Search the Community

Showing results for tags 'firewall'.
Found 48 results

  1. This Device Works as a Firewall for Your USB Ports

     USG v1.0 (via Robert Fisk)

     The USG is a USB attachment that allows users to connect USB flash drives and other USB devices to their computer without any of the risks. Attacks like BadUSB have shown how a rogue device can mimic a benign USB interface, but secretly send malicious low-level commands and take over a computer via its USB port.

     USG works like a firewall for USB connections

     USG, created by New Zealander Robert Fisk, works as an intermediary between the computer and the USB device (flash drive, USB keyboard, USB mouse) and behaves similarly to a firewall, inspecting the data that passes through it. USG, which runs on custom firmware, only lets data pass, ignoring any kind of low-level interactions between the USB device and computer. Furthermore, USG protection goes both ways, meaning you can use USG to protect USB flash drives when connecting to unknown computers.

     USG designed to thwart BadUSB attacks

     BadUSB attacks work because computers inherently trust anything connected via a USB port. If it's a mouse or a device such as PoisonTap, which can alter DNS settings and dump passwords, the computer behaves the same. It doesn't care. Fisk says he developed USG after realizing he also couldn't trust the vendors of USB-based components. "Do you know who developed your flash drive's firmware?" Fisk asks. "It's probably not the company name printed on the packaging." "Has the firmware been audited for backdoors and malicious functionality? Can you confirm that the firmware running on your drive hasn't been maliciously modified during or after manufacture?" These questions drove him to create USG using off-the-shelf development boards. He then wrote custom firmware to power these boards and make USG work as USB devices should, only focusing on the data transfer, and nothing else. Fisk open-sourced USG's firmware on GitHub.

     USG drawbacks

     Of course, this has its drawbacks. A lot of the noise traffic on USB devices is the firmware negotiating connections and improving data transfer speeds. These things are not included in USG, as they are the attack vectors for BadUSB. As such, the recently released USG v1.0 only supports a data transfer speed of up to 1 MB/s, much inferior to commercial USB devices that work in the range of tens of MB/s. In addition, USG only supports USB mass storage (flash drives), keyboards, and mice, but Fisk promises to add support for other types of USB devices in the future.

     People can buy or make their own USG

     Fisk says that anyone can make their own USG devices using off-the-shelf development boards, but if they don't have the skills, he's also selling USG devices for around $60 + shipping. "My reputation hinges on the integrity of this project," Fisk explains. "This includes the integrity of the hardware I am offering for sale. This is why I will never outsource the manufacture of USG hardware to another country." "The USG is assembled in New Zealand under my direct supervision, and the firmware is programmed from a secure device by yours truly," the developer adds. "USG devices delivered by post have tamper-evident seals placed around the case, so any attempt to reprogram the firmware is visible." Fisk recommends USG for companies and people who want to protect crucial workstations, or for people who travel a lot and have a USB flash drive they often connect to many untrusted computers. The only downside to USG (by design) is that it doesn't distinguish between good data and bad data. Malware stored on a USB flash drive can pass through USG without any warnings since the malware is just a random blob of data to USG. For malware attacks, you'll have to rely on an antivirus.

     Source
  2. The vendors were told about the problem and have yet to patch things up, leaving the door open to attackers

     It seems that security researchers have found some bugs in Java and Python which allow attackers to go around any firewall defenses. Over the past few days, two different researchers - Alexander Klink and Timothy Morgan of Blindspot Security - expressed their concern over a new vulnerability they say occurred because Java does not verify the syntax of user names in its FTP protocol. Despite the fact that connecting to FTP servers can be done with authentication, Java's XML eXternal Entity (XXE) doesn't check for the presence of carriage returns or line feeds in usernames, which poses a security threat. Attackers can terminate "user" or "pass" commands, inject new commands into the FTP session and connect remotely to servers in order to send unauthorized email.

     "FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled," Morgan writes.

     The vulnerability can be exploited in several ways, including to parse malicious JNLP files, conduct man-in-the-middle attacks or engage in server-side request forgery campaigns.

     Delayed response

     The vendors have yet to patch the bug, despite the security teams of both companies being notified. Python was informed of the issues in January 2016, while Oracle was told about it in November 2016, indicating just how long the researchers waited before exposing the problem to the world. Hopefully, now that it's all public, the two vendors will actually patch things up in order to avoid a wave of attacks using these particular bugs. The recommendation, until then, is for both enterprise players and the general public to disable classic mode FTP by default.

     Source
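The CR/LF problem the post above describes, as an added example that is not code from the article, from Blindspot Security, or from the Java and Python libraries it names: a client that interpolates URL credentials straight into USER/PASS lines hands the server extra commands, while a client that rejects control characters does not. The function names and the ftp.example.test URL are constructed for illustration.

```python
"""Reject FTP URL credentials that could smuggle extra protocol commands.

Added example (not from the article or from the Java/Python libraries it
discusses): it shows why a CR/LF in a username matters and how a client
should validate credentials before building USER/PASS lines.
"""
import re
from urllib.parse import urlsplit, unquote

# FTP commands are CRLF-terminated lines, so a credential must not contain
# CR, LF or any other control character (RFC 959 uses printable 7-bit text).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def credential_is_safe(value: str) -> bool:
    """True if the credential contains no control characters."""
    return _CONTROL.search(value) is None


def build_login_lines_unchecked(user: str, password: str) -> bytes:
    """Naive client behaviour: interpolate credentials straight into commands."""
    return f"USER {user}\r\nPASS {password}\r\n".encode()


def build_login_lines(user: str, password: str) -> bytes:
    """Hardened variant: refuse credentials that would inject commands."""
    for name, value in (("user", user), ("password", password)):
        if not credential_is_safe(value):
            raise ValueError(f"control character in FTP {name}")
    return build_login_lines_unchecked(user, password)


def count_commands(wire: bytes) -> int:
    """Number of command lines the server would see on the wire."""
    return len([line for line in wire.split(b"\r\n") if line])


def login_lines_from_url(url: str) -> bytes:
    """Extract (percent-decoded) credentials from an ftp:// URL and build the login."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URL")
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "")
    return build_login_lines(user, password)


if __name__ == "__main__":
    # Constructed sample: a CR/LF hidden in the user part of the URL.
    bad = "ftp://alice%0D%0AQUIT@ftp.example.test/"
    naive = build_login_lines_unchecked(unquote("alice%0D%0AQUIT"), "secret")
    print("unchecked client sends", count_commands(naive), "commands")  # 3
    try:
        login_lines_from_url(bad)
    except ValueError as exc:
        print("hardened client:", exc)
```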
  3. SAN FRANCISCO—Google may have sent the tired castle analogy of network security’s soft center protected by a tough exterior out to pasture for good. On Tuesday at RSA Conference, Google shared the seven-year journey of its internal BeyondCorp rollout where it affirms trust based on what it knows about its users and devices connecting to its networks. And all of this is done at the expense—or lack thereof—of firewalls and traditional network security gear.

     Director of security Heather Adkins said the company’s security engineers had their Eureka moment seven years ago, envisioning a world without walls and daring to challenge the assumption that existing walls were working as advertised. “We acknowledged that we had to identify [users] because of their device, and had to move all authentication to the device,” Adkins said.

     Google, probably quicker than most enterprises, understood how mobility was going to change productivity and employee satisfaction. It also knew that connecting to corporate resources living behind the firewall via a VPN wasn’t a long-term solution, especially for those connecting on low-speed mobile networks where reliability quickly became an issue. The solution was to flip the problem on its head and treat every network as untrusted, and grant access to services based on what was known about users and their device. All access to services, Adkins said, must then be authenticated, authorized and on encrypted connections. “This was the mission six years ago, to work successfully from untrusted networks without the use of a VPN,” Adkins said.

     Implementing BeyondCorp required a new architecture, said Rory Ward, a site reliability engineering manager at Google, with a sharp focus on collecting quality data for analysis. The first step was to inventory users and their roles as their careers at Google progress, essentially re-inventing job hierarchies, and assessing how and why they need to access internal services. The same intimacy was needed with respect to device information, requiring construction of a similar inventory system that tracks all devices connecting to services through its lifecycle. For the time being, Ward said, this applies to managed devices only, though in the future he hopes to extend this capability to user-owned private devices.

     With that in place, Ward said Google engineers went to work building a dynamic trust repository that ingested data from more than two dozen data sources feeding it information about what devices were doing on the network. Policy files would describe how to define trust for a device and that would be done dynamically. “The trust definition of a device can go up or down dynamically depending on what was done and what the policy says,” Ward said. “We have complete knowledge of users, devices and an indication of trust of every device accessing Google systems.”

     Next, an access control engine was developed to enforce policy; it has the capability to ingest service requests along with user and device information and apply and enforce policy rules for accessing resources. For example, Ward said, to access source code systems, one would have to be a full-time Google employee in engineering and using a fully trusted desktop. This part of the rollout, Ward said, took two to three years to implement and brought Google closer to its goal of enabling access from anywhere.

     The final part of the rollout, Adkins and Ward said, was the implementation phase. While the project had executive support, there was a caveat: Don’t break anything or anybody. This was a tall order given Google’s tens of thousands of internal users and devices and 15 years of assertions about a privileged network. Ward said the expensive first step was to deploy an unprivileged and untrusted network in every one of Google’s approximately 200 buildings. Engineers grabbed samples of traffic from its trusted network and replayed it on the new untrusted network in order to analyze how workloads would behave. An agent was installed on every device in its inventory and every packet from those devices was also replayed on the new network to see what would fail as unqualified. This was a two-year process as well, and as it turned out, the project successfully chugged ahead to its full implementation. “We managed to move the vast majority of devices, tens of thousands of devices and users, onto the new network and did not manage to break anybody,” Ward said.

     Adkins said that earning executive support required making convincing arguments about this initiative making IT simpler, less expensive, more secure and employees happier and more productive. “Clear business objectives are compelling to executives,” Adkins said. “We went from location-based authentication and knowledge-based authentication that relies on quality data. Accurate data was the key to be able to make this thing work.”

     Article source
  4. Firewall App Blocker 1.5: Easier Windows Application Blocking

     Firewall App Blocker 1.5 is the latest version of the popular third-party program for Windows to block applications from accessing the Internet. While you can block any process from connecting to the Internet using the built-in firewall on Windows machines, the process is not overly comfortable as it involves several steps to complete. That's one of the main reasons why programs such as Windows Firewall Control and Firewall App Blocker are popular.

     Firewall App Blocker 1.5

     Firewall App Blocker was designed to improve the process of allowing or blocking applications in Windows Firewall. The portable program extends Windows Firewall in this regard. To use it, download the latest version of the firewall program from the developer website (linked in the summary box below this article), and extract the archive that it is provided in. The program is provided as a 32-bit and 64-bit application in the program folder after extraction. The 64-bit version of the application is a new feature of this release.

     If you have used the last version of the program, released in 2014, you may notice differences immediately. The outbound and inbound rules are now separated, so that it is easier to keep an overview. All existing rules are listed in the interface. Each entry is listed with its name (usually program name and filename), the location on the disk, whether the rule is enabled, and the action (allow, block). You can sort the data with a click on a column header, for instance to display all active rules, or all rules that block connections.

     Add process is another new feature of Firewall App Blocker 1.5. You had to select programs on the disk in previous versions to add rules for them. With the new add process option, it is now possible to pick running processes as well, which makes it easier as you don't have to browse the system for the file location anymore.

     Another feature that adds to the comfort level of the program is the add a folder option. It blocks all executable files in the selected folder automatically. This is useful if there are multiple executable files in a folder that you want to block. Instead of selecting each executable file individually, you'd simply block the whole folder using the program. How is that done? Simple: click on File > Add Folder Contents, and select the folder using the file browser that opens. This adds all executable files of that folder to the block list. Please note that this is a one-time process. The folder is not monitored for new executable files. So, any executable file placed in the folder after you run the operation is still allowed to run. You need to re-run the add folder option in this case or add the new executable file manually.

     Firewall App Blocker supports a new and handy "block all Internet" feature which you can toggle with a click on Firewall > Block Internet. You may use the same Firewall menu to disable the firewall as well. What else? The program window is resizable now, and you may change the font used by the application to display the firewall rules in the list. Last but not least, there is a new whitelist mode feature which blocks all processes from connecting to the Internet except for those on the whitelist. You switch between default mode and whitelist mode in the firewall menu.

     Closing Words

     The Firewall App Blocker 1.5 update improves the program in several significant ways: 64-bit program support, the new whitelist and folder blocking features, and the new handy process blocking options.

     Now You: Which firewall, and program, do you use on your machines?

     Source
  5. Sphinx Windows Firewall Control

     A guest post from Noel Carboni:

     Firewall software is responsible for blocking or allowing network communications. A lot of folks who care about security and privacy visit AskWoody.com, so I want to let everyone here know about a good piece of 3rd party firewall software that’s just been released: Sphinx Windows Firewall Control version 8
     http://www.sphinx-soft.com/Vista/index.html

     Essentially Sphinx Windows Firewall Control offers, for Win 7, 8, and 10 users, the practical ability to set up and manage a “deny outgoing connections by default” configuration. The Sphinx Windows Firewall Control application works with the Microsoft-provided Windows Filtering Platform / Base Filtering Engine, where the “dirty work” of actually gating network connections is done. The filtering platform is a mature, working system component that has been around for a while now.

     Out of the box, Windows of course provides the Windows Advanced Firewall, but in its default configuration it really doesn’t do much to enhance users’ privacy and security, since it allows all outgoing communications by default. That made some sense when we actually trusted the OS maker to have our backs. Now…

     Think of the Sphinx Windows Firewall Control software package as a different, better, user interface for managing the firewall configuration on the PC, and in fact it CAN run alongside the Windows Advanced Firewall – there is no coupling between the two – though in practice you really want to just shut off the Windows Advanced Firewall and manage firewall operations entirely with the Sphinx software. Having both active would just lead to confusion.

     But the really neat part – the thing that’s really special about this new version 8 release – is that the firewall configuration can now be managed using names, not addresses. That’s very significant. It changes the effort in setting up and maintaining a firewall configuration from impractical to almost trivial, given today’s networking that’s rich with server banks and content delivery networks (where a given host name can resolve to many different addresses). It means, in layman’s terms, that if you want to allow site svc.anksvn.net to be contacted you just enter the name svc.anksvn.net into a zone rule and you’re done. You don’t have to figure out that this name can resolve to any of multiple different network addresses and enter them all. And you don’t have to try to figure out when a new server at a different address is added or one of them is taken offline in the future.

     I can’t stress enough how much managing the firewall configuration by name simplifies the setup and greatly reduces ongoing maintenance. It literally changes it from practically impossible to something that can be taken to a very detailed level and still kept up. I personally am a control aficionado and have what some would call quite a pedantic setup, where EVERYTHING is controlled to the finest point. The Sphinx software sets up a workable default configuration, but I’ve developed my own configs completely from scratch. I’m quite willing to share them if it can be helpful to others to see what I’ve set up. I have literally not had to make any changes to my Sphinx firewall configuration in weeks. It really is possible to develop a practically “set it and forget it” configuration that lets you do normal things without exposing you to new threats.

     Some observations, after using this software for quite a while:

     Seeing what Windows tries to contact in the Events pane of this software gives one a warm feeling of knowing what’s happening on your system. Logging can be managed by application – meaning you can, for example, log everything your services do online but suppress logging of sites you visit with your browser. There’s a UI panel for the events (that you can, for example, clear or filter for certain things), and there’s a bona fide geek level log put in a file as well.

     It offers complex-enough configuration capabilities to set up most of the system to run in a deny-by-default mode, yet some applications (e.g., your browser or Skype) can be set to allow-by-default – with exceptions to both of course. So, for example, no newly installed program will be allowed to contact online servers until you add a rule to allow it, and conversely your browser can contact previously unvisited websites without any pop-up, yet still be blocked from contacting certain bad ones.

     New / unexpected attempts to make network connections are blocked with a pop-up that has a “horror movie” violin sound effect (which you can change if you like), at which point you can choose to either allow future such attempts or continue to deny them. What this means is that once you’ve got things initially set up, ongoing maintenance because of changes (e.g., installing new software) is essentially reactionary. In this day and age, knowing communications you have NOT allowed ahead of time will NOT succeed is comforting. This software has your back.

     There is a rich configuration interface. A change, for example, to allow or disallow Windows Updates is trivial for me. I just change the zone assigned to the Host Process for Windows Services (svchost) and it’s done. Thus no update will occur unless I specifically set the system up to do it.

     Through the Domain Names tab you can set up a list of security servers that are always allowed system-wide (e.g., machines serving the OCSP protocol that your system contacts when verifying code signing certificates, etc.). You can also set up a list of servers that are never allowed system-wide.

     Getting an indication of when an unapproved connection is attempted, by what application, and to what server, is very valuable in learning what needs to be reconfigured or tweaked via registry settings to make a system more private. Do that for a while and you end up with a Windows system that doesn’t even try to spill the beans.

     No matter what rules a software installer (e.g., a telemetry update) might try to add to the Windows Advanced Firewall, they don’t affect the Sphinx Windows Firewall Control configuration, so you’re still in complete charge of what is being allowed or denied.

     I have been working closely with the author all through the beta testing period of the name-based software, and I have run the package through all kinds of harsh tests. He’s a smart, careful engineer who has been very responsive to feedback. As a result, the software really works. I use the Network/Cloud edition on all my systems.

     I am not associated commercially with this product in any way. The only connection I have is that I have been a beta tester all through the development of version 8 and some time before that.

     Noel Carboni

     Source
  6. Show of hands—How many of you have heard someone say something like this: “You don’t need an extra firewall. The one that comes with Windows is sufficient for home users”. While this may be true for the default settings when it comes to protection, how many who have heard this remark are able to check which programs have added themselves to the list of allowed programs?

     Find the settings

     Let’s take a look. You can find the settings for the Windows firewall under Control Panel > System and Security > Windows Firewall > Allow a program or feature through Windows Firewall. Despite the title “Allow a program or feature …”, this is also the place where you can remove them from the list of allowed programs and features.

     Changing the settings

     To get started, click the “Change settings” button. This requires Administrator rights and, after execution, you will see that the tick boxes are no longer grayed out. Effectively, you can check here whether everything that has permission to connect is a program you trust, or whether you actually feel that they need to have these permissions. Some programs can be trusted to run on your computer, but there might be no real reason for them to make outside connections. The method above can be rather painstaking, especially if you have a large amount of programs installed. Not to mention all the (undoubtedly) confusing names. Malware authors are sometimes counting on our reluctance to disable anything made to look like it’s related to Microsoft, Windows, or Internet Explorer. “Who knows what will stop working if I disable that?”

     An easier way to check

     To make it a little easier, you can use a program that makes a log and uses whitelisting, so all you have to do is take a look at the remaining entries. One such program which is very popular at many tech help forums is FRST. If you download FRST (make sure to get the right version) and run it, make sure there is a tick in the “Addition.txt” field if you want to look at the firewall section. Once “FRST.txt” and “Addition.txt” are ready, you will be prompted. Click OK on both prompts, and the logs will be saved in the same folder as “FRST(64).exe”. A typical firewall related section of FRST will look like this:

     ==================== FirewallRules (Whitelisted) ===============
     (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
     FirewallRules: [{3297B962-0770-4831-890E-FEF6510610E4}] => (Allow) C:\Program Files\Newsbin\newsbinpro64.exe
     FirewallRules: [{8D2A05D2-99CF-487E-A1B9-F8564A86F6A2}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
     FirewallRules: [{E5055742-8397-4AFB-BDD9-DF9CFB3B2C4E}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
     FirewallRules: [{64DC59A3-D99D-4926-8010-A4006CC83EC1}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
     FirewallRules: [{AD102C3A-3D40-4A47-9483-AB5C8FC40D25}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
     FirewallRules: [{06100084-A816-405E-B3E8-965FD63E1B8F}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
     FirewallRules: [{8B8C1A5C-20E0-4B64-BC6B-705C4B002763}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
     FirewallRules: [UDP Query User{1D2F5D5C-673D-4480-A385-C362D7BE39F7}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
     FirewallRules: [TCP Query User{16301F9C-A2E7-4758-894D-18B300A6E0F9}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
     FirewallRules: [{47F0B7D0-D0EA-403F-9D8B-0A1F92E5E84E}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
     FirewallRules: [{88724164-66B1-4D9B-97BD-76BDBD486E3F}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
     FirewallRules: [{2A926726-D200-4CAD-9A56-7D6B10516B53}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
     FirewallRules: [{CAE1A4B8-4C29-4929-A508-D2B2D89AFEAA}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
     FirewallRules: [{1AB7A511-8CC3-4032-936D-6E6121445CF5}] => (Allow) C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe
     FirewallRules: [{5B7AD292-902A-44BE-A6F1-E276DC1E4E89}] => (Allow) C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe
     FirewallRules: [{854E69F5-896D-4BF9-A5EB-F1C645E8EBD1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
     FirewallRules: [{006610CB-49E1-4F19-BB70-783191B21F91}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     If you need help analyzing one of these logs, we recommend asking for help on our forums.

     Malware adding allowed programs

     So, if it’s so difficult to find and get rid of unwanted entries, it must be really hard to add one, you might think. Unfortunately, that’s not true. If a program is run elevated—with Administrator privileges—all it has to do is run a command like the example below:

     netsh firewall add allowedprogram "C:\Users\{username}\AppData\Roaming\Tr.exe" "Tr.exe" ENABLE

     This example is taken from a Trojan that runs this command to grant itself internet access. After which, it downloads additional malware. Of course, this is not only true for malware. Every program and installer that runs elevated has the ability to add programs to the “Allowed” list, which is exactly the reason why we recommend regular checks to see which programs are allowed if you are relying on the Windows firewall alone. Some might argue that this is true for every firewall, and they would be right in my book. It never hurts to check your firewall settings, certainly not after cleaning up an infection.

     Conclusion

     While the built-in Windows firewall may offer adequate protection, this is only true if you check the settings on a regular basis, and certainly immediately after removing an infection.

     Links

     Netsh Commands for Windows Firewall

     Article source
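A small triage script for the FRST FirewallRules section shown in the post above, added here as an example that is neither the article's nor FRST's code: it parses the log lines, groups Allow rules by program path, and flags entries living under user-writable locations such as AppData, where the netsh example placed Tr.exe. The trusted and suspicious path lists, the placeholder GUIDs and the sample log are constructed for illustration.

```python
"""Triage the FirewallRules section of an FRST log.

Added example, not part of the article or of FRST: it parses lines of the
form "FirewallRules: [name] => (Allow) path" and flags Allow rules whose
target lives outside the usual program directories. The directory lists,
the placeholder GUIDs and the sample log are constructed for illustration.
"""
import re
from collections import Counter

RULE_RE = re.compile(
    r"^FirewallRules:\s*\[(?P<name>[^\]]+)\]\s*=>\s*"
    r"\((?P<action>Allow|Block)\)\s*(?P<path>.+?)\s*$"
)

# Locations from which an allowed program is normally expected (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# User-writable locations that malware favours (assumption).
SUSPICIOUS_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def parse_rules(log_text: str) -> list:
    """Return one dict per FirewallRules line: name, action, path."""
    rules = []
    for line in log_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def classify(path: str) -> str:
    """'trusted', 'suspicious' or 'review' for an allowed program path."""
    p = path.lower()
    if any(marker in p for marker in SUSPICIOUS_MARKERS):
        return "suspicious"
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    return "review"


def triage(log_text: str) -> dict:
    """Group Allow rules by path, with a verdict and the number of rules per path."""
    counts = Counter()
    verdicts = {}
    for rule in parse_rules(log_text):
        if rule["action"] != "Allow":
            continue  # Block rules do not grant access; skip them
        counts[rule["path"]] += 1
        verdicts[rule["path"]] = classify(rule["path"])
    return {path: {"count": counts[path], "verdict": verdicts[path]} for path in counts}


def flagged(log_text: str) -> list:
    """Paths that deserve a closer look, suspicious ones first."""
    report = triage(log_text)
    order = {"suspicious": 0, "review": 1, "trusted": 2}
    return sorted(
        (p for p, r in report.items() if r["verdict"] != "trusted"),
        key=lambda p: (order[report[p]["verdict"]], p.lower()),
    )


# Constructed sample: three lines in the style of the log above, plus one
# (with a placeholder GUID) for the Tr.exe path from the netsh example.
SAMPLE_LOG = r"""
==================== FirewallRules (Whitelisted) ===============
FirewallRules: [{3297B962-0770-4831-890E-FEF6510610E4}] => (Allow) C:\Program Files\Newsbin\newsbinpro64.exe
FirewallRules: [UDP Query User{1D2F5D5C-673D-4480-A385-C362D7BE39F7}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{16301F9C-A2E7-4758-894D-18B300A6E0F9}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{00000000-0000-0000-0000-000000000000}] => (Allow) C:\Users\{username}\AppData\Roaming\Tr.exe
FirewallRules: [{11111111-1111-1111-1111-111111111111}] => (Block) D:\Tools\oldtool.exe
"""

if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        print(f"{info['verdict']:10} x{info['count']}  {path}")
    print("needs review:", flagged(SAMPLE_LOG))
```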
  7. NetBalancer is an internet traffic control and monitoring tool designed for Microsoft Windows XP, 2003, Vista, 7, 8 with native x64 support.

     With NetBalancer you can:
     - Set a download and/or upload network priority or limit for any process
     - Manage priorities and limits for each network adapter separately
     - Define detailed network traffic rules
     - Group local network computers and balance their traffic synchronised
     - Set global traffic limits
     - Get detailed statistics and totals about your data usage
     - Show network traffic in system tray
     - and much more!

     Homepage: https://netbalancer.com
     Release Date: 21-Sep-2016
     Update 9.5.2 - 9.5.6: Bug fixing and stability improvements.
     Features: https://netbalancer.com/features
     Download: https://netbalancer.com/downloads/NetBalancerSetup.exe
  8. A type of denial of service attack relevant in the 1990s has resurfaced with surprising potency against modern-day firewalls. Dubbed a BlackNurse attack, the technique leverages a low-volume Internet Control Message Protocol (ICMP) -based attack on vulnerable firewalls made by Cisco, Palo Alto, SonicWall and others, according to researchers.

     TDC Security Operations Center, a security firm that published a technical report (PDF) on BlackNurse this week, said the attack is more traditionally called a “ping flood attack.” In this type of assault, traffic volume doesn’t matter as much as the type of packets sent, researchers said. In a description of BlackNurse, an attacker causes a Denial of Service (DoS) state by overloading the firewall’s host CPU. “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet,” according to TDC.

     It’s unclear why the ICMP Type 3 Code 3 requests overload the firewall’s CPU. However, researchers at SANS Internet Storm Center believe it’s tied to firewall logging. It’s a theory bolstered by TDC’s own description of the impact of the attack. “Firewall logging during the attack can increase the impact from the attack, which means that the firewall gets even more exhausted,” TDC wrote.

     BlackNurse attacks are similar to, but not to be confused with, related ICMP Type 8 Code 0 attacks, also called a ping flood attack, according to TDC. “ICMP based attacks in general are a well-known attack type used by some DDoS attackers,” TDC wrote. Researchers explain: “The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”

     Notably, BlackNurse DoS attack volume intensity hovers between a paltry 15 to 18 Mbps (or 40 to 50K packets per second), according to researchers. That’s in stark contrast to the 1 Tbps DDoS attack recorded against DNS provider Dyn last month. The low volume DDoS attack is effective because the goal is not to flood the firewall with useless traffic, but rather to drive high CPU loads. To that end many firewall vendors protect against ICMP-based attacks. But blocking all ICMP types and codes isn’t an option, for fear that something is likely to break down, TDC said. In fact, security firm NetreseC points out in an analysis of BlackNurse that Cisco warns: “We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.”

     As for vulnerable firewalls, TDC singles out some Cisco ASA firewalls. According to a SANS Internet Storm Center report on BlackNurse, Cisco firewalls that are newer, larger and are multi-core appear to be fine. However, SonicWall and some Palo Alto firewalls appear to be vulnerable, according to Johannes Ullrich, dean of research at SANS Technology Institute and author of the SANS ISC post. Cisco, SonicWall and Palo Alto were contacted for this report, but did not reply.

     Testing for BlackNurse, suggests TDC, includes allowing ICMP on the WAN side of a firewall and conducting tests with the tool Hping3, a free packet generator and analyzer for the TCP/IP protocol. Detection includes adopting SNORT IDS/IPS rules to spot the attack, according to TDC, which outlines its own rules. Mitigation includes creating a “list of trusted sources for which ICMP is allowed and could be configured” and “disabling ICMP Type 3 Code 3 on the WAN interface,” TDC said.

     Article source
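The detection side of the post above, as an added example that is not TDC's, SANS' or any vendor's code: a rate-based check that pulls the ICMP type and code out of raw IPv4 packets and alerts when a single source exceeds a per-second budget of Type 3 Code 3 messages, which is the signal a logging-heavy firewall would want to see before its CPU does. The packets, addresses and the 100 pps threshold are constructed for illustration; the article quotes 40 to 50K packets per second for a real attack.

```python
"""Rate-based detector for BlackNurse-style ICMP Type 3 Code 3 floods.

Added example, not TDC's or SANS' code: it parses the ICMP type/code from
raw IPv4 packets and raises an alert when one source sends more
destination-unreachable / port-unreachable messages per second than a
threshold. Packets, addresses and threshold are constructed for illustration.
"""
import struct
from collections import defaultdict

ICMP_PROTO = 1
TYPE_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3


def icmp_type_code(packet: bytes):
    """Return (src_ip, type, code) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    if packet[9] != ICMP_PROTO or len(packet) < ihl + 2:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl], packet[ihl + 1]


def detect_blacknurse(packets, threshold_pps: int, window_s: float = 1.0):
    """packets: iterable of (timestamp, raw_bytes).

    Returns a sorted list of (src_ip, window_start, count) for every
    source/window whose Type 3 Code 3 count exceeds threshold_pps * window_s.
    """
    counts = defaultdict(int)
    for ts, raw in packets:
        parsed = icmp_type_code(raw)
        if parsed is None:
            continue
        src, itype, code = parsed
        if itype == TYPE_DEST_UNREACH and code == CODE_PORT_UNREACH:
            bucket = int(ts // window_s) * window_s
            counts[(src, bucket)] += 1
    limit = threshold_pps * window_s
    return sorted((src, start, n) for (src, start), n in counts.items() if n > limit)


def make_icmp_packet(src_ip: str, itype: int, code: int) -> bytes:
    """Build a minimal IPv4 + ICMP packet (constructed test data, checksums zero)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes([192, 0, 2, 1])  # documentation address, constructed
    total_len = 20 + 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ICMP_PROTO, 0, src, dst)
    icmp_hdr = struct.pack("!BBHHH", itype, code, 0, 0, 0)
    return ip_hdr + icmp_hdr


def constructed_capture():
    """One noisy source sending 120 Type 3/3 within a second, plus background."""
    pkts = []
    for i in range(120):
        pkts.append((10.0 + i / 120, make_icmp_packet("203.0.113.9", 3, 3)))
    for i in range(5):
        pkts.append((10.0 + i / 5, make_icmp_packet("198.51.100.4", 3, 3)))
        pkts.append((10.0 + i / 5, make_icmp_packet("198.51.100.4", 8, 0)))  # echo request
    return pkts


if __name__ == "__main__":
    for src, start, n in detect_blacknurse(constructed_capture(), threshold_pps=100):
        print(f"ALERT {src}: {n} ICMP 3/3 in window starting at t={start}")
```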
  9. Description

Simple tool to configure Windows Filtering Platform (WFP), which can configure network activity on your computer.

Features
Simple configuration (you don't need to work at NASA to understand it).
Localization support (you may translate the interface into your language).
Adware, telemetry blocking.

You can download either the installer or portable version. Administrator rights are required for correct operation.

Settings
To activate portable mode, create "wfptool.ini" in the application folder, or move it from "%APPDATA%\Henry++\Wfp Tool".
Settings are stored in the program folder in the file "wfptool.ini".
The list of configured applications is in the file "config.xml".
The list of your rules is in "rules.xml".

Author: Henry++
License: GPL v3
Language: C/C++
Supported OS: Vista, 7, 8, 8.1, 10
Platform architecture: 32-bit/64-bit
Language: English, Russian, Simplified Chinese, Korean, French, Italian

Changelog
https://github.com/henrypp/wfptool/blob/master/CHANGELOG.md

v1.1.116 (30 September 2016)
added "listen" layer blocking
added forgotten rules into settings menu
added open folder by double click for listview
added shared resources highlighting
dropped packets logging optimizations
fixed process list menu icons with classic ui
updated translation
minor improvements

Wfp Tool 1.1.116
https://github.com/henrypp/wfptool/releases/download/v.1.1.116/wfptool-1.1.116-setup.exe
portable
https://github.com/henrypp/wfptool/releases/download/v.1.1.116/wfptool-1.1.116-bin.zip
  10. Please tell me, can the firewall block outgoing DNS requests from a computer? DNS Firewall 4.01 does not offer this. The program is good, but unfortunately it starts too late after the operating system loads.
  11. Comprehensive Security Guide

i. Foreword

The primary purpose of this guide is to offer a concise list of best-of-breed software and advice on selected areas of computer security. The secondary purpose of this guide is to offer limited advice on other areas of security. The target audience is an intermediately skilled user of home computers. The computer software listed is the freeware version when possible, or has free versions available. If there are no free versions available for a particular product, it is noted with the "$" symbol. The guide is as well formatted as I could make it, within the confines of a message board post. This guide is constantly evolving; if it is not as in-depth as you require in any specific area, you can try Google if you're interested in more.

ii. Table of Contents

i. Foreword
ii. Table of Contents
1. Physical Security
.. a. Home
.. b. Computer
.. c. Personal
2. Network Security
.. a. Hardware Firewall
.. b. Software Firewall
3. Hardening Windows
.. a. Pre-install Hardening
.. b. Post-install Hardening
.. c. Alternative Software
.. d. Keep Windows Up-To-Date
4. Anti-Malware
.. a. Anti-Virus
.. b. HIPS / Proactive Defense
.. c. Malware Removal
5. Information and Data Security
.. a. Privacy / Anonymity
.. b. Encryption
.. c. Backup, Erasure and Recovery
.. d. Access Control (Passwords, Security Tokens)
6. Conclusion

1. Physical Security

I just wanted to touch on a few things in the realm of physical security, and you should investigate physical and personal security in places other than here.

a. Home

How would you break in to your own home? Take a close look at your perimeter security and work inwards. Make sure fences or gates aren't easy to climb over or bypass. The areas outside your home should be well lit, and motion sensor lights and walkway lights make nice additions to poorly lit areas.

If possible, your home should have a security system featuring hardwired door and window sensors, motion detectors, and audible sirens (indoor and outdoor). Consider integrated smoke and carbon monoxide detectors for safety. Don't overlook monitoring services, so the police or fire department can be automatically called during an emergency.

Invest in good locks for your home; I recommend Medeco and Schlage Primus locks highly. Both Medeco and Schlage Primus locks are pick-resistant, bump-proof, and have key control (restricted copying systems). Exterior doors should be made of steel or solid-core wood and each should have locking hardware (locking doorknob or handle), an auxiliary lock (mortise deadbolt) with a reinforced strike plate, and a chain.

Consider a fireproof (and waterproof) safe for the storage of important documents and valuables. A small safe can be carried away during a robbery and simply opened at another location later, so be sure to get a safe you can secure to a physical structure (in-wall, in-floor, or secured to something reasonably considered immovable). You may be able to hide or obscure the location of your safe in order to obtain some additional security, but don't make it cumbersome for yourself to access.

b. Computer

Computers are easy to just pick up and take away, so the only goal you should have is to deter crimes of opportunity. For desktop computers, you may bring your desktop somewhere and an attacker may not be interested in the entire computer, but perhaps just an expensive component (video card) or your data (hard drive), and for that I suggest a well-built case with a locking side and locking front panel. There are a variety of case security screws available (I like the ones from Enermax (UC-SST8) as they use a special tool), or you can use screws with less common bits (such as tamper resistant Torx screws) to secure side panels and computer components.
There are also cable lock systems available for desktop computers to secure them to another object. For laptop computers, you are going to be primarily concerned about a grab-and-go type robbery. There are a variety of security cables available from Kensington, which lock into the Kensington lock slot found on nearly all laptops, which you can use to secure it to another object (a desk or table, for example). Remember though, even if it's locked to something with a cable, it doesn't make it theft-proof, so keep an eye on your belongings.

c. Personal

Always be aware of your surroundings. Use your judgment; if you feel an area or situation is unsafe, avoid it altogether or get away as quickly and safely as possible. Regarding hand to hand combat, consider a self-defense course. Don't screw around with traditional martial arts (Karate, Aikido, Kung-Fu), and stay away from a McDojo. You should consider self-defense techniques like Krav Maga if you are serious about self defense in a real life context. I generally don't advocate carrying a weapon on your person (besides the legal mess that may be involved with use of a weapon, even for self-defense, an attacker could wrestle away a weapon and use it against you). If you choose to carry any type of weapon on your person for self-defense, I advise you to take a training course (if applicable) and to check with and follow the laws within the jurisdiction you decide to possess or carry such weapons.

Dealing with the Police

Be sure to read Know Your Rights: What to Do If You're Stopped by the Police, a guide by the ACLU, and apply it. Its advice is for within the jurisdiction of the US but may apply generally elsewhere; consult with a lawyer for legal advice. You should also watch the popular video "Don't talk to the police!" by Prof. James Duane of the Regent University Law School for helpful instructions on what to do and say when questioned by the police: regent.edu (Mirror: )

Travelling Abroad

Be sure to visit the State Department or Travel Office for your home country before embarking on a trip abroad. Read any travel warnings or advisories; they are a wealth of information for travelers (offering guides, checklists, and travel advice): (US, UK, CA).

2. Network Security

As this is a guide geared towards a home or home office network, the central theme of network security is going to be focused around having a hardware firewall behind your broadband modem, along with a software firewall installed on each client. Since broadband is a 24/7 connection to the internet, you are constantly at risk of attack, making both a hardware and software firewall absolutely essential.

a. Hardware Firewall

A hardware firewall (router) is very important. Consider the hardware firewall as your first line of defense. Unfortunately, routers (usually) aren't designed to block outbound attempts from trojans and viruses, which is why it is important to use a hardware firewall in conjunction with a software firewall. Be sure that the firewall you choose features SPI (Stateful Packet Inspection).

Highly Recommended

I recommend Wireless N (802.11n) equipment, as it is robust and widely available. Wireless N is backwards compatible with the earlier Wireless G (802.11g) and B (802.11b) standards. 802.11n supports higher speeds and longer distances than the previous standards, making it highly attractive. I recommend any of the following Wireless N compatible routers:
Asus: RT-N16, WL500W, RT-N12, RT-N10.
Linksys: E3000, E2000, WRT610Nv2, WRT320N.

If price is a concern, Wireless G (802.11g) equipment is generally less expensive, as it has been around longer than Wireless N equipment.
Range extender antennas and boosters exist if range is an issue, and 125HSM (Afterburner) technology exists to boost single-channel throughput. I recommend any of the following Wireless G compatible routers:
Asus: WL-500G Premium, WL500G Deluxe, WL520GU.
Linksys: WRT54-GL (or GS v1-v4), WRT54G-TM, WRTSL54GS.

Use WPA2/WPA with AES if possible, and a passphrase with a minimum of 12 characters. If you are really paranoid, use a strong random password and remember to change it every so often.

Alternatives

A spare PC running SmoothWall or IPCop, with a pair of NICs and a switch, can be used to turn a PC into a fully functional firewall.

b. Software Firewall

A software firewall nicely complements a hardware firewall such as those listed above. In addition to protecting you from inbound intrusion attempts, it also gives you a level of outbound security by acting as a gateway for applications looking to access the internet. Programs you want can access the internet, while ones you don't are blocked. Do not use multiple software firewalls simultaneously. You can actually make yourself less secure by running two or more software firewall products at once, as they can conflict with one another. Check out Matousec Firewall Challenge for a comparison of leak tests among top firewall vendors. Leaktests are an important way of testing outbound filtering effectiveness.

Highly Recommended

Comodo Internet Security
Comodo is an easy to use, free firewall that provides top-notch security. I highly recommend this as a first choice firewall. While it includes Antivirus protection, I advise installing it as firewall-only and using an alternate Antivirus.

Alternatives

Agnitum Outpost Firewall Free
A free personal firewall that is very secure. Be sure to check out the Outpost Firewall Forums to search, and ask questions if you have any problems.

Online Armor Personal Firewall Free
Online Armor Personal Firewall makes another great choice for those who refuse to run Comodo or Outpost. Online Armor

3. Hardening Windows

Windows can be made much more secure by updating its components, and changing security and privacy related settings.

a. Pre-install Hardening

Pre-install hardening has its primary focus on integrating the latest available service packs and security patches. Its secondary focus is applying whatever security setting tweaks you can integrate. By integrating patches and tweaks, you will be safer from the first boot.

Step 1 - Take an original Windows disc (Windows 2000 or later) and copy it to a folder on your hard drive so you can work with the install files.
Step 2 - Slipstream the latest available service pack. Slipstreaming is a term for integrating the latest service pack into your copy of Windows.
Step 3 - Integrate the latest available post-service pack updates. This can be done with a utility such as nLite or vLite, and post-service pack updates may be available in an unofficial collection (such as the RyanVM Update Pack for XP).
Step 4 - Use nLite (Windows 2000/XP) or vLite (Windows Vista/7) to customize your install. Remove unwanted components and services, and use the tweaks section of nLite/vLite to apply some security and cosmetic tweaks.
Step 5 - Burn your newly customized CD, and install Windows. Do not connect the computer to a network until you install a software firewall and anti-virus.

b. Post-Install Hardening

If you have followed the pre-install hardening section, then your aim will be to tweak settings to further lock down Windows. If you hadn't installed from a custom CD, you will need to first update to the latest service pack, then install incremental security patches to become current. After updating, you'll then disable unneeded Windows services, perform some security tweaks, and use software such as xpy to tweak privacy options.

Disable Services

Start by disabling unneeded or unnecessary services.
By disabling services you will minimize potential security risks, and use fewer resources (which may make your system slightly faster). Some good guides on disabling unnecessary services are available at Smallvoid: Windows 2000 / Windows XP / Windows Vista. Some commonly disabled services: Alerter, Indexing, Messenger, Remote Registry, TCP/IP NetBIOS Helper, and Telnet.

Security Tweaks

I highly recommend using a strong Local Security Policy template as an easy way to tweak Windows security options, followed by the registry. Use my template (security.inf) to easily tweak your install for enhanced security (Windows 2000/XP/Vista/7):
1. Save the following attachment: (Download Link Soon!)
2. Extract the files.
3. Apply the Security Policy automatically by running the included "install.bat" file.
4. (Optional) Apply your policy manually using the following command: [ secedit /configure /db secedit.sdb /cfg "C:\<Path To Security.inf>\<template>.inf" ] then refresh your policy using the following command: [ secedit /refreshpolicy machine_policy ] (Windows 2000), [ gpupdate ] (Windows XP/Vista/7)

This template will disable automatic ("administrative") Windows shares, prevent anonymous log on access to system resources, disable (weak) LM Password Hashes and enable NTLMv2, disable DCOM, harden the Windows TCP/IP Stack, and much more. Unfortunately my template can't do everything; you will still need to disable NetBIOS over TCP (NetBT), enable Data Execution Prevention (AlwaysOn), and perform other manual tweaks that you may use.

Privacy Tweaks

xpy (Windows 2000/XP) and vispa (Windows Vista/7)
These utilities are great for modifying privacy settings. They supersede XP AntiSpy because they include all of XP Anti-Spy's features and more. You should use them in conjunction with the security tweaks I've listed above.

c. Alternative Software

Another simple way of mitigating possible attack vectors is to use software that is engineered with better or open security processes. These products are generally more secure and offer more features than their Microsoft counterparts.

Highly Recommended
Mozilla Firefox (Web Browser)
Mozilla Thunderbird (Email Client)
OpenOffice.org (Office Suite)

Alternatives
Google Chrome (Web Browser)
Opera (Web Browser)
The Bat! (Email Client)
Google Docs (Online) (Office Suite)

Firefox Additions

Mozilla has a Privacy & Security add-on section. There are a variety of add-ons that may appeal to you (such as NoScript). And although these aren't strictly privacy related, I highly recommend the AdBlock Plus add-on, with the EasyList and EasyPrivacy filtersets.

d. Keep Windows Up-To-Date

Speaking of keeping up-to-date, do yourself a favor and upgrade to at least Windows 2000 (for older PCs) and Windows XP Pro (or later) for newer PCs. Windows 9x/Me is completely broken in terms of the possibilities for a secure computing environment, and as such updates for them have been removed from the list. Be sure to keep up-to-date on your service packs; they're a comprehensive collection of security patches and updates, and some may add minor features.

Microsoft Windows Service Packs
Windows 2000 - Service Pack 4 with Unofficial Security Rollup Package
Windows XP - Service Pack 3 with Unofficial Security Rollup Package
Windows XP x64 - Service Pack 2 with Unofficial Security Rollup Package
Windows Vista - Service Pack 2
Windows 7 - Service Pack 1

Microsoft Office Service Packs
Office 2000 - Service Pack 3 with the Office 2007 Compatibility Pack (SP3).
Office XP (2002) - Service Pack 3 with the Office 2007 Compatibility Pack (SP3).
Office 2003 - Service Pack 3 with the Office 2007 Compatibility Pack (SP3) and Office File Validation add-in.
Office 2007 - Service Pack 3 with the Office File Validation add-in.
Office 2010 - Service Pack 1

After the service pack, you still need to keep up-to-date on incremental security patches. Windows supports Automatic Updates to automatically update itself.
However, if you don't like Automatic Updates: You can use WindowsUpdate to update Windows periodically (must use IE5 or greater, must have the BITS service enabled), or you can use MS Technet Security to search for and download patches individually, or you can use Autopatcher, an unofficial updating utility. In addition to security patches, remember to keep virus definitions up-to-date (modern virus scanners support automatic updates so this should not be a problem), and stay current with the latest program versions and updates, including your replacement internet browser and mail clients.

4. Anti-Malware

There are many dangers lurking on the internet. Trojans, viruses, spyware. If you are a veteran user of the internet, you've probably developed a sixth-sense when it comes to avoiding malware, but I advocate backing up common sense with reliable anti-malware software.

a. Anti-Virus

Picking a virus scanner is important. I highly recommend Nod32, but there are good alternatives these days. Check out AV Comparatives for a comparison of scanning effectiveness and speed among top AV vendors.

Highly Recommended

Nod32 Antivirus $
I recommend Nod32 as a non-free Antivirus. Features excellent detection rates and fast scanning speed. Nod32 has a great heuristic engine that is good at spotting unknown threats. Very resource-friendly and historically known for using less memory than other AVs. There is a 30 day free trial available.

Alternatives

Avira AntiVir Personal
I recommend Avira as a free Antivirus. Avira is a free AV with excellent detection rates and fast scanning speed.

Kaspersky Anti-Virus $
Kaspersky AV is a good alternative to Nod32. Features very good detection rates, and fast scanning speed.

Online-Scanners

Single File Scanning
Jotti Online Malware Scan or VirusTotal
These scanners can run a single file through a large number of different Antivirus/Antimalware suites in order to improve detection rates. Highly recommended.

Whole PC Scanning
ESET Online Scanner
Nod32 Online Antivirus is pretty good, ActiveX though, so IE only. There is a beta version available that works with Firefox and Opera.

b. HIPS / Proactive Defense

Host-based intrusion prevention systems (HIPS) work by disallowing malware from modifying critical parts of the Operating System without permission. Classic (behavioral) HIPS software will prompt the user for interaction before allowing certain system modifications, allowing you to stop malware in its tracks, whereas Virtualization-based HIPS works primarily by sandboxing executables. Although HIPS is very effective, the additional setup and prompts are not worth the headache for novice users (who may take to just clicking 'allow' to everything and defeating the purpose altogether). I only recommend HIPS for intermediate or advanced users that require a high level of security.

Highly Recommended

I highly recommend firewall-integrated HIPS solutions. Comodo Defense+ is a classic HIPS built into Comodo Internet Security, and provides a very good level of protection. Outpost and Online Armor provide their own HIPS solutions, and the component control features of the firewalls are powerful enough to keep unwanted applications from bypassing or terminating the firewall. If you want to use a different HIPS, you can disable the firewall HIPS module and use an alternative below.

Alternatives

Stand-alone HIPS solutions are good for users who either don't like the firewall built-in HIPS (and disable the firewall HIPS), or use a firewall without HIPS features.

HIPS based on Behavior (Classic)
ThreatFire
ThreatFire provides a strong, free behavioral HIPS that works well in conjunction with Antivirus and Firewall suites to provide additional protection.

HIPS based on Virtualization
DefenseWall HIPS $
DefenseWall is a strong and easy-to-use HIPS solution that uses sandboxing for applications that access the internet.
GeSWall Freeware
GeSWall makes a nice free addition to the HIPS category; like DefenseWall it also uses sandboxing for applications that access the internet.

Dealing with Suspicious Executables

You can run suspicious executables in a full featured Virtual Machine (such as VMware) or using a standalone sandbox utility (such as Sandboxie) if you are in doubt of what it may do (though, you may argue that you shouldn't be running executables you don't trust anyway). A more advanced approach to examining a suspicious executable is to run it through Anubis, a tool for analyzing the behavior of Windows executables. It displays a useful report with things the executable does (files read, registry modifications performed, etc.), which will give you insight as to how it works.

c. Malware Removal

I recommend running all malware removal utilities on-demand (not resident). With a firewall, virus scanner, HIPS, and some common sense, you won't usually get to the point of needing to remove malware... but sometimes things happen, perhaps unavoidably, and you'll need to remove some pretty nasty stuff from a computer.

Highly Recommended

Anti-Spyware
Spybot Search & Destroy
Spybot S&D has been around a long time, and is very effective in removing spyware and adware. I personally install and use both Spybot & Ad-Aware, but I believe that Spybot S&D has the current edge in overall detection and usability.

Anti-Trojan
Malwarebytes' Anti-Malware
Malwarebytes has a good trojan detector here, and scans fast.

Anti-Rootkit
Rootkit Unhooker
RKU is a very advanced rootkit detection utility.

Alternatives

Anti-Spyware
Ad-Aware Free Edition
Ad-Aware is a fine alternative to Spybot S&D; its scanning engine is slower but it is both effective and popular.

Anti-Trojan
a-squared (a2) Free
a-squared is a highly reputable (and free) trojan scanner.

Anti-Rootkit
IceSword (Mirror)
IceSword is one of the most capable and advanced rootkit detectors available.

5. Information and Data Security

Data can be reasonably protected using encryption and a strong password, but you will never have complete and absolute anonymity on the internet as long as you have an IP address.

a. Privacy / Anonymity

Anonymity is elusive. Some of the following software can help you achieve a more anonymous internet experience, but you also must be vigilant in protecting your own personal information. If you use social networking sites, use privacy settings to restrict public access to your profile, and only 'friend' people you know in real life. Don't use (or make any references to) any of your aliases or anonymous handles on any websites that have any of your personal information (Facebook, Amazon, etc.). You should opt-out from information sharing individually for all banks and financial institutions you do business with using their privacy policy choices. You should opt-out of preapproved credit offers (US), unsolicited commercial mail and email (US, UK, CA), and put your phone numbers on the "Do Not Call" list (US, UK, CA).

Highly Recommended

Simply install and use Tor with Vidalia to surf the internet anonymously. It's free; the only downside is it's not terribly fast, but it has fairly good anonymity, so it's a tradeoff. Keep in mind it's for anonymity, not for security, so make sure sites you put passwords in are SSL encrypted (and have valid SSL certificates), and remember that all end point traffic can be sniffed. You can use the Torbutton extension for Firefox to easily toggle on/off anonymous browsing. POP3/IMAP and P2P software won't work through Tor, so keep that in mind.

Portable Anonymous Browsing

The Tor Project now has a "Zero-Install Bundle" which includes Portable Firefox and Tor with Vidalia to surf anonymously from a USB memory stick pretty much anywhere with the internet. It also includes Pidgin with OTR for encrypted IM communications. Note: These won't protect you from Trojans/Keyloggers/Viruses on insecure public terminals.
Never type important passwords or login to important accounts on a public computer unless it is absolutely necessary!

Alternatives

I2P functions similar to Tor, allowing you to surf the general internet with anonymity.
IPREDator $ is a VPN that can be used to anonymize P2P/BitTorrent downloads.
Freenet is notable, but not for surfing the general internet; it's its own network with its own content.

b. Encryption

For most people, encryption may be unnecessary. But if you have a laptop, or any sort of sensitive data (whether it be trade secrets, corporate documents, legal or medical documents) then you can't beat the kind of protection that encryption will offer. There are a variety of options available today, including a lot of software not listed here. A word to the wise: please, please don't fall for snake oil; use well established applications that use time tested (and unbroken) ciphers. Regardless of what software you use, the following "what to pick" charts will apply universally.

If you have to pick an encryption cipher:
Best: AES (Rijndael) (128-bit block size)
Better: Twofish (128-bit block size), Serpent (128-bit block size)
Good: RC6 (128-bit block size)
Deprecated: Blowfish (64-bit block size), CAST5 (CAST-128) (64-bit block size), Triple-DES (64-bit block size)

When encrypting large volumes of data, it is important to pick a cipher that has a block size of at least 128-bytes. This affords you protection for up to 2^64x16 bytes (264 exabytes). 64-bit block ciphers only afford protection of up to 2^32x8 bytes (32 gigabytes), so using one as a full disk or whole disk encryption cipher is not recommended. The deprecated list is only because some of you might be stuck using software that only supports older encryption methods, so I've ordered it from what I feel is best to worst (though all three that are on there are pretty time tested and, if properly implemented, quite secure).

If you have to pick a hash to use:
Best: Whirlpool (512-bit)
Better: SHA-512 (512-bit), SHA-256 (256-bit)
Good: Tiger2/Tiger (192-bit), RIPEMD-160 (160-bit)
Deprecated: RIPEMD-128, SHA-1, MD-5.

With all the recent advances in cryptanalysis (specifically with work on hash collisions), these days I wouldn't trust any hash that is less than 160-bits on principle. To be on the safe side, use a 192-bit, 256-bit, or 512-bit hash where available. There will be cases where your only options are insecure hashes, in which case I've ordered the "deprecated" list from best to worst (they are all varying levels of insecure). Many older hashes (MD4, MD2, RIPEMD (original), and others) are totally broken, and are not to be used.

A quick software rundown; these applications are popular and trusted:

Highly Recommended

Freeware Whole Disk Encryption
TrueCrypt
Based upon E4M, TrueCrypt is a full featured disk encryption suite, and can even be run off a USB memory stick. TrueCrypt supports the whole disk encryption of Windows, with pre-boot authentication. Very nice. If you can't use whole-disk encryption (WDE), you can use the TCTEMP add-on to encrypt your swapfile, temp files and print spooler, and you can use the TCGINA add-on to encrypt your Windows home directory. (Note: TCTEMP/TCGINA is less secure than WDE, and only preferable if WDE is not an option. WDE is highly recommended.)

Freeware PKI Encryption
GnuPG (GPG)
GnuPG provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, and encryption and decryption of documents and email messages.

Freeware Email Encryption
Enigmail
Enigmail is truly a work of art; it integrates with GnuPG and provides seamless support for encryption and decryption of email messages, and can automatically check PGP signed documents for validity.
(Enigmail requires both Mozilla Thunderbird and GnuPG) Alternatives Encryption Suite (with Whole Disk and Email Encryption) PGP Full Disk Encryption $ PGP provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, encryption and decryption of documents and email messages, volume disk encryption, whole disk encryption, outlook integration, and instant messenger encryption support. c. Backup, Erasure and Recovery // This section is under construction. Backups Your data might be safe from prying eyes, but what if you are affected by hardware failure, theft, flood or fire? Regular backups of your important data can help you recover from a disaster. You should consider encryption of your backups for enhanced security. Local Backup Cobian Backup Cobian Backup is a fully-featured freeware backup utility. SyncBack Freeware, Macrium Reflect Free SyncBack Freeware and Macrium Reflect Free are feature-limited freeware backup utilities. Off-site Backup SkyDrive (25GB, filesize limited to 100MB), box.net (5GB) SkyDrive and box.net offer free online storage, useful for easy offsite backups. Be sure to utilize encrypted containers for any sensitive documents. Data Destruction It would be better to have your data residing in an encrypted partition, but sometimes that may not be possible. When sanitizing a hard drive, I recommend using a quality Block Erase tool like DBAN followed by a run-through with ATA Secure Erase if you really want a drive squeaky clean. Block erasing is good for data you can normally reach, but ATA secure erase can hit areas of the drive block erasers can't. As for multiple overwrite passes, there is no proof that data overwritten even one time can be recovered by professional data recovery corporations. For moderate security, a single pseudorandom block-erase pass (random-write) followed by an ATA Secure Erase pass (zero-write) is sufficient to thwart any attempts at data recovery. 
For a high level of security, a "DoD Short (3 pass)" block-erase pass followed by an ATA Enhanced Secure Erase will ensure no recovery is possible. Single-File/Free Space Erase - If you are interested in just erasing single files or wiping free space, you can use the Eraser utility. Block Erase - For hard drive block-erasure, use DBAN. ATA Secure Erase - For ATA Secure Erasing, use the CMRR Secure Erase Utility. CMRR Secure Erase Protocols (.pdf) - http://cmrr.ucsd.edu...seProtocols.pdf NIST Guidelines for Media Sanitation (.pdf) - http://csrc.nist.gov...800-88_rev1.pdf File Recovery Software This is kind of the opposite of data destruction. Keep in mind no software utility can recover properly overwritten data, so if it's overwritten there is no recovery. Highly Recommended Recuva Recuva is an easy to use GUI-based recovery utility. Alternatives TestDisk and PhotoRec These tools are powerful command-line recovery utilities. TestDisk can recover partitions, and PhotoRec is for general file recovery. Ontrack EasyRecovery Professional $ EasyRecovery is one of the best paid utilites for file recovery. d. Access Control (Passwords, Security Tokens) // This section is under construction. Secure Passwords //Section under construction. Your security is only as strong as its weakest password. There are a few basic rules to follow when creating a strong password. Length - Passwords should be at least 12 characters long. When possible, use a password of 12 or more characters, or a "passphrase". If you are limited to using less than 12 characters, you should try and make your password as long as allowable. Complexity - Passwords should have an element of complexity, a combination of upper and lowercase characters, numbers, and symbols will make your passwords much harder to guess, and harder to bruteforce. 
Uniqueness - Passwords should avoid containing common dictionary words, names, birthdays, or any identification related to you (social security, driver's license, or phone numbers, for example).
Secret - If you have a password of the utmost importance, do not write it down. Do not type it in plain view of another person or share it with anyone. Avoid use of the same password in multiple places.

Security Tokens
Security Tokens are cryptographic devices that allow for two-factor authentication.
Aladdin eToken
Safenet iKey
IronKey Basic

6. Conclusion
And here we are at the end! I would like to thank all of you for taking the time to read my guide; it's a few (slow) years in the making and I've kept it up to date. This guide is always changing, so check back from time to time.

Revision 1.10.018-upd3
Copyright © 2004-2012 Malakai1911, All Rights Reserved
The information contained within this guide is intended solely for the general information of the reader and is provided "as is" with absolutely no warranty expressed or implied. Any use of this material is at your own risk; its authors are not liable for any direct, special, indirect, consequential, or incidental damages or any damages of any kind. This guide is subject to change without notice.
Windows_Security_Template__1.10.015_.zip
12. Everyone knows the term firewall, but few people know why they would ever need one. Go on the Internet and read around, and you’ll find that there are not only many different ideas of what a firewall is supposed to do, but there are also many different technical concepts that fall under the term. The basic idea of a firewall is a “wall-layer” that protects against attacks from the “other” side. This may seem simple enough, but then many people go on to wonder: Where should that wall be placed? And what, actually, are “attacks”? To begin, let’s start out with an overview of the places where a firewall can reside.

Hardware firewalls
For high-end users, large networks or servers, a hardware firewall is usually a standalone device. For home users or small businesses, it is typically a component built into a router/modem. When a hardware firewall is used, all network traffic is routed through it before the data reaches individual computers. As traffic passes through, the hardware firewall takes a deep look into its content to decide what should be let through and what should not.

Some firewalls just follow plain rules that the user has defined. For example: Don’t let anyone from the Internet initiate a connection to any local computer that sits behind the firewall – only allow outgoing connections.

Other firewalls adopt more advanced rules, using protocol-based filters. For example: Let users connect to the Internet, but only through port 80 (the HTTP web server port), and route the incoming traffic to a web server behind the firewall before it reaches individual computers.

Still other firewalls are even more sophisticated and inspect every data package deeply on an application layer. Here a rule might be: Allow incoming traffic on port 80, unless it contains any code sequence that may be used to hack the web server residing behind the firewall, such as a cross site scripting attack or an exploit against a database the web server works with.
The advantage of hardware firewalls is that they are very literally separate from the computers they protect. All traffic must go through the dedicated, hardware firewall or it will not reach the local, target computer at all. Furthermore, there is no extra “surface area” within a hardware firewall for a malicious data package to sneak through by using manipulative code, such as there might be with a software-based firewall. The data either gets through or it doesn’t. A square peg cannot fit through a round hole.

The disadvantage of hardware firewalls, however, is that because of their separation and limited surface area (i.e., brain power) the firewall doesn’t really know what’s happening on the computers behind it. The hardware firewall only sees the data traffic generated by these computers, but it doesn’t know which applications are generating this data. Therefore, if a user tells a legitimate application to connect to the Internet and that application tries to connect in a way that the hardware firewall is configured to block, the hardware firewall will prevent the application from connecting. Wrong decisions stemming from too strictly configured rule sets that block legitimate services are an inherent problem of hardware firewalls – and they typically result in unhappy users.

Network Address Translation (NAT) Routers
A special form of a hardware firewall is a Network Address Translation, or NAT, router. Most DSL routers in use today are using NAT, and in technical terms they are actually not firewalls, but they have a similar effect. The idea behind NAT is simple. Many households have more than 1 Internet-connected computer, but the Internet account has only one public IP address. That IP address is like your Internet phone number, and it can be reached from anywhere in the world. With NAT, your public IP address is assigned to the router. Incoming data packages must then pass through the router before they reach their destination computer.
A NAT router enables this passage by converting each incoming data package sent to the public IP address to a special IP address that is exclusively used on local networks. These exclusive-use IPs usually start with 10.* or 192.168.* and they can’t be reached from the outside directly. These IPs are actually used multiple times by millions of local networks around the world.

As an example, consider the case of a local computer requesting a website from a public web server. First, a NAT router will replace the computer’s original, local IP with the account’s public IP. At the same time, the NAT router will “wrap” information about the original, local source IP within the data package request, so that it can keep track of which computer it belongs to when it returns. When the web server responds, it will then send the data back to the public IP – at which point the NAT router will “unwrap” the information it appended about the local source IP and forward the data package to the computer with that local IP.

NAT routers give us a huge advantage: Computers that are in a NAT can reach everything on the outside, but nothing on the outside can directly connect to a computer in a NAT, unless the NAT router is specifically configured to forward individual protocols to single machines. In this way, NAT can enable a very powerful “firewalling” effect, despite the fact that NAT is not usually called a “firewall.”

Software firewalls
A software firewall runs on a local computer, but basically does the same job as a hardware firewall. Software firewalls inspect network data packages and decide which data to block or allow, based on rules. One of the biggest things software firewalls have going for them is that they are usually not as expensive as standalone hardware firewalls.
Another major advantage of a software-based firewall is that in addition to analyzing network traffic, it can also link each data package with the program that generates it – which is exactly what hardware firewalls can’t do. A software firewall can analyze traffic and program behavior as a whole, which means it can make decisions with much more precision than a hardware firewall ever could. For example: If a data package genuinely originates from a program that was made by a trusted software vendor, there is no need to ask each time whether to allow it, even if it violates some pre-configured rule. A software firewall will recognize this benign origin and grant an exception. A good software firewall is one that shows almost no warning messages, unless it is certain that there is a real attack and that some malicious program is attempting to gain access to your computer. An overabundance of warnings is not a good thing because it desensitizes the user to alerts. Too many warnings can be like the boy who cried wolf, or in firewall terms “the security software that shows multiple alerts every single day.” Who has not dealt with a product like that? You see so many warning messages that you eventually just click “Allow,” no matter what the warning says. These types of software firewalls are in reality just a waste of computing resources because even when they detect real threats, their users unknowingly (and understandably) allow those threats to get through. A good software firewall is also one that doesn’t block needed applications. This is after all what most users get so annoyed about with hardware firewalls (maybe you’ve experienced this at work ;). Granting permission to a certain legitimate application on a hardware firewall can be quite laborious. First, you have to open the admin interface; then, you have to find the right configuration tab and set up a complicated rule – provided of course you can understand the rule set. 
Software firewalls are better here as well because they are always locally at hand, and they are actually even smart enough to discern harmless actions, eliminating the need to configure new rules all by yourself.

When do you need a software firewall, then? The truth is, if you exclusively connect to the Internet via a local home DSL or cable account that works with NAT, you should save the money you’d spend on a software firewall and get your best mates a cup of coffee instead. Reliable antivirus software with a great detection rate and a powerful behavior blocker is all you will need. If however you are using a computer that frequently connects to the Internet via third party networks, a software firewall is worth the investment. Think of public WLANs, like at the coffee shop you took your friends to, or plugging in a network cable at some foreign hotel. Once you are connected, every other computer user on such a network can try to connect to your machine. And why would they want to do that? To try to find a leaky component that can be exploited to take control of your computer for financial gain, or to steal private data (also for financial gain). A software firewall that hides all the open ports on your computer effectively reduces the surface area and success rate of such attacks.

Frequent misconceptions about software firewalls

Misconception 1: Firewalls detect malware
The main purpose of a software firewall is to eliminate potential entry points attackers could use to get onto your computer from the outside. Software firewalls are not made to detect active malware that is already on your PC and communicating with some stranger halfway across the world. Why not? In short: Once there is active malware on your PC, it is too late. There is simply no point in blocking outgoing connections sourced by malware, because if the malware managed to run it probably also managed to disable your entire firewall and manipulate all sorts of system settings.
This is not because firewalls are incompetent – it is simply because they are not designed to block malware. Blocking malware is the work of anti-malware. A firewall instead “hides you” from the outside, by denying communication with other programs through certain “channels” or ports.

Misconception 2: Firewalls are always HIPS (host-based intrusion prevention systems)
Not so long ago, all software firewall products available did exactly what users expected them to do: Filter network data. Today, that’s still the classic definition of the term “firewall”; however, since firewall technology was soon developed to death (no more space for innovation -> all vendors offering a similar level of quality), vendors started to add new and somewhat overkill features to their firewall products, such as monitoring of all sorts of operating system changes and detection of all sorts of non-standard-compliant code executions by programs and thousands of other ‘suspect’ things that tend to fall under the term HIPS today.

The major problem with these technologies is that for all their monitoring and detection capability they are relatively dumb. They tend to raise an alert for each and every action that could possibly lead to an attack, but the truth is that about 99.9% of all such alerted actions are not malicious. As mentioned before, such alerts are annoying and even dangerous because they can train users to click “Allow,” day in, day out. HIPS are therefore recommended for experts only, who can fully understand the large amount of alerts they produce and take advantage of the extra protection layer this can provide.

This doesn’t make HIPS irrelevant to everyday users, though. In fact, the technology behind HIPS is what eventually evolved into behavior blocking, an essential component of modern anti-malware. Thanks to what behavior blocking borrows from HIPS, false alarms from antivirus software using the technology are now extremely rare.
Behavior blocking isn’t HIPS though, and neither term is freely interchangeable with “firewall.” Have a great (firewalled) day! Article source
13. Description
Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer.

Author: Henry++
License: GPL v3
Language: C/C++
Supported OS: Vista, 7, 8, 8.1, 10
Platform architecture: 32-bit/64-bit
Language: English, Russian, Simplified Chinese, Korean, French, Italian

Homepage
http://www.henrypp.org/product/wfptool
https://github.com/henrypp/wfptool

Download x86/x64 installer/portable
https://github.com/henrypp/wfptool/releases

Create your own localization
https://github.com/henrypp/wfptool/blob/master/bin/i18n/!example.txt

===================================================================
Any volunteer help to translate it into your language is welcome; it's easy and there are not so many words. I'm sure it is worth a try. WFP tool needs the language file encoded as "UTF-16 LE". Please use this to convert, choosing "utf-16 little endian":
http://www.iosart.com/tools/charset-fixer/
14. Description
Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer.

Features
Simple configuration (to understand it, it is not necessary to work at NASA).
Localization support (you may translate the interface into your language).
Adware, telemetry blocking

You can download either the installer or the portable version. To work correctly it needs administrator rights.

Settings
To activate portable mode, create "wfptool.ini" in the application folder, or move it from "%APPDATA%\Henry++\Wfp Tool".
Settings are stored in the program folder in the file "wfptool.ini".
The list of configured applications is in the file "config.xml".
The list of your rules is in "rules.xml".

Author: Henry++
License: GPL v3
Language: C/C++
Supported OS: Vista, 7, 8, 8.1, 10
Platform architecture: 32-bit/64-bit
Language: English, Russian, Simplified Chinese, Korean, French, Italian

Changelog
https://github.com/henrypp/wfptool/blob/master/CHANGELOG.md

Homepage
http://www.henrypp.org/product/wfptool
https://github.com/henrypp/wfptool

Download x86/x64 installer/portable
https://github.com/henrypp/wfptool/releases

Create your own localization
https://github.com/henrypp/wfptool/blob/master/bin/i18n/!example.txt
15. Overview
Our Free Home Use XG Firewall is a fully equipped software version of the Sophos XG firewall, available at no cost for home users – no strings attached. Features full protection for your home network, including anti-malware, web security and URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and much more.

NOTE: The Sophos XG Free Home Use firewall contains its own operating system and will overwrite all data on the computer during the installation process. Therefore, a separate, dedicated computer is needed, which will change into a fully functional security appliance. Just right for the spare PC you have sitting in the corner!

Features
Increase your Internet Bandwidth - You can make easy use of traffic shaping to prioritize application traffic over your internet connection and even subscribe to multiple ISP connections to get more bandwidth or resiliency in the event of an outage with one of them.
Monitor and control family web surfing - Use Web Filtering to stop sites from infecting you with viruses and spyware, keep your children from surfing to bad sites, and get full reporting on the activity in your home. Also set up access schedules or usage quotas for family members who may be wasting too much time online.
Access your home network from anywhere – Use VPN to access your network remotely from anywhere in the world.
Stop Viruses - Dual AV scanning engines stop viruses in file downloads, email attachments, and embedded in web sites. Sophos catches them at the gateway, before they can get in to assault your computers.
And a lot more...

What you need
Intel compatible computer with dual network interfaces. (Any previous OS or files on the computer will be overwritten when installing the XG Firewall Home Edition.)
Home Edition is limited to 4 cores and 6 GB of RAM. The computer can have more than this, but XG Firewall Home Edition will not be able to utilize it.

Source
16. The answer is YES, according to LulzSec co-founder
An analysis of the BENIGNCERTAIN exploit included in The Shadow Brokers data dump reveals that the Equation Group, a cyber-espionage group that many have linked with the NSA, had the ability to crack open Cisco PIX firewalls and extract VPN and RSA private key and other sensitive configuration details.

Over the weekend, a person, or group, named The Shadow Brokers dumped online a trove of data they said they stole from a server hosting the malware used in a live operation by the Equation Group. The hackers are now selling this data to the highest bidder in an anonymous Bitcoin auction.

Lots of firewall-cracking exploits included in the data dump
So that people would take them seriously, and to prove the legitimacy of their claims, the group leaked a series of exploits, most of them aimed at hacking enterprise-grade firewalls. Among these were exploits such as EPICBANANA, JETPLOW, and EXTRABACON, that targeted Cisco ASA devices. Other exploits like ESCALATEPLOWMAN targeted WatchGuard firewalls, while EGREGIOUSBLUNDER targeted Fortinet devices. Mustafa Al-Bassam, aka tFlow, co-founder of the LulzSec hacking crew, now a legitimate white hat researcher, says that one of the overlooked exploits is BENIGNCERTAIN.

Looking at the NSA's past hacking tools
The reason many security vendors and researchers ignored this exploit is that it targets Cisco PIX firewalls, a line of products that has reached its end of life. While other security researchers were looking into seeing what exploits still worked today, Al-Bassam and security researcher Hector Martin were analyzing the older exploits, to understand what the NSA was capable of doing in the past, when targeting old-gen devices. They discovered that the BENIGNCERTAIN exploit targeted Cisco PIX versions 5.2(9) to 6.3(4), and used three files to put together an exploitation chain that dumped the device's memory using malformed Internet Key Exchange (IKE) packets.

"The memory dump can then be parsed to extract an RSA private key and other sensitive configuration information," Al-Bassam writes in his analysis. Below is what a memory dump would look like, and the type of data the Equation Group would receive.

RSA private key structure at offset 0x%04x, size 0x%x bytes:
*** Found probable RSA private key ***
RSA public key structure at offset 0x%04x, size 0x%x bytes:
*** Found probable RSA public key ***
RSA key structure at offset 0x%04x, size 0x%x bytes:
RSA keys were generated at %s
VPN group structure at offset 0x%04x, size 0x%x bytes
Split-tunnel ACL: 0x%08x %s
Idle-time: 0x%08x [%d seconds]
Max-time: 0x%08x [%d %s]
PFS: 0x%08x %s
Clear-client-cfg: 0x%08x %s
User-idle-timeout: 0x%08x [%d seconds]
Authen. server: 0x%08x %s
Secure-unit-auth: 0x%08x %s
User authen.: 0x%08x %s
Device pass-thru: 0x%08x %s

Article source
17. Folder Firewall Blocker is a special application that is designed to block connections to EXE files in a given folder. The lightweight application achieves this by making new rules in Windows Firewall, which ensures that both outbound and inbound connections to and from the Internet of all EXE files in the specified folder are blocked.

Features:
- Option to scan subfolders.
- Blocks EXE as well as any file type you want, now with the "Extra file types" tab

Home
https://sourceforge.net/projects/folder-firewall-blocker-ffb/
Download
https://sourceforge.net/projects/folder-firewall-blocker-ffb/files/Folder Firewall Blocker 1.2.1.exe/download
18. Block Entire Folders In Windows Firewall
Folder Firewall Blocker is a free open source program for Windows devices that lets you block inbound and outgoing connections of every executable file in a specified folder.

One of the shortcomings of the Windows Firewall, and of the majority of firewall programs for Windows for that matter, is that you cannot specify paths to block all executable files stored under that path from inbound or outbound Internet connections. If you wanted to block all programs in the user folder or temporary folder for instance, you would have to specify them one by one in Windows Firewall.

If you don't want programs under a certain path to connect to the Internet, then you have only a couple of options to prevent that. You can block all connections and whitelist those that you require, use a program like Windows Firewall Notifier that displays notifications when programs try to connect to the Internet, or use Folder Firewall Blocker to block all executable files in a folder.

Folder Firewall Blocker
Folder Firewall Blocker is a simple program. All you need to do to make use of it is to launch it, click on folder to select a local folder, and then on the block button to block all executable files in that folder. A prompt is displayed when you hit the block button that acts as a confirmation. Hit yes to proceed or no to cancel the operation.

Folder Firewall Blocker adds rules for every .exe program in the folder to Windows Firewall. It highlights that in the interface while it is adding the rules. You may verify this by checking the inbound or outbound rules in Windows Firewall as well.

Shortcomings
As great as the option is to block connections of every executable file in a folder, its use is limited. The program has several shortcomings that prevent it from reaching a wider audience:
It supports only .exe files and not other executable file types.
It won't parse subfolders, only the root folder.
It won't block future additions to the folder.
While you may be able to work around the second and third issue, there is nothing that you can do about the first. You may simply run the program on each folder separately. While that works to get all exe files blocked, it may take a long time depending on the folder structure. If you wanted to block all user profile executable files from connecting to the Internet, you'd spend a long time running Folder Firewall Blocker on all folders under the path. You can run the program regularly to cover new executable files, but the protection won't be realtime.

Closing Words
Folder Firewall Blocker is a promising program that needs work. While it may be useful to some users right away, only an updated version will prove useful to a wider audience. The author should consider adding support for file types besides .exe files to the program. Options to parse all folders under the selected path would improve it further.

Now You: Which firewall do you use, and why?

Source
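The same job, with the first two shortcomings (only .exe, no subfolders) addressed, can be done directly with the NetSecurity cmdlets. This is an added example and not Folder Firewall Blocker's own code; it assumes Windows 8 / Server 2012 or later (where the NetSecurity module exists), an elevated PowerShell prompt, and a rule group name of my choosing ('FolderBlock') used to find and remove the rules it created.

```powershell
<#
  Added example, not part of Folder Firewall Blocker: create inbound and
  outbound Windows Firewall block rules for every executable under a folder.
  Assumes Windows 8 / Server 2012 or later and an elevated prompt.
  Re-run it (e.g. from a scheduled task) to cover files added later; like the
  tool above, this is not real-time protection.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Folder,
    [switch]$Recurse,                           # also walk subfolders
    [string[]]$Extensions = @('.exe'),          # e.g. @('.exe', '.com', '.scr')
    [string]$RuleGroup = 'FolderBlock'          # hypothetical group name for our rules
)

function Block-FolderExecutables {
    param([string]$Folder, [switch]$Recurse, [string[]]$Extensions, [string]$RuleGroup)

    $folderPath = (Resolve-Path -LiteralPath $Folder).ProviderPath
    $wanted = $Extensions | ForEach-Object { $_.ToLower() }
    $files = @(Get-ChildItem -LiteralPath $folderPath -File -Recurse:$Recurse |
               Where-Object { $wanted -contains $_.Extension.ToLower() })

    # Index rules created by an earlier run (program path + direction), so a
    # re-run only adds rules for files that are new since the last run.
    $existing = @{}
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        $existing["$($_.Direction)|$($app.Program)"] = $true
    }

    $added = 0
    foreach ($file in $files) {
        foreach ($direction in 'Inbound', 'Outbound') {
            $key = "$direction|$($file.FullName)"
            if ($existing.ContainsKey($key)) { continue }
            # One rule per file and direction, bound to the full program path,
            # which is what the tool above does through the GUI.
            New-NetFirewallRule -DisplayName "Block $direction - $($file.Name)" `
                                -Group $RuleGroup -Direction $direction `
                                -Program $file.FullName -Action Block `
                                -Profile Any -Enabled True | Out-Null
            $added++
        }
    }
    Write-Host ("{0} file(s) found, {1} rule(s) added." -f $files.Count, $added)
}

function Remove-FolderBlockRules {
    param([string]$RuleGroup)
    # Undo everything this script created, identified by the rule group.
    Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue
}

Block-FolderExecutables -Folder $Folder -Recurse:$Recurse -Extensions $Extensions -RuleGroup $RuleGroup
```

Verify the result with `Get-NetFirewallRule -Group FolderBlock`, which lists exactly the rules the script owns, and remove them again with `Remove-FolderBlockRules -RuleGroup FolderBlock`.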
19. Hi, I am looking for an antivirus with firewall, if possible, that I can install on my friends’ computers (a few of them), activate it, and it will work/update without my attention for more than one year. This means that the crack/trial reset will be effective for that long, or a free antivirus with firewall. I like ESET Smart Security, AVG Internet Security, Avast Internet Security, Kaspersky, Bitdefender... but from what I see, around here there are only keys that are valid for a period of time, a few months, very rarely a year. Currently I am using ESET Smart Security 8 and mara-fix v1.8 as a crack/trial reset. But mara-fix doesn't work with the new version 9 and I will have to move on from it (ESET 8). Thanks
20. For many years traditional network and endpoint security tools have been the go-to defenses that organizations have relied upon. Companies have always invested heavily in Firewalls and Anti-virus to create a perimeter-focused security infrastructure that has, until more recently, been effective enough to protect data to a reasonable degree.

However, things change, and so has the threat landscape. Most businesses are now not adequately equipped to handle today’s increasingly complex cyber threats and lack the higher-end tools required to quickly spot and recover from them, instead opting to rely on the traditional methods that functioned well enough in the past.

“The problem is, business has invested a lot into the protection they have and it's served them okay thus far, but now the bad guys have evolved to get around it and business is struggling to see why the tens of thousands of pounds worth of Firewalls that it bought last year are now ‘pointless’ according to the experts,” said Jay Abbott, MD, Falanx Cyber Defence. “Thinking you can ‘keep the bad guys out’ by building a wall and then letting all the users inside the wall request data through it from the outside world, is near lunacy,” he argued.

The facts are clear: traditional security tools, whilst still serving a purpose, are simply not enough on their own to help companies deal with threats that are constantly evolving and becoming far more targeted. They focus too greatly on protecting the perimeter, but if a hacker manages to break through the periphery, they’re pretty much free to pillage the network to their heart’s content until the attack is eventually spotted and stopped. So, what else do companies need to be doing?
Just how do they go about implementing the type of holistic security infrastructure that is up to scratch and can defend against cyber-criminals that are now so sophisticated they operate within setups that are akin to professional organizations with their own recruitment specialists and HR departments?

Abbott believes security information and event management (SIEM) goes a long way to answering that question, and it’s something that has often been overlooked. “The simple truth is you detect modern attacks through monitoring your environment for abnormal behavior,” he explained. “Tools can help, but for the most part it’s about the basics, collect all the logs, define a baseline of ‘normal’, analyze events against normal, flag ‘interesting’ events for follow-up and then investigate the interesting things. Do this proactively with a SIEM engine of your choice backed off to your in-house security team or with a managed service provider that can do it all for you.”

Luis Corrons, PandaLabs technical director, agrees, telling Infosecurity that SIEM, when used alongside Anti-virus and Firewalls, is one of the key factors in boosting a company’s security. He also explained that you can take a step further by using Endpoint Detection and Response (EDR) solutions that include SIEM, AV and FW and also add other layers of security, such as anti-exploit technologies and the ability to monitor and classify in real time all the processes running in each and every computer (workstations and servers) in the network.

“With EDR you can prevent most of the attacks, even the targeted ones, and you can even configure your most critical systems in lock mode, which means that only pre-approved software will be allowed to run there. Some vendors that provide these solutions give you the option to use their own SIEM, or in case you already have one they can connect to your current SIEM and send there all the information, IoCs, etc,” he added.
What’s clear is organizations have to be prepared to invest in and introduce these newer security techniques, and they have to avoid resting on their laurels in the hope that their traditional tools are going to keep them safe. Thanks to the Internet of Things and the Cloud, the perimeter is now limitless, so relying on security tools that focus on a quantifiable perimeter that does not exist anymore is a huge risk. Threats are changing all the time; new malware, direct and zero-day attacks are hitting companies hard, and it’s these types of attacks that the traditional tools don’t and can’t spot until it’s far too late.

Article source
21. Windows Spy Blocker is a regularly updated collection of firewall, hosts file and Proxifier rules that block Windows 10 phone-home functionality.

While Microsoft collected telemetry data in previous versions of the Windows operating system as well, data collection was intensified with the release of Windows 10. The default installation has most telemetry data settings set to enabled and, while options are provided to turn off some settings, some cannot even be turned off in the operating system's settings.

According to Microsoft, the data collecting is all for the greater good as it helps Microsoft make the product better for the user. While there is certainly some truth to that, it is not the whole story, and since no one knows what Windows 10 PCs are submitting to Microsoft at regular intervals, some prefer to block connections to Microsoft servers altogether.

Lots of tools have been created in the past year that aim to help users improve privacy when using Windows 10 machines. You can check out our comparison of privacy programs for Windows 10 for that as a starting point.

Windows Spy Blocker
Windows Spy Blocker is a collection of rules that its author has discovered while running Wireshark on a Windows 10 Professional system. The provided download includes a batch file that updates rules files, and files with the latest set of rules as well.

Hosts file
The hosts directory lists three files that block Windows Telemetry, Windows Update, and third party applications (using servers operated by Microsoft). You can copy and paste the information into the Windows hosts file directly, which you find under C:\Windows\System32\drivers\etc, or by using hosts managers, which may be easier to use and support extra features such as backing up the hosts file or restoring a previously backed up copy.

Firewall
The firewall directory includes the batch file.
You get a number of options when you run it, including one to download and add rules from the GitHub repository, or to add or remove rules so that Windows Firewall uses them on the computer.

Proxifier
Some hosts are not blocked even when they are added to the hosts file. The author of Windows Spy Blocker suggests using a top-level application such as Proxifier for these instead, and that's what this set of rules is designed for. You can use other means, like blocking hosts at the router level or on a hardware firewall if one sits between the device and the network/Internet.

Closing Words
Windows Spy Blocker offers a handy set of rules to block Windows 10 devices from phoning home. While you may be tempted to use them all without verification, it is highly suggested to make sure you are not blocking services or features that you require or use. This includes Windows Update, and especially so if you are not using other means to retrieve updates for the operating system running on the device.

crazy-max/WindowsSpyBlocker

Article source
22. Windows Firewall is the default software firewall of the Windows operating system. It is enabled automatically after installation unless another firewall has been installed already and taken over.

The firewall is configured for convenience and not maximum protection by default. Microsoft configured the firewall to block all incoming connections and allow all outgoing connections except for those for which rules exist by default. Any program for which no outbound rule exists may send data from the local computer to hosts on the Internet. Programs with phone-home functionality, regardless of whether it is designed to check for updates or for other purposes, are allowed to do so by default. Windows users may also want to be aware of what is happening in the background on their system in regards to outbound connections, as it may reveal useful information about programs and their behavior.

Blocking outbound traffic in Windows Firewall
To open the Windows Firewall configuration applet, do the following:
Tap on the Windows-key on your keyboard.
Type Windows Firewall with Advanced Security. Note: you may not need to type the full name for the result to show up.
Select the entry from the results.
If that does not work, use the following method instead:
Use the keyboard shortcut Windows-Pause to open the classic Control Panel.
Select All Control Panel Items when the new window opens.
Select Windows Firewall on the next page.
Select Advanced Settings located on the left sidebar to open the advanced firewall configuration window.

Windows Firewall Configuration
Note: While it makes sense to block outbound connections by default and create rules for the processes that you want to allow to make them, blocking outbound connections may have the effect that programs or program functionality no longer work properly. Windows Firewall in addition does not notify you when processes try to establish outbound connections.
This means that you will have to check logs to find out about it, or use third-party software like Windows Firewall Control for that.

Getting Started

Windows Firewall may use different rules for the three profiles it supports:

• Domain Profile for domain-joined computers.
• Private Profile for connections to private networks.
• Public Profile for connections to public networks.

All three profiles share the same default configuration, which blocks inbound connections and allows outbound connections for which no rules exist. Select Windows Firewall Properties in the window to change the default behavior. Switch the outbound connections setting from Allow (default) to Block on all profile tabs. Additionally, click on the Customize button next to Logging on each tab, and enable logging for successful connections. The changes block all outbound connections of processes unless a rule exists that allows the process to make outbound connections.

Once you are done, you may want to check the existing outbound rules to make sure that only programs you want to establish outbound connections are listed there. This is done with a click on Outbound Rules on the left sidebar of the Windows Firewall with Advanced Security window. There you find rules that ship with the Windows operating system, but also rules that programs have added during installation or use. Rules may be very broad (allow outbound connections to any remote address), very specific (only allow outbound connections to a specific address using a specific protocol and port), or something in between.

You can create new outbound rules with a click on the "New Rule" link under Actions. This may be necessary once you notice that programs stop working correctly. You will find all programs with update functionality in the blocked outbound connections log, as they can no longer contact remote servers to check for updates.
You may also notice that file uploads to the Internet no longer work unless you allow programs like web browsers to make outbound connections, and that web browsers may not load sites anymore. Core Windows services and tools will function properly, as outbound rules for them ship with the operating system by default. Still, some Windows features or tools may not work properly either after you start to block all outgoing connections.

That's where a program like Windows Firewall Control comes into play. The program supports several options to add rules that allow programs to make outbound connections, but only one is available to free users: click on the "select program window" button and then on the window of the program that you want to allow to make outbound connections. The registered version, available for a one-time payment of $10, adds notifications to the app which display prompts that make this process a lot easier.

Closing Words

It is certainly inconvenient to block outbound connections by default, and that is likely the main reason why Microsoft set outbound connections to Allow by default. While it takes time to configure the firewall properly, doing so gives you better control over your system and the programs running on it.

Article source
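As an added example that is not part of the article, the same deny-by-default setup done from an elevated PowerShell using the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later: logging is switched on for both allowed and dropped packets, overly broad outbound allow rules are listed for review, one narrow allow rule is created (the program path is a constructed placeholder), and Windows Filtering Platform audit event 5157 is queried to see which application each blocked outbound connection belonged to, because the firewall's own text log records addresses and ports but not the process.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's or Microsoft's code. The updater path below is a placeholder.

# 1. Deny by default on all three profiles and log allowed + dropped packets
#    (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 16384

# 2. Review enabled outbound allow rules that reach "Any" remote address;
#    these are the broad rules worth tightening before trusting the default.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        [pscustomobject]@{ Name = $_.DisplayName; Program = $prog; Remote = ($addr -join ',') }
    } |
    Where-Object { $_.Remote -eq 'Any' } |
    Format-Table -AutoSize

# 3. Allow one program explicitly, limited to TCP/443 rather than any port.
New-NetFirewallRule -DisplayName 'Allow Example Updater (HTTPS only)' `
    -Direction Outbound -Action Allow -Profile Any `
    -Program 'C:\Program Files\Example\updater.exe' `
    -Protocol TCP -RemotePort 443

# 4. Find which processes are being blocked: enable failure auditing for
#    "Filtering Platform Connection" and read event 5157 from the Security log,
#    which (unlike pfirewall.log) includes the application path.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 500 `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        $xml.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.Direction -eq '%%14593') {        # %%14593 = Outbound, %%14592 = Inbound
            [pscustomobject]@{
                Time = $_.TimeCreated
                App  = $d.Application
                Dest = "$($d.DestAddress):$($d.DestPort)"
            }
        }
    } |
    Group-Object App | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The last table is the list of programs whose outbound attempts were dropped, which is the input for deciding which narrow allow rules to add.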
  23. EVORIM Free Firewall is an advanced firewall for Windows computers that provides protection against hackers, botnets, malware and other online threats. It is a very fast and proactive firewall that thwarts all the attempts of cyber-criminals who wish to gain access to your Windows PC by making use of known vulnerabilities in Windows or third-party applications. Although the Windows operating system comes with a firewall of its own, Free Firewall extends this functionality by allowing you to quickly block any application running in the background. Every time a previously unrecognized program tries to access the Internet, Free Firewall asks you for permission, i.e. whether you want to permit or block the connection. This helps you prevent any malicious or suspicious program from accessing the Internet.

Free Firewall works in two modes: Credulous mode and Paranoid mode. Credulous mode is for people who are sure that their PC is free of malware and that they are using the latest up-to-date software. In Credulous mode, all applications are permitted to access the Internet unless you specifically block one or more of them. Paranoid mode is the complete opposite: it blocks all applications and allows only the ones that you trust to be safe. In addition to blocking or allowing applications' access to the Internet, Free Firewall also offers some other features, like blocking the telemetry data sent to Microsoft's servers, or preventing analysis or tracking of users.

Summary: Free Firewall is a very small, lightweight and yet powerful firewall for Windows PCs. It works flawlessly with Windows 7, 8.x and 10. Moreover, it can block malicious apps running in the background and prevent the attempts of the Windows telemetry services to send the user's data to Microsoft servers.

EVORIM Free Firewall Article source
  24. Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said.

The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.

"It could be difficult to hack if there was a firewall," Alam said in an interview.

The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added.

Experts in bank security said that the findings described by Alam were disturbing.

"You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions," said Jeff Wichman, a consultant with cyber firm Optiv.

Tom Kellermann, a former member of the World Bank security team, said that the security shortcomings described by Alam were "egregious," and that he believed there were "a handful" of central banks in developing countries that were equally insecure.

Kellermann, now chief executive of investment firm Strategic Cyber Ventures LLC, said that some banks fail to adequately protect their networks because they focus security budgets on physically defending their facilities.

POLICE BLAME BANK, SWIFT

Cyber criminals broke into Bangladesh Bank's system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York. Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
The police believe that both the bank and SWIFT should take the blame for the oversight, Alam said in an interview. "It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," he said, referring to SWIFT.

A spokeswoman for Brussels-based SWIFT declined comment. SWIFT has previously said the attack was related to an internal operational issue at Bangladesh Bank and that SWIFT's core messaging services were not compromised.

A spokesman for Bangladesh Bank said SWIFT officials advised the bank to upgrade the switches only when their system engineers from Malaysia visited after the heist. "There might have been a deficiency in the system in the SWIFT room," said the spokesman, Subhankar Saha, confirming that the switch was old and needed to be upgraded. "Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system," Saha said.

GLOBAL WHODUNIT

The heist's masterminds have yet to be identified. Bangladesh police said earlier this week they had identified 20 foreigners involved in the heist, but they appear to be people who received some of the payments, rather than those who initially stole the money.

Bangladesh Bank has about 5,000 computers used by officials in different departments, Alam said. The SWIFT room is roughly 12 feet by 8 feet, a windowless office located on the eighth floor of the bank's annex building in Dhaka. There are four servers and four monitors in the room. All transactions from the previous day are automatically printed on a printer in the room.

The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, "managed" switches, which allow engineers to create separate networks, said Alam, whose institute includes a cyber-crime division.
Moreover, considering the importance of the room, the bank should have deployed staff to monitor activity round the clock, including weekends and holidays, he said. Article source
  25. We've heard plenty about banks and other institutions losing money to ransomware, which essentially holds a company's data hostage in exchange for money. These kinds of attacks can be hard to combat and protect against, given the number of people using computers inside a company. But one bank has learned the hard way that you need to at least take the most basic precautions.

You may have heard about the central bank of Bangladesh earlier this year. Thanks to a typo made by the hackers, an attempt to steal more than $1 billion was foiled. However, the group still managed to get away with $80 million before they were caught. So how did they manage to get in and swipe all of that money? As it turns out, it really wasn't that hard.

You're probably familiar with the term 'firewall.' You've got one on your computer, which can help stop malicious files from doing nasty things. However, there is another type of firewall that sits between an Internet connection and the computers running on a private network. This helps keep out nefarious traffic, such as a group of hackers that wants to steal all of your money. They're commonplace in most businesses, for obvious reasons.

As it turns out, the bank in our story didn't have a firewall. Now, that still might not strike you as absurd. So let me put it this way: not having a firewall is roughly the same as choosing not to install locks on the bank doors. The idea that there is probably a lock will keep intruders away. But once someone does try the door, they'll have access to absolutely everything until someone comes along and catches them.

Instead of up-to-date networking hardware, the bank was found to be using $10 second-hand switches to keep everything connected. As someone who's worked in the IT industry for more than a decade, I can say this is the sort of thing you'd hear about at a mom-and-pop operation, not something you should ever see in a bank that handles billions of dollars.
Due to the fact that there were quite literally no real security measures, investigators are having an understandably hard time tracking down those responsible for the virtual break-in. source