Posts by lansalot

Ah, will you not have a cup of tea father...

My go-to test strings are the Father-Ted favourites, "arse", "feck", "drink" and "girls".

Two of which once popped up in front of some bigwigs I was demoing something to. Wasn't the last two....

water...

Years ago, I re-purposed an old sparc station as a snort IDS. Being on a switched network, and not tapped into any kind of ideal port, it didn't really do anything useful of course. Except for the one day it did detect an unwanted intrusion - the pipe above it burst and electrocuted it.

Alerting left a little to be desired tho - I only found out when I came in to find the console was unreachable.

WIPRO?

All makes sense now....

(Former WIPRO employee here)

hmmm...

It's been my experience - as a former employee - that "WIPRO" and "talent" do not belong in the same sentence.

also, Pervade...

https://www.vice.com/amp/en/article/newd88/this-uk-company-is-making-it-easier-for-private-companies-to-hack-back

"For a fee, one organization will provide a system that detects and can hit back at hackers with its own arsenal of attacks. But this isn't some anonymous group on an underground crime forum. Instead, Pervade Software, a legitimate and public facing information security business based out of Cardiff, Wales, sells a platform designed for private companies to retaliate against hackers with DDoS and other digital attacks."

except..

that it hasn't always updated all clients. I ran a script across a heap of our clients and found a significant number that are not auto-updating.

VERY quick and dirty Powershell detection script here for same, for your remote-admin tool of choice:

https://gist.github.com/lansalot/f0e6dfce85c35ec86cb8489dd27dd4d5

Checks:

- what version is installed (not necessarily the one that's running)

- what version each user is running (for terminal service environments)

- what the minimum and maximum version number found running in the process list is

- highlights whether any vulnerable version was found running

WIPRO and Powershell..

As you may recall, WIPRO had an embarassing "security incident" a year or two ago. I was one of the users on the ground who felt the repercussions - because the miscreants had used Powershell to gain a foothold, they simply blocked Powershell EVERYWHERE to "Improve security".

Apart from of course not being able to run or develop anything any more (hi, automation guy here), I also was blocked from even opening my .ps1 files in notepad, so I couldn't copy the work to an off-domain dev machine and continue the work. Months that took to sort out...

so...

I wonder how the ratio of pass:fail will fluctuate in light of this...

Father Ted for the win

My test strings tend to be Arse, Feck, Girls and Drink.

One of which popped up in front of some Council bigwigs I was demoing to. Hint: It wasn't "girls" or "drink"...

and yet...

We're having major issues with Teams for the last fortnight - users in my team showing as "Unknown User". Our desk tells us they're working with MS to resolve and this isn't just affecting us. Anyone else confirm?

err...

"The comments it generates are short - on the order of tens of words - and aren’t complex enough to incite much reaction"

Have you been on the internet lately?

highly relevant...

https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer

Oh no...

This will be a sad day when it comes into effect... please, someone pass the tissues.

The IDS comes through..

Years ago, I had a spare SPARC, and being a curious fellow, I decided to deploy Snort on it and leave it running as an IDS. It never detected a single thing (not surprising as I didn't have clearance to run it, and thus it was "internal only" - and on a switched network of course).

Except for one day when it did. It detected water. A pipe above it burst and electrocuted it.

wot?

Still no Powershell GUI dev?

handy..

But here's a crazy idea - all browser manufacturers, why not integrate with VirusTotal as well?

You're downloading the file, calculate the checksum as you're doing so, and at the end - submit it to VirusTotal to see if it's in their database. Present warnings accordingly.

citrix and scvmm

Brought up a new SCVMM server and pushed the updated client out to a few VMs. No issues, no reboot needed. So pushed it out to 3 hosts, each hosting 7 citrix xenapp VMs (so approx 200 users were being served).

The hosts didn't take too kindly to the new client, and promptly blue-screened. However, as the estate wasn't at its most stable at the time, users were conditioned to logging back on again when citrix disappeared. Not a single call came in. So I kept quiet, until now...

aye..

Dell/EMC still very silent on the impact to their ScaleIO product, I notice.. where customer code will definitely be running on VMs etc. The joys of HyperConvergence, eh

well thanks, Dell..

Been waiting for last couple weeks now as to a statement for potential impact for EMCs ScaleIO product, which you resell.

Being HyperConverged, in that the VMs and storage are all on the same boxes, we're expecting a significant performance hit.

ah ha!

"And I could very well have been bitten in a sensitive place, if you know what I mean."

AYE, HE MEANS HIS COCK!

#intentionalPartridge

ooh...

That's some nice changes to protecting me from dodgy callers. Of course, my phone has never been plugged in, but thanks loads for charging me for something that probably doesn't work and I don't need.

Time to shop around I think !

Dear Equifax hackers?

Could you find out if I have PPI, and submit a claim for me automatically? Thanks!

a long time ago...

well, 1984-ish.. in my metalwork class at school, they had a poster on the wall. It was pretty to-the-point.

TWO WAYS TO BLOW YOUR BRAINS OUT

A picture of a fired gun against a head, with brains ejecting out the other side

A picture of a compressor and its hose against a head, with brains ejecting out the other side

You could say the message worked, as I remember it clearly over 30 years later.

profitting from hate?

You read the Daily Mail and such lately? You'd be as well starting with them, at least their content is produced by them, purposely and wilfully.

oops

https://virustotal.com/en/file/035c780a1ece816e9adc4dee06f8484751346a7f70d9ae6d7f627cce27bdfb3f/analysis/

I'd like to hope these are heuristically derived false-positives...

ah, why not give him a shot... Seeing as Trump is going all out on filling the swamp, instead of draining it, he'd fit right in.

even worse..

My friend asked me to look at her dad's PC and dropped it off. He'd left a DVD in the drive, which duly spun into action with lesbian porn.

Opening a beer, I decided to take a well deserved break from my IT investigations. As the can reached my lips, performer #1 crouched above #2 and let loose.... well... a #2.

Beer down, computer off, knocked on door, "sorry, nothing I can do with this one!"

Krebs says not:

https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-really-take-liberia-offline/

A free hip, says it's ransomware...

Fine, you don't advocate hacking back.

Now, it only takes *one* of you to deviate from that, and put a stop to these miscreants. I wouldn't lose much sleep over it in this instance, if it were done properly.

Dear whitehats

Please change all the passwords on those insecure devices to something random.

Thx

Everyone-else

Morning, Microsoft !

Funny you should ask about the whole "trust us" thing.

I've come in to work this morning to find 175 servers out of ~600 that are refusing to install Endpoint Protection AV updates. No known cause as of yet.

I'll keep working on it, but thanks for reminding me we can totally trust you not to screw things up.

Wouldn't cause a problem if they use Deep Freeze...

Unsafe computing practices, plus people with too much access = customers affected.

Nice work indeed...

Still, at least the ransomers know who to target in the future!

I was surprised to find I had a Yahoo account - it looks like it went over when I registered for flickr years ago.

Logged in to find an inbox that was full of nothing but incredibly-obvious spam. So their spam filters suck for sure. Oh, and the page design... it was like a teenagers Myspace page.. :(