
Posts

Showing posts from 2017

Gonna Get You Sucka

So my 3rd grade daughter writes a note at the beginning of the year (last year). It says "I am coming to get you," and it's just a joke note as a group of the kids are doing this. They're young, 2nd graders, and they do dumb things. Zero tolerance is the policy at the school so she has to write an apology and go visit the principal's office and I had to pick her up from school. She's scared and crying. Another kid also writes a note, a boy, and he gets the third degree too. I looked at her cohort and he was mortified. He was 8.

Today, Alfonso Nevarez, a Democrat legislator from Texas [1], makes a similar verbal claim that he is going to "get you" to a fellow legislator. What happens? He gets on CNN and denies it [2].

Apparently we hold our grade school children to a higher standard of behavior? Maybe the standards of behavior are lower in Texas. I won't speak for Texans, but if he were a California rep we'd be asking for his removal.

[1] https…

TLS 1.2 and PCI

As you may know, the payment card industry is moving quickly to adopt TLS 1.2 and get rid of less secure protocols. [1] To this end, Authorize.Net has turned off TLS 1.2 on its sandbox environment as of April 30, 2017. [2]

The curious part about this change is how it impacts the developer world. We have some older projects built using VS2010 (msbuild) and old web deploy projects. Up until April 30, we could build those with .NET 4 and VS2010. So we happily and blindly did that, until May 1.

Starting May 1 we started to see those pesky communication disconnection errors. Darn, what is that? Well, that's the TLS 1.2 requirement in sandbox. So we apply the fix and discover that the SecurityProtocolType enum in .NET 4 has no TLS 1.2 value. Well, double bummer.

When we move on to .NET 4.5.1 to get SecurityProtocolType.Tls12, we discover that we can no longer use the VS2010 msbuild. Why? Because that old Visual Studio can't build .NET 4.5.1 projects. [3] How fun is that?

With one change from a…

Cancer

Looking at a picture of my mother lying in her hospital chair taking her chemo medication makes me think about cyber. Our bodies are a network of connected computers. Blood and lymph are the communication channels that relay information between these computers. The mainframe, of course, is your brain, which is another highly connected network of computers.

When cancer invades it starts by infiltrating a system. The system is usually homomorphic, which makes it easier for the cancer (cyber infiltrator) to gain its foothold. Sometimes the infiltrator moves fast and runs through multiple systems wreaking havoc. Yet there are those infiltrators who move slowly, learning each system as they go through the entire system. Non-Hodgkin's lymphoma is that slow hacker. That's what my mother has. She's had this for a very long time. Mostly ignored by her "doctors" 8, 12, maybe 30 years ago, finally they see the infiltration and recognize the need to respond.

Once the cancer b…

EzLynx Splunk regex

Looking to extract the EzLynx app and quote IDs from those referrer URLs in splunk?

Use this regex (the capture groups are named AppQuoteId and AppId after the URL parameters they pull out):

^.+(app\.ezlynx\.com).+[qQ]uote[dD]etails\.aspx\?[aA]pp[qQ]uote[iI]d=(?P<AppQuoteId>\d+)(&[aA]pp[iI]d=(?P<AppId>\d+))?\".*$

I still take coffee as payment.

Password Insecurity

I tried to change my password today on a contractors portal. My password is 20 characters long. It's pretty strong as far as I am concerned. So I enter a new one and what do I get?
The password does not meet the minimum requirements: password length cannot be less than 15 characters and greater than 50 characters and password must have 1 character of each of the following character types: upper case letter, lower case letter, number, symbol. In addition, your new password must be different than the previous 10 passwords, must have at least 4 characters different than your most recent password and cannot be changed more than once in 24 hour period.
That's a long message saying my password is not secure. What is particularly interesting?
must have at least 4 characters different than your most recent password 
Yup, that's the fun statement that says all passwords on this system are reversible. Maybe they use CryptDB [1]? I don't really know, but I highly doubt it. Yet, all…

Whiskey Tango Foxtrot

Today is one of those Whiskey Tango Foxtrot kind of days. I've been tracking a real November Sierra since December, and even reported it. I figured it was a bug, so I submitted it to the security folks. Their response? "We're not the team for this problem." OK.

Now today I see two data points, one weird-o one-timer kind of probe. Yup, for real, a solo IP in the gigabytes of logs that my splunk eats. Yet this IP correlates with another IP that has been on my radar.

