LOCUS DEMENTIA

The HP site for buying stuff on their Labor Day Sale is broken. I tried it on other computers and each had the same result. Not sure if HP was able to sell anything on their big sale weekend, but I couldn't buy anything. Funny part was the feedback widget that didn't work. Not only could I not buy anything from HP but I couldn't report the problem I was having. Maybe someone at HP could run this through QA again.

So my 3rd grade daughter writes a note at the beginning of the year (last year). It says "I am coming to get you," and it's just a joke note as a group of the kids are doing this. They're young, 2nd graders, and they do dumb things. Zero tolerance is the policy at the school so she has to write an apology and go visit the principal's office and I had to pick her up from school. She's scared and crying. Another kid also writes a note, a boy, and he gets the third degree too. I looked at her cohort and he was mortified. He was 8. Today, Alfonso Nevarez a Democrat legislator from Texas [1] makes a similar verbal claim that he is going to "get you" to a fellow legislator. What happens? He gets on CNN and denies it [2]. Apparently we hold our grade school children to a higher standard of behavior? Maybe the standards of behavior are lower in Texas. I won't speak for Texans, but if he were a California rep we'd be asking for his removal. [1] ...

As you may know, the payment card industry is moving quickly to adopt TLS 1.2 and get rid of less secure protocols.[1] To this end, Authorizet.Net has turned off TLS.1.2 on its sandbox environment as of April 30, 2017. [2] The curious part about this change is how it impacts the developer world. We have some older projects built using VS2010 (msbuild) and old web deploy projects. Up until April 30, we could build those with .NET 4 and VS2010. So we happily and blindly did that, until May 1. Starting May 1 we started to see those pesky communication disconnection errors. Darn, what is that? Well, that's the TLS 1.2 requirement in sandbox. So we apply the fix and discover that .NET 4 does not have the TLS 1.2 enum SecurityProtocolType. Well, double bummer. When we move on to .NET 4.5.1 to get that SecurityProtocolType.Tls12 we discover that we can no longer use VS2010 msbuild. Why? Because that old VisualStudios can't build .NET 4.5.1. [3] How fun is that? With one change...

Looking at a picture of my mother laying in her hospital chair taking her chemo medication makes me think about cyber. Our bodies are a network of connected computers. Blood and lymph are the communication channels that relay information between these computers. The mainframe, of course, is your brain, which is another highly connected network of computers. When cancer invades it starts by infiltrating a system. The system is homomophic usually, which makes it easier for the cancer (cyber infiltrator) to gain its foothold. Sometimes the infiltrator moves fast and runs through multiple systems wrecking havoc. Yet there are those infiltrators who move slow, learning each system as it goes slowly through the entire system. Nonhodgkins Lymphoma is that slow hacker. That's what my mother has. She's had this for a very long time. Mostly ignored by her "doctors" 8, 12, maybe 30 years ago, finally they see the infiltration and recognize the need to respond. Once the cance...

Looking to extract the EzLynx app and quote IDs from those referrer URLs in splunk? Use this regex: ^.+(app\.ezlynx\.com).+[qQ]uote[dD]etails\.aspx\?[aA]pp[qQ]uote[iI]d=(?P \d+)(&[aA]pp[iI]d=(?P \d+))?\".*$ I still take coffee as payment.

I tried to change my password today on a contractors portal. My password is 20 characters long. It's pretty strong as far as I am concerned. So I enter a new one and what do I get? The password does not meet the minimum requirements: password length cannot be less than 15 characters and greater than 50 characters and password must have 1 character of each of the following character types: upper case letter, lower case letter, number, symbol. In addition, your new password must be different than the previous 10 passwords, must have at least 4 characters different than your most recent password and cannot be changed more than once in 24 hour period. That's a long message saying my password is not secure. What is particularly interesting? must have at least 4 characters different than your most recent password  Yup, that's the fun statement that says all passwords on this system are reversible. Maybe they use CryptDB [1]? I don't really know, but I highly do...

Today is one of those Whiskey Tango Foxtrot kind of days. I've been tracking a real November Sierra since December, and even reported it. I figured it was a bug, so I submitted it to the security folks. Their response? "We're not the team for this problem." ok. Now today I see two data points, one weird-o one-timer kind of probe. Yup, for real, a solo IP in the gigabytes of logs that my splunk eats. Yet this IP correlates with another IP that has been on my radar. So I get out my splunk and pull a "deny" query on this IP. Not only does it generate IPS hits from my desktop, outbound to destination, but I see inbound activity from this IP (also denied, of course). ( 2017 - 03 - 29T17 : 56 : 44 ) firewall : msg _ id = " 3000 - 0150 " Deny 1 - Trusted 0 - External 9840 tcp 20 64 [desktop_ip] 184 . 86 . 92 . 71 12766 80 offset 5 A 2936268642 win 342 signature _ name = " WEB - CLIENT WScript . Shell Remote Code Execution...

To read all email in text and be able to extract the mail using mail headers: > regedit HCU/Software/Microsoft/Office/16.0/Outlook/Options/Mail   MinimalHeaderOn = 0 (dword)   ReadAsPlain = 1 (dword)   SaveAllMIMENotJustHeaders = 1 (dword) restart Outlook afterwards, maybe even reboot just for good measure. Now you get to see all of those phishy urls in the emails and you can get all of those embedded image attachments as raw encoded binary when you get the header details on the message. Put the Message Options button in the hot button task bar so you can quickly get this info. No more phishy phish from the numbskulls. I take payment in coffee. It's been a long time since I've had Jamaica Blue Mountain. Just saying. If you know how to disable the jpeg thumbnail render of attachments, please share on twitter. That's an obvious vector.

MIJN Security Partner. Placotiweg 2K 4131 NL Vianen (Netherlands) You are the proud hoster of alpacasvomhahnerfeld.de, which resolves to 185.41.127.3. This domain is the landing domain for a phishing email targeting USAA members.  "Dear Customer, Your account has been locked due to an update in our security features, we were unable to update your account. For your protection, online access to your account will remain locked until we properly verify your identity. To re-instate your access, view your account below to start the update process." Good try. You even go as far as embedding USAA content (usaa.com) into the email. There is even a twitter.com link, of all things. Very good try.  Farther down in the email you try to distance yourself from pretending to be the USAA: "USAA means United Services Automobile Association and its insurance, banking, investment and other companies . Banks Member FDIC." The email "from" is ...

We have an RX4100 and a DX400 series Sentinel device in two separate networks. Every week I get an IPS hit on 78.137.100.54 for a buffer overflow: Watchguard IPS Notice I've ignored this in the past because I couldn't find much information about it. Plus, the IPS is denying it, so I didn't pay much attention to it. Today, though, I dug a little bit deeper.Turns out 78.137.100.54 is Star Wind, which is a virtual storage software provider (in Germany). https://www.starwindsoftware.com/ I couldn't find the offending header that was triggering the IPS. We don't track that level of detail in the IPS detection, unfortunately. That would be a nice thing to have. Why the WD devices are contacting StarWind on a weekly basis is unknown to me. I don't recall any disclosures about that activity when I bought these devices. We're retiring that RX4100 soon. It's network cards always go offline for no apparent reason. Other IT people have reported a simil...