Posts

Whiskey Tango Foxtrot

Today is one of those Whiskey Tango Foxtrot kind of days. I've been tracking a real November Sierra since December, and even reported it. I figured it was a bug, so I submitted it to the security folks. Their response? "We're not the team for this problem." OK.

Now today I see two data points, one a weird one-timer kind of probe. Yup, for real, a solo IP in the gigabytes of logs that my Splunk eats. Yet this IP correlates with another IP that has been on my radar.

So I get out my Splunk and pull a "deny" query on this IP. Not only does it generate IPS hits from my desktop, outbound to destination, but I see inbound activity from this IP (also denied, of course).

(2017-03-29T17:56:44) firewall: msg_id="3000-0150" Deny 1-Trusted 0-External 9840 tcp 20 64 [desktop_ip] 184.86.92.71 12766 80 offset 5 A 2936268642 win

Recent posts

Sprint and Asterisks

You can't use an asterisk in your password for sprint.com. Why? Because they use a regular expression test to validate the password field. The regex will fail with an uncaught exception if you put in an asterisk.

There's more, though. I've seen so many sites that throw errors because their admins are not on the ball:

external_forgot_password.jsp?INTNAV=TopNav:SignIn:ForgotPassword:1 XMLHttpRequest cannot load https://www.sprint.com/webcontent/config/campaign.config.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://mysprint.sprint.com' is therefore not allowed access.
The Access-Control-Allow-Origin header is an easy fix. Why a company like Sprint hasn't gotten around to that is incomprehensible.

There's more, because sprint.com still uses old-skool sync XMLHttpRequest:

sprint.common_all.js:170 Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end us…

Stealing $92

We cancelled our 401k with Paychex. As someone with money in that 401k I had to move the money out, eventually. First they wanted me to open a new IRA with their 401k management service. I declined.

Then I started to get the bills for keeping my money in their account. $92.50 each month. Since January that's now $277.50 sucked out of my 401k money for the right to sit in an electronic account on a virtual server.

Their justification? It's the $133 401k participation fee (discounted, though).

Ticklish Bijection?

Guys, really?

Lilliputian-Decipher: 75481
Whittles-Glitters: nook
Emulate-Nebula: 8
Cistern-Namer: 13796F14E841CB5
Saner-Recognizes-Ticklish: bijection

I'd never seen the WIMS-AUTH:FAIL header, so that was cool to know:
WIMS-AUTH:FAIL;ENG:(5061607094)(102400140)(102420017);RF:JunkEmail;OFR:SpamFilterAuthJ;
At least the upstream spam intercept is smart enough to see it. Too bad it's overly aggressive and some ham gets stuck in the circular file.
Emulate-Nebula: 8
Really? jkfg1wltbzex2nzky3dp4sirze5gljjp
whgm8ngwxklmtgw6max7lbzgbybvtgvx5hy3ubee0pabmmexl9tgw8cbfbeexmmx6ztqbhet7ienl5max3vruxk0kbzaml9bgbmbtmbox8bl6bgmxkxlmbgz

Chinologist named ugpmomqgr

The chinologist is back. (ha ha)

Your jump IP is China Telecom, but, alas, you were defeated by the base64 encoder:

Content-Type: text/html;
charset="gb2312"
Content-Transfer-Encoding: base64

Reply-To: <1518223264@qq.com>

There's the "qq" again. You sourced it solely in China, which was smart. Fix the config of your content encoder to not use your locale settings.

Thanks for the save. I blocked their IP so no more of their noise. So much for "infosec," eh?

Outlook Configuration

To read all email in text and be able to extract the mail using mail headers:

> regedit
HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail
  MinimalHeaderOn = 0 (dword)
  ReadAsPlain = 1 (dword)
  SaveAllMIMENotJustHeaders = 1 (dword)

Restart Outlook afterwards, maybe even reboot just for good measure. Now you get to see all of those phishy URLs in the emails, and you can get all of those embedded image attachments as raw encoded binary when you open the header details on the message.

Put the Message Options button in the hot button task bar so you can quickly get this info.
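The same three settings applied from PowerShell instead of by hand in regedit, as an added example rather than the original post's own steps. It assumes the 16.0 key quoted above (Outlook 2016 and later) and that Outlook is closed while it runs; the backup file name is a hypothetical choice.

```powershell
# Added example (not from the original post): set the three Outlook 16.0 registry
# values for the current user, recording the previous values so the change can be
# reversed. Assumes the "16.0" key (Outlook 2016 and later) and that Outlook is closed.
$path = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
$desired = [ordered]@{
    MinimalHeaderOn           = 0  # show full header detail in Message Options
    ReadAsPlain               = 1  # render every message as plain text, so HTML content is inert
    SaveAllMIMENotJustHeaders = 1  # keep the complete raw MIME so attachments can be pulled out as encoded blobs
}

if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Record what was there before (null = value did not exist), then set each DWORD.
$previous = @{}
foreach ($name in $desired.Keys) {
    $existing = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $previous[$name] = if ($null -ne $existing) { $existing.$name } else { $null }
    Set-ItemProperty -Path $path -Name $name -Value $desired[$name] -Type DWord
}
# Hypothetical backup location; any writable path will do.
$backupFile = Join-Path $env:USERPROFILE 'outlook-mail-options-before.json'
$previous | ConvertTo-Json | Set-Content -Path $backupFile

# Verify the result: every value should now match $desired.
$applied = Get-ItemProperty -Path $path
foreach ($name in $desired.Keys) {
    $status = if ($applied.$name -eq $desired[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-28} {1}  ({2})' -f $name, $applied.$name, $status
}
```

To revert, read the JSON back and write each non-null value with the same Set-ItemProperty call (or Remove-ItemProperty for the ones recorded as null), then restart Outlook again.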

No more phishy phish from the numbskulls.

I take payment in coffee. It's been a long time since I've had Jamaica Blue Mountain. Just saying.

If you know how to disable the JPEG thumbnail rendering of attachments, please share on Twitter. That's an obvious vector.

from COMPUTER (188.128.5.190)

ok, you guys are making me laugh this morning. I need a good laugh. Was the phishing filter created by BAH as part of PMW130? I wouldn't doubt it. Just as effective.

https://ghostbin.com/paste/5noxu

X-Junkmail-Premium-Raw: score=33/50,refid=2.7.2:2017.3.1.144216:17:33.181,ip=,rules=__HAS_FROM,
 __PHISH_FROM2, FROM_NAME_PHRASE, __SPEAR_FROM_NAME_A, __PHISH_FROM_M,
 __HAS_REPLYTO, __TO_MALFORMED_2, __TO_NO_NAME, __PHISH_SUBJ_PHRASE4, __CT,
 __CTYPE_MULTIPART_ALT, __CTYPE_HAS_BOUNDARY, __CTYPE_MULTIPART, DATE_MISSING,
 __REPLYTO_SAMEAS_FROM_ADDY, __REPLYTO_SAMEAS_FROM_ACC, __REPLYTO_SAMEAS_FROM,
 __UTF8_SUBJ, __REPLYTO_SAMEAS_FROM_DOMAIN, __MIME_TEXT_H2, __ANY_URI,
 __URI_WITH_PATH, __URI_NO_MAILTO, __CP_URI_IN_BODY, __C230066_P5, ECARD_WORD,
 __MULTIPLE_URI_TEXT, __URI_IN_BODY, __HTML_AHREF_TAG, __HAS_HTML,
 BODYTEXTP_SIZE_400_LESS, BODY_SIZE_700_799, BODYTEXTP_SIZE_3000_LESS,
 BODYTEXTH_SIZE_10000_LESS, __MIME_TEXT_H1, __MIME_TEXT_P1, __MIME_HTML,
 __MIME_HTML_ONLY, __URI_NS, BODY_…

USAA Phish

MIJN Security Partner.
Placotiweg 2K
4131 NL Vianen (Netherlands)

You are the proud hoster of alpacasvomhahnerfeld.de, which resolves to 185.41.127.3. This domain is the landing domain for a phishing email targeting USAA members.

"Dear Customer,

Your account has been locked due to an update in our security features, we were unable to update your account. For your protection, online access to your account will remain locked until we properly verify your identity.
To re-instate your access, view your account below to start the update process."
Good try. You even go as far as embedding USAA content (usaa.com) into the email. There is even a twitter.com link, of all things. Very good try.
Farther down in the email you try to distance yourself from pretending to be the USAA:
"USAA means United Services Automobile Association and its insurance, banking, investment and other companies . Banks Member FDIC."
The email "from" is "foi at gkclasses.com" w…

Ahhh 10Gbps

That feeling when you see the green light on the 10Gbps switch?

https://www.youtube.com/watch?v=2zNSgSzhBfM

Then you see the 40 second builds and, wow, all worth the $4k for the upgrades. Builds are mostly time spent downloading source and uploading artifacts. That 2 minute build down to 40 seconds is priceless.