Sunday, March 09, 2014

Security Watch Quickpost

Last but not least, here is a roundup of interesting for/sec posts.

Hiding in plain sight: a story about a sneaky banking Trojan - Malwarebytes Unpacked

Sunsets and Cats Can Be Hazardous to Your Online Bank Account - Security Intelligence Blog | Trend Micro

Tools for Analyzing Static Properties of Suspicious Files on Windows - SANS Digital Forensics and Incident Response Blog

Is OllyDbg Version 2 Ready for Malware Analysis? - SANS Digital Forensics and Incident Response Blog

(IN)SECURE Magazine issue 41 released - HelpNet Security blog

More Tracking User Activity via the Registry - Windows Incident Response blog

Reconstructing Data Structures - Windows Incident Response blog

Exploring Windows Error Reporting - Journey Into Incident Response

Windows 8 Prefetch 101 - Invoke-IR | PowerShell Incident Response blog

Beyond good ol’ Run key, Part 8 - Hexacorn Blog

Post-Snowden Forensics - Forensic Methods

Repurposing Network Tools to Inspect File Systems - repurposing-network-tools-inspect-file-systems-34517 (PDF file link) - SANS Reading Room whitepaper. Very interesting thinking.

Pineappling all the things in Utah - Troy Hunt’s blog

--Claus Valca

Boot Me: LiveCD’s/WinPE/WinFE and other things…

Quick-post for the offline system booting and LiveCD/USB-booting crowd.

“One of our goals when developing Kali Linux was to provide multiple metapackages that would allow us to easily install subsets of tools based on their particular needs. Until recently, we only had a handful of these meta packages but we have since expanded the metapackage list to include far more options:

  • kali-linux
  • kali-linux-all
  • kali-linux-forensic
  • kali-linux-full
  • kali-linux-gpu
  • kali-linux-pwtools
  • kali-linux-rfid
  • kali-linux-sdr
  • kali-linux-top10
  • kali-linux-voip
  • kali-linux-web
  • kali-linux-wireless

“These metapackages allow for easy installation of certain tools in a specific field, or alternatively, for the installation of a full Kali suite.”


--Claus Valca

News for the Sysadmins

Here is a quick-post for sysadmins in the crowd.

RELEASE: Office 2013 Service Pack 1 - Kurt Shintaku's Blog

How to force Office 365 to upgrade to Service Pack 1 - BetaNews blog

Microsoft releases fix for Windows Update corruption errors - ZDNet

Fix Windows Update corruption errors such as 0x80070002 and 0x80070057 - Microsoft Support

Description of Software Update Services and Windows Server Update Services changes in content for 2014 - Microsoft Support

Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322 - Security Research & Defense blog

Fix problems that programs cannot be installed or uninstalled - Microsoft Support - I mentioned this tool in a previous GSD post but at the time hadn’t deployed it yet. What it does is give you the option to deploy it to the system at hand or in a “portable” mode to carry with you. When you run the tool it gives you a menu from which you can select the category of issue you are running into, as well as a more detailed sub-listing of specific issues to pick from. Once selected, it will deploy the possible fix for the issue.

Sadly, it was no help to me in my repeated failures to get IE 10 or IE 11 installed on the church-house Win 7 x64 PCs. It keeps failing with cryptic error messages that the required updates are not on the system, but even laboriously manually downloading and installing the documented IE 10/11 prerequisites results in the same failure.

INFO:    Setup exit code: 0x00009C57 (40023) - Prerequisites failed to install.

I’ve spent a lot of time picking through the IE 10/11 update log file (IE11_main.log) generated and cross-matching it with a system that has a good/successful install log report, but despite everything so far, IE 10/11 upgrades just keep failing. I’m not alone in this issue. That will be a post for another day, though… And I haven’t done a Process Monitor trace file capture yet either…speaking of…

[Aaron Margosis will] be on Defrag Tools (Channel 9) - Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog. This one sounds exciting:

We talked about the upcoming Sysinternals book I'm writing with Mark Russinovich, and demonstrated a very cool "App Install Recorder" built with Process Monitor and some PowerShell scripts.

