Network Link Roundup

And yet another pile of URL web-linkage. This collection focuses on network techniques, tools, and software releases.

Grab a fork and dig in!

• Let me tell you about Wireshark 2.0 - Sniff free or die
• Wireshark 2.0 - Top 10 Filters (by Chris Greer) – LoveMyTool
• Wireshark 2.0 Statistics Endpoint Report (by Tony Fortunato) – LoveMyTool
• Wireshark Use Case: Slow Response Times - Part 2 (by Paul Offord) – LoveMyTool
• Wireshark Use Case: Slow Response Times - Part 3 (by Paul Offord) – LoveMyTool
• How to Detect a Worm with a Network Anayzer (by Nancy Liu) – LoveMyTool
• Announcing Microsoft Message Analyzer 1.4 - Microsoft Message Analyzer
• Selection Tool Window – Microsoft Message Analyzer
• Message Analyzer Videos – Two More - Microsoft Message Analyzer
• YouTube Message Analyzer channel
• Message Analyzer Blog
• Packet Sniffing with PowerShell: Looking at Messages - Hey, Scripting Guy! Blog
• Packet Sniffing with PowerShell: Getting Started - Hey, Scripting Guy! Blog
• Use PowerShell to Parse Network Trace Logs—The Video - Hey, Scripting Guy! Blog
• EMCO Ping Monitor – A sophisticated uptime monitoring tool - 4sysops
• BPF is your Friend - NETRESEC Blog
• NetworkMiner 2.0 Released - NETRESEC Blog
• Detecting Periodic Flows with CapLoader 1.4 - NETRESEC Blog
• Analyzing Web Browsing Activity - NETRESEC Blog
• clumsy 0.2 – utility for simulating broken network for Windows Vista / Windows 7 and above
• Clumsy makes your Windows network conditions worse, on purpose - gHacks Tech News
• NetSpot - free WiFi Site Survey Software for MAC OS X & Windows
• NetSpot 1.0 Wi-Fi analyzer and troubleshooting tool launches on Windows – BetaNews
• Create detailed Wi-Fi Surveys with NetSpot for Windows - gHacks Tech News
• Download NetSpot for Windows – NetSpot
• HeatMapper - Free Wi-Fi coverage mapping software for homes and small offices.
• NetSurveyor - 802.11 Network Discovery Tool
• Xirrus Wi-Fi Inspector
• inSSIDer 3.1.2.1 - Download - FileCroco.com – link to one of the last “free” versions of inSSIDer
• Mostly Wi-Fi and Network Security: Linkfest – GSD blog post
• toolsmith #114: WireEdit and Deep Packet Modification – HolisticInfoSec
• WireEdit - A Full Stack WYSIWYG Packet Editor for Pcap.
• TraceWrangler – Jasper’s awesome tool that can also do sanitization and anonymization of PCAP and PCAPng files
• Sanitized IEEE OUI Data (oui.txt) – linuxnet.ca – when you need a cleaned up version of oui.txt
• What SSL or TLS level are you using? – Soussan DAS Computer Consultants post
• Colasoft – collection of their freeware network utilities.
• HostedNetworkStarter – NirSoft – ad-hoc Wifi Hotspot Creator for Windows 10/8/7
• HostedNetworkStarter: turn your PC into a WiFi Hotspot - gHacks Tech News
• New utility to easily start a wifi hotspot on Windows 10/8/7 – NirBlog
• The Ars guide to building a Linux router from scratch - Ars Technica
• A Bettercap Primer – Daniel Miessler
• Performing network forensics with Dshell. Part 1: Basic usage - InfoSec Handlers Diary Blog
• Tcproute - MoonPoint Support Weblog
• How to identify and prevent programs from phoning home - gHacks Tech News
• Use Fiddler to determine which connections Windows 10 establishes automatically - gHacks Tech News
• Sniffing encrypted traffic – Tinyapps.org
• NetRipper
• Pi-Hole: Standalone Raspberry Pi Ad-blocker – I smell a new Raspberry Pi project coming on!

Cheers.

Claus Valca

TRAINING: Windows Security & Forensics

“New” Microsoft Virtual Academy training course spotted.

• TRAINING: Windows Security & Forensics - Kurt Shintaku's Blog

Topics:

1. Windows Security and Forensics
   Take a look at the current state of the security landscape, Windows Security, and what "computer forensics" are.
2. Windows Memory Attacks and Forensics
   Learn how and why hackers attack a system’s memory, and see how Memory Forensics can help address the problem.
3. Windows Authentication Attacks and Forensics
   See demonstrations of how attackers use credential dependencies to gain elevated access to systems and to perform lateral movement. Plus, learn how to detect and prevent many of these attacks.
4. Windows Forensics
   Explore Digital Forensics, and find out what to do as a first responder to preserve evidence for legal actions.
5. Network Forensics
   Explore network forensics, along with case studies, best practices, and online analysis techniques.
6. Malware Incident Response
   Learn about malware incident response, including identifying, locating, and removing malware.
7. Windows 10 Forensics
   Take a look at Windows 10 forensics, and hear about new security features and innovations that can help forensic experts with their work.

Learn the following through this course:

• Examine how and why hackers attack a system’s memory.
• Identify how attackers use credential dependencies to gain elevated access.
• Review what to do as a first responder to an attack; learn to preserve evidence for legal actions.
• Explore network forensics.
• Learn about innovations of Windows 10 that can help forensic experts do their jobs.
• Learn the basics of computer forensics.
• See how to respond to malware incidents.

This won’t instantly make you a professional forensicator it looks to give sysadmins a well-rounded introduction into key topic and foundational approaches when deciding where to begin – if there isn’t already a formal support structure in your organization for these items.

• Windows Security & Forensics - Microsoft Virtual Academy

Claus Valca

Summer’s On! Super Sysadmin Linkfest

Little Bro and I just wrapped up some Saturn Ion A/C system repairs in the driveway. Got the chill winds blowing in the cabin again. So with that resolved, time looks available for a summer’s on, super sysadmin linkfest dump to cover all the bases.  (And expect another Shade-tree Saturn Ion Mechanic tip post very soon, too.)

CryptoPrevent (Foolish IT) News

I personally use and recommend the awesome CryptoPrevent Malware Prevention utility from Foolish IT.

It is simple to use, hasn’t caused me any issue with the default security level settings, and gives me the comfort of having an additional layer of protection against ransomware threats. The free version works nicely on our home systems.

If you are using CryptoPrevent, this technical post may be useful: CryptoPrevent, ShadowExplorer, and VSSADMIN - Foolish IT.

