Saturday, August 6, 2016

Google Docs sucks vs Microsoft OneDrive


If you work with many documents in Google Docs, you quickly become irritated with its fundamental shortcomings. Moving, copying or deleting many documents really sucks with Google Docs. For this one reason and this reason alone, Google Docs sucks: no multiple file select. This should be a basic feature, Google!



With OneDrive I can select multiple files and perform actions. It's what you would expect. Moreover, I can use the keyboard to select multiple files!



Thursday, August 4, 2016

Phishing Email - Canadian Imperial Bank of Commerce (CIBC) Alert


A recent CIBC phishing email is circulating and is reproduced here for the record, in case it makes it past your Junk or Spam filter.

What to do?
Report it: mark it as a phishing email, not spam.

Report the phishing URLs at Google as well.

If you have received this email, take further action now by clicking these links:

  1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=teti.az
  2. https://www.google.com/safebrowsing/report_phish/?hl=en&url=banknerd.ca


Here is the HTML view of the email 



Here is the email viewed as text


 //banknerd.ca/wp-content/uploads/2010/01/CIBC-2.jpg>; This e-mail has been sent to me@outlook.com by Canadian Imperial Bank of Commerce.  

 

Online Banking CIBC ALERT: Due to an unusual number of failed login attempts, your online banking access has been temporarily suspended.

To restore your account access please click:

Log On to CIBC Online and proceed with the verification process. //teti.az/cbonccverify/index.php> 

IMPORTANT NOTE: If we do not receive the appropriate account verification within 24 hours, you will need to visit a CIBC branch to restore your account access.

Sincerely,
CIBC Online(SM)

 
________________________________

© Copyright Canadian Imperial Bank of Commerce 2016  © 2016 


How to tell this is a phishing email?


  1. Convert the email view from HTML to text and check for bad URLs.
  2. Hover over all links in the email; if a link is not from the CIBC.com site, then forget it.
  3. The best way is to look at the message source, see below.


How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.

For this phony email, we'll look at the "message header".





At line 21 you have Return-Path: noreply.74123618@baesystems.com
which is the dead giveaway, since the domain is not cibc.com.

Why look at "Return-Path"? When the e-mail is put in the recipient's mailbox, a new mail header is created with the name "Return-Path:" containing the address on the MAIL FROM command. So it's a quick hit to determine authenticity.
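The Return-Path and link checks described above can be scripted against a saved message source. This is an added example, not part of the original post: the Return-Path value and the link hosts come from the email above, while the From, To and Subject headers and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_DOMAIN = "cibc.com"  # the domain the email claims to come from

# Constructed sample: Return-Path and link lines are taken from the post;
# the From, To and Subject headers are made up for illustration.
SAMPLE_SOURCE = """\
Return-Path: noreply.74123618@baesystems.com
From: "CIBC Online" <alerts@cibc.com>
To: me@outlook.com
Subject: CIBC ALERT
Content-Type: text/plain

//banknerd.ca/wp-content/uploads/2010/01/CIBC-2.jpg>
To restore your account access please click:
Log On to CIBC Online and proceed with the verification process. //teti.az/cbonccverify/index.php>
"""

# Matches the host of a link, with or without an explicit http(s) scheme.
URL_HOST = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)", re.IGNORECASE)

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_domain(header_value):
    """Domain part of the address in a header such as From or Return-Path."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_message(source, expected=EXPECTED_DOMAIN):
    """Return (kind, domain) pairs for every sender or link outside `expected`."""
    msg = message_from_string(source)
    findings = []
    for kind, header in (("return-path", "Return-Path"), ("from", "From")):
        domain = addr_domain(msg.get(header))
        if not in_domain(domain, expected):
            findings.append((kind, domain))
    body = msg.get_payload()  # plain-text, single-part message assumed
    for host in sorted({h.lower() for h in URL_HOST.findall(body)}):
        if not in_domain(host, expected):
            findings.append(("link", host))
    return findings

if __name__ == "__main__":
    for kind, domain in check_message(SAMPLE_SOURCE):
        print(f"{kind}: {domain} is not {EXPECTED_DOMAIN}")
```

A Return-Path mismatch is a heuristic, since legitimate senders sometimes use a third-party bounce domain; where the mailbox provider adds an Authentication-Results header (SPF, DKIM, DMARC), that is the stronger signal.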


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down arrow to top right)->Report Phishing 

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Saturday, July 30, 2016

RegtoText - NEW command-line executable converts Windows Registry file to readable text













RegtoText converts a Registry exported file

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Appearance\New Schemes\4\Sizes\0]
"DisplayName"="@themeui.dll,-2019"
"Flat Menus"=dword:00000000
"Font #0"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,\
  00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"Size #0"=hex(b):01,00,00,00,00,00,00,00
"Size #9"=hex(b):00,00,00,00,00,00,00,00
"Color #0"=dword:00c8d0d4
"LegacyName"="@themeui.dll,-854"

into a human readable text file either UTF-8 or ASCII (￵￿ the square would be removed)

RegtoText Windows Registry Conversion Version 5.00 (sample UTF-8 export)

[HKEY_CURRENT_USER\Control Panel\Appearance\New Schemes\4\Sizes\0]
"DisplayName"="@themeui.dll,-2019"
"Flat Menus"=[REG_DWORD] 0
"Font #0"=[REG_BINARY] ￵￿      ʼ     Tahoma                         
"Size #0"=[REG_QWORD] 1
"Size #9"=[REG_QWORD] 0
"Color #0"=[REG_DWORD] 13160660
"LegacyName"="@themeui.dll,-854"

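How the typed values in the sample above decode can be shown in a few lines of Python. This is an added example, not RegtoText's own code: the function names are hypothetical, the dword and hex(b) inputs are taken from the sample above, and the remaining inputs are constructed.

```python
import re

# Type prefixes as written in a .reg export, mapped to registry type names.
TYPES = {"dword": "REG_DWORD", "hex(b)": "REG_QWORD", "hex": "REG_BINARY",
         "hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ"}

VALUE_LINE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<type>dword|hex(?:\([0-9a-f]+\))?):(?P<data>.*)$')

def join_continuations(text):
    """Merge a line ending in a backslash with the indented line after it."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)

def decode_value(kind, data):
    if kind == "dword":
        return int(data, 16)                   # written as 8 hex digits
    raw = bytes(int(b, 16) for b in data.split(",") if b)
    if kind == "hex(b)":
        return int.from_bytes(raw, "little")   # QWORD bytes are little-endian
    if kind == "hex(2)":                       # UTF-16LE, NUL-terminated
        return raw.decode("utf-16-le", "replace").rstrip("\x00")
    if kind == "hex(7)":                       # NUL-separated UTF-16LE strings
        return [s for s in raw.decode("utf-16-le", "replace").split("\x00") if s]
    return raw                                 # REG_BINARY and other hex(n)

def translate(reg_text):
    """Return (name, type, decoded value) for each typed value line."""
    out = []
    for line in join_continuations(reg_text).splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            kind = m["type"]
            out.append((m["name"], TYPES.get(kind, kind),
                        decode_value(kind, m["data"])))
    return out

# "Color #0" and "Size #0" are from the post; the other values are constructed.
SAMPLE = r'''[HKEY_CURRENT_USER\Example]
"Color #0"=dword:00c8d0d4
"Size #0"=hex(b):01,00,00,00,00,00,00,00
"Font"=hex:f5,ff,ff,ff,54,00,61,00,\
  68,00
"Path"=hex(2):25,00,54,00,00,00
"List"=hex(7):61,00,00,00,62,00,00,00,00,00
'''

if __name__ == "__main__":
    for name, reg_type, value in translate(SAMPLE):
        print(f'"{name}"=[{reg_type}] {value!r}')
```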

REGTOTEXT HELP
.FILENAME
RegToText.exe

.SYNOPSIS 
Parses a valid Windows registry exported file (.reg) and translates indecipherable hex and decimal values into a human readable text file.

.PURPOSE
The aim of this command-line executable is to make a human readable registry file. This greatly aids in searching and understanding the Windows Registry, key for developers.

.DESCRIPTION 
RegToText is a Windows console application that deciphers unreadable portions of a registry file to text. First, it checks for a valid Windows registry file ending with the file extension (.reg). Then it validates the file header: "Windows Registry Editor Version 5.00" for Windows 2000, ME, XP, 7, Vista, 8, 8.1, 10+, Server 2003+, or "REGEDIT4" for Windows 98, NT 4.0 and Server 2000-. Passing this, the process begins to translate all the hexadecimal and decimal values into the output Unicode text file. Output is written out in 250-line chunks. Upon premature termination or cancellation, the output file will contain up to the last chunk written out. Output encoding can be UTF-8 or ASCII. Some non-printable characters are cleansed; read the ENCODING notes for details. Encoding can drastically affect output file size.

The following common registry types are translated denoted by “->”;

dword:(DWORD value)  -> [REG_DWORD] textvalue
hex(b):(QWORD value) -> [REG_QWORD] textvalue
hex:(binary value)   -> [REG_BINARY] textvalue
hex(2):(expandable string value) -> [REG_EXPAND_SZ] textvalue
hex(7):(multistring value) -> [REG_MULTI_SZ] textvalue
etc...

.LIMITATIONS
Does not decode Darwin Descriptors, perhaps in future enterprise version. Vote for it.
(a very basic tool is available for download here)

Does not unpack packed GUIDs, perhaps in future enterprise version. Vote for it.
(a PowerShell script is available for download here)

.REQUIREMENTS
32-bit app which requires .NET Framework 4 Client Profile.


.ENCODING
Null (\x00) characters are translated to spaces for both encodings.  Null (\x00) characters are stripped. Characters outside the ASCII or UTF8 range are stripped. Non-printable characters less than decimal 30 are stripped, except for line feed and carriage return, for ASCII encoding. UTF8 preserves more of the original source content, but at a cost of larger output file size. More importantly, UTF8 encoding will pass a lot of unreadable and non-printable characters that may cause issues when scrolling large files in text editors. ASCII allows for maximum readability and space savings. Large files over 1G benefit tremendously from ASCII when loaded in text editors for scrolling and searching.

.TEXT EDITORS
Notepad and Notepad++ will not load 1G+ files. Textpad (memory lim), Notepad Light (up to 2G) and UltraEdit (claims 2^64-1G) will load files over 1G.

.PERFORMANCE 
Tested on 4.25M rows in 18 mins, 24 secs. Processing 921,572 subkeys and 2,344,590 key/value pairs.

.USAGE
RegtoText.exe [/h] [/v] [/s] inputfile.reg [/o:filename.txt] [/e:{UTF8|ASCII}]

.ARGUMENTS
[drive:][path]inputfile.reg            1st argument required
                                       Input registry file. If path omitted, default to current path. 
.FLAGS
(order not important)
/h|/help                               Help
/v|/version                            Version
/s|/silent                             Silent
/l|/license                            License
/e|/encoding:{UTF8|ASCII}              Output encoding. If omitted, default value:'UTF8'.

/o|/output:[drive:][path]filename.txt  Output text file. If omitted, default value:'inputfile.txt'

.INPUT
Must be valid exported registry file from REGEDIT.exe ending in .reg

.OUTPUT
Creates a Unicode text file ending in the .txt extension. If the file exists, prompts to delete it; if No, creates a timestamped file. Hexadecimal and decimal values are decoded according to the /e flag.


.EXAMPLE 
regtotext c:\Users\MDC\Documents\myfullregistryBCK.reg /e:ASCII

.AUTHOR 
metadataconsult@gmail.com (Metadata Consulting, ON, CDN) July 30, 2016

.LICENSE
To read the full license agreement, use the /l flag, or pipe it into a text file using 'regtotext /l > RTTLic.txt' to read in Notepad.

Download demo version. Read demo license.

For a commercial licensed version contact metadataconsult@gmail.com



Commercial version sample run on a new Windows 10 Pro install with Office 2016.