Sunday, April 15, 2012

Bits and Pieces: Mini Link Rundown

I probably should be pleased to have crammed in three posts this weekend.

Alas I am not. I’d intended to get one more “biggie” out the door this weekend…aimed for all you sysadmins. I have in mind a “Case of the Unexplained…” type theme on running down some crazy Windows 7 system behavior on a system at the church-house, multi-GB trace file captures, and sundry stuff like chasing a white rabbit down CPU process utilization percentages and disk utilization by process IO type.

I’m back from that chase with lots of notes, but to do it justice, I’ve got to wait till next week.

So let’s just enjoy our company at final call over these late-breaking weekend links. Hopefully they will carry us into the week with some inspiration and a few shiny new utility toys to play with at our desks.

Adobe April 2012 Black Tuesday Update - ISC Diary - In case you missed it, there were a number of critical Adobe patch updates this week.

APSB12-08 - Security updates available for Adobe Reader and Acrobat - Adobe Security Bulletin - Updates now to 9.5.1 and 10.1.3. This goes for both the PDF “reader” versions as well as the “full” Acrobat PDF generating software application. Patch!

At the end of last month some Adobe Flash Player updates came out, one feature of which is to now include an “auto-updater” feature for Flash Player (if so selected in the options). That release back on March 29th was 11.2.202.228.

Guess what snuck out of Adobe Friday (the 13th?). Version 11.2.202.233 of Flash Player.

  • 4/13/2012 - Flash Player Update - Adobe Forums
  • Flash Player 11.2, AIR 3.2 - Adobe Release Notes
  • Adobe - Flash Player - Lists your installed version (check page with each browser you use) and a table of the current version for all platforms.
  • Installation problems | Flash Player | Windows - Adobe. I dropped over to this page, then scrolled just a bit lower to the “Install in a firewall proxy server environment” section to grab all of the direct download installer links there. It’s a one-stop shopping session! Then I spent some time manually updating my portable browser plugins to all the newest versions. Sheesh. Sadly I’m getting very good at it and have now even crafted a custom batch-file to auto-copy/overwrite the new Flash/Reader version DLLs to the plugin directories in my browsers to save me time.

If in doubt, try running Qualys BrowserCheck page in each of your web-browsers to check your patch-level or use the Secunia Online Software Inspector (OSI). Either of these tools will help tell you if your browsers are securely patched.

Download just imagex.exe (568k) - TinyApps blog. I LOVE Microsoft’s ImageX.exe imaging tool. It has become second-nature for me to use. If you do a lot of WinPE building and use you probably have already extracted it and keep it handy. However, if not, TinyApps blog shares a quick tip on getting your hands on it from the WAIK without all the drama of installing the WAIK on your system.

Increase hard disk size in VirtualBox 4.x - TinyApps blog. I know no-one actually creates a virtual hard-drive without first considering (and allocating) all the size they will ever need (and then some) before they first get started. Right? TinyApps bloggist has a great walk-through on how to enlarge your drive size without having to mail off for sketchy blue pills. Lots of supporting linkage at the end as well.

Value of Targeted Timeline Analysis in Research - Windows Incident Response blog - Keydet89 provides a great post on the work that goes in towards gaining a better understanding of event timelines and Windows behavior. It’s through detailed work like this that our knowledge gets sharper.

Challenge: What can you do with funky directory names? - ISC Diary post - Mark Baggett warns us to beware those funky file/directory names in Windows! Check out the comments carefully for more feedback. On a related note, the Hexacorn Blog Forensic Riddles posts contain a whole lot more of file-name and directory name tricky shenanigans to be aware of!

NetworkMiner 1.3 Released - NETRESEC has released v1.3 of the amazing (and still free) NetworkMiner NFAT. This release contains a number of new parsing and extraction features. Go get it now! Of course, if you are lucky enough to be able to purchase a copy of the NetworkMiner Professional version -- sadly I’m not ;-( -- that too has been updated and you can get your upgraded version for free from their customer portal with login. Happy upgrading, free and pro users alike!

eXtra Buttons: utility buttons in the title of the window - freeware - clever little utility that adds a few extra option buttons to your Windows windows. The default windows options in the top-right corner are minimize, maximize, and close. This app gives you up to thirteen options for managing your window, including roll-up/unroll the window at the caption bar, minimize to System Tray, transparency effects, and minimize to a predefined box area on your desktop. I don’t usually use windows tweaking utilities, but this one could be very useful for you multi-window-multi-taskers.

Synkron - freeware - Folder synchronization application. Yeah, I hear you. Claus, really? After that super-long roundup of sync/backup apps you recently posted? Just had to add another one? Yep. This one has a pretty intuitive interface and also comes in a Synkron Portable | PortableApps version as well. More details in this older AddictiveTips blog post.

Colasoft Ping Tool - freeware - Colasoft has a great and super-handy ping tool that supports pinging multiple IP addresses as well as useful charting tools for monitoring and analysis.

Anti-virus scanning exclusions - ISC Diary post - Daniel Wesemann kickstarts a discussion on setting exclusions in your AV scanning policies. Some vendors have recommendations on file/folder exclusions to improve system performance. On the other hand, the thought of creating “safe-zones” that could be exploited by malware for APT landing could outweigh the benefits of following the recommendations. Check out the post and the lively comments that follow. Do you even know if/what your own (or your customers’) policies are regarding AV exclusion settings? Worth looking into.

Malware blocks booting - The H Security. News post about a pretty new ransomware attack that hits the MBR, discovered by TrendLabs. While the vector itself isn’t necessarily anything new (messing around with the MBR), apparently the combination of using it in a ransomware attack is. Trend Micro also has instructions for removing the infection if you encounter this bad-boy.

And then there was this “bad news getting worse” over the weekend:

Medicaid hack update: 500,000 records and 280,000 SSNs stolen - ZDNet Zero Day blog. Original post here: Medicaid hacked: over 181,000 records and 25,000 SSNs stolen.

Expect the fallout from this one to be pretty massive. Quoting from Emil Protalinski’s article linked above:

DTS had recently moved the claims records to a new server, which had a configuration error at the password authentication level, allowing hackers to circumvent the security system. DTS says it shut down the affected server, implemented new security measures, is reviewing every server in the state to ensure proper security measures are in place, identified where the breakdown occurred, and has implemented new processes to ensure this type of breach will not happen again.

It was just a year ago we were dealing with a similar mess here in Texas. Although in that case, it seemed to be more an issue of inside IT data mismanagement rather than a hacker attack.

Hoping the week ahead gets better even though it hasn’t started yet.

Hang tough and remember “Constant Vigilance!”

--Claus V.