Foolish IT has been hard at work on a new version and this post shows some of the new features and GUI - CryptoPrevent v8 Teaser.

Alternative remain thirdtier.net’s Cryptolocker Prevention Kit (updated) over at Spiceworks.

Considering the rash of ransomware infections at work lately, I’m surprised the AD and security team hasn’t gotten together to review the settings in the prevention kit noted above.  Just say’n…

Malwarebytes Tips and Updates

• New Malwarebytes Anti-Exploit Version Is Out! - Malwarebytes Unpacked
• Malwarebytes Anti-Exploit – version 1.07 – Malwarebytes
• History of Product Releases, Updates & Fixes – Malwarebytes
• Malwarebytes Anti-Malware Premium configuration guide - gHacks Tech News

How-To’s

• How To Set Up The Hidden Start Menu in Windows 8.1 - Next of Windows
• How to run command prompt commands from desktop shortcuts in Windows - gHacks Tech News
• Zoom Option in RDP 10 and How To Use It - Next of Windows
• Get MS Word To Remove Formatting When Pasting Text From The Browser – AddictiveTips
• How to set a Network to a "Private Network" in Windows 8.1 - Scott Hanselman

In my GSD post (mostly) Fast burn video file to DVD-playable format I ended up using DVDStyler Portable to burn some miscellaneous video files to a DVD. I really wanted to use DVD Flick (see this interesting comment thread and this one too regarding a portable version) but problems and a limited amount of time to solution the issue prevented a real trial. I had also found this Free Video to DVD Converter at DVDVideoSoft .

So it was with interest I spotted this post that looks like it could do the job as well.

• How to burn mkv video files to DVD - gHacks Tech News

The app mentioned was Freemake Video Converter. It is clearly stated in the post and in the comments that the application comes bundled with OpenCandy that may be tricky to decline installation thereof. A comment in the thread recommended running the installer from the command-line with the “/nocandy” switch. I tried that and it seemed to work. When you download the installer off the product web-site it is just a “stub downloaded” which then fetches and retrieves/installs the “full” package. In my case it was:

C:\Users\<PROFILEID>\Downloads\FreeVideoToDVDConverter.exe /nocandy

A follow-up scan with Malwarebytes Anti-malware come back clean (…well except where it found it embedded in the full app download package placed in the TEMP folder) and it always detects OpenCandy in installer packs (based on my personal experiences).

So here is a fourth option worth considering if you need a free utility to burn various video files into a single DVD compilation.

Passwords

• Google splits Sign-in process into two pages - gHacks Tech News
• Time to replace traditional password managers like KeePass, 1Password, LastPass, et.al.? – TinyApps.org

I’m a hard-core user of the free KeePass Password Safe & MiniKeePass (iOS) utility. That said, I have to confess that it is very challenging keeping the core database synced between mine and Lavie’s various iDevices and laptops. Add to the fact that the master password datebase file is a hot target for hacking with all the keys to the kingdom I’m sincerely open to a new model for complex/random password management. And at work KeePass (and all password managers) are not approved software so I have to do a super-kludgy solution with using a Bitlocker volume file.

Master Password – project page.  Thanks to the TinyApps blogger I’m now very intrigued and will likely be seeing if I can incorporate this into my routine. There is lots of documentation available (both on TinyApps’ post and on the project page) and is is all very human-readable. The desktop version is a Java app so there is that “issue” if you are on Windows and have stripped Java from your system, though I guess you could go with jPortable and the jPortable Launcher from portable apps as a compromise. The developer also has a beta version of a Web app that could work.

Encrypting Windows Hard Drives - Schneier on Security

Network Nuggets

• Message Analyzer 1.3 has Released (Build 7540) – MessageAnalyzer Blog
• Download Microsoft Message Analyzer – Official Microsoft Download Center
• Microsoft Message Analyzer Operating Guide – Microsoft TechNet
• Process Tracking with Message Analyzer – MessageAnalyzer Blog
• Memory Usage with Message Analyzer – MessageAnalyzer Blog
• Nmap 6.49BETA1 released - InfoSec Handlers Diary Blog – Nmap project page/downloads
• Turn Your Raspberry Pi into a Network Monitoring Tool – HolisticInfoSec blog

TraceWrangler – Jasper Bongertz’s awesome tool for sanitizing and anonymizing trace files was updated a while back to beta build 0.4.0 build 616 in x32/x64 flavors. ChangeLog. Sadly, I don’t (yet) do the twitter so there doesn’t seem to be an RSS alternative to watching for update releases without stopping by for a visit from time to time. Update! Jasper Bongertz has kindly now updated the project page to include a RSS feed! Awesome and many thanks! See also these recent posts by Jasper:

• Sanitizing IPv6 addresses – Packet-Foo blog (Jasper Bongertz)
• Port Numbers reused – Packet-Foo blog (Jasper Bongertz)
  
• Fiddler - updated to version 4.5.1.2. - ChangeLog
• A first look at Windows Firewall Notifier 2 - gHacks Tech News
• New speed test at DSLReports – TechBlog -

Link to test –> Speed test – DSLReports

Note to get the application to run successfully in Firefox (running NoScript) I had to temporarily do the following:

Adblock, or NOSCRIPT - is blocking access to remote IPs (not scripts).
Set NOSCRIPT>Options>Advanced>Trusted>Cascade top document.

Once testing was done, I disabled that option setting.

New or Interesting Utilities

• Update: AccessChk v6.0, Autoruns v13.4, Process Monitor v3.2, VMMap v3.2 - Sysinternals Site Discussion blog
• New utility that displays the result of WMI queries in a simple table - SimpleWMIView - NirSoft

SimpleWMIView reminded me a bit of WMI Explorer over at CodePlex. Probably would be complimentary apps.

• New utility that shows all tasks from the Task Scheduler of Windows Vista/7/8/10 – TaskSchedulerView - NirSoft
• Tools to Convert Virtual Machine from VMDK to VHD Format - Next of Windows
• Microsoft to open source its popular Live Writer blogging tool [Update: Maybe] - Ars Technica
• Desktops – Sysinternals – This free portable app allows you to spawn up to four virtual desktop sessions under your Windows account. That’s an old feature for most *Nix users and is getting added into Windows 10. But with this single file you can bring it to your Windows desktop OS right now.

SterJo NetStalker – SterJo Software – This is an interesting app. I particularly like that it comes in a portable version. As noted in the gHacks post, it is very similar to (but with some differences) to Nir Sofer’s CurrPorts utility.

