Sunday, March 15, 2015

…and if you did patch this week…sysadmin tips and helps

Sadly, if you did apply your Windows Updates last week, it’s possible something broke.

Don’t give up hope…here are some tips and tools to keep you distracted


Claus Valca

Did you overlook any patching last week?

What a crazy, patch-filled couple of weeks it has been!

I’m dizzy.

First there are the Windows patches

Next there are those Adobe patches

Go get ‘em!

And for good measure, sometime recently Oracle released its own patches for Java. I didn’t realize I was behind until I checked!

Go get ‘em


Living without plug-ins such as Flash or Java - gHacks Tech News

Two EASY ways to check if you are up to date on your plugins:

Stay patched my friends!

--Claus Valca

Linkfest for Firefox, Vivaldi, and Chrome news

Firefox looks like it will be seeing some advanced feature options in an upcoming release

Vivaldi browser has some new snapshot releases out

And here is a tip that may help with image rendering speed improvement in Chrome


Claus Valca

Exploit Update

Why do I work so hard to bolster the defense-in-depth of our home Windows systems?

  • like keeping the browsers updated to their most current patch level?
  • like keeping all the third-party plug-ins updated to their most current patch level?
  • like running EMET, and Malwarebytes Anti-Exploit, and AV/AM software all at the same time?
  • like keeping our Windows OS’s religiously patched?

Because all it takes is tripping onto just one “good/trustworthy” website that has been exploited to serve up malware to a vulnerability and your system could be compromised and hosed.

More web exploits and attempts to stem the tide by the pros…

Constant Vigilance!

--Claus Valca

EMET 5.2 Now Out

News dropped this week that Microsoft released version 5.2 of their Enhanced Mitigation Experience Toolkit – EMET.

It has some new enhancements.

It installed just fine on both my Win 7 x64 systems along side Malwarebytes Anti-Exploit.

As previously mentioned, I’ve disabled the EMET protection for “iexplore.exe” so they play nicely, and that strategy seemed to work fine.

However, when I installed EMET 5.2 on Lavie’s Win 8.1 x64 laptop, despite disabling/removing the EMET protection settings for Internet Explorer, the browser continued to hang while I had Malwarebytes Anti-Exploit going.

I could run just EMET 5.2 OR just Malwarebytes’ AE but I decided I still like the idea of both so I ended up having to roll back to EMET 5.1 where I don’t have an issue when iexplore.exe is disabled.

So, that’s my experience with EMET 5.2 so far.


--Claus Valca

Sunday, March 08, 2015

Sundry Sunday Sysadmin Links

As we face a multi-day rain deluge, and adjust to the “spring-forward” cycle of DST I’ve got a smidgen of new linkages of possible interest to sysadmins.

Take off those Wellingtons and pop open some hard-cider with me and find solace in the warmth from humming computer equipment and a good HDTV screen.


I’m a bit late to the IE10/11 party for enterprise with the “Enterprise Mode” feature. We are still (yes) running IE 8 at the hot-dog factory and more than most in-house applications still require IE 8 platform compatibility – so here we stay for now. I’m hoping we can do some pilot testing of IE 11 and leverage these new IE technologies; Enterprise Mode, Enterprise site List, and Enterprise Site discovery. Hence the linkage below for additional research on my part.

Speaking of web-browsers and compatibility, careful and reflective readers of the GSD blog may recall quite the technical post (rant) a while back on Firefox and malware-detection/download monitoring that got my hackles all up and bothered.

Well, it looks like an upcoming (Firefox 39) version release will include a much-needed “bypass” option for the Safe Browsing security feature.

I get the core security concerns Safe Browsing was supposed to provide, but as a technical user, not having an easy override option was seriously frustrating. I’m glad to hear about this development.

Other Mozilla security features on the way or tips for addressing current issues from the Mozilla Security blog.

As a Samsung SSD EVO 840 user (and loving every minute of that upgrade decision), I’m always on the watch for news updates on firmware or software upgrades, and here is some tantalizing news. According to the Samsung Magician software used to manage the drive, I’ve currently got the most current firmware available; EXT0BB6Q. So I’m watching these like a hawk.

BETA: Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 Technical Preview - Kurt Shintaku's Blog – Previously mentioned. I finally got around to downloading it alongside my Windows 8.1 ADK set and my Windows 7 AIK set and pulled out all the performance assessment, USMT, and deployment (WinPE) tools. Nice and sweet! Playtime continues with these upgraded Windows 10 toolsets.

INFO: Blogs, Sites & Social about Surface - Kurt Shintaku's Blog – I’m starting to familiarize myself with the Surface Pro 3 unit we got into the shop a while back. I’ve not fiddled with the stylus just yet, but the general usage is pretty straightforward. Kurt’s got some great linkage to additional blogs and sites for Surface Pro users so the best of these will be added into my RSS feed piles. The following in particular seemed quite good from a technical-support aspect (in contrast to product placement and cheerleading news).

Fixing Cisco AnyConnect Failed to Initialize Connection Subsystem on Windows 8.1 - Next of Windows – so basically a recent Windows Update may have hosed Cisco AnyConnect just a bit on Win 8.1 systems. The fix (workaround) is to just configure it to run in compatibility mode for Windows 8.

Windows: Black screen after February 2015 Update – Borns IT and Windows Blog (Google Translated from original) – I’ve seen this more than a few times at work after Windows Updates going back to at least December. The updates go on, the system reboots, and just seems to “hang” on a black screen forever. Rebooting doesn’t help and no visual indications present to let you know “something” is happening on the system. Like Gunter Born says, my experience is with some patience and waiting (from a few minutes to hours) the system finally resolves what it is doing and the “loading Windows” graphics appear and the system comes up. I’ve had techs who were too impatient and couldn’t wait and just wiped/reimaged the system so there is that approach as well, but patience goes a long way. I just wish this trend would be addressed on the next round of Windows Updates. It’s annoying at the worst and frustrating at best.

Update Error 8024001F by Microsoft FREAK workaround – Borns IT and Windows Blog (Google Translated from original) – I’ve been watching and monitoring the FREAK situation but haven’t been posting on it here. That said, Gunter Born’s post is worth reading for sysadmins, even if you aren’t directly in charge of working on the FREAK issues in your shop. For some cribbing on FREAK see below:

How to Remove uTorrent’s EpicScale Crapware From Your Computer – How-To Geek – I can’t really fault uTorrent as the installer seems to clearly indicate an option to install EpicScale “add-on” software but one wonders how many people were paying attention carefully during the installation process. That’s how lots and lots of third-party “I don’t really want or need it” enhancement-ware packages get pummeled into users’ systems. Anyway…here’s the discussion summarized and how to get it off your system if you use uTorrent.

D-Link fixes the latest flaw in its routers, more patches on the way – Betanews – My DIR-655 router from D-Link is a hardware type “A” and as of right now, I’m still running the most current (06/1/2013) firmware release version 1.37 so alas, no updates yet. Fingers crossed one will be offered in the near future. I’m not ready to pick up a new router yet as this one continues to work super-great and is more than fast enough.

DelFix deletes portable disinfection tools from your system automatically - gHacks Tech News – As someone who advocates use of free and portable adware and security tools, it’s nice to know there is a utility DelFix that can do some post-adware cleanup of the adware-cleaning software remnants. I like the concept but per Martin Brinkmann’s article on gHacks, it doesn’t currently offer a log advising you in advance what is going to get cleaned/nuked so you may be taking a risk to use it and I have to agree that I’d look forward to a future version that includes some ability to review the actions to be taken (and selectively accept them first) before execution.

Program launcher SyMenu integrates Nirsoft, Sysinternals and other programs - gHacks Tech News – I really like the SyMenu application. It is in my “projects” pile to fiddle with to see if it can help me manage my portable USB application folder. I’m sure it would do a wonderful job rather than my current method of just rummaging around in my utility folders for the tool I’m looking for. That said, it also includes the ability to integrate the NirSoft suite and the Sysinternals Suite. Pretty cool. Other tools that help with that process are:

Finally, every so often I drop in over at NoVirusThanks to check out some of their free tool offerings and to see what they have been up to for new portable security and system utilities. Besides their free tools, they also offer some free network tools. Most may be replicated in other local utilities but it still may be worthwhile to bookmark them for reference just in case your USB stick isn’t handy.


Claus Valca

Harmonizing EMET and MBAE

In the GSD post “Anti-Virus Software Update - GSD Thoughts” I outlined the layered security approach I generally take on our Windows systems.

My layered use of the following products meets my own household needs but may not be adequate for less-than-advanced users.

  1. Free Firewall Software by GlassWire - Monitors and logs network connections…more used for logging than “active firewall blocking”.
  2. Sysmon - Sysinternals core service to log application/network executions
  3. Enhanced Mitigation Experience Toolkit - EMET - TechNet Security
  4. Microsoft Security Essentials - Microsoft Windows - Core AV protection
  5. Malwarebytes Premium - Supplemental real-time AV/AM protection
  6. (Optionally) Malwarebytes Anti-Exploit - Free Zero-Day Exploit Protection - browser layer protection

What I failed to clearly explain in that list is the following potential “gotcha” one may trip over.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) – while generally very compatible both with Malwarebytes and Malwarebytes Anti-Exploit (MBAE) – seems to prevent smooth launching of the Internet Explorer web-browser when both are using default settings.

On both my Win 7 x64 and Lavie’s Win 8.1 x64 systems Firefox, Chrome/Chromium, and Vivaldi browsers all seem to work just fine with EMET and MBAE running…though I just keep to the default EMET configurations on install and don’t specifically add custom protection for Firefox/Chrome/Vivaldi to EMET. Internet Explorer (iexplore.exe) is included in the default EMET protection. And the free version of MBAE protects Firefox, Chrome, Internet Explorer and Opera browsers.

Many MBAE users recommend just skipping (or uninstalling) EMET but I find they do complement each other nicely with the exception of Internet Explorer, so I continue to run them together at the same time, with the conditions noted below.

On Lavie’s Windows 8.1 system I actually - through great trial and error – arrived at a combination of EMET iexplore.exe protection feature checks/unchecks to get IE running smoothly with no issues alongside MBAE. (When I can get Lavie’s laptop away from her, I’ll update this post with a screen shot of her Windows 8.1 MBAE configuration.)

On both my Windows 7 systems I just punted and disabled EMET protection for Internet Explorer entirely as I almost never use IE myself and will just trust MBAE to cover the EMET opening I’ve created with that strategy.


Likewise if you have the paid version of MBAE, you could optionally disable the IE protection in MBAE and leave the EMET protection in place; the free version doesn’t allow adding of processes or disabling of protections.

There are some Malwarebytes MBAE forum threads that try to address the tweaking of EMET more methodically.

Again, I managed to do that on Lavie’s Win 8.1 system and will eventually get around (probably) to either confirming the configuration for iexplore.exe in EMET 5.1 noted in the forum post above, or finding the combo that works on my Win 7 systems, and will post an update here as well.

In case you are curious to know if MBAE is actually protecting your system, they do offer a series of test files you can use to trigger the MBAE protection alert for validation.

In case you are curious, while working on researching this post, I found a few notices that a new version of Malwarebytes Anti-Malware (2.1) will be on the way soon. It is currently available in a Beta form if you are daring.

I’m looking forward to the changes and promised performance improvements.

Finally, in case you are interested, the Vivaldi browser I’ve been crushing on lately isn’t included in the free-version of MBAE protection. Again, if I was using the paid version, I’m pretty sure I could add the exe file to the list manually to provide customized protection. I imagine it should play well as it is based on Chrome/Chromium which does get protected by MBAE via its chrome.exe host process coverage.

I did pop into the Protection for new browsers - News, Questions and Comments Malwarebytes Forum and did the responsible thing by asking for vivaldi.exe to be added to the default protected browser list in MBAE.

Time will tell.


Claus Valca

Vivaldi browser–Technical Preview 2 Release + Tip

I’m really liking my Vivaldi browser experience so far. Each snapshot release helps refine the browser that much more.

It still isn’t my primary web-browser but I enjoy the web-browsing experience the more I use it between releases.

So does Ars Technica! If you haven’t spent much time checking it out based on what I’ve been posting here (my #1 excitement…having a Chrome-like browser but with a true bookmark side-bar like Firefox) check out Scott Gilbertson’s wonderful review below.

The past few weeks have been busy for the Vivaldi team and no less than two “snapshot” releases capped by a Technical Preview 2 release have come out.

One weakness of Vivaldi right now is that it doesn’t yet support plug-ins. For core web-browsing that’s not a problem, but if you like to bolster the security of your browser it can be a bit daunting.

I run Malwarebytes Anti-Exploit as one (of several) layers of system security. More on that in a follow up post.

However the free version doesn’t support Vivaldi.

I also depend on adware blocker add-ons. I totally get the whole argument about how blocking ads cuts into the revenue streams of many full-time bloggers who make their living by ad-generated revenue. However, I’ve also seen the carnage from malware delivered via malvertising campaigns. That isn’t the fault (usually) of the blogger or web-site but I don’t like the idea of getting infected either. Also, I’m very, very unlikely to purchase a product seen via a web-ad. Word of mouth and in-depth product reviews from trusted bloggers are much more likely to encourage me to check out a product.

I digress…

So I cannot run an ad blocker in Vivaldi (as I do in my primary-use Firefox/Chromium browsers), and want to do so to ensure I have an additional layer of protection against a malvertising-based attack.

What to do?

Luckily, the bloggist had the answer for me as posted back in October last year

Download, install, configure, update, protected! System-wide. The developers (Murray Hurps and Jeffery Cole) have recently (and generously) decided to offer their product (formerly $) fully-featured for free.

I’ve got a lot to learn about Ad Muncher, but the gist is that it runs on your system, sitting in the system tray, and can cover ad-blocking in any web-browser (without needing to be an add-on extension).

I recommend reading the Ad Muncher/Frequently Asked Questions page on the Ad Muncher Wiki site. It is a great place to start.

The program is highly configurable and you can add all kinds of extra tweaks and custom filtering.

It does sit as a local-system proxy-of-sorts for your browser web-traffic, so if you are concerned be aware of that and take some time to read the extensive Ad Muncher v4.72 and newer help page for all the technical details. Also, don’t forget it is running as a proxy of sorts as that could throw off your troubleshooting a bit.

Check it out and big hat-tip to both and the Ad Muncher crew.


Claus Valca

Threat Watch Linkfest

Here is a smattering of linkage for threats that caught my attention recently.

MITM/Superfish threats

Thoughts on a VNC-based network probe

It’s not a good sign when the help desk starts getting calls from users asking why IT is trying to remote to their systems with a new “VNC” product. It’s especially not good when IT doesn’t use that product and is not making blanket network connections to our customers. Someone better tell the little Dutch boy to go stick his finger in the perimeter dike!

Some users selected “OK” to allow the remote connection thinking it was the local IT shop. Most did not.

Data has been collected from the incident and I was able to identify some IOCs to use to go back and search out other systems where users may have selected “OK” but didn’t call in afterward that they had taken the bait.

Looking at logs from some of those systems, it appears that although a remote connection window was presented to the user, the application logs register the inbound connection but do not indicate that a connection was successfully opened to the user’s system, despite the dialog window presentation and the user clicking “OK”. More research/incident-triage would be beneficial but the order came in to wipe/reimage these systems immediately so…there we are.

My guess (and without additional information it is just an educated guess) is that something got left open on the perimeter, an automated IP/port scan for VNC got by and triggered the local VNC responses seen. The actual mechanism and tool used remains unclear.
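To make the log-review step above concrete, here is an added example (not from the original post) of the kind of triage script I would run over the VNC-server application logs pulled from each endpoint. The log line shape, host names and addresses are constructed for the example; 198.51.100.0/24 (a documentation range) stands in for the outside scanner, and the internal ranges are an assumption. It separates hosts that were only probed from hosts where the user clicked “OK” but the log shows no session, and from hosts where a session actually came up, and it pulls the external source addresses out as the IOC to hunt with on systems whose users never called in.

```python
"""Triage per-endpoint VNC-server application logs after a network-wide probe.
Added example, not from the original post: log format, host names and
addresses are constructed; INTERNAL_NETS is an assumption about the shop."""
import ipaddress
import re

# Assumption: ranges the IT shop legitimately remotes in from.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed line shape: "<date> <time> <event> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>incoming|prompt|accepted|rejected|established|closed) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample logs, one list of lines per endpoint.
SAMPLE_LOGS = {
    "WS-0417": [  # user clicked OK, but no session line follows
        "2015-03-02 09:14:05 incoming src=198.51.100.23",
        "2015-03-02 09:14:06 prompt src=198.51.100.23",
        "2015-03-02 09:14:20 accepted src=198.51.100.23",
        "2015-03-02 09:14:21 closed src=198.51.100.23",
    ],
    "WS-0522": [  # user declined
        "2015-03-02 09:14:07 incoming src=198.51.100.23",
        "2015-03-02 09:14:08 prompt src=198.51.100.23",
        "2015-03-02 09:14:40 rejected src=198.51.100.23",
    ],
    "WS-0611": [  # a remote session really came up
        "2015-03-02 09:14:09 incoming src=198.51.100.23",
        "2015-03-02 09:14:10 prompt src=198.51.100.23",
        "2015-03-02 09:14:30 accepted src=198.51.100.23",
        "2015-03-02 09:14:31 established src=198.51.100.23",
    ],
    "WS-0702": [  # legitimate help-desk session from inside
        "2015-03-03 11:02:00 incoming src=10.20.30.40",
        "2015-03-03 11:02:01 prompt src=10.20.30.40",
        "2015-03-03 11:02:05 accepted src=10.20.30.40",
        "2015-03-03 11:02:05 established src=10.20.30.40",
    ],
}


def parse_line(line):
    """Return (timestamp, event, source_ip) or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("event"), m.group("src")


def is_external(ip):
    """True when the source is not in any range the IT shop connects from."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage_host(lines):
    """Verdict for one host, considering only connections from outside."""
    events = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_external(parsed[2]):
            events.add(parsed[1])
    if not events:
        return "clean"
    if "established" in events:
        return "session-established"   # reimage first
    if "accepted" in events:
        return "accepted-no-session"   # user took the bait; log shows no session
    return "probed-only"               # scanned, nothing accepted


def triage(logs):
    """Map each host name to its verdict."""
    return {host: triage_host(lines) for host, lines in logs.items()}


def probe_sources(logs):
    """External source addresses seen on any host: the IOC to search the
    perimeter/firewall logs and the remaining endpoints for."""
    sources = set()
    for lines in logs.values():
        for line in lines:
            parsed = parse_line(line)
            if parsed and is_external(parsed[2]):
                sources.add(parsed[2])
    return sources


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: {verdict}")
    print("probe sources:", ", ".join(sorted(probe_sources(SAMPLE_LOGS))))
```

The verdict order matters: a host with an “established” line is handled before one where the user merely accepted, since the former is the one where remote control actually happened. The “accepted-no-session” bucket is exactly the ambiguous case described above, where the dialog was accepted but the log never records an open session; those are the hosts worth a closer look before a blanket reimage.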

Here are some articles and links about VNC-type based attacks for my reference and review.

Dyre Trojan New Variant

Dyre Targets More Websites - ThreatTrack Security Labs Blog – besides looking to steal banking credentials from infected systems, this variant now has expanded to file hosting, job hunting, general commerce, and even some income tax service websites!

Previously noted on this GSD blog: Fighting a Hydra named Drye/Dyreza/Upatre


Turning the Tables

Mr. Zeltser offers a very interesting approach to preventing malware infection of a system. By using known infection-markers and loading them into a clean system, he can inoculate the system from infection. It uses the tendency of malware writers to check to see if a system is already compromised (or is virtualized) by looking at running processes, maybe registry keys, etc. If those indicators are present, then the payload delivery and infection get skipped! The thought here is that if you know what those are, drop the safe “bits” around a system, then when the malware attack comes it “passes-over” the system and the system stays clean. Very clever indeed!
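The mutex flavor of that idea in working form, as an added example that is not Mr. Zeltser’s tool or code: a small Python script that creates and holds the named mutexes a family checks for before it installs, so the malware’s own “am I already here?” test answers yes. The marker names are constructed placeholders (real ones come from a malware analysis report or sandbox run), and the script only does the kernel call on Windows; the “already-present” result on a host you never inoculated is itself a lead, since something else is holding the malware’s marker.

```python
"""Hold the named mutexes a malware family checks for before it installs.
Added example, not Lenny Zeltser's tool. PLACEHOLDER_MARKERS are constructed
names, not real indicators; substitute names from an analysis report."""
import ctypes
import sys
import time

ERROR_ALREADY_EXISTS = 183   # GetLastError() after CreateMutexW on a taken name

# Constructed placeholder markers (assumption: not real malware indicators).
PLACEHOLDER_MARKERS = ["ExampleFamilyA_Installed", "ExampleFamilyB_Running"]

# Handles must stay open for as long as the inoculation should hold.
_held_handles = []


def qualify(name):
    """Put the marker in the Global\\ namespace so it is visible from every
    logon session, unless the report already gives an explicit namespace."""
    if name.startswith(("Global\\", "Local\\")):
        return name
    return "Global\\" + name


def create_mutex(name):
    """Create a named mutex via kernel32 (Windows only). Returns True when the
    mutex was newly created, False when something already holds that name."""
    if sys.platform != "win32":
        raise OSError("named mutexes are a Windows kernel object")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.CreateMutexW.restype = ctypes.c_void_p
    handle = kernel32.CreateMutexW(None, 0, name)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    _held_handles.append(handle)  # keep it alive; closing it removes the marker
    return ctypes.get_last_error() != ERROR_ALREADY_EXISTS


def inoculate(markers, create=create_mutex):
    """Plant each marker. Returns {qualified_name: 'planted' | 'already-present'}.
    `create` is injectable so the orchestration can be exercised off Windows."""
    result = {}
    for marker in markers:
        name = qualify(marker)
        result[name] = "planted" if create(name) else "already-present"
    return result


if __name__ == "__main__":
    for name, state in inoculate(PLACEHOLDER_MARKERS).items():
        print(f"{state:16} {name}")
    print("markers held; leave this process running (Ctrl+C to release)")
    try:
        while True:
            time.sleep(3600)
    except KeyboardInterrupt:
        pass
```

Two practical points: the marker only exists while the process holding the handle is alive, so for real use this would run as a service or scheduled task rather than a console window, and the name must match what the malware checks exactly, namespace and case included, which is why the script takes explicit Global\\ or Local\\ prefixes from the report unchanged.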

How Malware Generates Mutex Names to Evade Detection – SANS-ISC InfoSec Handler’s Diary – Great supplemental post to the above by Lenny Zeltser

See also: Looking at Mutex Objects for Malware Discovery and Indicators of Compromise – SANS Digital Forensics and Incident Response blog – article by Lenny Zeltser

Constant Vigilance!

Claus Valca