
Posts

TLS 1.2 and PCI

As you may know, the payment card industry is moving quickly to adopt TLS 1.2 and get rid of less secure protocols.[1] To this end, Authorize.Net turned off TLS versions older than 1.2 on its sandbox environment as of April 30, 2017. [2]

The curious part about this change is how it impacts the developer world. We have some older projects built using VS2010 (msbuild) and old web deploy projects. Up until April 30 we could build those with .NET 4 and VS2010, so we happily and blindly did that, until May 1.

Starting May 1 we began to see those pesky communication disconnection errors. Darn, what is that? Well, that's the TLS 1.2 requirement in the sandbox. So we apply the fix and discover that .NET 4's SecurityProtocolType enum has no TLS 1.2 value. Well, double bummer.

When we move on to .NET 4.5.1 to get SecurityProtocolType.Tls12, we discover that we can no longer use VS2010 msbuild. Why? Because that old Visual Studio can't build .NET 4.5.1. [3] How fun is that?
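The following is an added example, not code from the post: it shows the two ways out of the situation described above. Code compiled for .NET 4.5.1 can simply assign SecurityProtocolType.Tls12, while code that still has to compile against the .NET 4.0 reference assemblies can use the numeric value that Tls12 is defined as (3072, 0xC00), which the runtime honours as long as .NET 4.5 or later is installed on the machine. The helper class name TlsSetup and the runtime probe via Enum.IsDefined are my own choices.

```csharp
using System;
using System.Net;

// Added example: select TLS 1.2 for all outbound HTTPS in this process even when
// the project targets .NET 4.0 and the compiler does not know the Tls12 name.
static class TlsSetup
{
    // Numeric value of SecurityProtocolType.Tls12 as defined in .NET 4.5.
    const int Tls12 = 3072;

    // Returns true when TLS 1.2 could be selected, false when the installed
    // runtime predates 4.5 and cannot negotiate TLS 1.2 at all (the only fix
    // then is to install a newer Framework, which is what the post ends up doing).
    public static bool EnableTls12Only()
    {
        // On a 4.0-only runtime the enum holds just Ssl3 and Tls, and assigning
        // 3072 would throw NotSupportedException, so probe first.
        if (!Enum.IsDefined(typeof(SecurityProtocolType), Tls12))
            return false;

        // Assigning only Tls12 drops SSL 3.0, TLS 1.0 and TLS 1.1 for the whole
        // process, which is exactly what the PCI deadline asks for. When the
        // project targets 4.5.1 this line can read:
        //   ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.SecurityProtocol = (SecurityProtocolType)Tls12;
        return true;
    }

    static void Main()
    {
        if (EnableTls12Only())
            Console.WriteLine("Process will negotiate TLS 1.2 only: " +
                              ServicePointManager.SecurityProtocol);
        else
            Console.WriteLine("Installed .NET runtime is too old for TLS 1.2; " +
                              "upgrade the Framework before retrying the sandbox.");
    }
}
```

Call EnableTls12Only() once at process start, before the first request to the sandbox; ServicePointManager is process-wide, so setting it in one place covers every HttpWebRequest the old project makes.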

With one change from a…
Recent posts

Cancer

Looking at a picture of my mother laying in her hospital chair taking her chemo medication makes me think about cyber. Our bodies are a network of connected computers. Blood and lymph are the communication channels that relay information between these computers. The mainframe, of course, is your brain, which is another highly connected network of computers.

When cancer invades it starts by infiltrating a system. The system is usually homomorphic, which makes it easier for the cancer (cyber infiltrator) to gain its foothold. Sometimes the infiltrator moves fast and runs through multiple systems wreaking havoc. Yet there are those infiltrators who move slowly, learning each system as they work their way through the whole. Non-Hodgkin's lymphoma is that slow hacker. That's what my mother has. She's had this for a very long time. Mostly ignored by her "doctors" 8, 12, maybe 30 years ago; finally they see the infiltration and recognize the need to respond.

Once the cancer b…

EzLynx Splunk regex

Looking to extract the EzLynx app and quote IDs from those referrer URLs in Splunk?

Use this regex:

^.+(app\.ezlynx\.com).+[qQ]uote[dD]etails\.aspx\?[aA]pp[qQ]uote[iI]d=(?P\d+)(&[aA]pp[iI]d=(?P\d+))?\".*$

I still take coffee as payment.
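Added example, not from the post: the regex above rewritten for .NET so it can be tried on a few log lines before being dropped into a Splunk rex command. .NET names groups as (?<name>...) where Splunk's rex uses (?P<name>...); the group names appquoteid and appid are my assumption, since the post's own names were lost when the page was extracted. The sample log lines are constructed, not real traffic.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: pull the EzLynx AppQuoteId and optional AppId out of a quoted
// referrer field, with the same pattern the post gives for Splunk.
static class EzLynxReferrer
{
    // Group names are assumptions; everything else is the post's regex with
    // (?P<...>) changed to .NET's (?<...>). The trailing \" expects the referrer
    // to be a quoted field, as it is in web server access logs.
    static readonly Regex Pattern = new Regex(
        @"^.+(app\.ezlynx\.com).+[qQ]uote[dD]etails\.aspx\?[aA]pp[qQ]uote[iI]d=(?<appquoteid>\d+)(&[aA]pp[iI]d=(?<appid>\d+))?\"".*$",
        RegexOptions.Compiled);

    // Returns (appQuoteId, appId) or null when the line carries no EzLynx referrer.
    // appId is null when the referrer had no AppId parameter.
    public static Tuple<string, string> Extract(string logLine)
    {
        Match m = Pattern.Match(logLine);
        if (!m.Success)
            return null;
        string appId = m.Groups["appid"].Success ? m.Groups["appid"].Value : null;
        return Tuple.Create(m.Groups["appquoteid"].Value, appId);
    }

    static void Main()
    {
        // Constructed sample lines, not real log data.
        string[] samples = {
            "10.0.0.5 - - [01/May/2017:09:00:00 -0500] \"GET / HTTP/1.1\" 200 512 \"https://app.ezlynx.com/web/QuoteDetails.aspx?AppQuoteId=12345&AppId=678\" \"Mozilla/5.0\"",
            "10.0.0.6 - - [01/May/2017:09:00:01 -0500] \"GET / HTTP/1.1\" 200 512 \"https://app.ezlynx.com/web/quotedetails.aspx?appquoteid=999\" \"Mozilla/5.0\"",
            "10.0.0.7 - - [01/May/2017:09:00:02 -0500] \"GET / HTTP/1.1\" 200 512 \"https://example.com/other\" \"Mozilla/5.0\""
        };

        foreach (string line in samples)
        {
            Tuple<string, string> r = Extract(line);
            if (r == null)
                Console.WriteLine("no EzLynx referrer");
            else
                Console.WriteLine("quote=" + r.Item1 + " app=" + (r.Item2 ?? "(none)"));
        }
    }
}
```

The first sample yields quote 12345 and app 678, the second yields quote 999 with no app ID, and the third does not match. Note that the leading ^.+ and the .+ after app.ezlynx.com both backtrack across the whole line; on very long log lines a more anchored pattern is cheaper, but the regex as given does the job.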

Password Insecurity

I tried to change my password today on a contractor's portal. My password is 20 characters long. It's pretty strong as far as I am concerned. So I enter a new one and what do I get?
The password does not meet the minimum requirements: password length cannot be less than 15 characters and greater than 50 characters and password must have 1 character of each of the following character types: upper case letter, lower case letter, number, symbol. In addition, your new password must be different than the previous 10 passwords, must have at least 4 characters different than your most recent password and cannot be changed more than once in 24 hour period.
That's a long message saying my password is not secure. What is particularly interesting?
must have at least 4 characters different than your most recent password 
Yup, that's the fun statement that says all passwords on this system are reversible. Maybe they use CryptDB [1]? I don't really know, but I highly doubt it. Yet, all…

Whiskey Tango Foxtrot

Today is one of those Whiskey Tango Foxtrot kind of days. I've been tracking a real November Sierra since December, and even reported it. I figured it was a bug, so I submitted it to the security folks. Their response? "We're not the team for this problem." OK.

Now today I see two data points, one weird-o one-timer kind of probe. Yup, for real, a solo IP in the gigabytes of logs that my Splunk eats. Yet this IP correlates with another IP that has been on my radar.

So I get out my Splunk and pull a "deny" query on this IP. Not only does it generate IPS hits from my desktop, outbound to the destination, but I see inbound activity from this IP (also denied, of course).

(2017-03-29T17:56:44) firewall:msg_id="3000-0150" Deny1-Trusted0-External9840tcp2064 [desktop_ip]184.86.92.711276680offset5A2936268642win

Sprint and Asterisks

You can't use an asterisk in your password for sprint.com. Why? Because they use a regular expression test to validate the password field. The regex will fail with an uncaught exception if you put in an asterisk.

There's more though. I've seen so many sites that throw errors because their admins are not on the ball:

external_forgot_password.jsp?INTNAV=TopNav:SignIn:ForgotPassword:1 XMLHttpRequest cannot load https://www.sprint.com/webcontent/config/campaign.config.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://mysprint.sprint.com' is therefore not allowed access.
The Access-Control-Allow-Origin header is an easy fix. Why a company like Sprint hasn't gotten around to it is incomprehensible.
There's more, because sprint.com still uses old-skool sync XMLHttpRequest:
sprint.common_all.js:170 Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end us…

Stealing $92

We cancelled our 401k with Paychex. As someone with money in that 401k I had to move the money out, eventually. First they wanted me to open a new IRA with their 401k management service. I declined.

Then I started to get the bills for keeping my money in their account. $92.50 each month. Since January that's now $277.50 sucked out of my 401k money for the right to sit in an electronic account on a virtual server.

Their justification? It's the $133 401k participation fee (discounted, though).

Ticklish Bijection?

Guys, really?

Lilliputian-Decipher: 75481
Whittles-Glitters: nook
Emulate-Nebula: 8
Cistern-Namer: 13796F14E841CB5
Saner-Recognizes-Ticklish: bijection

I'd never seen the WIMS-AUTH:FAIL header, so that was cool to know:
WIMS-AUTH:FAIL;ENG:(5061607094)(102400140)(102420017);RF:JunkEmail;OFR:SpamFilterAuthJ;
At least the upstream spam intercept is smart enough to see it. Too bad it's overly aggressive and some ham gets stuck in the circular file.
Emulate-Nebula: 8
Really? jkfg1wltbzex2nzky3dp4sirze5gljjp
whgm8ngwxklmtgw6max7lbzgbybvtgvx5hy3ubee0pabmmexl9tgw8cbfbeexmmx6ztqbhet7ienl5max3vruxk0kbzaml9bgbmbtmbox8bl6bgmxkxlmbgz

Chinologist named ugpmomqgr

The chinologist is back. (ha ha)

Your jump IP is China Telecom, but, alas, you were defeated by the base64 encoder:

Content-Type: text/html;
charset="gb2312"
Content-Transfer-Encoding: base64

Reply-To: <1518223264 qq.com="">

There's the "qq" again. You sourced it solely from China, which was smart. Fix the config of your content encoder so it doesn't use your locale settings.

Thanks for the save. I blocked their IP so no more of their noise. So much for "infosec," eh?