ELI5 Cut/Paste free form select with transparent background in MS Paint.

So this has nothing to do with infosec but something I figured I’d post up just in case someone struggled with this like I did for 30 mins when it should take 5 seconds.   Here are the steps that worked for me.

Cut/Paste free form select only into new picture with transparent background in MS Paint (Win 7)  because your too cheap to buy something better.  Me too.
1.  Save cut picture as a .PNG (not JPEG).  Save paste picture as any format.
2.  Open both pictures in MS Paint but separate windows
3.  Resize the picture to roughly what you’ll need once you paste it. See TIP below.
4.  In cut picture
a. Select > Select All
b. Select > Free Form Selection
5. Cut around the image you want to use, trying to get as little of the picture background as desired.
6.  Cut (Ctrl X)
7.  Switch to paste Picture  (Alt+Tab)
8.  Paste (Ctrl V)
9.  IMPORTANT:  you will still see white rectangle, so goto to Selection > Transparent selection directly after pasting, do not hit ENTER until you are happy.
TIP:  Once you have pasted, and again before you hit ENTER to lock it in, you can right click on picture and choose Resize to get proportions correct. While judging your paste picture perspective.

So if you found this on a Google search, I’m just paying it forward all the times that happened to me over the years.


Recover data off encrypted Ubuntu 15.x home directory

OK if you are reading this you probably can’t boot your encrypted HDD AND encrypted home directory Ubuntu OS install and you didn’t backup the data you wanted off it regularly enough to be happy.  So you are currently experiencing a bunch of frustrating dead ends trying to fix it as you search forums and Ubuntu KB for solutions because none of the other people’s experiences\errors exactly match yours.  I can’t judge because I found myself in that very  same situation last week but was eventually able to get my data.  And figured I’d just throw up the steps I documented in case it would help someone else sometime.  The below is kinda the quick and dirty brain dump I had after getting the data and reinstalling, so use at your own risk.

I found and had to combine the instructions at the 2 below links.
1. https://www.howtoforge.com/how-to-recover-data-from-an-encrypted-harddisk-on-boot-failure-with-ubuntu-14.04
2. https://help.ubuntu.com/community/EncryptedPrivateDirectory#Recovering_Your_Data_Manually

sudo fdisk -l
# find the biggest partition or the one suiting your missing home drive location.  For me it was Disk /dev/mapper/ubuntu–vg-root: 461 GiB xxxxxxxx bytes, xxxxxxxxx  sectors

#So first you have to mount the encrypted disk with the full disk encrypted passphrase (not the passphrase for you home folder encryption)
cryptsetup luksOpen /dev/mapper/ubuntu–vg-root /mnt/here
Enter Passphrase
# this is different then the “unlock” phrase used in the first link description, but worked for me.

sudo ecryptfs-recover-private /mnt/here

#gives you successful message and a temp folder location of your data. Example: /tmp/ecryptfs.bAhhoiUzm/
#if you try to get there from the LIVE CD user you get permission denied, do “sudo -i nautilus” and use that GUI filemanager to look at the folder as root.
#.  I got a bunch of GTK-CRITICAL errors in the terminal that launches nautlius but it seemed to work anyway

cd /mnt/here
# in your mount you see 2 files “Access your Private Data” and a “Readme”  You need to show hidden files so you see the .ecryptfs and .private files. took me too long to realize these seemingly simple steps.

Now goto Link 2. and follow those steps under “Recovering your data manually”

Some tips\thoughts on that experience.

# The auto recovery didn’t work for me, kept saying there was a loop
#  In step 8 for “Enable filename encryption: y”  choose yes, I honestly don’t remember if I choose this as an option but decrypting it only worked when I chose this.
# I got a warning that “Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before.  This could mean that you have typed your passphrase wrong.  Would you like to proceed with the mount (yes/no).  Choose yes.

Good luck.

Bash script to send SMTP email

UPDATE: at bottom (1.30.14)

So I’ve transitioned to a new position in San Diego where I’m more support/administration vs. incident handling/intrusion detection, and one of things I’ve recently and in the past have wanted was some sort of way to confirm the SMTP gateway’s for the company your working at are up and processing email from the internet.  Now of course you can telnet to port 25 manually but that’s a pain and the call that “your stuff is down” could come at anytime 24/7.  I’ve googled for a script like this many times over the years but never saw something that would do exactly what I wanted.  In the world of IT getting frustrated enough over and over is usually the only thing that motivates you to get off your azz and script up something yourself.

So I decided to put together a bash script that would send an email with telnet to me through each of the SMTP relays separately.  Also I wanted something I could simply launch from a Putty session to a free RedHat Amazon AWS instance anywhere I was w/o worrying about VPN’ing into work to troubleshoot, this would test the inbound internet connectivity part as well.  I added an if/then statement to allow me the option to include an email address on the command line of the person complaining my gear isn’t working.  So if the x number emails that pop into their inbox with date/time stamp equals the x number of relays the company owns then my servers are up and processing mail and they need to look elsewhere for the trouble.  Script is below in a .txt form, feel free to offer suggestions or share links to your own scripts in the blog comments as this comes with the usual disclaimer of me not being a bash scripting expert and use at your own risk, etc etc.

Script with some comments within the first server’s connection


Random Tips I’ve learned

1. If you are testing/modifying this script try running it with bash -x ./sendtestemail.sh. Helps troubleshoot what’s going on between script and the mail server as the SMTP conversation takes place.
2. Add “TZ=’US/Pacific’; export TZ” w/o quotes to your .bash_profile changing the timezone of your Amazon AWS instance to whatever Timezone your SMTP gateway’s are in.
3. When viewing the script use notepad++ and format the script as Language > S > Shell to better understand what’s going on.

4.  I think amazon is throttling outbound connections on port 25, as I’m having some trouble connecting to the fourth SMTP agent in my script, but I’m seeing no attempts on the FW so sounds like outbound blocks probably to combat SPAM.  So I modified the script with longer sleep times, and uploaded that here.

5. Use and buy JuiceSSH for Android!  I can now auth to the Amazon instance with pub/priv keys and launch the script to whoever is saying my stuff is down from my phone.  Very cool.

Detecting Infection Chain Redirections with custom Netwitness Flex Parser

In my ongoing battle with those who feel they should have their way with the computers I defend, I recently had an idea around detecting a common part of the infection chain.  That term, to me, is the process of exploitation often used in drive by attacks to thwart IP and domain blacklisting along with making attribution harder as the target is often bounced between several IPs/domains in different countries through dynamic DNS techniques.  This certainly makes it hard to determine what IPs/domains are links in that infection chain at any particular moment, and admittedly it is not what my toolset is best suited for.  That’s the job of the many different services who specialize in such things (ex. Malwaredomainlist.com, spamhaus.org, Bluecoat, etc).  My task is to try and detect the techniques and malware bad guys use to get their main task completed: run code of their choice inside my network.  Along that vein, after investigating a recent driveby landing page on a compromised site that it was easily the 3rd time I’ve seen use of an HTML page that incorporated the somewhat depreciated HTML Meta Refresh technique to move the user to the next link in the infection chain.  This made sense to me as once they are able to compromise a wordpress blog, discussion forum site, ftp brute force, etc they often get upload permissions and it is then trivial, or even scriptable to upload a .html file they have saved somewhere to redirect the user with some unsuspecting message like “Loading…”  Here is the example that triggered my thought during that investigation.  In this example a html file was uploaded to the good site http://dropyourtalent.com at /rumyn.html, click pic to make larger.

blacole landing page

Continue reading

RSA Netwitness Investigator Regular Expressions

In the blog post below (here) I talked about my theory to detect DGAs by looking for consecutive consonants in a row within a URL.  However my SNORT rule does not work like I wanted it to.  I thought the rule would look for the HOST: portion of the HTTP header and start the regex match after colon and whitespace. When what it seems to do is trying to match the whole line as one entity including the word HOST, this causes the match to fail if there are ANY vowels in the line vs. only caring if there are x number of consonants in a row before or after a vowel.  So I figured I’d leverage another tool, RSA’s Netwitness network forensics product would work. You can download a home version of the tool here.

Netwitness investigator allows users to use RegEx to filter the packet capture data including of course web surfing.  As I understand it they use the BOOST RegEx engine as opposed to the PCRE engine I’m more familiar with. Either way, there doesn’t seem to be a lot of documentation included with the product around the needed syntax. So I recommend you try just throwing in your regex and see what happens as Investigator will do some sanity checking. Taking my own advice I entered my SNORT regex as a custom drill in the alias.host field (a helpful message from an experienced Netwitness user made me realize I shouldn’t assume readers knew I was using a custom drill for this filter).  As you will quickly learn you need to backslash escape most non alpha-numeric characters until it works.  The pic below shows the error checking where I intentionally left off the backslash escape character in front of the comma in the repetition operator {9,}


Continue reading

What do you do all day?

That’s often the question I get asked by friends and family, and to be honest it’s hard to explain to non-techies so I figured I’d pick out a recent example of a typical malware find and cleanup at work and blog about it.
So it all started in the morning when I opened the daily report I email to myself from the proxy server that flags URL requests in categories I feel are malicious and accessed during the previous 24hrs.  Once blowing past the usual false positives one stood out to me, music.gr (TLD for Greece).  The report does not give full HTTP headers just the hostname so I had to look up the same hit in the proxy’s reporting server to get the time/date/username of the HTTP request.  Then I moved to the SIEM (log manager) to get correlated logs from FWs, netflow, and the parsed raw proxy logs showing all the fields with a start and end time +/- 5 mins.
In doing so I saw obvious bad outbound traffic from the suspect host with what looked like URLs centered around webmail.  This is not surprising as webmail is a significant weak spot in many  corporations, anyway here are some of the logs I was presented with, a bit sanitized.

Continue reading

Security I want around my online banking experience…

UPDATE 3/7/12:  So hitting the banks up on twitter went no where, they didn’t even approve my comments.  I have a good disscussion going on in the “Internet Banking” group on LinkedIn if you want to join.  Next step might be a reddit post or possible emailing some of the bank CSOs directly.  Wish me luck.

