What's going on?

sync'd every Sunday(ish) via cronjob.

Stop the hack before you see it evolve

OxyContin

    John Oliver had a show about OxyContin and the damage it caused. Many people fall victim to big pharma, just like many people fall victim to simple malicious attack vectors even when the topic itself is positive or proactive. Those vectors include the malicious registration of look-alike web domains for nefarious purposes AND low-hanging-fruit attacks (skid spraying).

    Cybersquatting (also known as domain squatting), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter then offers to sell the domain to the person or company who owns a trademark contained within the name at an inflated price.{wiki}

    On the show John (we go by first names now) revealed that he/they/them (his people's people) registered the domain name www.judgeforyourselves.com in an effort to provide premier resources for information on the Sackler family and the Purdue Pharma bankruptcy.

    Immediately I saw some possibilities for exploitation.

    Domain registration tips:
    -Buy the singular and plural forms
    -Buy the common misspellings of it
    -When possible, buy the .com FIRST
    -Buy the same name under any OTHER top-level domains
    -Secure the registrar account and DNS (MFA on the registrar login, registrar/transfer lock, DNSSEC where the registrar supports it)

    As a good faith effort, and to further information security research best practices, we have registered judgeforyourselve.com and acknowledged the similarity to the real domain via a notice at the top of the page, while still allowing direct access to the intended website via hyperlinks.
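
    The registration tips above boil down to "enumerate the look-alikes before someone else does". The following is an added example, not tooling from this site, that generates the typosquat candidates for a domain: the singular/plural class that actually caught traffic here, plus omissions, transpositions, doubled letters, keyboard neighbours, and the same label under other TLDs. judgeforyourselves.com is the domain from the post; the TLD list and the partial QWERTY neighbour map are illustrative choices and are marked as such in the code.

```python
"""Generate typosquat candidates for a domain so the defender can register
(or at least monitor) them before an attacker does.

Added example for this post; not the page's own tooling. The domain
judgeforyourselves.com is the one discussed above; the TLD list and the
keyboard-neighbour map below are illustrative (constructed) choices.
"""

# Constructed: a short TLD list for the demo. A real run would use the list
# of TLDs your registrar can actually sell you.
TLDS = ("com", "net", "org", "co", "info")

# Constructed: partial QWERTY neighbours for the fat-finger class.
ADJACENT = {
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop", "e": "wsdr",
    "r": "edft", "t": "rfgy", "y": "tghu", "u": "yhji", "i": "ujko",
    "o": "iklp", "p": "ol", "q": "wa", "w": "qase", "z": "asx", "x": "zsdc",
    "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def split_domain(domain):
    """'judgeforyourselves.com' -> ('judgeforyourselves', 'com')."""
    label, _, tld = domain.lower().rpartition(".")
    if not label:
        raise ValueError("expected label.tld")
    return label, tld


def singular_plural(label):
    """The class this post is about: dropping or adding a trailing 's'."""
    if label.endswith("s"):
        yield "plural", label[:-1]          # judgeforyourselve
    else:
        yield "plural", label + "s"


def omissions(label):
    for i in range(len(label)):
        yield "omission", label[:i] + label[i + 1:]


def transpositions(label):
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            yield "transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:]


def repetitions(label):
    for i in range(len(label)):
        yield "repetition", label[:i] + label[i] + label[i:]


def fat_fingers(label):
    for i, ch in enumerate(label):
        for nb in ADJACENT.get(ch, ""):
            yield "fatfinger", label[:i] + nb + label[i + 1:]


def candidates(domain, tlds=TLDS):
    """Return {candidate_domain: variant_class}, excluding the original.

    One string can come from several classes (dropping the final 's' is both
    an omission and the singular form); the first class seen wins, and the
    singular/plural class runs first because it is the one the post reports
    as actually receiving traffic.
    """
    label, tld = split_domain(domain)
    out = {}
    for gen in (singular_plural, omissions, transpositions, repetitions, fat_fingers):
        for cls, variant in gen(label):
            if variant != label:
                out.setdefault(f"{variant}.{tld}", cls)
    # Same label under the other TLDs: "buy any OTHER top-level domains".
    for other in tlds:
        if other != tld:
            out.setdefault(f"{label}.{other}", "tld")
    return out


if __name__ == "__main__":
    found = candidates("judgeforyourselves.com")
    print(f"{len(found)} candidates")
    for dom, cls in sorted(found.items(), key=lambda kv: (kv[1], kv[0]))[:15]:
        print(f"{cls:14} {dom}")
```

    Feed the output to a WHOIS/RDAP lookup to see which candidates are already taken; tools such as dnstwist do the same generation at scale with more classes (homoglyphs, bit flips) and the lookups built in.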

    What have we learned
    -In a single day thousands of visitors have ACCIDENTALLY come across our mirrored content
    -We have reinforced our knowledge that some people don't hear the "s" in a .com address.
    -Script kiddies still exist and love to target WordPress websites
    

    OxyContin
    "GET /?a=fetch&content={php}die(@md5(HelloThinkCMF)){/php}"

    The website www.judgeforyourselves.com does run on WordPress. Fortunately it is up to date. Go webadmin! Our adventure stops here.

    Not. Even the bad actors mess up with their tools and attack the wrong targets: that request is the well-known ThinkCMF template-injection probe (the md5(HelloThinkCMF) echo test), not a WordPress exploit, so it was fired at a site that doesn't run ThinkCMF at all.

    OxyContin

    "We are not running Wordpress so 404 your way somewhere else."

    Depending on how advanced these requests get, we may opt to honeypot the traffic.
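
    Before deciding whether to honeypot, it helps to know what is actually hitting the site. The following is an added example, not this site's own code, that parses Apache/nginx combined-format access logs and flags the scanner probes seen in this post: the ThinkCMF request quoted above and the usual WordPress low-hanging fruit (wp-login.php, xmlrpc.php, author enumeration). Only the ThinkCMF line comes from the post; the other log lines are constructed, and the signature list is a starting point rather than a complete ruleset.

```python
"""Flag common scanner probes in a web access log.

Added example for this post; it is not the site's own tooling. The ThinkCMF
request is the one quoted above; the surrounding log lines are constructed
for the demo, and the signature list is an illustrative starting point,
not a complete ruleset.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (name, regex applied to the URL-decoded request path).
SIGNATURES = [
    # The request quoted in the post: the ThinkCMF template-injection probe
    # (echo test via md5(HelloThinkCMF)). It has nothing to do with WordPress.
    ("thinkcmf_rce_probe", re.compile(r"[?&]a=fetch&content=.*\{php\}", re.I)),
    # WordPress low-hanging fruit: login brute force, xmlrpc abuse, user enumeration.
    ("wp_login", re.compile(r"/wp-login\.php", re.I)),
    ("wp_xmlrpc", re.compile(r"/xmlrpc\.php", re.I)),
    ("wp_user_enum", re.compile(r"/wp-json/wp/v2/users|[?&]author=\d+", re.I)),
    ("wp_config_grab", re.compile(r"/wp-config\.php", re.I)),
    # Any .php request is suspect on a site that serves no PHP at all.
    ("php_file_request", re.compile(r"\.php(\?|$)", re.I)),
]


def parse(line):
    """Split one combined-format line into its fields, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the names of every signature the request path matches."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan(lines):
    """Yield (ip, path, [signature names]) for each flagged request."""
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hits = classify(rec["path"])
        if hits:
            yield rec["ip"], rec["path"], hits


def summarize(lines):
    """Count flagged requests per source IP; a starting point for a block list."""
    counts = Counter()
    for ip, _path, _hits in scan(lines):
        counts[ip] += 1
    return counts


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Aug/2021:03:14:07 +0000] "GET /?a=fetch&content=%7Bphp%7Ddie(@md5(HelloThinkCMF))%7B/php%7D HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2021:03:14:09 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2021:03:14:10 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Aug/2021:03:15:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Aug/2021:03:15:02 +0000] "GET /?author=1 HTTP/1.1" 404 153 "-" "python-requests/2.25"
'''.strip().splitlines()

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip:14} {','.join(hits):30} {path}")
    print(dict(summarize(SAMPLE_LOG)))
```

    The path is URL-decoded before matching because scanners send the braces and quotes percent-encoded, as in the ThinkCMF line; matching on the raw path would miss them. Per-IP counts from summarize() are what you would feed a fail2ban-style block rule, and a source that trips several different signatures in a few seconds is a scanner, not a curious visitor.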

  • A. Buford
  • Aug 10th, 2021

Update: LED workbench / 'laser table'

tableeeeee

    Today, with my youngest son, I finished up soldering the LEDs for the table. It looks pretty awesome. I feel like he really learned a lot from the experience. It's never too early to learn something new or old. He said "I like building things" in his 4 year old voice! It made my day. I still have to cover the connections in acrylic. Once that is done I plan to connect them to a Raspberry Pi Zero(W) to automate. It will be beautiful.

    cscp

  • A. Buford
  • Aug 7th, 2021

I passed the Comptia Cloud+ Exam!

ccap

    After studying like crazy for a little over a month I was able to pass the CompTIA Cloud+ exam. I am now a Certified CompTIA Cloud Admin Professional (CCAP) & Secure Cloud Professional (CSCP). Nice! You can do it too. Reach out for advice!

    cscp

  • A. Buford
  • Aug 7th, 2021

I'm figuring out the Malicious text network.

malicious text services

    After doing some digging and setup I was able to figure out that most of these phone numbers being used are through some type of throw-away text service hosted at https://sms24.info. Domain registration is private and through GoDaddy. Chances are fake information was used to register the GoDaddy account. DNS is on AWS.

    The website itself is pretty straightforward. Based on which country you want your phone number to appear to be located in, you are provided a series of phone numbers. Upon clicking the URL for a given 'phone' you are shown its inbound messages. ALL OF THEM. You can only imagine the type of malicious activity passing through there. I attempted to crawl the pages and scrape data with a script (thank you GitHub) but that was quickly stopped. There is some type of rate limiting imposed. I don't have time for that.

    malicious text services


    Here is a snippet showing verification PINs sent via SMS. You can get a picture of which companies need to enforce a better policy on how they do automated verification. The frequency at times is obviously a mass auto-registration script running. And some are just 'people' who want to save their 'real phone numbers'.

    malicious text services


    Now. The security researcher in me has found that appending different words to the messages base URL, https://sms24.me/en/messages/[insert word here], returns what appears to be data NOT meant for the average user.

    malicious text services


    By using one of the default Kali Linux DirBuster wordlists (directory-list-2.3-small, I think) we are able to get an idea of how this site is mapped out.

    malicious text services


    No. No. We aren't done yet. There is more!!!!
    When in doubt regarding malicious intent, look at the bigger picture. Based on how the website is structured (directories, etc.) WE KNOW the data being harvested isn't collected with the best intent. 'Fullz', warez, serial(s), crack(ing), and contact-information harvesting don't seem like a legitimate service. https://sms24.me/sitemap is a nice dump also. Reported.

    malicious text services

  • A. Buford
  • Aug 5th, 2021

Coinbase Phishing? Targeted much?!

You are not the Coinbase

    An obviously malicious text was received on.. I don't care. This is weak already. Going forward I will only post the phone numbers along with the malicious intent.

    CoinBaseRed#627488126
    New*IP*Detected. If this is not you, quickly follow steps

    https://case4333-coinbase-us.web.app

    URL resolves to: ..... I don't care. Reported to the FBI for phishing.

    What they did right?
    1. They sent the text message to a valid phone number.
    2. Targeted somebody who has previously used Coinbase.
    What they did wrong
    1. Sent an information security researcher a hyperlink via text, again, and again, and again.
    2. My keys, my coins! (if you get it, you get it). Again, bad target.
    3. The attacker used a new phone number, 773-816-2736. It isn't flagged online... YET.
    
    Takeaways
    1. Don't open links to things you don't know. 
    2. Keep mobile devices up to date!!!
                                        

  • A. Buford
  • Aug 3rd, 2021

A LED'd workbench

the led bench

    Ever since I began studying for the CompTIA Cloud+ exam I have found myself, very often, making randomness. My latest and greatest is an LED trim (bench). I still need to come up with a fixed power solution as the lights are currently energized by a TACKlife power supply.

  • A. Buford
  • August 3rd, 2021

LicenseMVR Invalid Mandatory by LAW!!!!!... OH NO!

ISOS not!

    An obviously malicious text was received on Tuesday at 2:39am.

    ISOS not!

    Wait.. another one.

    The bad guys have no desire to let people sleep

    Report#2572947115
    [LicenseMVR] *Invalid

    Mandatory form by law:
    https://t.co/VbsHD1bdrf

    URL resolves to: https://docs.google.com/forms/d/1yrlFBNpYZL_IHmEqW6SVojFaFiXEIN5zDlsZADI4jFU/viewform?edit_requested=true

    Maybe that was a careless mistake... In the background you can see another Illinois Secretary of State phishing page. ISOS not!

    Now. This page displays a pop-up, in Russian, with a hyperlink to another form page. The text reads as:

    To continue, sign in to your account You must be logged in to complete this form. Your answers will be anonymous. Report violations

    Esc key. Tbh, I'll stop here and just report it to Google. I don't have time to go down this rabbit hole (cookies etc.).

    What they did right?
    1. They sent the text message to a valid phone number.
    2. The link actually works and forwards to a Google Form. Then to another form (possibly).
    3. Used a language (Russian) that is not common to the region the message was sent to (judging by the phone number's area code).
    What they did wrong
    1. Sent an information security researcher a hyperlink via text, again, and again, and again.
    2. Is using Google Forms to harvest data.
    3. ZERO gating stage to verify who accesses the page.. Duh! The original link does go through a URL shortener, so they may be collecting some click data there.
    4. The attacker is exhausting phone numbers and has begun re-using them.
    
    Takeaways
    1. The text-message attack vector is becoming more targeted and the methods used this time around are less 'noob'.
    2. Keep mobile devices up to date!!!
    
    ISOS not!

  • A. Buford
  • Aug 2nd, 2021

Serato | There's a VM for that

the lab

    I finally got the Serato VM working, with very minimal latency, using a remotely connected USB controller on the 'thin client'. Now that I have proven a Serato DJ doesn't need a laptop physically in front of them, I'm not sure what is next in the research aspect. Maybe learn more about MIDI? Unlock Pro Serato features via registry modification for a PoC? Until then I've decided to connect my old audio gear and listen to clean tunes while work-working.

  • A. Buford
  • July 30th, 2021

News on the Street: BlackMatter Gang IS stepping in for Darkside and REvil

    https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/

    They made a ton of money and changed their names. It creates a situation where the various threat-tracking groups now have differing information, based on their own analysis of the techniques used by each unit.

    "Smart hackers do not keep the same online identity for long. There is no logical advantage after the desired objective is reached" - said some dude at a security con in 2012 after shutting down an IRC botnet.

    Source: Threatpost, S2w Lab

    And.... it appears Haron = Avaddon (above image). See the similarities with more 'advanced' groups? We do.

  • A. Buford
  • July 29th, 2021

"IBM Report: Cost of a Data Breach Hits Record High During Pandemic"

breach costs

    https://newsroom.ibm.com/2021-07-28-IBM-Report-Cost-of-a-Data-Breach-Hits-Record-High-During-Pandemic#assets_all

    CAMBRIDGE, Mass., July 28, 2021 /PRNewswire/ -- IBM (NYSE: IBM) Security today announced the results of a global study which found that data breaches now cost surveyed companies $4.24 million per incident on average – the highest cost in the 17-year history of the report.

    I guess there is no real surprise in the fact that breaches are now costing more. The pandemic was just some more time for analysts at home to correlate data. The top-tier security appliances will get more expensive as time goes on simply because attackers will get smarter and destroy more [complex systems]. Beefing up hardware and signatures isn't cheap!

    The rapid shift to remote operations during the pandemic appears to have led to more expensive data breaches. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to those in this group without this factor ($4.96 vs. $3.89 million.)

    The shift to remote work by untrained individuals does lead to security vulnerabilities that can be exploited. Many end users had to learn to use VPN technologies and to recognize social engineering tactics... within a few weeks. That doesn't usually end well. Couple that with the numerous VPN CVEs and you have a bad guy's/gal's playground.

  • A. Buford
  • July 29th, 2021

"Police Are Telling ShotSpotter to Alter Evidence From Gunshot-Detecting AI"

shot spotter

    https://www.vice.com/en/article/qj8xbq/police-are-telling-shotspotter-to-alter-evidence-from-gunshot-detecting-ai

    Prosecutors in Chicago are being forced to withdraw evidence generated by the technology, which led to the police killing of 13-year-old Adam Toledo earlier this year.

    TLDR: Evidence 'tampering' at the data classification level caused the data to be dismissed. What I found even more interesting is that ShotSpotter does NOT have any type of outside auditing or algorithm testing. They are a company with the sole purpose of tracking 'gunshots' for important situations.

    The company has not allowed any independent testing of its algorithms, and there’s evidence that the claims it makes in marketing materials about accuracy may not be entirely scientific. Over the years, ShotSpotter’s claims about its accuracy have increased, from 80 percent accurate to 90 percent accurate to 97 percent accurate. According to Greene, those numbers aren’t actually calculated by engineers, though.

    Ummm. So, the statistics the company uses, including in marketing, are made up. Chicago is the largest client for their made-up marketing pitch.

    “Our guarantee was put together by our sales and marketing department, not our engineers,” Greene said.

    https://www.sfexaminer.com/news/courtroom-testimony-reveals-accuracy-of-sf-gunshot-sensors-a-marketing-ploy/

    I'm not going to bother explaining the case-to-data outcomes that Vice already did so well. The main point of this post is to showcase the importance of data integrity (and chain of custody). If data can be altered without an audit trail, then the system that outputs that data has an integrity problem, and every conclusion drawn from it is suspect.

  • A. Buford
  • July 27th, 2021

Sooo did Kaseya pay the ransom or what?!

ran somewhere

    https://gizmodo.com/kaseya-is-making-its-customers-sign-non-disclosure-agre-1847356517

    Kaseya is requiring customers affected by the massive REvil ransomware attack to sign non-disclosure agreements in order to obtain the decryption key, a move that could shroud the incident in further mystery. Although the decryption key will no doubt bring relief to some victims, others are stating that it will have minimal impact.

    An NDA is a good way to make that hard to find out. Word on the [IT] street is they paid $50 million (https://twitter.com/jackhcable/status/1411906687968161792) after several customers had already paid. Ouch!

  • A. Buford
  • July 25th, 2021

"Estonian hacker Pavel Tsurkan pleads guilty for operating a proxy botnet."

    https://securityaffairs.co/wordpress/120483/cyber-crime/proxy-botnet-estonian-hacker.html

    According to court documents, Pavel Tsurkan (33) operated a criminal proxy botnet composed of more than 1,000 devices. The IoT botnet was tracked as the “Russian2015” because it was using the domain Russian2015.ru.

    https://www.justice.gov/usao-ct/us-v-oleg-koshkin-%26-pavel-tsurkan

    On June 16, 2021, PAVEL TSURKAN pleaded guilty in the District of Connecticut to a federal charge related to his role in operating a “crypting” service used to conceal “Kelihos” malware from antivirus software, enabling hackers to systematically infect victim computers around the world with malicious software, including ransomware. Tsurkan pleaded guilty to one count of aiding and abetting unauthorized access to a protected computer, an offense that carries a maximum term of imprisonment of 10 years. Tsurkan is scheduled to be sentenced on October 28, 2021 @ 2pm in Courtroom Two, 450 Main St., Hartford, CT before Judge Michael P. Shea. The U.S. Attorney’s Office press release is attached.

    Case 3:19-cr-00251-MPS | https://www.justice.gov/usao-ct/page/file/1239741/download

    Based on the information set forth in this affidavit, I believe there is probable cause to believe and I do believe that Koshkin and Tsurkan each committed the Target Offenses in the District of Connecticut and elsewhere.
    Moreover, as detailed below, Koshkin was identified as a board member of the company Cloudlife OU along with co-defendant Tsurkan.

    Seems like at one point these two were actually operating what 'seems like' a legit company, since 2016. Pavel and his partner maybe became money hungry, or were solicited for illegal activity due to the nature of their company. Regardless. It was wrong. The most recent reports have not been submitted, probably because he is in jail.

    Cloudlife OU

  • A. Buford
  • July 25th, 2021

Il. Secretary of State FAKE at it again

ISOS not!

    Received a text message today from phone number 815-615-2614 that read as follows:

    Office secretary of state(IL):

    DL Details seems to be missing or incorrect

    Follow steps: https://t.co/wMC1usiAwx

    UrL resolves to: https://docs.google.com/forms/d/e/1FAIpQLSe88iCqdgV0FW5PYB03NQRqjC4lq7-WOb-1AVff48kwU3ow0g/viewform

    This is getting pretty boring by now. I think for the threat actors also. Now they are getting super lazy, not even writing correct sentences.

    What they did right?
    1. They sent the text message to a valid phone number.
    2. The link actually works and forwards to a Google Form.
    What they did wrong
    1. Sent an information security researcher a hyperlink via text, again, and again, and again.
    2. Is using Google Forms to harvest data.
    3. ZERO gating stage to verify who accesses the page. A self-hosted form = more user data (client IP, user agent, and so on).
    4. SKIPPED the opportunity to drop a payload on insecure devices.
    
    Takeaways
    1. The text-message attack vector is becoming more annoying. Somebody has to be falling for it if it keeps going. Data harvesting at its finest, I assume.
    2. Keep mobile devices up to date!!!
    
    ISOS not!

  • A. Buford
  • July 24th, 2021
Howdy humana

"Thousands of Humana customers have their medical data leaked online by threat actors"

    https://securityaffairs.co/wordpress/120402/data-breach/humana-data-leak.html

    The leak comes more than four months after Humana, the third-largest health insurance company in the US, notified 65,000 of its health plan members about a security breach where “a subcontractor’s employee disclosed medical records to unauthorized individuals” between October 12, 2020, and December 16, 2020. In May, one of the patients affected by the breach filed a lawsuit against the company.

    Related news: https://www.hipaajournal.com/humana-and-cotiviti-facing-class-action-lawsuit-over-63000-record-data-breach/

    On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc.

    About Visionary Medical Systems Inc : https://www.bloomberg.com/profile/company/4067733Z:US

    Visionary Medical Systems Inc. develops medical software solutions. The Company designs and develops practice management software for medical billing, electronic health record, and management modules to provide point-of-care, for flow sheet snapshots capturing critical patient information, chronic disease tracking, alerts, and reporting mechanisms.

    Out of business

    "CompuGroup Medical to acquire 100% stake in Visionary Healthware Group" : https://www.tmcnet.com/usubmit/2010/09/01/4986799.htm

    Sep 01, 2010 (Datamonitor Financial Deals Tracker via COMTEX) -- CompuGroup Medical AG, a Germany-based provider of software and communications solutions, has entered into an agreement to acquire 100% stakes in American Healthcare Holdings, Inc. (AHH), Visionary Medical Systems, Inc. (VMS) and Visionary RCM, Inc. (VRCM) (collectively, Visionary Healthware Group).

    This will get interesting.

    Takeaways
    1. 6,487 individual health records are for sale. The record owners will not be paid.
    2. This new wealth of PII will make identity theft easy for somebody
    3. If you leak the wrong person's information they will sue you. 
    4. I think CompuGroup is being targeted by an APT group (see the MedNetwoRX ransomware attack).
    
    Questions
    1. What "personal coding business endeavor" was the employee responsible for the breach attempting to create?
    2. Why does everybody get a "complimentary membership to Equifax's credit monitoring and identity theft protection services for two years"? Equifax was no better.
    3. Was it technically a CompuGroup breach?
    

  • -A. Buford
  • July 22nd, 2021

Public Minecraft server available @ twitch.buf0rd.com:43499

Minecraft server info

    Decided to make the server fun and free for everyone. Server is backed up very often and malicious IPs are automatically dealt with via a script I put together, then modified, now titled "DropThemTablesDOS". Server available at twitch.buford.com:43499

    Tell your friends and family. Limited to 6 users currently but is elastic

  • -A. Buford
  • July 20th, 2021
Dept. of State

"Rewards for Justice – Reward Offer for Information on Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure "

    https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/

    The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

    Certain malicious cyber operations targeting U.S. critical infrastructure may violate the CFAA. Violations of the statute may include transmitting extortion threats as part of ransomware attacks; intentional unauthorized access to a computer or exceeding authorized access and thereby obtaining information from any protected computer; and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer. Protected computers include not only U.S. government and financial institution computer systems, but also those used in or affecting interstate or foreign commerce or communication.

    Takeaways
    1. The US Gov will now pay to catch the bad guys
    2. "Since its inception in 1984, the program has paid in excess of $200 million"
    

  • -A. Buford
  • July 19th, 2021

It doesn't take a village to raise a child. It's nice to WFH though.

    The advancements in communications technology over the last decade have made it easier for families and workspaces to stay in contact. Covid sure was a big test of that. The virus forced many people to adopt technologies that would normally require manual instruction. Overall, people did well.

    Parents and children, to some extent, were able to inch closer to 'normal' because of video conferencing.

    IMO working from home full time was long overdue. I have always felt strongly that productivity and work ethic are driven by the individual, not the environment. The environment, when not optimal in many aspects, is counterproductive. Plus, what could possibly beat having a 4-monitor setup - coffee inches away - music, and family all in one place while being the MOST professionally productive version of yourself?!

    nothing

    On the flip side.. seeing each other periodically does help to boost morale in some individuals.

  • -A. Buford
  • July 18th, 2021
minecrafty

Minecraft? There is a package for that | MSCS

    Took lunch time to set up an Ubuntu Server VM for my son so he may again.... play Minecraft. It is easier than you think with MSCS.

    Minecraft Server Control Script (MSCS) is a server-management script for UNIX and Linux powered Minecraft servers.

    I've opted to also install and set up OpenVPN so his remote friends may also join once provided the IP/port. The VM itself is overkill for the application: 16GB RAM, 100GB SSD, 4 threads. That should leave headroom for approx 4-5 players while keeping lag at a minimum.

    Thennnnnn what I did was.. delete it all. So I can livestream and video record it. For you! Live tonight @ 10pm, via Twitch.

  • -A. Buford
  • July 15th, 2021
floor tiles

Raised tiles, because tripping isn't fun

    Decided to lay these 'convenience-store-style' tiles in the lab/office area. I had had enough of tripping over cords and taping down cables. This did the job and I didn't even have to leave home (Amazon). I am finally able to route all ethernet and USB extensions precisely where I want them, without the worry of a fall.

  • -A. Buford
  • July 15th, 2021
Truesec Kaseya

How the Kaseya VSA Zero Day Exploit Worked

    https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit/

    Very quick, high-level explanation of a 4-stage exploit chain. I'd rather not summarize.

    Steps
    1. Obtained an authenticated session by abusing a flaw in the authentication logic [CWE-304] in /dl.asp.
    2. Uploaded the REvil ransomware (agent.crt) through an unrestricted upload vulnerability [CWE-434] while also bypassing the request forgery protection [CWE-352] in /cgi-bin/KUpload.dll.
    3. Uploaded the ASP payload (screenshot.jpg) in the same fashion as described in 2.
    4. Invoked the payload in screenshot.jpg through a local code injection vulnerability [CWE-94] in userFilterTableRpt.asp.
    5. Created Kaseya procedures to copy file and execute the ransomware.
    6. Executed the procedures.
    7. Removed logs and other forensic evidence.
    
  • July 15th, 2021
CD-RW install

BREAKING NEWS: Burned CD for first time in 10 years

    Tonight I found myself taking apart my son's desktop PC with the intention of installing a CD-RW drive. I need to be able to make time-encoded and music CDs for my old Pioneer CDJ-800. I did run into a small hiccup. After completely tearing it down I realized I did not have an additional power adapter. It isn't the most fun taking a computer apart, and putting it back together, after having done ZERO improvements other than a cleaning.

    I ended up piecing parts together from some older laptops ("Don't throw away good tech") I have in the lab. The laptop to be used had a CD-ROM drive installed without RW capabilities. Yes, that used to be a thing. I literally had to strip the drive down to the purely functional parts in order to use it. If it works it works!!! Now, I'm able to.... burn CDs again.

    CD-RW install
  • July 13th, 2021

A serato via VM

Where a DJ and an IT professional meet. Serato via VM and an audio library via Samba (Network attached Storage)

    Automotive and IT. Saw that coming. The 'DJ world' and IT.... blindsided by that pairing. Long story short: I wanted to know if it was possible to DJ via VM with minimal latency. The answer: YES!!! I set up a VM instance using QEMU/KVM running Windows 10. The rest was pretty straightforward. I set up an SMB share and installed the Serato DJ software. The Numark DJ/Serato controller was connected to the 'thin' laptop, thin meaning the latest version of Ubuntu with a minimal installation configuration.

    Latency? What latency?! There was none. The more important takeaway here is that a DJ technically doesn't need to leave home to DJ in person at a 'club' or venue. Over a robust VPN the only difference at this point would be visual. That is the next challenge: uninterrupted audio (TCP?) with a UDP video connection that is synchronized. What does that already?

  • July 13th, 2021

Just a study date with myself

    Today is Tuesday. It is currently 4:15am. I am studying for the CompTIA Cloud+ exam. The test is a little over $300, so I have decided to complete the ITProTV videos as many times as possible prior to subscription expiration and take the exam in early August. CompTIA is taking all my monies.

    Also, btw,"Kaseya Patches Zero-Days Used in REvil Attacks"

  • A. Buford
  • July 13th, 2021

Il. Secretary of State or NOT | Don't fall for stupid twice!!!

ISOS not!

    Received a text message today from phone number 312-934-6906 that read as follows:

    *-Illinois-State-Request-* Complete ensuing form to avoid termination of your License: https://t.co/bA8ZD53BAM

    URL resolves to: https://docs.google.com/forms/d/1S2gL8Llo0ILVPfw6Akox8HC-Z_lALgIuM9ZIbQ-Il_E/viewform?edit_requested=true

    Just as impressive as the Illinois Dept of Transportation phishing attempt from earlier in the week. Just as flawed also.

    What they did right?
    1. They sent the text message to a valid phone number.
    2. Phone number does not resolve to a voice line.
    3. The link actually works and forwards to a Google Form.

    What they did wrong
    1. Sent an information security researcher a hyperlink via text, again.
    2. Is using Google Forms to harvest data.
    3. ZERO gating stage to verify who accesses the page. A self-hosted form = more user data.
    4. SKIPPED the opportunity to drop a payload on insecure devices.
    
    Takeaways
    1. The text-message attack vector is becoming more common.
    2. Keep mobile devices up to date!!!
    
    ISOS not!

  • A. Buford
  • July 7th, 2021

"Zloader With a New Infection Technique"

Office registry mods again

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/

    The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document.

    After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions.

    Once the macros are written and ready, the Word document sets the policy in the registry to Disable Excel Macro Warning and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32.exe.

    Takeaways
    1. The windows registry is a goldmine
    2. Disable macro execution (unless you are 100% sure of the document)
    3. Always enable anti-virus
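
    The "registry is a goldmine" takeaway cuts both ways: the same two values the chain flips are the ones you can audit. The following is an added example, not McAfee's analysis code or this site's tooling. The post says the Word macro writes VBA into the Excel file and switches off the Excel macro warning; in Office, writing VBA programmatically requires "Trust access to the VBA project object model" (the AccessVBOM value) and the warning level is governed by VBAWarnings, both under the per-application Security key. The script parses a .reg export (the text below is constructed) and reports any Office app whose settings would let that chain run.

```python
"""Audit an exported Office registry hive for the macro-trust settings that
the Zloader chain above depends on.

Added example; not McAfee's or this site's code. The post says the Word
macro writes VBA into the Excel file and disables the Excel macro warning:
programmatic VBA writes need AccessVBOM=1 ("Trust access to the VBA project
object model") and the warning level is VBAWarnings. Those value names and
meanings are Office's own; the .reg text below is constructed for the demo.
"""
import re

# VBAWarnings: 1 = enable all macros (no prompt), 2 = disable with notification
# (Office default), 3 = disable except digitally signed, 4 = disable all.
VBA_WARNINGS = {1: "enable all macros", 2: "disable with notification",
                3: "disable unsigned", 4: "disable all"}
# The post's takeaway is to disable macros, so anything that can still run an
# unsigned macro (1 and even the default 2) is reported.
SAFE_VBA_WARNINGS = {3, 4}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
SECURITY_RE = re.compile(
    r"^HKEY_(?P<hive>CURRENT_USER|LOCAL_MACHINE)\\Software\\(Policies\\)?Microsoft\\Office\\"
    r"(?P<ver>\d+\.\d+)\\(?P<app>Word|Excel|PowerPoint)\\Security$", re.I)


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        dm = DWORD_RE.match(line)
        if dm and current is not None:
            keys[current][dm.group("name")] = int(dm.group("val"), 16)
    return keys


def audit(text):
    """List (key, finding) pairs for weak macro-trust settings.

    Keys under ...\\Software\\Policies\\... are Group Policy and override the
    per-user keys, so a finding there is the one that actually applies.
    """
    findings = []
    for key, values in parse_reg(text).items():
        if not SECURITY_RE.match(key):
            continue
        warn = values.get("VBAWarnings")
        if warn is not None and warn not in SAFE_VBA_WARNINGS:
            findings.append((key, f"VBAWarnings={warn} ({VBA_WARNINGS.get(warn, 'unknown')})"))
        if values.get("AccessVBOM") == 1:
            findings.append((key, "AccessVBOM=1 (macros may rewrite other documents' VBA)"))
    return findings


# Constructed export: Excel carries the two values the Zloader chain needs,
# Word is at the Office default, and an unrelated Options key is ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"DefaultFormat"=dword:00000033
"""

if __name__ == "__main__":
    for key, finding in audit(SAMPLE_REG):
        print(f"{key}\n    {finding}")
```

    Export the hive with `reg export HKCU\Software\Microsoft\Office office.reg` and feed the file to audit(). The AccessVBOM check is the more telling one: almost no legitimate workflow needs a document to edit another document's VBA project, so seeing it set to 1 on a user's machine is worth a look regardless of the warning level.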
    

    Back to ITProTV study. I don't intend to pay for another month unless I start eyeballing another cert (post-Cloud+).

  • A. Buford
  • July 10th, 2021

IDOT or NOT | Don't fall for stupid!!!

IDOT not!

    Received a text message the other day from phone number 208-931-1666 that read as follows:

    Illinois Department of Transportation (IDOT) Driver License Waiver Validation. Validate your details below: http://bit.ly/3yhd2Od

    There was a 0% chance of their success, because I'm "that dude", but the attack vector is very interesting.

    What they did right?
    1. They sent the text message to a valid phone number.
    2. Phone number does not resolve to a voice line.
    3. The link actually works and forwards to a Google Form.

    What they did wrong
    1. Sent an information security researcher a hyperlink via text.
    2. Sprayed. The attacker sent the same message to several people based on recon.
    3. Is using Google Forms to harvest data.
    4. ZERO gating stage to verify who accesses the page. A self-hosted form = more user data.
    5. SKIPPED the opportunity to drop a payload on insecure devices.
    
    Takeaways
    1. Text messages are attack vectors
    2. Do not open URLs from mobile phone numbers you do not know
    3. Google Forms is still 'a thing' for attackers
    4. Mobile phones have become the trending spray-and-pray platform
    5. Keep mobile devices up to date!!!
    
    IDOT not!

  • A. Buford
  • July 7th, 2021
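
    The four smishing posts on this page (IDOT, the two Illinois Secretary of State texts and the Coinbase one) share the same tells: an agency or brand name, urgency, a link hidden behind a shortener, and a destination on hosting anyone can use for free (Google Forms, Firebase's web.app). The following is an added example, not this site's tooling, that scores a message on those indicators and unwraps its link by following redirects with HEAD requests only, capped at a few hops, so nothing is rendered. The message texts are the ones quoted in the posts; the resolver takes an injectable head() function so the demo runs offline against a constructed redirect map, in which the two t.co destinations are the ones the posts report and the bit.ly destination is a constructed placeholder. The indicator lists are a starting point, not a complete ruleset.

```python
"""Score an SMS for smishing indicators and unwrap its link without
rendering anything.

Added example for the text-message phishing posts on this page (IDOT,
Illinois Secretary of State, Coinbase); it is not the author's tooling.
The message texts are the ones quoted in the posts. resolve() takes an
injectable head() function so the demo runs offline against a constructed
redirect map: the two t.co destinations are what the posts report, the
bit.ly destination is a constructed placeholder, and the indicator lists
are illustrative starting points rather than a complete ruleset.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com", "is.gd"}
# Hosts where anyone can stand up a form or page for free; a state agency or
# an exchange would not send you there.
FREE_HOSTING = {"docs.google.com", "forms.gle", "web.app", "firebaseapp.com"}
BRANDS = ("coinbase", "illinois", "idot", "licensemvr")
IMPERSONATION = re.compile(
    r"secretary of state|department of transportation|\bidot\b|illinois|licensemvr|coinbase", re.I)
URGENCY = re.compile(
    r"avoid termination|mandatory|invalid|quickly|missing|immediately|suspend", re.I)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def host_in(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def lookalike(host):
    """Brand name somewhere in the host but not in its registrable domain,
    e.g. case4333-coinbase-us.web.app. Uses a two-label approximation of the
    registrable domain; a real tool would consult the public suffix list."""
    registrable = ".".join(host.split(".")[-2:])
    for brand in BRANDS:
        if brand in host and brand not in registrable:
            return brand
    return None


def resolve(url, head, max_hops=5):
    """Follow Location headers with HEAD requests only, capped at max_hops.

    head(url) returns (status, location_or_None). The result is the chain of
    URLs visited, ending at the first non-redirect or at the hop cap.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(location)
    return chain


def score(message, head):
    """Return (points, reasons, chains); more points means more phishy."""
    points, reasons, chains = 0, [], []
    if IMPERSONATION.search(message):
        points += 1
        reasons.append("impersonates an agency or brand")
    if URGENCY.search(message):
        points += 1
        reasons.append("urgency or threat language")
    for url in URL_RE.findall(message):
        chain = resolve(url, head)
        chains.append(chain)
        first, last = host_of(chain[0]), host_of(chain[-1])
        if host_in(first, SHORTENERS):
            points += 1
            reasons.append(f"link hidden behind shortener {first}")
        if host_in(last, FREE_HOSTING):
            points += 2
            reasons.append(f"lands on free hosting {last}")
        brand = lookalike(last)
        if brand:
            points += 2
            reasons.append(f"'{brand}' in lookalike host {last}")
    return points, reasons, chains


# Constructed redirect map standing in for live HEAD requests.
REDIRECTS = {
    "https://t.co/bA8ZD53BAM": (301, "https://docs.google.com/forms/d/1S2gL8Llo0ILVPfw6Akox8HC-Z_lALgIuM9ZIbQ-Il_E/viewform?edit_requested=true"),
    "https://t.co/wMC1usiAwx": (301, "https://docs.google.com/forms/d/e/1FAIpQLSe88iCqdgV0FW5PYB03NQRqjC4lq7-WOb-1AVff48kwU3ow0g/viewform"),
    # The IDOT post says bit.ly led to a Google Form but does not give the URL.
    "http://bit.ly/3yhd2Od": (301, "https://docs.google.com/forms/d/e/CONSTRUCTED-PLACEHOLDER/viewform"),
}


def fake_head(url):
    """Offline stand-in for a HEAD request: (status, Location header)."""
    return REDIRECTS.get(url, (200, None))


# The texts quoted in the posts, plus one constructed benign message.
MESSAGES = {
    "idot": "Illinois Department of Transportation (IDOT) Driver License Waiver Validation. Validate your details below: http://bit.ly/3yhd2Od",
    "isos": "*-Illinois-State-Request-* Complete ensuing form to avoid termination of your License: https://t.co/bA8ZD53BAM",
    "coinbase": "CoinBaseRed#627488126 New*IP*Detected. If this is not you, quickly follow steps https://case4333-coinbase-us.web.app",
    "benign": "Your package is at the front desk. Thanks, Dave",
}

if __name__ == "__main__":
    for name, text in MESSAGES.items():
        points, reasons, chains = score(text, fake_head)
        print(f"{name:9} score={points} {reasons} {[c[-1] for c in chains]}")
```

    For live use, head() would issue a HEAD request with redirects disabled and return the status and Location header; doing it that way, from a throwaway network, keeps you from loading whatever the landing page serves. The hop cap matters because shortener chains are sometimes looped on purpose to hang naive resolvers.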

"Pro-Trump ‘Gettr’ Social Platform Hacked On Day One"

    https://threatpost.com/trump-gettr-social-media-hacked-day-1/167574/

    Gettr, a social media platform set up by allies of former President Donald Trump, was still wet and squirming when it got hacked – twice.

    The first slap on the rump for the politically conservative platform came in the form of Sonic the Hedgehog-themed porn that flooded it over the Fourth of July holiday weekend, as first reported by Mother Jones. Comments under the platform’s welcome message included pornographic images and GIFs, while users also spammed the platform’s first post with graphic hentai videos and images of Hillary Clinton’s face photoshopped onto a woman’s naked body, according to the outlet.

    Next, on the day of Gettr’s birth, on Sunday, July 4, came the first hack, when the profiles of many prominent members were defaced.

    Takeaways
    1. "hackers posted a database containing what they claimed were 90,000 users’ email addresses, usernames, status, location and more."
    2. "The newborn platform was inundated by Sonic the Hedgehog-themed porn and had prominent users’ profiles defaced."
    3. The platform was not vetted and was spun up way too quickly without a decent vuln assessment.
    4. "On the day Gettr launched, security and privacy researchers flagged Gettr’s poorly programmed, bug-ridden API."
    5. Called it. Literally I did. It is a 'big deal' target for greyhats and blackhats.
    

    Now, I'm going back to IT Pro TV before pre-work-dad-mode kicks in for some Cloud+ studying

  • A. Buford
  • July 7th, 2021

It was the 4th of July and..

Fireworks

    Today is a rare Sunday that actually feels like a weekend day. I, professionally, have tomorrow off. I started the day off by updating all my home servers and using some legacy-ish hardware. I attached 2TB additional storage to the Smarthome/AI home/Security server that I was able to repurpose from recently reformatted drives and an idle Mediasonic ProBox. They were originally part of the Plex Media Server build. "Don't throw away old good tech".

    Now, I wasn't very fond of having a script mount the drives when I can have the system do the same at a lower run level. You know... before the application that needs the drive is executed. Sadly, that is how I had it. I went ahead and updated the fstab file to satisfy my needs

    nano /etc/fstab
    # added to end of file: mount by UUID; nosuid = ignore setuid bits, nodev = ignore device nodes,
    # nofail = don't hold up boot if the enclosure is unplugged; dump 0, fsck pass 0
    UUID=7D43-E7F9 /mnt/7D43-E7F9 auto nosuid,nodev,nofail 0 0

    Upon reboot, the drive with UUID 7D43-E7F9 is mounted at /mnt/7D43-E7F9. nosuid and nodev are optional security measures typically used on public-facing systems, iirc. Let's see what the rest of the day has in store. It is only 6am so I have approx 1.5 hours until my first child wakes up. Study time.
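
    A quick way to catch the two things that go wrong with hand-edited fstab entries (a field left off, and a data mount that is missing the hardening options) is to lint the file before rebooting. The linter below is an added example written for this page, not a tool the post used. It parses fstab text, skips comments, and flags entries with fewer than six fields, /dev/ names that can change between boots, and non-system mount points missing nosuid, nodev or nofail. The sample fstab is constructed, not the server's real one; its third line is the post's entry with the trailing pass field left off, which mount tolerates but the linter flags.

```python
from typing import List, Tuple

# Options expected on a non-root data mount: setuid bits and device nodes are not honoured.
HARDENING_OPTS = {"nosuid", "nodev"}
# Mount points where the hardening check is skipped because the OS itself lives there.
SYSTEM_MOUNTS = {"/", "/boot", "/boot/efi", "/usr", "/var", "none", "swap"}

Finding = Tuple[int, str]  # (line number, message)


def parse_fstab(text: str) -> List[Tuple[int, List[str]]]:
    """Split fstab text into (line number, fields) pairs, dropping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append((lineno, line.split()))
    return entries


def lint_fstab(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, fields in parse_fstab(text):
        if len(fields) < 4:
            findings.append((lineno, "incomplete entry: need spec, mount point, type and options"))
            continue
        spec, mountpoint, _fstype, optstr = fields[:4]
        opts = set(optstr.split(","))
        if len(fields) != 6:
            findings.append((lineno, f"{len(fields)} fields: give dump and pass explicitly (e.g. '... 0 0')"))
        if spec.startswith("/dev/"):
            findings.append((lineno, f"{mountpoint}: /dev/ names can change between boots; prefer UUID= or LABEL="))
        if mountpoint in SYSTEM_MOUNTS:
            continue
        missing = sorted(HARDENING_OPTS - opts)
        if missing:
            findings.append((lineno, f"{mountpoint}: missing {','.join(missing)}"))
        if "nofail" not in opts:
            findings.append((lineno, f"{mountpoint}: no nofail, boot will stall if the disk is absent"))
    return findings


# Constructed sample, not the server's real fstab. The root UUID is a placeholder.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0a1b2c3d-0000-4000-8000-000000000001 / ext4 errors=remount-ro 0 1
UUID=7D43-E7F9 /mnt/7D43-E7F9 auto nosuid,nodev,nofail 0
/dev/sdc1 /mnt/media ext4 defaults 0 2
"""

if __name__ == "__main__":
    for lineno, msg in lint_fstab(SAMPLE_FSTAB):
        print(f"line {lineno}: {msg}")
```

    Run it against a copy of /etc/fstab before the reboot; the /dev/sdc1 line in the sample collects three findings, which is exactly the shape of entry a repurposed enclosure tends to end up with.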

    cloud+ test
    10:00am| Pi-Hole is working. I am having a hard time remembering my SSH password, which I need in order to update it to the most current version.
    PiHole up
    10:12am| Using the right username did help. Pi-Hole updated via pihole -up
    PiHole updated

    Our instance of Pi-Hole is running on an 8GB Raspberry Pi. Very much overkill.


    10:28am| Family time. We needed a fast CLI way to scrape from Instagram. Decided on Instaloader. Downloaded and installed the package from https://instaloader.github.io/ using python-pip3 via pip3 install instaloader. We will be doing some Greg work today at some point. Groovy!
    instaloader

    3:00pm(ish)| Coding with Greg Buford to get website completed. Done updating the blog for the day.
    family coding
    or so we thought... 4:00pm(ishhh) | Website is currently in dev. Coming soon.
    gregs site

  • A. Buford
  • July 4th, 2021

Keep opportunities within your circle

Tight circles

    About a year ago I came across an Enterprise Helpdesk $70k+/yr job opportunity. I wasn't actively looking for employment at the time but I have a habit of leaving the door open to growth. Approximately 30 minutes into the AMAZING interview I told the manager that I would not be the perfect fit for the job. She was pretty shocked. I immediately followed up with "I know somebody who would though".

    A year later... a good friend of mine has been working there for a year now. He was promoted to a SOC position within 5 months and is making a cool $85k+. Yes, the hours are LOOOONG!!! sometimes 11 plus hours per day. However, we kept the opportunity within our circle and made it work for somebody.

    His previous job was as an automotive technician making barely $40k/yr while studying for Comptia Certs.

    TLDR; Circles are small but opportunities come from all angles when your circle acts as a unit.

  • A. Buford
  • July 2nd, 2021

Thank you Momma B.. Mom

"New LinkedIn Data Leak Leaves 700 Million Users Exposed"

Linked in Breach

    https://restoreprivacy.com/linkedin-data-leak-700-million-users/

    Data from 700 million LinkedIn users has been put up for sale online, making this one of the largest LinkedIn data leaks to date. After analyzing the data and making contact with the seller, we have updated this article with more information, including how the data was obtained and the possible impact on LinkedIn users. We have also updated the post with LinkedIn’s response.

    Takeaways
    1. 92% of professional data is available
    2. This will allow attackers to better formulate attack vectors.
    3. More email addresses will be added to malicious databases
    4. This is sooo bad. I'm most likely impacted. Leaking of Physical addresses is a pretty big deal.
    Yet, no news coverage. 
    

  • -A. Buford
  • June 30th🤕, 2021

Sybex Comptia Cloud+ Study Guide book completed.

cloud+ test

    Too tired to code anything more interesting than "yay I finished"

    It took a week and a day to complete the reading material. I get to add this book to the reference materials deck. Now back to ITProTV videos.

  • -A. Buford
  • June 29th📚, 2021

The Final Chapter : Comptia Cloud+.

cloud+ test

    I just reached Chapter 10 of the Sybex book. It reads pretty quick and easy with some Kid Cudi in the background. It's like heaven on earth. Hopefully I am able to finish the text in next day or so. I really want to focus on the video material... and then see what other free materials are available online. I've invested approximately $80 so far in this certification process. The test itself is another $300(ish).

  • -A. Buford
  • June 28th🛡️, 2021

Define new limits for your baseline : Comptia Cloud+.

cloud+ test

    This morning when I decided to call it quits on reading, before any coffee!, I used the reading-amount-hand-tool to check my progress. In the span of a week I have almost completely finished this book. I'm not really sure what it is about reading another person explain technology that I find so easy to ingest. There was a long period of time where I couldn't finish a 'school required' chapter book. I was always able to consume the latest issue of 2600 or home-printer-printed, 100+ page, Rainbow books.

    TLDR; The brain is interesting. Find material that sparks your interest to perform your best.

  • -A. Buford
  • June 27th PPM!📚, 2021

Stuck on this Comptia Cloud+ book while keeping eyes on crypto.

cloud+ test

    I'm hoping to finish up another 5-10 pages tonight. Tomorrow starts the M-F gig so study time will be limited. Today was a great day with the kids.

  • -A. Buford
  • June 27th PM!📚, 2021