• NetStalker checks and notifies you of Internet connections in real-time - gHacks Tech News

At the church-house we run a program called Shelby Systems. It is a client/server based model and though most all of the systems have the client software on it, only one user in particular is constantly having issues connecting to the server unless we shut-down the (Windows) server’s firewall, allow the client communication to establish, then turn on the firewall again. So it looks like the server firewall has some not-yet-located firewall rule in play not set correctly. I’m hoping that this and/or CurrPorts can help us hone in on the specific issue. If I do solve it, I’ll post a troubleshooting guide.

SterJo Software – Products – SterJo offers a number of freeware utilities that may be of use to some sysadmins.

Troubleshooting Tips from the Pros

• How to use Process Monitor and Process Explorer - Scott Hanselman
• The Mysterious Case of the Rogue Roaming Browser History - Removing OneView Internet Login - Scott Hanselman
• Performance Analysis Tool (PAL) PerfMon Templates Don’t Load in Win10 | chentiangemalc
• Hybrid Analysis: analyze Windows files in a browser sandbox - gHacks Tech News
• Access to Ext 2/3/4, HFS and ReiserFS from Windows – DiskInternals freeware product
• Troubleshooting Is A Lost Art (By Casey Mullis) – LoveMyTool blog. Interesting timing as I had only just before found the DiskInternals tool mentioned prior.
• Windows 10 Build Upgrades Break VMWare Workstation Network - chentiangemalc

Windows SysAdmin Tips and Techniques

• Local Administrator Password Solution, at Ignite - Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog
• Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops
• Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory - 4sysops
• Set up clients for Microsoft LAPS (Local Administrator Password Solution) - 4sysops
• How to install the GUI on Windows Server 2016 - 4sysops
• What’s new in Windows Server 2016 Technical Preview 2 - Windows Server Blog
• Microsoft Deployment Toolkit: Automate MDT image capture - 4sysops

Microsoft Trainings and Infographics

• TRAINING: Microsoft Ignite 2015 – On-demand presentations available now! - Kurt Shintaku's Blog
• TRAINING: Microsoft BUILD 2015 – On-demand presentations available now! - Kurt Shintaku's Blog
• DOWNLOAD: Infographic/chart comparing Outlook vs Gmail - Kurt Shintaku's Blog

Kali & Docker

• Kali Linux 2.0 Release Day Scheduled - Kali Linux
• Official Kali Linux Docker Images - Kali Linux
• Publishing an ASP.NET 5 app to Docker on Linux with Visual Studio - Scott Hanselman

McAfee & The Great Stinger “feature update” Debacle

So McAfee’s standalone Stinger AV tool is/has-been/was a great tool to run in an attempt to scan a system for specific threats and attempt to neutralize/remove them.  It is updated often with new definition patterns and has been a long-time tool in the GSD infection response toolkit.

However a while back an uproar occurred when it was found a new version upgrade with enhanced features left a running/persistent McAfee service (the 'McAfee Validation Trust Protection Service' mfevtps.exe) on your system afterward; even when the binary was removed, and with no clear way to remove it.

• McAfee Stinger Removed From App Directory Due to Malware-Like Behavior - PortableApps.com
• McAfee Stinger installs McAfee Validation Trust Protection Service - gHacks Tech News
• Warning the McAfee Stinger (bloatware on board) -  Borns IT and Windows Blog (G-Translated from German)

It seemed that the only way to really “clean” your system from McAfee after you tried to clean your system with McAfee’s Stinger was to follow these steps: How to uninstall or re-install supported McAfee products using the Consumer Products Removal tool

Only what I didn’t see in the aftermath were any notices that McAfee reported the persistent service module everyone was hollering about was due to a bug in the application. It was quickly fixed and now Stinger behaves the way it used to, fully cleaning itself up after run.

PortableApps McAfee Stinger news Comment thread post. From that comment..

John - thanks for reporting this issue.

The McAfee Validation Trust Protection Service is needed for Stinger to perform rootkit scanning of a system. This service is temporarily installed during a Stinger scan and is removed once the rootkit scanning portion is completed.

In a recent update to the Stinger's rootkit scanning engine, an issue was found where it wasn't getting uninstalled in certain conditions. We've fixed that in last week's release. The latest Stinger available for download should not leave behind any components post a scan.

Please let me know if you require any other clarification.

Best,
Vinoo Thomas
Product Manager, McAfee Labs

Possibly interesting (or conversational) but not related to McAfee Stinger debacle - Beware: Free Antivirus Isn’t Really Free Anymore – How-To Geek blog. I may come back to this post in more detail at a future time…

Microsoft Surface / Surface Pro News & Tips

• Setting Up Microsoft Surface Pro with Dual Monitors - Next of Windows
• Running your own app at the click of the Surface Pen button – Rafael Rivera’s blog
• Microsoft releases May 2015 firmware upgrades for Surface Pro 3, Pro 2 – BetaNews
• Microsoft releases June 2015 firmware updates for Surface Pro 3, Surface 3 – BetaNews
• Download Surface software, firmware, and drivers - Official Microsoft Download Center

iOS 9 Peeks & Misc Apple News

I’m really excited to see some dual-tasking coming to the iPad device in iOS 9!

• Apple releases the first iOS 9 public beta - Ars Technica
• First look: iOS 9 public beta is the update the iPad deserves - Ars Technica
• Video: iOS 9 multitasking on the iPad Air 2 - Ars Technica
• Apple Saves Publishing... For Itself - Co.Design

Whew!

--Claus V.

FireCAT 2.0: What’s that hot kitty been up to?

I was reading with interest a recent post Turn Firefox into a Security Information Powerhouse at gHacks Tech News.

Martin Brinkmann did a very good job lining up a collection of Firefox extension that most regular users might indeed find helpful expanding user-security while browsing.

Please read Brinkmann’s full post for his take on the value of each extension and the feature set.

It’s a pretty good roundup and while I might not be too keen to load them all up in a web-browser, more than a few could be useful.

However, it seemed a bit thin to be used with the description “powerhouse” when it comes to security-related Add-on integration with Firefox.

See, this post jogged my memory cells and called me back to a GSD post from 2009 that introduced FireCAT to Mozilla’s browser.

