grand stream dreams

Sunday, April 28, 2013

ForSec News Roundup

Final GSD post of the weekend.

Strategies of a world-class computer security incident response team - Help Net Security - Carson Zimmerman presents “…ten fundamental qualities of an effective CSIRT that cut across elements of people, process, and technology.” Run-time is just over 33 min.

ProcDOT - Visual Malware Analysis - SANS Computer Forensics and Incident Response blog. Christian Wojner introduces it thusly…“It correlates Procmon logfiles and PCAPs to an interactively investigateable graph. Besides that ProcDOT is now also capable of animating the whole infection evolution based on a timeline of activities. This feature lets you even quickly find out which server or which requests were responsible that specific data/code got on the underlying system, by which process it was written, how often, who injected what, which autostart registry key was set, what happened when, and so forth ...” Get it via ProcDOT - CERT.at

From the ProcDOT project page:

Screenshot

Instruction-Media

The User Interface
Tutorial-Video 1: The User Interface
Tutorial-Video 2: The Graph
Tutorial-Video 3: Analysis (Part 1)
Tutorial-Video 4: Analysis (Part 2): The Timeline

Over at the ISC Diary blog, Mark Baggett has been posting a great series of articles examining the tug-and-pull between those in IT/Sec who advocate a full OS wipe/reload after a malware infection and those who say “save-time-and-clean-it” by removing the malware infection, but not reimage the system. There still seems to be some kind of mysterious desire by staff to possibly prove what a clever IT person we are by digging an infection out of a system rather than just recovering the user’s data, wiping the system, then restoring it from a clean image and putting the data back. Maybe we all want to be a hero. However, as Mark’s posts show, if not done properly and effectively, the malware may remain persistently hidden but functional and you may be back before you know it (and the rest of your data secrets lifted or network exploited). These posts are a good guide and gut-check for how challenging these threats can play hide-and-seek. Familiarity with these techniques might be your last line of defense if your shop doesn’t have a fast-n-hard policy of recover/wipe/restore remediation.

Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1 - ISC Diary blog
Wipe the drive! Stealthy Malware Persistence - Part 2 - ISC Diary blog
Wipe the drive! Stealthy Malware Persistence - Part 3 - ISC Diary blog
Wipe the drive! Stealthy Malware Persistence - Part 4 - ISC Diary blog

Tracking Down Persistence Mechanisms - Journey Into Incident Response blog - Not to be outdone, Corey Harrell does a great companion-piece to the ISC Diary blog posts above. Corey details how he uses Microsoft Autoruns utility in that process.

From one of the comments there, we jump over to Finding Evil: Automating Autoruns Analysis post over in the trustedsignal blog from Dave Hull.

And then in spot-on timing within the ForSec community, Mark Woan at woanware releases a new utility called autorunner.

“Autorunner is based upon the AutoRuns tool by the Sysinternals/Microsoft gurus. It is designed to perform automated Authenticode.aspx) checking for binaries designed to auto-start on a host. Its primary purpose is to aid forensic investigations.

“…autorunner is designed to work around all of these issues. It will check against all user profiles associated with the host. It will parse out LNK files to the actual binary (one level down). It allows the user to specify multiple drive mappings, so that if the forensic image contains multiple partitions you can map the original drives to mounted drives on the forensic workstation.
“The application should be used against a forensic image that has been mounted using whatever method you desire.”

Securely wiping an SSD - TinyApps blog - Getting back to the drive-wiping thought, this quick-post reminds us of some of the hazards of attempting to sanitize a SSD device. Some might think using a SSD device to hold image captures might be a good idea but if you do, be sure it is one you can truly “zero-out” and sanitize before porting your image over to it! Does anyone use SSD devices yet for that purpose? What other challenges (cost aside) would this present. Are there any benefits to a SSD over a HDD for storing or capturing disk images?

Placing the Suspect Behind the Keyboard – NEW BOOK! - Windows Forensic Environment - Congratulations to Brett Shavers for his new book! It’s been added to my Amazon.com wish-list queue for triggering once my next Amazon.com gift certificate ship comes into port.

