Saturday, October 04, 2014

New and Improved Utilities

Network Stuff Found and Updated

Which brings me back to the pretty cool Windows “firewall” application GlassWire. Previously featured via tinyapps.org, I spotted a new review of it that had some fresh examples of its usefulness, illustrating alert-event marking for later examination. In one case, it helped a user discover network activity from malware that had gone undetected.

Then in those comments there was a reference to the KDE application KNemo - Network Monitor.

Utilities of Usefulness

  • AOMEI PE Builder - I’m always keeping one eye open for new WinPE building tools and this seems useful for the non-tech crowd who may not be up to taking on a project from the WinBuilder tool or one of the many specialized building sets at reboot.pro. For someone just getting their feet wet, this might be a good place to get started.
  • OPSWAT AppRemover - I keep rediscovering this tool every year or so. It is updated regularly and can aid in the removal of many Supported Applications. Good for a first-pass on a new OEM system.
  • GEGeek Tech Toolkit - Considering the work I do finding and maintaining all the tools and utilities on my own USB stick, this seems like a cheat, but if you are lazy, here you go. Related are the NirLauncher package builder and KLS Soft’s WSCC - Windows System Control Center (also updated to version 2.3.0.1 as of Sept 2014).
  • OpenSaveFilesView - NirSoft - a new utility that displays files previously opened with the open/save dialog box. More on NirBlog. Spotted via this Betanews post.
  • FixWin v 2 for Windows 8, Windows 8.1 - The Windows Club - Easy but powerful tool to fix common Windows issues. Use with caution. A similar tool is the (no longer developed but still available) d7 Free tool from Foolish IT LLC.

Lights, Sound, Action!

Cheers,

Claus Valca

Windows 10 (TP version) it is…

OK, so at first we thought it might be “Win 9” but the TP name is now known to be “Windows 10”.

Why 10? Well, speculation continues, but the most logical explanation put forward (which in the InterWeb of things means it must be totally Photoshopped) is that some software coding looks for Win 95/98 versions with a wildcard routine…so Windows 9 might trip it and muck things up worse.

So there you go.

Also for the tinfoil hat wearers out there, be aware that the Windows 10 TP version EULA from Microsoft contains some strong usage/behavior monitoring should you decide to download, install, and accept the privilege of running it.

Windows 10 TP “Privacy Statements” PSA

Windows 10 Technical Preview: Data protection declaration allows Microsoft to collect almost any data (GTranslated) - Caschys Blog.

Want to read it for yourself directly from Microsoft?

Also, if your PC runs into problems, Microsoft will likely examine your system files. If the privacy of your system files is a concern, consider using a different PC. For more info, read our privacy statement.

Data We Collect

Microsoft collects many kinds of information in a variety of ways in order to operate effectively and provide you the best products, services and experiences we can. We may combine this data with information that is linked to your user ID, such as information contained in your Microsoft account.

When you acquire, install and use the Program, Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage. For example, when you:

  • install the Program, we may collect information about your device and applications and use it for purposes such as determining or improving compatibility,

  • use voice input features like speech-to-text, we may collect voice information and use it for purposes such as improving speech processing,

  • open a file, we may collect information about the file, the application used to open the file, and how long it takes and use it for purposes such as improving performance, or

  • enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spellcheck features.

The Program contains internet-enabled features and social functionality. When these features are used, they transmit certain standard computer information ("Standard Computer Data") to Microsoft. Standard Computer Data may include information about the Program computing environment such as IP address, network status, operating conditions and information about devices and software used with the Program.

The Program contains internet-enabled features that transmit performance or usage information to Microsoft (“Experience Data”). Experience Data may include information about the Program’s performance and reliability, such as how quickly the Program responds when you click a button or how many problems you experience with the Program. Experience Data may also include information about your use of the Program, such as the features used most often or how frequently you launch programs. Experience Data may be collected through the use of cookies or similar technologies; learn more below.

So, use caution and contemplation before deploying it in a production network/environment with live user-data/files.

Of course, to Microsoft’s favor, that should be part of the “benefit” we get for first-access to their product so they can monitor and improve it for everyone.

Just something to keep in mind.

Moving on…to the Win 10 TP general linkage

Installation Options for Win 10 TP

Command Prompt feature adds in Win 10 TP

Even Deeper Technical Features of Win 10 TP

Start Menu and Related Features of Win 10 TP

I’ve not yet enrolled in the “Insider” program and downloaded the Windows 10 Technical Preview bits yet, but will probably do so and run in a tightly locked down virtualized environment.

However, if the primary feature sets revolve around the Start Menu and don’t deliver some killer kernel-level and OS enhancements, I’m probably not moving off Windows 7 anytime soon after its release. Lavie will probably want it on her Win 8.1 system though…

And so the great Windows OS experiment continues…

Cheers!

Claus Valca

TrueCrypt linkage

tinyapps.org blog has been running a nice series of posts regarding TrueCrypt.

I’ve been using TrueCrypt for some time now (just shy of a year) on my Windows 7 system as at the time it seemed to be the best balance of security and compatibility/recoverability for my needs.

Again, I’m using TrueCrypt whole-disk encryption to protect the data on my laptop in case it is lost by theft or careless user misplacement. Other solutions are out there and they have their own pros/cons.

In the aftermath of the TrueCrypt “collapse” back in May 2014, many have fled TrueCrypt and no longer trust it.

I noted the other day a new TrueCrypt fork called CipherShed via this InfoSec Handlers Diary blog post.

It’s worth being familiar with, but in light of the recent round of postings, I wanted to seek out the opinion of the GSD-respected tinyapps blogger regarding this fork.

I did receive sage wisdom and was kindly pointed to this discussion:

Just a point to consider for now while the Phase II audit process continues…

More resources on TrueCrypt itself

Update April 14, 2014: Phase I of the audit is complete, and the report is available. Phase II begins on the formal cryptanalysis.

I’m not a programmer so I’m just watching and listening to the discussions and audits by those professionals who are. I’ll continue to post bits as both projects move forward.

Cheers,

Claus Valca

Firefox Updates, Nirsoft Changes, and Evil Add-Ons

Regular readers may recall a few weeks ago I was beating my head against the desk struggling with Mozilla’s SafeBrowsing changes, particularly when trying to download files from NirSoft.

I’m still not sure why the behavior ceased, but as the FF Extension Guru pointed out in the comments, Nir Sofer had made changes to the software in an attempt to reduce false malware identification rates.

Or it could have been a change buried in one of the rapid-fire Firefox updates released after my original posts:

Regardless, I’ve been able to download all the NirSoft apps I need/want for updating since then with no ill effects.

Also this week, Scott Hanselman found “evil” behavior in a Google Chrome extension he downloaded recently.

It’s another great post on a long-running theme that you can’t automatically trust any browser add-on, be it from Mozilla, Chrome, or IE.

As usual with most Hanselman blog posts, the comments were filled with germane information and additional resources:

And for context, while this can impact you as an individual/private web-browser user, it could also impact enterprise browser deployments if the sysadmin policy allows for end-user installation of add-ons/browsers.

What would be the impact if a “harmless” add-on surreptitiously was serving additional ad content in the background of web pages? Annoyance and bandwidth impact? Probably, but if that ad content was exploited to serve malware, regardless of the add-on developer’s knowledge, it could have serious implications for the security landscape at your organization!

Just sayin’…

Claus Valca

More Ubuntu Miscellaneous Goodness

So while I was patching my Ubuntu 14.04 build I was more than a bit frustrated (still) with that Unity workspace interface.

Are there other options?

Yes! Indeed!

Worked like a charm and I like much greatly.

While hanging out there at OMG! Ubuntu (sadly I cannot find an RSS site feed), I found a lot of other neat links to waste my time with.

I immediately snagged the new wallpapers and scandalously added them to my Windows 7 wallpaper rotation set. I live on the edge like that.

Last week I also discovered It's F.O.S.S., which had some fun links as well.

Cheers,

Claus Valca

Shellshock Patching for little old me here at GSD

So while I do primarily run Windows OS versions here at the GSD micro-ranch, I do have at least one Ubuntu (14.04) virtual machine that I use.

So, it seemed like a Good Idea to go ahead and do some patching.

The very first thing I did was to hit the easy button and just open a terminal prompt and type/execute

sudo apt-get update

Or you could just run the “Software Updater” application.

(Note: it’s good practice to do that regularly, regardless if there is an exploit-de-jour out and about or not!)

Then, for good measure and a waste of time, I did this:

sudo apt-get update && sudo apt-get install --only-upgrade bash

You may also want to run this for cleanup (optional):

sudo apt-get autoremove

Reboot and done; at least until I check back weekly and look for new updates.
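After the update-and-upgrade steps above, a quick way to confirm the new bash actually took is the widely published Shellshock self-test, which only runs a local bash with a function definition smuggled into an environment variable and checks whether the trailing command gets executed. This is an added example, not part of the original post; the dpkg-query call is Debian/Ubuntu specific and falls back to bash --version elsewhere.

```shell
#!/bin/sh
# Added example (not from the post): verify the bash patch locally.
# A vulnerable bash executes the "echo vulnerable" that trails the
# exported function body; a patched bash ignores it (and warns on
# stderr, which is discarded here). Nothing touches any remote system.

shellshock_status() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return; }
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null) || out=""
  case "$out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
}

# Installed bash version, for the record. dpkg-query is Debian/Ubuntu
# specific; on other systems fall back to bash's own banner line.
bash_version() {
  if command -v dpkg-query >/dev/null 2>&1 \
     && dpkg-query -W -f='${Version}\n' bash 2>/dev/null; then
    return
  fi
  bash --version 2>/dev/null | sed -n '1p'
}

echo "bash package:         $(bash_version)"
echo "shellshock self-test: $(shellshock_status)"
```

Run it before and after the apt-get steps; the self-test line should flip from "vulnerable" to "patched" if the upgrade was picked up.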

References:

Also, for you Apple OS users:

Cheers,

Claus Valca

Shellshock/Bash-bug News and Linkage

Yes, it has been that kind of a week.

Here are my picks of news and link summaries for the Shellshock/Bash-bug exploit that hit the InterWebs this past week.

Again, like BadUSB, it pays to be familiar with these exploits and trends even if you “think” you are safe in a Windows environment.

Everything you need to know about the Shellshock Bash bug - Troy Hunt’s blog. And to address that “We’re on Windows so we are safe” thought, let me quote directly from Troy’s post above:

All our things are on the Microsoft stack, are we at risk?

Short answer “no”, long answer “yes”. I’ll tackle the easy one first – Bash is not found natively on Windows and whilst there are Bash implementations for Windows, it’s certainly not common and it’s not going to be found on consumer PCs. It’s also not clear if products like win-bash are actually vulnerable to Shellshock in the first place.

The longer answer is that just because you operate in a predominantly Microsoft-centric environment doesn’t mean that you don’t have Bash running on machines servicing other discrete purposes within that environment. When I wrote about Heartbleed, I referenced Nick Craver’s post on moving Stack Overflow towards SSL and referred to this diagram of their infrastructure:

There are non-Microsoft components sitting in front of their Microsoft application stack, components that the traffic needs to pass through before it hits the web servers. These are also components that may have elevated privileges behind the firewall – what’s the impact if Shellshock is exploited on those? It could be significant and that’s the point I’m making here; Shellshock has the potential to impact assets beyond just at-risk Bash implementations when it exists in a broader ecosystem of other machines.

FREE Pluralsight Course: Understanding the Shellshock Bash Bug - Troy Hunt’s blog. Troy offers a free 35+ minute training presentation going over the Shellshock Bash Bug. It should be a great review that everyone in the security or IT administration community should take advantage of.

The anatomy of a Shellshock attack in the wild - Troy Hunt’s blog.

So what harm could be done? Um…plenty.

Even more reading…

Constant Vigilance!

Claus Valca

BadUSB News and Linkage

I first noticed news about BadUSB in late July. A smattering of articles were appearing in my RSS feed.

I read them with curiosity but don’t believe I actively posted anything about them.

However, recent new events and at least one security software counter release that I am aware of (so far) have led me to go back into the RSS feed archives.

At the very basic level, someone using the BadUSB vector would modify the firmware of (almost any) USB device to execute very low-level code. Detection may be possible, but could be very difficult using current techniques. Common examples of attack code would be a keylogger, emulating network-card behavior for exploitation, and malware delivery.

The initial POC presentation was offered at the Black Hat USA 2014 conference “BadUSB - On Accessories that Turn Evil” by Karsten Nohl and Jakob Lell. Presentation from YouTube below and here.

This appears to be a summary from their website: Turning USB peripherals into BadUSB - Security Research Labs

And here are the presentation slides.

Nohl and Lell did not release the modified firmware but did provide POC for Android devices.

However, just this past week, a different team did release source code for a BadUSB-like exploit. According to the Wired article linked below, this team did so to push the security community into developing detection/protection methods and to get the USB standards that allow this exploit closed.

Considering the ubiquitous nature of USB devices, this will be no small task. I expect to see either epoxy-filled USB ports experience a fashion revival or even computing hardware (laptops/desktops/etc.) models that come sans USB ports entirely.

Here is some earlier and digestible linkage about the BadUSB concept as a security threat.

My favorite USB brand, Kanguru, has come out with a statement about how their Kanguru Defender line of products isn’t impacted by BadUSB due to digitally signed secure firmware.

My only problem (so far) with these enhanced/encrypted high-security USB devices (like IronKey as well) is that I haven’t seen that you can make them into “bootable” USB devices for use with WinPE/WinFE type configurations. While they can hold the data very securely, they can’t be used to load a bootable system onto and then “off-line” boot a target system. If anyone knows how to do so with an IronKey or Kanguru Defender series device (even if limited to a specific model), please drop a reference/tip in the comments. I’d love to know!

Not to be outdone, one German company, G Data Software, has released a free anti-BadUSB software tool to help protect systems.

According to my reading of the product description, running the software before inserting a USB device lets it baseline the system state and then trigger an alert if a new keyboard device is detected loading when a USB device is connected. Initial access to the device is blocked, allowing you to investigate before granting it.

I’ve not seen any “state-side” articles or postings about this software just yet; almost all are German sourced, but it may be a useful consideration. General consensus is that this is a kind and good first effort by the G DATA developers against basic attacks, and that with time and contribution a more hardened and expanded feature set could be developed.
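The same "did a keyboard just appear when I plugged in a storage device?" idea the G DATA tool applies on Windows can be run as a log-triage heuristic on a Linux box. The script below is an added example, not from the post and not G DATA's code: it scans kernel log (dmesg) lines and flags any USB device that enumerated both a mass-storage interface and a HID keyboard, the composite signature a reprogrammed "thumb drive" would show. The device names and vendor/product IDs in the sample log are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post, not G DATA's code): flag USB devices
# that show up as storage AND keyboard in kernel log lines read on stdin.
# Correlation key is the vid:pid, because "New USB device found" and
# usb-storage lines name the port while hid-generic lines name the IDs.

detect_composite_keyboards() {
  awk '
    { sub(/^\[ *[0-9.]+\] /, "") }                 # strip dmesg timestamp
    # "usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, ..."
    $1 == "usb" && /New USB device found/ {
      port = $2; sub(/:$/, "", port)
      if (match($0, /idVendor=[0-9a-fA-F]+, idProduct=[0-9a-fA-F]+/)) {
        s = substr($0, RSTART, RLENGTH)
        gsub(/idVendor=|idProduct=| /, "", s); sub(/,/, ":", s)
        id[port] = tolower(s)                      # port -> "vid:pid"
      }
    }
    # "usb-storage 1-2:1.0: USB Mass Storage device detected"
    $1 == "usb-storage" && /USB Mass Storage device detected/ {
      p = $2; sub(/:.*$/, "", p)
      if (p in id) storage[id[p]] = 1
    }
    # "hid-generic 0003:1234:ABCD.0002: input,hidraw1: USB HID v1.11 Keyboard ..."
    $1 == "hid-generic" && /USB HID .*Keyboard/ {
      if (match($2, /:[0-9a-fA-F]+:[0-9a-fA-F]+\./))
        keyboard[tolower(substr($2, RSTART + 1, RLENGTH - 2))] = 1
    }
    END {
      for (k in keyboard) if (k in storage)
        print "ALERT: device " k " enumerated as storage AND keyboard"
    }
  '
}

# Constructed sample log: a fake "thumb drive" (1234:abcd) that also registers
# a keyboard, and a plain keyboard (1234:5678) that must not raise an alert.
SAMPLE_DMESG='[  101.150000] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.10
[  101.160000] usb-storage 1-2:1.0: USB Mass Storage device detected
[  101.900000] input: Example Thumb Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:1234:ABCD.0002/input/input12
[  101.910000] hid-generic 0003:1234:ABCD.0002: input,hidraw1: USB HID v1.11 Keyboard [Example Thumb Drive] on usb-0000:00:14.0-2/input1
[  130.000000] usb 1-3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice=64.00
[  130.500000] hid-generic 0003:1234:5678.0003: input,hidraw2: USB HID v1.10 Keyboard [Example Keyboard] on usb-0000:00:14.0-3/input0'

printf '%s\n' "$SAMPLE_DMESG" | detect_composite_keyboards
```

On a live system feed it real output (dmesg | detect_composite_keyboards); it is after-the-fact triage, not the pre-insertion blocking the G DATA tool does.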

So, time to add this threat to the watch-list, even if it isn’t likely to be that common for most folks, yet. For other high-value targets, it might be a nightmare just one seeded USB stick in the parking lot away.

Constant Vigilance!

Claus Valca