
Showing posts from March, 2017

Whiskey Tango Foxtrot

Today is one of those Whiskey Tango Foxtrot kind of days. I've been tracking a real November Sierra since December, and even reported it. I figured it was a bug, so I submitted it to the security folks. Their response? "We're not the team for this problem." OK. Now today I see two data points, one weird-o one-timer kind of probe. Yup, for real, a solo IP in the gigabytes of logs that my Splunk eats. Yet this IP correlates with another IP that has been on my radar. So I get out my Splunk and pull a "deny" query on this IP. Not only does it generate IPS hits from my desktop, outbound to destination, but I see inbound activity from this IP (also denied, of course).

(2017-03-29T17:56:44) firewall: msg_id="3000-0150" Deny 1-Trusted 0-External 9840 tcp 20 64 [desktop_ip] 184.86.92.71 12766 80 offset 5 A 2936268642 win 342 signature_name="WEB-CLIENT WScript.Shell Remote Code Execution
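The "deny" query above is really two questions: which external addresses show up only once, and which of them appear on both sides of the firewall (my desktop denied going out to it, and it denied coming in). The following is an added example, not code from the post, that answers both over a handful of constructed log lines laid out like the WatchGuard-style line quoted above. The field order (action, source interface, destination interface, length, protocol, two counters, source IP, destination IP, source port, destination port, optional signature_name) is an assumption drawn from that single line, and every address and timestamp is made up.

```python
import re
from collections import Counter

# Constructed sample log (not from the post). Documentation-range addresses only;
# 10.0.0.25 plays the analyst's desktop, 198.51.100.7 the two-way peer.
SAMPLE_LOG = """\
(2017-03-29T17:56:44) firewall: msg_id="3000-0150" Deny 1-Trusted 0-External 9840 tcp 20 64 10.0.0.25 198.51.100.7 12766 80 offset 5 A 2936268642 win 342 signature_name="WEB-CLIENT WScript.Shell Remote Code Execution"
(2017-03-29T18:02:10) firewall: msg_id="3000-0148" Deny 0-External 1-Trusted 60 tcp 20 52 198.51.100.7 10.0.0.25 44120 445 offset 10 S 1934821 win 8192
(2017-03-29T18:05:31) firewall: msg_id="3000-0148" Deny 0-External 1-Trusted 60 tcp 20 52 203.0.113.9 10.0.0.25 51200 22 offset 10 S 77121 win 8192
(2017-03-29T18:07:03) firewall: msg_id="3000-0149" Allow 1-Trusted 0-External 1500 tcp 20 64 10.0.0.25 192.0.2.44 50011 443 offset 5 A 1 win 1024
"""

# Assumed field layout, taken from the one line the post quotes.
LINE_RE = re.compile(
    r'^\((?P<ts>[^)]+)\) firewall: msg_id="(?P<msg_id>[^"]+)" '
    r'(?P<action>\w+) (?P<src_if>\S+) (?P<dst_if>\S+) \d+ (?P<proto>\w+) \d+ \d+ '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) '
    r'(?P<sport>\d+) (?P<dport>\d+)'
    r'(?:.*?signature_name="(?P<sig>[^"]*)")?'
)


def parse_line(line):
    """Return a dict of fields for one firewall line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def parse_log(text):
    """Parse every recognisable line; unparseable lines are dropped rather than guessed at."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def external_peer(ev):
    """The address on the External interface side, whichever way the flow went."""
    return ev["src"] if "External" in ev["src_if"] else ev["dst"]


def deny_counts(events):
    """How many Deny events each external address produced, in either direction."""
    return Counter(external_peer(ev) for ev in events if ev["action"] == "Deny")


def single_hit_ips(events):
    """The 'one-timer' probes: external addresses with exactly one Deny in the whole log."""
    return sorted(ip for ip, n in deny_counts(events).items() if n == 1)


def deny_profile(events, ip):
    """Split an address's Deny events into inbound (it was the source) and outbound
    (something inside talked to it), and flag the case where both directions exist."""
    inbound = [ev for ev in events if ev["action"] == "Deny" and ev["src"] == ip]
    outbound = [ev for ev in events if ev["action"] == "Deny" and ev["dst"] == ip]
    sigs = sorted({ev["sig"] for ev in inbound + outbound if ev["sig"]})
    return {
        "inbound": len(inbound),
        "outbound": len(outbound),
        "signatures": sigs,
        "two_way": bool(inbound) and bool(outbound),
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("one-timers:", single_hit_ips(events))
    for ip in deny_counts(events):
        print(ip, deny_profile(events, ip))
```

The two-way flag is the part worth keeping: an IPS signature on an outbound connection from a desktop plus denied inbound connections from the same address is a different animal from a single scanner hit, and it is cheap to compute once the lines are parsed into fields instead of grepped as strings.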

Outlook Configuration

To read all email in text and be able to extract the mail using mail headers:

> regedit
HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail
  MinimalHeaderOn = 0 (dword)
  ReadAsPlain = 1 (dword)
  SaveAllMIMENotJustHeaders = 1 (dword)

Restart Outlook afterwards, maybe even reboot just for good measure. Now you get to see all of those phishy URLs in the emails, and you can get all of those embedded image attachments as raw encoded binary when you get the header details on the message. Put the Message Options button in the hot button task bar so you can quickly get this info. No more phishy phish from the numbskulls. I take payment in coffee. It's been a long time since I've had Jamaica Blue Mountain. Just saying. If you know how to disable the JPEG thumbnail render of attachments, please share on Twitter. That's an obvious vector.

USAA Phish

MIJN Security Partner. Placotiweg 2K 4131 NL Vianen (Netherlands) You are the proud hoster of alpacasvomhahnerfeld.de, which resolves to 185.41.127.3. This domain is the landing domain for a phishing email targeting USAA members. "Dear Customer, Your account has been locked due to an update in our security features, we were unable to update your account. For your protection, online access to your account will remain locked until we properly verify your identity. To re-instate your access, view your account below to start the update process." Good try. You even go as far as embedding USAA content (usaa.com) into the email. There is even a twitter.com link, of all things. Very good try. Farther down in the email you try to distance yourself from pretending to be the USAA: "USAA means United Services Automobile Association and its insurance, banking, investment and other companies. Banks Member FDIC." The email "from" is "
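Once Outlook is saving the full MIME (the registry change in the post above this one), the same triage the USAA takedown note does by hand can be scripted: pull every URL out of the text and HTML parts, list the link hosts against the domain the "from" address claims, and dump each attachment as the raw decoded bytes with a hash. The script below is an added example, not the blog's code; it runs on a constructed "account locked" message with placeholder domains (example-lure.test standing in for the landing domain, usaa.com and twitter.com as the embedded brand links the post describes) and a tiny constructed PNG attachment. It uses only the Python standard library.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed raw MIME message (not a real sample): a lure in the style the post
# quotes, with a brand logo and a Twitter link beside the real landing URL.
RAW_MESSAGE = b"""\
From: "USAA Member Services" <alerts@example-lure.test>
To: member@example.com
Subject: Your account has been locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, your account has been locked.
<a href="http://landing.example-lure.test/verify">View your account</a></p>
<img src="https://www.usaa.com/logo.png"> <a href="https://twitter.com/USAA">Twitter</a>
</body></html>
--b1
Content-Type: image/png; name="logo.png"
Content-Disposition: attachment; filename="logo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--b1--
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def parse_message(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage (modern policy, so get_content works)."""
    return email.message_from_bytes(raw, policy=policy.default)


def sender_domain(msg):
    """Domain of the address in the From header, ignoring the display name."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def extract_urls(msg):
    """Every URL in the text/plain and text/html bodies, in document order."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def off_sender_hosts(urls, domain):
    """Link hosts that are not under the sender's own domain: the brand content and
    third-party links a lure embeds to look legitimate."""
    hosts = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    return sorted(h for h in hosts if h != domain and not h.endswith("." + domain))


def attachments(msg):
    """Each attachment as raw decoded bytes, summarised by name, type, size, hash, magic."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": data[:4].hex(),   # file signature, independent of the claimed extension
        })
    return out


def triage(raw):
    """One-call summary of what a phishing message links to and carries."""
    msg = parse_message(raw)
    domain = sender_domain(msg)
    urls = extract_urls(msg)
    return {
        "sender_domain": domain,
        "urls": urls,
        "off_sender_hosts": off_sender_hosts(urls, domain),
        "attachments": attachments(msg),
    }


if __name__ == "__main__":
    for k, v in triage(RAW_MESSAGE).items():
        print(k, v)
```

The hosts that are not under the sender's domain are the decoys (usaa.com content, the twitter.com link); whatever is left under the sender's domain is the landing site to report to the hoster. Hashing the decoded attachment bytes rather than the base64 text gives a value you can match against other reports of the same lure.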