Tool Time - The Hacker Factor Blog - A great post in the theme of “know your tools” before you trust the results they provide. One of the gem finds in Dr. Neal Krawetz’s post is his link to the National Institute of Standards and Technologies (NIST) and National Institute of Justice (NIJ) 2012 Computer Forensics Tool Testing Handbook from their computer forensic tool testing program. It’s got 173 pages of goodness to review. The latest publications can be found on this Topical Collection: Computer Forensic Tool Testing Publication Database | National Institute of Justice.

4:mag Issue #1 - Forensic 4cast. A very nice and slick digital publication debuts. This edition covers topics in iOS device/application data & malware, starting out in the digital forensics field, and hard-drive secrets.

The students over at the Champlain College Computer & Digital Forensics department have been busy working on papers addressing Private Browsing. Expect more in this series:

Private Browsing Forensics: Introduction - (PDF Link) Private Browsing Forensics: Introduction
Private Browsing Part 2 - (PDF Link) Private Browsing Part 2

RegRipper Ripper (3R) and the list of reg keys covered by RR plugins - hexacorn bog.

RegRipper Consolidation - Windows Incident Response blog. Harlan and crew have been super-busy trying to clean house and tie up some loose ends in the RegRipper landscape. This new effort should help make “one-stop-shopping” and development support for RegRipper and plug-ins much easier. Additionally, Harlan has been working hard on the blog to post additional background information on some of myriad (Cory referred to 280+ in his post) RegRipper plug-ins.

Forensic 4cast Awards 2013 – Meet the Nominees - Forensic 4cast. Voting is now open. You can place your votes here.

Encrypted Disk Detector Version 2 - SANS Computer Forensics and Incident Response blog - Chad Tilbury announces and introduces a new version that is out. Get it here over at Magnet Forensics.

What is "up to date anti-virus software"? - ISC Diary.Great post and great discussions in the comments.

Case Leads: LivingSocial Hack, New Cyber Warriors, analyzeMFT update and more... - SANS Computer Forensics and Incident Response blog

Cheers!

--Claus Valca.

ForSec LiveCD bits

Things have been fairly quiet in the ForSec LiveCD world since the Kali Linux distro dropped.

They dropped a minor update last week for Kali Linux Accessibility Improvements for blind or visually impaired users. That was a nice touch.

CAINE 4.0 and NBCaine 4.0 codename "Pulsar" released! - CAINE. Main features include the 3.2.0-38 kernel & GuyMager 0.7.1, additions of LibreOffice 4.0.1, Squliteman, Remote Filesystem Mounter, adparm, netdiscover, and fixes to netcat works and GHex. On the windows side of the CD, NirLauncher with FTK Imager and Sysinternals tools packed in as well. Lots of neat improvements here so go download your ISO!
New Release of REMnux Linux Distro for Malware Analysis - Lenny Zeltser on Information Security announces Version 4 of the REMunx Linix Distro.
Installing the REMnux Virtual Appliance for Malware Analysis - SANS Computer Forensics and Incident Blog has a great walkthough post from Lenny Zelter.
ISC Handler Lenny Zeltser's REMnux v4 Reviewed on Hak5 - ISC Diary. Review picks up at the top by Hak5’s host Shannon Morse.

REMnux: A Linux Distribution for Reverse-Engineering Malware - Home page and download links
WinFE and UEFI Secure Boot! - Windows Forensic Environment blog. Brett Shavers has some notes of interest on some of the technical challenges facing WinFE users with UEFI secure booting.
WinFE CTIN 2013 Presentation - Windows Forensic Environment blog. Brett Shavers has graciously shared his WinFE presentation: WinFE CTIN (PDF file link).

--Claus V.

Browsers Browsers Everywhere!

