Sunday, April 28, 2013

ForSec News Roundup

Final GSD post of the weekend. 

Strategies of a world-class computer security incident response team - Help Net Security - Carson Zimmerman presents “…ten fundamental qualities of an effective CSIRT that cut across elements of people, process, and technology.” Run-time is just over 33 min.

ProcDOT - Visual Malware Analysis - SANS Computer Forensics and Incident Response blog. Christian Wojner introduces it thusly…“It correlates Procmon logfiles and PCAPs to an interactively investigateable graph. Besides that ProcDOT is now also capable of animating the whole infection evolution based on a timeline of activities. This feature lets you even quickly find out which server or which requests were responsible that specific data/code got on the underlying system, by which process it was written, how often, who injected what, which autostart registry key was set, what happened when, and so forth ...” Get it via ProcDOT - CERT.at

From the ProcDOT project page:

Instruction-Media

Tutorial-Video 1: The User Interface
Tutorial-Video 2: The Graph
Tutorial-Video 3: Analysis (Part 1)
Tutorial-Video 4: Analysis (Part 2): The Timeline

Over at the ISC Diary blog, Mark Baggett has been posting a great series of articles examining the tug-of-war between those in IT/Sec who advocate a full OS wipe/reload after a malware infection and those who say “save time and clean it” by removing the malware rather than reimaging the system. There still seems to be some mysterious desire by staff to prove what clever IT people we are by digging an infection out of a system rather than just recovering the user’s data, wiping the system, restoring it from a clean image and putting the data back. Maybe we all want to be a hero. However, as Mark’s posts show, if the cleanup is not done properly and completely, the malware may remain hidden but functional, and you may be back at it before you know it (with the rest of your data secrets lifted or your network exploited). These posts are a good guide and gut-check for how well these threats can play hide-and-seek. Familiarity with these techniques might be your last line of defense if your shop doesn’t have a fast-and-hard policy of recover/wipe/restore remediation.

Tracking Down Persistence Mechanisms - Journey Into Incident Response blog - Not to be outdone, Corey Harrell does a great companion-piece to the ISC Diary blog posts above.  Corey details how he uses Microsoft Autoruns utility in that process.

From one of the comments there, we jump over to Finding Evil: Automating Autoruns Analysis post over in the trustedsignal blog from Dave Hull.

And then in spot-on timing within the ForSec community, Mark Woan at woanware releases a new utility called autorunner

“Autorunner is based upon the AutoRuns tool by the Sysinternals/Microsoft gurus. It is designed to perform automated Authenticode checking for binaries designed to auto-start on a host. Its primary purpose is to aid forensic investigations.

“…autorunner is designed to work around all of these issues. It will check against all user profiles associated with the host. It will parse out LNK files to the actual binary (one level down). It allows the user to specify multiple drive mappings, so that if the forensic image contains multiple partitions you can map the original drives to mounted drives on the forensic workstation.

“The application should be used against a forensic image that has been mounted using whatever method you desire.”
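The three posts above (Corey’s Autoruns walk-through, Dave Hull’s automation, and autorunner’s signature checks) all boil down to the same triage: take an autostart listing, throw out what is signed and lives where it should, and look hard at what is left. As an added example, not code from any of those posts or tools, here is that first pass over an Autoruns CSV export. The column names are an assumed, trimmed subset of what autorunsc -c writes (the real set varies by version), the “(Verified) …” / “(Not verified) …” form of the Signer column and the “File not found: …” marker in Image Path are assumed to match Autoruns output, and the sample rows are constructed for this example.

```python
"""Added example: first-pass triage of an Autoruns CSV export.  Not code from the
posts or tools above.  Column names, Signer/Image Path conventions and the sample
rows are assumptions/constructed data, as described in the lead-in."""
import csv
import io
import re

# Directories a non-admin user can write to: a favourite home for persistence.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\|\\\$recycle\.bin\\",
    re.IGNORECASE,
)

# Core Windows binary names; one of these launched from outside \Windows\ is a classic masquerade.
WINDOWS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                 "ctfmon.exe", "winlogon.exe", "rundll32.exe", "services.exe"}

# Constructed sample export (trimmed columns).  Two benign rows, two that should be flagged.
SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,MSC,enabled,Logon,System-wide,Windows Defender User Interface,(Verified) Microsoft Windows,c:\program files\windows defender\msascui.exe,"C:\Program Files\Windows Defender\MSASCui.exe" -hide
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,Logon,CORP\jdoe,,(Not verified) Microsoft Corporation,c:\users\jdoe\appdata\roaming\svchost.exe,C:\Users\jdoe\AppData\Roaming\svchost.exe -k
HKLM\SYSTEM\CurrentControlSet\Services,ctfmonsvc,enabled,Services,System-wide,,,File not found: C:\Windows\Temp\ctfmon.exe,C:\Windows\Temp\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VBoxTray,enabled,Logon,System-wide,VirtualBox Guest Additions Tray Application,(Verified) Oracle Corporation,c:\windows\system32\vboxtray.exe,%SystemRoot%\system32\VBoxTray.exe
'''


def triage(csv_text):
    """Return the rows worth an analyst's eye, each with the reasons it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        signer = row.get("Signer") or ""
        image = row.get("Image Path") or ""
        if image.lower().startswith("file not found:"):
            # Dangling autostart: binary deleted, or hidden from the file system view.
            reasons.append("image missing on disk")
            image = image.split(":", 1)[1].strip()
        if not signer.startswith("(Verified)"):
            reasons.append("not Authenticode-verified (signer field: %r)" % signer)
        if USER_WRITABLE.search(image):
            reasons.append("launches from a user-writable directory")
        base = image.rsplit("\\", 1)[-1].lower()
        if base in WINDOWS_NAMES and "\\windows\\" not in image.lower():
            reasons.append("system binary name outside the Windows directory")
        if reasons:
            findings.append({"location": row.get("Entry Location", ""),
                             "entry": row.get("Entry", ""),
                             "image": image, "reasons": reasons})
    return findings


def new_since(baseline_csv, suspect_csv):
    """Entries in `suspect_csv` absent from a known-good export of the same build
    (keyed on location + entry + image path): the cheap 'what changed' check."""
    def keys(text):
        return {(r["Entry Location"], r["Entry"], r["Image Path"].lower())
                for r in csv.DictReader(io.StringIO(text))}
    return sorted(keys(suspect_csv) - keys(baseline_csv))


if __name__ == "__main__":
    import sys
    # Assumption: autorunsc writes UTF-16; adjust the encoding if your export differs.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for f in triage(text):
        print("%s | %s\n    %s\n    - %s" % (f["location"], f["entry"], f["image"],
                                             "\n    - ".join(f["reasons"])))
```

Run it with no arguments to see the two constructed rows flagged (the svchost.exe living in a roaming profile with an unverified signature, and the service whose binary has gone missing from a Temp directory); point it at a real export to triage a mounted image. The checks are deliberately dumb heuristics: a verified signature on a Microsoft path tells you the file is what it claims, not that the autostart itself is legitimate, which is where the baseline diff and the human come in.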

Securely wiping an SSD - TinyApps blog - Getting back to the drive-wiping thought, this quick post reminds us of some of the hazards of attempting to sanitize an SSD. Some might think using an SSD to hold image captures would be a good idea, but if you do, be sure it is one you can truly “zero out” and sanitize before porting your image over to it! Does anyone use SSDs for that purpose yet? What other challenges (cost aside) would this present? Are there any benefits to an SSD over an HDD for storing or capturing disk images?

Placing the Suspect Behind the Keyboard – NEW BOOK! - Windows Forensic Environment - Congratulations to Brett Shavers for his new book! It’s been added to my Amazon.com wish-list queue for triggering once my next Amazon.com gift certificate ship comes into port.

Tool Time - The Hacker Factor Blog - A great post in the theme of “know your tools” before you trust the results they provide. One of the gem finds in Dr. Neal Krawetz’s post is his link to the National Institute of Standards and Technology (NIST) and National Institute of Justice (NIJ) 2012 Computer Forensics Tool Testing Handbook from their computer forensic tool testing program. It’s got 173 pages of goodness to review. The latest publications can be found on this Topical Collection: Computer Forensic Tool Testing Publication Database | National Institute of Justice.

4:mag Issue #1 - Forensic 4cast. A very nice and slick digital publication debuts. This edition covers topics in iOS device/application data & malware, starting out in the digital forensics field, and hard-drive secrets.

The students over at the Champlain College Computer & Digital Forensics department have been busy working on papers addressing Private Browsing. Expect more in this series.

RegRipper Ripper (3R) and the list of reg keys covered by RR plugins - hexacorn blog.

RegRipper Consolidation - Windows Incident Response blog. Harlan and crew have been super-busy trying to clean house and tie up some loose ends in the RegRipper landscape. This new effort should make “one-stop shopping” and development support for RegRipper and its plug-ins much easier. Additionally, Harlan has been working hard on the blog to post additional background information on some of the myriad (Corey referred to 280+ in his post) RegRipper plug-ins.

Forensic 4cast Awards 2013 – Meet the Nominees - Forensic 4cast. Voting is now open. You can place your votes here.

Encrypted Disk Detector Version 2 - SANS Computer Forensics and Incident Response blog - Chad Tilbury announces and introduces a new version that is out. Get it here over at Magnet Forensics.

What is "up to date anti-virus software"? - ISC Diary. Great post and great discussions in the comments.

Case Leads: LivingSocial Hack, New Cyber Warriors, analyzeMFT update and more... - SANS Computer Forensics and Incident Response blog

Cheers!

--Claus Valca.

ForSec LiveCD bits

Things have been fairly quiet in the ForSec LiveCD world since the Kali Linux distro dropped.

They dropped a minor update last week for Kali Linux Accessibility Improvements for blind or visually impaired users. That was a nice touch.

--Claus V.

Browsers Browsers Everywhere!

…and in browser news and trends, things are getting pretty interesting…

Firefox/Mozilla

…meanwhile over at the other hot-rod shop…

Sadly, I remain terribly frustrated that Chrome developers just will not add a “sidebar” feature for bookmark management to Chrome like Mozilla has. This is a soapbox I just can’t seem to climb down from with Chrome. Again I say, if it were not for this one missing feature, I might jump to using Chrome/Chromium as my primary browser and relegate Firefox to the #2 slot.

The closest “solution” I have found are tree-style tab organizers…but the drawback of them is having to leave the tabs open.  Something I don’t like doing.

Sigh.

Finally…it’s a bit older post, but I found this post by Alex Limi very fascinating from a power user’s standpoint. I don’t at all like the idea of removing control and configuration settings from access. That said, as a sysadmin, you can certainly spend many frustrating hours troubleshooting a user’s web-experience problems before finding a buried browser setting that was causing the issue.

Cheers,

--Claus Valca

Lindi Ortega - Guilty Musical Pleasure of the week

Discovered via Kent Newsom’s blog Newsome.Org

BTW…according to Lindi’s website, she will be performing locally July 2nd 2013 at McGonigel’s Mucky Duck.

I listen to almost every genre of music…from Gregorian chant, to classical, to Scandinavian metal-rock, and enjoy all things in between. My iPod/iPhone library is a real eclectic mess of material!

But for some reason Americana/Bluegrass seems to tickle my soul like nothing else lately.

Lavie and Alvis are amazed that my car radio has been lingering on the local country-music channel.

I don’t know what the big deal is….

CV

News around the Water Cooler for Sysadmins

via Wikimedia Commons via Zach Tirrell under CC 2.0 attribution

And here is some Sysadmin news and tips now collected over the past few weeks.

Sorry, but someone took all the paper cone water cups off the water cooler and is doling them out like party-hats so you need to find your own glass this week.

Cheers.

--Claus V.

Network fun and news

And here is a roundup of tips, news, tools and techniques in the world of networking…

Cheers.

--Claus V.

Flash/Java Updating

Unless you really do live under a rock, the past two weeks have been pretty full of Adobe Flash and Oracle Java update news.

Here you go for those under-ground dwellers.

All done and loaded up? Fire up this Qualys BrowserCheck page in each of your web-browsers and check to be sure.

--Claus V.

Recent Utility Updates

Here is a small collection of tools and utilities that have been updated that caught my eye, and some new offerings from NirSoft and Sysinternals as well.

Cheers.

--Claus V.

Ubuntu 13.04 (Raring Ringtail) Upgrade..a bit faster this time

Yesterday turned out to be a deluge of epic proportions.  A moisture-saturated atmosphere dumped an unexpectedly large amount of water across the upper Gulf Coast. The Houston area had to deal with waves of hail, flooded freeways littered with floating and abandoned cars, high-water rescues, and general misery. What the local forecasters said on Friday would be a 10-30% chance of scattered showers became a 100% certainty of something floating in backyards everywhere. 

So it was the perfect day to settle in with my visiting father-in-law as the girls swam around town, watch home-improvement shows on cable, and perform an upgrade to my VirtualBox session of Ubuntu.

  1. Find in RSS feeds that my Ubuntu 12.10 Quantal Quetzal install has a 13.04 Raring Ringtail upgrade available.
    ●  Ubuntu 13.04 is ready to deploy - Ubuntu
    ●  Ubuntu 13.04 boosts graphics performance to prepare for phones, tablets - Ars Technica
    ●  Ubuntu 13:04 Raring Ringtail published: The most important features at a glance - Caschys Blog (GTranslated)
    ●  New Ubuntu version hits today! - Boing Boing
    ●  Ubuntu 13.04 'Raring Ringtail' gives some, takes some - BetaNews
    ●  Hands-On With The New Features In Ubuntu 13.04 Raring Ringtail - AddictiveTips
  2. Begin making plans to do an in-place upgrade of my VirtualBox Ubuntu build…forgetting I had recently updated VirtualBox to 4.2.12 and it didn’t hurt my Windows VM systems…so why should I care about Ubuntu impact.
    ●  Downloads – Oracle VM
    ●  Changelog – Oracle VM VirtualBox
  3. Launched my VirtualBox Ubuntu build and logged in normally…and got a blank desktop. I did this several times. I could launch the VM and get the expected account login window for Ubuntu 12.10 just fine, but the desktop would never load. Hmmm. Wonder if that recent VirtualBox update had anything to do with it? Probably.
  4. Did some research and found some posts regarding VMware upgrades screwing with Ubuntu in the past; they had tips about disabling 3D acceleration in the VM machine settings. VirtualBox has a similar feature (which was enabled), so I disabled it, relaunched the Ubuntu VM and was now able to load the desktop! Lesson learned: after upgrading VirtualBox, disable 3D acceleration on first boot.

    ●  Latest Ubuntu update broke cinnamon · Issue #1763 · linuxmint/Cinnamon - GitHub
    ●  Later remember I also had 3D headaches last Ubuntu upgrade that I had to power-through.
  5. At that point I was able to install/upgrade to the latest VirtualBox Extension pack within Ubuntu proper. It ran slow as molasses but got the job done. Shut down the VM when done, re-enabled 3D acceleration in the VM machine settings, and was able to log back into the Ubuntu desktop with no issues and it was super-fast again. Yea! Looks like my former fixes from that post are still sticking:
        ● Ubuntu 12.10 – VirtualBox Guest Additions not Working -Complete, Concrete, Concise
        ● #10901 (vboxvideo fails to auto-load on Ubuntu 12.10 Guest) – Oracle VM VirtualBox
        ● virtualbox.org • View topic - Ubuntu 12.10 "virtually" unusable
        Edited “/etc/modules” file to include “vboxvideo” line as suggested above. Shut down.
        ● [ubuntu] newbie question on editing as root - Ubuntu Forums
  6. Used Daniel Benny Simanjuntak’s tip from the comments on my last Ubuntu post and ran the following command from the terminal to start the upgrade process. Piece of cake (and it wasn’t a lie)!
         …through terminal one can upgrade as well using the command:
          sudo do-release-upgrade -d
  7. Let it run forever…do a few reboots…
  8. When it is all settled down, I log in and kick the tires a bit, and change the desktop to the snazzy Raring Ringtail image.

  9. Check “Upgrade to Raring Ringtail” off my to-do list.
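The list above is really three things: make sure vboxvideo is in /etc/modules so the guest desktop comes back, make sure a thin 8 GB virtual disk has room for the package download, and kick off do-release-upgrade. As an added example (my own scripting of those steps, not anything from the Ubuntu or VirtualBox projects or from the comment I quoted), here they are as a pre-flight script. Assumptions: an Ubuntu guest where /etc/modules is the boot-time module list (one name per line) and do-release-upgrade is on PATH; the 2 GB free-space threshold is a guess, not a documented requirement. Run it as root for the real upgrade; the helper functions take a path so they can be tried on a scratch file first.

```python
"""Added example: pre-flight for an in-place Ubuntu release upgrade inside VirtualBox.
Not from the original post, Ubuntu or VirtualBox.  Paths and threshold are assumptions."""
import os
import shutil
import subprocess
import sys
import tempfile

MODULES_FILE = "/etc/modules"            # assumption: boot-time module list, one name per line
MIN_FREE_BYTES = 2 * 1024 ** 3           # assumption: leave ~2 GB for the downloaded packages


def ensure_module(name, path=MODULES_FILE):
    """Append `name` to the modules file only if it is not already listed.
    Returns True when a line was added, False when it was already there.
    (Appending blindly, as the forum tip suggests, adds a duplicate on every re-run.)"""
    try:
        with open(path) as fh:
            if any(line.strip() == name for line in fh):
                return False
    except FileNotFoundError:
        pass
    with open(path, "a") as fh:
        fh.write(name + "\n")
    return True


def scratch_modules_file():
    """An empty temp file to try ensure_module() on without touching /etc/modules."""
    fd, path = tempfile.mkstemp(suffix=".modules")
    os.close(fd)
    return path


def enough_space(mount="/", minimum=MIN_FREE_BYTES):
    """True if the file system holding `mount` has at least `minimum` bytes free."""
    return shutil.disk_usage(mount).free >= minimum


def upgrade_command(dev_release=False):
    """argv for the upgrade.  '-d' tells the upgrader to consider the development
    release: right after a release day that can be the only way the new version
    shows up (which is why the tip worked for 12.10 -> 13.04), but on any other
    day it can land you on an unreleased tree, so leave it off unless you know
    the release is actually out."""
    return ["do-release-upgrade"] + (["-d"] if dev_release else [])


def main(argv):
    added = ensure_module("vboxvideo")
    print("vboxvideo %s %s" % ("added to" if added else "already in", MODULES_FILE))
    if not enough_space():
        print("less than %d MB free on /: apt-get clean / autoremove first"
              % (MIN_FREE_BYTES >> 20))
        return 1
    return subprocess.call(upgrade_command(dev_release="-d" in argv))


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Invoke it as `sudo python3 preflight.py` (add `-d` only in the release-day situation described above); it refuses to start the upgrade when the disk is too full, which on an 8 GB VM is the failure you would otherwise discover halfway through the package download.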

I keep this particular Ubuntu build around mostly for working with the super-cool NFAT Xplico. However it is good for testing additional specialized software utilities and just trying to get more familiar with the Ubuntu environment in general.

This particular virtual HDD is just 8 GB so free space is a premium. I could expand it to at least 10 GB but HDD space on my laptop is at a premium so for now I’m trying to keep it thin.

After I got the upgrade done, I uninstalled some extra programs that had come in the default Ubuntu build to make room. I also ran through a few of the tips in this older Mike's Software Development Blog: Freeing hard disk space in Ubuntu Linux post. There may be more tips for freeing up space I haven’t found yet. I’m open for new tips and tricks!

Finally, the super awesome and brilliant Ubuntucat must be living here on the Gulf Coast as well, as she has found a bunch of free time (homebound due to rainstorms of biblical proportions, perhaps?) and is ripping out tons of posts on Ubuntu 13.04 over the last two days! Thank you, Thank you, Thank you Ubuntucat!

--Claus V.

Drives…

I’ve still not had the time to build a little home NAS server yet.

It’s on my “to do” list but time is a rare commodity around the Valca home of late.

I’d also like to find a solution that uses full-disk encryption on the data stores…but while I’ve done some limited research on that option, I’ve not yet found a solution, in either a standalone hardware rig or a home-built system running a *nix NAS distribution, that really gets me excited about spending the cash or doing the work of converting my old SFF shoebox PC into a NAS unit.

However, I’m still keeping one eye open, collecting and carefully reading home NAS solutions and reviews.

The Hacker Factor Blog has a great recent article posted on the Synology DiskStation.

This is also important, as my 500 GB laptop HDD is fuller than I would like. The jump to a Canon EOS 5D Mark II DSLR, coupled with my Canon PowerShot S95, means a lot more very large digital image files are hanging around. Coupled with the great video quality on my iPhone 5, I’m keeping more digital movies in my iTunes library as well.

So I’m having to manage storage space on my laptop a lot more carefully.

Prices on 1TB internal SATA HDDs on NewEgg are very decent, so I will probably have to pull the trigger on one of them pretty soon. I could likely get by with a 750 GB drive, but the price difference really doesn’t justify going with the lower capacity. The 5400 RPM models are a steal, while the 7200 RPM models are almost double the cost. I’d love to drop in a full SSD, but the cost is still prohibitive for the capacity I need. As super-awesome as it would be to use an SSD for performance, I just can’t go with a lower-or-same capacity in my laptop.

But according to Ars, there is some hope on the horizon…

Waiting for a 1TB SSD below $1 per GB? Crucial says wait no more - Ars Technica

I also considered a hybrid SSD, but while they are tempting, I’m still not convinced it is a good solution. Born’s IT and Windows Blog has a (GTranslated) article about some of the trials and tribulations that come with hybrid HDD technology: Angetestet Seagate SSHD hybrid hard drive.

Finally, TinyApps blog must be reading my mind and has posted a caveat emptor regarding SSD drives and security: Securely wiping an SSD. Lots of great cross-links (as usual) in the tiny post, and unless you have a really modern and correctly configured device, physical destruction of the SSD may still be the only truly secure solution…and it will hurt badly when you consider the prices you pay for these things.
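Both mentions of the TinyApps post (here and in the ForSec roundup above) come down to the same practical question: after you have told the drive to sanitize itself, how do you know it did? As an added example, not code from TinyApps or this page, here is the host-side half of that answer: read every byte of the device (or of an image taken from it) and report the first non-zero byte and how many sectors still hold data. For an SSD this check is necessary but not sufficient, which is exactly the hazard the post is about: the controller can keep old data in remapped or over-provisioned flash the host never reads, so a clean scan only tells you the visible LBA range is clear. The sanitize step itself (ATA Secure Erase, a vendor tool, or the hammer) is what matters; this just catches the case where it silently did nothing. Reading a raw device needs root; the helper at the bottom builds an ordinary file (constructed input, not a real drive) to exercise the scanner.

```python
"""Added example: verify that a wiped drive or drive image reads back as all zeros.
Not from the TinyApps post or this page.  Only checks the host-visible LBA range."""
import os
import sys
import tempfile

SECTOR = 512


def verify_zeroed(path, chunk_size=1 << 20):
    """Read every byte of `path`.  Returns a dict: whether it was all zeros, the
    offset of the first non-zero byte (None if clean), the number of 512-byte
    sectors holding any non-zero byte, and the total bytes scanned."""
    zero_chunk = bytes(chunk_size)
    first = None
    dirty_sectors = 0
    scanned = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            # Fast path is a whole-chunk compare; only non-zero chunks get sector-walked.
            if buf != zero_chunk[:len(buf)]:
                for off in range(0, len(buf), SECTOR):
                    sec = buf[off:off + SECTOR]
                    if any(sec):
                        dirty_sectors += 1
                        if first is None:
                            first = scanned + off + next(i for i, b in enumerate(sec) if b)
            scanned += len(buf)
    return {"clean": first is None, "first_nonzero": first,
            "dirty_sectors": dirty_sectors, "bytes": scanned}


def check_constructed_image(size, dirty_offsets=()):
    """Build a `size`-byte file of zeros with a 0xFF byte at each offset in
    `dirty_offsets` (constructed test input), scan it with a small chunk size so
    chunk boundaries are exercised, delete it, and return the scan result."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(bytes(size))
            for off in dirty_offsets:
                fh.seek(off)
                fh.write(b"\xff")
        return verify_zeroed(path, chunk_size=4096)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = verify_zeroed(sys.argv[1])          # e.g. /dev/sdb (as root) or wiped.dd
    if result["clean"]:
        print("%d bytes read, all zero" % result["bytes"])
    else:
        print("NOT clean: first non-zero byte at offset %d, %d dirty sector(s) in %d bytes"
              % (result["first_nonzero"], result["dirty_sectors"], result["bytes"]))
    sys.exit(0 if result["clean"] else 1)
```

Run it against the device node after the erase and before you trust the drive with an image; a non-zero exit is your cue that the erase did not take (some drives silently ignore the command when frozen by the BIOS, for instance). A passing scan on an SSD still says nothing about the flash you cannot address, which is why the post’s conclusion about physical destruction stands for anything that held truly sensitive data.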

Cheers.

Claus Valca

It just has to be bigger on the inside…

 


Last Christmas, Lavie gifted me with a cute little Jawbone JAMBOX unit.

I thought it was pretty cool. It uses a Bluetooth connection to join from your supported device and provides significantly better sound quality than most “on-board” device speakers do.

But then, I use and enjoy the Apple EarPods that came with my iPhone 5, so I was skeptical about just how much use I would get out of it.

Turns out Lavie knows me better than I do, as the answer to that turns out to be “a lot.”

My use of it started out simple.  I synced it with my iPhone 5 and left it on my bed stand. At night going to bed I would play it with my Naturespace app playing on a timer to fall asleep to relaxing sound loops. The sound quality was so full and rich it provided a great immersive experience. Some of my favorite rainstorm and wind-blowing-in-the-tree loops sounded like I was right there. Since I wasn’t wearing ear pods, I could fall asleep without care.  So with the Wave Alarm to get me up in the morning and Naturespace to lull me to sleep, the bedside digital clock I’ve had for years got removed and went into the garage-sale box.

About a month later, I was finally able to get Lavie interested in watching the DCI Banks series I had enjoyed on PBS. Only its run had long since ended. Fortunately I found it still available on a PBS streaming channel and we watched it on the laptop…but the sound quality from the laptop speakers wasn’t quite as nice as desired. So I synced the little Jambox up to the laptop’s Bluetooth and the sound was totally super.

Lately I’ve been hauling it to work with me each day. Sure, I could connect my iPhone to some spare PC speakers with the mini-plug, but the sound from them just doesn’t compare to that coming from the little box. It really fills my cubicle with the Naturespace sound loops or tunes from the iPhone library, but because it is so rich I don’t have to crank it up loud at all, worry about disturbing my fellow cubicle mates, or even turn it down/off when incoming phone calls roll in.

The only drawback was the loud “syncing” speaking dialog and sounds when it would establish the Bluetooth device connection.  That was really annoying.

While poking around on the JAWBONE site looking for a new headset a few weeks ago, I took a chance look at the Jambox page and found their MyTALK page. Turns out, you can register for free and then download upgrade software packages to your device that really expand the feature set. First I upgraded (over a USB cable) the firmware for my Jambox. Then I was able to customize a bunch of settings, such as disabling the pairing vocalizations (this is called Silent Mode) that were irritating me. You can also load different voices if you like the vocalization but just not the voice itself. There are a variety of female and male voices with different accents to pick from. There are also some “apps” that expand features, such as using it as a speakerphone, to name just a few.

Maybe if I read the manual that came with it I would have figured this out sooner, but if not, and if you do have a Jambox unit, I really encourage you to check out the MyTALK features and easily expand the capabilities of the device.  That’s really the point of this post, to tip off other users of a Jambox who might not have uncovered this ability to update and customize the internals of their device.

It isn’t the only Bluetooth portable speaker on the market, but it has awesome sound and is very high-quality and solid. And there is just so much high-quality sound packed into that little bitty box, you would swear it must be using Time Lord technology…

Cheers!

Claus V.