Bios Password


Monday, February 18, 2013

ForSec/Sysadmin Super Linkfest

Posted on 3:47 PM by Unknown

Yes indeed. I have been super-busy at home and work of late. Though the material keeps rolling in daily, my ability to get it out has been hampered a bit with “real-life” commitments.

So I’m taking advantage of a lull in the storm to dump my link hopper for your enjoyment and my reference.

Grab some snacks, make sure your wireless mouse is fed up on batteries and cheese, and settle in for some serious linkage dumping.

The Java/Flash Patch Cycle

In a sign of just how long it has been since I posted (and the activity that has transpired since mid-January) I submit the following. Note sarcasm attached.

  • Java 0-Day patched as Java 7 U 11 released - ISC Diary
  • Oracle patches widespread Java zero-day bug in just three (days, that is) - Ars Technica (Java 7.11). Hurray! Patched & Secure!
  • Security experts on Java: Fixing zero-day exploit could take 'two years' - ZDNet. Umm. So I’m not patched after patching?
  • Critical Java vulnerabilities confirmed in latest version - Ars Technica. Snap.
  • Java’s new “very high” security mode can’t protect you from malware - Ars Technica. So the point is, what exactly, Oracle? 
  • Another day, another Java security failure - Ed Bott.
  • Oracle releases emergency patches for Java - The H Security: News and Features - Yea! See it didn’t take Oracle ‘two-years’ to patch Java after all! Hurray!
  • Mozilla pulling plug on auto-running nearly all plugins - The H Security: News and Features.
  • Firefox will block by default nearly all plugins - HelpNet Security. Umm. Mozilla? Do you know something the rest of us don’t on those patched plugins?
  • Zero-Day Vulnerabilities Found in Adobe Flash Player - TrendLabs Security Intelligence Blog. And not to be left outdone in publicity, Adobe Flash steps up with new vulnerabilities. Time to patch.
  • Adobe issues emergency Flash update for attacks on Windows, Mac users - Ars Technica
  • Research & Analysis of Zero-Day & Advanced Targeted Threats: LadyBoyle comes to town with a new exploit - Malware Intelligence Lab from FireEye - Flash exploit in action.
  • Thanks, Adobe. Protection for critical zero-day exploit not on by default - Ars Technica - Now what? For crying-out-loud Adobe, I’ve got to enable some exploit protections manually? How the friggin’ are non-tech users to know and keep up with this? Sheesh.
  • Mitigate the Adobe Reader/Acrobat XI Vulnerability - F-Secure Weblog : News from the Lab
  • Adobe Acrobat and Reader Security Update Planned this Week - ISC Diary. Really? Is this another one I need to manually activate or will you activate it for me this time?
  • Java Archive Downloads - Java SE 7 - get your Java 7 SE downloads in all their prior versions
  • Java Downloads for All Operating Systems - Java SE 7 - get your latest version here (currently 7.13).
  • Java Runtime Environment 6 Downloads - Java SE 6 - Get your latest version for Java 6 here (currently 6.39).
  • JavaFX Download for JDK6 - You may or may not need this. But if you do need JavaFX you can get the latest here.
  • Where can I get the latest version of Java 6? - Java. Umm. So Oracle seems to be saying they are pulling public download support for future versions of Java 6. Other sites will mirror older versions, but the pickings are about to get thin. Hopefully if you are running Java SE, you can jump to 7 if you haven’t already done so.
    Java SE 6 End of Public Updates
    After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download.
  • Adobe Flash Player Distribution - Adobe. Get your latest exe/msi version downloads here.
  • Shockwave Player Distribution Downloads - Adobe. Get your latest exe version downloads here.

So where does that leave us?

Remove Java? I doubt it. - Malware Analysis Blog. I did!

I actually have decided to remove Java SE from our home systems. I do like to run some Java apps but that is pretty rare so I will install, run, de-install Java as needed. Small price for system security.