Both of these tools brought be back to the excellent FireCAT 1.5 collection of Firefox add-ons used for security/network/pen-testing and other high-value activity in Firefox. FireCAT is maintained by Security Database Tools Watch.  Check out this FireCAT 1.5 PDF for the full list and if you don’t want to pick-n-choose hop over to the lover-ly Firecat package for Firefox Files on SourceForge.net to get the whole collection at once.  What surprises me is that no-one has yet submitted it as Firefox Add-ons Collection.  Looks like I may need to crank up a “standalone” profile of Firefox called FireCAT, install them all, then upload the collection like I did for my Claus Valca’s Extension List (Home)   What think thee? Useful perhaps?

I did follow that post up with actually building a FireCAT 1.5 "Plus" Edition collection.

So after reading the gHacks post I got digging to see if FireCAT was still around and worthy of delivering a true security “powerhouse” for Firefox.

Turns out it was updated back in 2013.

FireCAT: Firefox Catalog of Auditing exTensions – version 2.0

There are now over 90 different security focused extensions in the list covering areas such as information gathering, proxies, web page/code editors, network utilities, IT-security, and application auditing, Check out the catalog page for the list.

Besides the newer extensions since the previous version, the developers also worked towards melding FireCAT with OWASP Mantra.

Granted, this is a few years old, but could still form a good framework to bring forward for your own personal needs. I don’t (yet) know how many of the extensions are compatible with the newest Firefox build versions.

More:

• Firefox and FireCAT as a Platform for Ethical Hacking - Mozilla Hacks – the Web developer blog
• OWASP Mantra: OWASP Mantra Security Toolkit 0.92 beta – Janus

Given that it’s been another two years since that publishing, I’m betting that FireCAT 2.0 could probably be updated to version 2.5 with even more extensions that have come out since.

BTW…would a Chrome/Chromium based version be called ChromeCAT or Cr(24)CAT? 

A customized portable version of Firefox (or Chrome) coupled with a bevy of FireCAT /CR(24)CAT extensions sounds like an incredible portable network toolkit. Now that is what I could call a browser-based security powerhouse.

I feel a new challenge coming on!

(This is why I struggle to get things done on the weekends around the house…)

Cheers!

--Claus Valca

Network Tools and Tips – Linkfest

Here are a bunch of tools and tips for you network support geeks.

• WirelessConnectionInfo – New NirSoft utility for getting stats on active WiFi connections. More information on Nir Sofer’s blog post.
• Determining network protocols - Packet Foo
• Lizard Stresser Runs on Hacked Home Routers — Krebs on Security
• Hunting For MAC Addresses In a Switched Environment (by Tony Fortunato) – LoveMyTool blog
• Entering Promiscuous Mode on OS X – Daniel Miessler’s blog
• Colasoft Ping Tool 1.2 – tips from Moonpoint Support blog
• Free Visual Traceroute – 4sysops – review of the Visual Traceroute freeware tool from WhatsUpGold
• Announcing Message Analyzer 1.2 – MessageAnalyzer – new build version out. Update now!
• Message Analyzer Glossary – MessageAnalyzer
• WinsockReset - Foolish IT LLC
• Wireshark: Filter Expression Buttons (by Joke Snelders) – LoveMyTool blog
• Record Web Traffic with FiddlerCap for Windows – The WindowsClub blog review
• Recording Web Traffic with FiddlerCap – Telerik. Mini-version of their Fiddler tool.
• FiddlerCap with Firefox – Telerik tip
• Download Fiddler Web Debugging Tool for Free – Telerik – New version release to 4.4.9.9 came out Feb 3rd. Update now!
• Free Portable LAN Network Benchmark Tools for Windows - Next of Windows
• When Is A Lost Packet Not Lost? (by Tony Fortunato) – LoveMyTool blog

Whew!

--Claus Valca

Super-Scale ForSec Linkpost

I think this post is going to have the same number of URLs as Christmas tree ornaments and mantle decorations that I hung and set out this afternoon. That’s to say there are a lot, and I am quite behind when considering the calendar.

I’ve been collecting these for at least two months and there are too many now to continue to put off posting them for reference. I’ve tried to group them somewhat for consistency in theme.

Exploits

• POWELIKS Levels Up With New Autostart Mechanism – TrendLabs Security Intelligence Blog
• YARA Registry Scanner - Didier Stevens Videos – example is with poweliks.
• Operation Pawn Storm: Putting Outlook Web Access Users at Risk – TrendLabs Security Intelligence Blog
• Banking Trojan Targets South Korean Banks; Uses Pinterest as C&C Channel – TrendLabs Security Intelligence Blog – This was interesting as it used information seeded in Pintrest “comments” for command and control.
• Malvertising hits ‘The Times of Israel’ and ‘The Jerusalem Post’, redirects to Nuclear Exploit Kit - Malwarebytes Unpacked
• IRS phone scammers double up their efforts for the holidays - Malwarebytes Unpacked
• Here, Vishy Vishy… - Malwarebytes Unpacked
• Malware Detected by Malwarebytes Anti-Malware 2014-11-16 – MoonPoint Software blog
• Scan of Windows system with Malwarebytes Anti-Malware on 2014-12-07 – MoonPoint Software blog
• Rogue E-Books Could Pose Threat to Amazon Accounts - Malwarebytes Unpacked

Advice and Guidance

• You got the well-paid IT Security job. Now what? – Hexacorn blog
• Do you have a Data Breach Response Plan? – SANS Infosec Community Forums
• How to Track Your Malware Analysis Findings – Sans Digital Forensics and Incident Response blog
• The Human and Process Elements of an Incident Response Plan - Speaking of Security RSA blog
• Scalable Incident Response Strategies - Speaking of Security RSA blog
• Security Done the Right Way: Adaptive Defense - FireEye Blog
• Has your threat feed made you lazy – Handler Diaries
• Why breaches happen under IR teams noses – Hexacorn blog
• The 3 stages of 3ages – Hexacorn blog

AV/AM

• CryptoPrevent v7.3.x - Improved Protections and New Features! - Foolish IT LLC
• CryptoPrevent: Does it work on the NEW Crypto-whatever? - Foolish IT LLC
• Bitdefender Offers CryptoWall Vaccine – Bitdefender Labs
• Bitdefender releases free CryptoWall Immunizer – BetaNews
• Vinsula releases free tool to brute force ZeroLocker decryption keys – Bleeping Computer News
• Microsoft cloud protection - Microsoft Malware Protection Center blog
• Close means close: New adware detection criteria - Microsoft Malware Protection Center blog
• Staying in control of your browser: New detection changes - Microsoft Malware Protection Center blog
• Microsoft antimalware to lock down system settings - ZDNet
• The art of disrespecting AV (and other old-school controls) – Hexacorn blog
• The art of disrespecting AV (and other old-school controls), Part 2 – Hexacorn blog
• Researchers test EMET 5 protections, find them wanting – Help Net Security news

