The Technology blog and podcast

February 2021


AR21-039B: MAR-10320115-1.v1 – TEARDROP

We’re going to publish this link to the document AR21-039B: MAR-10320115-1.v1 – TEARDROP, which is well documented for people who need to know about this. It’s a report from FireEye that CISA is providing about the TEARDROP payload and any associated files. People who come across this may find it of value while determining whether they’re infected by this attack. Thanks for reading.


fallout of covid19

This is the article.
https://www.rnz.co.nz/news/business/435877/firms-technical-debt-rising-after-lockdown-rush-for-digital-upgrades-report

So basically this is one of the major things I have been concerned about since COVID appeared, though I didn’t imagine this would be a problem. I thought security breaches, failures in the tracking systems, the fact restrictions would collapse most democratic governments; I even envisioned nuclear war with China under Trump, and him still being in power. However, this could do more damage than a nuke.

So, basically, you’re a business, and suddenly you are locking down because of COVID. Suddenly you are needing to go digital immediately. You don’t have time to do your research, you just need to go!

For those already on the way to assimilation into the Borg it just shoved it forward and probably improved things a bunch. It’s certainly improved a few of my ideas a bunch and adjusted my priorities. But for those that suddenly had to go, well, because of how it’s panned out, suddenly they have bought expensive and, as it’s turned out, unneeded software and such. There are some businesses that going digital right now does not suit, and they are now stuck with stuff they have little or no use for.

For myself I am happy I moved to getting the technology I wanted 3 years back, because I can’t get the same stuff now. The only extra thing I have had to do was upgrade and install Zoom on several computers, as well as sorting a few new technologies, but I only had to pay for 1 of them and got a bargain for the other. In my experience as a freelance tester, companies actually got more flexible in the short term, and I hope that this continues.

However, this is a problem. There is no easy way to back out of arrangements you don’t need or never needed. The only way is to contact the sellers and hope you can get out of it. This could be the biggest, or at least the next biggest, thing that could drop profits in some companies.


SANS NewsBites, news for February 5, 2021

There are a few items that caught my attention: one I blogged about here, and another I’m sticking into news notes for next week’s Security Box. You may read the SANS NewsBites by clicking on the link. If there is something that interests you, please let me know.

I see I’m behind on reading and podcast listening; it’s the way this past week has gone, but I’m looking to try and catch up. In the meantime, let me know what interests you!


Latest macOS Big Sur also has SUDO root privilege escalation flaw

This was talked about in the recent Security Now, podcast 804, but now we see that Mac is affected. No fix is available yet for Mac, but check this article to learn more.

Recently discovered Linux SUDO privilege escalation vulnerability, CVE-2021-3156 (aka Baron Samedit) also impacts the latest Apple macOS Big Sur with no patch available yet.

Source: Latest macOS Big Sur also has SUDO root privilege escalation flaw


The Security box, podcast 30: Domain discussion, a talk segment, news, notes and more

Hello everyone! Welcome to the tech podcast, as part of 986 the Mix, entitled The Security Box.

For those who don’t know, this is a weekly show on the Independent channel of the Mix’s suite of servers, and we have multiple ways of listening to the server if you wish. Please go to the Magnatune and independent channel page to learn about it and ways to listen.

The technology blog has had the program up since shortly after the program aired, but I neglected to get the show notes up on the blog which this post will cover here.

Do you not like the RSS feed because you can’t use it, or you would rather have the file on the computer? No problem! Please download the 162.57 MB file, and I hope you enjoy the show as much as I have bringing it together for you!


Now, without any further ado, let us give you the extensive show notes for this episode and we’ll see you on another edition of the program!


Welcome to podcast 30 of the Security Box. On this Security Box podcast, the goal is to talk about domains. We’ll talk about what a domain is, how they work, a little bit about the IP system, and some recent news in regards to domains, registration companies, look-alike domains and more. We’ll have news, notes, questions, comments and Michael in Tennessee with a segment to boot.

Domains discussion:

Domains are used instead of an IP address so people can get to web sites more easily. Instead of going to 198.x.x.x to get to my web site, you go to my domain name. You can easily get to the IP address where my domain is located by pinging or tracerouting the domain.

In the following example, I pinged my domain, and the next line shows my current IP.
Pinging jaredrimer.net [198.37.123.246] with 32 bytes of data:

Since the site is up, I got 4 replies (not shown here) and it returned me back to the prompt. Since multiple domains can live on one IP, just typing the IP into your browser will not give you the web site you want, and I’ve not been able to figure out how to do this without typing the domain name I want, such as jaredrimer.net.

According to the Wikipedia page on the domain name system, it goes back to the ARPANET days in the 1970s. The Stanford Research Center (SRI International, as it’s now known) maintained a hosts text file that pointed to different domains in the .edu era, which was the first domain system for that time. Elizabeth Feinler developed the first directory on ARPANET. She had to be called during business hours and would manually update it. Jon Postel would also work with her, as he was at USC’s Information Sciences Institute, as it was known then. Elizabeth came up with the DNS and WHOIS directory, as well as basing domains on the location of the computer. There’s more to this, so read the link to DNS for complete information.

Now the fun part. The DNS system and domains were not built with security in mind. With that in mind, Phishing for passwords started in the late 80s and early 90s as we discussed in earlier podcasts. Now, domains can be taken over, phishers and scammers can take domains over by social engineering, sub-domains can be created anywhere in the world, web sites can be taken, and more.

Domains must be registered with companies that can provide services for pointing domains to wherever the owner wishes them to go. Rules are in place to make sure that certain domains go in certain locations, that material suited for adults is labeled as such by the content creator, and that valid, accurate information is given whether it is public or not. ICANN is responsible for IP allocation as well as the rules governing domains, as outlined above. Registrars must be accredited for following the rules set forth by ICANN. There are large companies, small companies, and medium sized companies that may sell domains through their services. One such registrant is Net 4 India. They’re looking to get in trouble for some pretty serious stuff, and you can read more through ICANN. I found this when making sure I had the right URL to ICANN for the show notes. They may not remain a registrar if they do not comply with what is asked of them.

One large registrar is named GoDaddy. They’re based here in California, and while they’ve had their issues, they seem to be very credible and honest. People can choose who to have as a registrar, and that is all well and good. Recently, they have helped out with the SolarWinds fiasco that has plagued us since early December, but in November, an article came out saying that they were tricked into letting attackers take over domains, including the big named site escrow.com. In this case, a site called liquid.com, which is part of a network, was incorrectly given to an actor who then got access to other document storage. This isn’t the first time GoDaddy has been in the news, and the article linked here, entitled GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services, should be read for the entire story of this ordeal. I’m sure this can happen to anyone, even if you have two-factor and proper security measures in place. There are items within your account to prohibit transfers without your knowledge, but this can be bypassed by customer service in cases where it may be necessary to do so, such as law enforcement takedowns or other situations. Besides liquid.com, other sites may have been mentioned within this article which I’m not going to cover in these notes. The article linked here is coming to us from Krebs on Security, and is a great read on its own time.

One of the things we continue to see is phishing, and all kinds of things including what is known as look-alike domains. What is a Look-alike Domain? is the article title. Under “Anatomy of a Look-alike Domain” which is one of many headings within this article, it says:

Domain names act as a map to tell browsers and other applications how to find what we’re looking for. Explaining the full structure of domain names and their hierarchy is more complex than this, yet here are the basics:

There are three bullet points within the article I want to discuss.

  • The top-level domain portion on the far right can identify the location where the domain registrant resides, their organizational purpose, or even the industry of the business that registered it.
  • The second-level domain section is the address name and unique identifier often manipulated to impersonate domains used for legitimate purposes. They enable our computers to find the server where a website or email is hosted.
  • A subdomain is a part of the domain that helps registrants organize a website into different sections or categories. Subdomains can also be used to create look-alike domains. Example: phishlabs.000webhost.com.

According to the article:

The process is inexpensive, and threat actors will see a large return on their investment if they know what they’re doing and move quickly to evade detection.

As discussed earlier, domains can be cheap to buy, and now we’ve got a bigger problem with domains that look like something similar to what you might have seen elsewhere. Take the Apple emails for example. Please check out this article for complete details on this, because it is quite a lot to talk about.
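To make the three-part anatomy above concrete, here is an added example (not code from the original post or from the PhishLabs article) that splits a hostname into subdomain, second-level domain and top-level domain, then flags look-alike names where a brand such as Apple or PayPal shows up outside the brand’s own registrable domain, including the phishlabs.000webhost.com subdomain case. The public-suffix list, brand allowlist, homoglyph table and sample hostnames are all constructed for the demo and are assumptions, not data from the page.

```python
import re

# Constructed, deliberately tiny stand-in for the real public suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "uk", "co.uk", "org.uk"}

# Constructed allowlist: registrable domains each brand legitimately uses.
LEGIT_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "paypal": {"paypal.com"},
    "phishlabs": {"phishlabs.com"},
}

# Constructed table of digit/letter swaps commonly seen in look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def split_host(host):
    """Return (subdomain, second_level, tld) for a hostname.

    The longest matching public suffix wins, so "co.uk" beats "uk" and
    "example.co.uk" is the registrable domain, not "co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels), 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            break
    else:
        raise ValueError("no public suffix found in %r" % host)
    rest = labels[:-n]
    if not rest:
        raise ValueError("%r is a bare public suffix" % host)
    return ".".join(rest[:-1]), rest[-1], suffix


def registrable_domain(host):
    """The part a registrar actually sells: second-level domain plus TLD."""
    _, sld, tld = split_host(host)
    return sld + "." + tld


def normalise(label):
    """Undo common digit/letter swaps and strip separators before matching."""
    return re.sub(r"[-_]", "", label.translate(HOMOGLYPHS))


def lookalike_reason(host):
    """Return why host looks like an impersonation of a brand, or None."""
    sub, sld, tld = split_host(host)
    reg = sld + "." + tld
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            return None  # the brand's own infrastructure, nothing to flag
        if brand in normalise(sld):
            return "brand %r in second-level domain of %s" % (brand, reg)
        if brand in normalise(sub):
            return "brand %r in subdomain under unrelated %s" % (brand, reg)
    return None


SAMPLE_HOSTS = [  # constructed examples, not real phishing infrastructure
    "www.apple.com",
    "appleid.apple.com",
    "phishlabs.000webhost.com",
    "secure-paypa1.com",
    "apple-id-verify.example.co.uk",
    "jaredrimer.net",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", split_host(h), "|", lookalike_reason(h))
```

A real deployment would load the full public suffix list and feed in hostnames from certificate transparency logs or mail headers rather than the constructed sample list.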

Next week, we’ll talk about the APWG quarter 3 report on phishing and what criminals are looking for. We’ll also talk about more look-alike domain stuff coming from PhishLabs. For now, if you want to take a peek at the APWG report, read APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS and leave your thoughts on it. That article came out in December 2020.

Segments:

Michael in Tennessee is on to talk about Facebook, apps, updating phones and other odds and ends. The segment is roughly 50 minutes long.

News, Notes and more

  • Security Now, podcast 803 talks about a railway in China. I remember hearing something about this, but they were running on Flash. I guess the Chinese railway did not know that there was a timebomb in Flash which halted the railroad for half a day. Good thing I didn’t write or learn Flash; it seems like it was more of an inaccessibility problem for the disabled with screen readers until elements were made accessible. Time to be rid of it, it isn’t useful in today’s environment. Security Now goes into other agencies that might be affected by Flash’s demise. Good-bye, Flash.
  • In the same episode, Steve and Leo talk about the ransomware attacks becoming a big problem. We already know that, but according to the episode, actors may deploy a prolonged Distributed Denial of Service attack (DDoS) if you don’t pay. This was employed by two ransomware gangs, SunCrypt and Ragnar Locker. Think this is a huge problem now? If I weren’t to pay because I couldn’t afford it, keep my website offline by attacking it until I decided to pay? What else is next?
  • Also in this episode, Steve goes into great detail from about 47 minutes in till about 70 minutes in, talking about the SolarWinds breach and the fact that the actors may have started as early as February 2020. They turned off logs when they wanted to do something, turned them back on when they were done, and carefully, painstakingly, made sure they covered their tracks. TEARDROP and RAINDROP are just two variants of malware that were used. Also disclosed was the fact they removed the malicious DLLs from SolarWinds in June 2020 after they got their targets. The segment is worth listening to; the episode itself is full of items you might find of interest.
  • Emotet and other gangs have been having their operations curtailed with some loss of members. Emotet, NetWalker and TrickBot have taken big blows, but will it be enough? was written by CyberScoop, and International Action Targets Emotet Crimeware is a second article. A third article on this, Sharp Increase in Emotet, Ransomware Droppers, should go here because while the gangs are being depleted, this stuff is being used as a backbone for other malware. Researchers are still checking out what is happening, and we’ll see how things go. Read the article linked here, and continue to check out the blog for more.
  • valid.cc is one of many sites shuttered, according to an article written by Krebs on Security. ‘ValidCC,’ a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered is the title of this article.

    ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure.

    There are many types of shops out there that sell card not present data, but most source the data from other criminals in the business. The article is pretty detailed, so check it out.

  • This is some great news, U.K. Arrest in ‘SMS Bandits’ Phishing Service is the article.

    Authorities in the United Kingdom have arrested a 20-year-old man for allegedly operating an online service for sending high-volume phishing campaigns via mobile text messages. The service, marketed in the underground under the name “SMS Bandits,” has been responsible for blasting out huge volumes of phishing lures spoofing everything from COVID-19 pandemic relief efforts to PayPal, telecommunications providers and tax revenue agencies.

    If we can slow these guys down, that’s great. Keep up the great work! I just got a message about a package beginning with 1Z, supposedly a FedEx package, that was delayed. I already know the link is not what it claims to be. I have no packages for delivery at this time. Want to try again?

  • The tax man will be coming around to collect their payments for this past year, but a Krebs on Security article is talking about ID theft as part of the tax man. The Taxman Cometh for ID Theft Victims is the article, and it’s time to repeat this again. There are a lot of links within the article, so quoting anything here is impossible. Check out the article; it’s worth the read.
  • If SolarWinds wasn’t talked about enough, an article entitled After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case should be read. The first paragraph says:

    As the U.S. investigation into the SolarWinds hacking campaign grinds on, lawmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.

    I’m surprised we’re still interested in that one, but I don’t believe we got any answers on it either.

  • This Week in Security News – Jan. 29, 2021 has tons of stuff here, including parents saying yes to more screen time during these times, Sodinokibi being examined, another article on Emotet, fake Office 365 pages used for phishing attacks, CEOs being the most valuable phishing targets, three actively exploited zero-days, Linux not being out of the woods as threats are around for that, and cybercriminals using SMS to send sweepstakes, credit card and delivery scams. As part of Michael in Tennessee’s segment, I mention this.
  • Going back to January of this year, shell scripts are being used to steal cloud credentials. Malicious Shell Script Steals Cloud Credentials is the article, and maybe it’s time to bring this up as part of news notes. The subhead says: “In past cryptocurrency mining attacks, malicious shell scripts were typically used as downloaders. However, recent cases show that they now serve other purposes such as stealing sensitive data.” This is definitely worth the read.
  • Parler was shut down some time ago, and a denial of service protection company is giving up IP space belonging to them. In an article DDoS-Guard To Forfeit Internet Space Occupied by Parler we learn why. According to one paragraph written by Brian, it says:

    The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups.

    This was definitely a very interesting read.

We hope you enjoyed the program as much as we have bringing it together for you. We know there were a few tech problems; it’ll be worked on. Not sure what is up, but it’s just strange sometimes. See you on another edition of the box next time.


Small Google hack I created

Hi all.

Time to have some good hacking or tweaking.

For ages edge and me have had a love hate relationship.

Waterfox will not allow me to see basic HTML in Gmail, and future Waterfox over a certain version, 20.08, just doesn’t play nice with my system.

Edge does work, but on my AMD system it doesn’t like NVDA on Gmail addresses until I restart that.

So, I created this simple hack.

I found the links which you can use on Google for basic and standard views, then linked them on a domain shortener.

The source for the code is here.

https://support.google.com/mail/answer/15049?hl=en

Copy the links from here, then make a shortener with a service like bitly or cutt.us and put in any keyword you want, remembering that this will be public net access.

for me www.cutt.us/gmaildefault for standard

www.cutt.us/gmailweb for basic.

This isn’t really much of a hack and I should have done this ages ago, but I decided I couldn’t be bothered horsing around.

From yesterday, even with weather, Internet Explorer has become totally useless; not even Microsoft uses it.

The only thing to do is use Edge, and while that will work with weather and it’s OK, I don’t care for Edge, not even Chromium.

If standard Edge had a menu I’d go back to legacy, but that’s not an option as Winaero says it’s going to be got rid of soon.

This hack is useful if you need to admin someone’s account in standard view and want to use the more accessible and easier to use basic view.

Yes, standard view is supposed to be accessible, but I have never bothered when basic is a lot easier to use.

Of course it goes without saying that I use basic permanently on my Gmail.

Anyway, this is a small banged together fix anyone can do that I put together in like 5 minutes.

Later all.


Emotet, Solar Winds, and more: News ending February 1, 2021

Welcome to this past week’s news, and boy has it been interesting. I’m probably behind, and some of this I’ve not yet read, especially the Trend Micro stuff, but I hope that it may be of interest to you.


Emotet and Net Walker have taken hits, and multiple articles cover this. As mentioned in notations from a prior podcast, Emotet looks to be trying to rebuild, but the fact that Netwalker and Trick Bot are mentioned in the same article, makes this interesting.

As we’re learning via podcasts and articles, these things are the beginning stages of more sophisticated attacks.

The article Emotet, NetWalker and TrickBot have taken big blows, but will it be enough? is written by CyberScoop’s Tim Starks. The good news with all of this is that the gangs behind these attacks are starting to be broken up by law enforcement, so they’re having a hard time. The problem, though, is that Emotet is not what it once was: it’s still known as the banking trojan, but it isn’t used that way anymore. Read more about these in this article.

The other two articles talking about Emotet are:

The second article poses a great question, and it was also written by Mr. Starks at CyberScoop. All have different viewpoints, but they also may say some of the same things, depending on viewpoint. What do you think of these stories?


This Week in Security News, news ending January 29th, has some stuff written by Trend Micro that I’ve not yet read. It does seem interesting, to say the least. One article which I may have to read talks about parents saying yes to screen time during the pandemic. I don’t know what to think about this one; it’s a mixed bag.

One of the articles in here talks about the Sodinokibi attack. Security Now talked about this as it was known as Ransomware as a Service as well as it being a single entity that made tons of money. It was also covered when the operators said they were going to call it quits, but yet, they changed it to RAS and I guess they haven’t stopped.

Also in this news digest is another article dealing with Emotet. That’s great to see multiple sources covering this, and I hope we see more.

Use Office 365? Better look out for a phishing attack that might end up targeting C-suite folks you may know.

If phishing wasn’t a problem enough now, CEOs will be a problem if they aren’t careful, according to an article in this digest.

There’s plenty more, This Week in Security News – Jan. 29, 2021 is the article by Trend Micro. Guess you better check it out.


Security Now goes into a big ordeal on SolarWinds updates; long story short, they started setting up shop in February 2020. An article entitled Symantec connects another hacking tool to SolarWinds campaign is a little outdated, but there are more updates coming out all the time from various podcasts. If you haven’t read this, you should, and then start to see what updates there are.


If we haven’t had enough with the riots, I didn’t cover this in prior news, but it seems like Russia still can’t keep its nose clean in Russia, Iran and China exploit Capitol Hill riot to push information operations, US intel concludes, written by Sean Lyngaas. While I read it some time ago, you’ll see that this will probably not change, and I’m not going to keep this around for news notes for the podcast.



I’ve got more dating back to November, got to figure out whether I want to cover them or get rid of them, but this will be enough for today. Found something you want me to read? Get in touch!

