SecTeer VulnDetect & PatchPro Support Forum VulnDetect
    • Secunia PSI Forum

      It seems that the Flexera guys didn't like that we, as a new user, posted about the VulnDetect project, despite them discontinuing the beloved Secunia PSI.

      We would very much appreciate if you would gently spread the word and a few links to vulndetect.org / https://vulndetect.com/?1, it is much needed, so we have a lot of testers once the alpha is ready.

      We also feel that it is important to invite all the PSI forum users to come here and join the VulnDetect forum.

      We are also very open to creating new Categories and Sub-categories here, where different, related subjects can be discussed and provide moderator privileges to those who want to contribute.

      /Tom

      posted in General Discussion
      Tom
    • [Implemented] Grouping multiple (vulnerable) programs

      group multiple instances of a vulnerable program in the listing and allow me to expand that section when I want

      Suggested by @CTaylor

      posted in Implemented Feature Requests
      Tom
    • VulnDetect: Status

      At this point, we believe that we have developed approx. 80% of the core functionality, this includes:

      • Binary to collect data on the client system
      • Scheduling of the binary
      • Data collection and parsing from the binary
      • Authentication and account management
      • Backend for curating data about software and vulnerabilities
      • Infrastructure

      ToDo:

      • Processing of the collected data / matching with the curated data
      • UI
      • Optimisation and testing of the binary
      • Curating data

      And loads of more stuff, but first we need to finish the above and get an alpha version out to you.

      /Tom

      posted in Archived
      Tom
    • RE: [Added] Libre Office - App-Request

      LibreOffice has been added. It has been added as one product, since the vendor doesn't seem to support the individual apps with individual updates.

      posted in Added App Requests
      Tom
    • RE: Nothing to see

      @ted OK, this explains, the agent did not yet do an inspection. With the current schedule it will take 10 hours.
      Btw. you may want to delete / modify the picture / comment, since it displays your IP.

      posted in Bugs and issues
      Tom
    • RE: [Implemented] Differentiate between 32-Bit and 64-Bit

      The agent already has support for this. How we display this, is decided in each rule. Thus, we may treat this independently for each program, but it seems most likely, that we will report individually, since most programs require separate updates for 32 and 64-bit versions.
      It is something that we will pay attention to and if you see errors in the results, then it should be reported individually for each program.

      posted in Implemented Feature Requests
      Tom
    • RE: Data Processing Policy

      Hi Ascendor,

      Did you read this, we do link to this during installation:
      https://secteer.com/privacy-policy-personal-carma/

      SecTeer will collect the following information for CARMA consumer accounts:

      Name (optional)
      Email / Username (mandatory)
      Password (mandatory)
      Other personal information is not required to use the product, but you may be encouraged to supply this
      IP addresses used to log in and submit data

      The SecTeer CARMA products will collect the following information from your PC or device:

      Program file names (NOT data files)
      Meta data of program files, including, but not limited to size, version information, date, hashes, digital signatures, and other header / meta information
      Directory structure i.e location of program files
      Registry information related to installed software
      Hostname or other unique identifier, to ensure correct correlation in reporting

      Unfortunately, we do not offer a way around this nor do we have any plans to offer a different way of detecting this and providing the results.

      If you are concerned about this, then you can achieve a bit more anonymity, by registering using an alternative email address and perhaps send your data via a VPN (we do not support a proxy yet, but that may be implemented at a later stage).

      And, soon, we will start anonymizing the data further i.e. by using placeholders for usernames in e.g. "c:\Users\<yourusername>". However, this has NOT been implemented yet.

      We've also planned another feature, which will allow you to exclude certain folders or drives.

      posted in Archived
      Tom
    • RE: [Added] Nitro PDF Reader Free - App-Request

      Nitro PDF Reader and Nitro Pro have been added.

      You should note that version 5 went End-of-Life long ago and should be considered insecure.

      posted in Added App Requests
      Tom
    • GUI as app, not online

      UI should be GUI not online

      Suggested by @Alex-Connolly

      posted in Feature and Functionality Requests
      Tom
    • Adobe Genuine Service (AGS) app - Uninstall

      In order to uninstall the Adobe Genuine Service (AGS) silently using the Custom Software feature, you need to download the following ZIP file:
      https://helpx.adobe.com/content/dam/help/en/enterprise/using/uninstall-creative-cloud-products/jcr_content/root/content/flex/items/position/position-par/procedure/proc_par/step_0/step_par/download_section/download-1/Win_AdobeGenuineCleaner.zip

      Once extracted, you need one file:
      AdobeGenuineCleaner.exe

      AdobeAGS-Uninstall.PNG

      This requires one argument --UninstallUserDriven

      You are now ready to assign it to one or more hosts in order to uninstall this service.

      posted in [Corporate] Deployment -> Custom Software
      Tom
    • RE: [Implemented] Show Available Version

      Secunia includes both an Installed version number and (if different), a Secure version number of each program. The latter is useful for when I need to find the update myself.

      Suggested by @HempOil

      posted in Implemented Feature Requests
      Tom
    • RE: Show Reason for Unsafe Status

      report on programs with security vulnerabilities for which a patch is not yet available (zero-days). This should be categorized separately from other things (patches available or bugfix/feature updates).

      Suggested by @CTaylor

      posted in Feature and Functionality Requests
      Tom
    • Microsoft 365 / Office - Updating

      Updating your Microsoft 365 installations using Custom Software is very easy.

      We have made the below simple sample code, which will update it in a safe manner.

      You may want to alter this:
      /update user displaylevel=false forceappshutdown=false

      The displaylevel can be set to true, then the user will see a popup.

      And you would be able to close the apps by changing forceappshutdown to true. Our tests show that this is safe, as it doesn't close the apps, if people have unsaved documents open. However, please test this on a few hosts, before doing this across the entire company network.

      # Default Click-to-Run locations for 64-bit and 32-bit installations
      $path64 = "C:\Program Files\Common Files\microsoft shared\ClickToRun"
      $path32 = "C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun"
      $file = "OfficeC2RClient.exe"
      # displaylevel=false: no popup for the user; forceappshutdown=false: running apps are not closed
      $arguments = "/update user displaylevel=false forceappshutdown=false"
      # Start the Click-to-Run client with the update arguments and return the process object
      function updateOffice ($clicktorun, $arguments) {
          Start-Process -PassThru -FilePath $clicktorun -ArgumentList $arguments
      }
      # Use the first client found; report an error if neither default location has it
      if (Test-Path -LiteralPath "$path32\$file" -PathType Leaf -ErrorAction SilentlyContinue) {
          updateOffice -clicktorun "$path32\$file" -arguments $arguments
      }
      elseif (Test-Path -LiteralPath "$path64\$file" -PathType Leaf -ErrorAction SilentlyContinue) {
          updateOffice -clicktorun "$path64\$file" -arguments $arguments
      }
      else {
          Write-Host "Error: $file not found in default locations, aborting."
      }
      

      NOTE: A signed edition of the script can be found here:
      https://stream.vulndetect.com/e/update-office.ps1

      Remember to select All files:
      All files.png

      MS 365 Update.png

      posted in [Corporate] Deployment -> Custom Software
      Tom
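The post above points to a signed edition of the update script. One way to check that signature before assigning a downloaded copy to hosts, as an added example that is not part of the original post or SecTeer's code: the function name `Test-SignedScript`, the optional pinned thumbprint and the temporary unsigned sample file are assumptions made for illustration.

```powershell
# Added example: only treat a script as deployable when its Authenticode
# signature validates and, optionally, comes from a pinned publisher.
function Test-SignedScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: thumbprint of the publisher certificate you chose to
        # trust, obtained out of band. Empty string skips the pin check.
        [string] $ExpectedThumbprint = ''
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File not found' }
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $signer  = $sig.SignerCertificate
    $subject = $null
    if ($signer) { $subject = $signer.Subject }

    $reason = $null
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        # Covers NotSigned, HashMismatch (file changed after signing), NotTrusted, ...
        $reason = "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    elseif ($ExpectedThumbprint -and $signer.Thumbprint -ne $ExpectedThumbprint) {
        $reason = "Signed by unexpected certificate $($signer.Thumbprint)"
    }

    [pscustomobject]@{
        Path    = $Path
        Trusted = ($null -eq $reason)
        Reason  = $reason
        Signer  = $subject
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Constructed sample: an unsigned script, which the check must reject.
$demo = Join-Path $env:TEMP 'constructed-unsigned.ps1'
Set-Content -LiteralPath $demo -Value 'Write-Host "constructed sample"'
$result = Test-SignedScript -Path $demo
$result | Format-List
if (-not $result.Trusted) { Write-Warning "Not deploying: $($result.Reason)" }
Remove-Item -LiteralPath $demo
```

Run the same function against the downloaded `update-office.ps1`; recording the reported SHA-256 alongside the deployment makes later changes to the file easy to spot.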
    • RE: [Duplicate] New Status "Outdated" (for non-security updates)

      Categorize programs that have security vulnerabilities separately from those that are just bug fixes and feature updates. Best would be a simple filter. I could look at just security vulnerabilities normally, but would flip a switch to see bug fixes/ feature updates

      Suggested by @CTaylor

      posted in Implemented Feature Requests
      Tom
    • RE: Show Reason for Unsafe Status

      @gregalexandre Yes, this is due to the way we detect programs. One of the upcoming features of our rules, will be the ability to "group" based on what program it was bundled with. 7-zip is bundled with a lot of different apps, including certain Nvidia packages, so, in the future, you should only see Nvidia, and then when you expand Nvidia, you will see that it also includes 7-zip (which can't be updated). But again, that is part of the many things we are still working on, so please be patient.

      posted in Feature and Functionality Requests
      Tom
    • Passwords, identities and data breaches

      Hi,

      With this post, I’d like to encourage everybody to share and discuss their views on subjects related to IT-security and privacy.

      One thing that I personally have spent a lot of time refining over the past years, is my handling of the ever increasing number of services and apps that I rely on, and the credentials used to authenticate with these.

      I don’t believe that I have the perfect solution, if such a thing ever will exist. However, I’ve aimed for a reasonable compromise between usability and security. Too often, the two don’t go well hand-in-hand, but I am growing increasingly pleased with my own little semi-homegrown solution.

      But before we go on to that, I want to ask you, if you ever checked whether your credentials were exposed somewhere online?

      One good site to check this is (feel free to suggest others):
      https://haveibeenpwned.com/

      The intentions behind the site seem legit and genuine, the guy behind it is Troy Hunt.

      One of my email addresses is currently listed as breached from 3 well known sites.

      Fortunately, I’ve never used any of these three services for anything I deem sensitive, nor did I reuse my credentials, so I am pretty sure that the risk of this having any further impact on me, is very limited.

      One easy way to avoid reusing credentials is to let your browser remember usernames and passwords for the sites you visit.

      Personally, I HATE that concept.

      Why do I hate this?

      Well, I like technology, and I like to be free. If I use one browser to store my credentials, then I am stuck, at least with the browser, perhaps even with both the Operating System and the browser.

      Yes, I do know that most browsers are so nice and offer to share your settings (and credentials) between devices, and today you can even get Edge for Android, Firefox and Chrome (Chromium) are on all platforms I use, so is Opera. Yet, I would risk being stuck with one browser or having to import / export between them. No fun.

      Also, what is the most exposed piece of software on your rig or device? The browser! So not a particularly good place to store all your sensitive passwords IMHO.

      So, what’s the solution then?

      Well, I don’t know what will work for you. But I chose, years ago, to go with a simple old school password manager.

      The one I chose, stores all usernames, URLs, passwords, comments, and even files, encrypted. It’s KeePass 2 or KeePassXC, depending on the platform I use.

      There is a bunch of plugins and stuff you can use, to make it run on other platforms or integrate with your favorite browser(s). Personally, I use the plain vanilla editions of the two, with no additional tools.

      Because of the encryption, utilized by KeePass, I feel fairly safe, even though I actually share my password database between all my platforms via a (public) cloud drive service.

      I will not go into which cloud drive service is better for this purpose, and you may have to play around to find the one that suits your needs best, as not all cloud drives behave equally well, on all devices.

      One thing you need to ensure, is that the cloud drive is fast at recognizing changes to the password database and syncing it with the cloud.

      I’d like to stress one little annoying thing, when it comes to syncing between devices, sometimes you may find that updating on one device overwrites the changes made by another device, if you didn’t load the latest version, before adding a new set of credentials.

      I “solved” this, in a reasonably neat way, using a feature in KeePass 2, called “Synchronize” -> “Synchronize with File”. This allows merging / synchronizing two password databases (that share the same password / keyfile).

      To support this, I have the following structure of files:
      • MyMasterPasswordDatabase.kdbx
      • LaptopPasswordDatabase.kdbx
      • HomeRIGPasswordDatabase.kdbx
      • TabletPasswordDatabase.kdbx

      In other words, I have one database file for each device. This ensures that I never accidentally overwrite changes made on another system. The only thing you need to remember, is to close the password database, when you stop using a device, but that ought to be part of your best practices anyway, no need to let all those passwords float unencrypted in memory, when it isn’t needed.

      Occasionally, I will open the “master” file and sync it with all the other files. Practically, this ends up being something I do once or twice a week.

      Note, you need to sync all of them twice. This way all changes from each file are stored in the master and in turn the changes made in the master are stored in the other files. This operation only takes a few seconds.

      At this point I manage a total of more than 500 sets of credentials. I reckon that around 80-100 are used more or less frequently, the remainder may be purely historical and could probably be deleted, however, given the structure and search features of KeePass, I don’t really feel a need to tidy the contents of my database. And sometimes you happen to revisit a service that you haven’t used for years and then it is a great feeling to still have the credentials.

      For most people, this may seem tedious and troublesome at first, but I find this much better, and more convenient, than having a few fixed credentials that I use everywhere or keeping a spreadsheet or other insecure document with credentials.

      Currently, I remember about 10 sets of credentials, this includes PIN codes, phone screen lock, system passwords, KeePass password, and a few more. These are never stored in my KeePass, because I use them so frequently (that I easily remember them) and I need them to access the systems where I store my KeePass file(s). But the remaining, around 500, they are safely and conveniently stored in my KeePass.

      Once you get going with your password manager, then remember to play with the shortcuts, you will find that getting the credentials using autotype and similar features is very convenient.

      A few extra tips for added security

      The default setup is probably good enough for most, and “perfectly” safe, as long as the password you use for your KeePass is unique and fairly strong.

      However, I also chose to add the security of a “Key file / provider”. This is a “secret” file, which you need to keep safe and far away from your cloud drive.

      My “Key file” has never been on any public system, nor has it been sent via any network. It has only been transferred from device to device using an (encrypted) USB stick. But be aware, if you lose this file, then you will NEVER be able to access your password database again, so this measure is not for the faint of heart.

      Another thing I did, was to change the “Key transformation” and increase the number of “Iterations”. This basically means that your password is “hashed” X number of times, before it is used to unlock the master key for the database. The larger the number, the harder it is to brute force your password, but be aware, that if the number is too high, then it will take a long time to open your database. In my opinion, any number that allows the transformation to happen in less than a second is acceptable. In other words, this allows you to have a shorter and more simple password for your database. My password is more than 20 characters long, which may be slightly exaggerated.

      Oh, one last thing, DO NOT USE the “Windows user account” option for unlocking. Read the fine warnings to learn why. No matter how convenient or tempting this may sound, then it is only good and useful in enterprise environments or if you are an expert in Windows networking.

      I’d love to hear how you deal with your credentials, feel free to comment and suggest alternative approaches.

      posted in General Discussion
      Tom
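The "less than a second" rule for the key transformation in the post above can be measured rather than guessed. The following is an added example, not part of the original post and not KeePass code: it uses PBKDF2-HMAC-SHA256 from .NET as a stand-in for KeePass's own key derivation (AES-KDF or Argon2), and the password, salt, iteration counts, 40-bit entropy figure and attacker speed-up are constructed assumptions.

```powershell
# Added example: time an iterated key derivation, find the iteration count
# that fits a one-second unlock delay, and show what it costs a guesser.

function Measure-KdfSeconds {
    param([Parameter(Mandatory)] [int] $Iterations)
    $salt   = [byte[]]::new(16)   # constructed all-zero salt, demo only
    $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new('constructed-demo-password', $salt, $Iterations, $sha256)
    try {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        [void] $kdf.GetBytes(32)            # the iterations run here
        $sw.Stop()
        return $sw.Elapsed.TotalSeconds
    }
    finally { $kdf.Dispose() }
}

function Get-IterationsForDelay {
    param([double] $TargetSeconds = 1.0, [int] $ProbeIterations = 200000)
    [void] (Measure-KdfSeconds -Iterations 1000)              # warm-up run
    $probe = Measure-KdfSeconds -Iterations $ProbeIterations
    # Cost is linear in the iteration count, so scale the probe to the budget.
    [int] [math]::Floor($ProbeIterations * $TargetSeconds / $probe)
}

function Get-AverageSearchYears {
    param(
        [double] $EntropyBits,          # strength of the master password
        [double] $SecondsPerGuess,      # one key derivation on this machine
        [double] $AttackerSpeedup = 1   # assumption: attacker hardware advantage
    )
    $guesses = [math]::Pow(2, $EntropyBits - 1)   # on average half the space
    $guesses * $SecondsPerGuess / $AttackerSpeedup / (365.25 * 24 * 3600)
}

$oneSecond = Get-IterationsForDelay -TargetSeconds 1.0
foreach ($n in 6000, 600000, $oneSecond) {        # constructed sample settings
    $secs = Measure-KdfSeconds -Iterations $n
    [pscustomobject]@{
        Iterations    = $n
        SecondsToOpen = [math]::Round($secs, 3)
        # Each doubling of the iteration count adds one bit of work per guess.
        WorkBitsAdded = [math]::Round([math]::Log($n, 2), 1)
        YearsFor40Bit = Get-AverageSearchYears -EntropyBits 40 -SecondsPerGuess $secs -AttackerSpeedup 1000
    }
}
```

The iteration count only multiplies the cost of each guess; it does nothing for the key file, which protects the database independently of the password.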
    • [Implemented] Auto-Update Applications

      option of having updates installed automatically

      Suggested by @CTaylor

      posted in Implemented Feature Requests
      Tom
    • RE: VulnDetect Agent should notify Available Updates

      What you mean is that there should be a notification on the Windows system and not just in the Web UI?

      posted in Feature and Functionality Requests
      Tom
    • RE: [Solved] OpenSSH - Why is this found?

      This is detected because it also is an independent program, which you may download and install.
      We will not detect system components that are not accessible as standalone programs.
      But I suppose we need to add OpenSSH to the list of products that need contextual rules, so only the user managed versions will be reported and not the one managed by Windows.
      Thank you for highlighting this.

      posted in Solved Detection Issues
      Tom
    • New users, approvals and scammers

      Hi,

      Welcome to VulnDetect dot org, the forum for discussing SecTeer VulnDetect and related subjects.

      Sadly, we have been flooded with SPAM and SCAM posts from simpleminded individuals, criminals and underpaid off-shore workers.

      We have therefore started a crude campaign to delete a vast number of accounts and the posts they attempt to make.

      Sadly, it appears that we occasionally delete a legitimate post or user. We apologize for that.

      Doing a proper vetting of a single registration and post is simply too time consuming.

      We have therefore changed the registration process, so first of all you have to answer a simple question, it appears to stop half of the simpleminded individuals who are tasked with spamming sites such as ours, the rest, that means both legitimate users and scammers with a bit of cognitive abilities have to wait for an admin to reject or accept their profile.

      We will attempt to do this daily, but can't promise that it always will be done in a timely fashion.

      Most users who should have access to this site either already have a connection to a user in our community or know an employee who works here. If not, please do spend a few minutes on the forum or on the parent website, to find alternate contact information and send us a request to approve your profile and post.

      We apologize for all this, but we want to ensure that this forum has a high degree of relevant posts, without boring scam posts about ED, travel advice, erotic services and similar totally irrelevant and probably fraudulent content.

      Thank you for your patience and understanding!

      posted in Announcements
      Tom