Analysis

• Two Sides to Every Story: Advanced Analytics in Security - Speaking of Security RSA blog
• The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 1 of 2) - Speaking of Security RSA blog
• The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 2 of 2) - Speaking of Security RSA blog
• Registry Analysis with CrowdResponse - Forensic Methods
• RegRipper v2.8 is now on GitHub - Windows Incident Response
• Windows Event Logs - Windows Incident Response
• Tr3Secure Collection Script Updated – Journey Into Incident Response
• Timeline Analysis by Categories – Journey Into Incident Response
• Prefetch File Meet Process Hollowing – Journey Into Incident Response
• CSIRT Request Tracker Installation Guide – Journey Into Incident Response
• File History Research - Part 1 - Random Thoughts of Forensics
• File History, Research - Part 2 - Deconstructing the Catalog. - Random Thoughts of Forensics
• Introducing Filescanner.exe - Didier Stevens
• FileScanner.exe Part 2 - Didier Stevens
• FileScanner.exe Part 3 - Didier Stevens
• FileScanner.exe Part 4 - Didier Stevens
• PDF Tools - Didier Stevens
• PDF Creation – Public Tools - Didier Stevens Videos
• Five Anti-Debugging Tricks That Sometimes Fool Analsysts - Malwarebytes Unpacked
• Beyond good ol’ Run key, Part 18 – Hexacorn blog
• Beyond good ol’ Run key, Part 19 – Hexacorn blog
• 3R updated to cover new RegRipper plug-ins – Hexacorn blog
• Regulex & Visualized regexes – Hexacorn blog
• Decompiling compiled AutoIT scripts (64-bit) – Hexacorn blog

Web Security

• Does an insecure website compromise the security of a payment system in an iframe? - Troy Hunt’s blog
• Watching “Have I been pwned?” Pastebin notifications in action - Troy Hunt’s blog
• “Have I been pwned?” – now with RSS! - Troy Hunt’s blog
• Introducing paste searches and monitoring for “Have I been pwned?” - Troy Hunt’s blog
• LinkedIn Feature Exposes Email Addresses - Krebs on Security
• Website Security - RSS Reveals Malware Injections - Sucuri Blog

Network Bits

• Bitdefender's BOX hardware protects your entire home network, not just your PC – PCWorld – Yes, we have now reached the point where network perimeter defense appliances have reached the home market. I expect this will be just the tip of a new round of such devices.
• Detecting irregular programs and services installed in your network - InfoSec Handlers Diary Blog
• Flushing out the Crypto Rats - Finding "Bad Encryption" on your Network –InfoSec Community Forums
• The Easy-to-Miss Basics of Network Defense - TrendLabs Security Intelligence Blog
• Verifying Chinese MITM of Yahoo - NETRESEC Blog
• toolsmith: HoneyDrive - Honeypots in a Box - HolisticInfoSec

In the Library (mostly whitepapers)

Note: Many of these are PDF links and will open in your web-browser as a PDF…

• (IN)SECURE Magazine issue 44 released – Help Net Security News
• The whitepapaer and .pdf presentation slides for GRR: Find All the Badness, Collect All the Things – Black Hat 2014
• Security Visibility in the Enterprise – SANS Reading Room (PDF link)
• MalwareD: A study on network and host based defenses that prevent malware from accomplishing its goals. – SANS Reading Room (PDF link)
• Forensic Images: For Your Viewing Pleasure – SANS Reading Room (PDF link)
• Home Field Advantage - Using Indicators of Compromise to Hunt down the Advanced Persistent Threat – SANS Reading Room (PDF link)
• A Guide on How to Find Cardholder Data without Automated Tools for PCI Assessors – SANS Reading Room (PDF link)
• Validating Security Configurations and Detecting Backdoors in New Network Devices – SANS Reading Room (PDF link)
• Creating a Threat Profile for Your Organization – SANS Reading Room (PDF link)
• Security Operations Centre (SOC) in a Utility Organization – SANS Reading Room (PDF link)
• Hardening Retail Security – SANS Reading Room (PDF link)
• Breaches Happen: Be Prepared – SANS Reading Room (PDF link)
• Finding the Advanced Persistent Adversary – SANS Reading Room (PDF link)
• Forensicator FATE - From Artisan To Engineer – SANS Reading Room (PDF link)
• Intelligence-Driven Incident Response with YARA – SANS Reading Room (PDF link)
• Security Skills Assessment and Training: The Critical Security Control that can make or break all others – SANS Reading Room (PDF link)
• Evidence Collection From Social Media Sites – SANS Reading Room (PDF link)

Live CD News

• CAINE Live USB/DVD - CAINE Computer Forensics Linux Live Distro
• CAINE 6.0 Dark Matter 64bit released! – CAINE Computer Forensics Linux Live Distro

Whew!

Cheers!

--Claus Valca

Sysadmin Links - QuickPost

Stand back from your browser! Here comes a messy GSD Quickpost with tons of linkage for sysadmins….

New or Useful Software

• Find and optionally rename very long file names and paths - TinyApps blog - tiny tool referenced is Cut Long File Names by ReplSoft.
• Update for RDCMan - Ben Armstrong
• Using RDCMan v2.7 to Connect to a VM - Ben Armstrong

PowerShell

• PowerShell Break All Command - Windows PowerShell Blog
• PowerShell Remote Script Debugging in the ISE - Windows PowerShell Blog
• PowerShell Script to Retrieve Internet Explorer Telemetry Data - Anything about IT
• Windows Management Framework 5.0 Preview November 2014 is now available - Windows PowerShell Blog
• Weekend Scripter: A Graphical Tool to Explore PowerShell Help - Hey, Scripting Guy! Blog

Windows Diagnostic tool “PerfView”

• Download PerfView - Microsoft Download Center - This little gem of a Windows performance collection tool is sweet! I’m really loving the easy of its data collection.
• PerfView Tutorial - Channel 9 - Different video series than the “Defag Tools” listed below, Vance Morrison has some short mini-videos reviewing the tool, its usage, and some example applications. Good stuff!

Additional videos that are longer and more detailed on the tool.