The episode will go live next Monday, March 10, at 9:00am Pacific Time.


--Claus V.

For the iOS crowd

A few nights ago, I came home from work and Lavie was quite frustrated with her iPhone.

She had heard a local news story about how the iPhone can track the user and how to disable the feature…only she couldn’t find the news story on the station’s web-site despite their comment.

I was familiar with a number of “feature” settings that could conceivably track and “spy” on your iPhone usage habits and personal travels, but none of those seemed to satisfy Lavie’s understanding of the news story.

Took me a few days but I finally tracked it down for Lavie:

The applicable part was this bit in the story:

“On an iPhone, it’s a bit more complicated. Just go to ‘Settings’, click ‘Privacy’, then select ‘Location Services’, scroll down to ‘System Services’, that’s where you find ‘Frequent Locations’. Just turn that feature off.”

The news story wraps a lot of drama around the issue but it certainly succeeded in getting Lavie’s attention.

I also found these new-to-me reports of other iOS security concerns.

And by the way…

Dad?  These links are for you and that iPad.  I’d say you could blame it on the cats but you don’t have any pets in the house…


--Claus Valca

PSA: Adobe Patch recently came out, again

File under the been there, done that, thought I would need to wait but had to do it again category…

From mid-February,

--Claus V.

More PCI pains

In a non-binding informal survey of family and friends these past two weeks, almost everyone polled reports they are fed up with having to have their bank/credit cards replaced.

Previous soap-box posts from this GSD blog:

Now even more reports are rolling in of these types of PCI hacks. It was bad enough consumers had to be on the constant lookout for malware on their own systems that could steal their account information, then there are the ATM skimmers we have to watch out for, and now, even within a merchant’s own POS systems and network, these bad-boys lurk.

And even when notified by their own bank, customers are now doubly confused and hesitant about whether the call is legitimate or just another social-engineering attack playing on the public fears and news reports.

When we got a similar call on the voice-mail last week, Lavie didn’t even bother writing down the call back number left (good girl!). Instead she pulled out our local bank branch contact information and went directly to the source.  Yep it was legit -- another merchant we shopped at also got hit in a breach similar to Target’s. Yep, more card replacements on the way; again.

A few simple searches on Google will demonstrate the bank card industry has been wrestling with these issues for a long time. Only previously, it seems the scale of the problem had been small enough to fly under the general public consciousness radar. With Target it was so big and touched so many that the barn doors were flung wide open and the cows were in the corn for everyone to see. Now we see shadows behind every merchant’s POS system.

The battle between the fraud perpetrators and the security pros ratchets up a few more notches. It’s the new cold-war baby…oh, wait…I hear that’s starting up again as well. I guess I need to start watching “The Americans” on FX to get prepared again.

For more reads on the topic, both breaches and proposed solutions to get the cows back in the barn…


Claus Valca

Microsoft EMET 5.0 Technical Preview released

I’ve been running the Microsoft Enhanced Mitigation Experience Toolkit (now at version 4.1) for some time on all our home systems.

So with news of new threats that seemed to successfully bypass the EMET protections…

…I was excited to see that a new “technical preview” release of EMET 5.0 was available.

Now I’ve been running EMET since at least June 2013, and have seen or heard nary a peep from it. I’m not complaining. That’s a good thing. I’m just running it with the standard default settings selected at installation.

Strangely enough, this weekend, using EMET 5.0 TP I saw my very first alert occur!

For whatever reason, when I use Internet Explorer 11 I find that this EMET 5.0 TP version is particularly active spotting and blocking potential gotchas.

I can’t wait to see what the final EMET 5.0 will do when it finally comes out.

…an ounce of protection…


Claus Valca.