Saturday, September 20, 2014

Windows 9 quick-bits

I posted a ton of links leading up to Windows 8 release.

In fact I still have a bunch of out-dated, un-posted links for Windows 8/8.1 that are languishing.

So it is with reservation that I offer these quick Windows 9 links…

Again, I really, really like the kernel core of Windows 8/8.1 compared to my lovely Windows 7.

Lavie has adjusted to life in Windows 8/8.1 and almost never complains any longer.

I love and have my Windows 7 primary system all dialed in just the way I like it and since a Windows 8 upgrade would come at a upgrade expense ($-$$) I cannot find a way to justify the jump.

But, if Microsoft does a good job on Windows 9 and also if rumors are true that it will be offered as a free OS upgrade for Win 7/8 users, then I might just make the jump from Windows 7 to Windows 9.

From Mary Jo Foley’s ZDNet article post:

“The Microsoft OS team is hoping to get as many Windows 7 users moved to Windows 7 Service Pack 1 and Windows 8 users to Windows 8.1 Update in preparation for (hopefully) getting them to move to Threshold once it is out. It's still early in the Windows development cycle for Microsoft to have decided on packaging, pricing and distribution, but my sources say, at this point, that Windows Threshold is looking like it could be free to all Windows 8.1 Update, and maybe even Windows 7 Service Pack 1, users.”

So I will be excitedly looking forward to the Windows 9 technical previews.


--Claus Valca

Mitigating Recent Firefox and ABE Annoyances

Last weekend I went on and on about recent changes to Firefox that included some “safebrowsing” features and particularly how it seemed to be getting in the way of downloading some binaries from NirSoft (as an example).

This week I saw notice from the Firefox Extension Guru that a minor update was released.

I’m always looking to keep my web browsers current on their patching for security reasons, but I was also curious if it would address the crazy behavior I blogged about.

Sure enough, once the update was applied and Firefox rebooted, I could now download the particular PasswordFox zip file without any more blocking/malware messages.

I checked the Firefox Release Notes (32.0.2) carefully but didn’t seem to find any reference to safebrowsing. I also checked my about:config and did NOT find the “browser.safebrowsing.appRepURL” key present either.  So the current possibilities stand thusly,

  • The 32.0.2 update fixed something that wasn’t documented in the release notes.
  • Something on Nir Sofer's side/site changed to allow the download/site to be seen as legit, or
  • Something changed in Google’s Safe Browsing application reputation database that now allowed Nir Sofer's site and/or some apps to now be considered legit/safe, or
  • Magic.

I really can’t weigh any one as more probable than the other and I’m really leaning towards the last one as Lavie and I are re-reading the Harry Potter books again together.

Honestly Annoying ABE

Another annoyance I have been struggling with recently is NoScript Security Suite Add-On for Firefox. Overall I love it and use it to help protect my system during web-browsing since I haven’t quite yet felt brave enough to install and use Malwarebytes Anti-Exploit on my “production” system though the recent v1.04.1.1012 release seems to be working much better than the previous version.

(FYI on my Win 7 test-bench VM system Malwarebytes AE is coupled with The Enhanced Mitigation Experience Toolkit (EMET 5.0), GlassWire firewall, and AVG Free Antivirus 2015 and all four seem to play well with each other.)

I think I am generally a pretty savvy NoScript user but recently (arising in the past 2-3 weeks?), hyperlink jumps from either Google search results or The Portable Freeware Collection to NirSoft domain pages have met with a NoScript ABE block. That’s been very annoying.

Mozilla Firefox_ABE

I’ve been able to work around them by either temporarily disabling ABE inside NoScript, or copying the URL to NirSoft and then opening a new tab and pasting the link in and going manually. Neither is great and sometimes I even got an ABE rule block when downloading a NirSoft zip file from the product page.

I shot an email to the NoScript developer but haven’t heard back. I could have dropped some feedback in the forums but it wasn’t that big a deal.

This morning I did a bunch more research and experimentation with custom ABE rule sets and cobbled together something that allows the hyperlink jumps to NirSoft from The Portable Freeware Collection site to not trigger an ABE alert/block rule; and as a bonus, allow the link jumps to NirSoft in Google to work as well.

Now, I’m still not 100% sure what these changes are doing, so I might be making things tons worse (browser security-wise) than not having anything at all, but I’m putting it out there as a starting point and for discussion if any ABE rule pros want to chime in and help me improve it:

The default “System” Ruleset in ABE is something like this:

# Prevent Internet sites from requesting LAN resources.
Accept from LOCAL

The default “USER” Ruleset is effectively blank.

