Showing posts with label XP.

Sunday, February 16, 2014

From Bad to Worse…when you don’t want to see the bull’s-eye hit

More news and details out on the Target Breach…and even more POS malware attacks go public…

Recaps:

So new this week:

…and it just continues like wildfire for others…

Some technical details for the curious…

…and with some “perspective” tossed in for dessert.

--Claus Valca

Monday, January 20, 2014

And now…back to regular GSD posting…

ForSec News

Most of these seem to be timely links in light of the recent malware-induced data breaches of late…

Patch Time Again!

Yesterday when flipping channels between a re-broadcast of Downton Abbey and the AFC playoff game (yeah--real contrast right?) Dad called in a panic as his dear wife had been browsing the InterTubes on their Vista system and they got an apparent Microsoft Security Essentials virus detection alert.

Only it didn’t quite look like what they were used to. So I popped on remotely and took a look.

Long story short, it was actually a fake AV alert image embedded in an IE tab page. Clever. Not.

Using Process Explorer I was able to confirm it was only a “click here to clean” IE browser session, not an actual fake-AV malware binary, causing the display. So a few targeted process kills later all was gone.

We did a trial to show again how the real MSSE client they have running on their system presents a legitimate detection alert.

This is a pretty common event now for them and their system. The vector seems to be that she opens up IE (the latest IE version offered for MS Vista is 9, which they have). Her home page is Yahoo.com. So she just types in what she is looking for in the “handy” Yahoo search bar on that page and flows down the Internet River, often getting amazing numbers of multi-page ad/scam loads in new browser tab sessions. Yahoo seems to be the wild west of this type of ad/page hijacking. Anyway…

We set up Google Chrome for her to use and demoted IE as much as we could from the desktop/quick-launch in hopes that Chrome might provide a bit more protection. I ran out of time before having to head to the church-house for service support and didn’t get a chance to load it up with some additional ad-block protections, but that is on the to-do list.

Anyway, before I bailed I also brought up their Java (needed unfortunately), Flash, Shockwave, Air versions to current status.

Fingers crossed this will hold the dam back a bit longer until little brother and I can convince Dad it is time for an OS upgrade from Vista to Win7/8.

So with that background in mind…go get your patches!

XP support under Microsoft Security Essentials Extended (kinda)

Microsoft has come out with clarification that their Microsoft Security Essentials product will no longer be offered for download to XP OS system users after April 2014. However, MS will continue to offer definition (DAT file) downloads/updates for already installed MSSE clients on XP through April 2015.

Small consolation, but really, other than looking for AV support of XP from other security software vendors, it really is time to upgrade to Windows 7 (or Win 8 I suppose).

Sysadmin Links

Defrag Tools over at Channel 9 has posted “Part 3” of their Message Analyzer video set:

TRAINING: “Windows Performance Jump Start” – Jan 23rd, Online - Kurt Shintaku's Blog

Bitrot and atomic COWs: Inside “next-gen” filesystems - Ars Technica

How to nuke your encrypted Kali install - Kali Linux

New Utilities of Note

PCI-Z - freeware - Detect unknown PCI devices. Spotted via this Identify unknown PC hardware with PCI-Z post over at BetaNews.

Recuva - freeware - version update to 1.50. - This file recovery software has some major feature updates added.

Piriform News - Recuva v1.50

Change log:

  • Added ISO 9660 file system support
  • Added recovery from unmounted drives
  • Improved duplicated file name recovery
  • Added Junction Point recovery support
  • Improved optical drive detection and recovery
  • Improved scan statistics accuracy

Bit more detail on what some of those features mean over at this Betanews post: Recuva now recovers data from unmounted drives, ISO-formatted optical discs

Cheers!

Claus V.

POS attack - a bit more now known

Just about the same time our replacement bank-cards are rolling in, better details on the Target consumer data breach also are trickling out.

I’m mostly posting this for friends and family, who like us, have been fairly regular customers of this merchant and were hit hard by the breach.

Naturally we are invested in understanding just what happened and what (if anything) we as consumers (and IT sysadmins) can learn from it.

Tech and security journalist Brian Krebs has the most details, and there is little doubt more will be coming as the investigation and forensic response continues to mature.

Super-basically summarizing the reported information to date, the attackers appear to have breached Target’s perimeter defenses and compromised a company web server. From there they installed (pushed?) malware onto the store POS terminals (all? some?) the cashiers use (as opposed to skimmers on the card-swipe hardware). It captured the raw card data read off the magnetic stripe swiped on the terminal while that data was in the POS terminal’s memory, and then used a control server inside Target’s network to accumulate all the scraped card data. From there, about six days later, the stolen data was transmitted out to an external FTP server using another infected system inside Target’s network. The data was then grabbed and removed off the FTP server over a two-week period.

So this is quite a bit more complex and sophisticated than hacking into a company network and finding a big pile of customer account information just sitting around for the taking in a company-created database file-set, grabbing it, and running for the hills.

It appears from Mr. Krebs’ articles that the Target POS systems were using custom software on top of Windows XP Embedded and Windows Embedded for POS. How the malware interacted with the OS and how the OS was protected by security software (AV/AM/heuristic) protection is also not known.

What is reported is that the malware used wasn’t flagged (at the time, and at least through January 16th) by any of the 40+ AV tools listed on virustotal.com. And someone uploaded a copy of the POS malware used in the attack to ThreatExpert.com on Dec. 18th.

Side-note…I’ve not seen it reported but wonder if any of the other online automated malware analysis sandbox services (short GSD list from 2012 Malware Analysis Resources) also got a copy uploaded for the record to them?

Attacks like this may be much more common moving forward.

You can hardly go shopping or eat out in a restaurant, or pull cash from an ATM, or visit the doctor who is carrying a specialized tablet and not see a POS terminal doing the job. And just because the GUI doesn’t look like Windows doesn’t mean that there isn’t the possibility that Windows (or another OS) is actually running underneath.

Microsoft will continue to support Windows Embedded XP for a number more years, even though their primary consumer/enterprise XP OS platform support will be ending in Spring of 2014. That means merchants get some more time to decide to keep on running as is, look to upgrade their POS systems to a newer “modern” version of Windows Embedded, or look to a different POS OS solution entirely.

Either choice may be costly…and to be fair to the POS OS…we don’t yet know how the POS’s themselves were compromised. It might have been nothing to do with any vulnerabilities in the Windows Embedded OS itself. Clearly if the internal network structure is compromised and actors are able to push a software installation or “update” to the POS systems, then that might not be an OS issue at all but rather an operational security one.

It seems more likely that a good portion of the defense-in-depth layers were breached. The more important questions would be how it was possible, how the breakdown/breach at each of those separate stages could have been detected sooner, and how the activity generated could have been identified and flagged: on the server(s), on the POS systems, and finally in the network traffic, inbound, outbound and internal.
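Those detection questions are the kind a sysadmin would want to turn into actual checks. Here is an added example (my own PowerShell, not anything from the post or from the breach reporting) that runs three such checks over constructed connection records: a group of POS terminals all pushing data to one internal host, an internal host opening FTP to an outside address, and unusually large single transfers. The field layout, subnets, addresses and thresholds are all assumptions made up for the demo; swap `$sampleLog` for a real flow or firewall export with the same columns.

```powershell
# Added example (not from the post): defender-side checks over connection records,
# looking for the shape of the activity the Target write-ups describe.
# Field layout, subnets and addresses below are constructed for this demo.
$sampleLog = @'
time,src,dst,dport,bytes
2013-12-02T10:01:00,10.20.1.11,10.50.0.7,445,12800
2013-12-02T10:02:00,10.20.1.12,10.50.0.7,445,11900
2013-12-02T10:03:00,10.20.1.13,10.50.0.7,445,13100
2013-12-02T10:04:00,10.20.1.14,10.50.0.7,445,12200
2013-12-02T10:05:00,10.20.1.15,10.50.0.7,445,12700
2013-12-02T10:06:00,10.20.1.11,10.10.0.3,80,2100
2013-12-02T11:00:00,10.50.0.7,10.10.0.9,445,64000000
2013-12-08T03:15:00,10.10.0.9,203.0.113.45,21,61000000
2013-12-08T03:20:00,10.10.0.5,10.10.0.22,3389,5000
'@

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges only; enough for the constructed data above
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Find-PosExfilIndicators {
    param(
        [string]$LogText,
        [string]$PosPrefix = '10.20.',   # assumed POS terminal subnet
        [int]$MinPosClients = 4,         # POS hosts feeding one internal host before it looks like a collector
        [long]$LargeTransferBytes = 10MB
    )
    $records  = $LogText | ConvertFrom-Csv
    $findings = @()

    # 1. Internal collector: one non-POS internal host that many POS terminals push data to.
    $fromPos = $records | Where-Object {
        $_.src.StartsWith($PosPrefix) -and (Test-PrivateAddress $_.dst) -and -not $_.dst.StartsWith($PosPrefix)
    }
    foreach ($group in ($fromPos | Group-Object dst)) {
        $clients = @($group.Group | Select-Object -ExpandProperty src -Unique).Count
        if ($clients -ge $MinPosClients) {
            $findings += [pscustomobject]@{ Rule = 'pos-collector'; Host = $group.Name; Detail = "$clients POS hosts sent data here" }
        }
    }

    # 2. Outbound FTP: an internal host opening port 21 to an address outside the private ranges.
    foreach ($r in ($records | Where-Object { $_.dport -eq '21' -and (Test-PrivateAddress $_.src) -and -not (Test-PrivateAddress $_.dst) })) {
        $findings += [pscustomobject]@{ Rule = 'external-ftp'; Host = $r.src; Detail = "to $($r.dst), $($r.bytes) bytes at $($r.time)" }
    }

    # 3. Volume: any single transfer large enough to be staged card data moving around.
    foreach ($r in ($records | Where-Object { [long]$_.bytes -ge $LargeTransferBytes })) {
        $findings += [pscustomobject]@{ Rule = 'large-transfer'; Host = $r.src; Detail = "$($r.bytes) bytes to $($r.dst) port $($r.dport)" }
    }
    return $findings
}

Find-PosExfilIndicators -LogText $sampleLog | Format-Table -AutoSize
```

On the constructed data this flags 10.50.0.7 as the collector (five POS hosts feed it), 10.10.0.9 for the FTP session to 203.0.113.45, and both of those hosts for the large transfers. The point is less the thresholds, which you would tune per environment, than that each stage of the chain leaves a different signal in a different place, which is exactly the layered detection question raised above.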

I’m sure there will be lots of great (hard) lessons to be learned across the board on this one.

More linkage:

Stay tuned for updates.

Claus V.

Saturday, January 11, 2014

Sysadmin Linkfest Grab-Bag Collection

Over the past several months I’ve collected the following interesting links, articles, blog-posts, and utility notices that caught my fancy.

I’m pretty confident you will be able to find at least one link here to entertain yourself with.

ComputerZen Ultimate Utility List 2014 Edition

Scott Hanselman's 2014 Ultimate Developer and Power Users Tool List for Windows - Scott Hanselman - I found more than a few power-tools listed here that I use and several new ones I made the note to explore further. Many of the tools here are developer specific but that doesn’t mean the average sysadmin cannot locate something they could use.

Utility Rundown

Updates: Coreinfo v3.21, Disk2vhd v2.0, LiveKd v5.31 - Sysinternals Site Discussion

Using Autoruns to validate system drivers - Clint Huffman's Windows Troubleshooting in the Field Blog

RawCopy - reboot.pro - NTFS file copier that reads the disk at a low level and parses the $MFT, so it can copy files even when they are locked. Spotted via this BetaNews post: RawCopy lets you copy any NTFS file -- even if it’s locked

Of course that “RawCopy” shouldn’t be confused with these other (also great) file copiers:

USB Related

USB Image Tool 1.64 released. See the USB Image Tool main page for one of the best USB device imaging apps I’ve ever used.

Having trouble making files contiguous on a USB drive? - RMPrepUSB, Easy2Boot and USB booting.  Great tip on using Defraggler to make specific files contiguous on your USB drive.

Sysadmin Tips and Talk

How to Copy Recovery Drive to an External Drive in Windows 8.1 - Next of Windows

Adobe credentials and the serious insecurity of password hints - Troy Hunt’s blog

How to Get a Windows XP Mode Virtual Machine on Windows 8.1 - Lenny Zeltser - very clever!

Remotely query user profile information with PowerShell - 4sysops

WinSxS Folder Cleanup – Regain disk space in Windows 7 - 4sysops

Remoting Week: Non-Domain Remoting - Hey, Scripting Guy! Blog

Case Of The Missing Ini Files – A WinDbg Reconstruction - chentiangemalc - Brilliant explanation on how with tremendous patience and WinDbg, some missing INI files were re-created for customer program operation.

Video: Checking the Digital Signature of Windows Executables - Didier Stevens

Virtual Machines

Releasing IE11 virtual machines to modern.IE - Windows blog

IE11 Virtual Machines Now Available on modern.IE - IEBlog

Basically, IE 11 for Windows 7 and IE 11 on Windows 8.1 virtual machines have now been released by Microsoft. Go get ‘em!

Oracle VM VirtualBox - Version 4.3.6 was released a while back. See the Changelog for details.

Project Management Software

I hesitated dropping these links here rather than giving them their own post. But here they will sit.

Project Management Tips and Software - my original post from back in 2007. Been a while…

Express Project - free project planning software. I think this is what got my re-hunt for project management software restarted. Screenshots

GanttProject - free desktop project management tool

Bridging the Gantt - PDF Link - SANS Institute Reading Room paper. Nice intro to the Gantt tool.

OpenProj - Project Management - Free project management program.

Open Workbench - another free project management program.

TaskJuggler - free project tool.

dotproject - Open Source project and task management software

ΤΙΜΙΟΣ Gantt Chart Designer - almost as simple as you can get.

Manual Gantt Charting in Excel - David Seah

Miscellaneous Software Finds

NimbleText - a fine little freeware (for now) tool

PhotoFilmStrip - Ken-Burns Slideshows in Full-HD - just updated to version 2.0 in late November 2013. I love this tool and it really makes doing videos of static digital picture files much more interesting for presentations.

LibreCAD, 2D-CAD - version 2.0 was recently released.  MS Visio does all my heavy lifting, but I’ve seen some CAD masters do amazing floor plans with their CAD app that can run circles around my Visio work. So this seems like a great place to get your feet wet in CAD software at a great price point - Free! See also the large list of YouTube video tutorials: librecad - YouTube. For those who want to really try with no commitment, check out LibreCAD Portable 2.0.0 (2D computer-aided design (CAD) tool) over at PortableApps.com

Ultimate Windows Tweaker 3.0 for Windows 8 - I’ve not done much tweaking to Lavie’s Windows 8 system. We did add a start-button replacement utility and make some minor tweaks but that was pretty much it. That said, this would be a great tool for doing some more advanced tweaks to Windows 8.

Projects - Bitdefender Labs - Bitdefender has a number of free security-focused tools here for the interested.

Cheers,

Claus V.

Saturday, September 14, 2013

What an MS Update Cycle This Month + others as well


Is it just me? Or has this been a super-challenging MS Update cycle this time ‘round?

At home on our Windows 7/8 systems I must have gone through the scan for updates, install updates, reboot, re-scan for updates, install more updates, reboot, re-scan for updates, install the final round of updates loop a few more times than I can previously recall.

Lots and lots of updates (though that may be partially my fault for leaving Office 2007 on when I installed Office 2010). I do that for troubleshooting support as not all my peeps are on the same version of Office that I would like to be on.

And at work on our XP systems, for some reason we got bit with the MS bug where we successfully install KB2760411 and KB2760588 but after reboot, Windows Update says they still need to be installed! Wow.

Here is more linkage than you need regarding Microsoft and third-party app updating this month.

First Up: Microsoft Patching Information

Microsoft fixes bad patch detection - ZDNet Zero Day blog

Why all the errors in Microsoft updates lately? - ZDNet Zero Day blog

Update for Outlook 2013 breaks folder pane - ZDNet Zero Day blog

Microsoft botches still more patches in latest Automatic Update - Microsoft windows - InfoWorld

Outlook 2013 Folder Pane Disappears After Installing September 2013 Public Update - Office Sustained Engineering - TechNet Blogs

I’ve actually been holding off running my monthly WSUS Offline Update build until word comes out that these have been resolved.

Microsoft Patch Tuesday, September 2013 - SpiderLabs Anterior - Amusing and helpful patch summary

Lovely tokens and the September 2013 security updates - MSRC blog - details with pretty graphs

Assessing risk for the September 2013 security update - Security Research & Defense blog

Microsoft September 2013 Black Tuesday Overview - ISC Diary post

Next in Line: Adobe (Flash, Shockwave, Air)

Adobe September 2013 Black Tuesday Overview - ISC Diary post

Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader - ZDNet Zero Day blog

Adobe, Microsoft Push Critical Security Fixes - Krebs on Security

Chrome Releases: Flash Player Update - Chrome Releases blog

On the Tail End: Oracle’s Java

It's about time: Java update includes tool for blocking drive-by exploits - The Register

Oracle Updates Java - Threatpost

Oracle finally adds whitelisting capabilities to Java - Computerworld

Security of Java takes a dangerous turn for the worse, experts say - Ars Technica

New features aim to shore up Java’s flagging security - Ars Technica

Go Get ‘Em Cowboy!

Hopefully your system is already set to download and process your Microsoft Updates. If not, stop, drop, and roll and get them on now manually if you must.

Adobe Flash may or may not auto-update, depending on your installation and settings. I've not seen Air or Shockwave self-update ever.

Java might offer the update to you…or not.

If in doubt, you should be able to find direct downloads here.

Finally, if you have any doubt at all regarding your update level for these particular applications try one of these options; or even better, run both.

They are really nice and pretty and are often overlooked…like the proverbial girl next door.

However they will hold your hand just as warmly and the kisses are just as sweet!

Stay patched, my friends.

Cheers!

--Claus Valca

Sunday, August 11, 2013

Some Notes for a Certain Project

Just some scratch notes for a special project I am working on.

Nothing of interest for most other folks.

Remote Desktop and Automatic Login - Microsoft Visual Studio Forum

try using this
   mstsc /admin /v:ComputerName

or this
   mstsc /console /v:ComputerName

Be sure to “Log Off” rather than click the “X” to leave the session running if you aren’t coming back. Kinda like your mom telling you to shut the door behind you on the way out of the house when you were a kid. Heard it all the time…

Generally it seems you cannot use Microsoft’s Remote Desktop Connection service to establish an interactive remote control session with the logged in/active user’s desktop (session 0 ?)  unless you do it with the appropriate above arguments. However doing so may make a mess of things depending on how you exit…at least this appears to be my current understanding.

Just because you can doesn’t mean you should, and if you don’t log off properly…like I said you can make a mess for others coming behind you. If you find just such a mess, these tips might help clean things up.

In the end, RDC/RDP might be great or it might be messy.
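Cleaning up after someone who closed the window instead of logging off usually starts with finding the sessions left in the “Disc” state. As an added example (my own PowerShell, not something from the post or the forum thread), here is a helper that parses qwinsta output from a remote host, lists the sessions, and logs off the disconnected ones with -WhatIf support so you can preview first. The sample qwinsta output at the bottom is constructed so the parser can be exercised without touching a live host; the function names and the assumption that user names don’t start with a digit are mine.

```powershell
# Added example (not from the post): list sessions on a host via qwinsta and log off
# the ones left in "Disc" state. Sample output below is constructed for the demo.
function ConvertFrom-QwinstaOutput {
    param([string[]]$Lines, [string]$ComputerName = $env:COMPUTERNAME)
    # SESSIONNAME is blank for disconnected sessions, so it is cut by column position
    # taken from the header; USERNAME / ID / STATE are whitespace-separated after that.
    $userIdx = $Lines[0].IndexOf('USERNAME')
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if (-not $line.Trim()) { continue }
        $line = $line.PadRight($userIdx + 1)
        $rest = $line.Substring($userIdx)
        # assumption: a user name does not start with a digit, so the right-aligned ID
        # cannot be mistaken for a name on rows where USERNAME is empty
        if ($rest -notmatch '^\s*(?<User>[^\s\d]\S*)?\s+(?<Id>\d+)\s+(?<State>\w+)') { continue }
        [pscustomobject]@{
            Computer = $ComputerName
            Session  = $line.Substring(0, $userIdx).Trim().TrimStart('>')
            User     = $Matches['User']
            Id       = [int]$Matches['Id']
            State    = $Matches['State']
        }
    }
}

function Get-RdpSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $raw = qwinsta /server:$ComputerName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "qwinsta failed for ${ComputerName}: $raw" }
    ConvertFrom-QwinstaOutput -Lines $raw -ComputerName $ComputerName
}

function Clear-DisconnectedSession {
    # Logs off every disconnected session that still has a user attached; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-RdpSession -ComputerName $ComputerName |
        Where-Object { $_.State -eq 'Disc' -and $_.User } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.User), session $($_.Id) on $ComputerName", 'logoff')) {
                logoff $_.Id /server:$ComputerName
            }
        }
}

# Constructed qwinsta output, to show the parser without touching a live host:
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           claus                     1  Active
                   helpdesk                  2  Disc
 rdp-tcp#0         admin                     3  Active  rdpwd
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"
ConvertFrom-QwinstaOutput -Lines $sample -ComputerName LAB01 | Format-Table -AutoSize

# Against a real host: preview first, then run it for real.
# Clear-DisconnectedSession -ComputerName SERVER01 -WhatIf
# Clear-DisconnectedSession -ComputerName SERVER01
```

On the constructed output only the “helpdesk” session (ID 2) would be logged off: the “services” row is also Disc but has no user, and the listener row has no state worth acting on. Logging off a disconnected session discards whatever the person left open, so the -WhatIf pass is worth the extra few seconds.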

If you are fortunate to be able to run UltraVNC services on some of your systems, you have some more options…especially if you are making a “headless” server box on a desktop OS platform. I’m personally more of a TightVNC guy myself but hey, close enough.

One of the problems might be that you want it to be a secure (AD/Domain) authenticated connection, but you don’t want someone to have to click “Allow/Disallow” on the headless system to approve that connection.

Fortunately there are options!

And then…

User Redge wrote:

configure and set MS Logon I or II required only at VNC server.
a) following the doc...
http://www.uvnc.com/features/authentication.html
b) no if the UltraVNC setup was followed and exactly.
http://www.uvnc.com/install/installation.html
c) MS Logon I = Require MS Logon
http://www.uvnc.com/features/authentica ... l#mslogon1
d) MS Logon II = New MS Logon
http://www.uvnc.com/features/authentica ... l#mslogon2
Should set and required only at vnc server.
Important:
do not set vnc server as New MS Logon II on XP Home, won't work at all.

MSLogon can work, require turn OFF simple file sharing
windows XP

Open an Explorer window>Tools>Folder Options>View>The bottom check box

Headless systems are a pain…even if a modern BIOS can support booting without keyboard/mouse attached, and even if you can admin-pw lock the BIOS settings to prevent the USB ports from being active and used. Your system still may not boot if the NTLDR doesn’t see a proper video driver.

Headless System (Windows Embedded Standard 2009)  - Microsoft Developer Network post

In Windows Embedded Standard 2009 the support for headless devices starts with the availability of null-drivers for the standard MMI devices. Of course, the BIOS needs to support this kind of configuration, as well, but this should not be a problem on recent systems. The generic keyboard and mouse drivers in Standard are still present as well, when no hardware is connected, but the null driver for the VGA adapter needs to be added to the configuration. This requires the following components:

VGA Save could be left out, if there really is no VGA compatible chip on the board. This will create a dependency error, which in this case can be disregarded. Nevertheless, the benefit of having VGA Save in the image is that any time a graphics adapter card is plugged into the system VGA Save gets loaded instead of the Headless VGA driver. This enables screen output e.g. for field personnel troubleshooting the device. The VGA Boot Driver is required by NTLDR at boot time.

One last element,

The BIOS should be configured to “re-spawn” like a good digital soldier in the event that the power is lost (even a UPS dies if power is off too long) or if someone hits the Power-off button perchance.

Likewise, if the Windows system is NOT on an AD Domain and logs into a local workstation/workgroup account profile, then you lock it down pretty well (to the bare minimum needed to function) and enable auto-login to that profile: Tip: Auto-Login Your Windows 7 User Account | Cool Stuff | Channel 9. Pretty easy stuff for the auto-login.

The challenge comes up if you want to add it to the AD Domain and use a domain-based account for security/auditing purposes.

There are a number of ways to do this, each with their nuances. Some work better than others. Some are more secure than others. Consider the risk carefully before choosing grasshopper!

[SOLVED] Windows 7 - Auto Logon With Domain Computer - Mockbox.net post.  Easy enough with this registry-based solution BUT the user account and password are stored in the registry in clear-text.  You can roll your own .REG files for deployment with this method. However this could be a big security risk!

WindowsAutoLogin - freeware - IntelliAdmin. One nice feature of this application is that you can also control the number of times it allows an auto-login to occur and then after that “X” number of logins specified, it becomes disabled. That could be handy for some unattended (but brief) service events that require multiple reboots.

Autologon - Microsoft Sysinternals - Much better and easy enough to use. Per this post Safely setting autologon for Windows from the “Confessions of a Microsoft Consultant” TechNet Blog, we learn that Autologon saves the account/password string in the registry as an LSA secret. That’s better than storing it in the Registry in plain text, but it still is “easy enough” to penetrate and capture:

Autologon - commercial product from LogonExpert. I haven’t tried this product, but it says it stores the logon information encrypted with AES-256, interacting directly with the WinLogon service to ensure nothing can grab the data. It has some really, really neat features. The author has an overview of Free Solutions like what I have outlined above, as well as a Learn More page about the product. There is an active download link on the page but I’m not sure if it is a limited-trial version or what. This may be a product that can provide both the “setup” features to enable AD-based auto-login and the security needed for implementation. I’m really intrigued by this particular product.
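Whichever of the above you end up with, it is worth being able to tell afterwards which situation a given box is in. As an added example (my own PowerShell, not from the post or from any of the products above), here is an audit of the Winlogon auto-logon values on the local machine that reports whether auto-logon is on, whether the password sits in the registry in clear text or is held elsewhere (an LSA secret, as Sysinternals Autologon does), and how many countdown logons remain, plus a helper to remove a clear-text password. The value names are the standard Winlogon ones; the risk wording and function names are mine.

```powershell
# Added example (not from the post): audit this machine's Winlogon auto-logon settings.
# Value names are the standard Winlogon ones; the risk ratings are my own.
function Get-AutoLogonRisk {
    param(
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $w = Get-ItemProperty -Path $WinlogonPath -ErrorAction Stop
    $enabled = ('1' -eq "$($w.AutoAdminLogon)")
    # A DefaultPassword registry value means clear text, readable by any local user
    # (the key grants Users read access). Sysinternals Autologon leaves this value
    # absent and keeps the password as an LSA secret instead.
    $plainText = -not [string]::IsNullOrEmpty($w.DefaultPassword)
    if (-not $enabled)  { $risk = 'none: auto-logon is off' }
    elseif ($plainText) { $risk = 'high: password sits in the registry in clear text' }
    else                { $risk = 'medium: password held as an LSA secret; still recoverable by an administrator' }

    [pscustomobject]@{
        AutoLogonEnabled   = $enabled
        Account            = "$($w.DefaultDomainName)\$($w.DefaultUserName)"
        PasswordInRegistry = $plainText
        RemainingLogons    = $w.AutoLogonCount   # only present when a countdown was configured
        Risk               = $risk
    }
}

function Disable-ClearTextAutoLogon {
    # Removes the clear-text password value and switches auto-logon off; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    if ($PSCmdlet.ShouldProcess($WinlogonPath, 'remove DefaultPassword and set AutoAdminLogon=0')) {
        Remove-ItemProperty -Path $WinlogonPath -Name DefaultPassword -ErrorAction SilentlyContinue
        Set-ItemProperty    -Path $WinlogonPath -Name AutoAdminLogon  -Value '0'
    }
}

Get-AutoLogonRisk | Format-List
# Disable-ClearTextAutoLogon -WhatIf
```

Run the audit from an elevated prompt so the Winlogon key is fully readable; the remediation needs elevation to write. Note what the “medium” result does and does not mean: the LSA secret keeps the password out of a casual registry export, but, as the TechNet post above says, an administrator on the box can still pull it out, so the auto-logon account should be a low-privilege one regardless of how the password is stored.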

Use this information wisely!

--Claus Valca

Sunday, July 28, 2013

Personal Whole Disk Encryption

So about two or three weeks ago I decided to bite the bullet and install a whole-disk-encryption solution to my personal laptop.

We use whole disk encryption (WDE) at work on all our systems for security and data-loss prevention so the whole concept is well covered here and I’ve done a number of posts on PGP WDE in particular, when combined with WinPE solutions.

But PGP is a commercial solution, and like some other commercial WDE products, is pretty costly and not a practical solution for most home users.

The whole concept of whole disk encryption is that even if someone physically steals your computer/laptop/portable-drive, they cannot access the data in a readable format without the use of an encryption key. In many ways, I think this is one of the very last bastions of standard computing security practice that hasn’t made it down to the average consumer level…and sadly…many companies and small businesses.  I always shudder when I see computers in small mom-and-pop businesses sitting out in the open near windows and wonder if their customer data is really safe at rest on them.

Anyway, it was time to lock-down the Valca laptops.

There were a small number of free/$$ consumer products out there for whole disk encryption I could have gone with. The two major factors I was particularly concerned with were 1) would system/disk performance be negatively impacted and 2) would recovery options to off-line mount the encrypted disk be available for me to use under a WinPE platform?

Advances in standard desktop hardware performance have pretty much made the first a non-issue, and I have been using the portable version of TrueCrypt off USB drives and in WinPE for quite a while, which covered the second.

In the end I went with TrueCrypt and haven’t been disappointed.

The whole process is very easy to go through and I’ve seen absolutely no performance issues. In fact, I did all my recent HD video editing exercise with nary a performance blip shortly after my system was running the TrueCrypt whole disk encryption.

You might want to consider some of the points that Michael Pietroforte raised last week over at 4SysOps

  • Is TrueCrypt trustworthy? - 4sysops. I think he does make some valid points, but regardless, my primary concern is data loss prevention from robbery/burglary/my-own-stupidity and not from possible back-door exploits from shadowy government data-collection operations run against the citizenry. Anyway, I thought Michael provided a great and often unconsidered perspective.

Alternative whole disk encryption solutions worth considering for home users

CE-Infosys - Free CompuSec PC Security Suite - I first stumbled across this German-based software solution back when I was seeing how WDE might protect against KON-BOOT. It is completely free for both personal and professional use.

DiskCryptor - Open Source disk partition encryption program. I am not as familiar with this program but it has been kicking around now for a very long time. In addition it also supports Windows LiveCD integration.

Microsoft BitLocker/TPM - Note you need to be running Windows 7 Enterprise or Ultimate (or other Vista/Win 8 supported editions). Windows 7/8 Home editions don’t support it. A system board with TPM chip is not required, but recommended.

For commercial products, this article may be helpful:

Buyer's Guide to Full Disk Encryption - eSecurity Planet

Cheers and stay secure,

Claus Valca

Sunday, July 14, 2013

File under “That’s one way to do it.”

A KACE solution is used to produce a multi-platform image of our systems.

I’m not exactly sure how they make the master editions. The Home Office works behind closed doors once every few months when the moon cannot be seen at midnight. I guess it’s an “eye of newt, toe of toad” thing.

Anyway, we get the master USB stick, deploy it with much chanting and spinning to a local system, then pass some Latin command-line FU to the all-powerful “Run” box. About 3-4 hours later a completely built KACE system (re)imaging stick spawn results. Then we have to repeat to build the next storm trooper clone.

It’s a time consuming process, and since I don’t have a physical multi-USB drive replication device, it can take up to a week (while multi-tasking) to update all the drives our team carry for system reimaging when a new refresh occurs.

So what I do is build a single updated one, then use Alex’s awesome USB Image Tool to capture a full image of the built stick. For the standard 16 GB stick we use, it doesn’t take too long to capture the “IMG” file back to the system HDD.

Once I have that, I just turn around and write that image back to each of the follow-on USB sticks. The process still takes up to an hour per stick to write back out, but that’s several hours faster than the standard process takes.

One alternative is OSForensics - ImageUSB. I like it and USB Image Tool as they allow you to take an image and write an image all with the same tool. I also found Flash Drive Image Creator, which just lets you take an image, and Win32 Disk Imager or USBWriter, which then allow you to write that image to a USB drive. Unlike ImageUSB or USB Image Tool, I haven’t used those, so YMMV.

All this is well and good until recently we got some 64 GB USB sticks to use.

The stock scripted process we follow from the master set of building files works fine with them…up to a point. See, when done, it results in a 16 GB formatted partition. The remaining volume space is left unallocated in the process.

As I understand it (but haven’t verified myself), the long-process the KACE tool uses to create each of the sticks relies on UFDPREP.EXE to do the target USB drive’s formatting and conditioning, making it bootable to the KACE PE (just a custom WinPE) environment from which the image deployment scripts run.

It has been said (again, I haven’t been able to find documentation to support it) that UFDPREP only supports setting the formatting size for the flash drive up to 16 GB. As I haven’t tested it independently, it might instead be that the script which invokes UFDPREP during the drive-building process is set somewhere to just use a 16 GB size. Changing its “/size=n” argument value to /size=65536 might work. Maybe.

(Side note: yes I know there are lots of ways and tons of tools to accomplish the formatting and boot-support prepping of a flash drive to almost whatever upper size you want limited only by the physical memory capacity of the device. The challenge here is that the official tool/process automates use of UFDPREP at the very onset of the scripted build process to the target device. So a maximum 16 GB formatted partition is what you get on the output if you want to also get the built image deployment tools and files with it.)

Anyway, I didn’t have the spare time to look into this too deeply. I needed a solution now.

So what I did was take my previously captured IMG file of a 16 GB built USB imaging stick and used “USB Image Tool” to restore it to one of the 64 GB sticks.

It went on fine and quick and resulted (as expected) in a fully functional USB stick for imaging purposes that had a 16 GB volume (just like the original it was captured from) with the remainder unallocated space. That would work “as is” for image deployments but we can’t let that unallocated space go to waste can we?

So I then booted a lab system with a Parted Magic “LiveCD”.

I attached the 64 GB stick and used the “Partition Editor” utility to first locate the device (I think it was listed as “/dev/sdb”), then went through the process to resize the 16 GB partition to take in the remaining unallocated space. I ran the operation and, after a warning that it might screw up the data, it completed with no fuss. See a visual walkthrough on the process concept below.

When the properties for the updated device were checked on a Windows system, the full 64 GB size available on the stick partition was now showing! Further testing in image deployments found that no corruption to the files/data occurred. It worked great.

I understand that if instead of XP we were running Windows 7 (or Vista) -- which we are not -- then I could have accomplished the same thing natively with the Disk Management tool. Maybe that day will come soon.

I found using Parted Magic a breeze. It was super fast and has been dead-on reliable all the years I have used it to clean up and fiddle with drive partitions.

However, there are some other free partition management software tools that run natively in Windows. Check the licensing requirements to make sure they are not “personal use only” and respect them accordingly. Some of the free versions have stripped-down features compared to the “pro” paid version the same company offers.

I keep one or two of these on my USB utility stick as a “just in case” if either DISKPART or Parted Magic fail me. But they really aren’t the butter for my bread.

That said, they look like they could do the same thing that Parted Magic is delivering if Linux isn’t your thing.

Like I said, file this under “that’s one way to do it” for restoring a USB IMG file created from a smaller partition onto a larger USB flash drive, then reclaiming the additional unallocated space.

If any GSD readers have any additional ways to accomplish the same thing via Windows Command-Line Fu or a small GUI utility I’d love to hear your suggestions; especially if the utilities are freeware/open-source or command-line only and especially if they would work in XP.

Also, if anyone can find documentation on any formatting size limitations that UFDPREP.EXE carries, I’d love to see the linkage. My Google search skills are not too shabby but I haven’t had luck with the right key search terms just yet. I’d like to know formatting limits of the tool before I tear into the actual process to see if our method is passing it a hard-coded \size=16384 or not.

Cheers.

--Claus V.

PS: Misc links I found in the process of searching for info on UFDPREP.EXE that might be interesting to someone:

WinPE Bootable USB - Creating from XP - The CD Forum - Walkthrough on where to get the binary file (from original source) and how to extract it (note it involves Microsoft’s Windows Embedded feature pack).

A Deep Dive into USB Boot - msdn - How UFDPREP actually does its magic.

Sunday, June 30, 2013

Microsoft’s EMET v 4.0 Released … in case you missed it

Microsoft’s Enhanced Mitigation Experience Toolkit 4.0 - EMET - just got released about two weeks ago.

It really hasn’t made that big a splash in the security news pond; maybe getting lost in all the waves from coverage on our domestic network digital data gathering, leaks in the SS Minnow, and that whole Facebook Shadow Profile data collection fiasco.

Oh, then there is that whole breaking story in the food world that has everyone shocked and a-twitter--How Cronuts Are Driving New York City Crazy.

So it’s not surprising that news of the release of a Windows-specific security tool to prevent advanced malware attacks got little notice.

So here you go.  Little rock toss into a big pond.


I’ve got it running on all our home systems as well as all my Windows virtual machines. I’ve seen no performance issues at all and it is super-quiet; no chatter at all. Accordingly, I would recommend it to all my friends/family-members, especially those who insist on using Internet Explorer and do a lot of work in MS Office applications and documents. It is not a solution to replace any existing anti-virus/anti-malware security software you have; rather, it works to supplement and harden it.  I’m running it alongside Microsoft Security Essentials (Win 7 systems), Windows Defender (Win 8 systems), and Bitdefender Antivirus Free (Win 8 systems). It works great.

Not impressed enough yet to download?

Well, did I mention it has “skins” so you can change the theme to some pretty snazzy color schemes?

Seriously, if you spend any time on the Web (particularly in IE) and run a Windows system, then you really should consider deployment of this tool. Just take the default configuration settings to get started, then you can tweak away and add additional protection coverage after you read the manual.

Cheers!

Claus Valca.

Sunday, October 28, 2012

For-Sec & Utility Jumble Linkfest


The short weekend is done. The “Sandy Watch” is on for what could be -- for our northeastern friends -- a storm event to be remembered for many years to come. So a pile of security/forensic and utility-minded links spills out below for the curious and information hungry.

Forensics and Security

Girl, Unallocated: Be Very Quiet... I'm Tracking Emails Through Headers - Girl, Unallocated Blog. The Girl has a great post looking at email headers and their bits and perils. One gem is a report (PDF) from Stroz Friedberg and a particular focus on email headers. The report as a whole is a great read and again provides a lesson in technical report writing and presentation as well as some forensics pushback on anti-forensics techniques. At 102 pages, it isn’t a brief, but well worth the time to download and study.

The Girl’s post reminded me of another great publicly-available report that addressed emails in a forensic investigation.  In my GSD post Interesting Malware in Email Attempt - URL Scanner Links, I wrote the following bits at the end:

A recent Digital Forensics Case Leads post has mention of a super-fantastic investigation/forensic report involving anonymous emails. This is must-read material, not just in terms of the investigative methodology but also the way the report was composed and presented. Very clearly done!  I’m keeping a saved copy of the report for future reference; both technically and as a report template. From the post via the link above:

“University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.”

How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole - Threat Level @ Wired.com.  I almost overlooked Kim Zetter’s post on how mathematician Zach Harris -- as an exercise -- discovered a flaw in some providers’ use of weak DKIM keys to sign emails originating from them. Fascinating and short read.

DEFT 7.2 and DEFT english manual, ready for download! DEFT Linux - Computer Forensics live cd. New DEFT version out. This is the last one offered in 32-bit; future versions will be strictly x64 flavored.

Xplico – Xplico 1.0.1 - A new Xplico version release just dropped. From the brief post:

ChangeLog:

  • nDPI integration
  • performance improved
  • FTP dissector improved
  • Added the prism dissector
  • CLI execution bug fixed
  • PCAP-over-IP SSL encryption
  • IRC dissector improved
  • File reconstruction from Fragmented Payloads improved
  • FaceBook Chat updated
  • FaceBook Message (partial)
  • HTTP without initial packets (packets lost)
  • RTP dissector improved
  • PCAP2WAV, RTP2WAV interface added

And don’t forget! Now you can get/update it via apt-get on Ubuntu 11.04 and higher.  Sweet!

sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico

LastActivityView - Nirsoft brand new utility! - Use this new tool to view the latest computer activity on a Windows system. Nir Sofer has some more details on his NirBlog: New utility that shows general computer activity. Could be useful for incident response and analysis and other “quick peeks” at key system activity indicators to narrow down the search.

FileAlyzer Portable 2.0.5.57 (detailed file analyzer) Released -PortableApps.com

Hacking KeyLoggers - Open Security Research has a great post that not only identified a USB keylogging device, but takes it to the next level in hacking it to determine the impact of the device and when it might have been dropped. Clever stuff.

Attacking TrueCrypt - The H Security: News and Features. Another interesting post that almost slipped by me. Interesting by itself but also shows the benefit of using “cascaded algorithms” in TrueCrypt to thwart current attacks…for now.

Restoration of defocused and blurred images - Yuzhikov.com. This is super cool.  Vladimir Yuzhikov hasn’t just done a proof of concept for de-fuzzing blurred images (either out of focus or blurred with a mathematical algorithm); no, he has actually released a free Windows app to demonstrate the possibilities. Besides images, text that is out of focus can be unblurred as well. This is very fascinating and could assist investigators facing images and other digital files with blurred faces or content. It’s not exactly easy or guaranteed to work, but it is a very promising start and Vladimir notes he is continuing development and refinement. Read his work please and snag the download.

Google Drive opens backdoor to Google accounts - The H Security: News and Features. Quoting from the post, “The Windows and Mac OS X desktop clients for Google's Drive file storage and synchronisation service open a backdoor to users' Google accounts which could allow the curious to access a Drive user's email, contacts and calendar entries.”  Read the post for more info. As usual it seems to be a convenience versus security trade-off again. Choose your cake wisely. I stick with using only the web interfaces and pass on the client versions of these cloud-based storage services…for now.

Virtualization

The TinyApps bloggist has been hard at work digging out great tips and techniques for importing the virtualized “Windows XP Mode” into popular virtualization software. As always, the posts are impeccable with lots of details and supporting source documentation for additional study and research.

Oracle VM VirtualBox - Version 4.2.4 just dropped…by the way. I almost missed it were it not for my RSS feed filters. See the changelog for more details.  And be sure to grab the 4.2.4 VM VirtualBox Extension Pack as well.

Miles’ posts reminded me of an earlier GSD summer post Virtual Solutions and his great post comment guiding me to getting MS’s IE VirtualPC images running in Virtual Box.

How to run Microsoft’s IE VPC images in VirtualBox
http://tumblr.jonthornton.com/post/11405634980/how-to-run-microsofts-ie-vpc-images-in-virtualbox

ievms - Automated installation of the Microsoft IE App Compat virtual machines
https://github.com/xdissent/ievms

Browser Plugin Update Time…Again.

Yes dear readers, it is “Jack and Jill” time again. Bother.

Adobe Shockwave got updated. As of this post, the newest (Windows) version of Adobe Shockwave is 11.6.8.638.

Adobe Flash was updated as well. Newest (Windows) version is currently 11.4.402.287.

Java also got a quick update to both build versions. Windows Java updates are available in 1.6.0_36 and 1.7.0_09.

Trying to figure out if all your browser plug-ins are current can be a super-pain for the inexperienced and geekless.

My go-to recommendation remains to pop over to Qualys BrowserCheck in each of your installed web browsers, be it Chrome, Windows IE, or Firefox. Alas, Opera, Safari, and other browsers are not currently supported; however, a check in one of the supported browsers may quite likely uncover an outdated plug-in, and patching it may fix the others in the process.  For a backup check, hop over next to The Secunia Online Software Inspector for a second opinion.

If you want a good all-in-one location to manually download your plug-ins, check out Browsers and Plugins Downloads over at FileHippo.com.

Utility and SysAdmin Finds of the Week

Defrag Tools: #13 - WinDbg - Defrag Tools @ Channel 9. New video on Sysinternals tool usage; specifically integrating Debugging Tools for Windows.

Case of the CertUtil Import Refusing The Correct Password - chentiangemalc. Great practicum post on troubleshooting a strange password error where the password was correct but not being taken.

SpeedyFox - Boost Firefox,Skype,Chrome,Thunderbird in a Single Click! - CRYSTALIDEA Software . It has been forever…like dinosaurs roaming the earth eras ago…since I last saw any post anywhere on speeding up a pokey Firefox browser by “optimizing” the JSON databases. This is a dead-simple process to improve launch-time for a well-used Firefox browser. It’s been months since I last optimized mine. When I went to run SpeedyFox, my favorite tool to do so, I wondered if there had been an updated release. My version was at least a year old.  Happily I found there was a newer version, and that it now supports optimizing Chrome-based browsers as well. It remains available as a free edition. Current version is 2.0.3 but while I was sleeping, the developers have been adding support for Skype, Chrome (including SRWare Iron and Pale Moon), Mozilla Thunderbird, and Firefox (including Epic Browser). There is a Mac version (Firefox only) also.

If you use Firefox/Chrome/Thunderbird, stop, drop and run right now!  Did I mention it supports custom paths to your browser profiles so you can optimize portable versions on your drive/disks? Sweet baby Jebus!

CR2 Converter - I shot a lot of photos for Lavie and her family last weekend with the Canon 5D Mark II.  Pops asked for copies and when I was getting ready to pass them off, I realized I had not changed the setting from “RAW” only to RAW+JPEG. So I had over 300 digital images in RAW .cr2 format that his computer cannot read and that are not really a practical format for him anyway to use. Sure, I could batch-convert them in Lightroom/Photoshop, but I really just needed to get them quickly on a CD for him.  I have more than a few RAW freeware tools for tweaking individual RAW file images but that was too time-consuming to use. Luckily, with just a bit of Google diving, I found the freeware Canon RAW Image Converter “CR2 Converter”.   It supports batch-conversion and did an acceptable job for this task. My i7 x64 8 GB RAM system chewed through converting the files in no-time.  To my eyes the resulting images were a bit lightly purple-tinted…not bad or unpleasant but definitely noticeable when compared to the RAW file. Nothing that some simple color correction can’t fix if really important. For Pops it wasn’t but YMMV.  I wouldn’t use it everyday for batch processing but for quick-n-dirty RAW .cr2 to JPEG/JPG/GIF/BMP/PNG/TIFF conversions it is a super time-saver. Tuck it away for when needed in a pinch.

Cheers and hopes and prayers for the very best across the north-east seaboard as Sandy rolls in.

--Claus V.

Friday, October 19, 2012

Grandpa would not be impressed…

My late maternal grandfather was an F.B.I. Special Agent from the ‘40s to the late 1960s.

So I was bemused when a gentleman from the church brought me his wife’s XP laptop which, when booted, displayed an “official” looking lock screen from the “FBI” (complete with FBI seal) saying computer violations had been found and the machine was locked by the FBI until the user paid a fine via the legitimate “MoneyPak” service.

Really?

No.

It was just a run-of-the-mill Trojan drive-by infection crafted by scummy scammers.

It took the better part of a Monday night NFL football game to clean, but I was able to get things restored and back in service.

…and then updated all the third-party browser apps (Java, Flash, Shockwave, etc.) as well as the latest version of the installed AV/AM software.

Related: SOPA reincarnates to hold your computer hostage - ZDNet.

--Claus V.

Saturday, August 04, 2012

FreeCommander micro-tip

I’m a SuperFan of the FreeCommander freeware file manager.

I have quite the collection of Windows file manager applications and each one has its own coolness factor.

But when it comes down to just the daily file management operations, I reach for this one every single day.

The tabs, features, tools, and customizations just make it hands-down awesome.

Developer Marek Jasinski has been hard at work for some time on the next version, FreeCommander XE.

He offers frequently updated Preview Release versions in both installers and “Portable” versions.

I’ve actually been running a non-public “donor” build of FreeCommander XE for quite a while and it has been very stable and fast on my Windows 7 (x64) system.

So when I finally got around to putting a recent copy on an XP system, I was startled to get the following error dialog window when launched.

"The Procedure Entry point ConvertToGlobalHandle could not be located in the dynamic link library KERNEL32.dll".

Super-strange. Interestingly, I could close the error dialog and the application otherwise seemed to function fine. It just appeared at launch.

I did some Google work and eventually found the cause via a similar error reported in the ImgBurn forums (an optical-media burning/ripping software I also recommend and use):

Imgburn error, entry point not found - ImgBurn Support - ImgBurn Support Forum

The error comes from ImgBurn, but it's not really ImgBurn's fault.

I ran into a similar symptom running ImgBurn under WinXP 32-bit.  In my case, the missing dynalink error dialog box on ImgBurn startup was caused by a copy of the Win9x-specific SvrAPI.dll in the c:\Windows\system32\ directory.

SvrAPI.dll dynalinks to the Win9x Kernel32.dll's ConvertToGlobalHandle() API.  But the Kernel32.dll of NT-based Windows OSes, like WinXP and Win7, doesn't export ConvertToGlobalHandle().  So if you try to load the Win9x SvrAPI.dll on an NT-based Windows OS, you get a missing dynalink error dialog box.  Removing c:\Windows\system32\SvrAPI.dll, which is not used under NT-based Windows OSes, fixes the problem.

Under Win9x, SvrAPI.dll exports the subset of the Net...() APIs available on that platform.  Under NT-based Windows OSes, NetAPI32.dll exports a much fuller set of the Net...() APIs.  ImgBurn, correctly, attempts to explicitly load some OS-specific DLLs via LoadLibrary(), like SvrAPI.dll and NetAPI32.dll.

This issue is not really a bug in ImgBurn since SvrAPI.dll should typically not be installed on an NT-based Windows system.  However, ImgBurn could work around this issue by attempting to load NetAPI32.dll first and only attempting to load SvrAPI.dll after NetAPI32.dll fails to load.  It looks like the explicit loading of SvrAPI.dll was added in ImgBurn 2.5.6.0.  ImgBurn 2.5.5.0 does not attempt to explicitly load SvrAPI.dll, and so does not generate the missing dynalink error dialog box.

I went digging on my Windows XP system system32 folder and -- sure enough -- found the SvrAPI.dll file there.  I renamed mine “SvrAPI.dll.old” instead of deleting it.

Re-launched FreeCommander XE and no more error. Mkay.

That was about three weeks ago and I can’t find any harm done by “disabling” the file like I did. No telling what application I had previously installed that put it there. YMMV.

I was going to post a followup bug note in the FreeCommander Forums about the issue, but found someone else had already run into the same issue (note to self: check in the program forums first) and reported the behavior and presence of the SvrAPI.dll file, also linking back to the ImgBurn forum thread I found.

FreeCommander Forum • View topic - Entry point ConvertToGlobalHandle not located

Hopefully this or the forum link will help others who encounter this weirdness.

FreeCommander and FreeCommander XE (still in beta).

Highly Valca recommended!

--Claus V.

Monday, May 28, 2012

Virtual Solutions

Continuing in the troubleshooting theme today, here are a couple of solutions I worked out playing with some virtualization software and machines this weekend.

Tip # 1 - Microsoft Tester VHD images still available

When I moved to my “then new” laptop, I ended up discarding a lot of virtual machine images I had been keeping around for testing and lab work. One of which was an XP tester build in Microsoft’s Windows Virtual PC.

While Virtual PC on XP had been pretty easy to use, the “embedded” operation of it in Windows 7 is a bit more of a headache. (Note: I wonder if Windows 8 will retain an “XP Mode” feature? Anybody know?). So I had dumped them when I started using Oracle VM VirtualBox.

Last week I needed to do some work in XP again and decided to grab one of Microsoft’s IE App Compat VHDs over at the Microsoft Download Center.  I snagged the tiny (by comparison) Windows_XP_IE6.exe package. They also have some larger Vista/Win7 VHD packages.

While these do time out/expire (they can be “re-armed” following the instructions on the download page above), they provide a quick and easy way to grab and run XP for testing purposes.

Tip # 2 - Converting other virtual disks to VMware format

(Alert: dead-end coming)

While I was able to get the XP VHD working just fine in Virtual PC on my Windows 8 system, I wondered if the performance would be better in VMware Player. It also has slick support for “Unity” which is a “XP Mode” feature that doesn’t require you to be using Windows 7 in Professional/Ultimate builds.

So I figured I would just convert the VHD file to the VMware format and roll on.

First I tried StarWind Free V2V converter. Downloaded and installed OK with no fuss, however when I tried to launch the converted VMDK file in VMware, it bombed out.  That said, I’m still keeping it around as I suspect something else was going on and it wasn’t an issue with the software.

Next I read about WinImage which per a handy post from VMpros, can convert VHD to VMDK. However since it is trial-ware, I decided to skip that option.

Finally, I settled on the free VMware vCenter Converter. Download requires registration with VMware but it was painless and the application was a breeze to use. In no-time it converted my VHD file to VMDK format and I had it running in VMware Player. For a good walkthrough check out this AddictiveTips post Convert & Use Your Physical Machine In VMware, VirtualBox & Virtual PC.

Well…not really.  As I found out (and should have remembered, but it has been too long), the Microsoft IE Tester images are set up only for Virtual PC-specific “hardware”. By that I mean that while you can convert them to another virtualization platform, XP will then see that your “hardware” has changed, require re-activation, and require you to put in a fresh product key from scratch to activate it.  I suppose a clever person could work around it and get it working in VMware, but that would seemingly violate the EULA agreement for these packages.

Like I said, this led to a dead-end, but it was fruitful in finding that the Microsoft IE Tester packages are still available for use and (for a bit longer) still offer XP as an option.  Also, I found the VMware vCenter Converter software wonderful to use and am sure I will rely on it more in the future.

Tip # 3 - Don’t Forget your old install media

After the dead-end above, I remembered I still had an old XP Home (SP1a) install disk and license I had bought when I built my first small-form-factor desktop. Since that time, all the newer systems we bought came pre-loaded with Vista/7, so eventually that SFF system (and the XP load) were wiped clean, and while the SFF box patiently waits re-purposing to FreeNAS one day, the XP Home OS has not been used since.

So I used it to build/activate a fresh install directly in VMware Player and got it fully patched/updated and running smoothly for all my XP testing needs.

Tip # 4 - Getting ChromiumOS (Hexxeh’s Vanilla builds) running in VirtualBox

After all the fun I was having getting these virtual systems tweaked, on a whim I decided I wanted to check out Chromium OS.

I decided to take the easy way out and use a “Vanilla” build of the Chromium OS builds by Hexxeh. I downloaded the VirtualBox file, got it configured in VirtualBox and launched away.

Only, while it ran fine, I couldn’t get through the first-launch setup landing page because the “network” was unavailable and no networks were offered. I was using the “NAT” setting but no dice.

I did some digging and found that there were a number of folks with Questions Tagged With network - CrOS QA in the forums.

Took a while but I finally figured out the trick (at least if you use NAT for the network connection in VirtualBox).

Go into the Network settings for your ChromiumOS virtual machine. If you use NAT, by default it should look like this.

(screenshot: VirtualBox Network settings, NAT adapter with the “Advanced” section collapsed)

Next click the “Advanced” triangle (as shown above) to expand it.

Change the adapter type to an appropriate "Intel PRO” interface. Your options may appear differently from the one I selected below.

(screenshot: VirtualBox Network settings, Advanced section expanded, adapter type set to an Intel PRO interface)

Save your settings and re-launch the virtual machine.

This time the network was available and I was able to complete the setup and running of Hexxeh’s ChromiumOS build with no issues.

I need to play more with it before posting my opinions but it worked just fine.

Tip # 5 - VirtualBox supports Windows 8 “natively” now.

In my recent Windows 8 GSD blog post I bemoaned not being able to successfully install the VirtualBox additions into my Windows 8 Consumer Preview build in VirtualBox.

Thanks to the comments of a kind anonymous tipster, I realized many older “how-to” instructions on the process on the web recommended selecting “Windows 7” as the OS type during the creation process, then running the VirtualBox Additions in “Compatibility Mode” to install. The newer versions of VirtualBox now offer “Windows 8” as an OS type during the virtual machine setup process and if done so, you can just run the Additions “as-is” with no need to do so in Compatibility mode. They go on just fine.

(screenshot: VirtualBox virtual machine setup with “Windows 8” selected as the OS type)

Anyway…by the time I had figured this out, I had since followed an Install Windows 8 Consumer Preview on VMware Player guide that worked so seamlessly I don’t think I’ll use VirtualBox for Windows 8 testing at this time. YMMV.

Tip # 5.5 - VirtualBox 4.1.16 now out

On 2012-05-22 Oracle released a new version of VirtualBox: Changelog – Oracle VM VirtualBox

Get the Download – Oracle VM VirtualBox along with the matching VirtualBox 4.1.16 Oracle VM VirtualBox Extension Pack that is also on that page.

Tip # 6 - More Virtualization Tippage sites/blogs

By no means complete, these sites seem to have great tips on virtualization platforms.

Cheers.

--Claus V.