Thursday, October 30, 2014

Microsoft's URL Shortener (beta) service now at Bitly

I have recently been using Bitly to shorten URLs from Microsoft OneDrive, and I noticed today that the shortened URL looked different.

It looks like Microsoft's URL shortening service is now active, in partnership with Bitly, which had been rumored for a while.

For example, this OneDrive URL

shortened to a cute domain of 1drv.ms

For those that don't know, the Bitly default domain name is bit.ly,

but this URL works as well.

So its solution seems to be a URL domain alias: 1drv.ms is a branded short domain on Bitly, and the same short code also resolves on bit.ly.



The NY Times uses Bitly as well, under its own nyti.ms domain (still working in 2017); the same short code resolves on both:


https://nyti.ms/2jHV1mn

https://bit.ly/2jHV1mn
 



17-Jan-17 Update
Microsoft apparently did not like this reverse engineering of its shortening service and now produces this more obscure link:

https://1drv.ms/i/s!AvOyviiXZJmPlSc1CjtKuwc_gqVu

But expanding the short link (see the section on expanding shortened URLs below) still gets you the long URL:

https://onedrive.live.com/redir?resid=8F99649728BEB2F3!2727&authkey=!ADUKO0q7Bz-CpW4&ithint=photo%2cjpg

Note that the expanded URL carries the sharing key (authkey=...), so the short link grants exactly the same access as the long one; anyone who has either can open the file.

From here you can get a OneDrive direct download link for this file, check out my original post on this. If you need to share big files directly, you'll want to read it.





Reverse Engineer Shortened URL
Paste any shortened URL into one of these services to get the original long URL, without visiting the destination yourself:

  1. Link Expander (http://www.linkexpander.com/) gets you a preview of the link.
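As an added example (not from the original post, and not Bitly's or Microsoft's API), here is a small Python expander that does the same job as the web services above without opening the destination in a browser: it issues HEAD requests hop by hop, never follows a redirect blindly, caps the chain length, detects loops and, for an expanded OneDrive link, points out which query parameter is the sharing key. The `fetch` parameter exists so the walker can be exercised against recorded responses offline; the responses used in testing are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlparse


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects: we want to see every hop ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=10):
    """One HEAD request, no redirect following, no cookies. Returns (status, headers).
    urllib reports a 3xx as an HTTPError, which still carries the headers."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "short-url-expander/1.0"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def expand_short_url(url, fetch=http_head, max_hops=10):
    """Walk the redirect chain hop by hop. Returns (chain, final_status):
    chain[0] is the short URL, chain[-1] the last URL reached. Stops on a
    non-redirect, raises on a loop, and gives up after max_hops so chained
    shorteners cannot bounce the client around indefinitely."""
    chain = [url]
    seen = {url}
    status = None
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        location = headers.get("location")
        if not (300 <= status < 400) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(chain + [nxt]))
        seen.add(nxt)
        chain.append(nxt)
    return chain, status


def onedrive_share_params(url):
    """Pull the identifiers out of an expanded onedrive.live.com/redir link.
    The authkey is the capability that grants access to the file, so the
    short link is exactly as sensitive as this long one."""
    parts = urlparse(url)
    if not parts.hostname or not parts.hostname.endswith("onedrive.live.com"):
        return None
    q = parse_qs(parts.query)
    return {"resid": q.get("resid", [None])[0], "authkey": q.get("authkey", [None])[0]}


if __name__ == "__main__":
    import sys
    for short in sys.argv[1:]:
        hops, code = expand_short_url(short)
        print(" -> ".join(hops), "(final status %s)" % code)
        info = onedrive_share_params(hops[-1])
        if info:
            print("   OneDrive item", info["resid"], "with sharing key", info["authkey"])
```

Run it with one or more short URLs as arguments. HEAD rather than GET keeps the expander from downloading whatever sits at the end of the chain, and seeing every intermediate hop matters: a short link that passes through an unexpected third domain before landing on a familiar one is a common phishing pattern.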



Wednesday, October 29, 2014

Phishing Email - Your Apple ID was just used to download xxx - examined

Sample Phishing Email - Your Apple ID was used to download

Recently the "Your Apple ID was used to download xxx" email has come in many flavors, and if it matches the items below, there is a good chance it's a phishing email. I'll walk you through a process on how to tell for sure. This crafty email has been making its way through the spam filters of the big three email providers (Google, Outlook, Yahoo). For background on phishing emails, read the Wikipedia article.

What to do?
Report them. Hover over the iforgot.apple.com link in your copy of the email, note the real destination URL, and click the matching link below to report that site as phishing to Google.

Report Phishing URLs at Google now

If you have received this email, take further action now by clicking the link that matches the destination you saw:

  1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.pharus.com
  2. https://www.google.com/safebrowsing/report_phish/?hl=en&url=aruba.it
  3. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.sumanakeerthipiriwena.com
  4. https://www.google.com/safebrowsing/report_phish/?hl=en&url=haroldmkingsley.com
  5. https://www.google.com/safebrowsing/report_phish/?hl=en&url=amarturismo.com.br
  6. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.azizanali.com
  7. https://www.google.com/safebrowsing/report_phish/?hl=en&url=lovingcoco.com
  8. https://www.google.com/safebrowsing/report_phish/?hl=en&url=langkawiswee.com
  9. https://www.google.com/safebrowsing/report_phish/?hl=en&url=tradeajeet.com
  10. https://www.google.com/safebrowsing/report_phish/?hl=en&url=trypromocodes.com 


Subject: Your Apple ID was just used to download Candy Crush Saga or Grudge Match (2014) or "Falls Away" by Childhood or Cado HD $5.99 or Lunar Module 3D or Camera Plus Pro $2.99 or StationDigital $9.99 or Summer Games 3D, v1.2 (4+) $8.99  ... from the App Store on a computer or device that had not previously been associated with that Apple ID. Your receipt No.1145624532


Your Apple ID was just used to download Candy Crush Saga or Grudge Match (2014) or  "Falls Away" by Childhood or Lunar Module 3D or Camera Plus Pro $2.99 or StationDigital $9.99 or Camfrog PRO 6.99$ or Summer Games 3D, v1.2 (4+) $8.99 


If you initiated this download, you can disregard this email. It was only sent to alert you in case you did not initiate the download yourself.

If you did not initiate this download, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

Regards,
Apple

How to tell this is a phishing email?

  1. If the email is addressed from you to you, it's phishing.
  2. Hover over every link in the email; if any of them points anywhere other than an apple.com host, forget it. Check the registered domain, not just whether "apple.com" appears somewhere in the URL: apple.com.example.net or example.net/apple.com are not Apple.

    In the above example, all the links and source images seem to be from Apple's website except the iforgot.apple.com link.

    You can test this in the above example, since I crafted it from the source HTML of the phishing email. Try it: hover over the links to examine the source URL. Note: I have re-coded iforgot.apple.com to report pharus.com as a phishing site to Google.

    In the original phishing email, hovering over iforgot.apple.com pointed to the spam site pharus.com or www.sumanakeerthipiriwena.com. The correct link when you hover over iforgot.apple.com should be http://iforgot.apple.com.

    Reading the email in Outlook 2013 generated the pop-up "Click to follow link".
  3. The best way is to look at the message source, see below.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com -> Actions -> View Message Source.
  2. Gmail.com -> More (down arrow at top right) -> Show original.

For this phony email, we'll look at the top 25 lines of the message, formally known as the message headers.

At line 23 you have Return-Path: hosting.windows@aruba.it, which is suspect because the domain is an Italian hosting provider (.it) with nothing to do with Apple.

A geolocation of the sending IP address confirms it comes from Italy, using http://www.ipligence.com/geolocation:

Your IP address is 62.149.133.122
City: Soci
Country: Italy
Continent: Europe

Aruba.it is being investigated for PayPal phishing and has been reported to have links to the Italian Mafia. Note that Aruba is a large shared-hosting provider, so mail relayed through its servers usually means a customer account there was compromised or abused; the useful indicator is that the envelope sender is not an Apple domain.

These are valid return-paths for Apple:

  • Return-Path: do_not_reply@apple.com
  • Return-Path: bounces@insideicloud.icloud.com

Why look at "Return-Path"? When the email is delivered into the recipient's mailbox, the final mail server adds a "Return-Path:" header containing the envelope sender given in the SMTP MAIL FROM command. That makes it a quick check, but not proof on its own: MAIL FROM can be forged just like From:, so confirm with the Received: chain and the Authentication-Results: header, where the receiving server records whether the envelope sender's domain passed SPF and whether the message carried a valid DKIM signature.
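The two checks above, the hover-over-links test (item 2) and the Return-Path comparison, can be automated over the raw message source. The following Python script is an added example, not part of the original post: it parses a constructed message modelled on the one quoted above (apple.com in From:, aruba.it in Return-Path:, a link whose visible text says iforgot.apple.com but whose href goes to www.pharus.com) and reports the envelope mismatch and every deceptive anchor. The trusted-domain set and the two-label registrable-domain helper are simplifications I chose for the example; a production tool would use the Public Suffix List.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phishing message quoted in this post. Not a
# real captured message: headers, Received line and link targets are made up
# from the details the post gives (aruba.it relay, pharus.com landing page).
RAW_MESSAGE = b"""\
Return-Path: <hosting.windows@aruba.it>
Received: from webmail.aruba.it (62.149.133.122) by mx.example.net; Wed, 29 Oct 2014 08:11:02 +0000
From: Apple <do_not_reply@apple.com>
To: victim@example.net
Subject: Your Apple ID was just used to download Candy Crush Saga
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.apple.com/images/logo.png">
<p>If you did not initiate this download, go to
<a href="http://www.pharus.com/apple/login.php">iforgot.apple.com</a>
to change your password, then see
<a href="https://www.apple.com/support/appleid/">Apple ID: Tips for protecting the security of your account</a>.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"apple.com", "icloud.com"}  # domains the impersonated brand really uses


def registered_domain(host):
    """Crude registrable-domain guess (last two labels). A real tool consults the
    Public Suffix List so that names like amarturismo.com.br come out right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(msg, name):
    """Domain part of the address in header `name`, or None if absent."""
    value = msg.get(name)
    if value is None:
        return None
    _, addr = email.utils.parseaddr(str(value))
    return addr.rpartition("@")[2].lower() or None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


LOOKS_LIKE_URL = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def find_deceptive_links(html):
    """Flag anchors whose visible text names one domain while the href points at
    another (the iforgot.apple.com -> pharus.com trick), and anchors that leave
    the brand's trusted domains at all."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registered_domain(href_host)
        reasons = []
        if LOOKS_LIKE_URL.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != href_dom:
                reasons.append("text says %s but href goes to %s" % (shown, href_host))
        if href_dom not in TRUSTED_DOMAINS:
            reasons.append("href domain %s is not a trusted brand domain" % href_dom)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def analyze(raw_bytes):
    """Envelope-vs-From comparison plus link inspection over one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_dom, rp_dom = header_domain(msg, "From"), header_domain(msg, "Return-Path")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # A Return-Path domain unrelated to From: is the signal the post describes.
        # Legitimate bulk senders do it too (bounces@insideicloud.icloud.com), so
        # treat it as a prompt to read Received:/Authentication-Results:, not proof.
        "envelope_mismatch": registered_domain(rp_dom or "") != registered_domain(from_dom or ""),
        "deceptive_links": find_deceptive_links(html),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(RAW_MESSAGE), indent=2))
```

To use it on a real message, save the "Show original" / "View Message Source" output to a file and pass its bytes to `analyze()`. Parsing the anchors instead of trusting the rendered text is the programmatic equivalent of hovering over every link.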


Report Phishing Email (not as Spam)

  1. Outlook.com -> Junk (at top) -> Phishing Scam
  2. Gmail.com -> More (down arrow at top right) -> Report Phishing


Report Phishing URLs at Google now

Hover over the iforgot.apple.com link, match the destination URL against the report links at the top of this post, and click the matching one to report the site as phishing to Google. If you don't see your URL there, add a comment below.

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Tuesday, October 21, 2014

Setting Microsoft Lync Profile Picture with a custom picture on OneDrive

Need to set your Microsoft Lync profile picture to a web address of your own custom picture? Here's how to use an image located in your OneDrive as your Lync account "My Picture".




Note: Lync profile pictures should be 72 px (w) by 108 px (h) and under 30 KB.
In OneDrive, right-click the picture you want as your Lync profile picture and choose Embed. (I know the example below is a file; the process is the same.)

This will bring up the Embed pop-up.
Highlight and copy the embed HTML code and paste it into a text editor:

<iframe frameborder="0" height="120" scrolling="no" src="https://onedrive.live.com/embed?cid=8F99649728BEB2F3&resid=8F99649728BEB2F3%212780&authkey=AHGTayWelaWRDMA" width="98"></iframe>

Extract the src link, which looks like this:
https://onedrive.live.com/embed?cid=8F99649728BEB2F3&resid=8F99649728BEB2F3%212780&authkey=AHGTayWelaWRDMA
Replace embed? with download? to get:
https://onedrive.live.com/download?cid=8F99649728BEB2F3&resid=8F99649728BEB2F3%212780&authkey=AHGTayWelaWRDMA
Now paste this link into "Show a picture from a web address" in Lync 2010 or "Show a picture from a website" in Lync 2013 for Windows. Clicking the "Connect to Picture" button should report that it connected to the picture successfully.

Keep in mind that the authkey in this URL is what grants access: the embed link is an anonymous sharing link, so anyone who obtains it can fetch the file. Use a picture you are happy to publish.

Update: get the link for your profile picture at my other post:
http://metadataconsulting.blogspot.ca/2017/01/OneDrive-2017-Direct-File-Download-URL-Maker.html

More information: How to change your Lync profile picture, from Microsoft Support.


Tuesday, October 14, 2014

Microsoft WINDOWS API CODE PACK v1.1 Download

Windows API Code Pack v1.1 for download
Surprisingly, it is difficult to find the original documentation, so here is the full original Microsoft Windows API Code Pack v1.1 for download with source, binaries and full documentation. You can get the binaries (DLLs) on NuGet but not the documentation.


Unadulterated download




RELEASE OVERVIEW

The major changes in v1.1 of the Windows API Code Pack include:
  • Code clean-up
    • Addressed many FxCop violations and PREfast warnings
    • Various spot-fixes for improved stability
    • Added string localization preparation
  • Bug fixes within the Code Pack and samples
  • New features
    • PropVariant (re-designed)
    • Thumbnail handlers
    • Preview handlers
    • ShellObjectWatcher
  • New demos and sample applications
  • Visual Studio 2010 compliance
  • xUnit test coverage
  • Signed assemblies

Sunday, October 12, 2014

Phishing Email - Your Apple ID was used to download Candy Crush, Reset your password

The body of this post is identical to the October 29, 2014 post above.

Friday, October 10, 2014

Locking down Adobe Reader to prevent PDF vulnerabilities, as much as possible

Adobe PDF vulnerabilities, a rising risk - why?

This was primarily due to increased exploitation of vulnerabilities in Adobe Reader and Adobe Acrobat software, as shown in Figure 2 from
http://blogs.technet.com/b/mmpc/archive/2013/04/29/the-rise-in-the-exploitation-of-old-pdf-vulnerabilities.aspx
Figure 2: Computers affected with exploits for document readers and editors
The Win32/Pdfjsc family was the significant contributor to the rise in 4Q12. It is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities.

How do you get infected? A brief explanation

1) Adobe Reader, like many other document applications, can be scripted for added functionality.

In the case of Microsoft Office, functionality is added via macros written in Visual Basic for Applications, and macros are now disabled by default (you get a prompt) for new installs. (This has been a long sore spot for Microsoft, and is one of the motivations for moving Office 365 into the cloud: Office Online renders a document on Microsoft's servers without running its macros, so opening a bad document there does not infect your local machine.) Adobe Reader specifically uses JavaScript as its "macro" language. Note that this script runs on Mac and Windows alike, so don't kid yourself that Macs are safer. Also, these scripting vulnerabilities are not limited to the two aforementioned companies; they are just the most popular and therefore the best-paying targets for attackers. OpenOffice uses Basic as its scripting language, Apple's Keynote, Numbers and Pages use AppleScript, and many text editors and IDEs have their own macro language.

2) Adobe Reader is trusted once installed, so scripts can be programmed to do bad things in a trusted state.

Just the simple act of opening the PDF file can exploit a vulnerability to automatically download malicious code from the internet, and display a decoy PDF file to trick you into believing nothing wrong has happened. Since Adobe Reader is installed and fully trusted, all the permissions have been set in your OS and usually in your antivirus and firewall. Moreover, a PDF can launch sub-programs through a /Launch action, running a command line with the same trust as Reader itself. These downloaded programs "should" be picked off by the best antivirus programs, but they are clearly falling behind the onslaught of crafted payloads.

Again, these downloaded PDF files contain JavaScript that executes when the file is opened, wired to the document's OpenAction or a page-open event so nothing further is required from the user. The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files that use the Win32/Pdfjsc exploit may arrive on the system when a user visits a compromised or malicious web page, or opens a malicious PDF email attachment.
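To make the mechanism concrete, here is an added Python triage script (not from the original post, nor from Microsoft or Adobe) in the spirit of pdfid: it counts the PDF name tokens that turn a document into a program (/JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile), undoes the #xx hex escapes obfuscated samples use to hide those names, looks inside FlateDecode streams, and flags calls to Reader JavaScript APIs with an exploit history such as util.printf and Collab.getIcon. The two PDFs it scans are constructed, harmless stand-ins, not real Pdfjsc samples.

```python
import re
import zlib

# Constructed samples (not real malware). The first mimics the Pdfjsc pattern:
# the catalog's /OpenAction points at a JavaScript action, the action name is
# hex-escaped (/#4Aava#53cript) the way obfuscated droppers hide it, and the
# script calls util.printf(), an API exploited by old Reader bugs.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /#4Aava#53cript /JS 5 0 R >> endobj
5 0 obj << /Length 86 >> stream
var s = unescape("%u4141%u4141"); while (s.length < 4096) s += s; util.printf("%45000f", s);
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name tokens worth counting: JavaScript plus an automatic action is what makes
# a PDF run code on open; /Launch and /EmbeddedFile are the other usual suspects.
INDICATORS = [b"JS", b"JavaScript", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile",
              b"RichMedia", b"URI", b"AcroForm", b"XFA", b"ObjStm", b"JBIG2Decode"]

# Reader JavaScript APIs with exploited bugs in their past (util.printf,
# Collab.getIcon, Collab.collectEmailInfo, media.newPlayer) and the helpers
# heap-spray shellcode loaders lean on.
API_HINTS = [b"util.printf", b"Collab.getIcon", b"Collab.collectEmailInfo",
             b"media.newPlayer", b"unescape(", b"eval("]


def unescape_names(data):
    """Undo #xx hex escapes in PDF names so /#4Aava#53cript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data):
    """Bodies of every stream object, inflated when FlateDecode applies; other
    filters are left as-is (a thorough scanner decodes those too)."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass
        bodies.append(body)
    return bodies


def triage(pdf_bytes):
    """Count indicator names and exploit-prone API calls; return a summary dict."""
    data = unescape_names(pdf_bytes)
    scope = data + b"\n" + b"\n".join(stream_bodies(data))
    counts = {n.decode(): len(re.findall(rb"/" + re.escape(n) + rb"(?![A-Za-z0-9])", scope))
              for n in INDICATORS}
    api_hits = [h.decode() for h in API_HINTS if h in scope]
    findings = []
    if counts["JS"] or counts["JavaScript"]:
        findings.append("contains JavaScript")
        if counts["OpenAction"] or counts["AA"]:
            findings.append("JavaScript bound to an automatic action: runs when the file opens")
    if counts["Launch"]:
        findings.append("/Launch action: can start an external program")
    if counts["EmbeddedFile"]:
        findings.append("embedded file: possible dropped payload")
    if api_hits:
        findings.append("exploit-prone API calls: " + ", ".join(api_hits))
    verdict = "suspicious" if findings else "no scripted content found"
    return {"counts": counts, "api_hits": api_hits, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    import json
    import sys
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, blob in targets or [("suspicious sample", SUSPICIOUS_PDF), ("benign sample", BENIGN_PDF)]:
        print(name, json.dumps(triage(blob), indent=2))
```

Run it with PDF paths as arguments, or with none to see both built-in samples. A scanner like this tells you a file contains code before you open it; it cannot tell you the code is malicious, so treat "suspicious" as "open only in a sandboxed or online viewer".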

Upload questionable PDFs to an online drive

An easy solution is to use Microsoft OneDrive or Google Drive: upload the PDF and open it in the web viewer there. Do this for any questionable PDF. I would recommend doing the same with any questionable document, such as Word, PowerPoint or Excel files. The file is rendered on the provider's servers, so its scripts never run in a reader on your machine.

If your default browser is Microsoft Internet Explorer you may have to do some work to download a PDF directly to your hard drive without opening it in Adobe Reader first. Check out this article: http://stopmalvertising.com/security/adobe-reader-lockdown-saving-pdf-files-in-internet-explorer-9-and-10/all-pages.html to do that; it also works for IE 11.

Additionally, there are "PDF scanners" you can use to check a PDF for suspicious content before opening it, see this article (scroll to the end for a good list of free software; you have to be technically declined ;).

Good News - Stop PDFs running malicious scripts
Here's how to lock down Adobe Reader. The first two are essential; on top of them, set a firewall rule to block Adobe Reader completely (see the additional steps below).

1) Disable JavaScript in Adobe Reader - it's a preference!

    In Adobe Reader choose Edit -> Preferences, select the JavaScript category and uncheck "Enable Acrobat JavaScript".

2) Block PDFs connecting to external sites in Adobe Reader

While in Preferences, select Trust Manager and:
a) Uncheck "Allow opening of non-PDF file attachments with external applications".
b) Under "Internet Access from PDF Files outside the web browser", click Change Settings and choose "Block PDF files' access to all web sites".

3) In Security (Enhanced), turn off "Automatically trust sites from my Win OS security zones" (and leave Enhanced Security and Protected Mode enabled). This prevents the demonstrated social engineering attack that relies on the /Launch action described in the PDF specification (ISO 32000-1:2008) under section 12.6.4.5, Launch Actions.
4) In Multimedia Trust (legacy), turn off "Allow multimedia operations". This stops Adobe Flash Player and other players being used from within a PDF (Flash is another hugely exploited program; is anyone seeing a pattern here with Adobe?).

5) In Online Services, turn off "Always connect when opening documents enabled for live collaboration".

6) Set Tracker to Never.

Additional steps to lock down Adobe Reader

1) Add an outbound rule for Adobe Reader in Windows Firewall to block it from reaching the internet. While you are there, add an inbound rule as well. This is an independent layer, not a duplicate of step 2: an exploit that takes control of the Reader process can ignore Reader's own preferences, but the OS firewall is enforced outside Reader.
2) Note that Microsoft Windows only allows one active firewall at a time. This means that if your antivirus solution has a firewall, it takes over from the Windows Firewall and the rules must be created there instead. Here's how to set a firewall rule in Kaspersky