# User-defined rules. Feel free to experiment here.

I tried a combination of ruleset options under both User or System but this was the one I cobbled together under “System” that got things unjammed. I did add the (redundant) commenting just because I may forget what I meant to do later. It’s ugly and probably fundamentally flawed at protecting the system just to get hyperlinks to NirSoft domain working from other sites, but it’s a noobie’s start.

# Prevent Internet sites from requesting LAN resources.

Accept from LOCAL

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
# And strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains,

Accept POST SUB from SELF
Accept GET

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
# And strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains,

Accept POST SUB from SELF
Accept GET


As I understand from the documentation, the rule(s) are read from the top down. I’ve also added some line breaks just to keep it more legible.  Putting “Deny” after each rule-set caused it to stop working and it would again just block hyperlink jumps to NirSoft domain.

Putting the “extras” under “User” didn’t work either.

And here is the pile of link references I read through to come up with the above.

Comments and (gently) recommended corrections/refinements are welcome and appreciated!


--Claus Valca

Upgrading to iOS 8 (the long way ‘round)

Unless you totally are not into the Apple scene you may have heard that

Lavie’s 8GB iPhone 4 is getting very sad and tired and she is itchy to upgrade. I think the best deal for her (now out of her 2 year contract) would be to get either a 16 GB iPhone 5s or 5c. I’m leaning to the 5s myself even though it will be more expensive. However her thrifty-ness surprises me sometimes so she might be OK with the 5c.  She is not a power-user of apps or streaming so from a hardware perspective either should be more than adequate after the 4 she has now.

Last night I went ahead and decided to upgrade my 4th gen iPad Retina to iOS 8.  What should have been a quick process went super bad super fast.

It’s a 32 GB model but I have it jammed packed with videos (mostly sysadmin/training videos) and PDF whitepapers of for/sec/admin-related topics to read when I’m between activities.

As such I had < 5 GB of free space so I couldn’t do a WiFi only iOS update. But if you do the upgrade from iTunes you don’t need to have free space on your device.

Mistake #1: Not confirming/taking a backup.

Mistake #2: Plugging the device in to a powered USB hub rather than directly on my system.

I plugged the iPad into a brand-name USB powered hub extender and the iPad was detected ok.

I mis-read the initial prompt about do I want to backup some apps that were on the iPad and not my iTunes and said “no”.  Bad decision.

The update downloaded and began to apply.

As part of the process the iPad rebooted but it would not reconnect automatically to the USB port, which caused the iTunes update to fail.

I repeated again and more fails and each time I retried it said I had to do a device Restore. Yikes!

Finally after hunting down error codes and update failures I switched the cable over to a USB port directly on my laptop.  I did a hard-reset of the device and then the iOS 8 upgrade went on. Yea!

Only it was a (mostly) factory restore.  Somehow, some backup items were found from an older backup (or maybe the device itself?) and restored.

I had to put all my music library, videos, photos, and videos specific to my VLC app library back on manually; a few apps that I hadn’t downloaded to iTunes also had to be restored/reinstalled. That took a very long time. Luckily all my (considerable) ebooks and whitepaper PDFs stored in Adobe Reader and Documents apps were all present and accounted for.

It took a long time (4-5 hours!) for the whole process before I was chilling again on the couch with the iPad but I finally got it tweaked back to the way it was before.  I’m wondering what I haven’t found missing yet because after the upgrade and auto/manual rebuild, I’ve now got around 10 GB of free space.

So this Saturday morning I’ve been busy doing manual iTunes updates (we don’t back up to iCloud) of both our iPhones as well.

I’m not in much hurry to upgrade my iPhone 5 just yet after that iPad update drama and Lavie’s iPhone 4 doesn’t qualify for the iOS 8.

I also figured out how to review and delete a bunch of old iTunes backups to clean house:

The other big headache after the upgrade and restoration was coming to terms with all the new features and setting changes brought by 8.  I had a ton of re-tweaking deep in the Settings to do to ensure it was set to my comfort levels.

Here is a list of iOS 8 items you may want to review before/after you do your iOS 8 journey. Many of these tips and suggestions have been super-helpful to me.


--Claus Valca

Sunday, September 14, 2014

Tools, News and Linkage for the Sysadmins


I’m nearing the end (finally) of clearing out my “to-be-posted” bookmark piles.

What a journey (and long weekend wedded to my desk).