So I get out my splunk and pull a "deny" query on this IP. Not only does it generate IPS hits from my desktop, outbound to destination, but I see inbound activity from this IP (also denied, of course).

(2017-03-29T17:56:44) firewall:msg_id="3000-0150" Deny1-Trusted0-External9840tcp2064 [desktop_ip]184.86.92.711276680offset5A2936268642win

Sprint and Asterisks

You can't use an asterisk in your password for sprint.com. Why? Because they use a regular expression test to validate the password field. The regex will fail with an uncaught exception if you put in an asterisk.

There's more though. I've seen so many sites that throw errors because their admins are not on the ball:

external_forgot_password.jsp?INTNAV=TopNav:SignIn:ForgotPassword:1 XMLHttpRequest cannot load https://www.sprint.com/webcontent/config/campaign.config.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://mysprint.sprint.com' is therefore not allowed access.
The Access-Control-Allow-Origin header is an easy fix. Why a company like Sprint hasn't gotten around to that is incomprehensible. 
There's more, because sprint.com still uses old-skool sync XMLHttpRequest:
sprint.common_all.js:170 Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end us…

Stealing $92

We cancelled our 401k with Paychex. As someone with money in that 401k I had to move the money out, eventually. First they wanted me to open a new IRA with their 401k management service. I declined.

Then I started to get the bills for keeping my money in their account. $92.50 each month. Since January that's now $277.50 sucked out of my 401k money for the right to sit in an electronic account on a virtual server.

Their justification? It's the $133 401k participation fee (discounted, though).

Ticklish Bijection?

Guys, really?

Lilliputian-Decipher: 75481
Whittles-Glitters: nook
Emulate-Nebula: 8
Cistern-Namer: 13796F14E841CB5
Saner-Recognizes-Ticklish: bijection

I'd never seen the WIM-AUTH fail header, so that was cool to know:
WIMS-AUTH:FAIL;ENG:(5061607094)(102400140)(102420017);RF:JunkEmail;OFR:SpamFilterAuthJ;
At least the upstream spam intercept is smart enough to see it. Too bad it's overly aggressive and some ham gets stuck in the circular file.
Emulate-Nebula: 8
Really? jkfg1wltbzex2nzky3dp4sirze5gljjp
whgm8ngwxklmtgw6max7lbzgbybvtgvx5hy3ubee0pabmmexl9tgw8cbfbeexmmx6ztqbhet7ienl5max3vruxk0kbzaml9bgbmbtmbox8bl6bgmxkxlmbgz

Chinologist named ugpmomqgr

The chinologist is back. (ha ha)

Your jump IP is China Telecom, but, alas, you were defeated by the base64 encoder:

Content-Type: text/html;
charset="gb2312"
Content-Transfer-Encoding: base64

Reply-To: <1518223264@qq.com>

There's the "qq" again. You sourced it solely in China, which was smart. Fix the config of your content encoder to not use your Locale settings.

Thanks for the save. I blocked their IP so no more of their noise. So much for "infosec," eh?

Outlook Configuration

To read all email in text and be able to extract the mail using mail headers:

> regedit
HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail
  MinimalHeaderOn = 0 (dword)
  ReadAsPlain = 1 (dword)
  SaveAllMIMENotJustHeaders = 1 (dword)

Restart Outlook afterwards, maybe even reboot just for good measure. Now you get to see all of those phishy URLs in the emails, and you can get all of those embedded image attachments as raw encoded binary when you open the header details on the message.

Put the Message Options button in the hot button task bar so you can quickly get this info.

No more phishy phish from the numbskulls.

I take payment in coffee. It's been a long time since I've had Jamaica Blue Mountain. Just saying.

If you know how to disable the jpeg thumbnail render of attachments, please share on twitter. That's an obvious vector.

from COMPUTER (188.128.5.190)

ok, you guys are making me laugh this morning. I need a good laugh. Was the phishing filter created by BAH as part of PMW130? I wouldn't doubt it. Just as effective.

https://ghostbin.com/paste/5noxu

X-Junkmail-Premium-Raw: score=33/50,refid=2.7.2:2017.3.1.144216:17:33.181,ip=,rules=__HAS_FROM,

USAA Phish

MIJN Security Partner.
Placotiweg 2K
4131 NL Vianen (Netherlands)

You are the proud host of alpacasvomhahnerfeld.de, which resolves to 185.41.127.3. This domain is the landing domain for a phishing email targeting USAA members.