In a bit of irony, shortly before drafting this blog-post statement, Lavie brought me her iPhone and iPod and told me she sent me a link to a band she follows. As a hard-core fan, she was treated to a free download of some tracks from the artist’s portfolio. She needed these added to her devices. When I followed the link to download the tracks on our system, I was presented with a dialog box to install Java SE. Turns out their download manager app uses Java SE. Nice. Install, download files, de-install Java again. I did notice it linked to the Java 7.13 bits. That’s something.

Sadly, I can’t get away with doing the same at work. We run a non-current release version of Java 6 as the “standard” at work. If you are running Java 7, automated auditing reports tattle on you, and you either have to justify your use of Java 7 or it will be auto-uninstalled and rolled back to the standard level of Java 6.

Sweet baby Jebus.

For home users who are non-technical (or are and just don’t have the time to follow the web-browser plugin patching game) I recommend popping in once a week to the Qualys BrowserCheck on each of their installed web-browsers. Maybe that way you can catch and patch dated versions fairly easily.

Why the Patching Fuss?

Failure to patch and run current versions of Java/Flash/<insert plugin-here> (not to mention your OS) could lead to the following headaches, public shame and liability.

  • Facebook engineers compromised by Java zero-day - The H Security: News and Features
  • Facebook computers compromised by zero-day Java exploit - Ars Technica
  • Facebook Hacked, Mobile Dev Watering Holes, and Mac Malware - F-Secure Weblog : News from the Lab
  • Employees targeted with fake DocuSign "confidential message" - Help Net Security
  • Chinese Hackers Infiltrate New York Times Computers - NYTimes.com

And you thought having someone guess your Yahoo password and use it to send spam was a headache.

Not software-based, but Amazon users are exploited also…

Saw these links this past week. Fascinating.

  • Chasing an active Social Engineering Fraud at Amazon Kindle - Scott Hanselman
  • Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam - HTMList.com, A Web Development Blog by Synapse Studios

For the ForSec Crew

OMG! What an amazing number of posts and material from our ForSec experts! Especially timely after all these latest Java patching dramas we have been enjoying lately.

  • Java, Timelines, and Training - Windows Incident Response Blog
  • BinMode: Parsing Java *.idx files, pt trios - Windows Incident Response Blog
  • Why "BinMode"? - Windows Incident Response Blog
  • BinMode: Parsing Java *.idx files, pt. deux - Windows Incident Response Blog
  • BinMode: Parsing Java *.idx files - Windows Incident Response Blog
  • BinMode - Windows Incident Response Blog
  • Java IDX Sample Files from Java Spearphishing Attack from SANS FOR508 - SANS Computer Forensics and Incident Response blog.
  • Extracting ZeroAccess from NTFS Extended Attributes - Journey Into Incident Response blog
  • Detecting Extended Attributes (ZeroAccess) and other Frankenstein’s Monsters with HMFT - hexacorn blog
  • Beyond good ol’ Run key, Part 3 - hexacorn blog
  • Links for Toolz - Journey Into Incident Response blog
  • Deobfuscating Potentially Malicious URLs - Part 1- Open Security Research blog
  • Attributing Potentially Malicious URLs - Part 2 - Open Security Research blog
  • Evaluating Potentially Malicious URLs - Part 3 - Open Security Research blog
  • Interesting Malware in Email Attempt - URL Scanner Links - If the OSR links above whet your appetite, this GSD post has some additional related resources you might be interested in.
  • Tips on Malware Analysis from Jake Williams - Lenny Zeltser On Information Security blog. Link to three posts regarding malware analysis.
  • There Are Four Lights: The Forensic Scanner - Windows Incident Response Blog
  • What is PALADIN Forensic Software? - Sumuri - the free forensic liveCD is now released at version 4.0.
  • CAINE 4.0 codename "Pulsar" is cooking. It’s not here yet, but the CAINE liveCD distro is in the works now as well.
  • Apple Hates Forensicators - Forensic 4cast
  • Got a PC problem? Try OSForensics 2.0 - Betanews - Nice review on OSForensics. I find it helpful for sysadmin support duties as well. OSForensics - Download

