Monday, November 11, 2013

Links of Note this week

Saturday was a pretty busy day around the Valca home.

I successfully upgraded Lavie’s Windows 8 laptop to Windows 8.1.  More than a few lessons were learned that may get a post later. However suffice it to say that the upgrade went smoothly and the only “damage” was that the custom Dell touchpad settings she had set up were wiped and she had to re-program them again from scratch.

I decided to pull the trigger and update my Windows 7 system’s Internet Explorer browser to IE 11. I could have waited -- and probably should have -- but some new zero-day reports on IE exploits making rounds and IE 11 being in a “release” state convinced me to give it a shot.  I really don’t use IE much on my home system. There is one on-line bill I pay with it -- the rest I use Firefox for as my browser of choice. For some reason this singular utility’s website doesn’t seem to fully render form pages correctly in Mozilla. Chrome does (usually) work but not always so IE it is. Finger’s crossed the IE 11 rendering works.

I really want to upgrade Alvis’s Win 7 IE browser to IE 11 as well as she uses IE a bit more than I do. However I don’t yet dare. Her college campus has a portal page for the students to use in interacting with their professors, to upload assignments, to download material, to take on-line exams, etc. It is horrible. If I upgrade Java (required) to the most current patched level/build. It breaks and nothing on the portal page works. Even in IE Compatibility mode. So I don’t want to run the risk of messing up her school portal interaction with and IE upgrade. Fortunately, she almost only uses IE for that. She is a Chrome browser user and actually has it set as her default Windows browser so we live for it for now.

Lavie’s laptop is already on IE 11 as it came for the ride with Windows 8.1.

I will say that IE 11 launches much faster on my Windows 7 system than IE 10 did. Other than than, I can’t really tell a difference…so I guess that is a good thing.

Here’s the linkage. It’s a hodge-podge this week but fairly thin.

Web Browser News…

What made the IE Zero-Day exploit interesting is that early malware analysis indicates that the payload runs in memory only and does not write itself to disk, making artifact analysis much more challenging. This could be another signal that defense-in-depth supported by NFAT techniques and packet monitoring/logging could be critical in incident detection, response, and analysis.

Speaking of Networking…

Network Throughput Testing Tools - WindowsNetworking.com

When Worlds Collide - wirewatcher - Wonderful post on using ELSA in a SecurityOnion deployment to tear up network activity logs and drill down (leveraging Carbon Black linked to ELSA) to pick apart a remote system’s activity. Neat.

Anatomy of Message Analyzer Analysis - MessageAnalyzer Blog

Update: naft-gfe.py - Didier Stevens

Malware and Incident Response…

Hacking a Reporter: Writing Malware For Fun and Profit (Part 1 of 3) - SpiderLabs Anterior

Hacking a Reporter: Writing Malware For Fun and Profit (Part 2 of 3) - SpiderLabs Anterior

Not just another pretty wrench! (by Casey Mullis) - LoveMyTool has a brief intro to Brett Shavers’ Windows Forensic Environment / (WinFE) project.

CryptoPrevent 4 - Introducing Event Logs and Email Alerts - Foolish IT - This new version has some more features added. If you are using this to defend against the CryptoLocker ransomware, then be sure you are using the latest version and go back often into it and run the “check for updates” feature. It works very smoothly. Once the update is done, you must hit the “Apply” button (and reboot) to apply the updated changes to your system. Or just pony up the $ and get the auto-updating version. It’s still much cheaper than a couple thousand in bitcoins to fix your system after it gets infected.

CryptoLocker Crew Ratchets Up the Ransom — Krebs on Security

CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest - Security Intelligence Blog at Trend Micro

Cryptolocker: Time to Backup - ThreatTrack Security Labs Blog

For the SysAdmins…

DOWNLOAD: Group Policy Settings Reference for Windows and Windows Server (Including 8.1 & 2013 R2) - Kurt Shintaku's Blog

Out Now: Group Policy Settings spread sheet for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 - Group Policy Central

Download Group Policy Settings Reference for Windows and Windows Server - Microsoft Download Center

Cheers,

--Claus Valca

2 comments:

Unknown said...

As a physical device you might want to take a look at the Zalman ZM-VE400 2.5 HDD drive enclosure, it's amazing. It emulates a USB HDD and USB optical drive, mounting ISOs from a special folder on the disk.

I have tons of ISOs on mine, and I can even tell the device to hide the HDD part if I want to avoid overwriting it by mistake while booting from the virtual DVD. It also has a write lock setting - and depending on the disk you put in, it has room for any tools you can think of. Did I mention it does AES encryption with a keypad on the device, too? :-)

Claus said...

@ Jasper - Thank you very much for the suggestion and taking time to comment! I've been more than a bit busy these past weeks.

Actually...I do have an older IODD 2501 model that the TinyApps.Org bloggest sent my way more than a few years ago.

Here is my post on it and a follow up one to one of their newer Zalman versions in case you want to be entertained by my silly gushing.

iodd : Multi-boot madness! -GSD Blog post

Zalman ZM-VE series Enclosures: Next-Gen Virtual ODD - GSD Blog post

I still use and depend on it very heavily. It isn't as fancy with the AES/keypad access feature, but it does have a write-lock switch and the firmware updates have allowed me to extend its feature set with partition type better than when it first came out.

I've got it loaded down with all kinds of ISO distros and some more custom WinPE builds I have done over the years. It is indeed super awesome. Mine also supports an eSATA connection so speeds can be pretty spiffy compared to USB 2.0 if a system I am working on has that as a hardware option.

It is kept in my laptop/back-pack bag so when I'm going for a service appointment or extended visit I can carry it with me.

Otherwise I keep most all of my tool-sets (I'm a portable apps junkie) on my Kangaroo USB drive (set to be bootable from a WinPE (8.0) build. That's only because I can stick the USB stick in my jeans coin pocket and not think twice about it going visiting to friends and family in case a question comes up. With the IODD I have a ton more resources at hand with all the ISO's but I have to keep up with the physical device a bit more.

For security, I just keep a TrueCrypt volume on it for storing confidential items. It's easy to make/tear them down at will.

The only think I found a bit aggravating about it is that the 640GB laptop drive I originally got to put it in was just a hair too thick for the case. It fit, but the drive didn't seem to spin right. I downsized to a faster (but smaller) 320 GB drive and it is still doing the trick for its tasks.

It's always fun to hear of another Zalman/IODD/ODD fan. I'm surprised they aren't more common in the IT worlds but for those who know about them, they are an indispensable tool.

Cheers!

--Claus V.