I am often asked to explain how to be sure that a program or application you download is safe and not infected with a virus or a trojan.
First of all, always:
1. Download from the official site or source of the program.
And, when the vendor publishes one, you can also:
2. Use a tool to check that the MD5 or SHA hash of the downloaded file is the same as the one the software vendor advertises. I use a very simple tool called Febooti File Tweak Hash and CRC, but there are many tools out there that do this; I have not tested most of them and I do not even use this one that often, though some people will swear that it is very important to always check your MD5 or SHA hashes to verify an application's authenticity. The reason I do not use this method often is that I have not personally experienced infected software that often, and also many application vendors do not even offer the original hash with which to check. Note that a hash published on the same page as the download only proves the file arrived intact: if that server is compromised, the attacker can publish a matching hash for the trojaned file. MD5 should also not be relied on for authenticity, since colliding files can be constructed; prefer a SHA-256 value when the vendor offers one.
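The check described in item 2, as an added PowerShell example that is not part of the original post. It assumes PowerShell 4.0 or later for Get-FileHash, accepts the hash string in the loose forms vendors publish (mixed case, "sha256:" prefix, embedded spaces), and warns when the comparison relies on MD5 or SHA-1. The sample file written to %TEMP% is constructed here only so the function can be exercised offline.

```powershell
# Added example: verify a downloaded file against a vendor-published hash.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)][string]$Path,          # the downloaded file
        [Parameter(Mandatory)][string]$ExpectedHash,  # hash string copied from the vendor's page
        [ValidateSet('SHA256', 'SHA512', 'SHA1', 'MD5')][string]$Algorithm = 'SHA256'
    )
    # Normalise the published value: strip an "sha256:" style prefix and any whitespace, lower-case it.
    $expected = (($ExpectedHash -replace '^\s*(sha\d+|md5)\s*[:=]\s*', '') -replace '\s', '').ToLowerInvariant()
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()

    if ($Algorithm -in 'MD5', 'SHA1') {
        Write-Warning "$Algorithm is collision-prone; prefer the vendor's SHA-256 value if one is published."
    }
    [pscustomobject]@{
        File      = $Path
        Algorithm = $Algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($expected -eq $actual)
    }
}

# Constructed demonstration: a known file, compared against its real hash and a wrong one.
$sample = Join-Path $env:TEMP 'setup-sample.bin'
[IO.File]::WriteAllBytes($sample, [byte[]](0..255))
$good = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
Test-DownloadHash -Path $sample -ExpectedHash "SHA256: $good"
Test-DownloadHash -Path $sample -ExpectedHash ('0' * 64)
```

A mismatch means the file is not what the vendor published, whether through a corrupted transfer or tampering; re-download from the official source before running it.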
However, I also use other methods to be sure that my software is authentic, including but not limited to expensive security software: HIPS, NIPS, anti-malware and sandbox software, etc. I try to always download from trusted sources. I must point out, however, that the original download source of an application can itself become corrupted or infected; this is not common, and it is up to the software company to secure the servers that host the download.
So, in summary, you should always download from the site of the company that actually developed the software. Be aware, though, that some software companies package something called OpenCandy with their installers, and it is debatable whether this is in fact spyware (it is flagged as malware by ESET). I have had several debates with the OpenCandy developers about this software, so I do not intend to devote any more of my time to explaining why I feel it is indeed malware. The reason that software developers sometimes bundle adware with their free software is that it makes them money. Just be aware that when you download free software, it may include some type of monetizing code that may attempt to steal your data. This is not alarmingly common, however, and any “reputable” software developer will notify you of what their installer contains. I always tend to look for an open source alternative (one whose actual code is available for anyone to look at and read).
We’ve been trying to optimize without spending a boatload of money on bandwidth, so this speed should be fast enough for basic webapp pentesting. We have tried some new methods and they seem to be working well.
How to Clean Up Your Messy Windows Context Menu
One of the most irritating things about Windows is the context menu clutter that you have to deal with once you install a bunch of applications. It seems like every application is fighting for a piece of your context menu, and it’s not like you even use half of them.
I will explain where these menu items are hiding in your registry, how to disable them within the registry, and an easier cleanup method for those who don’t want to get down and dirty in the registry.
Cleaning the Context Menu by Hacking the Registry
If you want to clean things up the fun way, open regedit.exe from the Start Menu search or Run box and browse down to one of the following keys. Unfortunately, the context menu items are not stored in a single location.
Most of the menu items that are used for all files and folders can be found under one of these keys:
Items that are specific to folders can usually be found in one of these keys instead:
The context menu items found at these different locations will need to be handled differently, and I will explain how.
Dealing with “shell” Items
Let’s take a look at one item as an example… if you browse down to the shell key under Directory you’ll see the items for Add to VLC media player and Play with VLC. Items under the regular “shell” key are sometimes easy to spot, and easy to get rid of.
If you want to hide one of these items so that it only appears when you Shift+Right-Click, add a new string value on the right-hand side and name it “Extended” (the value data can be left empty).
If you’d like to disable it instead, but don’t want to delete the key, add a new string value named “LegacyDisable” (again, empty data is enough).
And of course, you could just delete the whole key if you really wanted to… but export a copy first (right-click the key and choose Export) so you can restore it.
Dealing with “shellex” Items
You probably noticed the other registry keys above that have “shellex” (Shell Extension) in the name instead of just “shell”. Those types of keys need to be handled differently. For example, we’ll head down to one of the keys mentioned above:
These items are a little tougher to decipher, but you can usually identify an item by the key name on the left. The (Default) value holds the CLSID of the handler DLL; put a few dashes in front of it and Explorer can no longer look the handler up, which disables the item without actually deleting anything.
You’ll want to go through each location in the list at the top of this article until you figure out where exactly the offending items are located. At that point, you can use one of the tricks we mentioned in order to disable that item.
Dealing With Specific File Type Items
Sometimes, although not often, the menu items live under the registry key for a specific file type. In that case, first find the file extension key under HKEY_CLASSES_ROOT; its (Default) value gives the name of the ProgID key you actually need to look under.
For instance, if I wanted to remove a menu item for Excel documents (.xls) I would look at this registry key, which gives me the name of the actual key to look under…
I’ll then browse down to this registry key:
And now I can use the same techniques as above to disable items under “shell”… remember LegacyDisable and Extended? Yep, those work here.
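The three registry techniques above (LegacyDisable, Extended, and a dashed CLSID for shellex handlers), gathered into one added PowerShell script that is not part of the original article. It scans the standard context-menu locations for files, folders and the desktop background, reports each entry's current state, and disables a chosen entry after exporting its key with reg.exe so the change can be undone. The VLC key names in the usage lines are assumptions for illustration; run it from an elevated prompt, since HKCR merges the machine-wide HKLM\Software\Classes hive.

```powershell
# Added example: list and disable Explorer context-menu entries through the registry.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Standard locations: static verbs under ...\shell, extension handlers under ...\shellex\ContextMenuHandlers.
$ShellKeys   = 'HKCR:\*\shell', 'HKCR:\AllFilesystemObjects\shell', 'HKCR:\Directory\shell',
               'HKCR:\Directory\Background\shell', 'HKCR:\Folder\shell'
$ShellExKeys = $ShellKeys -replace '\\shell$', '\shellex\ContextMenuHandlers'

function Get-ContextMenuEntry {
    foreach ($key in $ShellKeys) {
        Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue | ForEach-Object {
            $values = (Get-ItemProperty -LiteralPath $_.PSPath).PSObject.Properties.Name
            [pscustomobject]@{
                Kind     = 'shell'
                Name     = $_.PSChildName
                Path     = $_.Name                       # e.g. HKEY_CLASSES_ROOT\Directory\shell\PlayWithVLC
                Disabled = $values -contains 'LegacyDisable'
                Extended = $values -contains 'Extended'   # only shown on Shift+Right-Click
            }
        }
    }
    foreach ($key in $ShellExKeys) {
        Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = [string](Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
            [pscustomobject]@{
                Kind     = 'shellex'
                Name     = $_.PSChildName
                Path     = $_.Name
                Disabled = $clsid.StartsWith('-')         # a dashed CLSID no longer resolves to a handler
                Extended = $false
            }
        }
    }
}

function Disable-ContextMenuEntry {
    param(
        [Parameter(Mandatory)][string]$Path,   # Path value from Get-ContextMenuEntry
        [switch]$Extended                      # shell verbs only: hide behind Shift+Right-Click instead
    )
    $lit = "Registry::$Path"
    # Export first so the change can be reverted with "reg import".
    $backup = Join-Path $env:TEMP (($Path -replace '[\\*:]', '_') + '.reg')
    & reg.exe export $Path $backup /y | Out-Null

    if ($Path -match '\\shellex\\ContextMenuHandlers\\') {
        $clsid = [string](Get-ItemProperty -LiteralPath $lit).'(default)'
        if ($clsid -and -not $clsid.StartsWith('-')) {
            Set-ItemProperty -LiteralPath $lit -Name '(default)' -Value "-$clsid"
        }
    } else {
        # An empty REG_SZ named LegacyDisable hides the verb; Extended makes it Shift-only.
        $name = if ($Extended) { 'Extended' } else { 'LegacyDisable' }
        New-ItemProperty -LiteralPath $lit -Name $name -Value '' -PropertyType String -Force | Out-Null
    }
}

# Usage (key names are assumptions for illustration):
# Get-ContextMenuEntry | Where-Object Name -like '*VLC*'
# Disable-ContextMenuEntry -Path 'HKEY_CLASSES_ROOT\Directory\shell\PlayWithVLC'
# Disable-ContextMenuEntry -Path 'HKEY_CLASSES_ROOT\Directory\shell\AddToPlaylistVLC' -Extended
```

Explorer re-reads these keys when the menu is opened, so no restart is needed to see the effect; to undo, run reg.exe import on the exported file.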
Cleaning Up the Context Menu the Easy Way
Instead of hacking the registry, you can use two different NirSoft utilities to clean up the context menu. Two are needed because some menu items are implemented as Explorer shell extensions (the “shellex” keys explained above) and others as regular context menu items (the “shell” keys).
The first tool we will check out is ShellMenuView, which allows us to manage all of those “shell” key items with an easy to use interface.
Just browse down until you find the offending item, then click the Disable button… which actually creates a LegacyDisable value just like we explained in the manual section above.
Next, we need to disable those “shellex” or Shell Extensions, using another great NirSoft utility appropriately called ShellExView. This one works the same way as the first utility… just select the handler and click the Disable button to stop it from loading.
Go forth, and clean your context menu clutter! And yes, this works the same in all versions of Windows.
For today’s lesson we’ll show you how to add Notepad to the menu, but you could add any applications you want instead. The first thing you’ll want to do is open up regedit.exe through the Start Menu search or run box, and then browse down to the following key:
Next, you’ll want to create a new key underneath the shell key, the name of which is exactly what is going to show up on the desktop menu. Right-click on the “shell” key, and then choose New Key from the menu.
Give the new key the name that you want to show up on the desktop context menu. For this example we’ll be using Notepad.
Optional: If you want to assign an “Alt” key to this menu entry for quicker access, you can change the (Default) value on the right and put an & character in front of the key you want to use. For instance, if you wanted to be able to just use the N key to launch Notepad once the desktop context menu pops up, you can do this:
Personally I don’t find this terribly useful since you have to use the mouse to right-click on the desktop… may as well just use the mouse to click the item. Still, for completeness I’ve included it.
Next you’ll need to create the command key that will actually hold the command used to launch the application. Right-click on the new Notepad key, and then choose New Key from the menu.
Give this key the name “command” in lowercase.
To complete this step you’ll need the full path to the application that you want to launch. You can use Shift + Right-Click on the executable to get the Copy as Path menu item, which is the quickest way to find it. Note: of course, for Notepad you wouldn’t need the full path, since notepad.exe is on the system path, but this is just an example.
Now click on “command” on the left side, and then double-click on the (Default) value on the right side to edit the string value.
Paste in the full path to the executable that you got from the “Copy as Path” step above (keep the surrounding quotes it adds, since a path containing spaces needs them), or type the full path yourself if you’d like.
And right-clicking on the desktop will produce the new menu item… naturally, using this menu item should launch Notepad.
You can add as many applications to the desktop context menu as you’d like, just repeat the steps again with a new menu item name.
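The procedure above as one added PowerShell function, not part of the original article. It writes the verb key and its command subkey under HKEY_CLASSES_ROOT\Directory\Background\shell (the standard location for the desktop background menu), optionally inserts the & accelerator marker, and comes with a matching remove function. The Notepad++ path in the usage lines is an assumption; writing to HKCR needs an elevated prompt.

```powershell
# Added example: add or remove a desktop-background context-menu entry.
$DesktopShell = 'Registry::HKEY_CLASSES_ROOT\Directory\Background\shell'

function Add-DesktopContextMenuEntry {
    param(
        [Parameter(Mandatory)][string]$Name,      # text shown in the menu, e.g. Notepad
        [Parameter(Mandatory)][string]$Command,   # full command line; quote paths that contain spaces
        [string]$Accelerator = ''                 # optional letter of $Name to mark with & for Alt access
    )
    $verb = "$DesktopShell\$Name"
    # -Force creates the verb key and its command subkey in one go, and is harmless if they exist.
    New-Item -Path "$verb\command" -Force | Out-Null

    if ($Accelerator) {
        # "&Notepad" lets the user press N once the menu is open.
        $idx = $Name.IndexOf($Accelerator, [StringComparison]::OrdinalIgnoreCase)
        if ($idx -lt 0) { throw "Accelerator '$Accelerator' does not occur in '$Name'" }
        Set-ItemProperty -LiteralPath $verb -Name '(default)' -Value $Name.Insert($idx, '&')
    }
    Set-ItemProperty -LiteralPath "$verb\command" -Name '(default)' -Value $Command
}

function Remove-DesktopContextMenuEntry {
    param([Parameter(Mandatory)][string]$Name)
    Remove-Item -LiteralPath "$DesktopShell\$Name" -Recurse -ErrorAction SilentlyContinue
}

# Usage: the article's Notepad entry, plus one with a quoted full path (assumed location).
# Add-DesktopContextMenuEntry -Name 'Notepad' -Command 'notepad.exe' -Accelerator 'N'
# Add-DesktopContextMenuEntry -Name 'Notepad++' -Command '"C:\Program Files\Notepad++\notepad++.exe"'
# Remove-DesktopContextMenuEntry -Name 'Notepad'
```

Anything placed in the command value runs with the privileges of the Explorer session, so only point it at executables in locations an ordinary user cannot overwrite.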
Kurt L Hudson 11 Jun 2012 5:24 PM
The strength of a public-key algorithm is judged by the computational effort needed to recover the private key from the public key; for RSA this means factoring the modulus. The algorithm is deemed strong enough when that effort is prohibitive with the computing power an attacker can be expected to have. The threat landscape continues to evolve. As such, we are further hardening our criteria by blocking RSA keys with a length of less than 1024 bits.
To further reduce the risk of unauthorized exposure of sensitive information, Microsoft has created a software update that will be released in August 2012 for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This update will block the use of cryptographic keys that are less than 1024 bits.
Some issues that you may encounter after applying this update include:
Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
Installing ActiveX controls that were signed with keys shorter than 1024 bits
Installing applications that were signed with keys shorter than 1024 bits (unless they were signed prior to January 1, 2010, which will not be blocked by default).
To prepare for this update, you should determine whether your organization is currently using keys less than 1024 bits. If it is, then you should take steps to update your cryptographic settings such that keys under 1024 bits are not in use.
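One way to start the inventory the paragraph above asks for, as an added PowerShell example that is not part of the original post. It walks the local certificate stores, reports RSA certificates below the threshold, and, because the update rejects a weak key anywhere in the chain, builds the chain for each certificate the way CertGetCertificateChain would and lists any weak element (an issuing or root CA included). The store list and threshold are parameters; it needs PowerShell 3 or later on Windows, and the RSACertificateExtensions call is only available on .NET Framework 4.6 or later, so an older fallback is kept.

```powershell
# Added example: find RSA certificates shorter than a given size, including weak keys higher in the chain.
function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if ($Certificate.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return $null }   # not an RSA key
    try {
        [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate).KeySize
    } catch {
        $Certificate.PublicKey.Key.KeySize   # pre-4.6 .NET Framework path
    }
}

function Find-WeakRsaCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA',
                                 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My'),
        [int]$MinimumBits = 1024
    )
    foreach ($store in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $store -ErrorAction SilentlyContinue) {
            $bits = Get-RsaKeyBits $cert
            if ($null -eq $bits) { continue }

            # Build the chain and inspect every element's key, not just the leaf.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'     # key size, not revocation, is the question here
            $built = $chain.Build($cert)
            $weakInChain = @($chain.ChainElements | ForEach-Object { Get-RsaKeyBits $_.Certificate } |
                             Where-Object { $null -ne $_ -and $_ -lt $MinimumBits })

            if ($bits -lt $MinimumBits -or $weakInChain.Count -gt 0) {
                [pscustomobject]@{
                    Store       = $store
                    Subject     = $cert.Subject
                    Thumbprint  = $cert.Thumbprint
                    KeyBits     = $bits
                    WeakInChain = ($weakInChain -join ',')
                    ChainBuilt  = $built
                    ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
                    NotAfter    = $cert.NotAfter
                }
            }
            $chain.Reset()
        }
    }
}

Find-WeakRsaCertificate | Format-Table -AutoSize
```

Run it on a representative member server and on the CA itself; a weak root or intermediate shows up once per leaf that chains to it, which is exactly the blast radius the update will have.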
Certificate Chain Build Block of Keys under 1024 Bits
The Crypto API builds a certificate trust chain and validates that chain using time validity, certificate revocation, and certificate policies (such as intended purposes). Once the update is applied, chain building performs an additional check to ensure that no certificate in the chain has a key length of less than 1024 bits. Chain building is done using the CertGetCertificateChain function. If chain building encounters such a certificate, the errors produced are as follows:
Event 11, CAPI2
Working CSPs that Default to Allow Minimum 512 Bit Keys
There are three cryptographic service providers (CSPs) that default to allowing 512-bit keys in Windows Server 2008 R2:
Microsoft Base Cryptographic Provider v1.0 (RSA)
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider (DH)
Microsoft DH SChannel Cryptographic Provider
When working with V2 certificate templates, if you do not specify the key size, the default CSP with its default key size is used to generate the key. If the default CSP on the client is one of the three above, the generated key will be under 1024 bits, and a CA that has been updated with weak-key protection will reject the request. We therefore recommend that you do the following:
Configure the template to specify the cryptographic providers that must be used, by selecting Requests must use one of the following providers and choosing providers whose default key size is 1024 bits or larger.
Configure the Minimum key size to 1024 bit or larger.
When using certreq, ensure that you specify a 1024 bit or larger key in the INF file. For additional information, see Best Practice for Configuring Certificate Template Cryptography.
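A certreq request that pins both the key length and the provider, as an added PowerShell example that is not part of the original post, so the client can never fall back to a CSP whose default is 512 bits. The subject, template and CA config string are placeholders; the last line checks the request file itself with certutil -dump before it is submitted.

```powershell
# Added example: request a certificate with an explicit 2048-bit RSA key and provider.
$inf = @"
[NewRequest]
Subject = "CN=app01.corp.example"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
"@
$req = Join-Path $env:TEMP 'app01.req'
$inf | Set-Content -Path "$env:TEMP\app01.inf" -Encoding ASCII
& certreq.exe -new "$env:TEMP\app01.inf" $req

# Verify the key size in the PKCS #10 before submitting; the CA will reject it otherwise.
& certutil.exe -dump $req | Select-String 'Public Key Length'

# Submit to the issuing CA (config string "host\CA common name" is a placeholder).
& certreq.exe -submit -config 'ca01.corp.example\Corp Issuing CA' $req "$env:TEMP\app01.cer"
```

ProviderType 12 is PROV_RSA_SCHANNEL and KeySpec 1 is AT_KEYEXCHANGE, which is what an SSL/TLS server certificate needs; if the template enforces its own provider list, the ProviderName here must be one of those it allows.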
Discovering Usage of Keys under 1024 Bits in Certificate Templates
You can run the following query on your Certification Authorities (CAs) in order to discover certificate templates that are utilizing keys under 1024 bits:
Note: The command should be run in each forest in your organization.
If you run this query, templates that allow keys smaller than 1024 bits are shown with their minimum key size. The figure in the original post shows that two of the built-in templates, SmartcardLogon and SmartcardUser, have a default minimum key size of 512 bits. You may also discover other templates that were duplicated with minimum key sizes of less than 1024 bits.
For each template you discover that allows less than 1024-bit keys, you should determine whether it is available to issue certificates, as shown in the Certificate Templates section of the Certification Authority console.
For these templates, you should consider increasing the Minimum key size to a setting of at least 1024 (assuming the devices to which these certificates are to be issued support a larger key size).
You should use Reenroll All Certificate Holders to cause the client computers to reenroll and request a larger key size.
If you have issued certificates using the built-in Smartcard Logon or Smartcard User templates, you will not be able to adjust the minimum key size of the template directly. Instead, you will have to duplicate the template, increase the key size on the duplicated template, and then supersede the original template with the duplicated template.
After you have superseded the template, you should use Reenroll All Certificate Holders to cause the client computers to reenroll and request a larger key size.
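The discovery steps of this section (templates with a minimum key size under 1024 bits, and whether any CA is actually set up to issue them) as one added PowerShell function that is not part of the original post. It reads the template objects and the pKIEnrollmentService objects from the forest's configuration partition, so it answers both the "which templates" and the "is it available to issue" questions in one pass. It assumes the ActiveDirectory module from RSAT; because templates are forest-wide, run it once per forest with -Server pointed at a domain controller of each.

```powershell
# Added example: list certificate templates whose minimum key size is below a threshold,
# together with the CAs that publish them.
function Find-WeakKeyTemplate {
    param(
        [int]$MinimumBits = 1024,
        [string]$Server                  # a DC of the forest to query; omit for the current forest
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }
    $configNC = (Get-ADRootDSE @ad).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # msPKI-Minimal-Key-Size is the "Minimum key size" shown in the Certificate Templates console.
    $templates = Get-ADObject @ad -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties displayName, 'msPKI-Minimal-Key-Size'

    # Each CA's certificateTemplates attribute lists the templates it is configured to issue.
    $cas = Get-ADObject @ad -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates

    foreach ($t in $templates) {
        $bits = $t.'msPKI-Minimal-Key-Size'
        if ($null -eq $bits -or $bits -ge $MinimumBits) { continue }
        $issuedBy = $cas | Where-Object { $_.certificateTemplates -contains $t.Name } | ForEach-Object { $_.Name }
        [pscustomobject]@{
            Template    = $t.Name
            DisplayName = $t.displayName
            MinKeySize  = $bits
            PublishedOn = ($issuedBy -join ', ')    # empty means no CA currently issues it
        }
    }
}

Find-WeakKeyTemplate | Sort-Object MinKeySize | Format-Table -AutoSize
```

Templates that show up with an empty PublishedOn column can simply be raised or retired; those with a CA listed are the ones whose holders need the duplicate-supersede-reenroll treatment described above.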
Discovering Usage of Keys under 1024 Bits in Cryptographic Operations
You can use CAPI2 logging, available on Windows Vista and Windows Server 2008 or later, to help identify keys under 1024 bits that are actually in use. Let the computers perform their normal operations, then check the log after a period of time; the entries tell you which certificates were involved, so you can track down their sources and make the necessary updates.
To accomplish this, you must first enable verbose diagnostic logging. To enable verbose mode logging:
Open the Registry Editor (regedit.exe).
Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
Add a DWORD (32-bit) value DiagLevel with value of 0x00000005
Add a QWORD (64-bit) value DiagMatchAnyMask with value of 0x00ffffff
Once you do this, you can then enable CAPI2 operational logging in the Event Viewer. The CAPI2 Operational log is located under Applications and Service Logs, Microsoft, Windows, and CAPI2 in the Event Viewer. To enable logging, right-click the Operational log and select Enable Log.
Once you’ve collected the log, you can use the following filter to reduce the number of entries that you have to search through in order to find certificate operations with keys under 1024 bits. The following filter looks for keys of 512 bits.
You can also query multiple key lengths with a single query. For example, the following filter queries for both 384 bit and 512 bit keys.
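The logging setup and the event query from this section as an added PowerShell script that is not part of the original post. It writes the two crypt32 diagnostic values listed above, enables the CAPI2 Operational channel with wevtutil (and enlarges it, since the default size fills quickly at DiagLevel 5), and then pulls Build Chain events (ID 11) for one or more key lengths. The page does not reproduce the filter itself; the XPath below assumes that CAPI2 records each chain element's key size as the publicKeyLength attribute of a PublicKeyAlgorithm element under ChainElement, so confirm that against the XML of one logged event on your build before relying on it. Run elevated.

```powershell
# Added example: enable CAPI2 verbose logging and search Build Chain events for weak keys.
$Crypt32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\crypt32'
$Channel = 'Microsoft-Windows-CAPI2/Operational'

function Enable-Capi2Logging {
    New-ItemProperty -Path $Crypt32 -Name DiagLevel -Value 0x5 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Crypt32 -Name DiagMatchAnyMask -Value 0xffffff -PropertyType QWord -Force | Out-Null
    & wevtutil.exe sl $Channel /e:true /ms:67108864     # 64 MB so entries are not overwritten too soon
}

function Disable-Capi2Logging {
    & wevtutil.exe sl $Channel /e:false
    Remove-ItemProperty -Path $Crypt32 -Name DiagLevel, DiagMatchAnyMask -ErrorAction SilentlyContinue
}

function Find-Capi2WeakKeyEvent {
    param(
        [int[]]$KeyBits = @(384, 512),       # lengths to search for; add 768 or 1023 as needed
        [string]$ComputerName                # optional remote machine
    )
    # Assumption (see lead-in): key size lives in ChainElement/PublicKeyAlgorithm/@publicKeyLength.
    $conds = ($KeyBits | ForEach-Object { "@publicKeyLength='$_'" }) -join ' or '
    $xpath = "*[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[$conds]]]]]]"
    $filter = @"
<QueryList><Query Id="0" Path="$Channel"><Select Path="$Channel">$xpath</Select></Query></QueryList>
"@
    $params = @{ FilterXml = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    Get-WinEvent @params | ForEach-Object {
        $x = [xml]$_.ToXml()
        $chain = $x.Event.UserData.CertGetCertificateChain
        $weak  = $chain.CertificateChain.ChainElement |
                 Where-Object { [int]$_.PublicKeyAlgorithm.publicKeyLength -in $KeyBits } |
                 ForEach-Object { "$($_.Certificate.subjectName)=$($_.PublicKeyAlgorithm.publicKeyLength)" }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ProcessId = $x.Event.System.Execution.ProcessID
            Subject   = $chain.Certificate.subjectName     # the end-entity the chain was built for
            WeakKeys  = ($weak -join '; ')
        }
    }
}

# Enable-Capi2Logging
# ... let the machine run its normal workload for a while ...
# Find-Capi2WeakKeyEvent -KeyBits 384, 512, 1023 | Format-Table -AutoSize
# Disable-Capi2Logging
```

Leave logging on long enough to cover scheduled and monthly jobs, not just interactive use, and remember to turn it off afterwards: at DiagLevel 5 the channel is noisy and costs disk and CPU.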
Tags: certificates, PKI, 1024, key size, certificate, AD CS
jmdesp 12 Jun 2012 8:13 PM #
I strongly hope you are taking under consideration in this update that some ‘1024’ keys are actually 1023 or 1022 bits long keys. Or you will run into very serious problems with it.
RaFi 13 Jun 2012 4:31 AM #
Please delete a “[” character from
jbourdet23 13 Jun 2012 8:32 AM #
1. I’m interested in doing/using Event Forwarding to forward CAPI2 events to a central server. I’m already familiar with event forwarding and using it to forward from security, application and other logs. When I try to forward from the CAPI2 log the forwarder returns an error. I started with the Machine Account but even tried my domain admin account and the forwarder says ‘no active channel is available’.
2. Just a comment: You can enable the CAPI2 log by a registry or GP update also. Set the following key to a value of 1: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\Enable
Kurt L Hudson 13 Jun 2012 11:32 AM #
Fixed the command. It should have included a space in the syntax (as shown in the figure). Thanks for reporting. As for the other comment about us considering the length of keys, we have done extensive testing on this and continue to do so. We will be posting an article in the future that will explain more, including troubleshooting steps and modifications to the settings. This posting is just an informational post about what is coming in the future. There will be more information and steps presented in the future as well.
Kurt L Hudson 14 Jun 2012 1:46 PM #
jbourdet23, Would you please post the technical issue regarding the forwarding of CAPI2 logs to the Security forum (social.technet.microsoft.com/…/threads)?
Kurt L Hudson 22 Jun 2012 12:08 PM #
Questions and answers:
1. Is this update targeting only RSA keys less than 1024 bits? Yes, only RSA keys are targeted.
2. Will there be a KB article? Yes, one is planned and will go out with the update.
3. After installing the patch on a Microsoft CA, will the Web enrollment interface allow PKCS #10 requests for certificates that use a 512-bit key? Once the CA is patched, requests for certificates that are less than 1024 bits will fail.
4. Will the 1023 bit keys that are issued by IBM’s WebSphere be affected by the update? No, those keys will not be blocked by the update.
Kai Rohrbacher 25 Jun 2012 6:21 AM #
Will there be the chance to _intentionally_ delete / uninstall the respective MS patch? (=as a work-around in case that customer systems will not be able to be updated till August)
Kurt L Hudson 25 Jun 2012 11:16 AM #
Kai Rohrbacher – When the update comes out, you will be able to modify how it works through registry modifications. For example, you will be able to set 512 as the minimum, or set the system to only log issues, not block them. We have another blog post to discuss these settings planned, as well as a TechNet Wiki article planned to describe how to identify and resolve issues with the update.
Donna Simpson 27 Jun 2012 10:34 AM #
How will this affect the Secure ID RSA tokens?
Kurt L Hudson 28 Jun 2012 10:51 AM #
Q: How will this affect VPNs?
A: PPTP used for VPN uses MPPE (technet.microsoft.com/…/cc757532.aspx) for encryption, which is a different protocol and is not affected by the blocking of RSA keys less than 1024 bits. Microsoft’s MPPE uses the RC4 cipher for encryption, while non-Microsoft clients may use different ciphers. None of these is affected by this change.
This change is applicable only to RSA asymmetric keys and we are changing the behaviour of chain building (msdn.microsoft.com/…/aa376078.aspx) only.
RFC 3078 specifies that for initial session keys, peer credentials are used. If certificates less than 1024 bits are used for authentication then the authentication will fail before MPPE comes into picture.
Kurt L Hudson 29 Jun 2012 9:19 AM #
Donna Simpson – I received a detailed answer to your question:
At a very high level, RSA SecurID authentication consists of a token (software or hardware) which is assigned to a computer user and generates an authentication code at fixed intervals.
A user authenticating to a network resource needs to enter both a PIN and the number displayed at that moment on their RSA SecurID token. The server computes what number the token is supposed to be showing at that instant, checks it against the user-entered data and makes a decision to allow or deny access. So here the chain-building function (CertGetCertificateChain()) is not invoked and will not be hit in this case.
However, there are newer versions of SecurID which feature a USB connector, which allows the token to be used as a smart card-like device for securely storing certificates (example: SID800 model). This device is capable of storing digital certificates which can be used to log on to a Windows operating system, and in that case, if the certificate has an RSA key less than 1024 bits, the chain-building function will return an error and prevent user logon.
If you are not referring to RSA SecurID but talking in general about RSA secure token authentication, then whenever the authentication is based on RSA certificates the chain-building function will be used, and if the certificate’s key size is less than 1024 bits, the functionality will be broken.
Here is a list of several programs that I have on my machines and will usually utilize when cleaning up a client’s computer.
1. CCleaner – Piriform – (essential tool for cleaning up unneeded files and registry entries.)
2. Secunia PSI 3.0 – (essential application that helps the user update all of their installed applications, or does it automatically if desired.)
3. SlimDrivers – (utility that scans your installed hardware and notifies you if any device drivers should be updated.)
4. Sandboxie – (the ultimate safety net: lets the user surf the web, check email, or run any program safely inside a sandboxed environment that can be discarded at any time.)
5. Notepad++ – (the editor I use to create scripts and batch files, including Python scripts; great for coding in any programming language.)
6. Revo Uninstaller – (essential utility for completely removing unwanted applications from a PC.)
7. Sysinternals Suite – (ancient but essential suite of tools for troubleshooting Windows.)
8. Malwarebytes Anti-Malware – (free anti-malware remover that has done great work for many years.)
9. SlimCleaner – (similar to CCleaner but does a more complete job of removing unneeded files and settings, for advanced power users.)
10. PowerGUI – (advanced tool for creating PowerShell scripts to automate sysadmin tasks.)
What was BMW thinking when they decided to allow electronic keyless entry and ignition? Did they really think they could protect buyers from hackers? Don’t they know by now that if they are going to use computers inside their vehicles, they must hire a team of security experts? I feel bad for anyone who bought one of these “hackable rides”.