• Defrag Tools #113 - PerfView Part 1 - Defrag Tools on Channel 9
• Defrag Tools #114 - PerfView Part 2 - Defrag Tools on Channel 9
• Defrag Tools #115 - PerfView Part 3 - Defrag Tools on Channel 9
• Defrag Tools #116 - PerfView Part 4 - Defrag Tools on Channel 9
• Defrag Tools #117 - PerfView Part 5 - Defrag Tools on Channel 9
• Defrag Tools #118 - PerfView Part 6 - Defrag Tools on Channel 9

Tips and Tricks

• How To Fix No Wireless Network In Ubuntu 14.04 and 14.10 - It’s F.O.S.S.
• How To Re-Create A Bootable ISO From Extracted Windows Installation Files - Next of Windows
• SystemRescueCD - MoonPoint.com Blog
• DNSQuerySniffer v1.35 - MoonPoint.com Blog
• Measuring the Impact of Folder Redirection - Application Launch & SMB Version - Helge Klein - part five of their Folder Redirection review series. See previously from Helge Klein:
  • Part one: How Folder Redirection Impacts UX & Breaks Applications
  • Part two: Visualizing the Impact of Folder Redirection – Logon and Application Launch
  • Part three: Visualizing the Impact of Folder Redirection – Start Menu Search
  • Part four: Measuring the Impact of Folder Redirection – User Logon

Windows 10

• Windows 10: Build 9879 now available as an ISO file - Caschy’s Blog
• Can Windows 10 Technical Preview be Upgraded to RTM Version? - Next of Windows
• Subscribe to Windows 10? Microsoft Evaluates Alternative Payment Models For Their Products - MakeUseOf blog
• December Update on the Windows Insider Program - Blogging Windows
• Join us to hear about the next chapter of Windows 10 - Blogging Windows
• Will Windows 10 mean the end of malware? - TechRadar
• Windows 10 New Feature: Enhanced Snap for Both Desktop and Modern Apps - Next of Windows
• Latest Windows 10 update shows how rapid releases work in practice - Ars Technica
• What to expect in the next Windows 10 build – BetaNews

Windows/Updating

• Adobe December Patch Tuesday - InfoSec Handlers Diary Blog
• Adobe Pushes Critical Flash Patch - Krebs on Security - November cycle
• Microsoft, Adobe Push Critical Security Fixes — Krebs on Security - December cycle
• Bonus Windows updates fix other Windows updates - ZDNet
• Microsoft update blunders going out of control – ZDNet
• Windows Update KB3004394 triggers error messages – BleepingComputer
• Microsoft withdraws bad Windows 7 update that broke future Windows 7 updates - Ars Technica

Network Nuggets

• Free Best Network Monitor Tool on Windows for Home Network - Next of Windows
• Wireshark 1.12.2 and 1.10.11 Released - Wireshark
• Wireshark 1.12.2 Release Notes - Wireshark
• Wireshark - Download
• Snort 3 a complete rewrite, aims high - ZDNet
• Fiddler free web debugging proxy - Fiddler has released a new update - version 4.4.9.8
• A look at a portable USB3 network TAP - Packet Foo

Cheers!

Claus Valca

New and Improved Utilities

Network Stuff Found and Updated

• Announcing the Message Analyzer 1.1 Release! - MessageAnalyzer Blog
• Message Analyzer Performance - MessageAnalyzer Blog
• Download Microsoft Message Analyzer 1.1 - Microsoft Download Center
• Fiddler - version 4.4.9.4 released
• Fiddler Add Ons - Not sure how I missed these, but here are a number of additional “add-on” packages to extend the features and capabilities of Fiddler.
• httpry - *nix packet sniffer to display and log HTTP traffic. Spotted at One Thing Well
• Top 5 Network Monitoring Tools for Windows 8 / 7 - Well, according to the Windows Club at least.
• Nmap - Now updated to version 6.47. For details see the Nmap Change Log.
• Easily Blocking Application in Windows Firewall with Firewall App Blocker - Next of Windows
• NetSurveyor 802.11 Network Discovery Tool - NUTS ABOUT NETS - There are already more than a few handy free Wi-Fi identification and troubleshooting tools but here is another one I have just found.
• NetWorx - SoftPerfect - free tool to monitor bandwidth, connection speed, and traffic usage. Has installable and portable versions. Nice tool for the network troubleshooting toolbox.

Which brings me back to the pretty cool Windows “firewall” application GlassWire. Previously featured via tinyapps.org, I spotted a new review of it that had some fresh examples of its usefulness; illustrating alert event marking for later examination. In one case, it helped a user discover network activity from malware that had gone undetected.

• Meet GlassWire, The Prettiest Bandwidth & Internet Security Monitor For Your Windows PC - MakeUseOf blog.

Then in those comments there was a reference to the KDE application KNemo - Network Monitor.

Utilities of Usefulness

• AOMEI PE Builder - I’m always keeping one eye open on new WinPE building tools and this seems useful for the non-tech crowd who may not be up to taking on a project from the WinBuilder tool or one of the many specialized building sets at reboot.pro. For someone just getting their feet wet, this might be a good place to get started.
• OPSWAT AppRemover - I keep rediscovering this tool every year or so. It is updated regularly and can aid in the removal of many Supported Applications. Good for a first-pass on a new OEM system.
• GEGeek Tech Toolkit - Considering the work I do finding and maintaining all the tools and utilities on my own USB stick, this seems like a cheat, but if you are lazy, here you go. Related are the NirLauncher package builder and KLS Soft’s WSCC - Windows System Control Center (also update to version 2.3.0.1 as of Sept 2014).
• OpenSaveFilesView - NirSoft - new utility that displays files previously opened with the open/save dialog box. More on NirBlog.  Spotted via this Betanews post.
• FixWin v 2 for Windows 8, Windows 8.1 - The Windows Club - Easy but powerful tool to fix common Windows issues. Use with caution. Similar tool may be (the no longer developed but still available) d7 Free tool from Foolish IT LLC.

Lights, Sound, Action!

• Lightworks - Version 12 released - New in v12. For a quick summary see this BetaNews posting.
• Audacity - Version 2.0.6 released - 2.0.6 Release Notes. For a quick summary see this BetaNews posting.

Cheers,

Claus Valca

Network News Nuggets

Yes. I’m in the process of emptying out my “to blog” hopper.

Bear with me. The next several posts will be positively boring as I get them up for future reference.

NetworkMiner 1.6 Released - NETRESEC Blog; drag and drop support, improved email extraction handling, DNS analysis, live sniffing performance improvements, PCAP-over-IP remote sniffing added to the free version.

