Sunday, September 29, 2013

Links of the Week

Here is a hodge-podge of links that stood out this week.

Tr3Secure Data Collection Script Reloaded - Journey Into Incident Response blog - Corey Harrell has news and updates on the Tr3Secure Volatile Data Collection Script he developed some time ago.

Tr3Secure Data Collection Script Reloaded - Journey Into Incident Response blog - Corey then follows up with a “real-world” walkthrough of the Tr3Secure Volatile Data Collection Script after purposefully infecting a lab PC for the sake of the discussion. It’s one thing to read about what a tool and process can do; it is a real treat to have the author lead a guided walkthrough of the tool in action. As always, don’t forget to follow up with a read of the comments as well.

plaso - super timeline - from the website: “Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timeline. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.” Spotted via this CDF at Champlain post.

Microsoft Security Essentials: Aiming low? - ZDNet - Larry Seltzer offers some thoughts on Microsoft’s free AV solution. He really doesn’t thrash MSE but does point out that there are many other free alternatives that tend to score better in detection tests. It seems like a pretty reasonable perspective. FYI, I have been debating making a change from Microsoft Security Essentials to Bitdefender Antivirus Free. Yesterday I uninstalled MSE and replaced it with BAF. The changeover went very smoothly. The deciding factor for me was the ongoing poor post-boot performance of my system. While I don’t have an SSD in my laptop, it is running an Intel i7 CPU with 8 GB RAM. After boot, MSE’s scanning of the post-boot environment seemed to be slowing the launch of a number of my applications for a while as processes and files got scanned. Now that I am on BAF, I don’t see those post-boot application hangs. That said, I will continue to primarily recommend MSE to family and friends unless repeated infections indicate a need for the advanced protection BAF may provide.

Before moving on from Microsoft Security Essentials and Windows Defender (for Win 8), I thought this post Windows Defender and context menu for file check? (GTranslated) at Borns IT and Windows Blog was very insightful. Some time ago I posted a number of Windows Defender tweaking tips in Advanced Tips for Windows Defender with Windows 8, one of which was how to add a scan with Windows Defender to the context menu list in Win 8. Born acknowledges that this is a popular request and goes through how it is accomplished. However, as he points out, because of the way Windows Defender operates, when a file is accessed via (File) Explorer, Windows Defender already scans it before allowing access. If it is infected then you don’t get to fiddle with it. Same thing with downloaded files; again, they are pre-scanned by Windows Defender. So you can manually scan them again if you want, but know that if you do use Windows Defender in Win 8, it has already scanned the file.

Message Analyzer has Released – A New Beginning and Message Analyzer: Why so different from Network Monitor? - MessageAnalyzer Blog - Final release now public for Microsoft’s network capture analysis tool. I’m not sure it will replace Wireshark, but the approach is a step up from their older Network Monitor capture tool and is at the very minimum a great supplemental network capture tool for packet analysis.

Plugin Activation in Firefox - Mozilla Add-ons Blog - basically in a future version of Firefox, all plugins (except Flash) will become “click-to-activate”. This may or may not be a great thing depending on your security versus convenience perspective.

Wendel's Small Hacking Tricks - Killing Processes from the Microsoft Windows Command Line interface - SpiderLabs Anterior - I’m always looking to find a way to do something without a third-party tool so this is handy information to be familiar with.

Universal USB Installer (also YUMI) USB Flash drive does not boot on EeePC - RMPrepUSB, Easy2Boot and USB booting... blog - This is a pretty esoteric technical post for most folks, however if you are into USB-based system booting, it is interesting.

When setting up Windows 8.1, Microsoft appears to do all it can to shove you to create/use an on-line Microsoft account rather than a local one.  For some folks that might be fine but others (particularly the old-school crowd) will find this process similar to a cattle chute. If you are a thinking cow, it probably isn’t a very pleasant experience. Fortunately, there seem to be a number of outs if you know the game ahead of time.

Group Policy Search Engine Gets Updated - Group Policy Central blog - From that post by Alan Burchill:

“The Group Policy Search Engine is a great web site that has all the different versions of Microsoft Group Policy ADMX files and allows you to easily and quickly search for the policy setting. This site is one I use very frequently, and it is a must-have bookmark for any Group Policy Administrator.

“Well, Stephanus from Microsoft who maintains the web site has just loaded the Windows 8.1 and Windows Server 2012 R2 policy settings, meaning you can now look up all the new policy settings in the latest version of Windows.“

Group Policy Search - site homepage.

Google Static Map Maker: Static Maps on Steroids - noupe - Nice tool to create linkable custom static Google maps rather than using a screen-shot image or an embedded and modifiable one.

Google Static Map Maker - site homepage by Katy Decorah.


--Claus Valca

Saturday, September 28, 2013

More iOS 7 tips and notes

I still haven’t upgraded my iPhone 5 to iOS 7 yet.  So far I have 5 apps that I cannot update as they require iOS 7 to load. None of them are critical.

Neither of the girls in the Valca home have their iPhone 4 units on iOS 7 either.  Alvis did upgrade her iPad to iOS 7 without any drama and her beau just got his new iPhone 5s the other day. It’s kicking fast.

My bro just successfully upgraded his iPhone 5 to iOS 7 today and had no issues so I think I will get him to give me a tour and play on it a bit since we have the same model.

I had planned to do the upgrade this weekend, as I expected some patches to come out in the period after the first release, and that has turned out to be true (the current version at post time is iOS 7.0.2).

But now I am reading rumors that an iOS 7.1 build might come out in a few more weeks, so I think I will try to hold off the upgrade just a bit longer, especially since once you upgrade you can’t roll back to iOS 6: Apple is no longer signing the iOS 6 firmware.

So here is a collection of iOS 7 linkage I have grabbed so I can continue to review and pre-study, and then refer back to once I do the jump for some possible tweakage.

Downgrading from iOS 7 to iOS 6: Why Apple won’t let you - ExtremeTech

iOS 7, thoroughly reviewed -Ars Technica

Linkpost | 9.18.2013 -’s TechBlog  - chock full of iPhone 5s/5c news and links!

Death to textures: iOS 6 and iOS 7 compared in pictures -Ars Technica

iOS 7 Review: Pretty Is as Pretty Does - Gizmodo

All The Apps Optimized for iOS 7 - Lifehacker

iOS 7 vs. iOS 6: A Look At The Major Interface Changes - Addictive Tips

iOS 7's Biggest Annoyances (and How to Fix Them) - Lifehacker

New lease on life or death sentence? iOS 7 on the iPhone 4 - Ars Technica

Upgraded to iOS 7? 5 Shiny New Things To Check Out Right Away - MakeUseOf

How to turn off iOS 7 frequent location tracking and increase your privacy - iMore

iOS 7 Smart Multitasking & Background App Refresh Explained - Addictive Tips

Everything You Need to Know About the iOS 7 Upgrade - Kinja

Linkpost | 9.19.2012 -’s TechBlog

Eight things to love about iOS 7 [Updated] -’s TechBlog

Here’s how to prepare for iOS 7 -’s TechBlog

Before and after: The best iOS 7 app redesigns (Updating) - The Next Web

How to access list view in the Calendars app on your iPhone or iPad running iOS 7 - iMore

Lesser Known New Features & Changes In iOS 7 - Addictive Tips

How to disable Control Center access on the iOS 7 Lock screen - iMore

How to delete individual iMessages and texts in iOS 7 - iMore

iOS 7 lock screen bypass flaw discovered, and how to fix it - ZDNet

iPhone 5s Teardown - iFixit

Apple iOS 7 Uses New Multi-path TCP Protocol Extension - Daniel Miessler

Top 10 Secret Features of iOS 7 - Lifehacker

How to bring the bold fonts back to iOS 7 - iMore

iOS 7.0.2 now available, fixes Lock screen passcode bypass - iMore

Apple releases iOS 7.0.2 with fix for Lock screen passcode bypass flaw - 9to5Mac

iOS 7.0.1, iOS 7.0.2, and iOS 7.1 already seeing widespread testing inside Apple - 9to5Mac


--Claus Valca

Saturday, September 14, 2013

PowerShell for ForSec & Incident Response: A Brief Musing

I am a PowerShell noobie and know beyond next to nothing on PowerShell usage.

Not that I’m not trying to get up to speed. 

However it’s a slow climb up that learning mountain with my time being so tight at the moment.

In typical fashion, that hasn’t stopped my brain from chewing on the potential applications for PowerShell once I get more accomplished.

It struck me last week that PowerShell might be a useful tool (in some circumstances with knowledge aforethought of the impact using PowerShell on that system might have) for ForSec and Incident Response efforts. Having the “power” of PowerShell at our disposal once our enterprise goes Win7 on the desktops might allow expanded options where some third-party tools might be a challenge deploying.

So I hit the Google and here is what I found that looked worthy of investigation and additional reading and study.

Note: there were a number of additional websites I found that seemed -- in title at least -- to be applicable. However, I chose not to include them at this time, as they seemed pretty new and the material on them (for now) didn’t seem to be that useful. If they mature and grow, then I will add them in at a later time.

Live Response Using PowerShell - PDF link - SANS Institute Reading Room paper written by Sajeev Nair - August 2013.

Incident Management with PowerShell - video ~45 min - YouTube - Presentation by Matt Johnson & J. Wolfgang Goerlich of MWJ Computing - March 2013

The Power of PowerShell Remoting - SANS Computer Forensics and Incident Response blog - Mike Pilkington

Weekend Scripter: Using PowerShell to Aid in Security Forensics - Hey, Scripting Guy! Blog - Will Steele guest blogger

Use PowerShell to Aid in Security Forensics - Hey, Scripting Guy! Blog

toolsmith: Security Investigations with PowerShell - HolisticInfoSec blog post by Russ McRee

How to find running processes and their port number - Shay Levy - (added to post 09/15/2013) - Embedded in Russ McRee’s post above was a quick reference to this post which has some juicy material for you network guys.

Script Get-NetworkStatistics - netstat -ano with filtering - (added to post 09/15/2013) - Embedded in the comments of Shay Levy’s post was a link to this one as well offered by rambling cookie monster. Whew!
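The two posts above both come down to the same triage question: which process owns which socket? The following is an added example written for this post; it is not Shay Levy’s code and not the Get-NetworkStatistics script. It parses the output of netstat -ano and joins each row to its owning process through Get-Process, with filters for listening sockets, a local port, or a process name. It assumes a Windows host with netstat.exe on the path and, to see other users’ processes, an elevated prompt.

```powershell
# Added example; this is not Shay Levy's code nor the Get-NetworkStatistics script.
# Parse "netstat -ano" and join every socket to its owning process via Get-Process.
# Assumes a Windows host with netstat.exe on the path and an elevated prompt for
# sockets owned by other users' processes.
function Get-PortOwner {
    [CmdletBinding()]
    param(
        [switch]$ListeningOnly,   # keep only TCP sockets in the LISTENING state
        [int]$LocalPort,          # keep only sockets bound to this local port
        [string]$ProcessName      # keep only sockets owned by this process name
    )

    # Snapshot the process table once instead of calling Get-Process per socket.
    $procById = @{}
    Get-Process | ForEach-Object { $procById[[int]$_.Id] = $_ }

    # netstat -ano rows: Proto  LocalAddress  ForeignAddress  [State]  PID
    # UDP rows have no State column, so the PID is read from the end of the row.
    netstat -ano | ForEach-Object {
        $fields = $_.Trim() -split '\s+'
        if ($fields[0] -notmatch '^(TCP|UDP)$') { return }   # header / blank lines

        $ownerPid  = [int]$fields[-1]
        $sockState = if ($fields[0] -eq 'TCP') { $fields[-2] } else { '' }
        $local     = $fields[1]
        # The port is the text after the last colon; this also handles IPv6 "[::]:135".
        $port      = [int]($local -replace '^.*:', '')
        $proc      = $procById[$ownerPid]
        $name      = if ($proc) { $proc.ProcessName } else { '<unknown>' }

        if ($ListeningOnly -and $sockState -ne 'LISTENING') { return }
        if ($LocalPort -and $port -ne $LocalPort)           { return }
        if ($ProcessName -and $name -ne $ProcessName)       { return }

        # Path can be unreadable for protected/system processes; report it as empty.
        $path = try { if ($proc) { $proc.Path } } catch { $null }

        New-Object PSObject -Property @{
            Proto       = $fields[0]
            LocalAddr   = $local
            LocalPort   = $port
            RemoteAddr  = $fields[2]
            State       = $sockState
            PID         = $ownerPid
            ProcessName = $name
            Path        = $path
        }
    }
}

# Usage: everything listening with its owner, then whoever holds SMB (445),
# then every socket owned by svchost.
Get-PortOwner -ListeningOnly | Sort-Object Proto, LocalPort |
    Format-Table Proto, LocalAddr, State, PID, ProcessName, Path -AutoSize
Get-PortOwner -LocalPort 445
Get-PortOwner -ProcessName svchost | Format-Table -AutoSize
```

The Path column is the part worth a second look on a live system: a process name that looks familiar but whose image lives somewhere other than the expected system directory is a classic lead. Because netstat is run once and the process table is snapshotted once, the two can drift by a few milliseconds; a PID with no matching process simply shows as unknown.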

The rambling cookie monster’s site is darn sharp and has these tasty crumbs we can pick up and enjoy:

Tools to Grab Locked Files - Journey Into Incident Response - Corey Harrell - Post mentions “Invoke-NinjaCopy” which is a PowerShell script. More detailed info here: Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks - clymb3r

Powershell: Forensic Onliners - ldap389 blog. (added to post 09/15/2013) The post itself is great, but there is a reference to other PowerShell material near the top that you might overlook. Hit the whitepaper link below and browse to the section.

You can find a cool one-liner that retrieves the events of the Account Logon category in this Windows Logon Forensics whitepaper (chapter 6.4, Querying Events). The one-liner fetches the following events which occurred during the past five days:

  • A Kerberos authentication ticket (TGT) was requested.
  • The computer attempted to validate the credentials for an account.
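As an added example (not the ldap389 one-liner and not the whitepaper’s), here is the same query written out as a function that also pulls the account name and source out of each event’s XML payload. It assumes a Vista/2008 or newer host, an elevated session (reading the Security log needs admin rights), and the two Account Logon event IDs: 4768 for a Kerberos TGT request and 4776 for credential validation by the computer.

```powershell
# Added example; not the ldap389 or whitepaper one-liner. Retrieves the Account
# Logon events of the past N days from the Security log and extracts the account
# and source from each event's XML. Assumes Vista/2008 or newer, an elevated
# session, and event IDs 4768 (Kerberos TGT requested) / 4776 (credential validation).
function Get-AccountLogonEvents {
    param(
        [int]$Days = 5,
        [string]$ComputerName   # optional remote host; omit to query the local log
    )

    $query = @{
        FilterHashtable = @{
            LogName   = 'Security'
            Id        = 4768, 4776
            StartTime = (Get-Date).AddDays(-$Days)
        }
        ErrorAction = 'SilentlyContinue'   # "no events found" is an error to Get-WinEvent
    }
    if ($ComputerName) { $query['ComputerName'] = $ComputerName }

    Get-WinEvent @query | ForEach-Object {
        # Event fields live under <EventData><Data Name="...">. TargetUserName is
        # common to both IDs; the source is IpAddress for 4768, Workstation for 4776.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($_.Id -eq 4768) {
            $type   = 'Kerberos TGT requested'
            $source = $data['IpAddress']
        } else {
            $type   = 'Credential validation'
            $source = $data['Workstation']
        }

        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Type        = $type
            Account     = $data['TargetUserName']
            Source      = $source
            Status      = $data['Status']   # 0x0 is success; other codes are failures
        }
    }
}

# Usage: the past five days in time order, then a count per account.
$events = @(Get-AccountLogonEvents -Days 5)
$events | Sort-Object TimeCreated |
    Format-Table TimeCreated, Type, Account, Source, Status -AutoSize
$events | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run against a domain controller (with -ComputerName) the same function covers every domain account; run locally it shows only what that one machine validated. Grouping by account and looking at the Status column is the quick way to spot a burst of failed validations for one account.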

Live forensics: prefetch and powershell - 8bits blog

Parsing Windows Eventlogs in Powershell - ISC Diary

PoshSec (PowerShell Security) - GitHub - (added to post 09/15/2013) - added after great comment tip from J Wolfgang Goerlich.

  • PoshSec Main Repository - GitHub - PoshSec Wiki - per that page:

    Current Release Features

    This initial project release was based on SANS CSIS 20 Controls to assist an organization securing itself against digital attacks. The purpose of this release is to "baseline" an environment given the stated controls in the CSIS. The release is focused on the following controls:

    • Account Monitoring
    • Inventory of Authorized and Unauthorized Devices
    • Network Baseline

    Account Monitoring

    • accounts that do not expire
    • accounts that expire
    • list all accounts
    • disabled accounts
    • locked out accounts
    • passwords over expired date
    • disabled account access

    Inventory of Authorized and Unauthorized Devices

    • DNS Logging Status
    • Inventory

    Network Baseline

    • open ports


    This project, started by Will Steele (@pen_test) and Matt Johnson (@mwjcomputing), has several goals:

    • Publish a PowerShell module to aid people in the use of PowerShell in regards to security.
    • Provide some guidance on how to use PowerShell in the information security space, on both the offensive and defensive side with blog posts and articles.
    • Be a location to obtain links to others using PowerShell in the information security space.
  • Getting Started with PoshSec - PoshSec Wiki.
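To make the “Account Monitoring” list above concrete, here is an added example of an Active Directory account baseline that answers those items. It is not PoshSec’s own code; it assumes the RSAT ActiveDirectory module (Windows 7 / 2008 R2 or newer) and read access to the domain, and the mapping of each list item to an AD attribute is this example’s interpretation, noted inline.

```powershell
# Added example, not PoshSec's own code: an Active Directory account baseline for
# the "Account Monitoring" items listed above. Assumes the RSAT ActiveDirectory
# module and read access to the domain; the attribute chosen for each item is
# this example's interpretation.
Import-Module ActiveDirectory

function Get-AccountBaseline {
    param(
        [string]$SearchBase,          # optional OU distinguished name to scope the query
        [int]$RecentLogonDays = 30    # window for the "disabled but recently used" check
    )

    $props = 'Enabled', 'LockedOut', 'PasswordNeverExpires', 'PasswordExpired',
             'AccountExpirationDate', 'PasswordLastSet', 'LastLogonDate'
    $query = @{ Filter = '*'; Properties = $props }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    $users  = @(Get-ADUser @query)
    $now    = Get-Date
    $recent = $now.AddDays(-$RecentLogonDays)

    New-Object PSObject -Property @{
        All                  = $users
        # "accounts that do not expire": no account expiration date set
        NeverExpire          = @($users | Where-Object { -not $_.AccountExpirationDate })
        # "accounts that expire": an expiration date is set, reached or not
        Expire               = @($users | Where-Object { $_.AccountExpirationDate })
        Disabled             = @($users | Where-Object { -not $_.Enabled })
        LockedOut            = @($users | Where-Object { $_.LockedOut })
        # "passwords over expired date": domain policy says the password has expired
        PasswordExpired      = @($users | Where-Object { $_.PasswordExpired })
        # not in the list, but the usual companion finding
        PasswordNeverExpires = @($users | Where-Object { $_.PasswordNeverExpires })
        # "disabled account access" (interpretation): disabled accounts with a recent
        # LastLogonDate. That attribute replicates only loosely, so treat a hit as a
        # lead to confirm against the Security log, not as proof.
        DisabledRecentLogon  = @($users | Where-Object { (-not $_.Enabled) -and $_.LastLogonDate -and ($_.LastLogonDate -gt $recent) })
    }
}

function Show-AccountBaseline {
    param($Baseline)
    # One row per check with its count, so successive runs can be compared.
    foreach ($name in 'All', 'NeverExpire', 'Expire', 'Disabled', 'LockedOut',
                      'PasswordExpired', 'PasswordNeverExpires', 'DisabledRecentLogon') {
        New-Object PSObject -Property @{ Check = $name; Count = @($Baseline.$name).Count }
    }
}

# Usage: baseline the domain, show the counts, then list the accounts behind one finding.
$baseline = Get-AccountBaseline
Show-AccountBaseline $baseline | Format-Table Check, Count -AutoSize
$baseline.PasswordNeverExpires | Select-Object SamAccountName, PasswordLastSet, LastLogonDate
```

Saving the count table from each run (Export-Csv with a date in the file name) is what turns this from a one-off report into a baseline: the interesting events are the deltas, such as a new account with a password that never expires or a disabled account that suddenly shows a fresh logon date.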

Digital Forensic Case Leads : Flame On! The most sophisticated malware since...the last one, Higher Ed data breach and PowerShell forensics - SANS Computer Forensics and Incident Response blog - (added to post 09/15/2013) - buried near the bottom are these PS gems under the “Good Reads” section:

I suspect that just because there isn’t that much material in this area (yet) doesn’t mean that PowerShell isn’t a worthwhile supplemental tool in these areas. PowerShell is primarily used for system administration tools and tasks, but I bet that with time and development, some clever out-of-the-box thinkers can expand on how it can be leveraged, particularly if it involves collecting and parsing out registry, activity log, and file-system data remotely from live systems.

As the Hey, Scripting Guy! Ed Wilson posted in one of the aforementioned links:

RM, the key thing to remember, whether you are doing security forensics, Exchange Server administration, Office automation, or anything between, is that Windows PowerShell is Windows PowerShell is Windows PowerShell. This means that all of the Windows PowerShell best practices still apply. One of those Windows PowerShell best practices is to preserve the object. The object-oriented nature of Windows PowerShell is one of the revolutionary features of the language, and it is a major contributor to its ease-of-use.

Note: When doing any type of computer forensics, a major principle is to avoid making any changes to the system. Therefore, as a crucial first step, you should use a tool such as the Windows Sysinternals utility tool, Disk2vhd, so you can be assured of not changing things like file access times on the original system.

Therefore, in keeping with the object-oriented nature of Windows PowerShell, you want to use techniques that preserve the object for as long as possible.

So my question is this, do any of the ForSec/Incident Response readers of this blog know of any other recommended resources that would be useful to me and others in using PowerShell in these applications?

If you do, please drop a tip/recommendation or even a “sanitized to protect the guilty” case-study example in the comments.


--Claus V.

GSD Saturday Linkfest: IT Crowd and ForSec Folks welcome

News and Links For the ForSec Crowd

Kali Linux 1.0.5 and Software Defined Radio - Kali Linux - new build released with updates and some bells-and-whistles to boot!

Windows 8 / Server 2012 Memory Forensics - Forensic Methods

Inside Windows Rootkits - Forensic Methods

Links - Windows Incident Response blog - Lots of great fresh material here!

Forensic Perspective - Windows Incident Response blog

Tools to Grab Locked Files - Journey Into Incident Response blog - Corey Harrell has a simply amazing post full of tremendous resources worth a look for grabbing locked files.

DOWNLOAD: Microsoft Security Intelligence Report, Volume 14 Windows Application & PDF - Kurt Shintaku's Blog - This is too good to pass up! From Kurt’s post:

The Microsoft Security Intelligence Report Windows application analyzes the threat landscape of exploits, vulnerabilities, and malware using the latest data from hundreds of millions of systems around the world and some of the Internet’s busiest online services.

Readers will find the data, insights, and guidance provided in this report useful in helping them protect their organizations, software, and users.  

Key features of the application include:

  • All content, in one convenient place – includes all 800+ pages of content from Volume 14 of our latest report and is fully searchable.
  • High fidelity charts – Many customers have asked us if they can obtain high resolution versions of the charts. We’ve delivered that in the application and have even included the “save as” functionality so that customers may use them in other applications, such as PowerPoint.
  • Reader friendly – We’ve designed the application with you, the reader in mind. One example of this is the integration of our glossary into the body of a page which appear as mouse-over tool-tips.

Security Intelligence Report (SIR) vol.14 (Windows Application) - The installable application has 800+ pages of content while the PDF version checks in at 120 pages. Pick your medicine and pucker up.

Other useful Microsoft security and threat response links:

Microsoft Security Essentials Prerelease - Microsoft Download Center - new pre-release version for interested users of MSSE. Released on 09.09.13 so it is very fresh.

(IN)SECURE Magazine issue 39 released - HelpNet Security - Download directly here (PDF link).

News and Links For the IT Crowd

I enjoy the technical and scientific articles I get in my RSS feeds from the IEEE Spectrum website. It has great material and is terribly technical. Some sadly interesting IT news I’ve seen over there recently concerns state IT departments.

A new find this week has been the Microsoft Office Configuration Analyzer Tool:

The Microsoft Office Configuration Analyzer Tool (OffCAT) is a program that provides a detailed report of your installed Office programs. This report includes many parameters about your Office program configuration and highlights known problems found when OffCAT scans your computer. For any problems that are listed in the report, you are provided with a link to a public-facing article (usually a Microsoft Knowledge Base article) on the issue so you can read about possible fixes for the problem. If you are a Help Desk professional, you can also save the report to file so that the report can be viewed in the Office Configuration Analyzer Tool on another client where the tool is installed. The Office Configuration Analyzer Tool 1.1 also includes a command-line version that can be used to collect an OffCAT scan without user intervention.

I’ve been playing with it for a while and am amazed at the depth of information and assistance it provides, particularly for many very obscure items.

Spotted over at this 4sysops post FREE: Microsoft OffCAT – Office Configuration Analyzer Tool 1.1

MBSA 2.3 Preview Release Available - Anything about IT - News about a new preview release version of Microsoft Baseline Security Analyzer (note link is to public version 2.2) that supports MS OS’s between XP and Windows 8.1

Windows 8.1 Command Prompt or PowerShell - Anything about IT

PowerShell 4.0 – A first look - 4sysops

How to Know When an Object Was Created and Changed in Active Directory -

When was the Last Password Changed for a User Account in Active Directory -

Office 365 for Nonprofits Organizations - Microsoft recently announced that they are offering Office 365 for non-profits (including eligible churches). This could be a big deal for many; learn more here.

SysInternals Tools, Windows 8 Training - Microsoft Virtual Academy - Seven video training modules and supporting materials to assist with learning the latest in core SysInternals tools. Check it out! Hat tip to Kurt Shintaku.

Kyle Beckman has posted a great series about Folder Redirection over at 4sysops that I (re)discovered. Lots of good information and tips here.

Create a new Windows Service

Moon Point Support Weblog had a helpful post: Creating a Service for a Windows System

It caught my eye as we are working with a system down in the coal-mines that requires running the core features as applications rather than services which makes security and log-in/account management more than a little bit challenging. Alas, this won’t solve those headaches but it is worth bookmarking and knowing.

How To Create a User-Defined Service - Microsoft Support

How to create a Windows service by using Sc.exe - Microsoft Support

NSSM - the Non-Sucking Service Manager

Virtualization Software Updates

Download VMware Player 6.0 - VMware

VMware woos power users and IT pros with Fusion and Workstation upgrades - Ars Technica

VMware Player 6 Released with Full Windows 8.1 Support - Next of Windows

Oracle VM VirtualBox - Version 4.2.18 released - Oracle

General Application and Utility Updates of Note

UltraVNC VNC - version release 1.1.93 now out.

PeStudio - version release 7.45 now out.

Speccy v1.23 - Piriform - new release.

HWiNFO Portable - version 4.24-2000 - in what begs another GSD LinkList post, HWiNFO is yet another system hardware info-gathering resource I’ve been playing with. I’ve got more than a few I call up from the bullpen and this one has been added to the pitching stable.

IOBit Driver Booster Free - I confess I was very skeptical when I saw this new application appear. I have a few trusted driver apps to catalog and/or back up existing drivers on a system, and some vendor-specific driver update scanning applications used to update my systems. However, I have generally disdained apps that claim to scan for driver updates on Windows systems and tell me what I need. Driver updating can be a dangerous and system-harmful thing if the wrong one is applied. So when I tried this application with trepidation, I found the UI was super clean and easy to navigate, the scan was immediate and dead-on fast, it seemed very accurate (finding only one out-of-date driver), it provides a detailed and comprehensive list of drivers checked and their status, and it creates a Restore Point before every driver update is installed. It’s so easy I’d recommend it to the non-techy friends and family I support. Great job IOBit! I’ll be running this one weekly!

SoftPerfect Network Scanner - updated to version 5.5. See Changelog for details.

Wireshark - updated to Stable version 1.10.2 and Old Stable version 1.8.10.

For you crazy WinPE building fans who use WinBuilder, a new version has been released that is much different from the previous version you may be familiar with. At the time of this blog-posting, the site seems to be temporarily down, but here were the applicable links you need to check out. I suspect fans of WinBuilder will fall one one side of the fence or the other; love it or hate it. Particularly with the Java building components.

lessmsi (aka Less Msiérables) · ActiveScott at GitHub - now at version 1.1.3. The download link is a bit hard to find on the page if you aren’t used to GitHub. Look for “1 release" at the top bar just above the purple band and click it to find the compiled binaries in

d7 v10 Just Released! - Computer Technician - Foolish IT LLC - the updated change list is too expansive for me to try to list here. Check it out.

SoundVolumeView - new NirSoft utility - View/change sound levels & save/load sound level profiles on Windows Vista/7/8/2008 - More details in this NirSoft blog post.

Whew!  That post tired me out…or maybe it was the A&M/Alabama game live-streaming on my second monitor.

--Claus Valca

Find that File (on a Windows system) - LinkList

Here is a list of some free fast-file-finder alternatives.

I did a similar one a long time ago but seems time for an update.

  • SwiftSearch - Just tried this little gem and it truly is rocking fast. Seriously fast. Like make-a-movie-about-the-need-for-speed fast. In fact, finding this one led me to feel obligated to make this whole post. Spotted via this post FAST! Windows NTFS file search utility - SwiftSearch from Steve Si (of RMPrepUSB/Easy2Boot fame).
  • SearchMyFiles - NirSoft -This is my go-to for searching up files on my personal Windows systems.
  • SMF – Search my Files - The complementary application I use alongside SearchMyFiles. Please don’t be confused by the similar names. It has some additional power-lifting features I find useful.
  • UltraSearch - JamSoftware - Nice and Neat little application.
  • Ultra File Search - another great little application.
  • Locate32 - regularly updated and uses an indexing database to help with finding.
  • Everything Search Engine - VoidTools - Another index-based file searching tool.
  • eXpress FreshFiles Finder (XFFF) - Irins - kind of a niche app but I absolutely love it for what it does. It has helped me wonderfully as a sysadmin.
  • Agent Ransack - MythicSoft - “Lite” version that supports Boolean expressions and Perl regex expressions. Comes (like some of the other apps here) in x32 and x64 supported versions.
  • MasterSeeker - another clever little file find utility. See this nice review by AddictiveTips for some of the extra features it has: MasterSeeker Is A Search Tool For Windows With Filters & Regex Support

--Claus V.

iOS 7 - Coming to something near you soon

I hesitated to post this linkfest on iOS 7.

Some of the links are old and some are geeky, and not everybody who stops by GSD even has an iPhone/iPad/iWhatever device…and probably couldn’t care less.

So please indulge me with the link-dump on iOS 7.  No gushing (yet) shall occur.

I’m personally going to hold off dumping it on my iPhone 5 device for a few weeks until the blog-0-sphere settles down and the dust (and commenting/review/feedback) has been kicked up and spread around.

So this is for reference purposes only.

(And so I can figure out what to do when all the users I support at work with enterprise-issued iPhone 4S devices manually upgrade their devices and then tell me they don’t know how to work them in the new iOS version on Sept 19th.)

Fresh linkage I had saved on iOS 7 (& new iPhone model) news

Older linkage I had saved on iOS 7 news


--Claus Valca

What an MS Update Cycle This Month + others as well


Is it just me? Or has this been a super-challenging MS Update cycle this time ‘round?

At home on our Windows 7/8 systems I must have gone through the scan for updates, install updates, reboot, re-scan for updates, install more updates, reboot, re-scan for updates, install final round of updates cycle a few more times than I can previously recall.

Lots and lots of updates (though that may be partially my fault for leaving Office 2007 on when I installed Office 2010). I do that for trouble-shooting support, as not all my peeps are on the same version of Office that I would like them to be on.

And at work on our XP systems, for some reason we got bit with the MS bug where we successfully install KB2760411 and KB2760588 but after reboot, Windows Update says they still need to be installed! Wow.

Here is more linkage than you need regarding Microsoft and third-party app updating this month.

First Up: Microsoft Patching Information

Microsoft fixes bad patch detection - ZDNet Zero Day blog

Why all the errors in Microsoft updates lately? - ZDNet Zero Day blog

Update for Outlook 2013 breaks folder pane - ZDNet Zero Day blog

Microsoft botches still more patches in latest Automatic Update - Microsoft windows - InfoWorld

Outlook 2013 Folder Pane Disappears After Installing September 2013 Public Update - Office Sustained Engineering - TechNet Blogs

I’ve actually been holding off running my monthly WSUS Offline Update build until word comes out that these have been resolved.

Microsoft Patch Tuesday, September 2013 - SpiderLabs Anterior - Amusing and helpful patch summary

Lovely tokens and the September 2013 security updates - MSRC blog - details with pretty graphs

Assessing risk for the September 2013 security update - Security Research & Defense blog

Microsoft September 2013 Black Tuesday Overview - ISC Diary post

Next in Line: Adobe (Flash, Shockwave, Air)

Adobe September 2013 Black Tuesday Overview - ISC Diary post

Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader - ZDNet Zero Day blog

Adobe, Microsoft Push Critical Security Fixes - Krebs on Security

Chrome Releases: Flash Player Update - Chrome Releases blog

On the Tail End: Oracle’s Java

It's about time: Java update includes tool for blocking drive-by exploits - The Register

Oracle Updates Java - Threatpost

Oracle finally adds whitelisting capabilities to Java - Computerworld

Security of Java takes a dangerous turn for the worse, experts say - Ars Technica

New features aim to shore up Java’s flagging security - Ars Technica

Go Get ‘Em Cowboy!

Hopefully your system is already set to download and process your Microsoft Updates. If not, stop, drop, and roll and get them on now manually if you must.

Adobe Flash may auto-update or not, depending on your installation and settings. I've never seen Air or Shockwave self-update.

Java might offer the update to you…or not.

If in doubt, you should be able to find direct downloads here.

Finally, if you have any doubt at all regarding your update level for these particular applications try one of these options; or even better, run both.

They are really nice and pretty and are often overlooked…like the proverbial girl next door.

However they will hold your hand just as warmly and the kisses are just as sweet!

Stay patched, my friends.


--Claus Valca

iPhone Traffic - ZAP’ed, Security, and Network Tap Tap Tapping

This week brought in a very interesting post from web security/developer Troy Hunt.

Unearthing the hidden shortcomings in Aussie mobile app security - Troy Hunt’s blog

Please go read then come back.

Interesting isn’t it?

I know most GSD readers probably wouldn’t be surprised to find some of their favorite mobile-apps leak user ids and passwords in plain-text, but for those who don’t know, some do.

Case in point (that has now been reported as fixed!):  Zscaler Research: Mobile App Wall of Shame: ESPN ScoreCenter

Naturally that got me thinking about common mantras in the ForSec world: “know your tools” & “verify, verify, verify”.

What I want to do is some benchmarking and analysis of the mobile apps I use on my own iPhone to have a better understanding of what is happening with their network traffic. This would be valuable information to know for general usage, and critical knowledge in case you unknowingly encounter a Wi-Fi Pineapple in the wild or a more complex man-in-the-middle Wi-Fi attack and get your network traffic captured.

One super-easy (and lazy) way I have found is to use ZAP - Zscaler Application Profiler.  From the “About” page link:

About ZAP

Zscaler Application Profiler (ZAP) is a web-based tool designed to streamline the capture and analysis of HTTP(S) traffic from mobile applications. ZAP is capable of analyzing traffic from both iOS and Android applications and includes the following functionality:

  • Search: View summarized historical results for past scans.
  • Scan: Proxy traffic from a mobile device through the ZAP proxy and the mobile app traffic will be automatically captured and analyzed.
  • iPCU: Upload your iOS device configuration file (.deviceinfo) to check the risk score of installed applications. It will give you an overall risk score for your device. The information provided is based on our knowledge base.

ZAP classifies traffic into the following buckets and calculates an overall risk score for the application:

  • Authentication: Username/password sent in clear text or using weak encoding methods.
  • Device Metadata Leakage: Data that can identify an individual device, such as the Unique Device Identifier (UDID).
  • Personally Identifiable Information Leakage: Data that can identify an individual user, such as an email address, phone number or mailing address.
  • Exposed content: Communication with third parties such as advertising or analytics sites.

Zscaler also has a detailed video on this service on their blog: Zscaler Research: Introducing ZAP.

So you can either check their historical report data on apps already researched, connect your device to their proxy to do a scan on a new app/version not already captured historically, or even upload your own iOS device config file.

Wow.  Bookmark this resource link now!

However, there may be cases you want to do your own local network traffic capture and analysis…because you like pain and frustration (and hands-on learning perhaps).
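If you do capture your own traffic (proxy log, tap, or a Wireshark “Follow TCP Stream”), the four ZAP buckets above are easy enough to apply yourself. The script below is an added example, not Zscaler’s code and not from this post: it parses raw HTTP/1.1 requests, flags clear-text or base64-only credentials (including a session cookie sent over plain HTTP), UDID-shaped values, e-mail addresses and phone numbers, and any host outside the app’s own domain, then rolls the buckets up into a risk score. The sample requests, host names (example-app.com, example-analytics.net), user values and bucket weights are all constructed for illustration; it assumes HTTPS bodies are readable only where the proxy’s CA is trusted by the device.

```python
"""Classify captured mobile-app HTTP requests into the four ZAP-style buckets.
Added example, not Zscaler's or this blog's code. Assumes captures come from a
proxy or tap you control (HTTPS bodies are readable only if the proxy's CA is
trusted by the device); hosts, values and bucket weights are made up."""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

PASSWORD_KEYS = {"password", "passwd", "pwd", "pass", "pin"}  # password-like params
UDID_RE = re.compile(r"\b[0-9a-f]{40}\b")            # iOS UDID: 40 hex characters
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")

AUTH, DEVICE, PII, EXPOSED = ("Authentication", "Device Metadata Leakage",
                              "Personally Identifiable Information Leakage",
                              "Exposed content")
WEIGHTS = {AUTH: 40, DEVICE: 20, PII: 20, EXPOSED: 10}  # assumed, for illustration

# Constructed sample traffic: (scheme, raw request) as a proxy log or Wireshark's
# "Follow TCP Stream" would show it. Nothing here is a real capture.
SAMPLE_CAPTURES = [
    ("http", "POST /api/login HTTP/1.1\r\nHost: api.example-app.com\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=jane.doe%40example.org&password=Hunter2"),
    ("http", "GET /track?udid=0123456789abcdef0123456789abcdef01234567&ev=open"
             " HTTP/1.1\r\nHost: metrics.example-analytics.net\r\n"
             "Cookie: session=abc123\r\n\r\n"),
    ("https", "GET /feed HTTP/1.1\r\nHost: api.example-app.com\r\n"
              "Authorization: Basic amFuZTpIdW50ZXIy\r\n\r\n"),
    ("https", "GET /feed HTTP/1.1\r\nHost: api.example-app.com\r\n"
              "Cookie: session=abc123\r\n\r\n"),
]


@dataclass(frozen=True)
class Finding:
    bucket: str
    detail: str


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def analyze_request(scheme, raw, first_party):
    """Return the list of Findings for one captured request."""
    _method, target, headers, body = parse_request(raw)
    host = headers.get("host", "")
    findings = []
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    # Everything a passive observer could read, with URL-encoding removed.
    visible = " ".join([target, body] + [f"{k}: {v}" for k, v in headers.items()]
                       + [v for _, v in params])

    # Authentication: secrets in clear text, or "protected" only by base64.
    if scheme == "http":
        for key, _ in params:
            if key.lower() in PASSWORD_KEYS:
                findings.append(Finding(AUTH, f"'{key}' parameter in clear text to {host}"))
        if "cookie" in headers:
            findings.append(Finding(AUTH, f"session cookie in clear text to {host}"))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode("utf-8", "replace").split(":", 1)[0]
        except ValueError:
            user = "?"
        findings.append(Finding(AUTH, f"HTTP Basic (base64 only) credentials for '{user}' to {host}"))

    # Device metadata: anything shaped like an iOS UDID.
    for udid in sorted(set(UDID_RE.findall(visible))):
        findings.append(Finding(DEVICE, f"UDID {udid[:8]}... sent to {host}"))

    # PII: e-mail addresses and phone numbers in the readable text.
    for pii in sorted(set(EMAIL_RE.findall(visible)) | set(PHONE_RE.findall(visible))):
        findings.append(Finding(PII, f"{pii} sent to {host}"))

    # Exposed content: any host outside the app's own domain (ads, analytics).
    if host and not is_first_party(host, first_party):
        findings.append(Finding(EXPOSED, f"third-party host {host}"))
    return findings


def analyze_app(captures, first_party):
    """Classify all captures and compute a 0-100 risk score from the assumed weights."""
    findings = [f for scheme, raw in captures for f in analyze_request(scheme, raw, first_party)]
    buckets = sorted({f.bucket for f in findings})
    return {"findings": findings, "buckets": buckets,
            "score": min(100, sum(WEIGHTS[b] for b in buckets))}


if __name__ == "__main__":
    report = analyze_app(SAMPLE_CAPTURES, "example-app.com")
    for finding in report["findings"]:
        print(f"[{finding.bucket}] {finding.detail}")
    print("risk score:", report["score"])
```

Run it as-is to see the sample report; for your own traffic, replace SAMPLE_CAPTURES with the requests you captured and pass the app vendor’s domain as the first-party name. The cookie-over-HTTP check is the same leakage class that Cookie Cadger hunts for; the weights are deliberately simple so you can tune them to what matters to you.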

Part I - In Which Hardware TAP Options are narrowed down

At work (when & where authorized) we can set up network packet captures either on a specific system or on the LAN using port-SPAN.

At home, I don’t have a managed switch (or dumb hub) that can do that.  I suppose I could buy a USB-NIC (so I can have two wired network ports on my laptop) and then capture traffic temporarily through one of these messy devices (home-built or purchased) but that isn’t quite as elegant as I would prefer.

Or (as the TinyApps bloggist kindly just reminded me) use Cain & Abel.

Instead I decided I'll pick up a specialized device that supports a network TAP.  This way I can just hook it in line between my Wi-Fi router and the cable modem and capture everything that passes through. It may not be 100% on packet captures, but I think it will be good enough for my home testing.

So the next question is what device?

I’ve settled on the following options:

The DCSW-1005 model is an attractive basic option. It supports port-mirroring, is USB powered, and has 5-ports. (note only port #1 is mirrored to port #5).  The price is good.  The only “drawback” I see is that it only supports 10/100 speed on the network.  While I seriously doubt I would ever approach over 100 Mbps and cause a bottleneck on my home network…most all my other network equipment is 1000 Mbps capable.  So thinking forward, this could be slightly limiting down the road, or if I am asked by family/friends/associates to do some network troubleshooting on a “true” 1000 Mbps network, or tapping in between two network devices actually running at 1000 Mbps.  So there is that. Also, the buffer memory used by the device in the mirroring process is 256 KB. So if that gets saturated, there is the possibility of dropped packet captures.

The only difference between the DCGS-2005/2005L seems to be the “L” model has a metal cabinet while the other doesn’t. Of course, that option comes with a $20 markup as well.  I’m pretty sure the plastic cabinet would be just fine, but the vanity in me just likes the metal cabinet appearance a bit more. Probably just a bit more durable when tossed around in a go-bag and maybe it might dissipate heat a bit better? This model does support up to 1000 Mbps, so there is that benefit (it is also at least $100 more expensive), but the buffer memory is just 104 KB. Hmmm.

Should I be concerned about overloading either of the devices’ memory buffer when capturing home-network traffic? Probably not but what say you pros?

I did find these pretty basic and older reviews, including one from the guru of network security Richard Bejtlich.  I really didn’t find any more recent reviews of the device so if/when I get my hands on one, you can be assured I’ll have a write-up review.

Part II - In Which Other Alternatives are discovered

So let’s assume that you are already comfortable with network packet captures, installing network software, and making network configuration changes to Wi-Fi devices.

Are there any options to capture iPhone network traffic without going to the trouble and expense of picking up TAP hardware just for that task?


First option is a tool called Paros. It is Java based (I know, I know..) and can assess web application vulnerabilities. The link has a Windows binary that appears to date back to August 2008.

Here is a nice walkthrough on using Paros, Sniff Your iPhone's Network Traffic by Jerod Santo, to give you some introduction to it.

There was a comment on the Paros page providing information to a very current “fork” of Paros: ZAP

(Note: Not to be confused with the Zscaler ZAP service)

OWASP Zed Attack Proxy Project - OWASP -

There is tons of information on that page on this tool:

And here are some quick links on ZAP usage:

Next up, we have Fiddler, a free web debugging proxy from Telerik.

Finally, if you are hard-core, just go use Wireshark.

Part III - Resources, References, & Pineapples

Here are some additional links related to all of the above discussions including the Dualcomm products, SPAN/TAP considerations, and the next network device I’m interested in picking up to play with; the Wi-Fi Pineapple.

SPAN Out of the Box (PDF Link) - John He’s Dualcomm Technology PowerPoint presentation at SharkFest 2010. Goes into details about SPAN/TAP considerations and specifics on what DualComm feels makes their product super special. SPAN out of the Box (Blip video)

B-7 (Battaglia) TAPS Demystified (PPT Link) - Samuel Battaglia’s Network Critical PowerPoint presentation at SharkFest 2010.

SPAN Port vs TAP (Video) - Betty DuBois- SharkFest 2009 presentation. PowerPoint presentation here (ZIP).

SPAN Port or TAP? CSO Beware - LoveMyTool blog - Tim O’Neill

Network Monitoring Madness: Poor Man’s Resource Linkfest - GSD blog post from 2010.

Let’s Get For/Sec-Motivated! - GSD blog post from 2011.

The beginners guide to breaking website security with nothing more than a Pineapple - Troy Hunt’s blog.

Your Mac, iPhone or iPad may have left the Apple store with a serious security risk - Troy Hunt’s blog.

Pineapple Surprise! Mixing trusting devices with sneaky Wi-Fi at #wdc13 - Troy Hunt’s blog.

Netgear DS104 4-Port 10/100 Dual Speed Hub with Uplink Button (Amazon link) - recommended to look into as well by the TinyApps bloggist, who reports he had a good experience with it.

CaptureSetup/Ethernet - The Wireshark Wiki

CaptureSetup/WLAN - The Wireshark Wiki


--Claus Valca

Saturday, September 07, 2013

Microrant: Microsoft Security Essentials & File Restore

I’ve been a long-time fan of the anti-virus/anti-malware application Microsoft Security Essentials for non-technical family and friends for the following reasons.

  1. It’s free.
  2. The GUI is not “scary” or threatening to civilians.
  3. It plays very well with all Windows OS’s (XP-Win7).
  4. It automatically updates the engine and DAT files as part of the Windows Updates settings.

Since I have been running it on my own personal systems for quite a while, it is super-easy to walk folks through solving most any problems they have without needing to get a remote session to their PC.

Granted, while it has rated low in recent AV-TEST results my confidence in it has remained high enough to continue to use and recommend it to others.  (MSSE rebuttal to those results here.)

However the UI frustrated me today and I am strongly considering switching over to Bitdefender Antivirus Free.

I’ve been running Bitdefender Free on my Win 8 virtual machines for some time and absolutely love it.  The interface is a bit more “geeky” and technical than MSSE and you need to provide/register it with a valid email address. However that also gets you access to a “cloud-based” console to manage and view history on all your Bitdefender free systems that you have registered. That’s kinda handy and useful for geeks like me who use a similar approach at work.

Bitdefender products also get rated high in recent AV-TEST results.

(See also Virus Bulletin summary results.)

Anyway, the rant today is because of the current MSSE handling of potential threats; or to be more accurate, the behavior encountered in the UI when trying to recover from MSSE’s handling of potential threats.

This morning I had downloaded an updated version of Nir Sofer’s IE PassView.  I use this great utility when I am responding to a user’s system where they have forgotten passwords (and didn’t write them down or put them in a digital password manager app). Often they saved the password to “auto-enter” in IE when they browse to the page (yuck but what are you gonna do?). So I can use this tool with their permission to look for and recover the password for them. If I don’t find it there, I try many of the other password tools Nir Sofer has on his site. Usually I get lucky and can recover it.

Only today, when I downloaded the ZIP file package for the application, MSSE kept intercepting the downloaded file and quarantining it as a threat.

No biggie. I’d expect as much since it could be used by others for nefarious purposes.

So I just opened up MSSE, clicked on the “History” tab, and found it present under the Quarantined items list.

So I did what seemed natural and ticked the checkbox next to the line item, and hit the “Restore” button.

It disappeared out of the list.

I checked back to my download location.  File not there.


So I downloaded the file again from NirSoft.  Again it was intercepted and quarantined. Again I restored it.

Again it disappeared to the netherworlds.

I didn’t see any UAC prompts even though the “Restore” button has a little shield like it should be prompting me for confirmation action.


Clearly “Restore” didn’t restore anything. Nor did it whitelist the file for future downloads.

It wasn’t listed in my “Allowed items” list in MSSE either.


So, non-intuitively, I selected the “All detected items” radio button.

In the list was the file listed several times for all the repeated download attempts.


I clicked on one of those and selected “Allow item”.

A UAC prompt appeared and I said “OK”.

I checked my download location and there was the restored file now.

The item still wasn’t added and listed in the “Allowed items” list.


So (as of today) it appears that in some cases with MSSE, when a file is intercepted and quarantined, and you want to free it from quarantine and restore it:

  1. don’t select it from the quarantine list and “Restore” from there.
  2. select it from the “all detected items” list and “Allow item” from there.

Running iepv.exe didn’t generate any MSSE alerts or warning bells.

Subsequent retries show that MSSE no longer quarantines downloads of the ZIP file.

So MSSE seems to have been quite good at intercepting the ZIP file for IE Pass View during download, and quite good at making it challenging to “restore” the download file after it had been quarantined. However it also was quite poor about easily allowing me to “whitelist” it. Nor did it complain or protect me (not that I really wanted it to…just saying) from the actual execution and presence of the iepv.exe binary.


This alone isn’t enough reason to jump away from MSSE, however it is one more data-point in my considerations of moving to a different solution on my personal system.

Posting in case anyone else searches the Googles for this particular issue.

--Claus V.

Monday, September 02, 2013

PowerShell Learning Grinds On

My slow effort to learn PowerShell grinds on.

At this stage it isn’t really that anything about learning PowerShell is particularly taxing, I’m just finding it horribly difficult to find the time to commit to the process.

I made it through the first two videos in the Getting Started with PowerShell 3.0 MS Channel 9 series. Took lots of notes in my handy-dandy notebook even, yes I did.

And then two weeks of knock-down cage-match project work hit.

Despite the challenge presented, all is not a total wash. I did find more practical reference material to note for future reference.

List of Free PowerShell eBooks - Jason Hofferle’s post (at his Force Multiplication through IT Automation blog) is several years old now, and I’m sure there may be even newer free material. (Sounds like a self-challenge for another GSD post topic.) However, if you are just cutting your baby teeth on PowerShell, these seem like great foundational material to gnaw on. I ripped through the links and downloaded every file I could get my hands on and dumped them on both my Kindle and iPhone for lunchtime reading and reference. These coupled with the mobile versions of the Channel 9 PowerShell videos on my iPhone present a great library to get started with.

Once I chew through these and feel a bit more accomplished, I will look to updated versions of current PowerShell guides. Speaking of…

List of PowerShell Books - Jason Hofferle followed up his previous post with some recommendations of “for purchase” PowerShell books as well. The list looks very good and covers lots of different application areas.

Since these and several other posts I looked up established that Jason has some serious street cred when it comes to PowerShell, I dug some more and found these interesting posts that seem to show the practical magic that PowerShell can bring to the table.

That last one led to this great series from Jason on the Hey, Scripting Guy! Blog

Poking around the Hey, Scripting Guy! blog led to these recent finds which are a great help in learning PowerShell as I can relate already to DiskPart so learning how to manipulate it in PowerShell is pretty cool.

Even More Recent Resources

How to Run PowerShell Commands on Remote Computers - How-To Geek blog

CIM Cmdlets – Some Tips & Tricks - Windows PowerShell Blog

Community Tools | Scripting VBScript and PowerShell in 32 / 64 bit Editors; WMI Explorer - Sapien Technologies has some great free community tools for PowerShell use and support.

Enumerate devices on a given subnet – powershell script - Blog of Kliment Andreev

Live Response Using PowerShell (PDF link) - SANS Reading Room whitepaper by Sajeev Nair - August 20, 2013.

PowerShell Reference Post: The Train Cometh Near… GSD blog post because sometimes I’m too lazy to look for the prior link…

--Claus Valca

ForSec Labor Day Blow-out Linkfest

Final link push for the GSD blog before shutting down for the night.

I hope all you ForSec guys and gals have had a restful Labor Day before heading back into the trenches tomorrow.

Here are some links of note to review this week that I picked out.

Richard Bejtlich on His Latest Book, “The Practice of Network Security Monitoring” - M-unition blog

Did It Execute? - M-unition blog post by Mary Singh on incident response.

Anatomy of an ongoing Drive-by-Download campaign - ZScaler ThreatLabZ blog post

Browser Related:

Psst. Your Browser Knows All Your Secrets. - SANS ISC Diary guest post by Sally Vandeven on pulling the crypto keys in a browser.

Cookie Cadger to Identify Cookie Leakage from Applications over An Insecure HTTP Request - Next of Windows

Cookie Cadger - project homepage. From the link:

“Cookie Cadger helps identify information leakage from applications that utilize insecure HTTP GET requests.

“Web providers have started stepping up to the plate since Firesheep was released in 2010. Today, most major websites can provide SSL/TLS during all transactions, preventing cookie data from leaking over wired Ethernet or insecure Wi-Fi. But the fact remains that Firesheep was more of a toy than a tool. Cookie Cadger is the first open-source pen-testing tool ever made for intercepting and replaying specific insecure HTTP GET requests into a browser.

“Cookie Cadger is a graphical utility which harnesses the power of the Wireshark suite and Java to provide a fully cross-platform, entirely open-source utility which can monitor wired Ethernet, insecure Wi-Fi, or load a packet capture file for offline analysis.”

Book stuff - Windows Forensic Environment - Brett Shavers teases us again with brief news he continues to develop a standalone WinPE/FE “one-push” builder. Also he has released an early Kindle version of his X-Ways Forensics Practitioner’s Guide. Finally Brett gives recommendations for some other great ForSec reference books in his post.

Sadly, I am embarrassed to confess that I have just rediscovered the SANS Institute: Reading Room.

It appears their Latest 25 Papers RSS link to the page may have some issues: though I can load it in Firefox, trying to use it in a dedicated RSS reader generates an error that it cannot find actual RSS data on the page. Hmm.

Anyhows…since I just found it (again) there are a gazillion (or slightly less) new whitepapers for review and reading.

Here are the ones I picked out that looked interesting to my desk operations:

That last link reminded me of the following particular motivational leadership links I keep handy on my blog sidebar:


--Claus Valca

Admin-Related Links - GSD Linkpost

…and here are some fun links for the SysAdmins in the crowd


The awesomely helpful 4sysops site has some good info posts:

How to enable Group Policy Preferences Logging via the Local Group Policy Editor - Anything about IT blog

FIX: Adobe Flash not working on Windows 8/Internet Explorer 10 running on a Lenovo ThinkPad X1 Carbon Touch - Kurt Shintaku's Blog

For Office 365 folks:

Windows PE boot in BIOS or UEFI mode (Google Translated) - Borns IT and Windows Blog

Redefining what "Never doing that again" means... Troubleshooting with the Windows Sysinternals Tools, Second Edition - Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog


--Claus Valca.

Network News & Goodies - Labor Day Edition

Linkfest post on Labor Day. Lots of network goodies here for the GSD fans!

Presented in no particular order…just how they came off the bench tonight.

Viewpoints: OSI Model and APSTNDP - Microsoft’s MessageAnalyzer blog

Wireshark Tutorial Series #2. Tips and tricks used by insiders and veterans - Sniff free or die Wireshark blog

Tools - The Wireshark Wiki - great Super-List of tools and supporting material for Wireshark.

I’ve posted recently quite a gushing rant on TraceWrangler. It is a free (still-Alpha release) no-install tool to help with sanitizing and anonymizing packet trace files. Pretty wicked cool. Jasper Bongertz posted an intro here and touched on some of the issues current tools of this kind have.

I mention it because the Wireshark Wiki Tools page does contain a list of capture file anonymization tools and (sadly) TraceWrangler isn’t on it yet. Somebody with a connection needs to send the Wiki editors some memos…just saying.

TraceWrangler (change log) - now at version Alpha 0.1.3 build 308.

Microsoft Security Advisory (2861855): Updates to Improve Remote Desktop Protocol Network-level Authentication - Microsoft Security TechCenter

Sequence Match View: Identifying Interesting Network Patterns - Microsoft’s MessageAnalyzer blog

How Secure Is Your Smartphone - Check the Packets (by Tony Fortunato) - LoveMyTool blog

The Do's and Do NOT's of using SPAN Ports (by Darragh Delaney) - LoveMyTool blog

NetFort SPAN Port Configurator - freeware - GUI Utility to set Span Ports on Cisco switches…because as you know, using the free Cisco Network Assistant to do so is such a pain.

ZMAP 1.02 released - SANS ISC Diary

ZMap · The Internet Scanner. From the home page:

“ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.

“While ZMap is a powerful tool for researchers, please keep in mind that by running ZMap, you are potentially scanning the ENTIRE IPv4 address space and some users may not appreciate your scanning. We encourage ZMap users to respect requests to stop scanning and to exclude these networks from ongoing scanning.”

“We suggest that users coordinate with local network administrators before performing any scans and we have developed a set of scanning best practices, which we encourage researchers to consider. It should go without saying that researchers should refrain from exploiting vulnerabilities or accessing protected resources, and should comply with any special legal requirements in their jurisdictions.”

While you may not break the Internet as handily as Jen does, you might do bad things to your own. Be sure you are well familiar with the tool before experimenting!

NMAP 6.40 Released - SANS ISC Diary

Nmap Change Log -

Download the Free Nmap Security Scanner for Linux/MAC/UNIX or Windows -

SoftPerfect WiFi Guard - version release to 1.0.3 (Change log)

NetworkTrafficView - NirSoft - version release to 1.76:

  • Added 'Maximum Packet Size' column. For TCP connections that transfer a significant amount of data, the value under this column represents the actual MTU.

Wireless Network Watcher - NirSoft - version release to 1.67

  • Updated the internal MAC addresses database.

KiTTY - update to current version release of

60 Seconds on the Wire: A Look at Malicious Traffic (direct PDF Link) - SANS Reading Room whitepaper by Kiel Wadner - August 22, 2013.

Custom Full Packet Capture System - (direct PDF Link) - SANS Reading Room whitepaper by Derek Banks - April 16, 2013.

Repeated from another recent GSD post because they seemed apropos here as well:

Psst. Your Browser Knows All Your Secrets. - SANS ISC Diary guest post by Sally Vandeven on pulling the crypto keys in a browser.

Cookie Cadger to Identify Cookie Leakage from Applications over An Insecure HTTP Request - Next of Windows

Cookie Cadger - project homepage. From the link:

“Cookie Cadger helps identify information leakage from applications that utilize insecure HTTP GET requests.

“Web providers have started stepping up to the plate since Firesheep was released in 2010. Today, most major websites can provide SSL/TLS during all transactions, preventing cookie data from leaking over wired Ethernet or insecure Wi-Fi. But the fact remains that Firesheep was more of a toy than a tool. Cookie Cadger is the first open-source pen-testing tool ever made for intercepting and replaying specific insecure HTTP GET requests into a browser.

“Cookie Cadger is a graphical utility which harnesses the power of the Wireshark suite and Java to provide a fully cross-platform, entirely open-source utility which can monitor wired Ethernet, insecure Wi-Fi, or load a packet capture file for offline analysis.”


--Claus Valca