## Pernicious Perl Path Permission Problems

I ran into a situation where I somehow managed to hork up a perl installation by having the temerity to install some perl modules. From then on, invocations of perl by anyone other than root result in disappointment:

Here’s how I fixed it.

## Waze URI to Navigate to Home or Work

If you are trying to integrate Waze with other Android apps (like Tasker) you will eventually try to launch Waze navigating to an address. Numerous places online show us that these URIs work:

That last example may get you thinking… I know it did for me. What about navigating to the “Home” or “Work” locations that the app set up? Surely you can just type those in as your query and Waze will be smart enough to figure it out, right?

Nope. It looks for a business named “Home” or “Work” nearby. No amount of wrangling could get it to work for me. But since I could open the app up and type Home into the search box I figured that Waze must have some built-in way to figure out if a search string is a Home/Work/Favorite versus something to search on the map for.

## Navigate into downtown Waze

I decompiled the apk and discovered that Waze sends the URI down into a native code function, which makes it harder to reverse engineer. As in, I’m not even going to bother because then I’d have to teach myself assembly. So I cheated. I ran `strings` against libwaze.so (native code included in the Android app) to find pieces of strings which may be used to test a supplied URI and found this:

Oh ho ho! Some of these strings are probably used in debugging statements (decode: valid lat %s), and maybe ‘favorite=’ is too. But let’s just try a few things.

Damn. But what about…

Bingo!

It works for your saved ‘Home’ and ‘Work’ locations. It also works for any place you’ve saved as a favorite. Just substitute the name you used. So feel free to set up Tasker tasks to automatically navigate all over the place.

You’re welcome, Internet.

## giant file-rsync+dd+md5sum=no cry

I recently ran into a situation where:

• I transferred a large file (in my case 32GB)
• The md5 at the recipient didn’t match my source file (sadface)
• The source or destination machine did not have rsync installed, but both have md5sum and dd.

Resending the entire 32GB file would be a waste of time. Why not just resend the chunks that failed?

The correct answer in this situation is usually “just use rsync, that’s what it’s for”. But I couldn’t since the target system doesn’t have rsync installed and I couldn’t install it. If you can install rsync at both ends, use it to fix the broken file. Here’s a great example.

You can’t do that? Then do this:


1. Create a bash/cmd script at each end to break the file into pieces with dd.
2. md5sum each piece at both ends and compare to figure out which chunks are bad
3. transfer the bad chunks from source to target
4. dd the chunks back into the giant file
5. recheck the md5sum of the file to make sure it matches

## Create a bash/cmd script at each end to break the file into pieces

Tip: rename the file to something which doesn’t require escape sequences, especially if your source/target are running different OSes. For example, spaces mean the name has to be enclosed in quotes on Windows and have a backslash prepended on Linux. So get those spaces out of there.

`dd` thinks in terms of blocks.

$\text{blocksize} \times \text{count} = \text{chunk size}$

I set the blocksize to 1 megabyte to make the math easier. I want each chunk to be 128MB. The size of the chunk is up to you, but the trade-off is waiting for excess data to transfer versus dealing with more part files. Anyhow, we have `bs=1048576 count=128`.

To tell `dd` where to start when it’s copying data out of a file, supply the `skip` option. So the first chunk has `skip=0`, the second chunk has `skip=128`, the third has `skip=256`, and so on. Why?

`dd` thinks in terms of blocks.

I usually create an Excel workbook and use fill-down to create the correct skip numbers and then `CONCATENATE()` to create the actual dd command lines. Copy and paste them into a text document. Send it to both ends with the correct extensions/permissions/shebang line/etc.

Run the batch/shell script at each end to create corresponding partXXXX files. If you follow my example, the value in the K column shows you where to stop copying; it changes to false at the line where you’ve passed the final dd required.

## md5sum the pieces at each end and compare

Pretty easy; use `md5sum` on all of the partXXXX files at each end. Save the output into an md5 file and then get both files in the same place so you can compare.

Using the command line `diff` tool will work, but if you have a GUI tool it should make it easier to see which files don’t match. Let’s hope there aren’t many.

## Transfer the bad chunks from source to target

This part should be easy; just send the good chunks from the source to the target to replace the bad chunks. To make sure you haven’t wasted your time, `md5sum` the replacement chunks once they reach the destination. Retransfer any that don’t match.

## dd the chunks back into the giant file

We will use dd again. Instead of redoing the whole process in reverse, we only need to dd in the fixed chunks.

Either redo your Excel sheet or just find and replace in your target batch/shell script.

The key things here are that `if` and `of` have been swapped, we must add `conv=notrunc`, and we use `seek` instead of `skip`. We swap the input and output files because we’re outputting to the big file. We use `conv=notrunc` because by default dd will truncate the destination file at the point where you start writing. We don’t want to destroy the file, so this is important. Finally, when we need to write the destination file anywhere other than the start, we have to use `seek` instead of `skip`.

You only need the lines corresponding to the fixed chunks. So your final batch/shell script might end up looking like this:

## Recheck the md5sum of the file to make sure it matches

You’re all done, assuming it matches. (Cue spooky music)
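The five steps above as one added shell script (example code, not the author’s Excel-generated batch files). It assumes GNU coreutils `dd`, `md5sum` and `comm`, a 1 MB block size, and a constructed 5 MB test file; `demo` prints `ok` when the repaired copy matches the source.

```shell
#!/bin/sh
# Added example: the split / compare / patch procedure as POSIX sh functions
# using only dd, md5sum, sort, comm and cmp. Chunks are CHUNK_MB megabytes,
# so dd always runs with bs=1048576 and count/skip/seek counted in megabytes.
BS=1048576

# Step 1: cut FILE into DIR/part0000, part0001, ... Chunk i starts at
# block i*CHUNK_MB, which is what the skip= column in the workbook holds.
split_file() { # split_file FILE CHUNK_MB DIR
  size=$(wc -c < "$1"); size=$((size)); i=0
  while [ $((i * $2 * BS)) -lt "$size" ]; do
    dd if="$1" of="$3/$(printf 'part%04d' "$i")" bs=$BS count="$2" \
       skip=$((i * $2)) 2>/dev/null
    i=$((i + 1))
  done
}

# Step 2: one "hash  partNNNN" line per chunk, whole-line sorted so the
# listings from both ends can be fed to comm (or diff, as in the post).
sum_parts() { (cd "$1" && md5sum part* | sort); }

# Step 3: chunk names whose line appears in the source listing but not in
# the destination listing, i.e. the chunks that must be resent.
bad_parts() { comm -23 "$1" "$2" | awk '{print $2}'; } # bad_parts SRC.md5 DST.md5

# Step 4: write a good PART back into BIG. if/of are swapped, seek replaces
# skip, and conv=notrunc keeps dd from cutting BIG off at the write position.
patch_chunk() { # patch_chunk BIG PART CHUNK_MB
  idx=$(basename "$2" | sed 's/^part0*//'); idx=${idx:-0}
  dd if="$2" of="$1" bs=$BS seek=$((idx * $3)) conv=notrunc 2>/dev/null
}

# Step 5 as a self-test on constructed data: a 5 MB random source, a copy
# with 1 MB inside chunk 1 (2 MB chunks) zeroed, repair, then compare the
# whole files. Prints "ok" when the repaired copy matches.
demo() {
  w=$(mktemp -d); mkdir "$w/src" "$w/dst"
  dd if=/dev/urandom of="$w/big.src" bs=$BS count=5 2>/dev/null
  cp "$w/big.src" "$w/big.dst"
  dd if=/dev/zero of="$w/big.dst" bs=$BS count=1 seek=2 conv=notrunc 2>/dev/null
  split_file "$w/big.src" 2 "$w/src"; split_file "$w/big.dst" 2 "$w/dst"
  sum_parts "$w/src" > "$w/src.md5"; sum_parts "$w/dst" > "$w/dst.md5"
  for p in $(bad_parts "$w/src.md5" "$w/dst.md5"); do
    patch_chunk "$w/big.dst" "$w/src/$p" 2   # the "transfer" is a local read here
  done
  if cmp -s "$w/big.src" "$w/big.dst"; then echo ok; else echo FAIL; fi
  rm -rf "$w"
}
```

Only `part0001` comes back from `bad_parts` in the self-test, so a single `dd ... conv=notrunc seek=2` repairs the 5 MB copy.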

Hey never mind, here’s my Excel Workbook. Just use that. That’s what I’m going to do from now on.

I’m in the middle of moving so I’m typing this up on my phone. As you may well be aware, I detest brevity as I loathe all encumbrances upon all opportunities to hear (or read) myself talk (or write). Here’s what you need to know to keep yourself safe.

First, keep this firmly in mind: Just because someone’s name or email address shows up in this breach does NOT mean they cheated on their spouse.

Ashley Madison does not verify a user’s email account when they sign up at all. This means anyone in the world could have entered your email address when they signed up. Now you look guilty.

There are other reasons an account is not necessarily a scarlet letter, even if it really does belong to the purported account holder. The person could have signed up because:
* They were curious and just wanted to look around
* They wanted to cheat but changed their mind.
* They signed up when single and subsequently got married and forgot all about the site. (Or paid for Ashley Madison’s delete account service and clearly did not get their money’s worth)
* They want to protect their identity online so they sign up for every high-profile social networking site that pops up.
* Or, possibly, they could want to cheat on their spouse. Diff’rent strokes and all.

## Keep yourself safe

Do not click links in social media which claim to show you whose accounts were breached. Doesn’t matter if the link says your account is listed, your boss’s, a celebrity, or a politician. Scammers looooove throwing up bait like this to trick people into installing viruses or paying money or paying money to install viruses. Steer clear.

To see if your account is listed, visit this website (given my previous paragraph, I understand if you don’t want to click through).

http://haveibeenpwned.com

This is the only website that I trust for this sort of information. The only one.

Now, since this information is sensitive, the author of the site, Troy Hunt, requires you to verify that you own the email address in question before he tells you whether or not you were among the breached Ashley Madison accounts. Click ‘Notify Me’ in the menu and sign up for notifications. Once you have verified your email address the website will let you know privately if you, well, ‘been pwned’.

This is a good practice, in general. I signed up for notifications from haveibeenpwned so if my email address ever shows up in a breach (even one which hasn’t been publicized) I get emailed.

## Educate yourself

Here are a couple great articles from information security news sources I trust.

Graham Cluley, a well-respected info sec analyst, has another article.

## Buying the Magnum

So somewhere along the way we all grew up. Part of growing up is not visiting websites named ‘bellybuttonporn.com’ any more. So many of you never saw this. Now seemed as good as any time to copy the old post and images into this blog for our more modern sensibilities. I had to change the links for the comparison cars; they fell victim to linkrot after a model year had passed. At the end I’ll be back with an update.

## 8 Skills to Scuttle ATM Skimmers

It looks like the ATM skimmer creeps have made it to Des Moines.

Worried about ATM security? Good! Here’s how to stay safe:

1. Don’t ignore basic ATM security you already know – be sure you’re in a safe, well-lit area and there aren’t any suspicious people hanging around. Mugging someone is easier and quicker than installing a skimmer.
2. Use familiar ATMs and pay attention to what they look like. Any changes? A new card reader perhaps? That’s a sign that thieves have placed a skimmer there. Contact the bank to see if they’ve fixed/replaced that ATM recently.
3. Try to pull the card reader off. If it comes off in your hand with a quick tug, then congratulations, you have just discovered a skimmer.
4. Same thing with the PIN pad. With your debit card number, the thief still needs your PIN. Whew! Unfortunately the thief has thought of this. They either have a pinhole camera mounted somewhere (probably on the ATM) to videotape your PIN or an overlay on top of the PIN pad which records your PIN as you type it.
5. Cover your hand with your other hand while you type your PIN. This helps foil the cameras.
6. After you type your PIN, rest your whole hand on ALL of the buttons on the PIN pad for a moment. This heats all of the buttons up so the thief can’t use an infrared camera to get your PIN. (Yes, they really can do that, and yes, covering the PIN pad for a few seconds really does help)
7. Periodically check your account balance and transactions online. At least every few days. This way you may catch any fraudulent activity faster. Did thieves get access to your account with a skimmer? Was it an online shopping hack? Who knows! Doesn’t matter, really. Good thing is that you caught it. Talk to your bank and have them back out the fraudulent activity.
8. Finally, if you do discover a problem, do not panic. First, don’t actually use the ATM, even if you yanked the skimmer off. Get the hell out of there ASAP. If you’re on foot, run. If you’re in your car, lock it, roll the windows up, and get the hell away from the ATM. ATM skimming criminals may be lurking nearby to watch their toy. You just broke their toy, so they might be mad. They might resort to simply mugging you. So don’t use the ATM, don’t withdraw any money, and get the hell out of there.

Call the police from a safe distance.

## Does antivirus rain on your antivirus testing?

Suppose you need to test your antivirus software, but you don’t have a virus lying around to test with. How do you get a virus to test with? Sounds dangerous.

Luckily, smarter people than I have already thought of this problem. The solution is the EICAR test file/string. It’s a harmless string that most (almost all) antivirus vendors treat as a virus. The idea is that you can use this file instead of a live virus. If your antivirus alerts on it, you know all is good. If it doesn’t, then your antivirus doesn’t work.

So if you’re doing some security research* and need the EICAR test string you may run into a chicken and egg problem. You need the test string, but every time you download it your antivirus program deletes it right away!

I’ve made a simple dropper. By itself it doesn’t trigger most antivirus programs (props to ALYac, Ad-aware, BitDefender, Emsisoft, F-Secure, GData, MicroWorld-eScan, and nProtect).

The batch file will create a file named eicar.txt in the current directory. Hopefully your antivirus program will immediately alert when the file is created.

Here’s a zip file containing the dropper:

eicar_dropper.zip

And here’s the dropper itself:

* Hacking 🙂

## Manually update a lookup csv in splunk

If you use splunk, you probably use lookups to add handy data to your searches and alerts.

If you use lookups, you have probably run into a situation where you’ve wanted to update a lookup file.

If you’ve wanted to…Okay I’m done with that. Similarly, you’ve probably found the process of googling how to update your csv frustrating as well. Most of the results assume you want to create a process to automatically update a lookup via a saved search. That’s a great idea, and here are some great examples.

But what if I have a simple csv of a few values and I want to update it once? Say I have a CSV with whitelisted DNS servers. I use it to filter out DNS traffic to known-good servers in the search I use to detect rogue traffic.

| Description | Nameserver |
|---|---|
| OpenDNS | 208.67.220.220 |
| OpenDNS | 208.67.222.222 |

So I don’t want to automatically update this thing, I just want to add a row for my home router (whoops!).

How in the hell can I add it? I started looking at Splunk’s documentation and searching around Splunk’s stack-exchange Q&A site. I was preparing some sort of hairy query to combine inputlookup, something to create records out of thin air, and then deduping the results and outputlookup to put it back into the table.

That sucks, especially for a one-off. Okay, so instead, how about I just download the csv file, edit it on my PC, then reupload it? Sounds cumbersome.

Thing is, I didn’t need to think that hard.

We have the Sideview Utils installed. Included is a tool called, handily enough, The Lookup Updater. It lets me just edit the file in the web interface.

Go to the Sideview Utils app within Splunk. In the menu find Tools, then The Lookup Updater. From here you can edit your lookups to your heart’s content.

That’s all I needed to do. Here’s all there is to it: