Monday, January 30, 2017

Phishing Email - ScotiaBank Online Banking

For the record, here is a recent phishing email pretending to be from ScotiaBank Online Banking.

The plain-text body of this email reveals the rogue link (the "Click here" link, line 15 of the listing below): fenc.daewonit.com/baoa/index.php, which is hosted in Seoul, Korea.

The interesting thing is that the email was sent from hogan.com, which is a legitimate website; clearly that site has been compromised ("zombified") and is being used to send the mail.


From: Message.069.From.S.c.o.t.i.a_B.a.n.k.ID.0654654654@hogan.com <Message.069.From.S.c.o.t.i.a_B.a.n.k.ID.061778978789886@hogan.com>
Sent: January 30, 2017 5:37 PM
To: xxxxxxxxxxxxx@hotmail.com
Subject: Reminder: Last Notification! (0697)

//click.mail.onedrive.com/?qs=4a5238b3673f348dcb22162d32a60cb3d0e0df71bc28d3c7216a7793fff575a9e35d54e16f7144ce9ff6ec843855eb26416dcd82ee17b30b 
xxxxxxxxxxxx@hotmail.com.
[img]


You are no longer allowed to access your ScotiaBank Online Banking. We had to disable your online access for your security.

This can be because of a recent change in your address or submitting incorrect information during the initial registration process.
Please verify your account within the next 24 hours in order to avoid full online suspension. //click.mail.onedrive.com/?qs=32b26e68be826244f798f60445dfd85de29d309e84058c43d950e053e97cfedf416cf5597446254a50fb196c75dd980151f2da54664bc0a5
Click here <http://fenc.daewonit.com/baoa/index.php> to verify your information and remove the suspension on your account or follow this secure link:
//www2.scotiaonline.scotiabanking.com/online/unsuspend-xxxxxxxxxxxx@hotmail.com-0697837489/auth.bns<http://fenc.daewonit.com/baoa/index.php>

After the secure online verification you will be able to use your account as usual.

2017 (30th of January) Scotiabank Canada

click.mail.onedrive.com/?qs=32b26e68be8262447dac7c9c958b6a8cf15309d26c5595370b292318002995219672f1afb35e65aa6c89234293b2b2ee899e12feee755dd0
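The two tells in the message above are a display name that spells out the bank with dots ("S.c.o.t.i.a_B.a.n.k") while the sending domain is hogan.com, and a "secure link" whose visible text is a scotiabanking.com URL while the real target in angle brackets is fenc.daewonit.com. The following Python script is an added example (not part of the original post) that checks a text-rendered message for exactly those two patterns; the sample message is a constructed, abbreviated copy of the one above, with the tracking URLs dropped and a placeholder recipient, and the brand tokens are an assumed allow-list.

```python
import re
from urllib.parse import urlparse

# Constructed sample: abbreviated text rendering of the phishing message above.
SAMPLE = """From: Message.069.From.S.c.o.t.i.a_B.a.n.k.ID.0654654654@hogan.com <Message.069.From.S.c.o.t.i.a_B.a.n.k.ID.061778978789886@hogan.com>
Subject: Reminder: Last Notification! (0697)

Click here <http://fenc.daewonit.com/baoa/index.php> to verify your information or follow this secure link:
//www2.scotiaonline.scotiabanking.com/online/unsuspend-user@example.com-0697837489/auth.bns<http://fenc.daewonit.com/baoa/index.php>
"""

# Brand tokens a genuine Scotiabank mail would also carry in its sender domain (assumed list).
BRAND_TOKENS = ("scotiabank", "scotia")
# "visible text <actual target>" pairs, as mail clients render links in plain text.
LINK_RE = re.compile(r"(\S+)\s*<(https?://[^>\s]+)>")
FROM_RE = re.compile(r"^From:\s*(.*?)\s*<([^>]+)>", re.MULTILINE)


def apex(host: str) -> str:
    """Naive registrable domain: the last two labels (good enough without a public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(message: str) -> dict:
    """Flag brand impersonation in the From header and visible/actual link host mismatches."""
    report = {"sender_domain": None, "brand_spoof": False,
              "mismatched_links": [], "target_hosts": []}
    m = FROM_RE.search(message)
    if m:
        display, address = m.group(1), m.group(2)
        report["sender_domain"] = address.rsplit("@", 1)[-1].lower()
        # Strip the dot/underscore obfuscation ("S.c.o.t.i.a_B.a.n.k") before matching.
        flat = re.sub(r"[^a-z0-9]", "", display.lower())
        claims_brand = any(t in flat for t in BRAND_TOKENS)
        domain_has_brand = any(t in report["sender_domain"] for t in BRAND_TOKENS)
        report["brand_spoof"] = claims_brand and not domain_has_brand
    for visible, target in LINK_RE.findall(message):
        thost = urlparse(target).netloc.lower()
        if thost and thost not in report["target_hosts"]:
            report["target_hosts"].append(thost)
        # netloc is empty unless the visible text is itself a URL ("//host/..." or "http://host/...").
        vhost = urlparse(visible).netloc.lower()
        if vhost and apex(vhost) != apex(thost):
            report["mismatched_links"].append((vhost, thost))
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over the sample, the script reports sender_domain hogan.com, brand_spoof True, a single real target host (fenc.daewonit.com) and one mismatched link pairing the scotiabanking.com display URL with the daewonit.com target; the same checks can be run over any message saved as text from a mail client.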



Whois Record lookup for fenc.daewonit.com
Email:
Registrar: DOTNAME KOREA CORP
Registrar Status: ok
Dates: Created on 2011-03-07 - Expires on 2017-03-07 - Updated on 2016-03-06
Name Server(s): DNS.MIREENE.COM (has 5,979 domains)
IP Address: 112.217.208.42 - 1 other site is hosted on this server
IP Location: Seoul - Seoul - Lg Dacom Corporation
ASN: AS3786 LGDACOM LG DACOM Corporation, KR (registered Aug 01, 2002)
Domain Status: Registered And Active Website
Whois History: 40 records have been archived since 2008-11-11
IP History: 5 changes on 5 unique IP addresses over 13 years
Registrar History: 2 registrars with 2 drops
Hosting History: 9 changes on 6 unique name servers over 12 years
Whois Server: whois.dotname.co.kr
Website Title: "This is Daewon Information Technology." (original Korean: 대원정보기술입니다.)
Server Type: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.8
Response Code: 200
SEO Score: 44%
Terms: 81 (Unique: 74, Linked: 59)
Images: 39 (Alt tags missing: 39)
Links: 50 (Internal: 50, Outbound: 0)
Whois Record (last updated on 2016-12-21)

InPrivate/Incognito browsing leaves traces on disk with IE/Edge, and Google Chrome's Incognito mode still leaves your browsing history online!

Microsoft IE

Microsoft describes "InPrivate Browsing" mode as:

"When checking e-mail at an Internet café or shopping for a gift on a family PC, you don't want to leave any trace of specific web browsing activity. InPrivate Browsing in Internet Explorer 8 helps prevent your browsing history, temporary Internet files, form data, cookies, and usernames and passwords from being retained by the browser, leaving no evidence of your browsing or search history."

This, however, isn't strictly true. Sure, you can delete the history, cookies and even the Temporary Internet Files, but what Microsoft has NOT told you is that, just as in regular mode, EVERY website you visit, whether in "InPrivate" browsing mode or not, is recorded in the index.dat files.

Windows 7 index.dat locations:
C:\Users\\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\\Roaming\Microsoft\Windows\Cookies\Low\index.dat
C:\Users\\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
C:\Users\\Local\Microsoft\Windows\History\History.IE5\index.dat\MSHistXXXXXXXXXXX\index.dat
C:\Users\\Local\Microsoft\Windows\History\History.IE5\Low\index.dat\MSHistXXXXXXXXXXX\index.dat
C:\Users\\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
C:\Users\\Roaming\Microsoft\Internet Explorer\UserData\index.dat
C:\Users\\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat



Update Apr 19 2017: Microsoft Edge

Forensic examination of most web browsers has shown that they make no provision for storing the details of privately browsed sessions: private browsing is provided for a purpose, i.e. browsing the web privately, and that is what is delivered.
In the case of Microsoft Edge, however, even private browsing isn't as private as it seems. Previous investigations of the browser have revealed that websites visited in private mode are also stored in the browser's WebCache file:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache

Google Chrome

Google Chrome stores history, bookmarks, saved passwords, thumbnails, etc. at
"[Username]\Local Settings\Application Data\Google\Chrome\User Data".

So you can wipe out all browsing traces by deleting this folder.

A new window will open with the incognito icon in the corner. You can continue browsing as normal in the other window.

You can also use the keyboard shortcuts Ctrl+Shift+N (Windows, Linux, and Chrome OS) and ⌘-Shift-N (Mac) to open an incognito window.

Browsing in incognito mode only keeps Google Chrome from storing information about the websites you've visited. The websites you visit may still have records of your visit, and any files saved to your computer will remain on your computer. For example, if you sign into your Google Account on http://www.google.com while in incognito mode, your subsequent web searches are recorded in your Google Web History. In this case, to prevent your searches from being stored in your Google Account, you'll need to pause your Google Web History tracking.


Update Apr 19 2017

It has become quite complicated to stop your Google Web History online, because there are now many more options to review.

Stopping your Google Web History online applies to both normal Google Chrome sessions and Incognito sessions; the preferences make no distinction between the two.

Step 1

This is your starting point: review all the privacy controls at
https://support.google.com/accounts/topic/7188674?hl=en&ref_topic=6152259

Step 2

To stop your online web search history, choose
       Delete searches & other activity from your account
using https://support.google.com/accounts/answer/465?hl=en&ref_topic=7188674

Go to "Stop saving activity" in the middle of the page.

Choose the "Activity controls" link.

Step 3

Review the "Activity Controls" page and use the slider on the right to pause your Browsing History.

Step 4

Review this for all of your platforms.
Go back to the previous page and scroll to the bottom.

Step 5

Repeat these steps for all platforms.

Step 6

Review all privacy settings at Google.
https://support.google.com/accounts/topic/7188674?hl=en&ref_topic=6152259

Thursday, January 19, 2017

A brief review of Kaspersky's Secure Connection VPN

Start the new year with a bang in productivity with Kaspersky Secure Connection.

Get into what most IT and security professionals have been doing for years.
Get into what corporations provide for mobile workforces.
Get into a VPN.

Kaspersky has released a new product called Secure Connection that has finally made using a VPN a snap for home and independent users, so you can surf public Wi-Fi hotspots easily, securely and affordably!


What is Kaspersky Secure Connection?

Secure Connection creates a Virtual Private Network (VPN), establishing a virtual point-to-point connection from your device to a destination VPN server using dedicated connections, virtual tunneling protocols and traffic encryption.

The VPN is an encrypted tunnel from your device directly to Kaspersky's VPN servers, which lets you access every website and online service privately and securely.

VPN encrypted tunnel over (through) any Wi-Fi connection

Kaspersky Secure Connection is really easy to use. So now, when you are at a coffee-shop office or at the airport catching up on work, you can surf safely!


Side Benefit - Hide your real IP address, and surf from another country

The side benefit of a VPN is that your computer's IP address is issued from the country you choose, so all your internet traffic will appear to be coming from that country. Secure Connection lets you choose from a slew of destination servers located in countries around the world; there are 18 countries to choose from so far.

So now, for example, you can watch @Midnight with Chris Hardwick on Comedy Central (http://www.cc.com/shows/-midnight) without the videos being blocked (this is mentioned only as a proof of concept, not to condone the behaviour).

Most importantly, you can easily test your own website from multiple countries: language handling, performance, penetration testing, etc.

Price - Amazing at $29.99 USD per year

The ease of use and performance of Kaspersky Secure Connection are truly fantastic, and you can't ignore this price.


Ease of Use

Here is the interface; it is quite simple.

Stability - Still Analyzing

Well, after paying for one month and then purchasing the year plan, I have to say it's been pretty solid.

I did a ping test for half an hour to Google's DNS server 8.8.8.8 to check for packet loss; there was none. DO NOT DO THIS to Google's DNS servers: I got a "suspicious traffic" prompt on all Google properties for 3 days afterwards.

Performance - Great

Performance is impressive! I tested from my home WIFI network with little delay to my base speed!


Base Speed test, Kaspersky Secure Connection not enabled.


Speed tests with Kaspersky Secure Connection enabled.

USA VPN Server Speed - http://speedtest.bellaliant.net/

Canadian VPN Server Speed - http://speedtest.bellaliant.net/

List of Countries

You can surf with your IP appearing to come from the following countries:


  1. Germany
  2. Russia
  3. Hong Kong
  4. Japan
  5. Denmark
  6. Mexico
  7. France
  8. Ukraine
  9. Spain 
  10. Sweden
  11. Singapore
  12. Czech Republic
  13. United Kingdom
  14. Republic of Ireland
  15. Turkey
  16. U.S.A
  17. Canada
  18. Netherlands
The order, as it appears in the software, makes no sense. The list also lacks any countries in South America or Australia.


Activation of License / How to set up Kaspersky Secure Connection

Activation is painful: there is a delay before the subscription kicks in, and you are not told that up front.

Additionally, you have to set up an account at the my.kaspersky.com portal to enter the activation code and add your device.

These are minor inconveniences, but it is not a smooth, intuitive experience.

This help guide (with screenshots) will help you immensely, I found after

You will see the following instructions (this is only a partial list):
  1. Open Kaspersky Secure Connection and choose Subscription in the menu.

    ...

  1. The license will be activated automatically within an hour. Kaspersky Secure Connection will show the corresponding notification that all limitations have been removed.




Disable Automatic Renewal & Remove your Credit Card info immediately

Kaspersky has outsourced payment collection to Digital River, and Digital River has been hacked before. So:
TIP: Remove your credit card info once you have completed the transaction.

VPN Kill Switch

Definitely the only negative I could find with this offering.

The purpose of a VPN kill switch is to immediately disconnect the Wi-Fi connection when the VPN disconnects, so you don't bleed private info. This is not built into the client.

I am working on one; contact metadataconsult@gmail.com for inquiries.
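The kill switch described above is a fail-closed control: the Wi-Fi link must go down the moment the VPN tunnel goes away, and stay down until the tunnel is back, so that no traffic leaves in the clear in between. The Python script below is an added example of that logic, not Kaspersky's code or the author's tool. It assumes the VPN shows up as a network adapter whose name contains one of the hint strings (a guess; check ipconfig or ip link for the real name), and its real-world hooks assume netsh on Windows and nmcli on Linux; the simulate() helper drives the same logic over constructed adapter snapshots so the behaviour can be checked without touching a real interface.

```python
import os
import platform
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, List

# Substrings that identify the VPN adapter in the interface list (assumed defaults).
VPN_ADAPTER_HINTS = ("tun", "tap", "wg", "kaspersky")


@dataclass
class KillSwitch:
    """Fail-closed monitor: when the VPN adapter disappears, cut the Wi-Fi link
    and keep it cut until the VPN adapter is seen again."""
    list_adapters: Callable[[], List[str]]   # returns the current interface names
    block: Callable[[], None]                # drops the Wi-Fi link
    unblock: Callable[[], None]              # restores it
    grace_polls: int = 2                     # consecutive misses tolerated before blocking
    blocked: bool = False
    misses: int = 0
    events: List[str] = field(default_factory=list)

    def vpn_present(self) -> bool:
        names = [n.lower() for n in self.list_adapters()]
        return any(hint in name for name in names for hint in VPN_ADAPTER_HINTS)

    def poll(self) -> str:
        """One check. Returns the event: up, miss, block, blocked or unblock."""
        if self.vpn_present():
            self.misses = 0
            if self.blocked:
                self.blocked = False
                self.unblock()
                return self._record("unblock")
            return self._record("up")
        if self.blocked:                 # still down: stay closed, do not flap
            return self._record("blocked")
        self.misses += 1
        if self.misses >= self.grace_polls:
            self.blocked = True
            self.block()
            return self._record("block")
        return self._record("miss")      # short blip inside the grace window

    def _record(self, event: str) -> str:
        self.events.append(event)
        return event


def simulate(snapshots: List[List[str]], grace_polls: int = 2):
    """Drive the switch over constructed adapter snapshots; returns (events, actions taken)."""
    current: List[str] = []
    actions: List[str] = []
    ks = KillSwitch(list_adapters=lambda: current,
                    block=lambda: actions.append("block"),
                    unblock=lambda: actions.append("unblock"),
                    grace_polls=grace_polls)
    for snap in snapshots:
        current[:] = snap
        ks.poll()
    return ks.events, actions


# Real-platform hooks. Assumptions: the "Wi-Fi" adapter name and the netsh
# table layout (blank line, header, dashes, then one interface per row).
def linux_adapters() -> List[str]:
    return os.listdir("/sys/class/net")


def windows_adapters() -> List[str]:
    out = subprocess.run(["netsh", "interface", "show", "interface"],
                         capture_output=True, text=True, check=False).stdout
    return [line.split(None, 3)[-1] for line in out.splitlines()[3:] if line.strip()]


def windows_wifi(enabled: bool) -> None:
    state = "enabled" if enabled else "disabled"
    subprocess.run(["netsh", "interface", "set", "interface", "Wi-Fi", f"admin={state}"], check=False)


def nm_wifi(enabled: bool) -> None:
    subprocess.run(["nmcli", "radio", "wifi", "on" if enabled else "off"], check=False)


if __name__ == "__main__":
    on_windows = platform.system() == "Windows"
    wifi = windows_wifi if on_windows else nm_wifi
    ks = KillSwitch(list_adapters=windows_adapters if on_windows else linux_adapters,
                    block=lambda: wifi(False), unblock=lambda: wifi(True))
    while True:                          # needs admin/root to change adapter state
        print(ks.poll())
        time.sleep(2)
```

The grace window is the design trade-off: one poll without the adapter is tolerated (adapters briefly vanish during reconnects), two consecutive misses cut the link, and once cut it stays cut until the adapter is seen again rather than toggling on every poll.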


Does not support BitTorrent traffic

Currently, it does not support torrent traffic.

Information leaked to Kaspersky by Secure Connection


  1. The name of the Wi-Fi network (SSID) to which the computer is connected at the moment when the data is submitted
  2. Information about the date of installation and activation of the software on the computer, the duration of the software installation task, the ID of the installation task result, the ID of the installation task, the full version of the installed software (including the version of the installed software update), the localization language of the software, the name and type of the software, the type of license installed and its validity period, the ID of the partner from whom the license was purchased, the license serial number, the type of software installation on the computer (new installation, upgrade, etc.), the indicator of successful installation or the number of the installation error, the unique ID of the software installation on the computer, the type and ID of the application with which the update is performed, the ID of the update task, and information about the operating system (OS) installed on the computer (including the name, type, and bit count of the OS).
  3. To keep track of the number of users, you agree to automatically provide the following information to the Google Analytics service and to an entrusted third-party service provider of the Rightholder: the name and version of the installed software of the Rightholder, the unique ID of the software installation on the computer, and information about the versions of the operating system installed on the computer and the installed update packages.


Kaspersky Secure Connection Support Forum

Tuesday, January 17, 2017

OneDrive 2017 Direct File Download URL Maker

Microsoft OneDrive Direct File Download URL Maker

Paste your OneDrive embed code, which looks like <iframe src="https://onedrive.live.com/embed?cid=8F99649728BEB2F3&resid=8F99649728BEB2F3%211010&authkey=AFo8ZQ_-qj84DEQ" width="98" height="120" frameborder="0" scrolling="no"></iframe> (see the instructions below if you don't know how to get it). NOTE: for images there is an extra step, also below.

The embed link, e.g. https://onedrive.live.com/embed?cid=8F99649728BEB2F3&resid=8F99649728BEB2F3%211010&authkey=AFo8ZQ_-qj84DEQ, is extracted from it and populates the text box below. To proceed, click the "Get Download Link" button.

4. Now click the "Get Download Link" button.

The text box will be highlighted so you can copy the full link. To copy, right-click and choose "Copy", or simply press Ctrl-C. Note: the entire URL is selected automatically for your convenience.

How to get a Microsoft OneDrive Embed Code: detailed instructions

  1. Go to OneDrive (https://onedrive.live.com/)
  2. Upload your file
  3. Right-click to "Embed" your uploaded file
  4. Click the Generate HTML button.
  5. Copy and paste the HTML code into Notepad
  6. Copy all of the embed code, i.e. <iframe src="https://onedrive.live.com/embed?cid=..." >...</iframe>, and paste it into the text box above.
  7. Done!

For images, you have to do an extra step

  1. Right-click to "Share" your uploaded file
  2. Click the Copy button. (Updated Jan 01, 2017: API change.)
    This will produce a share URL that looks like this:
    https://1drv.ms/i/s!AvOyviiXZJmPlSc1CjtKuwc_gqVu
  3. Paste the share URL into http://linkexpander.com/ or http://www.websiteplanet.com/webtools/redirected/ and copy the resulting URL.
  4. The resulting uncovered URL is in the format we need, and looks like this:
    https://onedrive.live.com/redir?resid=8F99649728BEB2F3!2727&authkey=!ADUKO0q7Bz-CpW4&ithint=photo%2cjpg
  5. Paste the uncovered URL into the 3.1 "OneDrive File Embed Link" text box above
    and click the 4. "Get Download Link" button above.
  6. Right-click and choose "Select all" and "Copy".
  7. Paste the OneDrive Share Direct Download Link into emails instead.
  8. Done

OR, for images only:
  1. (Updated June 07, 2016: API change!)
    Right-click on the image and select Embed. The "Copy the URL to embed image" option now gives you the direct download URL straight away, but it is super long.
    So you do not need to do the above!
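The procedure above feeds an embed iframe (or the uncovered redir URL for images) into the page's tool and gets a direct download link back. The Python function below is an added example, not the page's own URL maker, that performs the same conversion offline. It assumes the commonly documented form of a OneDrive direct link, namely the onedrive.live.com/download endpoint with the same cid, resid and authkey parameters as the embed or redir link; whether the page's "Get Download Link" button does exactly this is not stated on the page. It also assumes resid has the form "<cid>!<item>" so that cid can be recovered from a redir URL that omits it, and it refuses a 1drv.ms short link, which has to be expanded first as step 3 above describes. Note that authkey is the share's access token: anyone holding the resulting link can fetch the file.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

IFRAME_SRC_RE = re.compile(r'src\s*=\s*"([^"]+)"', re.IGNORECASE)
DOWNLOAD_BASE = "https://onedrive.live.com/download?"   # assumed direct-download endpoint


def embed_to_download(embed_code: str) -> str:
    """Turn a OneDrive embed iframe, embed URL or redir URL into a direct download URL."""
    m = IFRAME_SRC_RE.search(embed_code)
    url = html.unescape(m.group(1) if m else embed_code.strip())   # tolerate &amp; in pasted HTML
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host == "1drv.ms":
        # Short share links only redirect to the real URL; expand them first (step 3 above).
        raise ValueError("1drv.ms short links must be expanded to an onedrive.live.com URL first")
    if host != "onedrive.live.com":
        raise ValueError(f"not an onedrive.live.com URL: {host or url!r}")
    q = parse_qs(parts.query)
    resid = q.get("resid", [None])[0]
    authkey = q.get("authkey", [None])[0]
    if not resid or not authkey:
        raise ValueError("URL lacks resid or authkey")
    # Assumption: resid is "<cid>!<item>", so cid can be recovered when the URL omits it.
    cid = q.get("cid", [resid.split("!", 1)[0]])[0]
    # urlencode re-encodes "!" as %21, the same form OneDrive's own embed links use.
    return DOWNLOAD_BASE + urlencode([("cid", cid), ("resid", resid), ("authkey", authkey)])


if __name__ == "__main__":
    # Constructed inputs copied from the examples in this post.
    iframe = ('<iframe src="https://onedrive.live.com/embed?cid=8F99649728BEB2F3'
              '&resid=8F99649728BEB2F3%211010&authkey=AFo8ZQ_-qj84DEQ" width="98" '
              'height="120" frameborder="0" scrolling="no"></iframe>')
    redir = ("https://onedrive.live.com/redir?resid=8F99649728BEB2F3!2727"
             "&authkey=!ADUKO0q7Bz-CpW4&ithint=photo%2cjpg")
    print(embed_to_download(iframe))
    print(embed_to_download(redir))
```

The function keeps only the three parameters the download endpoint needs, so stray query values such as ithint are dropped, and it re-encodes resid and authkey so that the "!" characters in a redir URL come out as %21 just as in a generated embed link.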

Using OneDrive as a CDN

Bonus: for images, read the "Using OneDrive as a Content Delivery Network (CDN)" plausibility post.

A note about Sharing PDFs

Google Chrome warning: very large PDF files do not preview in Chrome.
PDF files over approximately 100Mb in size do not preview in Chrome; instead you get a splash page saying "For the best experience, open this PDF portfolio in Adobe Acrobat or Adobe Reader".

You have to save the file first and then open it in Adobe Acrobat/Reader.