Here is a final collection of linkage with all kings of bric-a-brac.

The Administrator of Things (AoT) – A Side Effect of Smartification - Security Intelligence Blog at Trend Micro - I really get this. All too often I get calls from family and friends asking for advice on the latest technology gadget and what to do. It’s not just enough to buy it and deploy it. Consider a “simple” home router. Sure, I can give you a recommendation, and even set the thing up initially. But what about the long-term support? Firmware updates? Configuration changes when your home-network needs change? What? Lost the WiFi password and it’s the holiday and your relatives are visiting with their new WiFi devices and want to hook in? What’s the password? What’s the risk?!

In the Valca home proper we have BluRay players that need constant firmware updating to playback the newest disks, two “active” Windows laptops, a network-enabled printer, iPhones (x2), an iPad, a 1st gen Kindle and another Kindle fire eReader device. I’ve also got an older laptop and small-form factor PC that I am trying to decide what to do with for “projects”. Yep. Router, switches, as well all reside here.

I’m a tech-savvy person and if I’m not careful, management and maintenance of these devices alone can take up a full month’s of work; wash-rinse-repeat!

How about the non-tech users out there who may or may not have friends or family to help them with?

These devices may get smarter and easier to manage, or they will just go unsupported/unpatched, or maybe new businesses will spring up to meet the consumer device management needs.

Time will tell. I agree that we may just not have SysAdmins but also specialized AoT’s in the present and future.

Updates: Handle v4.0. Procdump v7.01, Procexp v16.04, Regjump v1.02, Autoruns v12.03 - Sysinternals Site Discussion blog

The Case of the App Install Recorder - Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog - SysAdmins! Stop right now. Drop over to that post. Bookmark it and snag the ZIP file of resources. It’s a super-effective way to capture app install events (and with some imagination other events as well). Older (but helpful) video-demo of it in action at Defrag Tools: #81 via Channel 9.

Case of the 8 Minute Windows 8.1 First Logon - chentiangemalc

Case of the Windows 8.1 Audio Glitches - chentiangemalc

Case of the 30 minute Windows 7 Logon - chentiangemalc

All those posts are awesome diagnostic analysis exercises tracking down buggy Windows behavior. They show skilled use of the Windows Performance Recorder from the Windows 8.1 ADK.  If you are curious, I have some related Windows Performance Analysis Toolkit (WPT) linkage on this GSD post Case of the Unexplained Donut of Death.

Weekend Scripter: The WMI Explorer Tool - Hey, Scripting Guy! Blog - The Scripting Guys point to a very exciting WMI tool WMI Explorer. It seems to really expand WMI information lookups.

Analysis of Chinese MITM on Google - NETRESEC Blog - Amazingly detailed post exploring a MITM attack.

NetAdapter Repair All In One - - Advanced network utility that runs from a single EXE file. Requires Admin rights on Windows systems to do most functions. Spotted via this BetaNews article: Troubleshoot network problems with NetAdapter Repair All in One.

WinAudit - CodePlex project page - Recently got an update in June to version 3.0.8 for the interested.

Malwarebytes Anti-Exploit - Free Zero-Day Exploit Protection - Looks like it got bumped to if this is your thing. I’ve not loaded it up yet on my VM where I am experimenting with it. I’ll post an update to see if it fixes some behavior issues I’ve noticed with IE 12. Nor have I had a chance yet to deploy and test GlassWire just yet.

I seem to have a massive iTunes cover art issue!  While most of my track cover-art is correct, much of it is not and I don’t know what happened!  Albums generally are OK but single tracks often pull cover art from entirely unrelated tracks. Strange!  So I’m eager to see if this tip Batch download and embed album cover art from blog can fix things up; two options are presented.

Aside from apparent safe-browsing changes in Firefox 31/32 releases, there have been other more subtle UI changes as well.  The Firefox Extension Guru has some of these covered!

SigcheckGUI - Skwire Empire - Free GUI extension to the command-line SigCheck tool from Sysinternals. Spotted via

USB Image Tool - alex’s coding playground - This “critical” app (to me) creates/restores images of USB drives. Version 1.67 was released based on .NET 4.0 and added some really nice extras. However something with the .NET 4.0 broke the program operation on XP systems so the latest is Version 1.68 that restores .NET 3.5 use to ensure XP compatibility. I suppose if you aren’t running it on XP systems and want to use the .NET 4.0 supported version you could, but you would have had to download it already when first released as it isn’t offered on the previous version links.