5/5/12 I reached out to BofA’s CISO Patrick Gorman and was ignored. Don’t see much point in banging my head against the wall anymore.

Online banking and bill pay are two of the conveniences of the information age. I have memories of seeing my mom paying the monthly bills late at night filling out checks, opening and addressing envelopes, putting on stamps etc. She then of course had to manually balance her checkbook with a calculator. I cringe at the thought of having to spend several hours a month in such a manner, with online banking and bill pay it usually takes me 30 mins to send out the money with little or no writing or mailing. As with many conveniences, however it comes with a risk of potential abuse. Individuals certainly aren’t the only ones being victimized, especially vulnerable are small to medium-sized business who have relatively a lot of money compared to the average Joe Schomo like me and unfortunately for them they are not covered by the FDIC or the bank’s policy. Here’s a Bloomberg article from August last year that goes into several examples of theft and how the banks don’t always reimburse those companies like they do you when your CC is stolen. Bloomberg article

So without further ado here is what I humbly ask from my bank, 3 fairly quick wins that should be implemented as soon as possible. I’ll let you know if I hear anything back from them. I plan on hitting some of the bigger ones up on Twitter and LinkedIn to see if any of that social media mumbo jumbo works for me and my little blog.

Continue reading

Detecting the Bad from the Good…

UPDATE 4/3/12: I worked with Joel Elser on Snort-sigs mailing list to develop the below signature. However there’s been some concern around system resources of Regexing every GET request to the internet.  I’m thinking I might have to adjust the rule to exempt .com and .net TLDs.  Less effective I know but at least it won’t kill the sensor. This technique is probably better for offline static analysis of logs then realtime IDS.  Damballa has two good papers on their work around detecting DGA (Domain generation algos) and how they haven’t gone away now that Conficker is out of the news.  Links
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”WEB-MISC http header with 9 or more consonants”; flow:to_server,established; content:”GET”; http_method; content:”Host: “; http_header; pcre:”/^Host:s[tnrshdlfcmgpwbvkxjyqz0-9]{9,}$/Hi”; metadata:service http; classtype:bad-unknown;)
UPDATE 10/28/12: The above sig does not match unless there are NO vowels in the host header.  Please see an updated post here
In security monitoring it’s your job to use your creativity to design rules and dashboards so you can identify evidence of malicious activity.  In general there are two strategic ways to do this, detect the bad (blacklisting) or detect the good (whitelisting).  It doesn’t take a genius to realize that whitelisting is the more effective strategy overall, although its much harder to implement.  Even so blacklisting is still useful to use for increasing defense in depth.   Speaking about getting creative to detect the bad guys, a recent thought I had is looking for one of the tactics they use to avoid being taken offline.  Namely registering and using a large number of domains so that content filtering and whitehat organizations can’t keep up.  You could see this during the Conficker worm battles, where early versions were programmed to connect to 250 domains a day, and when the Conficker Cabal launched an effort to pre-register those names later worm versions came out in direct response with algorithms for 50,000 domains per day.
The flaw I see in the “I can register more domains, faster then you can” tactic is often the make up of those domains. By their nature they frequently are a collection of puesdo random letters not valid strung together words in your language, like a normal domain.
For Example: (consonants in a row in red)

The startup that didn’t start…

So I have requested Hostgator to rm -rf my VPS for a web application I created called https://mycloudwallet.com after about a year of building and trying to get it to catch on.  Basically I was attempting to be a middle man between consumers and vendors, adding value to both around transaction security and accuracy.  By having users fill out one or more forms on my site with various types of information about them and then picking a text string (called WalletID) that they could give out to vendor’s who I would verify out of band.  This would allow the vendors to check against my site as needed for the updated info behind the WalletID.  So it’s an extra layer of sanity check before shipping a package to an address, sending a targeted email, or perhaps a pwd change request.  All checks could be verified externally (at my site) to whatever the vendor’s transaction technique was (at their website), in case it was being abused.

Continue reading

Detecting emails spoofing your domain using Outlook Rules…

The concern over targeted emails from sophisticated attackers is only increasing after the Aurora attacks, not to mention the latest Google vs. China row, and RSA’s compromise. One technique the attacker’s use to make their targeted email more legitimate is to fake or spoof the email’s from address using the recipient’s own domain, so it is more likely to be opened. The constant message from security about the dangers of email can make opening a spoofed message cause much alarm for the average user, which of course is usually only evident after the message has been opened. Which is quickly followed by the usual questions, why am I getting this email Joe said he didn’t send it? It says I sent it! It’s not in my sent items, am I infected? Spoofing email addresses has a long history of being allowed by the SMTP protocol and many companies currently rely on that “feature” to deliver mail legitimately, think surveys, send this link to a friend, web page forms, mailing lists etc. So it’s not as simple as just blocking everything with an internal domain that comes from the Internet; because it’s not all bad. It’s also made more difficult in how SMTP works, where the MAIL FROM (aka. Smtp from, RFC2821, envelope from) is often is what is evaluated at the mail gateway/server level, but the user will just see the FROM (aka. RFC2822, message from).

Continue reading