Daily Archives: February 16, 2016

The Windows 10 Security Settings You Need to Know

So you finally installed Windows 10 and joined the ranks of the other 67 million users. You open your browser to search for a place to grab lunch, and Bing already knows your location. You notice that all the banner ads are geared toward your secret knitting hobby. And when you open Cortana to ask what’s going on, she knows your name and the embarrassing nickname your mother calls you.

This may seem like a stretch, but you’d be surprised by the amount of personal information Windows 10 collects from its users, including phone numbers, GPS location, credit card numbers, and even video and audio messages. Of course, Microsoft’s privacy statement outlines all the data that is collected, and you agreed to this when you downloaded Windows 10 and checked the terms of service.

In this Age of the Unread Terms of Service Agreement, it’s important to, well, read the ToS. It’s too easy for our technologies to gather personal information without our realizing it. Microsoft is far from the only perpetrator, but since it just delivered us an exciting new operating system, it’s time to dig into those settings.

The Fine Print

In the privacy statement mentioned before, Microsoft goes through three ways it uses personal data: “(1) to operate our business and provide (including improving and personalizing) the services we offer, (2) to send communications, including promotional communications, and (3) to display advertising.” If you want to know more about what Microsoft is talking about, I highly encourage you to browse the privacy statement (seriously), but here’s the gist of it:

1. “To operate our business…”: Many of Microsoft’s applications require personal information in order to operate. For example, if you are using the Maps application, it will need your location to function properly. This instance makes sense, but not all applications are quite as direct with their usage of your information. Cortana also uses your location, and the only way to prevent this is to not use Cortana. Microsoft also collects data to understand why certain applications crash in order to improve them, but this also means tracking your usage of these applications. This means that if Microsoft Office crashes while you are using it, Microsoft will be able to see the Excel or Word documents that were open during the crash.

2. “To send communications…”: Microsoft gathers contact information to make sure it can reach you if any of its primary means of communication fail. Recall that Microsoft already disclosed in the privacy statement that it collects the phone number, email, and mailing address of its users. But Microsoft mainly disclosed that it uses this information to send promotions. Microsoft does this because it wants you as a loyal customer, but to manage these communications click here if you have a Microsoft account, or here if you do not. It is also important to mention that this information is shared with “Microsoft partners.”

3. “To display advertising”: It seems like standard internet procedure to track users in order to sell ads. Facebook does it, Google does it, and Microsoft does it. Microsoft generates revenue from ads, and by selling demographic information to third-party advertisers, Microsoft can make even more. This is called interest-based advertising, and Microsoft even gives you your own advertising ID to make things easier. You can opt out of interest-based ads by following this link. However, opting out does not prevent data collection, nor does it result in fewer ads.

Turning Off the Tracking

First things first: Head to your privacy settings. Hit Start, then find Settings, then click Privacy. From the Privacy menu you can alter how your computer uses the information from your location, microphone, camera and so on. While in the Privacy menu, you’ll want to click Feedback & Diagnostics and change the Feedback Frequency to “never” and Diagnostic and Usage Data to “basic.” Doing this limits the diagnostic and usage data Microsoft gathers to the minimum the system allows.

Guard Your Browser History

Edge sends your Internet browsing history to Microsoft in order to “help Cortana personalize your experience.” You can turn this off by clicking on the ellipsis button in the top right corner of Edge, then going to Settings > Advanced Settings > View Advanced Settings, and under Privacy and Services turning off “Have Cortana Assist Me in Microsoft Edge.” And while you’re in the Privacy and Services menu, make sure you turn off “use page prediction to speed up browsing, improve reading, and make my overall experience better” (which is an incredible title for a default setting).

Don’t Get Tricked Into Creating a Microsoft Account

Windows 10 also prompts you by default to create a Microsoft account, but you should probably skip this if you are concerned about your private information. Not creating an account will keep your activity and information local to your computer, while having an account will create a link for Microsoft to piece all of the metadata it gathers back to your identity. Before creating a Microsoft account, be sure to read up on its privacy policy.

In order to delete or manage your Microsoft account go to Settings > Accounts > Your Account.

Exercise Cortana Caution

While Cortana may be one of the most exciting parts of Windows 10, she’s a bit intrusive. Microsoft prides itself on Cortana’s ability to learn about you and create a more personal experience, but in order to do this Cortana has to gather a lot of information from you. This information ranges from location and contacts to speech and handwriting data. Perhaps most significantly, all your interactions with Cortana are stored in the cloud.

All of this is part of Microsoft’s attempt to make Windows 10 more personalized, but if that sounds too creepy for you, you can adjust your settings by logging in here. From there you can clear the “interests” data that Cortana and Bing learned about you, as well as clear other Cortana data including “Speech, Inking and Typing” information.

Make sure to recheck your settings after each Microsoft update!!

Password cracking attacks on Bitcoin wallets net $103,000

Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years’ worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required.

The heists were carried out against almost 900 accounts where the owners used passwords to generate the private encryption keys required to withdraw funds. In many cases, the vulnerable accounts were drained within minutes or seconds of going live. The electronic wallets were popularly known as “brain wallets” because, the thinking went, Bitcoin funds were stored in users’ minds through memorization of a password rather than a 64-character private key that had to be written on paper or stored digitally. For years, brain wallets were promoted as a safer and more user-friendly way to secure Bitcoins and other digital currencies, although Gregory Maxwell, Gavin Andresen, and many other Bitcoin experts had long warned that they were a bad idea.

The security concerns were finally proven once and for all last August when Ryan Castellucci, a researcher with security firm White Ops, presented research at the Defcon hacker convention that showed how easy it was to attack brain wallets at scale. Brain wallets used no cryptographic salt and passed plaintext passwords through a single hash iteration (in this case, the SHA256 function), a shortcoming that made it possible for attackers to crack large numbers of brain wallet passwords at once. Worse, a form of the insecurely hashed passwords is stored in the Bitcoin blockchain, providing all the material needed to compromise the accounts.

By contrast, Google, Facebook, and virtually all other security-conscious services protect passwords by storing them in cryptographic form that’s been passed through a hash function, typically tens of thousands of times or more, a process known as key stretching that greatly increases the time and resources required by crackers. The services also use cryptographic salt, a measure that requires each hash to be processed separately to prevent the kind of mass cracking Castellucci did. Security-conscious services also go to great lengths to keep password hashes confidential, a secrecy that’s not possible with Bitcoin because of the transparency provided by the blockchain.

Brain drain

According to a recently published research paper, the brain wallet vulnerability was known widely enough to have been regularly exploited by real attackers going after real accounts. Over a six-year span that ended last August, attackers used the cracking technique to drain 884 brain wallet accounts of 1,806 bitcoins. Based on the value of each coin at the time the theft took place, the value of the purloined coins was $103,000.

“Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify,” the paper authors wrote. “In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”

The paper, titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets,” is scheduled to be presented later this month at the Financial Cryptography and Data Security 2016 conference. Its publication comes about six months after Brainwallet.org, the most widely used Bitcoin-based brain wallet service, permanently ceased operations. The service voluntarily shut down following the Defcon presentation by Castellucci, who is one of the authors of the most recent paper.

To identify brain wallets and then crack them, the research team compiled 300 billion password candidates taken from more than 20 lists, including the Urban Dictionary, the English language Wikipedia, the seminal plaintext password leak from the RockYou gaming website, and other large online compromises. By collecting words and entire phrases from a wide body of sources, the researchers employed a technique Ars covered in 2013 that allowed them to crack words and phrases many people would have considered to be strong passwords. Cracked passphrases included “say hello to my little friend,” “yohohoandabottleofrum,” and “dudewheresmycar.”

The researchers ran each password candidate through the SHA256 function to derive a list of potential private keys for Bitcoin addresses used by brain wallets. They then used a cryptographic operation based on elliptic curves to find the public key corresponding to each potential private key. Since the Bitcoin blockchain contains the public key of every account wallet, it was easy to know when a password guess was used by a real Bitcoin user.
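The two weaknesses named above (no salt, a single SHA256 pass) and the derivation just described are easiest to see side by side. The following is an added illustration, not code from the article or the Brain Drain paper: it derives a brain-wallet key exactly as described (one unsalted SHA-256 of the passphrase), omits the elliptic-curve step to a public key, and uses PBKDF2-HMAC-SHA256 as a generic stand-in for the salted, iterated hashing the article attributes to services like Google and Facebook. The candidate passphrases are the three the article quotes as cracked.

```python
"""Why one unsalted SHA-256 loses to a precomputed table, and what salt and stretching change.

Added example, not code from the article or the paper it reports on. The elliptic-curve
step (private key -> public key -> address) is left out; PBKDF2 is a stand-in KDF."""
import hashlib
import secrets

# The three passphrases the article reports as cracked, used here as a tiny candidate list.
CANDIDATES = ["say hello to my little friend", "yohohoandabottleofrum", "dudewheresmycar"]


def brain_wallet_key(passphrase: str) -> bytes:
    """Brain wallet derivation: a single SHA-256, no salt.
    Every user who picks this passphrase ends up with this exact 256-bit private key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def stretched_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256, stand-in for real key stretching).
    The same passphrase gives a different key per salt, and each guess costs `iterations`
    HMAC computations rather than one hash."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def build_table(candidates) -> dict:
    """Precomputed table of brain-wallet keys. Because there is no salt, one table built
    once matches every wallet that ever used one of these passphrases."""
    return {brain_wallet_key(c): c for c in candidates}


def lookup(table: dict, key: bytes):
    """Return the passphrase behind `key` if the table contains it, else None."""
    return table.get(key)


def hashes_per_candidate(n_wallets: int, iterations: int, salted: bool) -> int:
    """Hash computations needed to test ONE candidate against n_wallets wallets.
    Unsalted: one hash covers all of them. Salted: recompute per wallet, stretched per guess."""
    return iterations * n_wallets if salted else 1


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    victim = "dudewheresmycar"
    print("brain wallet lookup:", lookup(table, brain_wallet_key(victim)))
    salt = secrets.token_bytes(16)  # per-user random salt defeats the shared table
    print("salted+stretched lookup:", lookup(table, stretched_key(victim, salt)))
    print("hashes to test one candidate vs 884 wallets, salted:", hashes_per_candidate(884, 100_000, True))
```

With salt, the table built for the brain-wallet scheme finds nothing, and the work to test a single candidate against the 884 wallets in the study grows from one hash to 88,400,000 HMAC computations at 100,000 iterations.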

The paper reported that vulnerable accounts were often drained within minutes of going live, and in an interview, Castellucci said that some accounts were liquidated in seconds. Castellucci said he suspects the speed was the result of attackers who used large precomputed tables containing millions or billions of potential passwords. While many of the attackers who drained vulnerable accounts earned paltry sums for their work, the top four drainers netted a total of about $35,000 among them. Meanwhile, the drainer who emptied the most brain wallets—about 100 in all—made $3,219.

The thefts were often chronicled in online forums, where participants would report that their Bitcoin wallets had mysteriously been emptied. For a while, people assuming the role of a digital Robin Hood claimed to crack vulnerable wallets, drain them of their contents, and then wait for the victim to publicly complain of the theft on Reddit or various bitcoin forums. The Robin Hood and Little John hackers would then claim to return the funds once the victim proved control of the compromised private key.

While plenty of people publicly warned of the risks of brain wallets over the years, the vulnerability was often dismissed as theoretical. Brain wallets are now generally shunned by Bitcoin users, but Castellucci warned that an alternative cryptocurrency known as Ethereum can use a brain wallet scheme that’s every bit as weak as the Bitcoin one was. He is withholding details for now in the hopes that Ethereum brain wallets will soon be abandoned.