…and in browser news and trends, things are getting pretty interesting…

Firefox/Mozilla

Firefox turns 20—version 20, that is - Ars Technica
Firefox 20.0: Find out what is new - GHacks.net
New In Firefox 20: Private Window, Improved Download Manager & More - AddictiveTips blog
Download Manager Tweak - Firefox Extension Guru's Blog. I actually like the new Download Manager feature a lot, still haven’t yet shed my Download Statusbar Add-on in Firefox. But I probably could and likely will.
Download Manager Tweak - Firefox Extension Guru's Blog
Samsung teams up with Mozilla to build browser engine for multicore machines - Ars Technica
Mozilla and Samsung team up to kill Chrome mobile - BetaNews
Newsfox: 1.0.8.4.2 - RSS reader Add-on for Firefox just got some updates. Release notes
Firefox Stub Installer on Beta Channel - Firefox Extension Guru's Blog. As The Guru points out, newer versions of Mozilla Beta/nightly releases download a small “stub” and than then downloads and installs the main binary sets over the wire. This does keep initial download sizes low, but also can wreak havoc on controlling custom deployments of some of these packages. Chrome does the same thing and they also “hide” their Chromium Dev download sources very well so now I have ended up dropping over to PortableApps.com: Google Chrome Portable/Additional Versions at SourceForge.net to snag and apply my portable Dev builds. Not impressed…especially now that Mozilla is rolling that direction as well. More info here on the Mozilla nightly stub-installer background if you are curious: Mozilla Adds Chrome-Like Downloader to Streamline Firefox Installs - TheNextWeb & Stub Installer in Firefox Nightly – Try it out, Give feedback, and Test it! - QMO – quality.mozilla.org
Firefox prefetching: what you need to know - Firefox Extension Guru's Blog - Great tweaking tips from The Guru.

…meanwhile over at the other hot-rod shop…

Google going its own way, forking WebKit rendering engine - Ars Technica
Blink: A rendering engine for the Chromium project - Chromium Blog
Does WebKit face a troubled future now that Google is gone? - Ars Technica
Blink - The Chromium Projects

Sadly, I remain terribly frustrated that Chrome developers just will not add a “sidebar” feature for bookmark management to Chrome like Mozilla has. This is a soapbox I just can’t seem to climb down from with Chrome. Again I say, if it were not for this one missing feature, I might jump to using Chrome/Chromium as my primary browser and relegate Firefox to the #2 slot.

The closest “solution” I have found are tree-style tab organizers…but the drawback of them is having to leave the tabs open. Something I don’t like doing.

Sigh.

Get A Tree Style View Of Chrome Tabs; Group & Hibernate Them - AddictiveTips blog.
Sidewise Tree Style Tabs - Chrome Web Store
Tabs Outliner: the ultimate Chrome tab management extension? - GHacks blog
Tabs Outliner - Chrome Web Store

Finally…it’s a bit older post, but I really found this post by Alex Limi very fascinating from a power user’s standpoint in using a browser. I don’t at all like the idea of removing control and configuration settings from access. That said, as a sysadmin, you can certain spend many frustrating hours troubleshooting a user’s web-experience problems before finding a buried browser setting that was causing the issue.

Checkboxes that kill your product — Alex Limi

Cheers,

--Claus Valca

Lindi Ortega - Guilty Musical Pleasure of the week

Discovered via Kent Newsom’s blog Newsome.Org

BTW…according to Lindi’s website, she will be performing locally July 2nd 2013 at McGoingel’s Mucky Duck.

I listen to almost every genre of music…from Gregorian chant, to classical, to Scandinavian metal-rock, and enjoy all things in between. My iPod/iPhone library is a real eclectic mess of material!

But for some reason Americana/Bluegrass seems to tickle my soul like nothing else lately.

Lavie and Alvis are amazed that my car radio has been lingering on the local country-music channel.

I don’t know what the big deal is….

News around the Water Cooler for Sysadmins

wkkl3lgn.m5w

via Wikimedia Commons via Zach Tirrell under CC 2.0 attribution

And here is some Sysadmin news and tips now collected over the past few weeks.

Sorry, but someone took all the paper cone water cups off the water cooler and is doling them out like party-hats so you need to find your own glass this week.