Google Software Removal Tool "Beta" - Google - This was a new find yesterday! What does it do? Well, it seems to be a tool offered by Google that scans a system and removes software that has modified the Google Chrome browser functionality/settings.

To be clear, not only does it do a Chrome browser setting factory “reset”, but it will also remove “programs” installed on the Windows system that could negatively (in Google’s evaluation) impact the Chrome browser operation. 

According to the gHacks link below, this tool does not require installation. Download, run, review the findings, and take action accordingly.

It also doesn’t support Chromium and other Chromium-based browsers, just Chrome browser proper.

More references to Google Software Removal Tool

Might be worth keeping it in the toolbox, just in case.

Unfortunately, a listing of the apps Google considers harmful to their Chrome browser isn’t presently offered for review.


--Claus Valca

Mega malware-focused link-dump


Now we arrive at the malware-focused link-bin.  This one seems a bit all over the road despite my best efforts at categorizing them a bit.


--Claus Valca

Mega ForSec link-dump - Mostly Musings and Considerations

The previous post were technical links.

This next collection also goes back a few months, and it covers most-excellent white-papers, musings, and other perspectives in ForSec and incident response handling.

Brainwashed by The Cult of the Quick - TaoSecurity

Linkz for SIEM - Journey Into Incident Response - Corey Harrell goes into great detail on security information and event management (SIEM).

SIEM Use Case Implementation Mind Map - Journey Into Incident Response - an expansion on the above post.

Where's the IR in DFIR Training? - Journey Into Incident Response - Corey Harrell touches on a subject I continually struggle and get frustrated with. It seems that so much of what I personally see (from my admittedly limited “sysadmin” perspective) is reactive response; something tripped an alert rule, it matches some pattern descriptions, instructions are received to drop everything and go wipe and reload it! It leaves me wondering about where the role of post-incident response activities should come in organizationally; such as evaluating what happened, what was the impact, is this event part of a larger trend, and what can we learn? I really gobbled down this post and the lively follow-on discussion in the post comments.

A guide to leading and motivating highly driven professionals - (PDF link) - SANS Institute Reading Room whitepaper by George Khalil.

Practical Threat Management and Incident Response for the Small- to Medium-Sized Enterprises - (PDF link) - SANS Institute Reading Room whitepaper by Jacob Williams.

Implementing an Information Assurance Awareness Program: A case study for the Twenty Critical Security Controls at Consulting Firm X for IT Personnel - (PDF link) - SANS Institute Reading Room whitepaper by John Dittmer.

Under Threat or Compromise - Every Detail Counts - (PDF link) - SANS Institute Reading Room whitepaper by Jake Williams.

Case Study: Critical Controls that Could Have Prevented Target Breach - (PDF link) - SANS Institute Reading Room whitepaper by Teri Radichel.

Incident Response in a Microsoft SQL Server Environment - (PDF link) - SANS Institute Reading Room whitepaper by Juan M. Walker.

(IN)SECURE Magazine - ISSUE 42 (June 2014) - (PDF link here) - articles include control/privacy discussion, “Incident response and failure of the ‘Just Fix It’ attitude” written by Mike Horn, and “Are you ready for the day when prevention fails?” written by Tom Cross which is another good IR-focused article.

Browser Fingerprinting and the Online-Tracking Arms Race - IEEE Spectrum - Not from your typical ForSec source, IEEE Spectrum looks into browser tracking beyond the stale cookie objects. Lessons for the ForSec community?

Incident Response with Triage-ir - SANS Diary post

USB firmware: An upcoming threat for home and enterprise users - Microsoft Malware Protection Center blog

Security of Password Managers - Schneier on Security- great post with links to some supporting whitepapers on the subject.

So on that last article, here’s a question for those still reading…what (Windows-based) options are available if password manager software is not approved in your organization? Seriously. How could one manage (and/or securely store) lots of credentials/strong-passwords on a “stock” Windows system?  The easiest solution is to stretch that grey matter and just memorize them; a modern twist perhaps to the great oral storytelling traditions of Homer and the bards that followed? Writing them down seems like an anathema. And then there is the challenge of “manually” generating strong/complex and/or random passwords that many password managers can assist with. Bother. (This was interesting: XKPasswd - Secure Memorable Passwords). Thoughts or suggestions?

Stay sharp my friend!

--Claus Valca

Mega ForSec link-dump - Mostly Technical Stuff

My cup runneth over with technical ForSec blog posts! Some of these reach back a ways…


--Claus Valca