Saturday, June 20, 2015

FireCAT 2.0: What’s that hot kitty been up to?

I was reading with interest a recent post Turn Firefox into a Security Information Powerhouse at gHacks Tech News.

Martin Brinkmann did a very good job lining up a collection of Firefox extensions that most regular users might indeed find helpful in expanding user-security while browsing.

Please read Brinkmann’s full post for his take on the value of each extension and the feature set.

It’s a pretty good roundup and while I might not be too keen to load them all up in a web-browser, more than a few could be useful.

However, it seemed a bit thin to be used with the description “powerhouse” when it comes to security-related Add-on integration with Firefox.

See, this post jogged my memory cells and called me back to a GSD post from 2009 that introduced FireCAT to Mozilla’s browser.

Both of these tools brought me back to the excellent FireCAT 1.5 collection of Firefox add-ons used for security/network/pen-testing and other high-value activity in Firefox. FireCAT is maintained by Security Database Tools Watch. Check out this FireCAT 1.5 PDF for the full list and if you don’t want to pick-n-choose hop over to the lover-ly Firecat package for Firefox Files on SourceForge.net to get the whole collection at once. What surprises me is that no-one has yet submitted it as a Firefox Add-ons Collection. Looks like I may need to crank up a “standalone” profile of Firefox called FireCAT, install them all, then upload the collection like I did for my Claus Valca’s Extension List (Home). What think thee? Useful perhaps?

I did follow that post up with actually building a FireCAT 1.5 "Plus" Edition collection.

So after reading the gHacks post I got digging to see if FireCAT was still around and worthy of delivering a true security “powerhouse” for Firefox.

Turns out it was updated back in 2013.

FireCAT: Firefox Catalog of Auditing exTensions – version 2.0

There are now over 90 different security-focused extensions in the list covering areas such as information gathering, proxies, web page/code editors, network utilities, IT-security, and application auditing. Check out the catalog page for the list.

Besides the newer extensions since the previous version, the developers also worked towards melding FireCAT with OWASP Mantra.

Granted, this is a few years old, but could still form a good framework to bring forward for your own personal needs. I don’t (yet) know how many of the extensions are compatible with the newest Firefox build versions.

More:

Given that it’s been another two years since that publishing, I’m betting that FireCAT 2.0 could probably be updated to version 2.5 with even more extensions that have come out since.

BTW…would a Chrome/Chromium based version be called ChromeCAT or Cr(24)CAT? 

A customized portable version of Firefox (or Chrome) coupled with a bevy of FireCAT /CR(24)CAT extensions sounds like an incredible portable network toolkit. Now that is what I could call a browser-based security powerhouse.

I feel a new challenge coming on!

(This is why I struggle to get things done on the weekends around the house…)

Cheers!

--Claus Valca

Browsers, Browsers, Browsers!

I’ve been all over the place with web browsers lately.

Fussing at (and tweaking) Mozilla/Firefox

Base Jumping with Vivaldi snapshots

I continue to be impressed with where Vivaldi is going on their project.

And Polishing up the Chrome

Discovery of uBlock Origin was a super-duper find for me a few weeks ago.

I have always used Adblock Plus in my “public release” Firefox and Chromium browsers, though I did not in the Developer Mozilla build. I also layered in Ad Muncher at the system level.

So when I learned about uBlock I thought I would give it a try. I liked it so much that I’ve installed it in all my Mozilla browser builds and in my Chromium browser as well. Top shelf.

I also run NoScript in my Mozilla browsers, but didn’t in Chromium. Never thought I could find a product that could be its equal.

I’m a staunch defender of the use of ad/script-blocking tools in my web-browsers. Not so much against the ads (annoying as they can be) but rather as a perimeter defense against malvertising and zero-day attack campaigns. I follow these attacks time after time in the security blogs where trusted domain sites get nailed with malicious ad injections. Kind of like wearing your seatbelt while driving. It’s not that I myself am planning on being in an accident each time I get into the car to drive, but it comes from having a keen awareness that accidents occur when you least expect them and the seatbelt will provide a level of safety when it happens. (Well, and Texas law requires us to wear them too.) Anyway, hopefully the analogy stands.

Other security experts agree.

It was reading the comments in that SANS post that I then found the NoScript counterpart for Chrome/Chromium browsers:

Using ScriptSafe has been a bit of a learning curve adventure for me. Use of NoScript and fine-tuning the settings is second-nature now to me. However since I never used one in my Chromium browser, I am still scratching my head when pages don’t load as expected until I remember (again) that I have ScriptSafe now installed and have to tweak the domain/page rules to allow it to load properly but strip out the “unwanted” stuff.

The interfaces for making those choices (allow/block/etc.) are very different but as easy as they both are to use, I’m gradually liking the interface for ScriptSafe just a touch more. It is more user-friendly.

Regardless, I’m thrilled to now have two more tools to lock down the gates of my web-browsers with; uBlock and ScriptSafe.

Meanwhile the battle rages on for new ways to get ads past the blockers and deliver (in some malicious cases) their 3vil payloads.

Cheers,

--Claus Valca

Stop UAC screen blackouts or UAC dimming delays

Last weekend I got fed up with UAC.

I like UAC.

I haven’t disabled UAC.

However, when I would go and run certain apps or installers, UAC would kick in, my system would hang up for an unbearable 5-seconds or so. The screen would turn black/dim. Then about 5-10 seconds later I would get my security prompt to allow the action I wanted to take to be confirmed.

It wasn’t so much the dimming of the screen, but the amount of time (as insignificant as it is) to go through the process was frustrating me.

I realized I didn’t encounter this issue at work where UAC also is enabled…the screen didn’t go dim. That was the difference and the responsiveness was so much better.

So I found this tip over at the How-To Geek blog.

Make User Account Control (UAC) Stop Blacking Out the Screen in Windows 7 or Vista 

It took just a few seconds to dial down the UAC behavior and I was rolling so much faster, but still had the same level of protection as before; and my systems don’t “feel” like they are locking up when UAC triggers.


Whew.

So if you are an advanced Windows user and practice good security hygiene on your system, AND if you are experiencing system performance issues when desktop screen dimming occurs with UAC, consider dialing back UAC to this setting. I find it to be a good balance.
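A quick way to confirm which UAC slider position a machine is actually on, added here as an example and not part of the original post or the How-To Geek tip. It assumes the setting referred to above is the "do not dim my desktop" slider position; the function names `Get-PolicyValue` and `Get-UacLevel` are hypothetical, and the registry values it reads are the standard UAC policy values.

```powershell
# Added example: map the UAC policy values in the registry to the four
# slider positions shown in the Windows 7+ User Account Control settings.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read one DWORD policy value; fall back to the Windows default if absent.
function Get-PolicyValue {
    param([string]$Name, [int]$Default)
    $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return $Default }
    return [int]$v
}

# Translate the three values into a slider position (hypothetical helper).
function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentAdmin, [int]$SecureDesktop)
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    switch ("$ConsentAdmin/$SecureDesktop") {
        '2/1'   { return 'Always notify (desktop dimmed)' }
        '5/1'   { return 'Default: notify on program changes (desktop dimmed)' }
        '5/0'   { return 'Notify on program changes, do not dim the desktop' }
        '0/0'   { return 'Never notify' }
        default { return "Custom policy ($ConsentAdmin/$SecureDesktop)" }
    }
}

$lua     = Get-PolicyValue -Name 'EnableLUA'                  -Default 1
$consent = Get-PolicyValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
$secure  = Get-PolicyValue -Name 'PromptOnSecureDesktop'      -Default 1

[pscustomobject]@{
    EnableLUA                  = $lua
    ConsentPromptBehaviorAdmin = $consent
    # 1 = prompt is drawn on the isolated secure desktop (the dimmed screen);
    # 0 = prompt is drawn on the normal interactive desktop.
    PromptOnSecureDesktop      = $secure
    SliderPosition             = Get-UacLevel -EnableLUA $lua -ConsentAdmin $consent -SecureDesktop $secure
}
```

Reading these values does not require elevation, so the check can be run from a normal PowerShell prompt.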

Cheers,

--Claus Valca

Another Exploit Protection Option: HitmanPro.Alert

I take a layered approach to my personal Windows systems; defense in depth.

With beefy i5-i7 cores and lots of system RAM, strategically running multiple (complementary) security products has been fine so far.

One of the more “recent” sets of layers added has been deployment of zero-day “anti-exploit” tools that monitor system activity and application behavior, particularly at the web-browser applications.

Malwarebytes Anti-Exploit (free version) seems to be doing quite a good job.

I couple that with Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Although, on Lavie’s Windows 8.1 system I had to disable the IE browser protection (or heavily tweak it) to get it to play nicely with MAE.

So, while I was combing through my RSS feeds recently, I saw a mention in a HitmanPro blog posting that referenced another anti-exploit tool; HitmanPro.Alert.

The information on the SurfRight product page for HitmanPro.Alert gives a very good overview of the different exploit protections HitmanPro.Alert provides. They “handily” compare their product to four other products: general AV, MBAE, EMET, and Palo Alto Networks’ Traps.

Unfortunately, while they do provide a free download link, it isn’t exactly clear that this is a trial version.

I installed it on my workhorse Win 7 x64 bit system “Alister” and it went on quick. The interface was easy to navigate (and I liked the Advanced view option). It began with a scan that found a gajillion threats out of the box on my system. Sadly they were but a sample of the security, network scanning, and account recovery tools and utilities I keep handy. No true “threats” were actually found--which is a good thing I suppose. I’m sure I could have whitelisted apps, folders, etc. to cut down on these. It was great that it found so much so quickly, but on my system, this extra layer of AV protection was a bit more than I expected or needed from an anti-exploit product; EMET, MBAE, MBAM, MSSE, & CryptoPrevent have me heavily covered.

I couldn’t find a purchase option for HitmanPro.Alert by itself. Rather it seems that you can purchase it as part of a licensing bundle with their HitmanPro subscription license.

That said, if you are looking to up your game for exploit protection and don’t wish to fiddle with the advanced management required by EMET, HitmanPro.Alert may be worth considering. It also seems to provide additional protections beyond both the free and premium ($) versions of MBAE.

Cheers,

--Claus Valca

Innounp Update Tip (updated)

Update to the GSD: Innounp Update Tip back from 2012

I use Universal Extractor from LegRoom.net pretty often to tear open setup packages of software.
There are lots of install packages that use 7-ZIP formats, quite a few MSI based installers, primarily from Microsoft, but more often than not, many packages are wrapped by Inno Setup.

Universal Extractor hasn’t been updated for quite some time. And in many cases, if you stick with the default package, you will encounter an Inno-packed set that it can’t open up.

Luckily, because there are so many supported formats Jared Breland has packed in there, it generally is pretty easy to figure out what component you need to update, check that source location, and swap the older one out with a newer one.

Accordingly, I keep a very close eye over at innounp so I can always have the newest version of an Inno unpacker tucked into my Universal Extractor.

Current version of Innounp is 0.42 supporting Inno Setup versions 2.0.7 through 5.5.5.

Cheers.

--Claus V.

Sunday, June 14, 2015

GSD Hurricane Tracking Links – 2015 edition

CC attribution: by "An Honorable German" (Charles McCain) on flickr.

The last several years have been really quiet on the tropical storm front here on the Texas Gulf coast. So I ended up skipping a GSD Hurricane Tracking Links page update in 2013 & 2014.

And like in 2012, we again begin to turn our attention out into the Gulf waters and begin our monitoring of tropical development Invest 91L.  So here we go just like back in 2012’s drill. Fire up the engines, check and re-check the GSD hurricane linkages, and get this post into the skies.

Refresh your bookmarks!

Gulf Coast Watch List

Here is the updated list of hurricane links I am watching at home and work. Not a whole lot of changes this year, but some URLs have changed and some sites have gone dark.

Listed in order of my current personal preference…

Google Earth – Google Earth has taken 1st place in the list this season. (You may not be aware but you can now get the “Google Earth Pro” for free!) But to harness the power of tropical storm tracking in Google Earth, you must first install the wicked-awesome Google Earth Network Link For Entire Basin (direct download link) KMZ files provided by the Tropical Atlantic website and you are ready for some major storm-path modeling. When a storm comes, you can also go to the specific storm page and download/use the KMZ files for just that storm as well. Once you download the file, be sure to save it “permanently” in your Google Earth preferences so it will be available and “updatable” with the latest data when needed. Lay in some of the FEMA flood hazard layers for more usefulness. Finally, supplement it some more with tools from these Google Earth Blog links: Storm Tracking With Google Earth & More tools to help track Hurricane Irene that has a link to the Live Hurricane Hunter Missions.

WunderMap® - Interactive Weather Map and Radar via the Weather Underground. It still surprises me that so many of my coworkers, family and friends still don’t know about this site. The radar data seems very close to “real-time” where other radar sites have a 5-10 min lag time. The main page shows you your area weather typically with weather stations and radar showing. However if you go to the side bar, you can add a ton of more weather data and projections. For my purposes in this context, I generally remove the “weather stations” overlay, add the “Severe Weather” overlay, sometimes the “Tornado” overlay also. Then you can add the “Tropical” layer and check (as needed) the “Hurricanes”, “Sea Surface Temps” overlay, the “Storm Surge” overlay, and (hopefully not required) the “Evacuations Routes” overlay. If you aren’t careful you can get a big overload of stuff on your screen! Each of those layers has its own settings to fiddle with. For the “Hurricane” overlay, you can look at the wind radius, the cone of uncertainty, the forecast, the past track observations, hurricane hunter observations, and computer model tracks. THEN, you can also go down to the “Model Data” layer and pick different models, map-types to your heart’s desire, and model-runs. Finally, you can run a forecast projection loop. How awesome is this!

SciGuy “Weather” & SciGuy “Hurricanes” category blogs - Chron.com’s Eric Berger - It’s probably not a good idea to attempt to interpret all these charts and data on your own to make life-impacting decisions as a hurricane bears down on you. Fortunately, Eric continues to faithfully provide Houstonians and neighbors beyond his outstanding details, no-nonsense, no hyperbole commentary, live chat-sessions, and analysis of all science and prognostication tropical. Highly recommended as a filter of reason and temperance in a media-market filled with over-hype, smashing graphics, and fear-factor extremes. Besides that, you can count on Eric to provide great meteorological linkage to excellent source material like this GFS global model or this European model. It’s a must-follow/must-RSS feed blog for all Texas Gulf Coast residents. Period. (see also Jeff Masters’ Wunder Blog : Weather Underground).

Moreweather.com -- Tropical Atlantic Weather Page - T-Storm Terry Faber has created a great hurricane system page here. Not only does it have lots of links to any active systems, but it also contains links to radar and satellite images, many in great details and high resolution. The hurricane tracking maps and projections are there, of course. T-Storm Terry also provides links to other sources of information as well as historical data on previous storm systems.

Tropical Atlantic: NHC Model Data for Tropical Storms – TropicalAtlantic – For folks who need to have more than one storm-track model. Look at the top of the page to select any current storms. Then you can select either the “in-browser” Google Maps mash-up or the Google Earth KMZ builds. Additional NOAA summary of storm-track models. Also, Tropical Atlantic: Information About Atlantic Hurricanes – main-page.

National Hurricane Center - Website maintained by the National Weather Service. Lots more linkage on the sidebar for hurricane related topics and preparations. The main page has links to a number of graphics and advisories.

(NHC's) Atlantic Graphical Tropical Weather Outlook - A sub-page of the site listed above. This is pretty cool. Any current tropical systems are overlaid on a satellite image with an icon. Hovering over the icon pulls up a quick update view. Clicking on the update popup then takes you to the system's detailed page.

Tropical Weather : Weather Underground - This is a fantastic site that has the widest range of linkages, maps, images, models, and everything. Just about the only thing it doesn't provide is winds blown into your face through the monitor. Which is why I put this at the bottom and not the top: there is just so much information it overwhelms.

Tropical Cyclone Guidance Project | Real-Time Guidance - NCAR Research Applications Laboratory - “The real-time guidance system generates an individual page for each active storm in the North Atlantic, Northeast Pacific, and North Central Pacific basins. Each individual storm page features the latest plots of model guidance and intensity forecast aids for that storm, as well as other diagnostic and observational information.” Drill down into great plot track guidance models.

Oklahoma Weather Lab | Hoot - Models: GFS Model Upper-Level Wind 850mb provided us great forecast models of the high/low pressure zones and ridges leading up to Ike’s eventual landfall and really helped us understand the forces driving its path.

WeatherBELL Models - Amazing collection of high-quality weather models and data. Until you get focused, you can easily get lost for hours in the charts, visual model animated “loops”. My head is spinning and I’m afraid I will start to be dreaming in whirls of colors! There are both subscription and free map data on the page. Look for the links under “freely available” such as this “HRRR 3-km Simulated Radar” 15-hr Animated GIF loop projection.

Skeetobite Weather - Charts and data site. Good stuff here with nice clean graphs, graphs, and data linkage.

Hurricane and Storm Tracking - Terrapin's site remains a dear favorite. It is lean and simple and allows for quick location of information without lots of graphic overkill. The storm-track plots come in two flavors, a simple historical and future projection track that is static as well as a java-based animated one. Loads fast and updated as new forecasts are posted.

Atlantic and Caribbean Tropical Satellite Imagery - Satellite Services Division / Office of Satellite Data Processing and Distribution and Gulf of Mexico Imagery - Satellite Services Division / Office of Satellite Data Processing and Distribution from the NOAA.  Special thanks to GSD frequent commentator “Bozo” for sharing this great source of satellite images from NOAA with me.

Experimental forecast Tropical Cyclone Genesis Potential Fields - Department of Earth, Ocean, and Atmospheric Science, Florida State University - Great supplemental animated and static image data on a lot of key tropical weather-related information points.

National Weather Service - another top-level landing point to drill down deeper into forecast maps, radar imagery, etc.

National Weather Service Doppler Radar Images - link to various NWS/DoD Radar sites. Select your focus then add additional details and information via the bottom control bar as well as run loops from the left control bar.

Tropical Cyclone Heat Potential Page: Global Fields - Select your basin map field on the left (such as the Gulf of Mexico). Put very simply, understanding what the water temperatures are and combining them with storm-track information might help one forecast potential intensification/intensity of a tropical storm. Of course lots of other factors play into the mix as well…

Gulf of Mexico AVN Color Imagery – NOAA Satellite Services Division - nice radar loop imagery with options to add additional data markers to the base image. (Provided by the NOAA Satellite and Information Service/NESDIS) (AVN=Aviation)

Satellite Analysis Branch Tropical Homepage – NOAA Satellite Products and Services Division – Stuff at the top but scroll down and get some additional product data views. I like the MTCSWA to show mid-level wind analysis.

Gulf of Mexico Visible Imagery - Satellite Services Division - nice visible satellite loop imagery with options to add additional data markers to the base image. (Provided by the NOAA Satellite and Information Service/NESDIS)

Latest Satellite Imagery - NOAA site that has links to a large number of additional satellite imagery. Neat stuff, for example this GOES Floater Imagery with Java, Flash, and GIF loops

READY - Forecast Model Animations – NOAA forecast model animation loops. Good place to grab some projection GIFS for forecasting.

NEXSAT, NRL/JPSS Next Generation Weather Satellite Demonstration Project - Super-duper cool satellite images and loops. Again drill in to get to the NEXSAT area of interest (such as the Gulf of Mexico), then use the controls above and to the left as needed to tweak your views.

NCEP Central Operations - National Weather Service link - Pick the option you want under the topics or side bar and drill down.

Weather & Climate Data - COLA - Additional links for current conditional analysis, forecasts, climate outlooks and hurricane intensity models.

Galveston Bay Operational Forecast System (NGOFS-Galveston Bay) - NOAA Tides and Currents for the Galveston Bay area - super neat tidal and water level information useful for those who dwell on the rim of Galveston Bay. Also reports wind and current data with animated loop views available.

Northern Gulf of Mexico Operational Forecast System (NGOFS) - NOAA Tides and Currents for the wider upper Gulf of Mexico coastal areas.

Texas Storm Surge Models - Wunderground - For additional storm surge inundation maps for US coastlines, see this page Storm surge imagery for the U.S. coast | Weather Underground

U.S. NEXRAD and TDWR Radar Stations - Wunderground - I’m linking to the main map from which specific radar stations can be chosen depending on your area of attention; though the Houston Hobby and Houston-Galveston interest me the most. The radar images have lots of cool tweaks you can perform on them so spend some time getting to know them!

Stormpulse / Hurricane tracking, mapping - Stormpulse is now a subscription-based access site. They remain providing a “live” mini-display view on their home page that contains a light amount of the imagery and tracking projections that we all used to love. If you are desperate and pine for the days of Stormpulse of old, then hop over there and just zoom up your browser window display size to your heart’s content.

Local Winds

For local Houston area facts and updates, most of the local news stations have their web-sites powered up.

Even More Weather

I have found these additional links pretty cool:

Road Kill

Again as it bears repeating, you just don’t want to be caught off guard when one of these comes knocking

--Claus V.

Tuesday, May 26, 2015

Browser News: Firefox and Vivaldi (Damp Edition)

From yesterday afternoon though early this morning, the Houston metro area was inundated with rains causing extensive flooding. Highways, bayous, side-streets all have become waterways. Kayaks are more useful right now than cars.

Telework is a good thing for your staff. Just saying.

So while we wait for the waters to recede here are some links touching on Firefox and Vivaldi web browser developments.

Mozilla Firefox

Is it just me or does it seem that there are more and more tweaks needed to remove/disable “features” being added to Firefox? I remember the good-old-days when Mozilla Firefox was the browser to go to for a lean-mean no-bloatware featured product. That’s why the “add-on/extension” platform was so exciting. If you wanted to add features, you decided what you wanted and added it! No more it seems. Sigh.

Vivaldi

I’m spending more time settling into Vivaldi. It still runs #4 (behind Firefox, Chromium, and IE 11) as a go-to browser for me. That said if development continues at this pace, it might just get swapped with my Chromium build.

The inclusion of a “true” bookmark side-bar feature is the biggest factor attracting me to Vivaldi. If you have been a hard-core Firefox user and depend on the bookmark side-bar in Firefox, the lack of a corresponding feature in Chrome/Chromium is a real hassle to swapping.

If you haven’t checked out the Vivaldi web-browser project yet, I encourage you to do so. It is still in a Technical Preview/snapshot state but so far it has been very stable for me. I wouldn’t use it with any high-security (banking/bill-pay/shopping) sites due to its current build state, but for general web-surfing and meme-following, it is very smooth and dependable.

Cheers,

Claus Valca.