Sunday, December 28, 2008

Calling H-Town Techies: Help Save our Laptop!

One quick request for Houston-area Tech repair knowledge.

Seems that over the last few weeks, our Gateway laptop has been sick.  The screen was flickering and it was going on/off battery-power even though plugged into the AC brick.

At first I thought it was the AC cord up by the plug, so I picked up a replacement adapter/plug set but that didn’t help at all.

Now I am certain that the DC plug has been damaged. 

For a while I could do a funky cousin to the old-school rabbit ears tweaking and by putting the cord a certain way and putting just a certain bit of pressure, the AC power would flow steady.  Now that is next to impossible to do.

I’ve done some research and though I am bold enough to try a motherboard swap on the laptop, I’m not yet ready to drop approximately $400 for a replacement just yet.

I am NOT brave enough to attempt a re-solder job myself.  But I don’t think the issue is with the pins.  From some web-searching, I think that these units (and similar brands) are using a plug that had slightly more brittle plastics and the component itself is cracked.

I’ve done some research and it looks like there is an outfit down in Webster that seems like it can do a replacement of the DC plug.  Unfortunately, they’ve been closed during the holiday season so I haven’t been able to contact them just yet.

I’ve also found a shop up in the North East that specializes in these as well, but I really would like to try to stimulate the local economy first (and avoid the ship-off).

Do any of my Houston tech readers have any recommendations for a reputable shop in the Houston-Metro (south/east/southeast preferred) area that could replace the DC plug on the laptop systemboard?

I’d really appreciate any leads as it turns out I have grown more attached to this laptop for blogging than I would like to admit.  Lavie likes it as well as that means I can sit with her in the living room and not holed up in the study on the desktop system.

I’m planning on yanking the HDD from it first (for security).  I figure the system will still power up and hit the BIOS so that should be sufficient.

Danke!

--Claus V.

Merry Christmas and Happy New Year!

I hope your Christmas holiday season has been as enjoyable as ours around the Valca homestead.

I have purposefully worked to not spend much time on the computers this year.  I think this decision has been a good thing for me and the girls.

With the exception of picking out digital family pictures and bulk post-process formatting them for transfer to the digital photo-frames we got most of the family, I think total hours logged on-line has been under an hour this past week.

Amazing.

That’s not to say we have been completely devoid of tech in our holiday time.

Little bro decided we needed to adopt a homeless Sony Bravia 46” flat-screen HDTV.  We happily accepted it even though it hasn’t been housetrained yet.  Although truth be told, he actually gave it to Alvis’s hamster.  Lucky rat.

It was quickly put to work displaying multi-hour long jam sessions of Guitar Hero with the two axes we got as well.  Family time has never been so intense!  When we went over to Lavie’s uncle’s place for the extended-family get-together, a Wii version of GH was also set up and kids of all ages (grandparents to the mini-me’s) took turns all afternoon and night long on it.  It really is funny how this game appeals to everyone!  I’m still trying to graduate from the “Easy” level.

We go back to work this week (except for the 1st) and then one last round of family holiday visits and then back to the comfort of our family routines.  So please expect the posts to pick up again by the end of next weekend.

Hope everyone is well and best wishes for the new year to you and all your loved ones.

Cheers!

--Claus V.

Monday, December 22, 2008

Early Monday morn Linkfest: Utility Focus

Looks like this posting session might stretch into the cold and windy wee hours of the morning.

I just can’t help but share!

Goodness me.

CLI Tips

Always on the lookout for arcane but useful CLI tips I found these this past week:

  • Run cmd.exe as Local System in Safe Mode – TinyApps blog. Great tip from Miles on how to load a command-line window (cmd) session under the LocalSystem account while in Safe Mode. That is something that isn’t normally possible. From Miles’ more thorough accounting in his post:

Here are the combined steps (which assume you are booted into Safe Mode):

  1. Add a key to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal named lscmd or what have you.
  2. sc create lscmd binpath= "cmd /K start" type= own type= interact
  3. sc start lscmd
  4. A new cmd.exe window will open with LocalSystem privileges. When you are finished, close the window, delete the registry key you made, and delete the service: sc delete lscmd .
  • Batch Files, Task Scheduler and PSTools – and a EULA? - Ask the Performance Team. I love Sysinternals tools and they work great. However you may have noticed that some tools, on their first run on a system, pop up a EULA to clear first. If you are trying to fire them off via a batch-file or Task Scheduler, they might fail due to the need to accept the EULA first.  The Performance Team provides two clever workarounds.  One involves dropping some registry keys to show that the EULA was agreed to, prior to executing the file.  The other involves passing the Sysinternals tool a -accepteula argument as well.  They note this may or may not work on all tools.

Clearly Chrome (with a Foxy tease tossed in)

GSD commenter “comment gravity well” has been keeping me on my toes with Chrome/ium lately!  I had teased that I had found two neat new Chrome/ium related items this week and was reminded in the process that I had to go back and check progress on some other related items I hadn’t spent time with lately.

  • Chrome Privacy Guard (CPG) - Die Milchtüte - (freeware) – Mini utility that strips out the unique ID from each installed build of Chrome on a system. Most users of Chrome don’t know about this feature or, if they do, couldn’t care less.  Some however would like a little more privacy and to be free of this “feature” for Chrome.  Source code is available from the site for inspection. From the developer’s description:

…I wrote a small tool that automatically deletes the unique Client ID before each run of Google Chrome.

People that never close their browser will obviously not benefit from that tool. In the future you should always start the included ChromePrivacyGuard.exe instead of the original Chrome executable. This tool scans the "Local State" file inside the Chrome directory and removes all information regarding the Client ID and afterwards automatically starts Chrome.

In any case you should also disable the option inside Google Chrome to allow it to send statistical data to Google.

  • UnChrome - (freeware) – An alternative tool to remove the Unique ID from Chrome.  Closed source, and you get a pop-up ad for the developer’s other software offerings as well.  Your choice.  Spotted via Download Squad.

  • Iron - (freeware) – This German build of Chrome/ium is for privacy (though not an anonymizer) fans in that it strips out not only the Unique ID from Chrome, but a host of additional concerns and “features” that Chrome brings with it. “comment gravity well” also adds that it has some rudimentary ad-blocking as well.  I’m going to have to play with this one a bit.

  • Greasemetal - an Userscript Runtime for Google Chrome – Adds some additional custom functionality to Chrome.  Not quite at “Add-on” level like one would think of with Firefox, but some of the scripts can add some additional features.  Your mileage may vary.

  • Mozilla Firefox, Portable Edition 3.1 Beta 2 Released - PortableApps.com – Just in case you wanted to see what all the fuss was about with Firefox 3.1b2 but didn’t want to hose or risk damage to your existing 3.0.x installation.  This is a safe way to test and play.

USB Tools and Utilities

I love a good utility to help with USB devices.  I’ve found some new ones and am reposting some oldies but goodies!

  • PAR – EjectUSB - (freeware) – Clever little utility that assists you in automatically shutting down any running programs that might tie into a USB device and then eject the USB device in question. From the developer’s description:

Designed to be a simple utility to close all programs running from a specified drive or folder and then attempt ejection if a drive was specified. Extended functionality includes flushing the file cache, closing Explorer windows and removing registry entries and Recent Document shortcuts referencing the specified drive or folder.

  • USB Disk Ejector - (freeware) – Nice, simple and works the majority of the time. Provides a “real-world” GUI window that offers up a clear image and description of the USB device you are trying to eject.  Helps (but isn’t perfect) about cleanly ejecting USB devices without some of the hangs that sometimes occur using the Windows USB ejection method. For stubborn cases keep reading this section for a better alternative. I use this one almost daily as I have a number of USB storage devices connected to my work system and was often ejecting the wrong one!
  • AutoRunGuard - (freeware) – Neat little batch-file/executable combo that allows you to set your system to auto-scan an attached USB drive for virus/malware (and then some).  Really cool and not nearly as challenging to use as you might think. More at this recent GSD post: Grand Stream Dreams: USB Security: AutoRunGuard, Encryption ...
  • USBDeview - (freeware) – NirSoft application that lists all USB devices currently and historically connected to your computer. Lots of detailed log information. Must carry application.
  • USB drive letter manager – USBDLM - (freeware) – Neat little sysadmin’s friend that (with a bit of INI file modding) can force USB devices to use a particular drive letter, or range of drive letters. It has a few more bells and whistles, but that pretty much covers it. Not a regular tool, but folks who do network drive mapping might find it useful and handy.
  • Desk Drive - (freeware) – Blue Onion software helps you manage your USB devices by allowing quick access to your inserted USB storage contents.  When running, Desk Drive adds a desktop icon pointing to the drive.  When the device is removed, the shortcut goes away. Perfect!
  • USB Image Tool - (freeware) – Use this neat tool by Alex’s coding playground that simply and easily creates images of USB flash drives.  From the website:
    Features:

    • create image files of USB flash drives
    • restore images of USB flash drives
    • compressed image file format
    • show USB device information
    • manage favorite USB images
    • command line utility

  • USB Safely Remove - (freeware) – Amazing tool that not only gives you “real names” for USB devices so you can remove them correctly and accurately, but it also provides detailed information on what process/files are keeping a USB device from ejecting and the ability to close/terminate that process first, set custom autorun scripts to execute before the device is ejected (say make a backup), command-line support, eject memory cards (and not the reader device), and remove “phantom” memory card drives, and a host of other tools. Awesomeness for USB device wrangling. Giddy-up!

Windows Live Writer – Update

Yep. Most everyone’s favorite blogging tool has just gotten another update.  This might be the last before it goes “gold”!

I can’t tell much of a difference between this one and the previous version I was using. The link has a change-log of sorts, but most of those features I either wasn’t interested in using, or thought they already had something similar going already.  I still dislike the lightened color-bar customizing. It is a much more washed-out effect than in the previous versions.  I also am bummed I can’t seem to customize the toolbar, nor am I offered a quick-pick for font-color changing. However, minor quibbles aside, it’s still the strongest blogging tool out there (IMHO) and I use it exclusively for all posting.

NirSoft Updates

If it’s from Nir, it’s all good! Here are the updates on particular utilities that interest me.

  • PingInfoView version 1.20 -- Great tool that allows Pinging to multiple host names/IP addresses.  Updates include New column: % Failed, and new options: Beep On Failed Pings and Put Icon On Tray.
  • RegFromApp version 1.15 – Allows monitoring and generation of a RegEdit .reg file from Registry changes made by a monitored application.  Multiple updates include automatic stop when the process that you inspect is terminated, remembering the last sort in the select process dialog-box, a new command-line option: /AttachProcess, and automatic save to .reg file and exit when the inspected process is terminated (/AutoSave in command-line).
  • WirelessKeyView version 1.20 – Use this tool to recover lost WEP/WPA keys stored by Windows Wireless Zero Configuration service.  This update allows extraction of the wireless keys from an external instance of Windows XP (in Advanced Options) which could be useful to investigators or sysadmins.
  • WirelessNetView version 1.12 – More wireless fun that monitors wireless networks in your area.  Now provides a new option: Beep On New Network.
  • MozillaCacheView version 1.16 – Great and handy tool that simply and effectively displays the cached files of Mozilla/Firefox browsers. Nir does some deep under-the-hood repair work on this one and has added a 'Hide Missing Cache Files' option as well as fixed a serious bug where, on some systems, MozillaCacheView didn't display all cache files. Oops!  Now all better!

Happy Holidays!

--Claus V.

Sunday, December 21, 2008

Late Sunday Linkfest: Focus on Security

Wow.  What a busy last couple of days!  I’m only now coming up for air.

Been playing taxi taking Alvis to school and picking her up early as she has short days due to finals.

Then there was that two-day jaunt through the piney woods up to Jasper, Texas for an extended family wedding.

Today Lavie and I started some of the Christmas shopping. We made a small dent but much remains to be done.  I always start to get a bit stressed out during this time, despite all the reminders (at home and church) of what the real focus needs to be.  I guess I want to be sure everyone is taken care of and happy, so I sometimes over-extend myself.

Expect a slightly lighter posting around the place as I try to pause from time to time.

Somehow I think I won’t be alone….

Here are some security bits that I picked up this week.

  • Microsoft Security Bulletin MS08-078 - Critical: Security Update for Internet Explorer (960714) – Microsoft released an out-of-cycle patch for a serious flaw.  Go get your Windows Updates if you haven’t already.  Applies to almost every recent and upcoming Internet Explorer build.

  • The Security Development Lifecycle : MS08-078 and the SDL – Microsoft opens up a bit and lets its team share a bit more technical data about the flaw.  They go into the specific reason for the flaw, why it wasn’t identified sooner (by them) and supposition on how it might have been discovered in the wild.  More for code-heads, but still it provides some insight into the bug-finding and patching process.

  • Memoryze - (freeware) – MANDIANT’s new tool is a “…memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.” That link contains a full summary of features.  It also is able to run a full battery of actions against “…live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.”  Mandiant also details other uses for this tool such as traditional memory forensics, incident response support, malware analysis, reverse engineering, and rootkit and hook detection.  One thing I’m not sure of (yet) is how this fits with “do-no-harm” forensics work, as the download appears to be an MSI installer and must be installed and run on the live system.  On a forensically captured system, the install process would by necessity overwrite captured drive space, and by its very presence possibly alter the system/memory you are attempting to capture.  I don’t know if it has a “portable agent” component like their Mandiant Red Curtain - Incident Review Software (GSD Post review).  Anyway, looks interesting and I’ll be playing with it more in the coming weeks.  Spotted over at gaetano zappulla’s soup.

  • Volatility seems to be one of the premier memory acquisition and forensics tools out there at the moment.  I guess this is what Memoryze is “competing” against.  It’s another tool I haven’t had the pleasure of getting my feet wet in yet.  However it looks like it could be useful in dealing with incident response and malware analysis as well.  I did see word last week that it might have some very specifically arising memory sample data corruption issues.  As this isn’t my area of expertise by a long-shot, I can’t say much more about it than that.

  • Lavasoft Anti-Virus Helix – This was curious.  At first blush, it appears that Lavasoft (of Ad-Aware anti-malware fame) is now releasing some new and cool anti-virus scanner as well.  No, it is not free.  However, users knowledgeable in consumer AV products might be wondering where they have seen that GUI before.  Turns out that Lavasoft has just rebranded Avira AntiVir Personal, which is a free product.  I imagine that the Lavasoft paid version offers a few more features, like Avira’s own paid personal AV product does, so a comparison to the free version isn’t quite accurate, but it is darn close.  However, I really can’t see much reason why folks would spring for this one over the Avira AntiVir Personal (free) version.  I guess Lavasoft is just trying to work on its security suite-building and feels it needs to offer an AV product as well.  For more details on this whole Lavasoft Helix/Avira AntiVir thing and comments from Lavasoft, see Ad-Aware gets an antivirus cousin over at the Download Blog.

  • Helix3 – forensics “LiveCD” -  I’ve had this in my software kit for many years and really love it.  The version 3 is very polished.  One tool in particular that I have found on it is called Pre-Screen/SearchIt and was developed by Paul Bright over at the NCIS. Basically it allows you to scan a drive/folder for a variety of image files to determine if any items are found that may warrant a deeper inspection of the system.  It’s a cool and very tiny little application.  Despite all my attempts, I haven’t been able to locate a download source for it other than snagging it off the Helix ISO file itself (download).  So I don’t know if newer versions exist.  In my use on both Vista and XP systems, the GUI still seems a bit buggy and hung up if I went too deep into the main menu options.  I also did some more looking to see if other similar (and free) software existed but didn’t find anything close.  It seems to be a bit slow on scans from my usage.  Does anyone know of any other alternatives I could try?  I know there are a lot of large graphic/thumbnailers out there but this one seems to not leave any “trace” on the local system when running and doing its thing.  Paul’s done a great job on this tool and I am grateful for his sharing with the community.  I’m no coder so I can’t critique it too hard and don’t mean for this to come across wrong, but I wonder if someone could write a bit faster and slightly easier to navigate tool to index major graphic image files on a system and display both a listing and adjustable thumbnails.  It may already exist, and it is also possible that Paul has a newer non-public version of his tool out there as well.  It just seemed so close to perfect greatness with just a little bit more tweaking and performance gain.  Alas, I also haven’t had time yet to snag and play with DEFT Linux computer forensics live cd.  It’s also on my “to-do” list this week.

  • Windows Viewers & Information Extractors for Various File Types - SANS Computer Forensics, Investigation, and Response blog. Great and most wonderful roundup of many, many tools to assist with system information extraction, file handling, and file viewing.  While I did have quite a few of them in my toolbox already, I came across a number of new and curious tools that will demand more study such as NavRoad Offline HTML Browser, GlobFX Swiff Player, Wimpy FLV Player, Exiftool, and Pinpoint Metaviewer.  That last one has a number of additional interesting apps from the developer to check out also!

  • Case Study: Suspicious Network Traffic -  TechScrawl blog.  Brief but interesting review of tracking down some weird network traffic.  Lots of good points and observations.

  • Syn: The Story of an Insider - Part 3. Playing at CSI – SynJunkie wraps up this second “story” about a security incident and response.  This one is especially juicy as it shows how the aforementioned Helix cd is used by a sysadmin to do a live dd capture of a system, port it into a virtual session using Live View.  Live View is for VMware virtualization.  I wonder if a similar tool exists for Virtual PC or Virtual Box software.  Anybody know of any they could recommend?

  • ViewHTML.com – Neat little site that pulls in and displays the site-code of a web-page without you having to actually load it first in your browser.  I had been doing a Google search in Chromium earlier this week and landed on a page that started out normally, then some javascript ran and I got a pop-up for a rogue security warning that locked up the browser.  Having dealt with these before, I knew none of the “cancel” or “exit” buttons would actually do that and the only one that would “work” was the live download button, which I didn’t want to use.  I was able to CTRL-ALT-Delete and pull up Process Explorer which I had set as my alternative task-manager.  Using that I suspended the Chromium process then killed it.  That got me safely away from the page. But now I was curious.  I wanted to explore the page-code, but didn’t want to muck around with reloading it in a Linux “LiveCD” session and I didn’t have my more hardened Firefox build at hand.  So I captured the URL of the website in question, fed it to ViewHTML.com, and it regurgitated the page-code safely for me.  Buried in there were a number of javascript calls and checks for browser versions with URL redirects that generated the rogue security product popup call.  Curious stuff.  So I reported the malicious URL to a number of anti-malware tracking sites for good measure and Net citizenship.

Enjoy your holidays!

--Claus V.

Sunday, December 14, 2008

Custom Win PE Boot Disk Building: Step Two – PGP Injection

First please review the prior links in this series.

The goal is to produce a WinPE 2.0 boot disk that has PGP WDE driver support, and brings in a shell that is notches more sophisticated than the standard CMD window normally offered by WinPE 2.0. Oh yeah, and that works on Dell Optiplex 745/755 USB keyboards.

Note: I always do my PE/PGP/VistaPE building under an Administrator level permissions account, and all folders have security settings (and contained objects) set with full permissions for both “Administrator” and “Everyone”.  That seems to work with the least amount of headaches on both XP Professional and Vista systems.  Your mileage may vary.

PGP Prep-Work

Let’s lay the groundwork.

From Step One, we now have created the following folder (and contents) on the root of our C: drive:

c:\winpe_x86

Now let’s create two new folders on the root of C: that we will use for our PGP processing.

First create the following folder:

c:\WDE

Second create the following folder “PGP”

c:\PGP

Done?  Great!

Get the PGP Driver Files

You will need to have access to a PGP WDE Windows encrypted system for this next part.  That should be pretty easy because I’m assuming only system admins who support such configured systems would be taking the time and effort to do all this work in the first place!

Our systems use XP Professional, and my primary building is done on an XP Pro system as well.  However, Vista could also be used.  Regardless, go to that system and the files should be able to be found as follows:

c:\Program Files\PGP Corporation\PGP Desktop\pgpbootb.bin

c:\Program Files\PGP Corporation\PGP Desktop\pgpbootg.bin

c:\Program Files\PGP Corporation\PGP Desktop\PGPwde.exe

c:\Program Files\PGP Corporation\PGP Desktop\Stage1  (note “Stage1” is the filename with no extension)

c:\Windows\system32\PGPsdk.dll

c:\Windows\system32\PGPsdknl.dll

c:\Windows\system32\PGPwd.dll

c:\Windows\system32\drivers\PGPwded.sys

Copy each one of these files and place them into the C:\WDE folder.

Easy!

PGP PE Tools

Hop over to PGP Knowledgebase Answer ID 807 and scroll down to the “PGP Desktop PGP PE Tools” section.

You will need to download the appropriate ZIP file according to the version of PGP WDE you have deployed across your environment.  Be sure to pick the right one!

Download the ZIP file to your system.  I’m going to be using PGPpe990.zip

Now unpack, unpack, unpack the contents to the c:\PGP folder.

Note: this threw me off for a bit at first. For some reason, the two files you need – pgppe.exe and pgpstart.exe – are in a zip file, inside a zip file, inside a zip file.  So you will have to keep unzipping and unzipping, and unzipping until you can finally get at the two files inside.  Unless your ZIP program allows you to drill down inside them all and directly extract them.  Don’t give up, they really are in there!

When you are all done, you should now have the following files/folder:

c:\PGP\pgppe.exe

c:\PGP\pgpstart.exe

PGP PE File Injection

Now comes the fun part!

Open a command-prompt window. (Note: On Vista systems you must run the CMD window as Administrator-level.)

Browse to the c:\PGP folder

Run the following command:

Pgppe /winpe c:\winpe_x86\ c:\wde

It should only take a few moments and then if all goes well you will see the following return:

[screenshot of the pgppe output]

I actually ran a Process Monitor capture session on this some time back.  There’s a lot of activity going on behind the scenes. It basically mounts the winpe.wim file in a writeable mode, copies the special PGP files out of the folder we tucked them into and places them in their proper locations within the wim file, adds a number of registry keys, then dismounts the wim, saving the changes.  They packed a lot of activity into those command-line actions.

Do the winpe.wim / boot.wim file flip-flop

Last step in this stage is that we need to replace the winpe.wim file which will be our ultimate boot PE 2.0 wim with our now PGP WDE driver-injected winpe.wim version.

Open Windows Explorer and browse to the c:\winpe_x86 folder.

Copy the winpe.wim file there.  (This is the one we modified in the previous step.)

Browse deeper into the c:\winpe_x86\ISO\sources folder and paste it next to the boot.wim file already there.

Now move the boot.wim file in there out to the c:\winpe_x86 folder for safe-keeping.  It really is just a differently-named copy of the original winpe.wim file, pre-PGP driver injection.

Now go back into the c:\winpe_x86\ISO\sources folder and rename your updated winpe.wim file to “boot.wim”

You should note that the file size is now larger in the PGP-modified wim file version than the original.  That’s a good sign.

Hurray!  We are now done with this stage!

Pretty easy wasn’t it?

For Early Quitters

At this stage, if all you wanted was to have a plain-Jane WinPE 2.0 boot CD, all you would need to do are the following steps:

Go to the Start menu and under All Programs find the Microsoft Windows AIK folder and launch Windows PE Tools Command Prompt, or open a command prompt and type

cd c:\program files\Windows AIK\Tools\PETools

Then, type

oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

(again, all one line)

An ISO file will be created inside the c:\winpe_x86 folder.

With the ISO image file created, you can now burn the image file to CD.

However, while this will fit the bill, we have higher aspirations for our boot-cd.  Stay tuned!
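Pulling the whole stage together as one batch file, an added example that is not from the post or from PGP Corporation: it copies the eight files, runs pgppe, confirms the WIM grew, does the flip-flop and optionally builds the ISO.  It assumes the post’s folder names (no spaces in them), a PGP WDE system as the file source, and an Administrator-level command prompt.

```bat
@echo off
:: Added example, not from the original post or from PGP Corporation: runs
:: this stage end to end with sanity checks. Assumes the same folder names
:: as the post (no spaces in those paths) and that it is run from an
:: administrative command prompt on a PGP WDE encrypted source system.
setlocal
set WINPE=c:\winpe_x86
set WDE=c:\WDE
set PGPTOOLS=c:\PGP
set PGPDESK=%ProgramFiles%\PGP Corporation\PGP Desktop
set AIKTOOLS=%ProgramFiles%\Windows AIK\Tools\PETools

:: Step One must already have produced the WinPE folder and winpe.wim.
if not exist "%WINPE%\winpe.wim" (
    echo ERROR: %WINPE%\winpe.wim not found - complete Step One first.
    exit /b 1
)
if not exist "%PGPTOOLS%\pgppe.exe" (
    echo ERROR: unpack pgppe.exe and pgpstart.exe into %PGPTOOLS% first.
    exit /b 1
)
if not exist "%WDE%" mkdir "%WDE%"

:: Gather the eight PGP WDE files. Stop on the first one missing so pgppe
:: never runs against an incomplete driver set.
for %%F in (pgpbootb.bin pgpbootg.bin PGPwde.exe Stage1) do (
    if not exist "%PGPDESK%\%%F" (echo ERROR: missing %%F & exit /b 1)
    copy /y "%PGPDESK%\%%F" "%WDE%" >nul
)
for %%F in (PGPsdk.dll PGPsdknl.dll PGPwd.dll drivers\PGPwded.sys) do (
    if not exist "%SystemRoot%\system32\%%F" (echo ERROR: missing %%F & exit /b 1)
    copy /y "%SystemRoot%\system32\%%F" "%WDE%" >nul
)

:: Remember the size of winpe.wim so we can confirm the injection grew it.
for %%S in ("%WINPE%\winpe.wim") do set BEFORE=%%~zS

:: pgppe mounts winpe.wim writable, drops in the PGP files and registry
:: keys, then dismounts and saves (what the Process Monitor trace showed).
pushd "%PGPTOOLS%"
pgppe /winpe %WINPE%\ %WDE%
set RC=%errorlevel%
popd
if not "%RC%"=="0" (
    echo ERROR: pgppe exited with code %RC%
    exit /b 1
)
for %%S in ("%WINPE%\winpe.wim") do set AFTER=%%~zS
if %AFTER% LEQ %BEFORE% (
    echo ERROR: winpe.wim did not grow: %BEFORE% bytes before, %AFTER% after.
    exit /b 1
)
echo winpe.wim grew from %BEFORE% to %AFTER% bytes - the expected good sign.

:: The flip-flop: park the original boot.wim for safe-keeping, then put the
:: PGP-modified image in its place under the name the boot loader expects.
move /y "%WINPE%\ISO\sources\boot.wim" "%WINPE%\boot.wim" >nul
copy /y "%WINPE%\winpe.wim" "%WINPE%\ISO\sources\boot.wim" >nul

:: Early-quitters finish: build a bootable ISO from the ISO folder.
if exist "%AIKTOOLS%\oscdimg.exe" (
    "%AIKTOOLS%\oscdimg.exe" -n -b%WINPE%\etfsboot.com %WINPE%\ISO %WINPE%\winpe_x86.iso
) else (
    echo oscdimg.exe not found under %AIKTOOLS% - skipping ISO creation.
)
endlocal
```

The size check is the same “good sign” test as in the text, just done for you; a winpe.wim that did not grow means the injection silently failed and the ISO should not be burned.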

Additional Notes:

More information on injecting PGP WDE drivers into WinPE 1.0, WinPE 2.0, Vista upgrade installations of pre-encrypted PGP WDE systems, and use with the XP Recovery Console can be found in this PGP Document:

Windows Preinstallation Environment & BartPE Tools – PGP Knowledgebase Answer ID 807

It also contains the CLI commands you will need to actually manually couple the user’s passphrase in with the pgpwde software you have added to the boot disk.

I’ll share them later in the process, but if you are curious check out the PDF file on that page.

Also, if you look carefully through their PGP WinPE 2.0 building section, you will see that I’ve modified my commands/locations just a bit from the ones they recommend.  My method seems to keep things a bit more ordered, IMHO.

Next up?

Building a VistaPE base file set to work with.

--Claus V.

USB Security: AutoRunGuard, Encryption options, and Forensics

Deep into my earlier Security and Forensics Roundup: Heavy Version #2 post, I shared the renewed threat-vector of USB drives in general and the auto-run behavior in particular.

Then I immediately noted the need to get Alvis her own personal USB drive.

Great tips were offered by forensic gurus Hogfly and Harlan on dealing with USB security along with “Steve”.

That led to a minor post-post post NTFS Formatting an Imation USB Disk, after which I received additional feedback from a school IT administrator reminding me that Alvis would be unlikely to be able to use TrueCrypt at school due to the fact that the system drivers would not load under the students’ restricted account policy settings.

So now I’ve had a bit more time to dwell (and research the subject) and am working on a few new angles worth sharing.

“Semi” Automatic USB device scanning – Foundation

From the first post comments, Steve suggested looking at Didier Stevens’ USBVirusScan which can be configured to launch an AV application when a USB stick gets inserted.

I did so and it looks like it could fit the bill. The way it works is (basically) you download the zip file and unpack.  Then you edit a .bat file to the specific drive letter and the CLI path to the executable you wish to run.  Set it all up and when the main program detects a USB device loading, it triggers the pre-configured program to run.

See this Ditii blog post for some popular AV CLI commands to use: USBVirusScan: Automatic virus scanning, when plug in USB Flash Drive

As Steve (and Didier) suggest, this is great when tied to an AV/AM CLI supported software solution to scan the device in question immediately.

However, after reading Didier’s post, I (per usual practice) studied the post comments in depth looking for feedback and some additional practical applications.

Since some time has passed since Didier’s original post, the comment thread had grown quite long.

And in them was an even better gem built on USBVirusScan.

And then there was AutoRunGuard

Dan McCloy took Didier’s work and expanded it in a pretty awesomely effective way.

But first, Dan shows his chops by breaking down the definitions and operations of Windows AutoRun, AutoPlay, and EDDC.  It really helps to clear up the finer points of what is going on.

Dan McCloy’s Autorun Reference Guide

Well worth reading the concise and organized page. Dan provides a number of strategies for reducing the effectiveness (for security gains) of AutoPlay and AutoRun.

(Note: see also How to correct "disable Autorun registry key" enforcement in Windows – Microsoft KB953252)

Then Dan drops the bomb:

AutoRunGuard – freeware bat-file work combined with Didier’s USBVirusScan tool.

In its most basic default configuration, when a USB device is inserted, it opens a CLI window and asks you if you want to scan the drive, inoculate the device against future auto-run threats, or browse the device contents with Windows Explorer.

Cool.

However, what takes Dan’s program off the chart is that with some careful cmd-file editing you can make it respond based on a particular device’s volume name, treat CD material differently, do MD5-based verification of drive items to ensure they were not altered or compromised, and much more.

I have to confess, even for a bat-file builder like myself it was a bit intimidating at first with all the stuff Dan crammed in there. But once I quickly identified the particular drive-letter to be used on my system(s) and had carefully read the attached help-file (well done I might add) I had the program configured in no time.

The setting that you are most likely to need to customize is the command line for your particular anti-virus scanner.  Following are some samples that may match what you need. 

Test it first by running the command exactly as shown except that you should replace %d% with a drive letter and a colon for this test.  Then in the AutoRunGuard.cmd file, scroll down about 135 lines to where it says,

:: [[ Modify the following line to be whatever your system needs for performing a virus scan. ]]

Then replace the setting in the following (set MenuCmd=...) line with the one that worked for you.

Note that the path and parameters that a program uses may vary from one version and edition to another.  You might try browsing your Program Files folder to find the actual .exe files.  Note also that some programs offer both a command-line version (text will appear in the AutoRunGuard window) and a means to call the normal scanning window.

Worked like a charm.

For boot to shutdown protection, add a shortcut for USBVirusScan to the startup folder (or schedule the event to run at login in Vista). It will be ready and waiting for your USB disk to arrive for scanning!

Highly recommended.
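To make two of the AutoRunGuard ideas above concrete (the %d% drive-letter placeholder in the scanner command line, and the MD5 check of drive items), here is an added Python example of my own; it is not code from AutoRunGuard, USBVirusScan or Dan McCloy. The inoculate() step is an assumption about what the “inoculate” menu option does (pre-creating a folder named autorun.inf so that a file of that name cannot later be dropped on the drive), the scanner name is hypothetical, and the sample files are constructed in a temporary folder that stands in for the USB stick.

```python
"""Added example (mine, not code from AutoRunGuard, USBVirusScan or Dan McCloy).

Two AutoRunGuard ideas in Python: building the scanner command from a template
that uses the %d% drive-letter placeholder (as the help file describes), and an
MD5 manifest of a removable drive that can be re-checked for added, removed or
modified files. inoculate() is an ASSUMPTION about what "inoculate" means:
pre-create a folder named autorun.inf so a file of that name cannot be dropped.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

PLACEHOLDER = "%d%"  # the drive-letter placeholder used in the help file


def build_scan_command(template, drive):
    """Substitute the drive (e.g. 'F:') into a scanner command template."""
    if PLACEHOLDER not in template:
        raise ValueError("template has no %d% drive placeholder")
    return template.replace(PLACEHOLDER, drive)


def scanner_present(command):
    """Sanity check before wiring a command in: does the executable exist?"""
    exe = command.strip()
    if exe.startswith('"'):          # quoted path such as "C:\Program Files\..."
        exe = exe[1:exe.index('"', 1)]
    else:
        exe = exe.split()[0]
    return os.path.isfile(exe) or shutil.which(exe) is not None


def run_scan(command):
    """Run the scanner and return its exit code (0 usually means clean)."""
    return subprocess.call(command, shell=True)


def _md5_file(path):
    # MD5 matches AutoRunGuard's option; hashlib.sha256 is the better choice today.
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative, '/'-separated path) to its MD5."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = _md5_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the drive's current contents against a saved manifest."""
    now = build_manifest(root)
    return {
        "added": sorted(set(now) - set(manifest)),
        "removed": sorted(set(manifest) - set(now)),
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
    }


def inoculate(root):
    """Assumed inoculation: pre-create an autorun.inf folder on the drive.

    Returns False and changes nothing if an autorun.inf FILE already exists;
    that is something to inspect, not silently replace.
    """
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        return False
    os.makedirs(target, exist_ok=True)
    return True


def demo():
    """Simulate a USB stick in a temp folder with constructed sample files."""
    stick = tempfile.mkdtemp(prefix="usbstick_")
    try:
        os.makedirs(os.path.join(stick, "docs"))
        with open(os.path.join(stick, "docs", "notes.txt"), "w") as fh:
            fh.write("meeting notes\n")
        with open(os.path.join(stick, "tool.exe"), "wb") as fh:
            fh.write(b"MZ-constructed-sample")
        report = {"inoculated": inoculate(stick)}
        saved = build_manifest(stick)       # the known-good state
        # ...the stick comes back from another machine, changed:
        with open(os.path.join(stick, "tool.exe"), "ab") as fh:
            fh.write(b"-tampered")
        os.remove(os.path.join(stick, "docs", "notes.txt"))
        with open(os.path.join(stick, "stuff.bin"), "wb") as fh:
            fh.write(b"\x00new")
        try:  # dropping an autorun.inf file now fails because a folder sits there
            with open(os.path.join(stick, "autorun.inf"), "w") as fh:
                fh.write("constructed content")
            report["autorun_blocked"] = False
        except OSError:
            report["autorun_blocked"] = True
        report.update(verify_manifest(stick, saved))
        report["command"] = build_scan_command('scanner.exe /scan "%d%"', "F:")  # hypothetical scanner
        return report
    finally:
        shutil.rmtree(stick, ignore_errors=True)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-16s %s" % (key, value))
```

In use you would save the manifest (for instance as JSON on the stick itself or, better, on the host) right after a clean scan, and run verify_manifest() from the AutoRunGuard menu the next time the same volume appears; a non-empty "added" or "modified" list is the cue to scan before browsing.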

Curiosity

I am currently testing VIPRE Antivirus + Antispyware and wanted to set it up as the target AV scanner for AutoRunGuard’s cmd file.

Although VIPRE wasn’t included in the sample listings for CLI templates, I did find Sunbelt Software Support Answer ID 1759 to guide me in writing my own.

VIPRE offers you the ability to run a scan from the command line scanner.
Note: Using VIPRE's command line scanner is an advanced feature and should only be used by knowledgeable computer users.

The following parameters are available for the command line scanner with the syntax: SBAMCommandLineScanner.exe [parameter]:

/displaylocaldefversion - gets current version number of risk definitions
/displayvipreversion - gets current VIPRE software version number
/displaysdkversion - gets current SDK version number
/scannowquick - starts a Quick scan
/scannowdeep - starts a Deep System scan
/updatedefs - starts update definition
/enableap - enables active protection

However, it didn’t provide information on how to run a scan against a particular drive/volume target. The /scannowquick option seems to skip all additional drives (non-system partitions) entirely, and /scannowdeep will get to the mounted USB drive eventually, as it scans ALL mounted volumes/partitions in the process.

Thus, my line 136 of the AutoRunGuard.cmd file looks like this:

set MenuCmd="%ProgramFiles%\Sunbelt Software\VIPRE\sbamcommandlinescanner.exe" /scannowdeep "f:"

I saved it, launched the main USBVirusScan executable, inserted my USB stick and then picked the option to scan the drive when offered by the CLI window that appeared.

VIPRE began its (full) scan and about an hour and a half later, all the drives including the USB one were scanned.

That’s a long wait in many cases for it to arrive at the USB device with VIPRE’s CLI options.  I might be done using the USB stick and have ejected it by the time it finishes, despite VIPRE’s speed.

I fired off an email to the product support team, and even though it was the weekend, the TIER 1 support rep responded later in the day confirming what I suspected. It appears there are no command-line arguments (documented/undocumented) that will allow a CLI scan for just a particular drive-letter.  That can only be set and handled with a custom scan via the program GUI interface.

That doesn’t help me (and I hope it can be considered as a feature in a future version of VIPRE), but all is not lost. I will just have to use an alternative Portable Anti-Virus/Malware Security Tool that supports CLI drive-targeted scanning parameters. I listed a number of free ones to pick from. It just ends up being another AV/AM tool whose DAT files I have to update manually, however.

Users of other popular AV/AM tools won’t have that problem at all, as almost all of them support scanning just a particular drive via the CLI arguments they offer.

USB File/Volume Encryption - Revisited

As has been noted, TrueCrypt does require Admin rights to run the drivers, even if they don’t have to be installed.

I did find one alternative to TrueCrypt that seems to get around that limitation and might be a better solution for Alvis and other users who want USB volume encryption but work under restricted Windows accounts.

Rohos Mini Drive – freeware – Creates a hidden and encrypted volume on USB devices and does not require admin rights to run on any system. Nice. The GUI is much more user-friendly than TrueCrypt’s. Encryption algorithm: AES 256 bit key length. NIST approved. Size of encrypted volume is 1 GB. While not humongous, this should be more than adequate for the average user’s needs. It also packs a virtual keyboard to attempt circumvention of any keyloggers. Learn more about its features and see screenshots. Spotted on Download Squad.

I also found the following application that looked promising:

Cypherix LE Free Encryption Software – freeware – Similar to Rohos, this product (formerly known as Cryptainer LE) uses a 128 bit implementation of the Blowfish algorithm in Cipher Block Chaining (CBC) mode with a block size of 64 bytes. And you can create multiple 25 MB sized containers on your USB device. The interface is a bit more advanced than Rohos, but not quite to the TrueCrypt level of complexity. The USB portable version seems to be referred to as Cypherix Mobile.

Now for the administrator rights requirement test:

Can Cryptainer be installed without administrator privileges?

Unfortunately this is not possible. Cryptainer runs as a process within the Windows framework. It needs to be enabled as well as started up and shut down on request. It is necessarily constrained, by the overall Windows configuration, of the client machine.
This in turn is derived from the security, permissions, to illustrate just one instance of the client machine.

Please note that while Cypherix Mobile cannot be used without Administrative Privileges, the full version (Cryptainer) can be installed on any machine, with or without Admin privileges.

Thus it doesn’t appear to fully fit the bill for students. Too bad, but less competition for Rohos I guess.

USB Related Security Matters

Expanding the USB device theme a bit more:

Prevent Your PC From Booting If Your USB Drive Is Not Inserted - MakeUseOf.com. Beware! Here be dragons! Varun Kashyap provides a clear (if not dangerous) way to create a poor-man’s SmartCard boot dongle. Basically you set your BIOS (if supported) to boot from USB devices first, and move some critical Windows system boot files to a USB device (boot.ini, NTLDR and ntdetect.com). When the system boots it looks to the USB device and reads the files it needs. No USB device with the needed files? No boot. Written for XP but should work in principle with Vista as well.

As the article points out, it isn’t “secure” in the sense that a system protected by whole-disk encryption (using either the freeware CompuSec or TrueCrypt) would be. Any advanced IT user with a LiveCD (Win PE or Linux) to boot the system could still access the files on the otherwise non-bootable system quite easily.

The NOISY U3 Thumb Drive File Access behavior in Windows - SANS Computer Forensics, Investigation, and Response. Great post by J. Michael Butler using the older Sysinternals FileMon (now replaced by the more advanced Process Monitor) tool to capture U3 USB drive application behavior. He even identified a U3 activity log created under the user’s application temp folder containing dates, times and serial numbers. Neat!

Forensic Incident Response: Tales from the field – Great analysis from Hogfly of a malware infection response that also involves a USB drive and autorun behavior execution.

Forensic Incident Response: Old is new - Tales from the field – Hogfly details how old attack methods against the MBR and autorun files on removable devices are being repurposed for renewed system attacks. Good stuff, especially as new discovery techniques are matched against them!

Forensic Incident Response: Beware the key – Last one.  Reminder of applying common sense and some protective measures already discussed in this post against USB device autorun features.

Motto for the night: Plug up your holes before plugging into your USB ports!

--Claus V.

Saturday, December 13, 2008

Security and Forensics Roundup: Heavy Version #3

[Photo 070824-F-5957S-367] Public domain photo: taken by U.S. Air Force Senior Airman Julianne Showalter

Been a busy week in the security world this past week.

Lots of hurt coming up from the swamplands and lots of smack-back from the anti-malware forces.

Pull up a chair, it’s story-time from the trenches.

Malware and Rogue Security Products

Sunbelt blog points us to a recent whitepaper that looks at the issues around classification of malware variants: Learning and classification of malware. Just like virus and trojan classifications, to the average end-user there seems little rhyme or reason in the way malware and viruses are classified. Adding to the confusion, names given by one AV vendor may differ significantly from other vendors’, making it difficult for both researchers and end-users to get uniform and detailed information from vendors.

It’s an interesting paper and, while deeply academic in parts, some sections could benefit both malware-busters and forensic examiners with their behavior pattern descriptions and background. Working link to the 20-page PDF here.

FakeXPA... Journey of a Rogue and Win32/Yektel - the Other Kind of Rogue - Microsoft Malware Protection Center – Two short but sweet looks at rogue security products that attempt to lure users into paying for their software by use of fake false-positives and “official” looking Windows Security Center presentations.

The first post contains some new (to me) images where the rogue presents a fake “BSOD” graphic on screen and then a follow-up fake Windows “reboot” screen image. While knowledgeable Windows users wouldn’t be fooled, unsophisticated users could easily be taken for an expensive ride “registering” the rogue product. The second post illustrates how a Browser Helper Object (BHO) can get installed and present warnings and alerts during IE browsing sessions, eventually leading a user to “register” the rogue product online. Bad, bad, bad behavior!

There are a few security sites that seem to delight in uncovering and exposing these security rogues. Malwarebytes blog » Rogues is one with a number of great catches. Sunbelt Blog is another great source. In fact, Alex Eckelberry has captured a year’s worth of rogueness on his 2008 Scareware perspective - a set on Flickr page. I feel a bit guilty for enjoying it so much!

Many AV/AM products can remove a good number of these rogues including Microsoft’s Malicious Software Removal Tool (MSRT), Malwarebytes’ RogueRemover FREE and Malwarebytes' Anti-Malware programs, and Sunbelt Software’s VIPRE Antivirus + Antispyware program.

The Windows Security Blog – New blog from Windows. Anticipate more Windows Vista/W7 related security posts here.

Advanced Malware Examinations

For deeper explorations of malware behavior (always good to understand from both a preventative and incident response perspective) look no further than these articles. It pays to know your enemy.

MS08-076: Windows Media Components: Part 1 and Part 2 – Microsoft Security Vulnerability Research & Defense blog. Now fixed vulnerability that linked two issues to create a combined vulnerability.  Not going to be a common vector, but it just takes one event.

MS08-075: Reducing attack surface by turning off protocol handlers – Microsoft Security Vulnerability Research & Defense blog. Now fixed vulnerability in Windows Explorer in Vista and Server 2008 that was exposed through the search-ms protocol handler.  Required user interaction so this post provides information on turning off any protocol handlers you may not be using.

MS08-067: Worms, Worms, Worms - Ask the Performance Team blog. Goodness knows there are lots of legitimate reasons your Windows CPU cycles can go off the chart. It’s a Windows thing. In some cases it could be due to malicious software. This post looks at detecting specific malware that exhibits that particular behavior.

What makes Rustock tick? – Sunbelt Blog – Notice of a presentation by Sunbelt researcher Chandra Prakesh on the Rustock malware at an industry conference (PDF and PowerPoint). According to Alex Eckelberry, “Rustock is quite interesting, as it is a complex backdoor trojan that turns a compromised system into a covert proxy, using highly sophisticated methods of evasion.”

Who needs to watch “Law and Order” reruns on cable with this geeky investigative goodness?

Security FAIL

Digging Deeper Into the CheckFree Attack - Security Fix. Yep. For a while, folks who logged into the CheckFree bill payment system (host to over 330 companies) were affected. The attack vector appears to be a phishing or credential hijack of a website administrator. Changes were thus made to the website, and customers accessing the site were redirected to a site that attempted to install a password-stealing application. No word if or how many customers may have been compromised. The post goes on to examine how this vector, aimed at the keepers of the keys, may grow instead of attacks aimed at customers directly. Good stuff.

Yep. The otherwise useful MSRT actually ended up removing a few files from legitimate applications.  Microsoft pushed an updated version that corrected the failures a day later via Windows Updates out of cycle.

Now a word about that IE Zero-Day exploit thing…

Best I can tell at this point, it all started when a researcher found some malware in a Chinese forum that may have been used primarily for the hackers to steal credentials from Chinese gamers.  Or maybe not.

In the base-case, code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about one in three times.

At first it looked like it was just an IE 6 thing on XP, but then it encompassed IE 7 on XP, and Vista platforms might also be impacted.  Now it appears that all versions of Internet Explorer from 5.x up to 8 betas are probably at risk.

A patch is still pending from Microsoft and most recommendations are for folks to temporarily switch to an alternative browser, including Google Chrome, Opera Browser, Firefox, or Apple Safari. If you haven’t tried one before, almost all should auto-import your IE bookmarks, but you can also try using the freeware Transmute utility.

For “official” word from Redmond see this Microsoft Security Advisory KB961051 which includes a number of workarounds (hint, look at the bottom of the expanded Suggested Actions section), although the risk is relatively low for users who practice safe computing behavior.  As summarized by rmogull at Securosis.com they are:

    1. Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.
    2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
    3. Enable DEP for Internet Explorer 7.
    4. Use ACL to disable OLEDB32.DLL.
    5. Unregister OLEDB32.DLL.
    6. Disable Data Binding support in Internet Explorer 8
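Workarounds 1 and 2 in that list come down to per-zone Internet Explorer settings, so here is an added Python audit script of my own (not from the Microsoft advisory or the Securosis post) that reports whether ActiveX controls and Active Scripting are set to Prompt or Disable in the Internet and Local intranet zones. The registry layout it reads is the documented IE one (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 and \3, value names 1200 and 1400, data 0 = Enable, 1 = Prompt, 3 = Disable); the SAMPLE data is constructed so the logic can be exercised anywhere, and read_zone() only works on Windows.

```python
"""Added example (mine, not from the Microsoft advisory or Securosis).

Audits the IE zone settings behind workarounds 1 and 2: are ActiveX controls
and Active Scripting set to Prompt or Disable in the Internet (3) and Local
intranet (1) zones? assess_zone()/audit() are pure functions fed by either
read_zone() (Windows registry, HKCU) or the constructed SAMPLE data.
"""
import sys

ZONES = {1: "Local intranet", 3: "Internet"}
# Documented IE zone action value names and their meaning.
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}
STATES = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"


def assess_zone(values):
    """values maps value name ('1200', '1400') to its DWORD data for one zone.

    A missing value is reported as 'unknown': the effective setting then comes
    from the zone template, which this script does not resolve.
    """
    verdict = {}
    for name, label in ACTIONS.items():
        state = STATES.get(values.get(name), "unknown")
        verdict[label] = {"state": state, "mitigated": state in ("Prompt", "Disable")}
    return verdict


def read_zone(zone_id):
    """Read one zone's action values from HKCU (Windows only)."""
    if sys.platform != "win32":
        raise OSError("IE zone settings live in the Windows registry")
    import winreg  # imported here so the module loads on other platforms
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\%d" % zone_id) as key:
        for name in ACTIONS:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value not set explicitly for this user
    return values


def audit(zone_values):
    """zone_values: {zone_id: {value_name: data}}; returns finding lines."""
    findings = []
    for zone_id, values in zone_values.items():
        zone = ZONES.get(zone_id, "zone %d" % zone_id)
        for label, v in assess_zone(values).items():
            if not v["mitigated"]:
                findings.append("%s: %s is %s" % (zone, label, v["state"]))
    return findings


# Constructed sample: Internet zone hardened per the workaround, intranet not.
SAMPLE = {
    3: {"1200": 3, "1400": 1},
    1: {"1200": 0, "1400": 0},
}

if __name__ == "__main__":
    data = {z: read_zone(z) for z in ZONES} if sys.platform == "win32" else SAMPLE
    for line in audit(data) or ["no findings: both zones prompt or disable"]:
        print(line)
```

Because the workaround only needs to hold until the patch ships, a script like this is handy for confirming the setting actually took on every machine (group policy can override the per-user key) and for reverting afterwards.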

Late breaking update: Clarification on the various workarounds from the recent IE advisory – Microsoft Security Vulnerability Research & Defense blog:

The vulnerability is caused by memory corruption resulting from the way Internet Explorer handles DHTML Data Bindings. This affects all currently supported versions of Internet Explorer. Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference.

Which workarounds should you apply?

The advisory now lists nine different workaround options. We have been adding additional workarounds with each advisory revision to give you more surgical options to cut off the vulnerable code path. Only IE8 has an option to turn off data binding altogether. So unless you are using IE8, you’ll need to:

  • (A) block access to the vulnerable code in MSHTML.dll via OLEDB, protecting against current attacks
  • (B) apply the most secure configuration against this specific vulnerability.

Optionally, you may choose to (C) make it much harder to heap spray.

The table…lists what type of protection each advisory workaround provides.

What is very beneficial from this late-breaking article is that it then goes into depth in technical discussion on why the various protection method workarounds work, and why some are “better” than others.  Neat and quite open material from Microsoft on a potentially impactful IE exploit.

Here is a roundup of what may be useful cross-referencing linkage on the IE exploit.

Forensic and Security LiveDVD goodness

Some GOLDEN finds in Live boot disk compilations. I carry several of these disks in my software kit, but these just might lead me to reduce the number considerably:

SUMO Linux – Combines Backtrack 3, Helix 2.0, Samurai Linux, DBAN, and DVL live distros into a single package.  How awesome is that!  Spotted via Room362 blog

MultiISO LiveDVD - Something for everyone - BadFoo.NET Pen Testing Shells:

…an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It's an all-in-one multipurpose LiveDVD put together. There's something in it for everyone. I hope you enjoy it.

MultiISO LiveDVD Version 1.0 consists of Backtrack 3, Damn Small Linux (DSL) 4.2.5, GeeXboX 1.1, Damn Vulnerable Linux (Strychnine) 1.4 edition, Knoppix 5.1.1, MPentoo 2006.1, Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets), Puppy Linux 3.01, and last but not least Byzantine OS i586-20040404.

Spotted, yet again, via Multi-Boot Security LiveCD DVD – Room362 blog. That link also contains a link to a podcast review and more information.

Bonus Linux find: DEFT Linux LiveCD, which contains Xplico, an alternative sniffer/assembler to Wireshark and ClearSight Analyzer that combines many of their best features and capabilities. Spotted over on the Eternal sunshine of the geeky mind blog’s Network forensics beyond Wireshark post.

Yeah baby!

Crime and Smackdown Punishment

Nigerian Defense - Eternal sunshine of the geeky mind blog.  Really officer, I was duped!

CYB3RCRIM3 – new blog I discovered via the above story. Great writing and analysis on the intersection of criminal and civil law and technology. I lost a full afternoon just reading the many posts. An interesting meter of just how laws and technology are changing each other.

Sunbelt Blog: FTC goes after Winfixer and Sunbelt Blog: The Innovative Marketing saga continues. From the first post:

At the request of the Federal Trade Commission, a U.S. district court has issued a temporary halt to a massive “scareware” scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of those responsible for the scheme, to preserve the possibility of providing consumers with monetary redress.

As we used to say to the neighbor’s sweet boxer Rufus, “Sic ‘em!”

Miscellany

Syn: The Story of an Insider - Part 2. The Sys Admins Story – SynJunkie’s second story detailing an insider threat and the security incident response is getting into high-gear now.  I sense a collision coming on!

Windows Physical Memory: Finding the Right Tool for the Job - SANS Computer Forensics, Investigation, and Response blog. Wonderful roundup of many free and a few commercial tools that can be of use to both forensic investigators and curious system administrators.

Got Download?

--Claus V.

Browser Bullets: #3

Browser related items from the past week.

Commentary provided at no charge…

Firefox

Yep.  Firefox 3.1 beta 2 was released this week to the public and curious.  I duly updated my systems. It’s stable and fast on my systems.

  • First look: Firefox 3.1 beta 2, now with private browsing – ars Technica – Good master-review of the newest features and additions in this version.
  • Firefox 3.1 nightly finally gets linking in source viewer – ars Technica – Very minor but cool feature. When you view the source of a webpage, the URLs in the source code are now hyperlinked so you can jump to them directly and no longer need to copy/paste them into the address bar.
  • Privacy, tabs and web content overhaul in Firefox 3.1 Beta 2 - Mozilla Links – Wonderful detailed review of the finer updates and changes making their debut in 3.1 b2 including enhanced program updating information, new session-restore dialog window and feedback provides bad-site recovery isolation, multiple-bookmark management, tagging refinement, among many others.
  • Mozilla Project Weekly Status: December 8th -Firefox Extension Guru’s Blog – What’s next!
  • Tip: Dragging Current Page to Bookmarks Folder - Firefox Extension Guru’s Blog – Firefox 3.1b2 now brings “tab-tearing” to Firefox.  That could be a good thing but many Firefox users are likely to find a realm of issues getting used to this new “feature”.  Previously I drag-n-dropped tabs into bookmark folders for my bookmark capture.  Now with tab-tearing, this creates all manner of havoc. New Firefox windows for tabbed pages littered my system.  The Guru’s tip? Instead of using the tabs to bookmark, drag-n-drop the favicon for the page on the address-bar. Simple and it works.  Now if I can just unlearn my previous bookmarking habit.

First Ever Firefox Malware Attack? NOT!

  • Firefox extension used as password stealer? – SANS ISC. First wind blew in regarding a rogue Firefox Add-on.
  • Firefox Malware? – meandering wildly blog – Johnath provides information on the attack vector (users have to be tricked into downloading and installing the bad .xpi file) and on identification (look in your Add-ons extensions list). From that post:
  • Does This Mean that Firefox is Insecure?

    No, and here’s why:

    • This particular malware targets our program, but once you have malicious software running on your system, it can just as easily attack other programs, or harm your computer in other ways.
    • This isn’t contracted by just browsing around the web with Firefox 3. In fact, the Malware Protection features in Firefox 3 are designed specifically to prevent sites from being able to attack your computer.

    The people getting infected here are either downloading enticing files that have the malware hiding inside (which is why Firefox 3 hands off all downloads to your computer’s virus scanner once downloaded) or, as some sites are reporting, people who have already been infected in the past having their computers forced to download this file as well.

    Typical Firefox 3 users who avoid downloading software they don’t trust are unlikely to ever see this, and even the sites reporting it describe its incidence as “rare”.

  • Trojan.PWS.ChromeInject.B – BitDefender write-up on the technical details.

Of course they make a really lame statement trying to appear cutting-edge in their response.

It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox's chrome environment.

Many other tech-sites took up the salaciousness of this statement and in typical security consciousness on the web ran with that as the hook.

Umm. Not even close.

Lest we forget so soon, installation of malware into Firefox has been a rare, but not unheard-of, occurrence for regular Firefox users and watchers.

  • Firefox add-on contains malware - heise open source UK – Remember this one from May 2008? It contained malware in a Vietnamese language pack add-on for Firefox on the servers of the Mozilla project and had been floating around since at least February 2008.
  • FormSpy - Spyware program hooks into Mozilla Firefox - Harry Waldron - Corporate and Home Security.  This bad-boy dates all the way back to July 2006 and in fact is remarkably similar to the current version in that its purpose is “…monitoring the user's browsing habits, stealing information including monitoring and logging information from Web forms”

As Johnath pointed out, users who don’t download unsolicited software/add-ons via email enticements and who use common sense are unlikely to be fooled. Those users who do this regularly probably already suffer from bigger problems, the least of which should be blamed on Firefox or any “vulnerabilities” of this particular sort.

Finally, attempting to bring calm to this misguided train-wreck is Dancho Danchev who hasn’t forgotten previous attempts with malicious xpi file add-ons.  He suggests the damage is likely to be minimal at best. From his Password stealing malware masquerades as Firefox add-on post over at ZDNet.

Despite the novel approach used, the malware would have made a huge impact if it were released several years ago when E-banking authentication was still in its infancy since plain simple keylogging is one part of the session hijacking tactics used. And while they will indeed obtain the accounting data, this is no longer sufficient for a successful compromise of a bank account. In comparison, the techniques used by sophisticated crimeware like Zeus, Sinowal and Wsnpoem undermine the majority of two-factor authentication mechanisms used by E-banking providers, since once you start doing E-banking from a compromised environment nothing’s really what it seems to be anymore.

Enough said.  Lest I begin to sound like an Apple fanboy.

Chrome/Chromium

A number of goodies here.

  • Official Google Blog: Google Chrome (BETA) – Official Google Blog – Recent updates have convinced Google to remove the beta designation on Chrome.  Well deserved.
  • Google Code - Browser Security Handbook landing page – Great write up from Google on issues related to web-browser security.  This is not Chrome specific and provides a wonderful read for technically minded folks on browser security.
  • Google’s Chrome Team Mulls Local File Restrictions – InformationWeek. Thinking here is that Chrome might be better locked down in the way it is allowed to handle and execute local web-page format files on the system.  It is sensitive for Web-hosted page files, but security permissions might be looser locally and could be used for malicious purposes.
  • Chromium Nightly Updater v1.2 – I don’t use Chrome, but Chromium instead and the nightly updates in particular. Since the internal updater doesn’t function very well with these, I use this to help me keep an eye on the latest versions. This update adds a number of great and needed features:
      • Now checks the last 5 builds to see if one of them is working instead of just the last one.
      • Better informational messages.
      • Fixed: The URL to the page listing the latest builds was changed by the Chromium devs, thus causing the updater to always report it [the build] as not working.
      • Fixed: In certain situations the build status could be reported incorrectly.
      • A few other minor improvements and bug fixes.

  • Just another chromium updater - Google Chrome Forum – Alternative version that does the same thing but has a different layout and some different features.
    • retrieve logs/builds information partially.
    • get the latest 20-30 revision record with available download links in just 20s.
      (this depends on your net speed; the faster your network is, the more records you get.)
    • upper-casing keywords(update, bump, fix... etc) in revision logs
    • simple download function.
    • copy file link to clipboard on doubleclick on the links

  • Chromium Updater v1.01 – One last updater that is pretty simple. Run, downloads latest versions and installs the update. As a control-freak I want to do the unpacking and installing myself, but for those who don’t care, perfect.

In other IE Vulnerability news…

Yes, I do know about that current “0-day IE exploit” thing, but this isn’t related to that one.

This involves an XSS weakness found in IE 8 Beta 2.

Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities – cgisecurity blog. Reported by Rafel Ivgi; I can only hope this one gets fixed in the next IE 8 Beta release. As explained in the first link, quoting from the second (source) link:

"Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that safely allows transferring data across domains, allowing them to interact with each other.

The Anti-XSS filter has been found to have some security holes in the current implementation. Microsoft decided to filter "Type 1 XSS" which is free text sent to the server being reflected to the user and therefore injecting HTML code into the website's page. They chose not to handle certain situations such as injection into a JavaScript tag space, which would be extremely difficult to filter. The software giant also chose not to filter injection into HTTP headers, which will drive hackers to focus on discovering CRLF vulnerabilities."
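The last point of that quote is the one server-side developers should take away: a browser-side reflected-XSS filter does nothing for user input echoed into HTTP headers, so CRLF (response-splitting) defense has to live in the application. As an added illustration of my own (not code from cgisecurity or Aspect9), here is the vulnerable pattern of copying a request parameter into a Location header beside the hardened form that rejects CR, LF and other control characters before the header is built. The function names and the sample input are constructed.

```python
"""Added example (mine, not from the cgisecurity post or the Aspect9 advisory).

Shows why injection into HTTP headers sits outside a reflected-XSS filter:
the fix is server-side validation of header values (RFC 7230 forbids CR, LF
and other control characters in a field value). Names and sample are mine.
"""

# Byte values that must never appear in an HTTP header value.
CONTROL = set(range(0x00, 0x20)) | {0x7F}


def build_redirect_unsafe(next_url):
    """Vulnerable: the 'next' parameter is copied verbatim into Location."""
    head = "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n" % next_url
    return head.encode("latin-1")


def is_safe_header_value(value):
    """True only if the value contains no CR, LF or other control character."""
    return all(ord(ch) not in CONTROL for ch in value)


def build_redirect_safe(next_url):
    """Hardened: refuse to build a response around an unsafe header value."""
    if not is_safe_header_value(next_url):
        raise ValueError("header value contains CR/LF or control characters")
    return build_redirect_unsafe(next_url)


def count_headers(raw):
    """Count header fields the way a lenient client would parse them."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1  # minus the status line


# Constructed sample: a 'next' value carrying a raw CRLF pair (as it would look
# after URL-decoding) that would smuggle an extra header into the response.
SAMPLE_NEXT = "/home\r\nSet-Cookie: session=constructed"


def demo():
    """Return what each builder does with the constructed sample input."""
    unsafe = build_redirect_unsafe(SAMPLE_NEXT)
    try:
        build_redirect_safe(SAMPLE_NEXT)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "unsafe_header_count": count_headers(unsafe),   # extra header present
        "safe_header_count": count_headers(build_redirect_safe("/home")),
        "blocked": blocked,
        "benign_ok": is_safe_header_value("/home?x=1&y=2"),
    }


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-20s %s" % (key, value))
```

Most modern web frameworks apply exactly this check inside their response objects; the example is useful when you are writing raw responses yourself or reviewing legacy code that builds headers by string concatenation.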

There you go!

--Claus V.

Mid-December Linkfest: Snowflake version

This past Wednesday night we Texas Gulf-Coast residents were treated with a very rare sight:

Snow.

It started coming down while we were at our church-house and on the drive back it was full flurries.  Visibility driving was something else.  Alvis had been soaked by antics while I was wrapping up some training (for me) on the software used to build and project displays during the Sunday services.

It was late when I got out and it was cold and I wanted to get home and cook dinner for the girls.  So instead of playing for a moment, we jumped in and got home quick.

The next morning (Thursday) most of the East-side Houston freeways and overpasses were shut down due to ice.  Our cars were covered with at least 4 inches of powder-grade snow as were all horizontal and some vertical surfaces.

I made a really horrible mistake that I have been chastising myself for the rest of the week.

See I should have paused being a responsible adult and taken the moment (or hour) to have a snowball fight and do other stupid things with Alvis and Lavie.

Instead I diligently worked to scrape down the cars so they would be safe to drive, pre-warm them by running the engines, and fuss at Alvis to stay back because of the mud, water, and the rush to get her off to school.

Big FAIL.

Once all was contained and all were in their designated places of action, reality hit me Dad-style for missing a rare opportunity to play in thick and deep snow with the girls.

I mean how many chances do we have to do that?  Apparently only after a major hurricane hits us.  That seems to be the pattern at least (Rita-snow/Ike-snow).

Lesson learned and not to be forgotten.

Take a moment to play in the snow…then move on with life.

It will still be there waiting.

Linkage

Here are some miscellaneous links for you to play in today.  No mess no fuss.

--Claus V.

Utility Bag dump-out

Here are some updated and improved tools you might want to take a look at:

Process Monitor v2.03 – Windows Sysinternals - “This update to Process Monitor, a real-time file, registry, process and network monitor, adds the ability to import and export configuration settings, shows an icon in the operations column depicting the event class of the operation, and fixes a symbol configuration bug on Windows XP.”

Autoruns v9.36 – Windows Sysinternals – “Autoruns changes the Hide Microsoft Entries to only hide Windows entries, fixes a bug in the Find behavior, allows enabling and disabling entries using the space bar, and fixes a number of minor bugs.”

Process Explorer v11.31 – Windows Sysinternals – “This update works around a bug in the latest Debugging Tools for Windows debug engine DLL and fixes a bug that could cause objects to show up as <unknown type> when Process Explorer was run without administrative rights.”

CleanAfterMe v1.30 – NirSoft - Clean Registry entries and files in your system adds new options: Fill files with zero bytes before deleting them (In Advanced Options), Don't ask me before cleaning my temporary folder (In Advanced Options), New cleaning items for Outlook/Word/Office temporary folder.

SpecialFoldersView v1.05 - Nirsoft – Utility to easily jump to special folders in Windows now adds 'CSIDL Name' column.

DriverView v1.16 – Nirsoft – Utility that lists all device drivers currently loaded on your Windows system now adds new option to hide Microsoft drivers.

NetworkMiner V0.87 released – SourceForge- NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic. Version update deals with bug fixes.

Anti-Malware Toolkit v1.06.157 – Lunarsoft – Acts as a central anti-malware/anti-virus tool and program downloader.  Select the items you wish to download and it will auto-download the files to appropriate folders.  In many cases, users must still “install” the applications locally, but this does  provide “one-stop” downloading for harried support staff.  From the author’s website linked above:

Changes:

  • [Added] Tab control added to user interface to access Main, Settings and About.
  • [Added] Proxy settings including username and password for authorization.
  • [Added] Setting to download into categories (E.G.: Applications, Definitions).
  • [Added] Option to save download path.
  • [Added] Ability to open download folder when downloads complete.
  • [Added] Settings are now saved to an xml file.
  • [Added] Regedit now available under Tools menu.
  • [Added] Auto-update feature and option in Settings.
  • [Added] Update status added in statusbar.
  • [Changed] Links menu contents rearranged. Windows Update now under Tools; PC Cleanup, PC Security and Lunarsoft links found under Help.

According to Download Squad this version now “…supports 37 different downloads in five categories, including:

  • Spyware: Spyware Blaster, CCleaner, RogueRemover, SUPERAntiSpyware, Malwarebytes, Spybot, Hijack This
  • Definitions: Avast, Avira, Spybot, Malwarebytes, SUPERAntiSpyware
  • Utilities: Dial-a-fix, JavaRA, Autoruns, Process Explorer, Rootkit Revealer, Unlocker, LSPFix, MS Malicious Software Removal, Windows Installer Cleanup
  • Uninstallers: Avast, Avira, AVG (x86 and x64), BitDefender, Kaspersky, McAfee, One Care
  • Recommendations: Firefox, Opera, Thunderbird, Avast, AntiVir, Comodo (x86 and x64), Auslogics Defrag, PageDefrag, UPHClean”

Blue Badge rev. 3 – Within Windows blog – This Windows 7 alpha image hack tool now “…no longer patches system files, no longer requires administrative permissions, and is no longer locked to any specific build. It inserts all the known protected feature GUIDs as of build 6956 into the current user’s branch of the registry.” These unlocked registry override bits allow activation of various disabled features including "Aero Peek".

Go get updating kiddos!

--Claus V.

(In)Security Response: Room for Improvement

I gotta confess.  I’m a bit depressed at the moment.

No, strike that.  Depressed is a word too strong and connotative.  Maybe melancholy?

Hmmmm.  Not quite there.

Let’s just describe it as reflectively-frustrated.

That will do.

See, I’ve decided that our security responsiveness is kinda “weak”.  And I’m feeling the pull of duty to do my part to kick-it up a notch…and the extra work that will bring on.  And maybe some resistance as well if things are ever implemented.

Background

I don’t see myself as a John Wayne or Walker, Texas Ranger figure.  Sure, I did want to pursue a career in law-enforcement as a young-man and through college.  Even applied at the F.B.I. at one point and talked to a Houston P.D. recruiter.

I think that came from two sources; a deep sense of respect for my late maternal grandfather who was a commended F.B.I. Special Agent (old-school Fed), and a deep curiosity of figuring out things that I currently don’t understand.

My career choices haven’t led me down that path.  However, that curiosity has led me down deeper into the realms of computer forensics and incident response awareness.

Computer systems fail for numerous reasons and I’ve always enjoyed working on them without feeling intimidated in the least.  That led to side-duties in my earlier jobs as a local site pc first contact.  That led me to become pretty darn good on my own troubleshooting local systems.  That was noticed (my offices rarely called into the Help Desk) and I was successfully recruited and joined the IT department. My familiarity with the desktop OS’s led me to pretty quickly detect malicious software without needing to use the traditional “AV” scan tool, and I could remove most infections by hand.

Dealing with malware regularly as part of my job and the go-to-guy led to a deeper and constant review of malware write-ups and analysis by others as well as additional tools used to detect and monitor system processes and activity.  Some of the very best tools and techniques overlap in the computer forensics field.  So I began adding just such websites and blogs to my RSS feed list, always on the lookout to learn more to sharpen my skills in core OS support.

Evolution

Funny thing happens when you do that.  You might grow in unintended ways.

Although the majority of my job duties as a SME (subject matter expert) now entail project management and knowledge-base/process documentation and development, I continue to actively stay engaged in the field and topics of OS workings and malware/virus response. I love the challenge it brings.

All those readings and knowledge gleaned from real experts in the forensics and incident response professionals (of which I am not) have rubbed off. 

I have become deeply sensitive to these things, and the standards to which we need to not only aspire to, but master and apply.

And in my role, I have a duty and level of organizational influence to try to do something about it for improvement.

And we probably have a very long climb ahead.

The Peaks

Way up in our organization we have a CSO (chief security officer) who has been doing a great job in bringing security awareness and application into our organization.  We are now working on encrypting all hard-drives org-wide, have a great security policy document on the intranet somewhere, use email encryption, set password policy, and clearly have focused on software solutions for a majority of security weaknesses.

Way over elsewhere we have a crack team of network professionals who do magical things.  They actively monitor and filter the network and are very responsive during high-impact virus/worm/trojan breakouts in our system, blocking infected systems from the network until cleaned.

Finally, we have a very clever desktop and server support group.  They work hard and long to ensure desktop images are patched and up to date.  They coordinate and monitor reports to find local workstations that don’t have current anti-virus defs loaded, as well as systems that have reported in with AV activity.

So here’s the problem.

Our local group of technicians and analysts are tasked with working with these groups and fixing the problems found.  And the vast majority of work in the incident-response plan is sending a technician out to the location, running various cleaning tools (AV/AM) to disinfect the system, ensure it is fully patched and AV DAT files are current. Period.

That’s the bulk of our local incident-response plan and procedure.

And I’m now painfully aware that isn’t sufficient.

  • No attempt to first isolate the system and capture an image of it for review.
  • No attempt to determine the date and duration of initial compromise.
  • No attempt to log and capture the malware/virus/trojan/etc.
  • No attempt to determine what (if any) information on the local system might have been compromised or lost.
  • No attempt to analyze the source and vector of the “attack” infection.

None of the standard incident-response actions.

Usually only if something really “icky” is found, or IT is independently notified by our inspector general’s division, or a special request for review comes in does our IT team scramble the jets and actively do an “incident” response.  But even then, I sometimes wonder if our response process would meet professional forensic response guidelines.

On most all days and cases it’s just explore, poke around, “clean”, and if it is really yucky, just off-load the user’s data, wipe the system, reimage it, and put the data back.

Scary isn’t it?

How much information is lost?  How much “damage” occurs?  What knowledge is lost by the “cleaning and inspection” process performed on the system by our technicians?

How do we find a balance between getting the end-user back up and running quickly for production work versus performing a thorough incident response to assess what (if any) information leak or compromise has occurred?

Meditations

I know from experience that at the root this is a “cultural” issue in our organization.

Our local staff are low in number and we have a ton of work to do.

They haven’t been trained in incident response methodology.

We don’t have (at least at the local level) any process, procedures, or clear expectations for incident response.  In fact, we really haven’t even clearly defined the scope and impact of what constitutes an “incident”.  Clearly based on our responses, infection of a system with virus/trojan/worm/rootkit/malware is defined as a removal task, not a potential system compromise incident response.

I, D-Man, Mr. No, and the other senior members of the IT team do care and are sensitive to these matters and want to vastly improve what we do in this area.

We are blessed to have a manager whom we report directly to who is also very sensitive and responsive about these issues.

We just need to do our homework, create an incident response structure and plan that fits our environment, do training, and then foster an ongoing and enhanced sense of incident response and awareness.

Right now I’m culling, printing, and using my “free-time” at work to study up materials, incident response forms, policies and structure from the following sources:

Incident Response Resources – U.S. Security Awareness

Best Practices Guide (BPGL) – FIRST Forum of Incident Response and Security Teams

What got me thinking…

Not too long ago we had an incident where an automatic tripwire alerted me to someone with a Chinese IP address attempting to log onto various network devices.  Even though it was the weekend, I alerted D-Man as well as the network gurus.  It appeared no harm was done, and (apparently) this happens all the time and isn’t that big of a concern.  Based on my own analysis of the event and the sphere of control I have, I proposed making some password and ID changes to the specific devices.  That was acknowledged but changes have yet to be implemented.

I read NASA’s Wayne Hale’s blog post Real Engineers and the way organizations look at the value of people based not on the roles people play, but what they can “really” do.

I earned an undergraduate degree in engineering from a prestigious and notoriously competitive university.  After that I went on to do engineering research and complete a graduate degree in engineering from another major university with a reputation for excellence in engineering; along the way I wrote and defended a thesis and authored several papers which were published in professional engineering journals.

When I came to work for NASA, I was fortunate to get a job in the operations area:  mission control.  A thorough understanding of engineering principles and practices was mandatory for my job.

So I was floored just a few months later when I first heard it:  "you are not a real engineer". I was just "an ops guy".

In the NASA pantheon of heroes, the highest accolade any employee can be granted is that they are a "real engineer".  Not even astronauts rate higher.  The heart of the organization worships at the altar of engineering:  accomplishment, precision, efficiency.  What does it take to be a "real engineer"?

It’s a great read and while I was originally analyzing it in light of the “forensic examiners now need P.I. certifications” debate going on across states, it struck me that this might apply to our IT culture as well.

Maybe since we don’t see or interact with any “real” security incident responders, we don’t see the importance or value of our role on the front lines in this battle.  Are we just the grunts or infantrymen who go in and take out the enemy pill-box and continue to advance?  It’s the job of military intelligence to collect the trends and larger picture. Clean and move on.

I think that is a dated and dangerous stance if true; particularly on the front-lines.  Our technicians play a keystone role in incident response.  Only it looks like very few have realized it yet and certainly not drafted a plan for their role in it.

Consider the following recent posts from the professionals Hogfly and Keydet86’s computer incident response blogs on the dynamic tug between first responders and incident responders (who just happen to be two of the very best of many great incident response blog authors):

I promise, it will make your head spin!

Wish us luck. 

Kicking up this potential ant-pile at work seems like the only responsible thing to do.

I’m in no way saying there isn’t any security awareness at our shop or in our organization at large, or that our technicians are the problem, or that any of the groups or individuals charged with securing and responding to incidents in our system aren’t doing their jobs.  We do have clear policies and our staff work extra hard at doing what they are assigned to do.  I just wonder if it is currently enough (on multiple levels of application) in today’s IT environment and regulatory demands.

I think we need to do more, and particularly at our field-level.  It’s the Sherpas whom those who climb the highest peaks depend on.

And BTW I’m open to suggestions from the professionals on how and where to start this process building and implementation.

Cheers!

--Claus V.