 "Dear Customer,

Your account has been locked due to an update in our security features, we were unable to update your account. For your protection, online access to your account will remain locked until we properly verify your identity.
To re-instate your access, view your account below to start the update process."
Good try. You even go as far as embedding USAA content (usaa.com) into the email. There is even a twitter.com link, of all things. Very good try.
Further down in the email you try to distance yourself from pretending to be the USAA:
"USAA means United Services Automobile Association and its insurance, banking, investment and other companies . Banks Member FDIC."
The email "from" is "foi at gkclasses.com" w…

Ahhh 10Gbps

That feeling when you see the green light on the 10Gbps switch?

https://www.youtube.com/watch?v=2zNSgSzhBfM

Then you see the 40 second builds and, wow, all worth the $4k for the upgrades. Builds are mostly time spent downloading source and uploading artifacts. That 2 minute build down to 40 seconds is priceless.


Western Digital and IP 78.137.100.54

We have an RX4100 and a DX400 series Sentinel device in two separate networks. Every week I get an IPS hit on 78.137.100.54 for a buffer overflow:

Watchguard IPS Notice

I've ignored this in the past because I couldn't find much information about it. Plus, the IPS is denying it, so I didn't pay much attention to it.

Today, though, I dug a little bit deeper. Turns out 78.137.100.54 is StarWind, which is a virtual storage software provider (in Germany).

https://www.starwindsoftware.com/

I couldn't find the offending header that was triggering the IPS. We don't track that level of detail in the IPS detection, unfortunately. That would be a nice thing to have.

Why the WD devices are contacting StarWind on a weekly basis is unknown to me. I don't recall any disclosures about that activity when I bought these devices.

We're retiring that RX4100 soon. Its network cards always go offline for no apparent reason. Other IT people have reported a similar experience w…

YMLP vs AWeber

Aweber was easy to block because it had well defined block ranges. They play nice, but at the cost of being easily identified.

YMLP was a little bit harder, but a Google search for YMLPUF lets you see the inside world of their spamming campaigns. Once there, you just look up smtp15.ymlpsrvr.com and get the netblock of their Belgian servers (185.83.48.0/22). Done.

I still like you guys. I just don't want to get your spam. That German list observer you are using, though, is pretty darn clever. That one I won't share, except to those of the close inner circle.

Haven't found the ad network block for YMLP though, so that's different than AWeber.

Next time, Madison Lee, use gmail instead.

Formerly Known As ...

You know my name. I have a new name now. It's not as cool as Prince's new name, when he changed it. No, it's not cool. It's random:

397970A0A6ACAF240351AC3AFB833ACB

I see you using this. I see where you call home too.


The splunk query for this was another fun exercise in 'rex' (capture groups named src_ip and dst_ip):

"397970A0A6ACAF240351AC3AFB833ACB" | rex field=_raw ".tcp\s(?<src_ip>\d{0,3}\.\d{0,3}\.\d{0,3}\.\d{0,3})\s(?<dst_ip>\d{0,3}\.\d{0,3}\.\d{0,3}\.\d{0,3})."

Splunk is so much fun. I bought the next 1 Gig indexer add-on for my splunk. I see you pushing activity and driving my 1 gig threshold out of orbit.

Being able to aggregate logs across disparate sources is a huge advantage. I still have to figure out what to look for, but when I do, then I can quickly see trends.

I've blocked about 99% of advertising in my perimeter. Someone tried to send me some aweber links, which was funny. Those will never work. My family hates that I block advertising because they have to actively search on …

Talking To The Future

We are able to talk to our children, not as they are today, but tomorrow. Google, Microsoft, Alexa and Amazon, whatever search engine out there, the data of the web is being archived in permanence. In 30 years this blog will be searchable as an archive. My children will be able to read it and glimpse into their father's present, a time that is their present.

Today also marks the day that I realized how to do this. How to communicate "privately" with them. Just know that you will be able to communicate, one-way, with your kids by publishing messages to them in a blog. Just keep the blog active.

If you see wacky messages on this blog then you will see me communicating with the future. I know they are reading them.


Knock Knock

There was a girl, her name was Lucy. She was a samurai.


Although, my favorite Deep Purple is Hush: