Bios Password


Saturday, November 2, 2013

Ubuntu 13.10 Upgrade - Lessons Learned & VIDMA utility found

Posted on 4:13 PM by Unknown

A few weeks ago a new release of Ubuntu came out.

Naturally that meant it was update time!

I have been getting pretty good at this now so I thought I had it all figured out.

Wrong.

Here you go…documented for your entertainment and my education.

  1. Find in RSS feeds that my Ubuntu 13.04 Raring Ringtail install has an Ubuntu 13.10 Saucy Salamander update available.
    ●  Upgrade your PCs, servers, and phones: Ubuntu 13.10 lands tomorrow - Ars Technica
    ●  Ubuntu 13.10 review: The Linux OS of the future remains a year away - Ars Technica
    ●  Ubuntu 13.10 Released - But Is It An Essential Upgrade? - OMG! Ubuntu
    ●  Ubuntu 13.10 Saucy Salamander Review: A Boring Amphibian - Desktop Linux Reviews
    ●  Ubuntu 13.10 (Saucy Salamander) review: Smart Scopes in, Mir out - ZDNet
    ●  Saucy Salamander/Release Notes - Ubuntu Wiki
  2. Excitedly start the in-place upgrade of my VirtualBox Ubuntu build.
  3. Remembered this time (third time’s the charm) that VirtualBox upgrades screw with Ubuntu (and I had recently upgraded to a new VirtualBox release and hadn’t run my Ubuntu guest since) unless you first disable 3D acceleration in the VM machine settings. So I disabled it, launched the Ubuntu VM and now was able to load the desktop!
    At that point I was able to install/upgrade to the latest VirtualBox Extension pack within Ubuntu proper. It ran slow as molasses but got the job done. For some reason I keep forgetting what the correct option clicks to get the Extension pack installer auto-running after I mount the CD/ISO file. I did better this time. For some reason the dialog window prompts aren’t fully intuitive to me as a Windows user.
    1. First, run the installer from the host.
    2. Next choose the “Ask what to do” option (I think this is where I get tripped up and select another option incorrectly).
    3. Run the auto installer
    4. Authenticate and install
      ●  How do I install Guest Additions in VirtualBox? - Ask Ubuntu.
      ●  Installing Guest Additions on Ubuntu - VirtualBoxes
  4. Once done, I rebooted the system after re-enabling the 3D Acceleration option in the VM settings.
  5. From there I continue by using Daniel Benny Simanjuntak’s tip in a previous Ubuntu post comments I did to run the following command from the terminal to start the upgrade process.
         …through terminal one can upgrade as well using the command:
          sudo do-release-upgrade -d
  6. Watch with anticipation.
  7. Installation failed.
  8. What!
  9. Try again.
  10. Failed again.
  11. Read error and log dialogs carefully and figure out I don’t have enough free space on my virtual hard drive. Apparently I set it up for a fixed disk size of about 8 GB.
  12. Started simple and ran command “sudo apt-get clean”. I seem to recall I had to do that last time I did an Ubuntu upgrade.
  13. That cleaned a bunch of stuff but when I tried to do the upgrade, I still didn’t have enough free space left to perform the upgrade. It eventually became clear that it was time to increase the size of my virtual hard drive. Goody.
  14. I tried a number of processes to expand (in place) my VM’s VDI virtual HDD file. None of them seemed to work successfully. It was super frustrating.
  15. Found vidma - Virtual Disks Manipulator (tool for resizing VDI). It’s a tiny standalone command line tool for resizing (fixed size) VDI files. It is “Alpha” software but I figured I had little to lose at this point, as if this didn’t work I’d probably be going back to square one anyway.
    1. To make things easy I copied the utility over into the same location of my VDI file.
    2. Opened a command line window in this location
    3. Ran the command “vidma Xplico.vdi 20480” and fed it confirmations as needed. (Actually I used the even value amount “20000”, which resulted in a 19.53 GB expanded drive…not quite the 20 GB even that the 20480 figure would have given.)
    4. Watched and waited patiently as it processed the file.
    5. When it was done I relaunched the VM (hurray it came up fine) and using GParted inside the current Ubuntu VM, checked the /dev/sda drive. It was showing the full 19.53 GiB partition. Up from the original 8 GiB.
  16. That was part one. Now I had to resize my active partition to incorporate the additional unallocated space that I had created in step 15 with vidma.
  17. I shut down the VM and rebooted it after attaching a GParted ISO. This would let me manipulate the internal partition information of my VDI file.
    1. Basically I followed (starting down the page at Step 4 “Expand the partition in the larger virtual disk”) the guide found posted by Eugene over at Trivial Proof: “Resizing a VirtualBox Virtual Hard Disk”
    2. Because I had set my Ubuntu drive up with a swap partition, I had to deal with it first as explained in the addendum in that guide.
    3. For some reason I was not able to move the swap partition out of the way as it describes. So I ended up following a tip in the comments from “jayesh” after carefully noting what size it originally was set at.

      ”I had an extended partition containing a swap partition between my root partition and unallocated space. So I tried to follow the ADDENDUM steps but I was not able to move the extended partition in one step. So, I extended the "extended partition" with unallocated space, then moved the swap partition to the end of this new partition and finally shrank the extended partition to its original size, leaving unallocated space close to my root partition.”

      This post guide over at mwpreston.net expands that process in wonderful detail if you want more information before trying: Expanding a Linux disk with gparted (and getting swap out of the way) - mwpreston.net
    4. I then was able to expand the existing (in-use) partition to take in (almost) all of the newly created unallocated space.
    5. Whew!
    6. Rebooted and detached the GParted ISO.
    7. My VM guest came up just fine and after another check in the GParted tool, confirmed things were put right again and I now had 18.43 GB of available space.
  18. Time to retry the Ubuntu 13.10 upgrade!
  19. From a terminal session: “sudo do-release-upgrade -d”
  20. Let it run forever…do a few reboots…
  21. When it is all settled down, I log in and kick the tires a bit, and change the desktop to the charming “Saucy Salamander” image.
  22. Looked for and updated any pending applications needing updating. Done.
  23. Check “Upgrade to Saucy Salamander” off my to-do list.

I would swear I captured a ton of screen shots of the actual VDI expansion and post-GParted partition wrangling work to document what I was doing, but I just can’t find where I put the screen cap files. Despite my best efforts to scour my HDD’s looking for them they just haven’t turned up. If I do later stumble upon them, I’ll update the post accordingly.

The only other “gotcha” I discovered immediately after the upgrade is that my beloved power-button in the top-right bar in Ubuntu 13.04 had been removed. How do I shut the figgin thing down now?


Apparently I wasn’t the only dolt stumbling over this, post upgrade.

  • unity - Why am I not able to shutdown, log-off and restart after an upgrade to Ubuntu 13.10? - Ask Ubuntu

Per that thread, I ended up settling for the “open a terminal, type sudo shutdown -h now, press enter and put the password” shutdown method.

Since that original upgrade to 13.10, I have since run the Software Updater again to bring it current and I find my familiar shutdown icon is now back. Hurrah!


I hope this helps any Ubuntu noobies out there with the upgrade process if you are running it in VirtualBox.

Previous Ubuntu upgrade posts here on GSD.

  • grand stream dreams: Ubuntu 12.10 (Quantal Quetzal) Upgrade
  • grand stream dreams: Ubuntu 13.04 (Raring Ringtail) Upgrade..a bit faster this time

--Claus Valca

Posted in Linux, tutorials, virtualization | No comments

ForSec Linkfest - 2013 DST Fallback Edition

Posted on 1:23 PM by Unknown

FYI…tomorrow morning at 2 AM here in the United States of America it will be time to “fall back” from DST. One more hour of sleep and then it’s weeks of trying to get the body’s timeclock to readjust.

So as you get ready to find all the clocks you need to manually adjust (don’t forget the vehicles!), here is some linkage to distract you from that task. Please note I’ve also sprinkled in some networking items as well to keep you on your toes!

  • Wireshark 1.10.3 and 1.8.11 Released - Wireshark website
  • Wireshark - Official site Download
  • Reviewing Wireshark's Capture Pane (by Tony Fortunato) - LoveMyTool blog
  • Using PowerShell to Automate Tracing - MessageAnalyzer blog
  • Nmap cheat sheet - HelpNet Security blog - From the notice:
    • Counter Hack founder and SANS instructor Ed Skoudis and his team created a helpful cheat sheet for Nmap, which includes notable scripts of the Nmap Scripting Engine, script categories, instructions for scan types, probing options, and more.
  • How A Wireless Issue Looks Like a Wired Issue (by Tony Fortunato) - LoveMyTool blog
  • NAFT: The Movie - Didier Stevens
  • New utility to quickly set the DNS servers of your Internet connection - QuickSetDNS utility from Nir Sofer's workbench.
  • On getting Pineappled at Web Directions South - Troy Hunt’s blog
  • Disassembling the privacy implications of LinkedIn Intro - Troy Hunt’s blog
  • Command-line Forensics of hacked PHP.net - NETRESEC Blog
  • iOS apps can be hijacked to show fraudulent content and intercept data - Ars Technica
  • Your iPhone knows where you’ve been, puts it on a map - Chron.com’s TechBlog
  • What's New in the Prefetch for Windows 8?? - Invoke-IR blog
  • Re-Introducing the Vulnerability Search - Journey Into Incident Response blog
  • Links - Windows Incident Response blog
  • Incident Response Teams are the New (Security) Black - Speaking of Security - The RSA Blog and Podcast
  • Red Alert: 10 Computer Security Blogs You Should Follow Today - MakeUseOf blog
  • New Security Intelligence Report, new data, new perspectives - Microsoft Malware Protection Center blog
  • Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps - Ars Technica
  • Hacking a Reporter: Writing Malware For Fun and Profit (Part 1 of 3) - SpiderLabs Anterior
  • Treasure Hunting with FTK, EnCase, and SQLite Databases - Computer & Digital Forensics at Champlain blog
  • Add the CAINE ISO to your E2B drive - RMPrepUSB, Easy2Boot and USB booting

Cheers,

Claus Valca

Posted in boot-cd's, cheat sheets, forensics, iOS, Link Fest, networking, NFAT, PowerShell, security, utilities | No comments

CryptoLocker Ransomware Info & Free Prevention Solutions

Posted on 1:08 PM by Unknown

I work hard to keep our home systems malware-free and safe.

That typically involves talking about good Windows end-user behavior with Alvis and Lavie, letting them know about various breaking threats, running an AV/AM product, installing the advanced protection afforded by Microsoft's EMET v4.0 on our home systems, making sure all Windows and third-party browser plugins are kept updated, running backups, etc.

So generally, I don’t worry too much about viruses and malware…but this new CryptoLocker threat does have my nerves extra-edgy.

First, we don’t have 10 bitcoins sitting around to pony up for a decryption. Most home/SOHO Windows users probably don’t either. Note this price has gone up from the previous 2 bitcoin expense.

  • CryptoLocker developers charge 10 bitcoins to use new Decryption Service - Bleeping Computer News

Secondly, it seems to work primarily on social-engineering and spear-phishing techniques (for now) to trick a user into opening a payload delivered by email. While I can have pretty good confidence in software defense-in-depth security practices, I never can trust the end-user (myself included) to be 100% dependable in catching this attack. I am my own weakest link.

Lastly, although CryptoLocker primarily targets local drives, it will encrypt any targeted files on a network share if the shared folder is mapped as a drive letter rather than a UNC share. So if one person on a network gets infected, and has mapped drives via drive lettering, that could hose everyone! That’s scary bad.
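Since the drive-letter mapping is what puts a share in reach, the check I would want on every Windows box is a list of exactly which letters point at which shares, and which of those reconnect at logon. Here is an added PowerShell example (mine, not from the original post or from any of the tools linked here) that builds that list from the Win32_LogicalDisk WMI class (DriveType 4 is a network drive; ProviderName is the backing UNC path) and from the per-user HKCU\Network key where persistent mappings are stored. It assumes Windows PowerShell 2.0 or later; the FreeGB column and the 30-line layout are my choices, not anything the post specifies.

```powershell
# Added example (not from the original post): audit which mapped drive letters
# expose network shares, since a drive-letter mapping is what CryptoLocker walks.
# Assumes Windows PowerShell 2.0+ and the built-in Win32_LogicalDisk WMI class.
function Get-MappedDriveExposure {
    # DriveType 4 = network drive; ProviderName is the backing UNC path.
    $live = @(Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=4" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Drive      = $_.DeviceID
                UncPath    = $_.ProviderName
                Persistent = $false
                FreeGB     = [math]::Round($_.FreeSpace / 1GB, 1)
            }
        })

    # Persistent ("reconnect at logon") mappings live under HKCU\Network\<letter>,
    # one subkey per drive letter with a RemotePath value.
    $persistent = @{}
    if (Test-Path 'HKCU:\Network') {
        Get-ChildItem 'HKCU:\Network' | ForEach-Object {
            $letter = $_.PSChildName.ToUpper() + ':'
            $persistent[$letter] = (Get-ItemProperty -Path $_.PSPath).RemotePath
        }
    }

    foreach ($d in $live) {
        if ($persistent.ContainsKey($d.Drive)) { $d.Persistent = $true }
    }
    $live
}

# Report what this user session exposes. Persistent mappings are the ones that
# come back after a reboot, so they are the ones worth converting to UNC use.
$exposed = Get-MappedDriveExposure
if ($exposed.Count -eq 0) {
    "No network drive letters are mapped in this session."
} else {
    $exposed | Format-Table Drive, UncPath, Persistent, FreeGB -AutoSize
    # To drop a mapping (and its persistent entry) by hand:  net use X: /delete /y
}
```

Run it in each user’s own session (the HKCU key is per-user), and remember it only reports what is mapped right now; a share reached by UNC path is not listed, which is the point.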

So the first important step you can take is to educate yourself about the threat itself:

  • How To Avoid CryptoLocker Ransomware — Krebs on Security
  • CryptoLocker Ransomware Information Guide and FAQ - Bleeping Computer - Probably the current de-facto resource for all technical details on this threat. Updated frequently.
  • CryptoLocker Is The Nastiest Malware Ever - Here's What You Can Do - MakeUseOf blog
  • Cryptolocker Ransomware: What You Need To Know - Malwarebytes Unpacked
  • You’re infected—if you want to see your data again, pay us $300 in Bitcoins - Ars Technica

At home, my immediate response was to deploy a special package maintained by Foolish IT LLC on ALL our personal Windows systems (including my Windows VM’s) that protects against this threat. 

CryptoPrevent - free for personal and commercial deployment - Foolish IT LLC - current version at time of posting is 3.1 but that is certain to change. In both “portable” and installable versions.

Like any AV/AM vs. Security battle, it is a constant arms race of updates so if you go this method, check back frequently for new versions or pay the $ for the auto-updating version.

Just to illustrate the challenge, take a look at these posts from the developer to see how the tool has mutated to keep pace with the threat and customer’s needs.

  • CryptoPrevent v2.0 just released with whitelisting capabilities!
  • CryptoPrevent v2.1 - I just can't seem to win!
  • CryptoPrevent v2.4 just released with internal update feature - please update!
  • CryptoPrevent v2.5 - with a powerful new layer of protection introduced!
  • CryptoPrevent v2.6 released - my life is consumed by this madness!
  • CryptoPrevent v3.0 - Recycle Bin protection and a new optional AUTOMATIC UPDATE service!

For corporate locations, I learned about another solution via Brian Krebs’s post noted above. From that post:

A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a  domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.

Cryptolocker Prevention Kit (updated) - Spiceworks

Get protected now if you are a Windows user. Period. 

It’s not worth dilly-dallying about.

Cheers,

Claus V.

Posted in anti-virus software, malware tools, Microsoft, security, viruses | No comments

Linkfest for the SysAdmins

Posted on 12:21 PM by Unknown

Here is some assorted linkage from the past week or two that might be of interest to the system administrators lurking around.

  • US State Governments Can’t Shake IT Woes - IEEE Spectrum - This week in gooberment IT support and deployment silliness. Offered as object lessons for self-improvement.
  • HealthCare.gov deferred final security check, could leak personal data - Ars Technica
  • The seven deadly sins of HealthCare.gov - Ars Technica
  • Can we trust the data brokers who store our most intimate private details? - Ars Technica
  • Defrag Tools: #61 - Windows 8.1 - Disk Space, Sysinternals DU and RU - Defrag Tools on Channel 9
  • PowerShell: Location, Location, Location - 4sysops
  • Download Active Directory Replication Status Tool - Microsoft Download Center
  • How to make your USB drive Write-protected under Windows - RMPrepUSB, Easy2Boot and USB booting
  • Install Windows 8.1 on Oracle VirtualBox - BetaNews article from Wayne Williams
  • Customizing the Windows 8.1 Start Screen? Don’t follow Microsoft’s guidance - Aaron Parker
  • Windows 8.1 / Windows Server 2012 R2 - Updated Shell UI changes - Ask the Performance Team blog

Cheers,

Claus Valca

Posted in Link Fest, Microsoft, PowerShell, tutorials, video, virtualization, Windows 8 | No comments

Microsoft Security Essentials/Defender & PowerShell

Posted on 12:10 PM by Unknown

Here are some minor tidbits for MSSE I found, as well as some cool tricks you can do against it with PowerShell.

Microsoft may end antivirus updates on XP in April - ZDNet

I’m not surprised to hear this deliberation going on, XP must go and MS can’t be responsible to support an unsupported OS forever. That said, for quite some time to come many home users (particularly), SOHOs, and corporations may continue to use XP on their systems.

While I’m confident other third-party vendors may continue to release AV/AM software that can run and support XP systems, many folks stick with MSSE. Leaving these systems vulnerable and unprotected, particularly if on a network with other Windows systems, seems a situation ripe for exploitation and shenanigans.

I hope that Microsoft continues to provide updated and current definition signatures for at least a period of time after the XP support ends.

Download Microsoft Security Essential - Microsoft Download Center

Meanwhile, over at the Hey, Scripting Guy! Blog, great fun has been reported playing around with Windows PowerShell and finding some neat things that can be done with Windows Defender. (Note: I don’t find a counterpart for the Microsoft Security Essentials application.)

  • Exploring the Windows Defender Catalog - Hey, Scripting Guy! Blog
  • Use PowerShell to Explore Windows Defender Preferences - Hey, Scripting Guy! Blog
  • Use PowerShell to Update Windows Defender Signatures - Hey, Scripting Guy! Blog
  • Use PowerShell to See What Windows Defender Detected - Hey, Scripting Guy! Blog
  • Weekend Scripter: Use PowerShell to Configure Windows Defender Preferences - Hey, Scripting Guy! Blog
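Pulling those posts together into one routine check: the script below is an added example of mine (not code from the Scripting Guy posts or from Microsoft) that reads signature age and real-time protection state from Get-MpComputerStatus, pulls fresh definitions with Update-MpSignature when they are older than a threshold, and lists the last month’s detections from Get-MpThreatDetection. It assumes Windows 8 / Server 2012 or later, where the Defender module ships with the OS (as noted above, Microsoft Security Essentials has no equivalent cmdlets); the two-day threshold and the 30-day detection window are my own choices.

```powershell
# Added example (not from the original post): check Windows Defender signature
# freshness, update if stale, and list recent detections using the Defender
# module cmdlets. Assumes Windows 8 / Server 2012 or later; MSSE has no
# counterpart cmdlets.
param(
    [int]$MaxSignatureAgeDays = 2,   # assumption: anything older gets refreshed
    [int]$DetectionWindowDays = 30   # assumption: how far back to list detections
)

Import-Module Defender -ErrorAction Stop

$status = Get-MpComputerStatus
"Real-time protection : $($status.RealTimeProtectionEnabled)"
"AV signature version : $($status.AntivirusSignatureVersion)"
"AV signature updated : $($status.AntivirusSignatureLastUpdated)"
"AV signature age     : $($status.AntivirusSignatureAge) day(s)"

# Real-time monitoring off is the first thing to fix; this is a real
# Set-MpPreference switch, so it is safe to re-assert.
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is disabled; re-enabling."
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# Stale definitions: pull an update and show the resulting version.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    "Signatures older than $MaxSignatureAgeDays day(s); updating..."
    Update-MpSignature -ErrorAction Stop
    "Now at signature version $((Get-MpComputerStatus).AntivirusSignatureVersion)"
}

# What Defender actually caught recently, newest first.
$since = (Get-Date).AddDays(-$DetectionWindowDays)
$hits = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -gt $since })
if ($hits.Count -eq 0) {
    "No detections in the last $DetectionWindowDays day(s)."
} else {
    $hits | Sort-Object InitialDetectionTime -Descending |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, DomainUser, ActionSuccess |
        Format-Table -AutoSize
}

# A few preferences worth eyeballing after the above.
Get-MpPreference | Select-Object DisableRealtimeMonitoring, SignatureUpdateInterval, ScanScheduleQuickScanTime
```

Save it as a .ps1 and run it from an elevated prompt; Update-MpSignature and Set-MpPreference both need administrator rights, while the status and detection queries do not.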

Have fun!

Claus Valca

Posted in anti-virus software, Microsoft, PowerShell, security, tutorials | No comments

Miscellaneous TrueCrypt linkage

Posted on 11:47 AM by Unknown

I have used TrueCrypt for a long time…but only with TrueCrypt container files that stand alone and are mounted.

Then I branched out and started using full-volume encryption to protect some back-up external USB drive devices.

Recently, I bit the bullet and started using TrueCrypt system-wide encryption to protect my personal home laptop…all system volumes. No worries so far.

Because of that I pay close attention to TrueCrypt news, and here is some linkage, in case you are interested.

Let's audit Truecrypt! - A Few Thoughts on Cryptographic Engineering blog by Matthew Green

New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks - Ars Technica

Is TrueCrypt Audited Yet? - project homepage

How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries - technically heavy-duty and most excellent article by Xavier de Carné de Carnavalet.

Windows 8.1 upgrade: be careful with TrueCrypt - GTranslated - Borns IT and Windows Blog - Basically, if you are using full-system partition encryption with TrueCrypt, the recommendation is to first fully-decrypt and remove TrueCrypt encryption…then apply the Win 8.1 upgrade…then reapply the TrueCrypt full system partition encryption. If not you might hose your system during the upgrade. That’s a bad thing.

Cheers,

Claus Valca

Posted in security, troubleshooting, TrueCrypt, utilities, Windows 8 | No comments

PowerShell 4.0 and a tiny “gotcha”

Posted on 11:35 AM by Unknown

I spotted news last week that Microsoft released a new updated version (4.0) of PowerShell.

Download Windows Management Framework 4.0 - Microsoft Download Center

I thought I read and had met all the prerequisites successfully, so I installed away. Only when I checked the installed version it still reported 3.0. Hmmm.

I checked the “Add/Remove” program list and didn’t find the update listed in the Windows components. Strange. And when I tried to reinstall it, it said it was already installed…despite not being listed in the installed components.

What gives.

Long story short, after additional troubleshooting I found out that a required component for PowerShell 4.0 was missing.  WMF 4.0 requires Microsoft .NET Framework 4.5

I thought I had it on already, but turned out I had .NET Framework 4.0. My bad.

So I downloaded the .NET Framework 4.5 from the Microsoft Download Center and got it on my system, then reinstalled WMF 4.0 one more time.

This time it took and a version-check in PowerShell showed the new version was present.
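The reason the first install looked like it worked is that the WMF 4.0 installer goes in partially when .NET 4.5 is missing, so a preflight check saves the round trip. Here is an added PowerShell example (my own, not from the Microsoft posts linked here) that reads the .NET 4 “Release” value from the registry, treats 378389 (the documented value for .NET 4.5 RTM) as the minimum, and reports it beside the running PowerShell version. It assumes Windows PowerShell 2.0 or later so that $PSVersionTable exists; the object layout and the warning text are mine.

```powershell
# Added example (not from the original post): verify the WMF 4.0 prerequisite
# before (or after) installing, so a silently partial install is caught early.
# .NET 4.5 RTM writes Release=378389 under the NDP\v4\Full key; anything lower
# (or a missing value) means only .NET 4.0 or older is present.
function Test-Wmf4Prereq {
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = 0
    if (Test-Path $ndpKey) {
        $prop = Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue
        if ($prop -and $prop.Release) { $release = [int]$prop.Release }
    }
    $hasNet45 = ($release -ge 378389)

    # PSVersionTable is absent on PowerShell 1.0; treat that as "unknown".
    $psVersion = if ($PSVersionTable) { $PSVersionTable.PSVersion } else { 'unknown (1.0?)' }

    $result = New-Object PSObject -Property @{
        PSVersion  = $psVersion
        NetRelease = $release
        Net45Found = $hasNet45
        OSVersion  = [System.Environment]::OSVersion.Version
    }

    if (-not $hasNet45) {
        Write-Warning ("Microsoft .NET Framework 4.5 not found (Release=$release). " +
            "WMF 4.0 will only partially install; install .NET 4.5 first, then run the WMF 4.0 installer.")
    }
    $result
}

Test-Wmf4Prereq | Format-List PSVersion, Net45Found, NetRelease, OSVersion
```

Run it before the WMF 4.0 setup and again afterwards; a PSVersion of 3.0 with Net45Found false is exactly the “installed but not really” state described above.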


A few days later this issue became pretty common information so you may want to consult this post if you haven’t figured it out yet. It has great technical details.

  • WMF 4.0 - Known Issue: Partial Installation without .NET Framework 4.5 - Windows PowerShell Blog

Related:

  • PowerTip: Find if Computer has .NET Framework 4.5 - Hey, Scripting Guy! blog

So now what?

  • PowerShell 4.0 – A first look - 4sysops - Guest author Jeffery Hicks has a great pre-release review and rundown.

Cheers.

Claus Valca

Posted in Microsoft, PowerShell, troubleshooting | No comments

New Software Updates + VMware Tools Update fix

Posted on 11:19 AM by Unknown

The Valca household has survived last week’s torrential rain event. Unfortunately both our vehicles took a hit.

No…no cars were flooded due to poor driving decisions…they stayed high-and-dry…but they did suffer some incidental damage.

My beloved Saturn Ion apparently had material in the catalytic converter come loose and cause a blockage in the exhaust system.  That led to a significant power-loss -- I was only able to nurse it up to 55-60 MPH on the freeway. That’s a life-threatening highway speed here in Texas. I found a new local repair shop that was able to diagnose it (and +1 point for my dad who also guessed that would be the issue). So it awaits a new cat-converter install…and for good measure I’m having the front struts replaced as well as they are OEM and the front suspension is all clunky over road bumps and RR tracks. With almost 200,000 miles on it, I guess it is time.

Meanwhile, I got in Lavie’s car yesterday to borrow it while mine is in the shop. She doesn’t drive it much. It is a 2001 Nissan Altima with barely 43,000 miles on it. All was well until I went to unplug and toss her cell-phone charger on the passenger side foot-well floorboard…and found it full with 1.5” of standing water. Gasp!  Luckily I hadn’t put the car in reverse yet to slosh it out. Bother.  After some extensive wet/dry vac work it was only damp and between a few sunny dry days and some well placed Damp Rid containers I think we will be good. The windshield has some cracks in it that might cause it to not pass this month’s due vehicle safety inspection so the decision was made to schedule a windscreen replacement…which will result in all new weather seals.  The rest of the car was bone-dry so I really don’t think it was a seal that failed. My guess is the torrential rains (appx 3.5 inches in 24 hours) cascading down the windshield may have poured into the fresh-air intake vent under the hood which ran down into the passenger side foot well.  Not sure why it was just that side and not the driver’s as well. Thoughts?

So with one car finishing the air-out process and the other in the shop, it has been a bit stressful. Fortunately family and friends and Boss have been supportive and encouraging…and our older but beloved (and paid for) vehicles will continue to drive on a while longer.

Anyway…enough boring personal stuff…here is small collection of updated software you might want to check out as well as a fix for an aggravating VMware Player problem I ran into this morning after updating the main VMware Player application.

VMware Player Plus - Now updated to version 6.0.1. Note that VMware Player Plus is the $ version for commercial license usage. The free for personal use VMware Player is still around, but you just have to confirm that option during the setup. I prefer to use this VM software platform for my Windows guest clients and VirtualBox for my Linux-based ones.

  • Download VMware Player 6.0
  • VMware Player 6.0.1 Release Notes

One curious thing about this most recent version that I hadn’t encountered until now.

I had just upgraded to this latest VMware Player (host) software on Windows 7 and then launched an XP client so I could update the VMware Tools as well.

Strangely the Windows XP guest I started up reported it was stuck downloading the tools. On boot up of the VM guest, it offered me the upgrade tools option at the bottom of the window, and when I selected that action button, it popped a dialog window that said "VMware Tools installation cannot be started until the current download finishes." If I go to the VMware host’s menu, it says "Downloading VMware Tools" where it should say Upgrade/Reinstall VMware Tools.

I took matters into my own hands and was able to map the virtual CD ROM in my virtual XP client to the VMWare Tools ISO file for Windows at "C:\Program Files (x86)\VMware\VMware Player\windows.iso" figuring that it was the latest version and came down for the ride when I updated the host client software.

Once "mounted" it auto-started the VMWare Tools setup wizard in the XP guest session which I ran though and installed with no issues. A reboot and it was current in the XP VM.

However....on reboot VMware Player host software still was reporting the upgrade tools option at the bottom of the window, and when I selected that again, it said "VMware Tools installation cannot be started until the current download finishes."

Here's how I cleared it in VMWare Player (based on this forum thread I found and solution offered by John Swanagon).

    • Launch VMware Player.
    • Click "Player"
    • Click "File"
    • Click “Player Preferences”.
    • Under "Software updates” section.
    • Click “Connection Settings”.
    • In the “Connection Settings” window, change the proxy from “No proxy” to “Windows proxy settings”.
    • Click OK.
    • Click OK.
    • Open Internet Explorer. (note these IE steps may vary based on your IE version)
    • Click "Tools" then select “Internet Options”.
    • Click the “Connections” tab.
    • Click the “LAN settings” button.
    • Confirm/Select the “Automatically detect settings” option.
    • Click “OK”.
    • Click “OK”.
    • Close Internet Explorer.
    • Exit VMware Player.
    • Run VMware Player as an Administrator.
    • Click "Player"
    • Click "File"
    • Click “Player Preferences”.
    • Under "Software updates” section.
    • Click “Edit” -> “Preferences”.
    • Click “Download All Components Now”.

Additional components for other guest OS systems downloaded and, once that was done and VMware Player re-launched, the message at the bottom of the screen was finally cleared!

Updates: PsExec v2.0, RAMMap v1.3, Sigcheck v2.0  - Sysinternals Site Discussion Blog

Updates: RAMMap v1.32, Sigcheck v2.01 - Sysinternals Site Discussion Blog

New Utility - QuickHash - Foolish IT LLC

OSFMount - updated 10-22-13 - version 1.5.1014.

  • Fixed issue with detecting partitions for ImageUSB images
  • Windows dynamic disks are now supported
  • Fixed issue with mounting via OSFMount command line with "-o rw" option
  • Fixed issue with mounting multiple partitions in an image file as writable due to file sharing permissions
  • Fixed issue with mounting multiple partitions in an image file from command line
  • Drive letters 'A' and 'B' can now be used
  • Propagated changes from Imdisk v1.7.5 including some key fixes:
    • Disks with "lost" drive letters can now be removed
    • Notifications hanging on drive creation and removal

I personally prefer to use Olof Lagerkvist’s ImDisk Virtual Disk Driver, also recently updated on 10-25-13 to build version 1.7.6.

Why do I mention that? Well, the OSFMount utility is based on Olof’s ImDisk software. That’s all.

mozdev.org - newsfox: installation - My favorite Firefox RSS reader is updated to 1.0.8.4.4.  Release notes

Speaking of Mozilla, Firefox was updated to version 25.0 and Thunderbird was updated to 24.1.0

Also, I’ve gone to a 3-monitor setup at home with my laptop. My desk is quite full!

I’m running my primary display from the attached Dell Studio 15 HD laptop display. It is super-sharp and has great resolution.

My secondary display is one of a pair of older Samsung SyncMaster 930B-A displays I got a long time ago as a gift from my brother. Maximum resolution is just 1280x1024 so it looks a bit under-scaled with the other displays but it seems to work great for text which is fine when I am pounding out blog posts. No OEM Win7 x64 bit hardware drivers exist for it either so it’s running the standard Microsoft PnP display driver just fine. The 4:3 ratio (the others are wide-screen format) also makes composing text documents more comfortable.

Since (like most Dell laptops) the laptop can only drive a maximum of two display outputs natively, I’m running this display with a StarTech USB 3.0 to DVI Adapter. I didn’t have any issues getting the drivers installed and the system up and running. It’s a must-have hardware accessory if you are running multiple monitors with a laptop and can’t toss in another hardware card internally.

My third display is a HP Pavilion 22bw 21.5-inch Diagonal IPS LED Backlit Monitor(C4D29AA) that I picked up some time ago on sale at a big-box outlet. Not a lot to say. It is HD and I am running it off the HDMI port on my laptop. Overall it is decent, but I am disappointed in the text-clarity of the display. Watching a video on it is fine, but for extended text-composition on it, it just isn’t as clear as I would prefer.

In good news, under Windows 7 (at least) you can set the ClearType text on a per-monitor basis!


That has helped a bit but the text still doesn’t compare with my primary laptop display.

Cheers!

Claus Valca.

Posted in Firefox, hardware, Link Fest, Microsoft, troubleshooting, utilities, virtualization, Windows 7 | No comments

Sunday, October 20, 2013

Forensic News Flashes - New Projects and learning opportunities galore!

Posted on 9:11 PM by Unknown

It’s late and has been a super-long weekend.

Lavie isn’t too impressed I’m still sitting at my desk working on posts.

In the meantime, I’m committed to getting this last bit of ForSec linkage collected over the past few weeks out the door so you can have fun reviewing it this week.

Those young and crazy pups over at the Computer & Digital Forensics at Champlain program have clearly caught their dean napping. In an interesting series of posts, they attempt to wreak havoc on different hard-drives and then try to put humpty-dumpty back together again.

  • Destructed Data Forensics- Part 3
  • Data Destruction Forensics- Part 2
  • Data Destruction Forensics

MantaRay Forensics - anTech Triage & Analysis System. As far as I can tell, this is the first time I have posted any mention of MantaRay Forensics here at GSD.  Spotted in this C&DF@C post Swimming with MantaRay Forensics

MantaRay was designed to automate processing forensic images, directories and individual files with open source tools. With support for numerous image formats, this tool provides a scalable base to utilize open source and custom exploitation tools. MantaRay was developed by two forensic analysts, Doug Koster and Kevin Murphy.

ForGe Forensic test image generator v1.1 - GitHub project page. From the Overview description:

ForGe is a tool designed to build computer forensic test images. It was done as an MSc project for the University of Westminster. Its main features include:

  • Web browser user interface
  • Rapid batch image creation (only NTFS supported)
  • Possibility to define a scenario including trivial and hidden items on images
  • Variance between images. For example, if ForGe was told to put 10-20 picture files to a directory /holiday and create 10 images, all these images would have random pictures pulled from the repository.
  • Variance in timestamps. Each trivial and hidden file can be timestamped to a specific time. Each scenario is given a time variance parameter in weeks. If this is set to 0, every image receives an identical timeline. If nonzero, a random amount of weeks up to the maximum set is added to each file on each image
  • Can modify timestamps to simulate certain disk actions (move, copy, rename, delete)
  • Implements several data hiding methods: Alternate data streams, extension change, file deletion, concatenation of files and file slack space.
  • New data hiding methods can be easily implemented. Adding a new file system is also documented.

Developer Hannu Visti shares a great post over the features and background of this tool over at Forensic Focus: ForGe – Computer Forensic Test Image Generator. This could be a really fresh and innovative tool to help with simulating forensic images for both training and drill purposes. Very interesting and well worth the time to check out. It’s beyond my skill set to review and comment on, but if any of the ForSec pros out there have any thoughts or comments, please feel free to drop them in the comments here for our community education.

Linkz 4 Free Infosec and IT Training - Journey Into Incident Response - Corey Harrell goes above and beyond with an outstanding listing of trainings, exercises, and learning resources that are ForSec focused and absolutely-friggin-free for the taking!  Corey promises to keep the listing updated so bookmark the page and check back often. I’m particularly interested in the CSIRT-like topics and materials listed like those in the ENISA CERT linkage. I’ve downloaded most all of the PDF versions already to review this week as time allows!

Many of these trainings have supplemental videos and VMs for download too!

Other specific courses from Corey’s post I’m listing below so I can find them quickly…

  • Incident management guide - ENISA CERT
  • Tools - ENISA CERT - OMG what a detailed and categorized listing.
  • Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review - via Open Security Training
  • Flow Analysis & Network Hunting - via Open Security Training
  • Introduction to Vulnerability Assessment - via Open Security Training
  • Introduction to Network Forensics - via Open Security Training
  • Offensive, Defensive, and Forensic Techniques for Determining Web User Identity - via Open Security Training
  • Utilizing SysInternals Tools for IT Pros course - Microsoft Virtual Academy - Note I think I have already posted this one earlier!

What 'tier 2' & 'tier 3' tools do you load on your forensic workstation(s)? - ForensicKB blog - Lance Mueller has a great list of Tier 2 and Tier 3 apps he considers. I’m pleased to find more than a few in my toolkit already. Note that not all of the software listed here is necessarily free or open-source. More than a few are commercial applications. That’s not at all a bad thing, but just something to be aware of.

Windows Incident Response: Shell Item Artifacts, Reloaded - Harlan Carvey undertakes some very methodical validation exercises on Windows shell item artifacts. Definitely worth reading.

Meanwhile, from another ForSec guy who appears to never sleep… Brett Shavers has been in a posting frenzy over at his Windows Forensic Environment blog site.

Best publicly available testing of WinFE I’ve seen to date - Windows Forensic Environment (Note: the post info is good, but the link in it has been superseded by the one found in the post below.)

Updated link on the Mistype project - Windows Forensic Environment

WinFE - direct link to the article mentioned. I agree, it is a truly fascinating read for WinFE aficionados. I’m coming back to read this one carefully this week.

Mini-WinFE - Windows Forensic Environment - This post has tons and tons of screenshots to illustrate the new Mini-WinFE project as well as an introduction that goes over the project features. Very basically, this specific project (1 of 3 promised for alternative WinFE building) allows you to roll your own WinFE boot disk in a “minimal” configuration with FAU utilities, FTK Imager and support for X-Ways Forensics. Total build time is estimated at 10 minutes from start to media in your hand.

Mini-WinFE is out of beta! - Windows Forensic Environment - See, you waited too long! The first link was requesting beta testers. Now it is released! Direct project link here via Reboot.pro, and extensive Mini-WinFE project documentation from Misty is linked here.

Quick video on building a Mini-WinFE - Windows Forensic Environment - a very short (3:33 min) YouTube video is available on this post page for those who want to check out the building process.

Since we are on a WinFE bender, let’s shift gears slightly and use that excuse to post a link on the WinFE’s kissable cousin for sysadmins who aren’t quite as focused on disk read-only preservation, WinPE.

How to Customize Windows PE Boot Images to Use in Configuration Manager - Chris Nackers Blog. Chris links to this Microsoft TechNet resource How to Customize Windows PE Boot Images to Use in Configuration Manager

New website and project roadmap - DEFT Linux - Computer Forensics live CD - The DEFT development team has put some fresh paint on their website as well as outlined where they plan to head in the coming months. Congratulations to DEFTA President Stefano Fratepietro and all the community and project contributors who have worked hard to make DEFT Linux a premiere forensic live CD resource! From that post…

Here follows the forthcoming milestones concerning the new versions of DEFT 8, Virtual Appliance and User Manual.

  • DEFT Linux 8.1 with relevant news for Mobile Forensics – November 2013
  • DEFT 8 VMware Virtual Appliance – late November 2013
  • Roadmap of projects supported by donations – December 2013
  • DEFT 8 User Manual – February 2014
  • Third Italian National Conference DEFTCON 2014  – Polytechnic of Milano, April 11, 2014

Installing VMware Tools on Kali Linux and Some Debugging Basics - SpiderLabs Anterior - Christophe De La Fuente goes to the mat to show some advanced debugging skills in getting VMware Tools onto Kali Linux. As is pointed out in the comments, there are easier ways to do it, but the experience shared of the road taken makes us all a bit wiser. This post then led me to discover and add to my RSS feed pile…

Computer Howto's by Lewis Encarnacion - Lewis’s posts are great. Covering not just Windows 7 topics, but also some of the finer points in using and getting comfortable in Kali Linux.

FAU - version 1.3.0.2464 - Speaking of the Forensic Acquisition Utilities (FAU), it seems a new version came out in August 2013. I don’t think I caught that release. The link has a “what’s new” jump as well as the new binary set download link, but for the lazy…from that source:

  • Volume_dump and DD now recognize drives with BusTypeSata as devices supporting the ATA feature set. ATA specific attributes are reported for these drives.
  • Fixed a problem with the DD --verify option when writing an image to certain drives. Under certain circumstances the DD --verify option reported a spurious failure even though the reimaging of the target drive succeeded and the cryptographic checksum of the destination drive was in fact identical to the cryptographic checksum of the source image file or drive. This problem did not affect the accuracy of the reimaged drive but required the user to validate the target drive after the imaging process was complete. Thanks to Suman Beros for reporting this problem.
  • When acquiring a physical drive DD now drops the block size down to the device block size when approaching the putative end of the source drive. Hard drives often misreport their capacity either by over estimating or under estimating the true size. The only reliable way to image a hard drive is to attempt to acquire beyond the purported end of the drive and see if valid data is returned. However, we have encountered a few drives that freeze or hang the imaging process if you attempt to read beyond the end of the drive with a block size that is greater than the device block size. Needless to say, this can be disconcerting when you have already read 1 TiB of data only to have the whole process hang on the last few sectors. Dropping down to the device block size when approaching the end of a drive should produce more reliable acquisitions. A disadvantage is that drive acquisition will be slower at the end of the drive.
  • Examples have been added to the DD help text which show how to acquire a physical drive.
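To make the end-of-drive behaviour in that changelog concrete, here is an added illustration (my own example code, not FAU’s source). It uses a constructed, in-memory fake drive that can misreport its capacity in either direction and that “hangs” if a read larger than the device block size crosses its true end, which is the drive behaviour the FAU notes describe. The naive reader stops at the reported size with big blocks; the FAU-style reader drops to the device block size near the putative end and keeps going until the drive returns no data, then verifies the image with a hash the way --verify does. All sizes, names and the hang rule are assumptions made for the demonstration.

```python
"""Simulated physical-drive acquisition with an end-of-drive block-size step-down.

Constructed example: the drive is fake and in memory; no real device is touched.
"""
import hashlib
import os

DEVICE_BLOCK = 512          # assumed device (sector) block size
BIG_BLOCK = 256 * 1024      # assumed fast read size used for the bulk of the drive
TAIL_WINDOW = 1024 * 1024   # assumed distance from the reported end at which we step down
REPORTED = 4 * 1024 * 1024  # assumed capacity the fake drive *reports* (4 MiB)


class SimulatedDrive:
    """Fake drive whose reported capacity may differ from its true capacity.

    Reads that start past the true end return no data. A read that crosses the
    true end with a block larger than DEVICE_BLOCK raises TimeoutError to model
    the drives that hang under that condition (assumption for this demo).
    """

    def __init__(self, true_bytes, reported_bytes):
        self.true_bytes = true_bytes
        self.reported_bytes = reported_bytes
        self.data = os.urandom(true_bytes)  # constructed sample content

    def read(self, offset, length):
        if offset >= self.true_bytes:
            return b""
        end = offset + length
        if end > self.true_bytes and length > DEVICE_BLOCK:
            raise TimeoutError("drive hung: oversized read across its true end")
        return self.data[offset:min(end, self.true_bytes)]


def naive_acquire(drive, block=BIG_BLOCK):
    """Read big blocks up to the reported size only.

    Misses trailing sectors on a drive that under-reports its size, and trips
    the hang on a drive that over-reports it.
    """
    out = bytearray()
    offset = 0
    while offset < drive.reported_bytes:
        out.extend(drive.read(offset, block))
        offset += block
    return bytes(out)


def acquire(drive, big_block=BIG_BLOCK, tail_window=TAIL_WINDOW):
    """Read big blocks until within tail_window of the *reported* end, then
    switch to DEVICE_BLOCK reads and continue past the reported end until the
    drive returns no data. This captures under-reported capacity and avoids
    crossing the true end with a large read on an over-reporting drive.
    """
    out = bytearray()
    offset = 0
    block = big_block
    while True:
        if block != DEVICE_BLOCK and offset + block > drive.reported_bytes - tail_window:
            block = DEVICE_BLOCK  # step down near the putative end
        chunk = drive.read(offset, block)
        if not chunk:
            break  # past the true end: nothing more to acquire
        out.extend(chunk)
        offset += len(chunk)
    return bytes(out)


def verify(drive, image):
    """Compare the hash of the acquired image with the hash of the drive's
    true content (the check --verify performs after an acquisition)."""
    return hashlib.sha256(image).hexdigest() == hashlib.sha256(drive.data).hexdigest()


if __name__ == "__main__":
    under = SimulatedDrive(REPORTED + 3 * DEVICE_BLOCK, REPORTED)  # under-reports by 3 sectors
    over = SimulatedDrive(REPORTED - 2 * DEVICE_BLOCK, REPORTED)   # over-reports by 2 sectors
    for name, d in (("under-reporting", under), ("over-reporting", over)):
        img = acquire(d)
        print(f"{name}: acquired {len(img)} of {d.true_bytes} true bytes, verify={verify(d, img)}")
    print("naive on under-reporting drive acquired", len(naive_acquire(under)), "bytes (short)")
    try:
        naive_acquire(over)
    except TimeoutError as e:
        print("naive on over-reporting drive:", e)
```

The trade-off the changelog mentions is visible in the loop: once the block size drops, each call returns far less data, so the last stretch of the drive is slower to read but never issues a large read that straddles the true end.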

That’s all for tonight!

Cheers my friends.

Claus Valca

Posted in boot-cd's, cheat sheets, Education, forensics, Learning, Link Fest, Linux, security, software, tutorials, utilities, Win FE, Win PE

Security Tidbits

Posted on 7:39 PM by Unknown

And here are some security related links that caught my fancy this week.

Vulnerabilities Discovered in Global Vessel Tracking Systems - Trend Micro’s Security Intelligence Blog - Super study that sent chills down my spine reading. We take so many critical infrastructure systems for granted. I hear the next block-buster action novel waiting to pounce on this for the storyline.

Cryptolocker Prevention - Foolish IT LLC blog - information on a new freeware tool to lock down any Windows OS (preventively) to block infection from the Cryptolocker malware/ransomware. When infection occurs it encrypts personal files, then offers to decrypt them for a paid ransom. More details on the utility here: CryptoPrevent. And the attack details courtesy of Ars Technica: You’re infected—if you want to see your data again, pay us $300 in Bitcoins.

Tools for reviewing infected websites - ISC Diary. They listed four and there are some more suggestions in the comment thread. Back in January 2012 I posted this fairly extensive roundup: Interesting Malware in Email Attempt - URL Scanner Links. I’ve not checked recently but hopefully more than a few of these are still active.

Learn By Example - The Hacker Factor Blog - Dr. Neal Krawetz has some wise words and poor examples of a generation that doesn’t seem to see the concern with publicly posting tweeted photos of their debit/credit cards online. I’m clueless how someone can be so ill-informed. This is just one example. I see the commercials showing banking apps for smartphones that let people take a photo of a check and deposit it in their account. I also wonder if this is common as well…or even health-coverage ID/info cards perhaps? I suspect this is just the tip of the iceberg.

40 inappropriate actions to take against an unlocked PC - Troy Hunt’s blog - As a sysadmin, all I can say is that it is probably a violation of several computer usage agreements in the workplace to walk away from your computing device without first locking the screen to prevent unauthorized access. At the same time, it is probably a violation of additional computer usage agreements in the workplace to tamper with someone else’s computer -- even if they were a bonehead in the first place and left it unlocked. Instead what you need to do is take a photo of their unlocked screen and tweet it to everyone in the workplace. No wait…I just learned by example in the previous post that probably isn’t wise to do either. Never mind. Help us all out and just pull the power-cord out slightly to kill power to the system and make them call the sysadmins when it won’t power back on. No, don’t do that either after further consideration. That might kill the system/drive and lead to a charge of wanton destruction of corporate resources; or at the very least lose someone's unsaved labor of love on the critical TPS reports for the day. That would be bad too. OK…I give up.

Contrary to public claims, Apple can read your iMessages - Ars Technica

Experian Sold Consumer Data to ID Theft Service - Krebs on Security - Seriously, if you can’t trust the data broker companies who hold all your credit and personal financial data history records (and who they sell that data to), then who can you trust with it? Time to start digging out that backyard bunker again. Go read the article. Then get mad.

New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks - Ars Technica

For your security, please email your credit card and driver’s license (and what PCI has to say about that) - Troy Hunt’s blog. See, it’s only a crazy idiotic thing to tweet your CC information if you don’t have a really important reason to do it. If you do, it is stupidly insecure. However, if you are a big corporate entity (or govermint agency/official) then you can have something called “a policy” to require your customers to photocopy items critical to establishing and proving your identity and they can do whatever they want…oh, and by the way…please send them to us via unencrypted email communications because, like, nobody can sniff that traffic while it winds its way from your laptop to our desks. Sheesh. Needless to say, Troy goes to town on this one and why it is a Bad Thing™.

Please be wise, be patient, and be proactively safe.

Claus Valca

Posted in anti-virus software, Link Fest, malware tools, security, troubleshooting, utilities, viruses

New or Updated App Linkfest for the week

Posted on 11:30 AM by Unknown

OK kiddos. Here is an eclectic roundup of all kinds of freeware software and utility goodies that have been collected these past weeks.

I’m sure you can find something here for the little kid or serious sysadmin in you.

LightZone - Open-source digital darkroom software for Windows/Mac/Linux - free open-source alternative to Adobe LightRoom. Actively developed and supported by a very large community. If you do digital photography, then this is well worth the time to check out. Note that free registration is required to download the software. Spotted via this Noupe blog post LightZone: Totally Free Photo Lab lets you Forget Adobe Lightroom.

The Photographer's Ephemeris - free Win/Mac desktop app versions (Adobe AIR based) and, for $, supports smartphone/pad devices as well. This super cool application lets photographers (film/digital) plan outdoor photography shots with natural (sun/moon) lighting conditions in mind. Basically you provide the time and place and it will show how the light falls on your scene. I can’t believe this is free and I haven’t found it until now! Spotted via a reference in this amazing Sean Goebel Photography: Timelapse post where Sean explains the techniques used to capture his time-lapse photo video among the observatory telescopes up on Mauna Kea, Hawaii. Totally worth the time invested to both view the video (it even has lasers!) and read his well composed post.

Inno Setup - jrsoftware - just got a version 5.5.4 release last week. If you do Windows application/software packaging for setup and distribution this might be of interest to you. I don’t, but it was still of interest to me. I then checked innounp, the Inno Setup Unpacker, which is a SourceForge project, to see if it was updated. It isn’t quite as current but is at version 0.39, supporting Inno Setup versions 2.0.8 through 5.5.3. Why do I care about innounp, you ask? Well, see, I lean heavily on Universal Extractor to unpack various software package files in an attempt to make semi-portable versions of them rather than fully installed versions on my system. One of the most popular packagers I run into is Inno Setup. Many developers use the latest versions of Inno Setup. Jared Breland of Legroom.net created Universal Extractor, but it hasn’t been updated in quite some time. Fortunately, what Jared has done is leverage many of the individual unpacker binaries in his application. So if you find that one of the supported unpacker binaries has been updated, I find I can generally just replace the older version in UE with the newer one and keep up with the times! So now you see why this is a good tip for you UE users.

InDeep File List Maker: List files & folders in Windows - Link and review via The Windows Club. Interesting little portable app to create listings of files in your Windows systems including removable drives and optical drive media.

Phrozen Windows File Monitor v1.0 - PhrozenSoft Blog - another neat little utility to monitor and select changes in your file system. This is an early version and the developer plans to add additional features moving forward. I really like it and the fact that you can switch between both list and tree-views. Spotted in this BetaNews post review: Phrozen Windows File Monitor lets you watch file system activity in real time. See also this Ghacks blog review: Windows Files Monitor records any file system change in its interface.

That product and those reviews then led me to find PRIMO (version 2.7.3 released Feb 27, 2012). PRIMO was developed to monitor program installs on Windows systems from Win2000, XP, Vista, & 7.

I’ve got lots of freeware utilities to monitor and log system changes, but for now we are keeping the discussion just on utilities that monitor (primarily) folder changes. Accordingly other tools you may want to check out are NirSoft’s FolderChangesView, Brutal Developer’s Directory Monitor, Leelu Soft: Watch 4 Folder 2.3 and Track Folder Changes. Do you have any other recommendations?

Oracle VM VirtualBox - Version 4.3 released on Oct 15, 2013.

  • Downloads – Oracle VM VirtualBox
  • Changelog – Oracle VM VirtualBox
  • What's New in VirtualBox 4.3? - The Fat Bloke Sings
  • VirtualBox adds multi-touch, webcam support, and allows users to video-capture sessions - BetaNews

Cheers.

--Claus Valca

Posted in Link Fest, photography, software, utilities, virtualization

In the SysAdmin Lounge

Posted on 6:37 AM by Unknown

Tips, trainings and warnings for the sysadmins in IT.

  • IT Hiccups of the Week - IEEE Spectrum - Being “good” in IT is really hard. Much harder than people think.
  • You may be a victim of software counterfeiting (or not) - MoonPoint support blog
  • Defrag Tools: #58 - Sysinternals Streams and Autoruns Example - Defrag Tools Channel 9
  • Plan Your Free Online Education at Lifehacker U: Fall Semester 2013 - Lifehacker has a really great roundup and details on free online courses covering a wide range of subject matter…and not just in IT.
  • free-programming-books/free-programming-books.md at master · vhf/free-programming-books · GitHub amazing collection of online books and reference materials for programmers. Spotted in this Grab Over 500 Free Programming Books from GitHub post at Lifehacker.
  • Students Can Get Microsoft Office 365 For Free - MakeUseOf blog. From the post…

Starting on December 1st, Universities that license Office Education for their faculty and staff can offer students Office 365 ProPlus for free thanks to a new program called Student Advantage. For students at these institutions, that means free access to Word, PowerPoint, Excel, OneNote, Outlook, Access, Publisher, and Lync. While many cheaper alternatives to Office have sprung up, many students still rely on Redmond’s good ol’ productivity tools.

  • TRAINING: Utilizing SysInternals Tools for IT Pros - Kurt Shintaku's Blog. From the post…

Microsoft’s Virtual Academy has published a training course specifically for SysInternals Tools, including Process Explorer, ProcessMonitor, PS Tools, PsTools, Autoruns, etc.

Microsoft Premier Field Engineers step through a technical deep dive on utilizing SysInternals tools. This course focuses on key administrative and diagnostic utilities and addresses key insights, and best practices.

  • TRAINING: Utilizing SysInternals Tools for IT Pros
    http://www.microsoftvirtualacademy.com/training-courses/utilizing-sysinternals-tools-for-it-pros
  • Tracking page file reads and writes - Clint Huffman's Windows Troubleshooting in the Field Blog
  • [PowerShell Tip] Using WMIObject to Check Disk Partitions Info and Block Size - Next of Windows
  • PowerTip: Use PowerShell to Obtain Disk Image Info - Hey, Scripting Guy! Blog
  • The Net Command Line to List Local Users and Groups - Next of Windows
  • 10 reasons for using PowerShell ISE instead of the PowerShell console - 4sysops
  • Where can I find the USMT return codes and error messages for USMT 5 based migrations ? - just another windows noob ? blog
  • Viewing Cached Google Pages from DuckDuckGo - MoonPoint support blog
  • Cache (explained) - DuckDuckGo features page
  • DuckDuckGo !Bang - DuckDuckGo feature detail page

Cheers

Claus Valca

Posted in Education, Learning, Link Fest, Microsoft, PowerShell, Scripting, search engines, troubleshooting, utilities

Saturday, October 19, 2013

Micro Network News linkfest

Posted on 9:27 PM by Unknown

Just a small collection of network-minded links of interest this week.

Free Network Sniffers, Analyzers and Stumbers - WindowsNetworking.com - I saw some oldies-but-goodies in the list, some new ones (to me), most I was familiar with, and surprisingly missing from the list, Microsoft Message Analyzer. A lot more of the micro-sniffers/NFAT tools out there also got left off but the list seems a bit short to me and misses quite a few more worthy contenders.

Remote Capture with Message Analyzer and Windows 8.1 - MessageAnalyzer blog. Speaking of Message Analyzer, you now can remotely capture traffic with this tool (on supported target systems) without even needing a copy of Message Analyzer installed on them. Neat! For more info see Using the Network Tracing Features over at TechNet.

Tweaking Wireshark Columns and Decodes - Packet Foo blog

We’re switching to Qt. - Sniff free or die - A development version of Wireshark 1.11.0 has been released that opens the door to using Qt for the user interface library. The development version has some basic things working, but much of what you love about Wireshark does not. It’s a quick and interesting read.

D-Link Router backdoor vulnerability discovered - TechGeek

D-Link Router Backdoor - Schneier on Security blog

Old D-Link routers with coded backdoor - ISC Diary post

Oh my.

--Claus Valca

Posted in Link Fest, Microsoft, networking, NFAT, security

Windows 8.1 Links, links, and more links

Posted on 9:13 PM by Unknown

Funny thing is I still have a “to-blog” folder filled with additional Windows 8 linkage I’ve collected and never got around to posting.

So I’m leap-frogging over those (for now) and getting this breaking collection of Windows 8.1 references out.

Lavie’s laptop is the only daily-driver we have around here with Windows 8 on it. Eventually I’ll need to get it updated but there is no immediate rush.

I do have that Windows 8 Enterprise IETester VM I keep around, and I also have a Windows 8.1 Preview Enterprise IETester VM, but I don’t see any benefit to upgrading either one. I’m sure eventually a fully built VM of Win8.1 will be offered at modern.IE (as of the time of this post only the Win8.1 Preview is listed).

So in the meantime, here are the most interesting or useful-looking posts this week on Windows 8.1 now that it has been publicly released.

In some subtle order that I can tell…

  • Windows 8.1 available free for Windows 8 users - TechBlog
  • Windows 8.1: What a difference a year makes - Ars Technica
  • Windows 8.1 now available! - Microsoft Blogging Windows
  • Download Windows 8.1 Product Guide - Microsoft Download Center
  • Windows 8.1: Download the ISO possible - Caschys Blog (GTranslated)
  • Download Windows 8.1 ISO with Windows upgrade keys - Caschys Blog (GTranslated)
  • Create Windows 8.1 ISO, install with upgrade key and activate - Caschys Blog (GTranslated)
  • Windows RT 8.1 update temporarily pulled due to a “situation” - Ars Technica - Note that as far as I can tell, a certain individual of Jersey Shore fame had nothing to do with it.
  • What's New In Windows 8.1: Here's Everything You Need To Know - AddictiveTips
  • How to upgrade to Windows 8.1 - BetaNews
  • How to install Windows 8.1 in VMware Player and Workstation - BetaNews
  • Windows 8.1 General Availability: The IT Pro Perspective - Microsoft Springboard Series Blog - Note that this post has links to a number of Microsoft deployment tools that were updated for Windows 8.1 support.
  • Download Windows 8.1 Enterprise Evaluation - Microsoft TechNet Evaluation Center
  • Download Remote Server Administration Tools for Windows 8.1 - Microsoft Download Center
  • INFO: Getting ‘mobile’ versions of web sites after upgrading to Windows 8.1? Just set Compatibility View. - Kurt Shintaku's Blog
  • How To Change Right-Click Option (Context) Menu Open Right In Windows 8.1 - Next of Windows
  • PSA: Wireless display (Miracast) support is broken on the Surface Pro - Within Windows
  • Get a REAL Start button and menu in Windows 8.1 - BetaNews.
  • How To Connect A Domain Account to Your Own Microsoft Account in Windows 8 - Next of Windows

Cheers,

Claus Valca

Posted in Link Fest, Microsoft, Windows 8

Microsoft Remote Desktop for iOS

Posted on 8:54 PM by Unknown

At work we cannot (yet) use Microsoft Remote Desktop for iOS to connect to end-user systems for troubleshooting support.

At home, the Windows versions we have for daily use are “Home” editions and really don’t support Microsoft Remote Desktop sessions…at least not without some clever hacks that I don’t really need or care to implement.

So for now, at work remote control of end user systems from iOS devices remains a dream.

And at home, I find that running TightVNC works super-spiffy and that the Mocha VNC iOS app works just fine to allow me to remote-control our home Windows systems at will from my iPhone 5.

So for now, I really don’t have an environment where I can give the newly acquired/released Microsoft Remote Desktop client for iOS devices a shake. Maybe I’ll see if I can get it going with one of the Win7/8 Enterprise IETester virtual machines I have and use for testing at home.

So, if you are curious, here are some links regarding the subject.

  • Microsoft Launches Remote Desktop App for Android and iOS - The Next Web
  • Microsoft Remote Desktop App For Android & iOS Available For Download - AddictiveTips
  • Microsoft quietly announces new Remote Desktop apps for Android and iOS - BetaNews
  • Microsoft to launch new remote desktop apps for iOS, Android - ZDNet

And if you want some interesting background, according to Kurt Shintaku, the app came from iTap via HLW Software Development, which had been kicking around for a while, and was bought by Microsoft.

INFO: Yeah, the Remote Desktop apps for Mac OS X, iOS & Android came from iTap technology acquired from HLW - Kurt Shintaku's Blog

Very interesting…

Claus Valca

Posted in Apple, iOS, iPhone, Microsoft, Remote Support, utilities

Back to MS-Security Essentials for now…

Posted on 8:29 PM by Unknown

In the last GSD post, I made note that I had made the change from Microsoft Security Essentials to Bitdefender Antivirus Free.

The installation process went smoothly. Once installed, my Win 7 x64 system seemed a bit “peppier” after reboots. For the first week or two I really didn’t notice any issues at all.

Then about two-three weeks in to using it I noticed a little notification that I had 15 files quarantined.

Goodness!

A quick review of the log found that I hadn’t succumbed to an onslaught of malware and viruses due to sloppy computing habits.

No. Bitdefender finally got around to scanning my collection of Windows utilities and found it rife with all kinds of potentially unwanted software applications. Bad stuff. Things from NirSoft that let me recover passwords and other things from beloved family members’ systems when they forget their system and email and other account passwords -- among other things. Oh my!

[Screenshot: Bitdefender Antivirus Free Edition - Logs]

Here is what a Bitdefender quarantined file looks like.

[Screenshot: asterisk logger - FreeCommander XE]

Well, we can’t have that! So I went through the process of un-quarantining them.

[Screenshot: Bitdefender Antivirus Free Edition - Logs]

And quickly I was done.


Yea!

[Screenshot: asterisk logger - FreeCommander XE]

Only when I went to use one of them, the executable file refused to run!  Blocked!

Nothing I could do could get it running. It was showing “Excluded” but I just couldn’t run it.

To complicate matters, after a reboot (troubleshooting) Bitdefender appeared to be trying to do a pre-Windows clean and file removal too. Hmm. Turns out that while I was working on that issue, it also found a USB stick I carry these tools on as well and had gone to town on the same file sets on it as well. I had removed the USB stick before reboot so it couldn’t find the files it was looking for. Fortunately the system came up no worse for wear despite some fairly scary language, but my attempts to later un-quarantine the files on the USB drive failed horribly and it refused to find/see them when I tried to exclude them.  Right-clicking the quarantined files and trying to restore them wasn’t successful on the USB drive either.

So I figured I would just re-download the handful of them from Nir Sofer’s website, delete my original files on my C: and USB drives, and put them back in.

Except I was met with a very frightening and ugly warning message in my browser that Bitdefender had identified the NirSoft website as a dodgy and dangerous location and didn’t really want me going there. In fairness, on the Bitdefender Free website, if you dig down on the page it does clearly say that the product does the following:

HTTP Scanning - Protects you from scams such as credit card phishing attempts, Bitdefender Antivirus Free Edition scans all the links you access from your browser and blocks them when they prove to be unsafe.

Unfortunately for me, that was the final straw.

So I uninstalled Bitdefender and reinstalled Microsoft Security Essentials.

Then I had to delete the still not really working “excluded/quarantined” files shown above off both my local hard drive and my USB drive. Luckily I could do that once Bitdefender had been removed and the system rebooted.

Then I downloaded all the “lost” files again from their sources. MSSE caught a few of the Nir Soft downloads but they alerted immediately and I was able to restore/exclude them with no fuss and about 30 minutes later had everything put back together again.


So, I must really be unhappy with Bitdefender right?

Well, it was an inconvenience to say the least, but I’m really not bummed out. If Bitdefender were to make some minor changes to their product, it might still win me back. I really, really, really liked the fast speed and light resource use it displayed; particularly in that it made my post-boot and Windows login experience much faster and more responsive than when using MSSE.

What I would like to see is a better set of options for controlling and enabling/disabling/fine-tuning features in Bitdefender Free. Unless they are there and I’m totally overlooking them…

  • I want to be able to disable the HTTP scanning.
  • When I restore/exclude a file, I want it to return to full functionality and remain whitelisted for future downloads and execution.
  • I want to exclude portable/external drives from scans when I feel like it.
  • I would like to know when Bitdefender finds something with a real-time pop-up alert and ask me what I want to do then and there…not let me find out about it later.
  • I really would like Bitdefender to warn me at a system shutdown if it has any “pending actions” that it plans to take on the reboot…and let me decide to follow-through with those actions or postpone or cancel that activity.

I guess I just want somewhat more advanced technical control over the operations and fewer headaches putting things back to normal.

Even “basic” MSSE allows me to…

  • Disable scanning of removable drives,
  • Exclude specific running processes from scans,
  • Exclude specific file-types from a scan,
  • Exclude specific files and locations from a scan, and,
  • not fiddle with monitoring and intercepting HTTP traffic to and from my web browser.
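Those MSSE controls can also be set from a script instead of the UI. The block below is an added example, not code from the original post or from Microsoft: it uses the Defender PowerShell module that ships with Windows 8.1 and later (MSSE on Windows 7 does not include it, so the cmdlet names assume Windows 8.1 Defender), and every path and process name in it is a placeholder. It also shows the check a practitioner wants after touching exclusions: dump the resulting exclusion list and read it the way you would read a firewall allow-list, because a broad exclusion (Downloads, Temp, a whole USB drive) is exactly where later malware will land.

```powershell
# Added example: scripting the exclusion controls the post lists for
# MSSE/Windows Defender, using the Defender module (Windows 8.1+; not
# available with MSSE on Windows 7). Run from an elevated PowerShell.
# All paths and process names below are placeholders, not from the post.
#Requires -RunAsAdministrator
Import-Module Defender

$toolsDir = 'D:\Tools\NirSoft'   # placeholder: folder of known false-positive utilities

# Snapshot the current settings first so the change can be reviewed and reverted.
$before = Get-MpPreference
'Removable-drive scanning disabled: {0}' -f $before.DisableRemovableDriveScanning
'Path exclusions before: {0}'           -f ($before.ExclusionPath -join '; ')

# 1. Stop scanning removable drives (the MSSE "scan removable drives" option).
Set-MpPreference -DisableRemovableDriveScanning $true

# 2. Exclude a specific process image from real-time scanning.
Add-MpPreference -ExclusionProcess "$toolsDir\nirlauncher.exe"

# 3. Exclude a file type. Keep this short: an extension exclusion applies
#    everywhere on the system, not only inside the tools folder.
Add-MpPreference -ExclusionExtension 'cfg'

# 4. Exclude a specific location. Prefer single files over whole trees, and
#    never exclude Downloads, Temp or an entire USB drive: anything dropped
#    there later inherits the exclusion silently.
Add-MpPreference -ExclusionPath $toolsDir

# Verify what is now excluded. Exclusions are the first thing an attacker who
# lands on the box will enumerate, so review this list like an allow-list.
Get-MpPreference |
    Select-Object DisableRemovableDriveScanning, ExclusionPath,
                  ExclusionProcess, ExclusionExtension |
    Format-List

# To undo any single entry:
# Remove-MpPreference -ExclusionPath $toolsDir
# Set-MpPreference -DisableRemovableDriveScanning $false
```

The same four settings are what the MSSE and Windows Defender settings pages write; the cmdlets simply make them reviewable and repeatable. Note that a process exclusion exempts whatever that process touches, so excluding a launcher or an archiver effectively excludes every file it opens.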

Hopefully future versions of Bitdefender Free can incorporate these items.  If so then I’m game and open to give it another shot.

Until then, I’m sticking with MSSE and continuing to recommend it to my own family and to the friends I provide IT support for…unless they are horribly careless with their computing activity and I have to clean their systems more than a few times in a row; only then will I recommend they go to a more powerful (and less flexible) AV/AM solution, and that would be Bitdefender Free over most of the other free AV/AM offerings for Windows systems.

At least for now….

Possibly related:

  • Goodbye Microsoft Security Essentials: Microsoft Now Recommends You Use a Third-Party Antivirus - How To Geek website
  • Microsoft (allegedly) Now Recommends You Use a Third-Party Antivirus - BleepingComputer news forum.
  • Sensationalist Press Got it WRONG! Microsoft Does Not Recommend Two Antivirus Programs! - Security Garden
  • Our commitment to Microsoft antimalware - Microsoft Malware Protection Center Blog

Cheers,

--Claus Valca

Posted in anti-virus software, malware tools, security, troubleshooting, utilities, viruses | No comments

Sunday, September 29, 2013

Links of the Week

Posted on 2:04 PM by Unknown

Here is a hodge-podge of links that stood out this week.

Tr3Secure Data Collection Script Reloaded - Journey Into Incident Response blog - Corey Harrell has news and updates on the Tr3Secure Volatile Data Collection Script he developed some time ago.

Tr3Secure Data Collection Script Reloaded - Journey Into Incident Response blog - Corey then follows up with a “real-world” walkthrough of the Tr3Secure Volatile Data Collection Script after purposefully infecting a lab PC for the sake of the discussion. It’s one thing to read about what a tool and process can do; it is a real treat to have the author lead a guided walkthrough of the tool in action. As always, don’t forget to follow up by reading the comments as well.

plaso - super timeline - from the website: “Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.”  Spotted via this CDF at Champlain post.

Microsoft Security Essentials: Aiming low? - ZDNet - Larry Seltzer offers some thoughts on Microsoft’s free AV solution. He really doesn’t thrash MSE but does point out that there are many other free alternatives that tend to perform better. It seems like a pretty reasonable perspective.  FYI, I have been debating making a change from Microsoft Security Essentials to Bitdefender Antivirus Free. Yesterday I uninstalled MSE and replaced it with BAF. The changeover went very smoothly. The deciding factor for me was the ongoing poor post-boot performance of my system.  While I don’t have an SSD in my laptop, it is running an Intel i7 CPU with 8 GB RAM. After boot, MSE scans in the post-boot environment seem to be leading to slower post-boot launch of a number of my applications for a while as processes and files get scanned. Now that I am on BAF, I don’t see those post-boot application hangs. That said, I will continue to primarily recommend MSE to family and friends unless repeated infections indicate a need for the advanced protection BAF may provide.

Before moving on from Microsoft Security Essentials and Windows Defender (for Win 8), I thought this post Windows Defender and context menu for file check? (GTranslated) at Borns IT and Windows Blog was very insightful.  Some time ago I posted a number of Windows Defender tweaking tips in Advanced Tips for Windows Defender with Windows 8, one of which was how to add a scan with Windows Defender to the context menu list in Win 8.  Born acknowledges that this is a popular request and goes through how it is accomplished. However, as he points out, because of the way Windows Defender operates, when a file is accessed via (File) Explorer, Windows Defender already scans it before allowing access. If it is infected then you don’t get to fiddle with it.  Same thing with downloaded files; again pre-scanned by Windows Defender.  So, you can manually scan them again if you want, but know that if you do use Windows Defender in Win 8, it has already scanned the file.
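For the record, this is what that context-menu scan actually runs. The block below is an added example, not Born’s code or anything from the original post: it drives MpCmdRun.exe, the command-line front end that both Windows 8 Defender and MSSE on Windows 7 install (the two install paths are the default locations and are assumed here), wraps the scan so the exit code is returned rather than lost, and then registers the same command as an Explorer context-menu verb. The sample file path is a placeholder.

```powershell
# Added example: on-demand scan of a single file with MpCmdRun.exe and the
# registry entry that exposes it as "Scan with Windows Defender" in Explorer.
# Run elevated (the registry part writes to HKEY_CLASSES_ROOT). Install paths
# below are the defaults and are assumptions, not taken from the post.
#Requires -RunAsAdministrator

$candidates = @(
    "$env:ProgramFiles\Windows Defender\MpCmdRun.exe",          # Windows 8 Defender
    "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"  # MSSE on Windows 7
)
$mpCmdRun = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $mpCmdRun) { throw 'MpCmdRun.exe not found; neither Windows Defender nor MSSE is installed.' }

function Invoke-DefenderFileScan {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    # -ScanType 3 is a custom scan limited to the given file or folder.
    & $mpCmdRun -Scan -ScanType 3 -File $Path | Out-Null
    # Exit code 0 means nothing was found. In practice 2 is returned when a
    # threat was detected (observed behaviour, not a documented contract);
    # treat any other non-zero value as "scan did not complete".
    [pscustomobject]@{ Path = $Path; ExitCode = $LASTEXITCODE; Clean = ($LASTEXITCODE -eq 0) }
}

# Usage against a placeholder path:
Invoke-DefenderFileScan -Path 'D:\Tools\NirSoft\nirlauncher.exe'

# Context-menu verb on every file type. -LiteralPath matters here: the key
# path contains "*", which Set-ItemProperty -Path would treat as a wildcard.
$key = 'Registry::HKEY_CLASSES_ROOT\*\shell\ScanWithDefender'
New-Item -Path "$key\command" -Force | Out-Null
Set-ItemProperty -LiteralPath $key -Name '(default)' -Value 'Scan with Windows Defender'
Set-ItemProperty -LiteralPath $key -Name 'Icon'      -Value $mpCmdRun
Set-ItemProperty -LiteralPath "$key\command" -Name '(default)' `
    -Value ('"{0}" -Scan -ScanType 3 -File "%1"' -f $mpCmdRun)
```

As Born notes, a file you can already open in Explorer has already passed the real-time scanner, so this verb mostly pays off when real-time protection is off or the definitions were updated after the file arrived. To remove the menu entry, delete the ScanWithDefender key.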

Message Analyzer has Released – A New Beginning and Message Analyzer: Why so different from Network Monitor? - MessageAnalyzer Blog - Final release now public for Microsoft’s network capture analysis tool. I’m not sure it will replace Wireshark, but the approach is a step up from their older Network Monitor capture tool and is at the very minimum a great supplemental network capture tool for packet analysis.

Plugin Activation in Firefox - Mozilla Add-ons Blog - basically in a future version of Firefox, all plugins (except Flash) will become “click-to-activate”. This may or may not be a great thing depending on your security versus convenience perspective.

Wendel's Small Hacking Tricks - Killing Processes from the Microsoft Windows Command Line interface - SpiderLabs Anterior - I’m always looking to find a way to do something without a third-party tool so this is handy information to be familiar with.

Universal USB Installer (also YUMI) USB Flash drive does not boot on EeePC - RMPrepUSB, Easy2Boot and USB booting... blog - This is a pretty esoteric technical post for most folks, however if you are into USB-based system booting, it is interesting.

When setting up Windows 8.1, Microsoft appears to do all it can to shove you to create/use an on-line Microsoft account rather than a local one.  For some folks that might be fine but others (particularly the old-school crowd) will find this process similar to a cattle chute. If you are a thinking cow, it probably isn’t a very pleasant experience. Fortunately, there seem to be a number of outs if you know the game ahead of time.

  • How To Install Windows 8.1 Without Microsoft Account - Into Windows
  • Use Windows 8.1 with a local account instead of a Microsoft account - 4sysops
  • How to setup local account in Windows 8.1 - DeDoimedo.com
  • Windows 8.1 How To Convert Windows Live Account To Local Account - Next of Windows

Group Policy Search Engine Gets Updated - Group Policy Central blog - From that post by Alan Burchill:

“The Group Policy Search Engine is a great web site that has all the different versions of Microsoft Group Policy ADMX files, which allows you to easily and quickly search for the policy setting. This site is one I use very frequently, and it is a must-have bookmark for any Group Policy Administrator.

“Well, Stephanus from Microsoft who maintains the web site has just loaded the Windows 8.1 and Windows Server 2012 R2 policy settings, meaning you can now look up all the new policy settings in the latest version of Windows.“

Group Policy Search - site homepage.

Google Static Map Maker: Static Maps on Steroids - noupe - Nice tool to create linkable custom static Google maps rather than using a screen-shot image or an embedded and modifiable one.

Google Static Map Maker - site homepage by Katy Decorah.

Cheers!

--Claus Valca

Posted in Active Directory, browsers, Firefox, forensics, Google, Internet Explorer, Link Fest, malware tools, Microsoft, networking, security, Windows 8 | No comments