Sunday, December 21, 2008

Late Sunday Linkfest: Focus on Security

Wow.  What a busy last couple of days!  I’m only now coming up for air.

Been playing taxi taking Alvis to school and picking her up early as she has short days due to finals.

Then there was that two-day jaunt through the piney woods up to Jasper, Texas for an extended family wedding.

Today Lavie and I started some of the Christmas shopping. We made a small dent but much remains to be done.  I always start to get a bit stressed out during this time, despite all the reminders (at home and church) of what the real focus needs to be.  I guess I want to be sure everyone is taken care of and happy, so I sometimes over-extend myself.

Expect a slightly lighter posting around the place as I try to pause from time to time.

Somehow I think I won’t be alone….

Here are some security bits that I picked up this week.

  • Microsoft Security Bulletin MS08-078 - Critical: Security Update for Internet Explorer (960714) – Microsoft released an out-of cycle patch for a serious flaw.  Go get your Windows Updates if you haven’t already.  Applies to almost every recent and upcoming Internet Explorer builds.

  • The Security Development Lifecycle : MS08-078 and the SDL – Microsoft opens up a bit and lets it team share a bit more technical data about the flaw.  They go into the specific reason for the flaw, why it wasn’t identified sooner (by them) and supposition on how it might have been discovered in the wild.  More for code-heads, but still it provides some insight into the bug-finding and patching process.

  • Memoryze - (freeware) – MANDIANT’s new tool is a “…memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.” That link contains a full summary of features.  It also is able to run a full battery of actions against “…live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.”   Mandiant also details other uses for this tool such as traditional memory forensics, incident response support, malware analysis, reverse engineering, and rootkit  and hook detection.  One thing I’m not sure of (yet) is how this fits with “do-no-harm” forensics works as the download appears to be an MSI  installer and must be installed and run on the live system.  On a forensically captured system, the install process would by necessity overwrite captured drive space, and by it’s very presence, possibly alter the system/memory you are attempting to capture  I don’t know if it has a “portable agent” component like their Mandiant Red Curtain - Incident Review Software (GSD Post review).  Anyway, looks interesting and I’ll be playing with it more in the coming weeks.  Spotted over at gaetano zappulla’s soup

  • Volatility seems to be one of the premier memory acquisition and forensics tools out there at the moment.  I guess this is what Memoryze is “competing” against.  It’s another tool I haven’t had the pleasure of getting my feet wet in yet.  However it looks like it could be useful in dealing with incident response and malware analysis as well.  I did see word last week that it might have some    very specifically arising memory sample data corruption issues.  As this isn’t my area of expertise by a long-shot, I can’t say much more about it than that.

  • Lavasoft Anti-Virus Helix – This was curious.  At first blush, it appears that Lavasoft (of Ad-Aware anti-malware fame) is now releasing some new and cool anti-virus scanner as well.  No it is not free.  However, users knowledgeable in consumer AV products might be wondering where they have seen that GUI before..  Turns out that Lavasoft has just rebranded Avira AntiVir Personal which is a free product.  I imagine that that Lavasoft paid version offers a few more features like it’s paid Avira personal AV product as well so comparison to the free version isn’t quite accurate, but it is darn close..  However, I really can’t see much reason why folks would spring for this one over the Avira AntiVir Personal (free) version.  I guess Lavasoft is just trying to work on its security suite-building and feel it needs to offer an AV product as well.  For more details on this whole Lavasoft Helix/Avira AntiVir thing and comments from Lavasoft, see Ad-Aware gets an antivirus cousin over at the Download Blog.

  • Helix3 – forensics “LiveCD” -  I’ve had this in my software kit for many years and really love it.  The version 3 is very polished.  One tool in particular that I have found on it is called Pre-Screen/SearchIt and was developed by Paul Bright over at the NCIS. Basically it allows you to scan a drive/folder for a variety of image files to determine if any items are found that may warrant a deeper inspection of the system.  It’s a cool and very tiny little application.  Despite all my attempts, I haven’t been able to locate a download source for it other than snagging it off the Helix ISO file itself (download).  So I don’t know if newer versions exist.  In my use of the GUI on systems it still seems a bit buggy and hung up if i got too deep of the main menu options on both Vista and XP systems.  I also did some more looking if other similar (and free) software existed but didn’t find anything close.  It seems to be a bit slow on scans from my usage.  Does anyone know of any other alternatives I could try?  I know there are a lot of large graphic/thumbnailers out there but this one seems to not leave any “trace” on the local system when running and doing its thing.  Paul’s done a great job on this tool and I am grateful for his sharing with the community.  I’m no coder so I can’t critique it too hard and don’t mean for this to come across wrong, but I wonder if someone could write a bit faster and slightly easier to navigate tool to index major graphic image files on a system and display both a listing and adjustable thumbnails.  It may already exist, and it is also possible that Paul has a newer non-public version out there as well of his tool.  It just seemed so close to perfect greatness with just a little bit more tweaking and performance gain.  Alas, I also haven’t had time yet to snag and play with DEFT Linux computer forensics live cd.  It’s also on my “to-do” list this week.

  • Windows Viewers & Information Extractors for Various File Types - SANS Computer Forensics, Investigation, and Response blog. Great and most wonderful roundup of many, many tools to assist with system information extraction, file handling, and file viewing.  While I did have quite a few of them in my toolbox already, I came across a number of new and curious tools that will demand more study such as NavRoad Offline HTML Browser, GlobFX Swiff Player, Wimpy FLV Player, Exiftool, and Pinpoint Metaviewer.  That last one has a number of additional interesting apps from the developer to check out also!

  • Case Study: Suspicious Network Traffic -  TechScrawl blog.  Brief but interesting review of tracking down some weird network traffic.  Lots of good points and observations.

  • Syn: The Story of an Insider - Part 3. Playing at CSI – SynJunkie wraps up this second “story” about a security incident and response.  This one is especially juicy as it shows how the aforementioned Helix cd is used by a sysadmin to do a live dd capture of a system, port it into a virtual session using Live View.  Live View is for VMware virtualization.  I wonder if a similar tool exists for Virtual PC or Virtual Box software.  Anybody know of any they could recommend?

  • – Neat little site that pulls in and displays the site-code of a web-page without you having to actually load it first in your browser.  I had been doing a Google search in Chromium earlier this week and landed on page that started out normally, then some javascript ran and I got a pop-up for a rouge security warning that locked up the browser.  Having dealt with these before, I knew none of the “cancel” or “exit” buttons would actually do that and the only one that would “work” was the live download button, which I didn’t want to use.  I was able to CTRL-ALT-Delete and pull up Process Explorer which I had set as my alternative task-manager.  Using that I suspended the Chromium process then killed it.  That got me safely away from the page. But now I was curious.  I wanted to explore the page-code, but didn’t want to muck around with reloading it in a Linux “LiveCD” session and I didn’t have my more hardened Firefox build at hand.  So I captured the URL of the website in question, fed it to, and it regurgitated the page-code safely for me.  Buried in there were a number of javascript calls and checks for browser versions with URL redirects that generated the rouge security product popup call.  Curious stuff.  So I reported the malicious URL to a number of anti-malware tracking sites for good measure and Net citizenship.

Enjoy your holidays!

--Claus V.

No comments: