Saturday, September 20, 2014

Windows 9 quick-bits

I posted a ton of links leading up to the Windows 8 release.

In fact I still have a bunch of out-dated, un-posted links for Windows 8/8.1 that are languishing.

So it is with reservation that I offer these quick Windows 9 links…

Again, I really, really like the kernel core of Windows 8/8.1 compared to my lovely Windows 7.

Lavie has adjusted to life in Windows 8/8.1 and almost never complains any longer.

I love my Windows 7 primary system and have it all dialed in just the way I like it, and since a Windows 8 upgrade would come at an upgrade expense ($-$$) I cannot find a way to justify the jump.

But, if Microsoft does a good job on Windows 9 and also if rumors are true that it will be offered as a free OS upgrade for Win 7/8 users, then I might just make the jump from Windows 7 to Windows 9.

From Mary Jo Foley’s ZDNet article post:

“The Microsoft OS team is hoping to get as many Windows 7 users moved to Windows 7 Service Pack 1 and Windows 8 users to Windows 8.1 Update in preparation for (hopefully) getting them to move to Threshold once it is out. It's still early in the Windows development cycle for Microsoft to have decided on packaging, pricing and distribution, but my sources say, at this point, that Windows Threshold is looking like it could be free to all Windows 8.1 Update, and maybe even Windows 7 Service Pack 1, users.”

So I will be excitedly looking forward to the Windows 9 technical previews.

Cheers,

--Claus Valca

Mitigating Recent Firefox and ABE Annoyances

Last weekend I went on and on about recent changes to Firefox that included some “safebrowsing” features and particularly how it seemed to be getting in the way of downloading some binaries from NirSoft (as an example).

This week I saw notice from the Firefox Extension Guru that a minor update was released.

I’m always looking to keep my web browsers current on their patching for security reasons, but I was also curious if it would address the crazy behavior I blogged about.

Sure enough, once the update was applied and Firefox was restarted, I could download the particular PasswordFox zip file without any more blocking/malware messages.

I checked the Firefox Release Notes (32.0.2) carefully but didn’t find any reference to safebrowsing. I also checked my about:config and did NOT find the “browser.safebrowsing.appRepURL” key present either. So the current possibilities are:

  • The 32.0.2 update fixed something that wasn’t documented in the release notes.
  • Something on Nir Sofer's side/site changed to allow the download/site to be seen as legit, or
  • Something changed in Google’s Safe Browsing application reputation database that now allowed Nir Sofer's site and/or some apps to now be considered legit/safe, or
  • Magic.

I really can’t weigh any one as more probable than the other and I’m really leaning towards the last one as Lavie and I are re-reading the Harry Potter books again together.

Honestly Annoying ABE

Another annoyance I have been struggling with recently is the NoScript Security Suite Add-On for Firefox. Overall I love it and use it to help protect my system during web browsing, since I haven’t quite yet felt brave enough to install and use Malwarebytes Anti-Exploit on my “production” system, though the recent v1.04.1.1012 release seems to be working much better than the previous version.

(FYI on my Win 7 test-bench VM system Malwarebytes AE is coupled with The Enhanced Mitigation Experience Toolkit (EMET 5.0), GlassWire firewall, and AVG Free Antivirus 2015 and all four seem to play well with each other.)

I think I am generally a pretty savvy NoScript user but recently (arising in the past 2-3 weeks?), hyperlink jumps from either Google search results or The Portable Freeware Collection to NirSoft domain pages have met with a NoScript ABE block. That’s been very annoying.

[Screenshot: Mozilla Firefox ABE block notice]

I’ve been able to work around them by either temporarily disabling ABE inside NoScript, or copying the URL to NirSoft and then opening a new tab and pasting the link in and going manually. Neither is great and sometimes I even got an ABE rule block when downloading a NirSoft zip file from the product page.

I shot an email to the NoScript developer but haven’t heard back. I could have dropped some feedback in the forums but it wasn’t that big a deal.

This morning I did a bunch more research and experimentation with custom ABE rule sets and cobbled together something that lets the hyperlink jumps to NirSoft from The Portable Freeware Collection site go through without triggering an ABE alert/block rule; and, as a bonus, lets the link jumps to NirSoft from Google work as well.

Now, I’m still not 100% sure what these changes are doing, so I might be making things tons worse (browser security-wise) than not having anything at all, but I’m putting it out there as a starting point and for discussion if any ABE rule pros want to chime in and help me improve it:

The default “System” Ruleset in ABE is something like this:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

The default “USER” Ruleset is effectively blank.

# User-defined rules. Feel free to experiment here.

I tried a combination of ruleset options under both User and System, but this was the one I cobbled together under “System” that got things unjammed. I did add the (redundant) commenting just because I may forget what I meant to do later. It’s ugly and probably fundamentally flawed at protecting the system just to get hyperlinks to the NirSoft domain working from other sites, but it’s a noobie’s start.

# Prevent Internet sites from requesting LAN resources.

Site LOCAL
Accept from LOCAL

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
# And strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains,

Site http://nirsoft.net/
Accept POST SUB from SELF http://nirsoft.net/
Accept GET
Anonymize

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
# And strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains,

Site http://portablefreeware.com/
Accept POST SUB from SELF http://portablefreeware.com/
Accept GET
Anonymize

Deny

As I understand from the documentation, the rule(s) are read from the top down. I’ve also added some line breaks just to keep it more legible. Putting “Deny” after each rule-set caused it to stop working, and it would again just block hyperlink jumps to the NirSoft domain.

Putting the “extras” under “User” didn’t work either.
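The ruleset below is an added example, not the post’s own rules and not anything from the NoScript project. It keeps the two site sections as written above but restores the `Deny` under `Site LOCAL`. That line is the one the post’s version dropped, and since ABE accepts any request that no rule matches, dropping it switches off the LAN protection the default System ruleset exists for: any internet page could again request LAN resources. Two things here are assumptions rather than facts from the post: that ABE evaluates rulesets and rules top-down with the first match winning (the post relies on the same reading of the documentation), which is why the site-specific sections are placed above the LOCAL one so that a plain GET link to nirsoft.net is accepted before the LOCAL rules are consulted; and that the site patterns are kept exactly as the author wrote them, so whether `nirsoft.net` also covers `www.nirsoft.net` is not something this example settles.

```text
# Added example ruleset (not the post's). Site-specific sections first;
# assumes ABE's documented top-down, first-match evaluation.

# Normal application behaviour for nirsoft.net: hyperlinks (GET) from
# anywhere are allowed; cross-site POST and framing (SUB) only from the
# site itself; anything else gets Auth/Cookie headers stripped.
Site http://nirsoft.net/
Accept POST SUB from SELF http://nirsoft.net/
Accept GET
Anonymize

# Same behaviour for portablefreeware.com.
Site http://portablefreeware.com/
Accept POST SUB from SELF http://portablefreeware.com/
Accept GET
Anonymize

# Stock LAN protection, left intact. Only LAN origins may reach LAN
# resources; the final Deny is required because ABE's default for an
# unmatched request is Accept, so without it this section protects nothing.
Site LOCAL
Accept from LOCAL
Deny
```

One diagnostic worth running before changing rules at all: the default System ruleset only acts on requests whose destination ABE classifies as LOCAL, so an ABE block on a link to nirsoft.net suggests that name was being resolved to a loopback or LAN address on that machine (a hosts file entry or a local DNS override would do it). If that turns out to be the case, fixing the name resolution is the cleaner remedy than relaxing the ruleset.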

And here is the pile of link references I read through to come up with the above.

Comments and (gently) recommended corrections/refinements are welcome and appreciated!

Cheers,

--Claus Valca

Upgrading to iOS 8 (the long way ‘round)

Unless you are totally not into the Apple scene, you may have heard that

Lavie’s 8GB iPhone 4 is getting very sad and tired and she is itchy to upgrade. I think the best deal for her (now out of her 2-year contract) would be to get either a 16 GB iPhone 5s or 5c. I’m leaning to the 5s myself even though it will be more expensive. However, her thriftiness surprises me sometimes, so she might be OK with the 5c. She is not a power-user of apps or streaming, so from a hardware perspective either should be more than adequate after the 4 she has now.

Last night I went ahead and decided to upgrade my 4th gen iPad Retina to iOS 8.  What should have been a quick process went super bad super fast.

It’s a 32 GB model but I have it jam-packed with videos (mostly sysadmin/training videos) and PDF whitepapers on for/sec/admin-related topics to read when I’m between activities.

As such I had < 5 GB of free space, so I couldn’t do a WiFi-only iOS update. But if you do the upgrade from iTunes you don’t need to have free space on your device.

Mistake #1: Not confirming/taking a backup.

Mistake #2: Plugging the device in to a powered USB hub rather than directly on my system.

I plugged the iPad into a brand-name USB powered hub extender and the iPad was detected ok.

I misread the initial prompt about whether I wanted to back up some apps that were on the iPad and not in my iTunes and said “no”. Bad decision.

The update downloaded and began to apply.

As part of the process the iPad rebooted but it would not reconnect automatically to the USB port, which caused the iTunes update to fail.

I tried again and got more failures, and each time I retried it said I had to do a device Restore. Yikes!

Finally after hunting down error codes and update failures I switched the cable over to a USB port directly on my laptop.  I did a hard-reset of the device and then the iOS 8 upgrade went on. Yea!

Only it was a (mostly) factory restore.  Somehow, some backup items were found from an older backup (or maybe the device itself?) and restored.

I had to put all my music library, videos, photos, and videos specific to my VLC app library back on manually; a few apps that I hadn’t downloaded to iTunes also had to be restored/reinstalled. That took a very long time. Luckily all my (considerable) ebooks and whitepaper PDFs stored in Adobe Reader and Documents apps were all present and accounted for.

It took a long time (4-5 hours!) for the whole process before I was chilling again on the couch with the iPad but I finally got it tweaked back to the way it was before.  I’m wondering what I haven’t found missing yet because after the upgrade and auto/manual rebuild, I’ve now got around 10 GB of free space.

So this Saturday morning I’ve been busy doing manual iTunes updates (we don’t back up to iCloud) of both our iPhones as well.

I’m not in much of a hurry to upgrade my iPhone 5 just yet after that iPad update drama, and Lavie’s iPhone 4 doesn’t qualify for iOS 8.

I also figured out how to review and delete a bunch of old iTunes backups to clean house:

The other big headache after the upgrade and restoration was coming to terms with all the new features and setting changes brought by iOS 8. I had a ton of re-tweaking deep in the Settings to do to ensure it was set to my comfort levels.

Here is a list of iOS 8 items you may want to review before/after you do your iOS 8 journey. Many of these tips and suggestions have been super-helpful to me.

Cheers.

--Claus Valca

Sunday, September 14, 2014

Tools, News and Linkage for the Sysadmins

Wow.

I’m nearing the end (finally) of clearing out my “to-be-posted” bookmark piles.

What a journey (and long weekend wedded to my desk).

Here is a final collection of linkage with all kinds of bric-a-brac.

The Administrator of Things (AoT) – A Side Effect of Smartification - Security Intelligence Blog at Trend Micro - I really get this. All too often I get calls from family and friends asking for advice on the latest technology gadget and what to do. It’s not just enough to buy it and deploy it. Consider a “simple” home router. Sure, I can give you a recommendation, and even set the thing up initially. But what about the long-term support? Firmware updates? Configuration changes when your home-network needs change? What? Lost the WiFi password and it’s the holiday and your relatives are visiting with their new WiFi devices and want to hook in? What’s the password? What’s the risk?!

In the Valca home proper we have BluRay players that need constant firmware updating to play back the newest disks, two “active” Windows laptops, a network-enabled printer, iPhones (x2), an iPad, a 1st gen Kindle and another Kindle Fire eReader device. I’ve also got an older laptop and a small-form-factor PC that I am trying to decide what to do with for “projects”. Yep. A router and switches all reside here as well.

I’m a tech-savvy person, and if I’m not careful, management and maintenance of these devices alone can take up a full month of work; wash-rinse-repeat!

How about the non-tech users out there who may or may not have friends or family to help them?

These devices may get smarter and easier to manage, or they will just go unsupported/unpatched, or maybe new businesses will spring up to meet the consumer device management needs.

Time will tell. I agree that we may not just have SysAdmins but also specialized AoTs, in the present and future.

Updates: Handle v4.0, Procdump v7.01, Procexp v16.04, Regjump v1.02, Autoruns v12.03 - Sysinternals Site Discussion blog

The Case of the App Install Recorder - Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog - SysAdmins! Stop right now. Drop over to that post. Bookmark it and snag the ZIP file of resources. It’s a super-effective way to capture app install events (and with some imagination other events as well). Older (but helpful) video-demo of it in action at Defrag Tools: #81 via Channel 9.

Case of the 8 Minute Windows 8.1 First Logon - chentiangemalc

Case of the Windows 8.1 Audio Glitches - chentiangemalc

Case of the 30 minute Windows 7 Logon - chentiangemalc

All those posts are awesome diagnostic analysis exercises tracking down buggy Windows behavior. They show skilled use of the Windows Performance Recorder from the Windows 8.1 ADK.  If you are curious, I have some related Windows Performance Analysis Toolkit (WPT) linkage on this GSD post Case of the Unexplained Donut of Death.

Weekend Scripter: The WMI Explorer Tool - Hey, Scripting Guy! Blog - The Scripting Guys point to a very exciting WMI tool WMI Explorer. It seems to really expand WMI information lookups.

Analysis of Chinese MITM on Google - NETRESEC Blog - Amazingly detailed post exploring a MITM attack.

NetAdapter Repair All In One - SourceForge.net - Advanced network utility that runs from a single EXE file. Requires Admin rights on Windows systems to do most functions. Spotted via this BetaNews article: Troubleshoot network problems with NetAdapter Repair All in One.

WinAudit - CodePlex project page - Recently got an update in June to version 3.0.8 for the interested.

Malwarebytes Anti-Exploit - Free Zero-Day Exploit Protection - Looks like it got bumped to 1.04.1.1012 if this is your thing. I’ve not loaded it up yet on my VM where I am experimenting with it. I’ll post an update to see if it fixes some behavior issues I’ve noticed with IE 12. Nor have I had a chance yet to deploy and test GlassWire.

I seem to have a massive iTunes cover art issue!  While most of my track cover-art is correct, much of it is not and I don’t know what happened!  Albums generally are OK but single tracks often pull cover art from entirely unrelated tracks. Strange!  So I’m eager to see if this tip Batch download and embed album cover art from tinyapps.org blog can fix things up; two options are presented.

Aside from apparent safe-browsing changes in Firefox 31/32 releases, there have been other more subtle UI changes as well.  The Firefox Extension Guru has some of these covered!

SigcheckGUI - Skwire Empire - Free GUI extension to the command-line SigCheck tool from Sysinternals. Spotted via DonationCoder.com

USB Image Tool - alex’s coding playground - This “critical” app (to me) creates/restores images of USB drives. Version 1.67 was released based on .NET 4.0 and added some really nice extras. However something with the .NET 4.0 broke the program operation on XP systems so the latest is Version 1.68 that restores .NET 3.5 use to ensure XP compatibility. I suppose if you aren’t running it on XP systems and want to use the .NET 4.0 supported version you could, but you would have had to download it already when first released as it isn’t offered on the previous version links.

Google Software Removal Tool "Beta" - Google - This was a new find yesterday! What does it do? Well, it seems to be a tool offered by Google that scans a system and removes software that has modified the Google Chrome browser functionality/settings.

To be clear, not only does it do a Chrome browser setting factory “reset”, but it will also remove “programs” installed on the Windows system that could negatively (in Google’s evaluation) impact the Chrome browser operation. 

According to the gHacks link below, this tool does not require installation. Download, run, review the findings, and take action accordingly.

It also doesn’t support Chromium and other Chromium-based browsers, just Chrome browser proper.

More references to Google Software Removal Tool

Might be worth keeping it in the toolbox, just in case.

Unfortunately, a listing of the apps Google considers harmful to their Chrome browser isn’t presently offered for review.

Cheers!

--Claus Valca

Mega malware-focused link-dump

OK.

Now we arrive at the malware-focused link-bin.  This one seems a bit all over the road despite my best efforts at categorizing them a bit.

Cheers,

--Claus Valca

Mega ForSec link-dump - Mostly Musings and Considerations

The previous post was technical links.

This next collection also goes back a few months, and it covers most-excellent white-papers, musings, and other perspectives in ForSec and incident response handling.

Brainwashed by The Cult of the Quick - TaoSecurity

Linkz for SIEM - Journey Into Incident Response - Corey Harrell goes into great detail on security information and event management (SIEM).

SIEM Use Case Implementation Mind Map - Journey Into Incident Response - an expansion on the above post.

Where's the IR in DFIR Training? - Journey Into Incident Response - Corey Harrell touches on a subject I continually struggle and get frustrated with. It seems that so much of what I personally see (from my admittedly limited “sysadmin” perspective) is reactive response; something tripped an alert rule, it matches some pattern descriptions, instructions are received to drop everything and go wipe and reload it! It leaves me wondering about where the role of post-incident response activities should come in organizationally; such as evaluating what happened, what was the impact, is this event part of a larger trend, and what can we learn? I really gobbled down this post and the lively follow-on discussion in the post comments.

A guide to leading and motivating highly driven professionals - (PDF link) - SANS Institute Reading Room whitepaper by George Khalil.

Practical Threat Management and Incident Response for the Small- to Medium-Sized Enterprises - (PDF link) - SANS Institute Reading Room whitepaper by Jacob Williams.

Implementing an Information Assurance Awareness Program: A case study for the Twenty Critical Security Controls at Consulting Firm X for IT Personnel - (PDF link) - SANS Institute Reading Room whitepaper by John Dittmer.

Under Threat or Compromise - Every Detail Counts - (PDF link) - SANS Institute Reading Room whitepaper by Jake Williams.

Case Study: Critical Controls that Could Have Prevented Target Breach - (PDF link) - SANS Institute Reading Room whitepaper by Teri Radichel.

Incident Response in a Microsoft SQL Server Environment - (PDF link) - SANS Institute Reading Room whitepaper by Juan M. Walker.

(IN)SECURE Magazine - ISSUE 42 (June 2014) - (PDF link here) - articles include control/privacy discussion, “Incident response and failure of the ‘Just Fix It’ attitude” written by Mike Horn, and “Are you ready for the day when prevention fails?” written by Tom Cross which is another good IR-focused article.

Browser Fingerprinting and the Online-Tracking Arms Race - IEEE Spectrum - Not from your typical ForSec source, IEEE Spectrum looks into browser tracking beyond the stale cookie objects. Lessons for the ForSec community?

Incident Response with Triage-ir - SANS Diary post

USB firmware: An upcoming threat for home and enterprise users - Microsoft Malware Protection Center blog

Security of Password Managers - Schneier on Security- great post with links to some supporting whitepapers on the subject.

So on that last article, here’s a question for those still reading…what (Windows-based) options are available if password manager software is not approved in your organization? Seriously. How could one manage (and/or securely store) lots of credentials/strong passwords on a “stock” Windows system? The easiest solution is to stretch that grey matter and just memorize them; a modern twist perhaps on the great oral storytelling traditions of Homer and the bards that followed? Writing them down seems anathema. And then there is the challenge of “manually” generating strong/complex and/or random passwords, which many password managers can assist with. Bother. (This was interesting: XKPasswd - Secure Memorable Passwords). Thoughts or suggestions?

Stay sharp my friend!

--Claus Valca

Mega ForSec link-dump - Mostly Technical Stuff

My cup runneth over with technical ForSec blog posts! Some of these reach back a ways…

Cheers,

--Claus Valca

WinFE LinkFest

It really hurts to get behind in my postings.  Brett Shavers has been running in overdrive mode lately over at the WinFE blog.

In case you have been living under a rock, or just been busy and harried like me, here is a sampling of the exciting news and events over at WinFE blog.

Which was quickly followed by new update posts…

WinFE Course and Free WinFE course, and finally the big announcement Windows Forensic Environment – WinFE Online Course Now Available - WinFE blog

Just in case anyone isn’t clear, the course page is linked below so everyone can find it easily. I’m probably blind this morning, but I didn’t seem able to find a big/direct course-reference link in the drop-down menu options or displayed prominently on the side-bar.

Note: There are two “preview” course sections you can look at without first having to sign up if you are curious.

WinFE blog points to this course review by Ken Pryor at the Digital Forensics Blog if you are curious on what to expect before signing up: Windows Forensic Environment Training Course Review

And a review of these posts should bring one pretty current on the WinFE world.

Kudos to Brett Shavers and all the hard work he is doing for the community!

Cheers,

--Claus Valca

IsoStick & Zalman/IODD enclosures

Update: I really hate when I lose a primary source that inspired me to write a post to begin with! The following Malwarebytes Unpacked blog post was the genesis of this entire post. Not only does it provide good context for the IsoStick’s usage but also a great “Pros/Cons” roundup as well. - CV

I have two main hardware data-storage platforms I prefer to use. Both carry my library of “portable” sysadmin & for/sec tools and utilities for when I’m working with systems. The second also carries ISO files of LiveCDs and other ISO-packaged installation media. Both are LiveOS bootable; however, the first is limited to WinPE-type loads while the second gives me an expansive array of LiveBoot options.

The first is my trusty Kanguru Solutions brand (write-block switched) 16 GB Kanguru USB flash drive. The latest iteration is called “FlashBlu30” and uses the USB 3.0 format. Mine is an older 2.0 version but is still very spiffy. Unfortunately, despite all the house-cleaning, I’ve got less than 2 GB of free space remaining, so I’m trying to decide if I want to invest in a 32 GB or 64 GB newer version. Decisions!

The second is my faithful iodd : Multi-boot madness! external hard drive enclosure. It has gone through a lot of changes since first coming out, and the current distributor/name is Zalman. Long story short, these external HDD enclosures allow for storage of ISO files and then loading/launching them as virtualized drives. Basically, instead of carrying a large stack of CD/DVD media with you, just load your ISO images of them on the drive and then select/boot accordingly from your external drive enclosure. Cool! Amazon has a large selection of Zalman enclosures at crazy-cheap prices, including USB 3.0 models. And who doesn’t have some spare 2.5” HDDs lying around these days to drop into one? I personally like the ZM-VE300 and ZM-HE130 models. Oh, one more thing: they also have physical write-block switches to protect your drive from write-back if used on a questionable (infected) system.

So with those preferences in mind, I’ve been watching the steady development and growth of a product that seeks to marry the convenient-carry of a USB stick with the ability to load ISO files via a virtualized optical drive like the IODD/Zalman enclosures.

So how does it work? Basically when you purchase the ISOSTICK, you are getting a USB stick “enclosure” in which you can load/swap microSDXC cards. It seems more convenient in some ways than the IODD/Zalman approach. It does require use of the FAT32 format but can split ISO files, so the 4 GB limit isn’t an issue. (With later firmware updates, the IODD/Zalmans could support NTFS formatted partitions.) And it also comes with a hardware read-only switch. Available in the US from Amazon.com: isostick for under $100.

If you are looking at -- or already using -- an ISOSTICK, I recently spotted this project worth exploring.

And the reboot.pro forums have a lot of good resources for general ISOstick users and the curious: ISOstick - reboot.pro

Cheers,

--Claus Valca

For/Pen/Sec LiveCD Updates

Here are some updates regarding forensic/pen-test/security aligned LiveCD projects released over the past several weeks.

Kali Tools Website Launched, 1.0.9 Released - Kali Linux - The latest release version of Kali is 1.0.9. Also now available is their Kali Linux Tools which documents all the tools included in Kali, including descriptions, link-back to the tool’s main-page, and sample output from the tool. Very helpful stuff.

Kali Linux 1.0.8 Released - EFI Boot Support - Kali Linux - Previous release information (July 2014).

Kali Linux 1.0.7 Released - Kali Linux - Previous release information (May 2014)

Official Kali Linux Downloads - Kali Linux - ISO/torrent download page

Offensive Security Kali Linux ARM and VMWare Images - Alternative builds download page

New Release of REMnux Linux Distro for Malware Analysis - Lenny Zeltser on Information Security - from the linked post, “The new release adds lots of exciting free tools for examining malicious software. It also updates many of the utilities that have already been present in the distro.”  The post has a great listing of the added tools with link-backs. ISO/virtual-appliance downloads and details at REMnux.

DEFT 8.2 ready for download - DEFT Linux - Computer Forensics live CD - some bug fixes and Ubuntu package updates.

PALADIN EDGE and Creating a USB - SUMURI LLC - PALADIN EDGE is based on the current Ubuntu release and will not contain their “Forensic Toolchest” package. Their PALADIN build will continue to have the package and is based on the long-term-support (LTS) version of Ubuntu.

Cheers,

--Claus Valca

Saturday, September 13, 2014

Thoughts on keyboards

Besides pointing to (new to me) KeyChatter with all kinds of resources about the mechanical keyboard world, the Tiny App blog’s post Hard keyboard carrying cases brought back all kinds of memories!

The most valuable (in terms of applied practicality and life skills) educational class I ever took was my touch-typing course in high school. It was an elective and everyone thought I was bonkers for doing so. Because I hung with the brainz of the school, often there were Hermione’ish discussions about what classes we should or should not take, as if they weren’t AP-type they might count for a lower rating and hurt our class ranking even with an A. This one definitely wasn’t on the AP class chart. I took it anyway, got an A and learned to touch-type on the old IBM Selectric typewriter like nobody’s business! (And still managed to graduate within the top 10!)

That gave me the confidence to write well at the typewriter and easily transition to the world of PC keyboarding.

Those IBM Selectrics had a great feel and I still can’t help but tickle those keys when I find one buried in an office every now and then.

The nearest equivalent in my early PC days was a GRiD brand keyboard that had a mechanical touch like the fabled IBM Model F keyboard & Model M keyboard with the chunky five-pin DIN connector.

When the transition to PC’s/servers with the PS2 and later USB connectors came, out went the mechanical touch and in with the grief of the plastic/rubber dome (and similar) cheap & disposable keyboards we now find.

So thanks to TinyApps, here is a bunch of related links for mechanical keyboards that I have found. While I have always admired the Das Keyboards the most, the revival of other mechanical keyboards at a more reasonable price-point makes me more comfortable with putting it on the Christmas wish-list!

Happy clickity-clacking!

--Claus Valca

Firefox Malware Detection Download Monitoring: Thoughts

As is usually the case, here I was all set to toss up some linkfest posts and I got seriously sidetracked.

It started like this.

  1. Boot system, go into RSS feed reader.
  2. Discover new rounds of updated utilities and apps.
  3. Download said updated utilities and apps using Firefox.
  4. Spend Saturday unpacking them and updating portable USB tool library.

Only a little issue tripped me up and down I went chasing the White Rabbit.

See, I use the Firefox Add-on Download Status Bar to help me manage and mind my downloads since the dinky little stock download indicator in Firefox isn’t helpful to me.

When I’ve got all the files addressed and stowed away, I clear the bar.

Only I had a file that wouldn’t clear off no matter what: NirSoft’s PasswordFox.

[Screenshot: Improving Malware Detection in Firefox, Mozilla Security Blog]

Eventually I realized that the file info was reading “0K” for the size which was strange. It was almost like it didn’t actually download…thus the Download Status Bar app couldn’t remove the reference from itself…since it didn’t actually exist.

I opened up my download manager directly in Firefox and found this:

[Screenshot: Firefox download manager entry]

OK. Clearing that item then allowed me to successfully clear the Download Status Bar item showing.

But why was Firefox suddenly blocking this download? I didn’t recall having that issue within the last few weeks.

Turns out (starting with release version 31) that Mozilla has baked in some more sheeple protection features to keep the average user safe from malware/attack sites, etc.

Until recently, we only had access to lists of reported malicious web sites, now the Safe Browsing service monitors malicious downloaded files too. The latest version of Firefox (as of July 22) will protect you from more malware by comparing files you download against these lists of malicious files, and blocking them from infecting your system.

The next version of Firefox (released in September) will prevent even more malicious downloads on Windows. When you download an application file, Firefox will verify the signature. If it is signed, Firefox then compares the signature with a list of known safe publishers. For files that are not identified by the lists as “safe” (allowed) or as “malware” (blocked), Firefox asks Google’s Safe Browsing service if the software is safe by sending it some of the download’s metadata.

Google has offered an application reputation feature to detect malicious downloads as part of Google Safe Browsing since 2012 [1]. Although this part of the Safe Browsing API is not documented, they have offered it to us for use in Firefox. Malicious download detection is separate from detection of phishing and malware pages (present in Firefox since 2.0), though both features use some of the same mechanisms.

This document attempts to document all of the things that Google Chrome does, so that even in the absence of official API documentation from Google, we collectively have a better chance of implementing this feature correctly.

I’m not going to go into a consideration if this is a good or bad thing. Let’s just leave it at “thanks for caring” and move on to how we can tweak it for those of us daring users who like to fiddle around with Firefox.

Basically, what I would like to do is turn off just the feature that does the file download check, but leave (for now) the other safe-browsing features enabled.

OK. There are a couple of posts that tell us how to do that:

Security/Features/Application Reputation Design Doc - How to turn off this feature - MozillaWiki

Do any one of the following:

  • Turn off malware detection in Preferences > Security > "Block reported attack sites." This disables all Safebrowsing malware protection, including the warning interstitial that appears when the user navigates to a malware site.
  • Replace browser.safebrowsing.appRepURL in about:config with an empty string. This disables application reputation checks but leaves other Safebrowsing malware protection intact.

Download files more safely with Firefox 31 - Monica at Mozilla. Monica guides us to use the Firefox options panel --> Security preferences, and then disable either “Block reported attack sites” and/or “Block reported web forgeries”. Note that doing this will remove almost all safe-browsing protection, rather than just disabling the (download) impacting application reputation check.

So I checked my about:config and didn’t find “browser.safebrowsing.appRepURL”, so I added it and set the value to blank.

Similar advice/discussions for that key found here:

Only it doesn’t seem to work (at least for me and my Firefox instance). Even after relaunches of Firefox after the key value is set thusly (blank), the downloads are still getting blocked.

I’ve triple checked the key to make sure there are no typos or stray white-space, and it seems 100% accurate per the documentation, but the feature modification just doesn’t seem to work for some reason with the “blank” value.

However, when I disable the “Block reported attack sites” option I can now download the files fine.

[screenshot: Firefox Library (downloads) window, 2014-09-13]

Hmmm. All or nothing? Or new bug in 32.0/32.0.1 builds? Or “just lucky me”?

Reading this post Writing for the 98% by Monica at Mozilla I saw reference to some additional keys:

It is also interesting that fewer people disable Google SafeBrowsing checks for malware than for phishing (browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled). Presumably these are disabled for privacy or performance reasons. Are users who disable one and not the other making a mistake, or do these users consider themselves phish-proof but not drive-by-download-proof? If it is a mistake, why do we allow users to construct a set of preferences that are internally inconsistent in reasoning?

Monica’s post referenced above is a very interesting insight into the Mozilla development feature considerations and musings. The whole post is insightful and worth reading. I’ve added her blog to my RSS feeds. I’ve got my eye on those who look to move my Firefox cheese!

But seriously…

I found these preferences also but disabling them (value = false) seems to have the same effect as disabling the “Block reported attack sites” in the GUI options.

[screenshot: about:config safebrowsing preferences, 2014-09-13]

So no help on just isolating & disabling the application reputation check.

If you are curious, the default value for the “browser.safebrowsing.appRepURL” key is https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%

NirSoft may not be the only site/developer hit by this headache, but it sadly appears to be one of the most well known. It is clear that, due to the nature of the tools Nir writes, they do often turn up in the hands of malicious users, but a total block is very frustrating for the many, many sysadmins who depend on them for the support work we do, as well as for Nir himself (Nirblog tag link).

Sadly, unlike the advice I found from Mozilla and the mozillaZine forums, blanking out the “browser.safebrowsing.appRepURL” key value does NOT allow me to download the files successfully.

My Firefox version is 32.0.1 at the time of this posting (32-bit Windows version).

So for now I’m stumped and will likely be resorting to downloading the files using a different web browser.

Or maybe not…

Chromium also blocks it, but at least with Chromium I can choose to “hurt myself” by restoring the blocked download!

Internet Explorer 11, at least, isn’t too fussy about it.

Too bad there isn’t a feature in Firefox (like Chromium) that will allow you to allow/restore the blocked file on a case-by-case basis!  That would seem to be a nice balanced option.

1066133 – Provide a way to override application reputation checks on a per-download basis. - Bugzilla@Mozilla as filed by Wes Kocher

Currently, the only way to bypass the check is to disable the service completely. Would be nice to be able to leave the service enabled, but ignore it for a single download.

Some more thoughts/notes:

While re-attempting the download of PasswordFox after making the change to the “browser.safebrowsing.appRepURL” key, I ran a system trace using ProcessMonitor.

What I found were several of the calls to the local safebrowsing list files.

Per the documentation in the articles linked above, to make the malware check more efficient the browser first consults its local lists: an individual file’s signature is checked against a local list of trusted publishers, and the file is checked against the local list of known-malicious files. If the publisher is trusted, the file is allowed; if the file is on the malware list, it is blocked; only if neither local list decides does the browser proceed to the online file reputation check.
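To make the two disable options from the MozillaWiki text (untick “Block reported attack sites” versus blank out browser.safebrowsing.appRepURL) and the check order just described concrete, here is a small model of the decision, written for this post as an added example. It is not Mozilla’s code. The pref names and the default appRepURL value are the ones quoted above; the check order follows the wiki text; the decision logic is a simplified model of the Firefox 31-era documented behaviour. Every file, digest, publisher name, prefs variant and remote verdict in it is constructed for the example, and the remote lookup is a stand-in callback, not a call to Google’s service.

```javascript
// Added example, not Mozilla's code: a model of Firefox's Safe Browsing
// download protection and of the about:config prefs discussed in the post.
// Pref names and the default appRepURL come from the post; the decision
// order follows the wiki text; all lists, files and verdicts are constructed.

const DEFAULT_APP_REP_URL =
  "https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%";

// Parse user_pref("name", value); lines as found in prefs.js / user.js.
// Handles bool, integer and plain string values; string escapes are left
// as-is, which is enough to read the prefs this example cares about.
function parsePrefs(text) {
  const prefs = {};
  const line = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$/;
  for (const l of text.split(/\r?\n/)) {
    const m = line.exec(l);
    if (!m) continue;
    const raw = m[2];
    if (raw === "true" || raw === "false") prefs[m[1]] = raw === "true";
    else if (/^-?\d+$/.test(raw)) prefs[m[1]] = Number(raw);
    else if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) prefs[m[1]] = raw.slice(1, -1);
  }
  return prefs;
}

// Which protections remain on for a given prefs set. The two GUI checkboxes
// map to browser.safebrowsing.malware.enabled ("Block reported attack sites")
// and browser.safebrowsing.enabled ("Block reported web forgeries"). Per the
// wiki, the download checks hang off the malware switch, and the remote
// application reputation lookup additionally needs a non-empty appRepURL.
function effectiveProtection(prefs) {
  const get = (name, dflt) => (name in prefs ? prefs[name] : dflt);
  const malware = get("browser.safebrowsing.malware.enabled", true) === true;
  const appRepURL = get("browser.safebrowsing.appRepURL", DEFAULT_APP_REP_URL);
  return {
    phishingPages: get("browser.safebrowsing.enabled", true) === true,
    malwarePages: malware,
    downloadLists: malware,
    remoteReputation: malware && typeof appRepURL === "string" && appRepURL !== "",
  };
}

// Decide one download in the documented order: allow-listed signer first,
// then the local malware list, then (only if still undecided) the remote lookup.
function classifyDownload(file, lists, protection, remoteLookup) {
  if (!protection.downloadLists) return { verdict: "allow", reason: "download protection disabled" };
  if (file.signer && lists.trustedPublishers.has(file.signer))
    return { verdict: "allow", reason: "signed by allow-listed publisher" };
  if (lists.malwareDigests.has(file.sha256))
    return { verdict: "block", reason: "on local malware list" };
  if (!protection.remoteReputation)
    return { verdict: "allow", reason: "remote reputation check disabled" };
  const remote = remoteLookup({ sha256: file.sha256, url: file.url, signer: file.signer });
  return remote === "malicious"
    ? { verdict: "block", reason: "remote reputation: malicious" }
    : { verdict: "allow", reason: "remote reputation: " + remote };
}

// --- Constructed sample data (not real lists, files or verdicts) ---
const LISTS = {
  trustedPublishers: new Set(["CN=Example Trusted Publisher"]),
  malwareDigests: new Set(["b".repeat(64)]),
};
const SAMPLE_FILES = [
  { name: "signed-installer.exe", sha256: "a".repeat(64), signer: "CN=Example Trusted Publisher", url: "https://example.test/i.exe" },
  { name: "dropper.exe", sha256: "b".repeat(64), signer: null, url: "https://example.test/d.exe" },
  { name: "unsigned-tool.exe", sha256: "c".repeat(64), signer: null, url: "https://example.test/t.exe" },
];
// Stand-in for the remote application reputation service: it flags the unsigned tool.
const fakeRemoteLookup = ({ sha256 }) => (sha256 === "c".repeat(64) ? "malicious" : "unknown");

// Three user.js variants: stock, the wiki's "blank appRepURL" option, and
// the "untick Block reported attack sites" option.
const SAMPLE_PREFS = {
  stock: "",
  appRepOff: 'user_pref("browser.safebrowsing.appRepURL", "");\n',
  malwareOff: 'user_pref("browser.safebrowsing.malware.enabled", false);\n',
};

// Verdict for every sample file under every prefs variant.
function runScenarios() {
  const out = {};
  for (const [variant, text] of Object.entries(SAMPLE_PREFS)) {
    const protection = effectiveProtection(parsePrefs(text));
    out[variant] = Object.fromEntries(
      SAMPLE_FILES.map((f) => [f.name, classifyDownload(f, LISTS, protection, fakeRemoteLookup).verdict])
    );
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) console.table(runScenarios());
```

Run it with node and the table shows the difference the wiki describes: under the stock prefs the unsigned tool is blocked by the remote lookup and the listed dropper by the local list; blanking appRepURL only removes the remote verdict (the dropper stays blocked); unticking “Block reported attack sites” lets everything through. The model assumes the blank-URL option actually takes effect, which is exactly what I could not get the 32.0.1 build to do.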

Depending on your particular Firefox build they may be located differently. I use a portable version of Firefox and the key local safebrowsing file lists were located under this path:

<drive letter>:<subfolders>\FirefoxPortable\Data\profile\safebrowsing

For Windows (Vista/7/8) users who use an installed version of Firefox, I believe the location most likely would be here, inside the profile folder:

C:\Users\YourUserNameHere\AppData\Local\Mozilla\Firefox\Profiles\<profile folder>\safebrowsing

I wondered if possibly something had been corrupted, so I deleted (moved to a diff folder) all the contents, shut down Firefox, confirmed they were still gone, then relaunched Firefox.

They rebuilt after launch but I didn’t see the previously present “classifier.hashkey” file being restored. It was dated from 11/20/2012 so maybe it was a remnant from a previous FF version.

Alas, the file download still was blocked (deleted after download).


What is really silly is that while the 32-bit version of PasswordFox gets blocked…the 64-bit “Waterfox” version is allowed to download with no fuss!

Talk about lack of a consistent reputation/rule policy!


Back to the ProcessMonitor traces for now…

One final point. I’m focusing on Nir Sofer’s PasswordFox app in this post just because I can replicate the issue/behavior with it.

I don’t think it is in anyway limited to just that file in particular.

To be clear, this is less about that particular application and all about trying to successfully disable the application reputation download protection feature via the documented work-around from Mozilla.

If I do work out anything in terms of a “resolution” to getting the application reputation check feature disabled, I’ll post an update.

Curious…

Claus Valca

Update:

I downloaded the Mozilla Firefox ESR, Portable Edition 31.x and tried it.

It does have the “browser.safebrowsing.appRepURL” key present and the “https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%” value present by default.

This Firefox version let me download the PasswordFox file with no complaints or blocks at all.

Then I downloaded a fresh install of the Mozilla Firefox, Portable Edition 32.0.1.

It is missing the “browser.safebrowsing.appRepURL” key.

However, this Firefox version/download also let me download the PasswordFox file with no complaints or blocks at all. Even with that key missing entirely!

Maybe something is corrupt in my “production” Firefox build?

Update 2:

I shut everything down and tried the FF ESR portable version again.  This time (with no changes made) it did block the download of the PasswordFox file. Then I blanked out the required key and the download was allowed just fine. This is a FF 31.x release version. Resetting the key (it auto filled the default URL value in again by itself) and restarting FF ESR enabled the file download to block again.

I dumped my previous test install of FF Portable Edition 32.0.1 and rebuilt it from scratch. It blocked the file download on initial run now (as expected) as malicious.

Again, checking the about:config page finds it is missing the “browser.safebrowsing.appRepURL” key.

This time I manually added the key and the default string and restarted the browser.

The file download was blocked.

I then blanked out the focus string and restarted the browser.

Downloading again found the file still blocked.

I’m now leaning to there being some kind of bug (or feature change) in at least the 32.0.1 Firefox release in terms of that particular key.  Not only is it missing from the 32.0.1 release initially, once you put it in there manually…with the correct default value, and then remove it, and restart and attempt to put the “default” back, it doesn’t recognize/restore it automatically like the FF ESR release does.

Very interesting! So now I’m thinking it likely isn’t just a local problem with my FF profile/package.

Due to my testing, I can also confirm seeing this behavior: 1053645 – Downloads blocked by Application Reputation are retried on a restart - Bugzilla@Mozilla

More technical related discussions at Bugzilla@Mozilla - ”Application Reputation” Bug List

--CV

Monday, September 01, 2014

Network News Nuggets

Yes. I’m in the process of emptying out my “to blog” hopper.

Bear with me. The next several posts will be positively boring as I get them up for future reference.

NetworkMiner 1.6 Released - NETRESEC Blog; drag and drop support, improved email extraction handling, DNS analysis, live sniffing performance improvements, PCAP-over-IP remote sniffing added to the free version.

PCAP or it didn't happen - NETRESEC Blog

Wireshark 1.12 Officially Released! - Sniff free or die. Wireshark download

Wireshark 2 Preview (by Tony Fortunato) - LoveMyTool blog

Wireshark: A Guide to Color My Packets - PDF whitepaper at SANS Institute Infosec Reading Room

The trouble with multiple capture interfaces - Packet Foo

Security Analytics: having fun with Splunk and a packet capture file (pcap) - PDF whitepaper at SANS Institute Infosec Reading Room

Network Forensics Puzzle Contest 2014 Walkthrough - Network Forensics Puzzle Contest

Data vs. Metadata - F-Secure Weblog : News from the Lab

The Routing Wall of Shame - IEEE Spectrum

Small devices needs a large Firewall - PDF whitepaper at SANS Institute Infosec Reading Room

Snort on home routers - what a great idea -ZDNet

ntop - It has been a while since I worked with that tool, but as of August 13th, version 1.2 was released. Worth checking into.

Top 5 Network Monitoring Tools for Windows 8 / 7 - The Windows Club - Nice and simple list of some networking monitoring tools you may already be familiar with, or not.

Cheers!

--Claus V.

Ransomware News Updates

It has been quite a while since posting on ransomware trends.

Here is a quick roundup collected over the past few weeks.

CryptoPrevent v7.0 Released! - Foolish IT LLC - I really like the new interface of v7.x. It stays simple but can expand with additional more powerful options if needed. I continue to protect all of our home systems with this tool (and the layers of other av/am software as well). I highly recommend it for home users as an added level of prevention.

See also the unrelated Cryptolocker Prevention Kit (updated) from Spiceworks that offers an alternative protection solution. Get the download from here.

Finally, I kindly remind you of CryptoLocker Defense for Sysadmins - EventSentry Blog - a new and interesting enterprise-class tool for detection of CryptoLocker threats.

Some rescue possible

FireEye and Fox-IT joined up and have started a free service that may allow some users infected with earlier variants of Cryptolocker to unlock their files at no cost.

So is the ransomware threat gone? Hardly. If not gone, it is morphing into new variants, all the more dangerous.

Continue to stay protected!

Cheers.

--Claus Valca

PSA: Mind your SOHO Routers!

Just a quick PSA notice -- does your home router…

  • Have its firmware patched to the most currently available level?
  • Have its default admin password changed to a more secure unique one?
  • Use the strongest security settings possible for the needs you use it for?

If not, you may want to go back and double-check all those things.

“SOHOpelessly BROKEN” hacking contest aims to test home router security - Ars Technica

SOHOpelessly Broken - DEFCON 22 Contest

Netis Routers Leave Wide Open Backdoor - Security Intelligence Blog | Trend Micro

Be safe.

--Claus V.

A Better Response; information and ice-cream

The other night near bed-time I asked Lavie to please keep a closer eye on the old bank account.

Within the past month we had some scrumptious DQ Blizzard desserts and had used our bank card.

She regularly does anyway and asked why.

I basically summarized this.

As far as I know, no list of impacted store locations/franchisees has been released publicly. We know general information at the state level, but nothing beyond that.

Although there are more than a handful of DQ stores around our immediate area, we always frequent a particular store.

There, the family proprietors are always on site and friendly. They ask about our family; we theirs. We talk about the community, trends seen, and too much work over all.  That personal touch is as refreshing as the dessert menu.

After patiently listening to me, Lavie then said, “Well, that makes sense then.”

Turns out she stopped by their store this week and the proprietor explained that he didn’t want to take our bank card for the ring-up and that for now, the store was operating on “cash-only”.  He assumed Lavie (and his customers) hadn’t heard about the potential data breach and was providing a face-to-face explanation to every one of his customers.

He explained that as far as they knew, their store POS system/network hadn’t been hit, but he could not be 100% sure just yet. They were waiting for additional security audits to be completed before they felt they could return to processing bank cards.

He then proceeded to give Lavie her ordered dessert treat free in gratitude for her continued business; despite her kind objections.

It was a large dipped ice-cream cone and the value to us as customers was priceless.

Time will tell and I do hope their POS mechanisms are found to be safe after the audits are completed. If not, well, that may mean a new set of bank-cards even though the newness still hasn’t worn off the last ones we got due to the Target fiasco.

And about that Target fiasco.

We used to shop at Target every few weeks.

In the aftermath, we were offered (via press releases in the news) discounts on purchases for a time. And that’s that. Target sends us all kinds of personalized catalogs, special deal offers, etc. but I don’t ever recall getting a personalized type of “our bad” communication directly from them as a customer. We did get some new bank-cards with personalized and friendly service (with a modicum of targeted finger-pointing) from our bank.

The only reason I really knew -- deeply -- what was going on behind the scenes with that particular data breach was that I follow InfoSec news. If I had relied only on media outlet reports, I would be woefully uninformed.

We haven’t shopped at Target since the breach was announced. That’s a big thing. Our shopping patterns have been adjusted; sometimes inconveniently. I’m sure they now have new measures in place, and are doing a lion’s share of work rebuilding their customer confidence levels. Their house is probably filled with layers and layers of security checks, balances, monitoring, and diligent oversight. Lessons learned the painful way. Will we return to shopping there? Probably eventually.

Will we be going back and getting more treats and baskets from our local neighborhood DQ? You bet and maybe even later today!

Will we be paying in cash for a while longer? Probably so.

In this case, even though the breach information is super-thin, the face-to-face communication -- however embarrassing and business impacting to the proprietor -- signals a personal recognition of sensitivity and concern to us as customers that is priceless.

And in this new age of hack/whack-a-mole, information and communication is everything.

Cheers.

--Claus Valca