PCAP or it didn't happen - NETRESEC Blog

Wireshark 1.12 Officially Released! - Sniff free or die. Wireshark download

Wireshark 2 Preview (by Tony Fortunato) - LoveMyTool blog

Wireshark: A Guide to Color My Packets - PDF whitepaper at SANS Institute Infosec Reading Room

The trouble with multiple capture interfaces - Packet Foo

Security Analytics: having fun with Splunk and a packet capture file (pcap) - PDF whitepaper at SANS Institute Infosec Reading Room

Network Forensics Puzzle Contest 2014 Walkthrough - Network Forensics Puzzle Contest

Data vs. Metadata - F-Secure Weblog : News from the Lab

The Routing Wall of Shame - IEEE Spectrum

Small devices needs a large Firewall - PDF whitepaper at SANS Institute Infosec Reading Room

Snort on home routers - what a great idea -ZDNet

ntop - It has been a while since I worked with took, but as of August 13th, version 1.2 was released. Worth checking into.

Top 5 Network Monitoring Tools for Windows 8 / 7 - The Windows Club - Nice and simple list of some networking monitoring tools you may already be familiar with, or not.

Cheers!

--Claus V.

Playing Nicely Now: Xplico 1.1.0 & Ubuntu 14.04 LTS

OK, in the grand scheme of World Events, getting the latest Xplico release to update/install in the latest Ubuntu LTS release isn’t that critical.

But it does get frustrating when something so easily-difficult turns into being something a case of something so difficultly-easy to solution.

Submitted for your entertainment and education, upgrading both Ubuntu 14.04 LTS and Xplico 1.1.0.

I’ve covered more than a few guides now here at GSD on getting Ubuntu upgraded in my VirtualBox session. Each time it goes a bit more smoothly than the last.

• Ubuntu 12.10 (Quantal Quetzal) Upgrade - grand stream dreams blog (10-2012)
• Ubuntu 13.04 (Raring Ringtail) Upgrade..a bit faster this time - grand stream dreams blog (04-2013)
• Ubuntu 13.10 Upgrade - Lessons Learned & VIDMA utility found - grand stream dreams blog (11-2013)

Likewise, getting Xplico installed the very first time on my own (rather than using it in a pre-bundled virutal machine appliance or LiveCD distro) was quite the effort.

• Self-Installing Xplico in Ubuntu - Virtual Edition - grand stream dreams blog (03-2011)

Fortunately, after contacting the wonderful team at Xplico, they added some super-easy “scripts” to their wiki page to make the process a breeze for Ubuntu builds up though 13.10.

So what could go wrong this time?

Apparently still quite a lot.

First, let’s cover the Ubuntu upgrade using the well-worn GSD process.

Here you go…documented for your entertainment and my education.

1. Find in RSS feeds that my Ubuntu 13.04 Raring Ringtail install has a Ubuntu 14.04 LTS Trusty Tahr update available.
   ●  Ubuntu 14.04 review: Missing the boat on big changes - Ars Technica
   ●  Ubuntu 14.04 "Trusty Tahr" Brings Small Changes, Long-Term Support - Lifehacker
   ●  Ubuntu 14.04 LTS is here -- Linux fans, download it now! - Betanews
   ●  Ubuntu 14.04 review: Trusty Tahr adds finesse and choices to the Ubuntu desktop - Desktop Linux Reviews
   ●  TrustyTahr/ReleaseNotes - Ubuntu Wiki
2. Made sure my Oracle VM VirtualBox platform I run it is is current. Upgrade accordingly first.
3. Excitedly start the in-place upgrade of my VirtualBox Ubuntu build.
4. Play it safe to prevent VirtualBox upgrades messing with Ubuntu by first disabling 3D acceleration in the VM machine settings.
   
   Then install/upgraded to the latest VirtualBox Extension pack within Ubuntu proper. Unlike last time I knew what the correct option clicks to get the Extension pack installer auto-running after I mounted the CD/ISO file.
   1. First, run the installer from the host.
      
   2. Next choose the “Ask what to do” option.
      
   3. Run the auto installer
      
   4. Authenticate and install
      
      ●  How do I install Guest Additions in VirtualBox? - Ask Ubuntu.
      ●  Installing Guest Additions on Ubuntu - VirtualBoxes
5. Once done, I rebooted the system after re-enabling the 3D Acceleration option in the VM settings.
6. From there I continue my previous successes by using Daniel Benny Simanjuntak’s tip in a previous Ubuntu post comments to run the following command from the terminal to start the upgrade process.
        …through terminal one can upgrade as well using the command:
         sudo do-release-upgrade -d
7. For an alternative method found check out this Upgrade Ubuntu 13.10 (Saucy Salamander) to Ubuntu 14.04 (Trusty Tahr) via Tecmint.com post.
8. Let it run for a while…do a few reboots…looks like a Flash package is causing some non-fatal errors…moving on anyway… 
9. When it is all settled down, I log in and kick the tires a bit, and change the desktop to the more dramatic “Sea Fury” image from the pickings offered.
   
10. Looked for and updated any pending applications needing updating. Done.
11. Check “Upgrade to Trusty Tahr” off my to-do list.

So far so good.

Second, let’s cover getting Xplico working again.

So despite some fairly recent updates with Xplico - Open Source Network Forensic Analysis Tool (NFAT) having come out, for my simple purposes, I’ve been running the Xplico 1.0.0 version up to this point in my previous Ubuntu builds.

As previously mentioned, the Xplico development team (specifically the most gracious and patient Gianluca Costa) kindly corresponded with me after I asked some follow-up questions to my Self-Installing Xplico in Ubuntu post. That eventually helped lead in a small way to:

• Xplico 1.0.0 Released - with notice of the new Xplico Repository and
• the fantastically helpful ubuntu page in the Xplico Wiki giving you the following install options from:
  • The Xplico Repository (currently for Ubuntu 11.04 through 13.10)
  • SourceForge for both Ubuntu 12.04 and Ubuntu 11.04 & 11.10)

Knowing that the Xplico team had recently released Xplico 1.1.0 in late December with some nice feature enhancements, I thought it was finally time to do the upgrade.

First, I launched Xplico 1.0.0 from within my Trusty Tahr machine…and it completely and totally failed to work.

Might have something to do with all that “Apache” stuff I noticed going on during the upgrade to 14.04 LTS perhaps?

No problem…I’ll just go back and reinstall the older Xplico 1.0.0 version using any of those handy Xplico “scripts” on the Wiki page.

Fail.

My first attempt was to use the first installation method from the Xplico repository.

That seemed to “mostly” work except it didn’t really work cause embedded in all the Terminal output were these potential issues:

Err http://repo.xplico.org trusty/main i386 Packages                          
  404  Not Found

and

W: Failed to fetch http://repo.xplico.org/dists/trusty/main/binary-i386/Packages  404  Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Yep…not going to work or continue with the build process with those buggers.

