
May 2014 Issue 384

MEETING STARTS - 09:30 - MAY 10th
VILLANOVA UNIVERSITY, MENDEL HALL, ROOM 241

UPCOMING MEETING

EXTENDED ROUND-TABLE

Unlike in years past, we are depending on crowd-sourced topics and presenters for the main meeting program. As of this writing there are no presentation topics and no presenters in the queue.

So we will be having just an extended round-table of free form topics.


ANNOUNCEMENTS & REMINDERS


LAST MONTH'S MEETING

Attendance:
9 people in all attended the meeting on Saturday, April 12th. One of the 9 attendees was a virtual attendee via Google+ Hangout video chat.

Main Meeting Q&A:
We began last month's meeting with our normal round of questions and announcements. John M was our moderator. Among the questions and announcements:

Bill B -

John M -

Rich T -

Layton F -

Pat S -

Peter W -

Tom J -

John D -

Main Meeting Program:
There was no main meeting program agenda.


MEETING RELATED SIDEBAR

This section contains web links & other info related to the club or some of the subjects we discussed during our round table discussions and main presentation.

---

OPENSSL HEARTBLEED BUG (CVE-2014-0160)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076
http://heartbleed.com/

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

This bug has existed for at least the past 2 years in OpenSSL.

Most of the attention around the Heartbleed attack has focused on the simplest and most obvious scenario: a malicious client attacking an HTTPS server to steal cookies, private keys, and other secrets. But this isn't the only attack possible: a malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from that client. The TLS heartbeats used in this attack are symmetric: they can be initiated by either the "client" or the "server" in a TLS connection, and both endpoints use the same vulnerable parsing code.
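The over-read described above comes down to one missing bounds check. The following is an added example, not code from the newsletter or from OpenSSL: a heartbeat responder modelled on the RFC 6520 message layout (type, 16-bit payload length, payload, at least 16 bytes of padding) that applies the check the fixed release added, so a record whose length field exceeds the bytes actually received is rejected instead of echoed from adjacent memory.

```c
/* Added example (not from the newsletter or OpenSSL): a heartbeat responder
 * that validates the claimed payload length against the record it received.
 * The vulnerable parser trusted the 16-bit length field and copied that many
 * bytes into the reply, reading past the end of the record it was handed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */

/* Build a heartbeat response for the record rec[0..rec_len).
 * Returns the response length, or -1 if the record is malformed.
 * Layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
long heartbeat_response(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;  /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The check the vulnerable versions lacked: the claimed payload plus the
     * mandatory padding must fit inside the record actually received.
     * Without it, a length field of 65535 against a 23-byte record makes the
     * memcpy below read roughly 64 KB of neighbouring process memory. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);            /* echo only what was sent */
    memset(out + 3 + payload, 0, HB_MIN_PADDING); /* real code uses random padding */
    return (long)resp_len;
}

/* Constructed records for a stand-alone check; returns 1 on success. */
int heartbeat_demo(void)
{
    uint8_t out[64];
    /* Honest request: 4-byte payload "ping" plus 16 bytes of padding = 23 bytes. */
    uint8_t good[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    /* Over-claiming request: length field says 65535, record carries 23 bytes. */
    uint8_t bad[23]  = {HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g'};
    long ok  = heartbeat_response(good, sizeof good, out, sizeof out);
    long rej = heartbeat_response(bad,  sizeof bad,  out, sizeof out);
    return ok == 23 && rej == -1;
}
```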

Affected

Fix

---

SSL CERTIFICATE REVOCATION CHECKING
https://www.grc.com/revocation.htm
http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html

Does your browser pass the SSL certificate revocation test? Visit the GRC website.

Excerpted from the May 2013 Netcraft article:

There are two main technologies for browsers to check the revocation status of a particular certificate: using the Online Certificate Status Protocol (OCSP) or looking up the certificate in a Certificate Revocation List (CRL). OCSP provides revocation information about an individual certificate from an issuing CA, whereas CRLs provide a list of revoked certificates and may be received by clients less frequently. Browser support for the two forms of revocation varies from no checking at all to the use of both methods where necessary.

Firefox does not download CRLs for websites which use the most popular types of SSL certificate (all types of certificate except EV, which is usually displayed with a green bar). Without downloading the CRL, Firefox is happy to carry on as usual, letting people visit the website and transfer sensitive personal information relying on a certificate that is no longer valid. In any case, even if OCSP were available, by default Firefox will only check the validity of the server's certificate and not attempt to check the entire chain of certificates (again, except for EV certificates).

Mobile browsing now makes up a significant proportion of internet use. Neither Google Chrome on Android nor Safari on iOS present a warning to the user even after being reset. Safari on iOS does not make revocation checks at all except for Extended Validation certificates and did not make requests for the CRL which would have triggered the revocation error message.

Google Chrome, by default, does not make standard revocation checks for non-EV certificates. Google does aggregate a limited number of CRLs and distributes this via its update mechanism but, at least currently, it does not list the certificate in question or indeed any of the other certificates revoked in the same CRL. For the majority of Chrome users with the default settings, as with Firefox, nothing will appear to be amiss.

For the security conscious, Google Chrome does have the option to enable proper revocation checks, but in this case the end result depends on the platform. On Windows, Google Chrome can make use of Microsoft's CryptoAPI to fetch the CRL and it correctly prevents access to the site. However, RSA's CRL is not delivered in the conventional way: instead of providing the CRL in a binary format, it is encoded into a text-based format which is not the accepted standard. Mozilla's NSS — which is used by Firefox on all platforms and by Google Chrome on Linux — does not support the format. On Linux, Google Chrome does make a request for the CRL but cannot process the response and instead carries on as normal.

Microsoft's web browser, Internet Explorer, is one of the most secure browsers in this context. It fetches revocation information (preferring OCSP, but falling back to CRLs) for the server's certificate and the rest of the certificate chain.

Along with Internet Explorer, Opera is secure by default: it prevents access to the webpage. Opera checks the entirety of the certificate chain using either OCSP or CRLs where appropriate.

However, even with the most secure browser, the most frequent users of a secure website may be able to continue using a website for weeks or months despite one of the certificates in the chain of trust having been revoked. The CRL used in this case can be cached for up to 6 months, leaving frequent users, who will have a cached copy of the CRL, in the dark about the revocation. Going by previous copies of the CRL, the CRL may have last been generated in January 2013 and valid until July 2013. If that is the case and you have visited any website using the same intermediate certificate your browser will not display any warnings and will behave as if the certificate has not been revoked.


SOFTWARE WORTH A LOOK

SERVER SPY
https://addons.mozilla.org/en-US/firefox/addon/server-spy/
(FREE; Firefox Add-on)

Server Spy indicates what brand of HTTP server (e.g. Apache, IIS, etc.) runs on the visited sites. When a tab is selected, the corresponding server name is shown in the browser's status bar.

Screenshots (not reproduced here): address bar info display; status bar info display.

---

CROWDINSPECT
http://www.crowdstrike.com/blog/free-community-tool-crowdinspect/

http://www.crowdstrike.com/crowdinspect/
(FREE; Windows)

Think of CrowdInspect as a merger of the Windows netstat command, a GUI, and crowd reputation. It checks applications and processes that connect to the network for code injection (experimental), whether the application or process has a reputation for being malware, and the reputation of the other end of the network connection.

To avoid unnecessary querying of the above services all results are cached such that no unique process or domain is ever queried more than once for the duration the tool is running.


CrowdInspect is a free community tool for Microsoft Windows systems from CrowdStrike, intended to alert you to potential malware on your computer that communicates over the network. It is a host-based process inspection tool utilizing multiple sources of information, including VirusTotal, Web of Trust (WOT), and Team Cymru's Malware Hash Registry, to detect untrusted or malicious network-active processes. CrowdInspect can be used during the incident response process to rapidly identify potentially malicious running processes on a machine.

The tool runs on both 32 bit and 64 bit versions of Windows from XP and above.

Beyond simple network connections, CrowdInspect associates the connection entry with the process that is responsible for that activity. It can display the process name as a simple file name or, optionally, as a full file path.

In addition to the process name, the entry's process ID number, local port, local IP address, remote port, remote IP address and reverse-resolved DNS name of the remote IP address are shown. The tool accommodates both IPv4 and IPv6 addresses.

CrowdInspect records details of any entry that is associated with a remote IP address and maintains a chronological list of them; clicking the "Live/History" toolbar button switches between the regular live netstat window and the history list window.

Perhaps the most useful aspect of CrowdInspect though is its ability to utilize several sources of information that can be used to determine the reputation of the process using the network connection and the reputation of the domain it is connecting to. This is achieved through the use of the following technologies and services:

Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already running applications and injecting themselves into those processes. Regular antivirus products that only act upon the actual physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior and the results of this test on each process can be seen in the “Inject” column.

VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash

http://www.virustotal.com

Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service against the file in question (actually the SHA256 hash of the file contents). VirusTotal utilizes multiple antivirus engines to analyze submitted files and we query its database to see if the file hash is in the database and if so, how the antivirus engines rated it.

Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash

http://www.teamcymru.com

Shown in the "MHR" column, Team Cymru maintains a repository of known malware that can be queried given an MD5 hash of the file contents. In this case we are simply querying for a yes/no answer.

Web of Trust

Crowd-sourced domain name reputation system

http://www.mywot.com

Shown in the "WOT" column of the tool are the basic summary results of querying the Web of Trust service against the reverse-resolved domain name associated with the remote IP address of the connection's entry.

---

ADBLOCK PLUS
(FREE; Chrome, Firefox, IE, Opera, Safari(beta) Browser Extension)
https://adblockplus.org

Surf the web without annoying ads and misleading click-to-download buttons!

What is Adblock Plus?
Adblock Plus blocks annoying ads on the web. It can block other things, like tracking, as well. With more than 50 million users, it is the world's most popular browser extension. Adblock Plus is an open source project created by Wladimir Palant in 2006. Eyeo was founded in 2011 by Wladimir Palant and Till Faida to make its development sustainable.

How does Adblock Plus work?
Adblock Plus itself has no functionality, in the sense that it does not block anything until it is "told" what to do by its filter lists. These filter lists are essentially an extensive set of rules, which tell Adblock Plus which elements of websites to block. Besides blocking advertisements, filter lists can also be used to block tracking and malware.

Out of the box, two filter lists are enabled:

Features:

Block Ads
Adblock Plus blocks all annoying ads on the web by default: video ads on YouTube, Facebook ads, flashy banners, pop-ups, pop-unders and much more.

Simply install Adblock Plus to your browser (it is available for Firefox, Chrome and Opera) or your Android smartphone or tablet and all intrusive ads are automatically removed from any website you visit.

Acceptable Ads
Adblock Plus will always block annoying ads.

Still, many websites rely on advertising revenues so we want to encourage websites to use plain and unobtrusive advertising instead of flashy banners. That's why the Adblock Plus community has established strict guidelines to identify acceptable ads, and Adblock Plus allows these out of the box. You can always disable this feature if you want to block all ads.

Disable Tracking
With every browsing session, there are multiple firms tracking your online activity and browsing history. There are hundreds of ad agencies tracking your every move, but with Adblock Plus you can easily disable all tracking, and browse the web truly anonymously.

According to Stanford University research, the Adblock Plus tracking protection filters are the most efficient of all available tracking protection solutions.

Disable Malware Domains
Slow startup, popups, advertisers hijacking your browser: those are all signs of your computer being infected by malware. Even worse, computers infected by malware open the doors to all kinds of cyber-criminal threats. These infected computers can then be used to send out spam emails or attack other computers or servers, stealing passwords, social security numbers, personal documents and credit card information.

Adblock Plus can be configured to block domains known to spread malware, protecting your computer against viruses, Trojan horses, worms, spy- and adware.

Disable Social Media Buttons
Buttons to share content on social media platforms such as Facebook, Twitter, Google Plus and many others are placed on almost every website you visit. Even if you are not clicking them, every website containing these buttons is sending a request to the servers of the social network which can use that information to create a profile based on your browsing habits.

You can use Adblock Plus to remove all social media buttons from every website, making sure that social networks can’t create a profile about you based on the websites you visit.

Typo Protection
As of Adblock Plus for Firefox version 2.3, typo correction is not built-in anymore. If you miss the feature, you can get it back by installing our extension URL Fixer.

Websites containing phishing and other harmful or annoying content are often hosted under misspelled domains and you are at risk of visiting them just by making a small mistake when entering an internet address into your browser. URL Fixer can automatically correct typos in the address bar to protect you from accidentally visiting malicious domains when misspelling an internet address.


DIRECTIONS TO MEETING ROOM

Meetings are in the St. Augustine Center (SAC) at Villanova University. These monthly sessions normally meet in Room 110.


Enter from the ITHAN AVENUE main gate, then proceed to the upper deck of the 2-level parking garage adjacent to the St. Augustine Center on the Ithan Avenue side of the building.

NOTE: additional map & direction links on our website home page - http://mlcug.org/

MLCUG Meetings Schedule    Steering Committee Meetings
May 10                     TBA
June 14                    TBA
July 12                    TBA

CLUB STAFF

Editor: John W. Deker, Jr. 2210 Lantern Lane, Lafayette Hill, PA 19444-2211
Produced with HP-P6267C: 2.5GHz 4-Core Q8300, 8GB RAM, 750GB HDD, Windows 7 Professional 64-bit OS, Amaya, LibreOffice Writer, Calibre, Google Chrome, Zimbra Desktop, NotePad++, Directory Opus

Club eMail Server for members only...
Web Page http://mlcug.org/
Publicity Position OPEN!
Villanova Sponsor Prof. Frank Maloney, Dept. of Astronomy


MLCUG STEERING COMMITTEE:

President John Deker 610-828-7897
V.President John Murphy 610-935-4398
Treasurer / Sec John Deker 610-828-7897
Webmaster Peter Whinnery 610-284-5234
At Large Layton Fireng 610-688-2080
At Large Tom Johnson 610-896-2434
At Large Wendy Emery 215-765-3328
At Large Nelson Schrock 610-834-0117
Audio Scribe John Murphy 610-935-4398