NEWS: It’s Patch Tuesday. (4/9/13) - Kurt Shintaku's Blog
INFO: Reference Library for Microsoft Downloadable eBooks - Kurt Shintaku's Blog
Copy in-use files from the command line - TinyApps blog. Lots and lots of great freeware and open-source tools!
Error installing Windows 7 - TinyApps blog…when using a Zalman (iodd-like) USB device…
Recent additions to File/Backup - TinyApps blog - some nice tiny tools for backup/sync operations.
FREE: WMI Administrative Tools - WMI Object Browser and WMI CIM Studio - 4sysops
FREE: SAPIEN Technologies WMI Explorer - 4sysops
FREE: MoW PowerShell WMI Browser - 4sysops
Antivirus programs tested for Windows 8 - The H Security
New on modern.IE: Free VM Downloads, Windows 8 QuickStart Kits, Enhanced Code-Scanning Tools, and More - IEBlog
Get the best RDP 8.0 experience when connecting to Windows 7: What you need to know - Remote Desktop Services (Terminal Services) Team Blog
Solving Windows Update error 80070003 - Ed Bott
Blue's Clues: Enabling Kiosk Mode - Within Windows
Blue’s Clues: Kiosk Mode - Windows 8 content from Paul Thurrott's SuperSite for Windows
Windows To Go – Some tips and an odd boot problem (error code: 0xc000000e) - 4sysops
Howto: Add a Digital Signature to a PDF File – Free Software - Didier Stevens

Cheers.

--Claus V.

Network fun and news

And here is a roundup of tips, news, tools and techniques in the world of networking…

Troy Hunt: The beginners guide to breaking website security with nothing more than a Pineapple - Troy Hunt - If you use or support WiFi stop what you are doing right now and read this. And be terrified. and then make sure you go back and audit/configure your WiFi router and browser and system as securely as you can. Crap. Now, where did I put those 50’ Cat-6 patch cords from Cables-to-Go?
Detecting TOR Communication in Network Traffic - NETRESEC Blog
NetFort Span Port Configurator (by Tony Fortunato) - LoveMyTool blog
ColaSoft nChronos Intro and Troubleshooting (by Tony Fortunato) - LoveMyTool blog
The Importance of Watching the Wire - Packet Life
NetConnectChoose - New NirSoft utility - Set the default Internet connection and view general connection information. More information in this NirBlog post - New utility to select the default Internet connection and to view Internet/network connection information
TcpLogView - New NirSoft utility - Creates TCP connections log. More information in this NirBlog post - New utility that displays TCP connections log
LDWin: Link Discovery for Windows - What the.....? blog - new Windows utility to discover link information for devices connected to devices that support the Link Layer Discovery Protocol (LLDP) as well as Cisco Discovery Protocol (CDP). Free! See also the developer’s super handy for troubleshooting tool WinCDP
How to install the loopback adapter in Windows 8 - 4sysops

Cheers.

--Claus V.

Flash/Java Updating

Unless you really do live under a rock, the past two weeks have been pretty full of news of Adobe Flash and Oracle Java update news.

Here you go for those under-ground dwellers.

Adobe updates Flash Player and AIR, announces future plans - Betanews
Adobe April 2013 Black Tuesday Overview - ISC Diary
New security protection, fixes for 39 exploitable bugs coming to Java - Ars Technica
How to protect your computer against dangerous Java Applets - Microsoft Malware Protection Center
Java 7 Update 21 is available - Watch for Behaviour Changes ! - ISC Diary
Java 8 release schedule delayed for renewed focus on security - ISC Diary
Java Downloads for All Operating Systems - Oracle. Right now sitting on 7.21
Adobe Flash Player Distribution - Adobe. Right now sitting on 11.7.700.169
Shockwave Player Distribution Downloads - Adobe. Right now sitting on 12.0.2r122
Archived Adobe AIR SDK version - Adobe. Right now sitting on 3.7.0.1530

All done and loaded up? Fire up this Qualys BrowserCheck page in each of your web-browsers and check to be sure.

--Claus V.