OK, lets move on to the SourceForge package source/method.

Snap, same errors…

Well, granted, I may have been rushing things out the door, maybe waiting a few days would help and the repositories could just happen to be off line.

So I came back a few days later (OK, just this morning) and tried again netting the same results.

So, being a somewhat clever and resourceful person, I did what most folks wouldn’t dare think about doing to fix a technical problem in a area (Ubuntu) they don’t know enough about; I fired up the email and asked for help from the most gracious and patient Gianluca Costa.  Funny thing is his email to me back from January 2012 is still sitting in my Inbox, one of about 8 emails I keep there for quick reference or encouragement. I knew there was a reason for that.

Less than 30 minutes later, from across the globe, came a wonderfully helpful response with the following critical bits amongst some other nice content:

If you like to test the 14.04 packages, their links are:
http://projects.xplico.org/xplico_1.1.0-14.04_amd64.deb
http://projects.xplico.org/xplico_1.1.0-14.04_i386.deb

After checking with him first, Gianluca kindly allowed me permission to share that information with you. Please do note these are still a work in progress and some fine-tuning might occur before their “public” release which should happen very soon...but if you are struggling for Xplico 1.1.0 to get working and just can’t wait, there you go.

Probably for a seasoned Ubuntu professional, that would be all the information needed to get Xplico going again…alas…not so much for me; at first.

Here’s how I finally got it going about an hour after getting the package repository links.

Now to be clear and fair, I did need to make some fresh coffee during the process. So it didn’t really take me an hour total! But then again in more honesty, I made the fresh coffee using a K-cup machine Mom and little Bro gifted me for house-sitting…so the coffee making process didn’t take as long as one might think. Seriously…just a few minutes. Cheese-and-crackers! …now that explanation seems to make it look like it did take me closer to an hour…umm maybe I slowed down to savor that rich Italian roast blend I had to honor Gianluca for his reply?

Moving on…

1. In Ubuntu, I opened up Firefox and downloaded the “xplico_1.1.0-14.04_i386.deb” package to my downloads folder.
2. I then right-clicked the package and selected Open With the “GDebi Package Installer” as that seemed as cool a thing to do as either of the options offered.
   
3. It needed some prompts answered, but it ran OK until near the end when I got this:
   
4. That did NOT look promising…but I can follow instructions like a few people can
5. I opened a fresh Terminal window and ran “sudo apt-get install -f”
6. That did a bunch more things. I’ve saved the text output to place with Alvis’s early macaroni art pictures from kindergarten class but here are the highpoints (yes…I’m leaving some things out for brevity…like that matters at this point in the blog post):

   The following packages were automatically installed and are no longer required:
     libquvi-scripts libquvi7
   Use 'apt-get autoremove' to remove them.
   The following extra packages will be installed:
     apache2 libapache2-mod-php5 libpq5 python3-psycopg2
   Suggested packages:
     apache2-doc apache2-suexec-pristine apache2-suexec-custom php-pear
     python-psycopg2-doc
   The following NEW packages will be installed:
     apache2 libapache2-mod-php5 libpq5 python3-psycopg2
   0 upgraded, 4 newly installed, 0 to remove and 10 not upgraded.

   Setting up libpq5 (9.3.4-1) ...
   Setting up python3-psycopg2 (2.4.5-1build5) ...
   Setting up apache2 (2.4.7-1ubuntu4) ...
   * Restarting web server apache2
   
   Setting up libapache2-mod-php5 (5.5.9+dfsg-1ubuntu4) ...
   php5_invoke: Enable module pdo_sqlite for apache2 SAPI
   php5_invoke: Enable module opcache for apache2 SAPI
   php5_invoke: Enable module readline for apache2 SAPI
   php5_invoke: Enable module json for apache2 SAPI
   php5_invoke: Enable module sqlite3 for apache2 SAPI
   php5_invoke: Enable module pdo for apache2 SAPI
   apache2_invoke: Enable module php5
   * Restarting web server apache2
   
   Setting up xplico (1.1.0-14.04) ...
   Installing new version of config file /etc/apache2/sites-available/xplico ...
   Installing new version of config file /etc/init.d/xplico ...
   Module php5 already enabled
   Module rewrite already enabled
   * Starting  Xplico 
7. Done! And those [OK] tags I saw in the process were very comforting.
8. I then relaunched Firefox using a custom profile setting I have configured for Xplico usage and browsed to “http://localhost:9876/users/login”
9. Looking like this may turn out well!
   
10. Logging in and looking at my testing “cases” everything was back to normal again. Sweet!
    
    Note: PCAP file shown above collected from Network Forensics Puzzle Contest site; contest #3.
11. Next I logged in as admin to check out the installation details to confirm Xplico was 1.1.0
    
12. Yep! It’s a little hard to see there but here you go.
    
13. All is well.

Xplico 1.1.0 is now running nicely in my Ubuntu 14.04 LTS virtual machine.

I’m even more wiser for the process thanks to the kindness of the developer.

I’ve got another blog post to add to the (eventual) GSD Xplico mega post that I keep collecting more material for.

All is well in the world!

Cheers!

Claus Valca

 

P.S. More images from the “xplico_1.1.0-14.04_i386.deb” deb package details when it was all said and done for the curious

Notes on Network-y Stuff

Here is a linkpost on network-related topics for the forsec and sysadmin crowds.

• Identifying Malware Traffic with Bro and the Collective Intelligence Framework (CIF) - Open Security Research blog
• Perform A Man In The Middle Attack With Kali Linux & Ettercap - Computer Howto’s - file under what you don’t know and understand can hurt you…so get familiar!
• Search and Carve Packets with CapLoader 1.2 - NETRESEC Blog - New version released in March.
• Carving Network Packets from Memory Dump Files - NETRESEC Blog
• Keyword Search in PCAP files - NETRESEC Blog
• “Network Device Forensics” Talk - Didier Stevens
• Recorded “Network Device Forensics” Talk - Didier Stevens
• LDWin v2.0 Released - What the.....? - New version release of the Network Link Discovery for Windows tool that can be used to track down which switch/port a system is plugged into. Handy in a pinch if your site documentation can’t easily provide the answer to that question and your toner is out of juice.  Download at chall32/LDWin · GitHub
• Death to Intel PROset!! (and my apologies to Netgear) - Foolish IT LLC - I’ve always had good experiences with the Intel PROset network driver packages…but it turns out some caution should be used!

Cheers,

Claus V.