a zero.
The last octet was 1 and nothing can go into 1 except 1, so I marked all columns with 0 until we got to the 1s column where I marked it with a 1.

Subnet Masks

Note: Subnet masking can get very complex, so for the scope of this article we are only going to discuss classful subnet masks.
An IP address is made up of two components, a network address and a host address. The subnet mask is what is used by your computer to separate your IP address into the network address and host address. A subnet mask typically looks something like this.
255.255.255.0
Which in binary looks like this.
11111111.11111111.11111111.00000000
In a subnet mask the network bits are denoted by the 1s and the host bits are denoted by the 0s. You can see from the above binary representation that the first three octets of the IP address are used to identify the network that the device belongs to and the last octet is used for the host address.
Given an IP address and subnet mask, our computers can tell if the device is on the same network by performing a bitwise AND operation. For example, say:
  • computerOne wants to send a message to computerTwo.
  • computerOne has an IP of 192.168.0.1 with a subnet mask of 255.255.255.0
  • computerTwo has an IP of 192.168.0.2 with a subnet mask of 255.255.255.0
computerOne will first calculate the bitwise AND of its own IP and subnet mask.
Note: When using a bitwise AND operation, if the corresponding bits are both 1 the result is a 1, otherwise it’s a 0.
11000000 10101000 00000000 00000001
11111111 11111111 11111111 00000000
11000000 10101000 00000000 00000000
It will then calculate the bitwise AND for computerTwo.
11000000 10101000 00000000 00000010
11111111 11111111 11111111 00000000
11000000 10101000 00000000 00000000
As you can see, the results of the bitwise operations are the same, so the devices are on the same network.

Classes

As you have probably guessed by now, the more network bits (1s) there are in your subnet mask, the fewer host bits (0s) you have. Classful addressing divides the address space into classes; the three used for ordinary hosts are:

          First octet   Default subnet mask   Networks     Hosts per network
Class A   1-126         255.0.0.0             126          16 777 214
Class B   128-191       255.255.0.0           16 384       65 534
Class C   192-223       255.255.255.0         2 097 152    254

Reserved Ranges

You will notice that the 127.x.x.x range has been left out. This is because the entire range is reserved for something called your loopback address. Your loopback address always points to your own PC.
The 169.254.x.x range (169.254.0.0/16) is also reserved, for something called APIPA which we will discuss later on in the series.

Private IP Ranges

Until a few years ago every device on the internet had its own unique public IP address. As IPv4 addresses began to run out, a concept called NAT (Network Address Translation) was introduced, which adds another layer between our networks and the internet. IANA reserved a block of addresses from each class for private use:
  • 10.0.0.0 – 10.255.255.255 (10.0.0.0/8) from Class A
  • 172.16.0.0 – 172.31.255.255 (172.16.0.0/12) from Class B
  • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16) from Class C
Then, instead of every device in the world getting its own public address, your ISP gives you a device called a NAT router which is assigned a single public IP address. You assign your own devices addresses from whichever private range suits you. The NAT router maintains a NAT table and rewrites the addresses on traffic passing between your devices and the internet.
Note: The public IP of your NAT router is usually assigned dynamically via DHCP, so it may change depending on the constraints your ISP has in place.
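The binary conversion, the bitwise-AND "same network?" test, the classful defaults and the private ranges above are all small enough to check in code. The functions below are an added example, not code from the original article; they use only .NET types, so they run in PowerShell 2.0 and later on any Windows, and the addresses in the calls at the bottom are the article’s own examples plus one constructed private address.

```powershell
# Added example, not from the original article: the decimal-to-binary
# conversion, the bitwise-AND network test, the classful defaults and the
# private-range check above, worked in code (.NET types only, PowerShell 2.0+).

function ConvertTo-BinaryOctets {
    # Dotted-quad address to four space-separated groups of eight bits.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ' '
}

function ConvertTo-SubnetMask {
    # Prefix length (the count of 1 bits) to a dotted mask, e.g. 24 -> 255.255.255.0.
    param([int]$PrefixLength)
    $octets = foreach ($i in 0..3) {
        $bits = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))   # 1 bits in this octet
        [int](256 - [Math]::Pow(2, 8 - $bits))                           # 8 bits -> 255, 0 bits -> 0
    }
    $octets -join '.'
}

function Get-NetworkAddress {
    # Bitwise AND of address and mask, one octet at a time, as in the example above.
    param([string]$Address, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    (0..3 | ForEach-Object { $a[$_] -band $m[$_] }) -join '.'
}

function Test-SameNetwork {
    # Two hosts share a network when their AND results match.
    param([string]$First, [string]$Second, [string]$Mask)
    (Get-NetworkAddress $First $Mask) -eq (Get-NetworkAddress $Second $Mask)
}

function Get-AddressClass {
    # Classful lookup from the first octet, with the default mask from the table above.
    param([string]$Address)
    $first = [int][System.Net.IPAddress]::Parse($Address).GetAddressBytes()[0]
    $cls, $mask = switch ($first) {
        { $_ -ge 1   -and $_ -le 126 } { 'A', '255.0.0.0';     break }
        { $_ -ge 128 -and $_ -le 191 } { 'B', '255.255.0.0';   break }
        { $_ -ge 192 -and $_ -le 223 } { 'C', '255.255.255.0'; break }
        default                        { 'reserved/other', $null }
    }
    New-Object PSObject -Property @{ Class = $cls; DefaultMask = $mask }
}

function Test-PrivateAddress {
    # The three ranges IANA set aside for use behind NAT.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [bool](($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168))
}

ConvertTo-BinaryOctets '192.168.0.1'
Get-NetworkAddress '192.168.0.1' '255.255.255.0'
Test-SameNetwork '192.168.0.1' '192.168.0.2' '255.255.255.0'
Test-SameNetwork '192.168.0.1' '192.168.1.2' (ConvertTo-SubnetMask 24)
Get-AddressClass '172.20.5.9'
Test-PrivateAddress '172.20.5.9'
```

The fourth call is the case the article’s example does not show: two addresses that look alike but differ in the third octet, which a /24 mask puts on different networks, so the sender hands the packet to its default gateway instead of delivering it directly.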

Name Resolution

It is much easier for us to remember human-readable names like FileServer1 than an IP address like 89.53.234.2. On small networks where no other name resolution service like DNS exists, when you try to open a connection to FileServer1 your computer can send a multicast message (in effect, a message to every device on the local network) asking who FileServer1 is. This method of name resolution is called LLMNR (Link-Local Multicast Name Resolution). It works for a home or small business network but doesn’t scale well, firstly because asking thousands of clients takes too long and secondly because multicast traffic doesn’t typically traverse routers. It also has no way of checking who is answering: any machine on the same network segment can reply to a query, including one for a name that doesn’t exist, and your PC will connect to whatever it is told. On networks that do have DNS, the Group Policy setting “Turn off multicast name resolution” (Computer Configuration\Administrative Templates\Network\DNS Client) disables it.
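Because LLMNR trusts the first reply it gets, the usual recommendation on any network that has a DNS server is to turn it off. The script below is an added example, not code from the original article: it reports whether LLMNR is currently enabled and writes the same registry value the Group Policy setting “Turn off multicast name resolution” writes. Run it from an elevated PowerShell. The caveat for a home network without DNS is the flip side of the article’s point: once LLMNR is off, FileServer1 only resolves if something else (DNS or a hosts-file entry) knows the name.

```powershell
# Added example, not from the original article: check and disable LLMNR via the
# DNS Client policy value. Run from an elevated PowerShell on Windows 7 or 8.

$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    # Windows leaves LLMNR on unless the policy value EnableMulticast is 0.
    $p = Get-ItemProperty -Path $dnsClientPolicy -Name 'EnableMulticast' -ErrorAction SilentlyContinue
    if ($p -and $p.EnableMulticast -eq 0) { 'Disabled by policy' } else { 'Enabled (default)' }
}

function Disable-Llmnr {
    if (-not (Test-Path $dnsClientPolicy)) { New-Item -Path $dnsClientPolicy -Force | Out-Null }
    New-ItemProperty -Path $dnsClientPolicy -Name 'EnableMulticast' -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-LlmnrState
Disable-Llmnr
Get-LlmnrState
```

The value takes effect for new name lookups without a reboot; gpupdate /force is only needed if you want the Group Policy editor to reflect it straight away.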

DNS (Domain Name System)

The most common way to solve the scalability problem is DNS. The Domain Name System is the phonebook of any given network: it maps human-readable machine names to their underlying IP addresses using a distributed database. When you try to open a connection to FileServer1, your PC asks the DNS server you have configured who FileServer1 is. The DNS server responds with an IP address, which your PC can then connect to. This is also the name resolution method used by the largest network in the world: the internet.

Changing Your Network Settings

Right click on the network settings icon and select Open Network and Sharing Center from the context menu.

Now click on the Change adapter settings hyperlink on the left hand side.

Then right click on your network adapter and select Properties from the context menu.

Now select Internet Protocol Version 4 and then click on the properties button.

Here you can configure a static IP address by selecting the radio button for “Use the following IP address”. Armed with the information above, you can fill in an IP address and subnet mask. The default gateway, for all intents and purposes, is the IP address of your router.

Near the bottom of the dialog you can set the address of your DNS server. At home you probably don’t have a DNS server, but your router often has a small DNS cache and forwards queries to your ISP. Alternatively, you could use Google’s public DNS server, 8.8.8.8.

How Can I Effectively Conduct a Performance Test of My Internet Connection?


It’s one thing to just hit up SpeedTest.net to get a rough idea of your internet connection speed, but what if you want to conduct more extensive testing over time to see if you’re really getting your money’s worth from your ISP?
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader KronoS is in an interesting position: he has access to his old internet connection and his new internet connection for a period of time. During this period he wants to test them out:
Right now I’m in the process of possibly switching from a Cable provider to a DSL provider. I have both connections live, and before I cancel one or the other, I’m wanting to do some exhaustive testing of the internet connection. I have three major questions:
  1. What are some approaches that I can quantitatively test the speeds (both up and down) and quality of my internet connections (ping, time connection is down, etc.)?
  2. Are there other considerations that should be taken when testing an internet connection?
  3. Are there any tools that can do this automatically and capture results?
Overall, I’m looking to compare the two connections over multiple periods of time such as peak hours (1600 – 2100 in my area), and with different loads such as streaming movies, uploading files, etc.
What’s the best method for quantitatively measuring different aspects of the data connections?

The Answer

SuperUser contributor Dennis offers the following battery of tests to try out:
The Broadband Tests and Tools from DSLReports.com include a simple speed test, as well as long- and short-term line quality tests:
1. Speed Tests
Test your maximum upload speed and download speed from several geographically distributed locations.
Java, Flash and iPhone speed test (100% browser) available.

2. Smokeping
Intensively monitor an IP address for 24 or more hours to review packet loss and/or excessive latency variability — from three different US locations

3. Line Quality – Ping Test
Test latency, jitter and packet loss to your IP address, including identification of any problems en-route to you.
The speed test requires Flash or Java; the other two require that your IP is pingable.
In the absence of a specialized tool for long-term speed tests, you could use a command-line network retriever (e.g. Wget or Wget for Windows) and download uncompressible test files with a shell/batch script.
The nearest test files to Arizona I could find are from speedtest.dal01.softlayer.com (Dallas, TX) and speedtest.sea01.softlayer.com (Seattle, WA).
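The download-in-a-loop idea from the answer above, written out as a script. This is an added example, not part of the SuperUser answer: each run downloads a test file, measures throughput, pings the test host for latency and loss, and appends one CSV row, so peak and off-peak results can be compared afterwards. The file path in $testFileUrl is an assumption (the Dallas host named above serves test files, but pick the exact file yourself); any large, uncompressible file on a well-connected server will do. It needs nothing beyond PowerShell 2.0, so it runs where the Flash and Java tests cannot.

```powershell
# Added example, not part of the SuperUser answer: log download throughput and
# ping statistics to a CSV file at intervals. $testFileUrl is an assumed path.

$testFileUrl = 'http://speedtest.dal01.softlayer.com/downloads/test100.zip'
$logFile     = "$env:USERPROFILE\speedlog.csv"

function Measure-Download {
    # Downloads the file into memory and reports megabits per second.
    param([string]$Url)
    $client = New-Object System.Net.WebClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try     { $data = $client.DownloadData($Url); $sw.Stop() }
    finally { $client.Dispose() }
    $seconds = $sw.Elapsed.TotalSeconds
    New-Object PSObject -Property @{
        Bytes   = $data.Length
        Seconds = [math]::Round($seconds, 2)
        Mbps    = [math]::Round($data.Length * 8 / $seconds / 1e6, 2)
    }
}

function Measure-Latency {
    # Average round trip and packet loss over $Count ICMP echo requests.
    param([string]$TargetHost, [int]$Count = 10)
    $ping  = New-Object System.Net.NetworkInformation.Ping
    $times = @(foreach ($i in 1..$Count) {
        $reply = $ping.Send($TargetHost, 2000)
        if ($reply.Status -eq 'Success') { $reply.RoundtripTime }
    })
    $avg = if ($times.Count) { [math]::Round(($times | Measure-Object -Average).Average, 1) } else { -1 }
    New-Object PSObject -Property @{
        AvgMs   = $avg                                                 # -1 when every ping was lost
        LossPct = [math]::Round(100 * ($Count - $times.Count) / $Count, 1)
    }
}

function Start-SpeedLog {
    # One download plus one ping batch every $IntervalMinutes, $Runs times.
    param([int]$Runs = 4, [int]$IntervalMinutes = 15)
    if (-not (Test-Path $logFile)) { 'Timestamp,Bytes,Seconds,Mbps,AvgMs,LossPct' | Set-Content -Path $logFile }
    $testHost = ([Uri]$testFileUrl).Host
    for ($run = 1; $run -le $Runs; $run++) {
        $d = Measure-Download -Url $testFileUrl
        $l = Measure-Latency -TargetHost $testHost
        "$(Get-Date -Format s),$($d.Bytes),$($d.Seconds),$($d.Mbps),$($l.AvgMs),$($l.LossPct)" | Add-Content -Path $logFile
        if ($run -lt $Runs) { Start-Sleep -Seconds ($IntervalMinutes * 60) }
    }
}

Start-SpeedLog -Runs 4 -IntervalMinutes 15
Import-Csv -Path $logFile | Format-Table -AutoSize
```

For the multi-day comparison the question asks about, schedule the script with Task Scheduler rather than leaving a console open, and run it once on each connection at the same hours. Two things to keep in mind when reading the numbers: a single TCP download on a high-latency link can underestimate the line’s capacity, and the test server’s own load is part of what you measure, so compare runs against the same host.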