We pause for a PSA…

  • Yes, that PC cleanup app you saw on TV at 3am is a waste - Ars Technica

Network News of Late

  • CapLoader 1.1 Released - NETRESEC Blog
  • Analyzing 85 GB of PCAP in 2 hours - NETRESEC Blog
  • Extracting Metadata from PcapNG files - NETRESEC Blog
  • Wireshark releases v1.8.5 and 1.6.13 - ISC Diary
  • Wireshark - Download
  • Wireshark - Wireshark 1.8.5 Release Notes
  • Connect OpenVPN - OpenVPN for iOS
  • URL Snooper - Mouser Software at DonationCoder.com
  • WAN Circuit Topologies - Packet Life
  • Security alert for D-Link routers - The H Security: News and Features
  • More Wi-Fi devices with security holes - The H Security: News and Features
  • Microsoft Message Analyzer Beta 2 is released (build 5950)! - MessageAnalyzer blog

Tools, Utilities and Treats for the SysAdmins

  • Undelete Navigator Is A File Recovery Tool With Better Browsing - AddictiveTips blog
  • Kickass Undelete - a free, open source file recovery tool for Windows - Version 1.3 beta
  • FreeRecover - SourceForge.net
  • Recuva v1.45 - Piriform
  • Comodo Rescue Disk for Windows - Download Rescue Disk Software
  • COMODO Rescue Disk (CRD) v2.0.261647.1 is formally released - Comodo
  • COMODO Rescue Disk 2.0 combats even deeply embedded malware - BetaNews
  • LSoft Technologies - Freeware products
  • RKill terminates malware processes - BetaNews
  • RKill Download - bleepingcomputer
  • Remove malware from an already-infected PC with Malwarebytes Chameleon - Softwarecrew
  • Chameleon - Malwarebytes
  • Updates: Pendmoves v1.2, Process Explorer v15.3, Sigcheck v1.91, Zoomit v4.42 - Sysinternals
  • Updates: Autoruns v11.41, Handle v3.51, Movefile v1.01, Procdump v5.13, Sigcheck v1.9 - Sysinternals
  • Update: Autoruns v11.42 - Sysinternals
  • DISM GUI 3.5 Released - Mike's Blog
  • JavaRa 2.1 - SingularLabs - Tool to assist with removal of Java from Windows systems.
  • MemTest86 now maintained by PassMark Software - BetaNews
  • Outlook 2013 deprecated features and components - Outlook Blog
  • WSUS Offline Update - Update Microsoft Windows and Office without an Internet connection

Bits and Pieces

  • Information about ComboFix being infected and what you should do - Bleeping Computer. From time to time I have recommended or posted links to the ComboFix tool to remove certain malware infections. It appears a particular release version of ComboFix was compromised. The latest version is clean, but I thought it would be good to note this thread for the curious or concerned.
  • Universal Plug and Pray - F-Secure Weblog : News from the Lab
  • Exposed UPNP Devices - ISC Diary
  • ScanNow for Universal Plug and Play (UPnP) - Rapid7. Download and install this tool to check your network for potential UPnP issues. Only be aware it does require Java SE installation as a pre-requisite… so that may bring its own issues to the table. If in doubt, install Java SE and this tool. Run both to audit/assess. Make your notes… then uninstall.
  • Universal Plug and Play Check by Rapid7 - online version of the tool to check your router for issues. Limited features.
  • Comodo - free security products for home users.
  • Search & Browse The History Of All Web Browsers On A PC From One Place - AddictiveTips
  • My Computer Tweaker: Massive Collection Of Windows Registry Tweaks - AddictiveTips
  • Control Panel - My Computer Tweake - by ~KeybrdCowboy on deviantART
  • New: UNetbootin Portable 583 (create bootable Linux USB drives) Released - PortableApps.com
  • New: Smart Deblur Portable 1.27 (sharpen out of focus and blurry images) Released - PortableApps.com
  • Spybot - Search & Destroy: The Simple, Yet Effective Route For Cleaning Your PC Of Malware - MakeUseOf blog review.
  • Spybot - Search & Destroy Portable - PortableApps.com

Enjoy.

-- Claus Valca
