## Pernicious Perl Path Permission Problems

I ran into a situation where I somehow managed to hork up a perl installation by having the temerity to install some perl modules. From then on, invocations of perl by anyone other than root result in disappointment:

Here’s how I fixed it.

## Ashley Madison

I’m in the middle of moving so I’m typing this up on my phone. As you may well be aware, I detest brevity as I loathe all encumbrances upon all opportunities to hear (or read) myself talk (or write). Here’s what you need to know to keep yourself safe.

First, keep this firmly in mind: Just because someone’s name or email address shows up in this breach does NOT mean they cheated on their spouse.

Ashley Madison does not verify a user’s email account when they sign up at all. This means anyone in the world could have entered your email address when they signed up. Now you look guilty.

There are other reasons an account is not necessarily a scarlet letter, even if it really does belong to the purported account holder. The person could have signed up because:
* They were curious and just wanted to look around
* They wanted to cheat but changed their mind.
* They signed up when single and subsequently got married and forgot all about the site. (Or paid for Ashley Madison’s delete account service and clearly did not get their money’s worth)
* They want to protect their identity online so they sign up for every high-profile social networking site that pops up.
* Or, possibly, they could want to cheat on their spouse. Diff’rent strokes and all.

Keep yourself safe

Do not click links in social media which claim to show you whose accounts were breached. Doesn’t matter if the link says your account is listed, your boss’s, a celebrity, or a politician. Scammers looooove throwing up bait like this to trick people into installing viruses or paying money or paying money to install viruses. Steer clear.

To see if your account is listed, visit this website (given my previous paragraph, I understand if you don’t want to click through).

http://haveibeenpwned.com

This is the only website that I trust for this sort of information. The only one.

Now, since this information is sensitive, the author of the site, Troy Hunt, requires you to verify that you own the email address in question before he tells you whether or not you were among the breached Ashley Madison accounts. Click ‘Notify Me’ in the menu and sign up for notifications. Once you have verified your email address the website will let you know privately if you, well, ‘been pwned’.

This is a good practice, in general. I signed up for notifications from haveibeenpwned so if my email address ever shows up in a breach (even one which hasn’t been publicized) I get emailed.

Educate yourself

Here are a couple great articles from information security news sources I trust.

Graham Cluley, a well-respected info sec analyst, has another article.

## 8 Skills to Scuttle ATM Skimmers

It looks like the ATM skimmer creeps have made it to Des Moines.

Worried about ATM security? Good! Here’s how to stay safe:

1. Don’t ignore basic ATM security you already know – be sure you’re in a safe, well-lit area and there aren’t any suspicious people hanging around. Mugging someone is easier and quicker than installing a skimmer.
2. Use familiar ATMs and pay attention to what they look like. Any changes? A new card reader perhaps? That’s a sign that thieves have placed a skimmer there. Contact the bank to see if they’ve fixed/replaced that ATM recently.
3. Try to pull the card reader off. If it comes off in your hand with a quick tug, then congratulations, you have just discovered a skimmer.
4. Same thing with the PIN pad. With your debit card number, the thief still needs your PIN. Whew! Unfortunately the thief has thought of this. They either have a pinhole camera mounted somewhere (probably on the ATM) to videotape your PIN or an overlay on top of the PIN pad which records your PIN as you type it.
5. Cover your hand with your other hand while you type your PIN. This helps foil the cameras.
6. After you type your PIN, rest your whole hand on ALL of the buttons on the PIN pad for a moment. This heats all of the buttons up so the thief can’t use an infrared camera to get your PIN. (Yes, they really can do that, and yes, covering the PIN pad for a few seconds really does help)
7. Periodically check your account balance and transactions online. At least every few days. This way you may catch any fraudulent activity faster. Did thieves get access to your account with a skimmer? Was it an online shopping hack? Who knows! Doesn’t matter, really. Good thing is that you caught it. Talk to your bank and have them back out the fraudulent activity.
8. Finally, if you do discover a problem, do not panic. First, don’t actually use the ATM, even if you yanked the skimmer off. Get the hell out of there ASAP. If you’re on foot, run. If you’re in your car, lock it, roll the windows up, and get the hell away from the ATM. ATM skimming criminals may be lurking nearby to watch their toy. You just broke their toy, so they might be mad. They might resort to simply mugging you. So don’t use the ATM, don’t withdraw any money, and get the hell out of there.

Call the police from a safe distance.

## Does antivirus rain on your antivirus testing?

Suppose you need to test your antivirus software, but you don’t have a virus laying around to test with. How do you get a virus to test with? Sounds dangerous.

Luckily, smarter people than I have already thought of this problem. The solution is the EICAR test file/string. It’s a harmless string that most (almost all) antivirus vendors treat as a virus. The idea is that you can use this file instead of a live virus. If your antivirus alerts on it, you know all is good. If it doesn’t, then your antivirus doesn’t work.

So if you’re doing some security research* and need the EICAR test string you may run into a chicken and egg problem. You need the test string, but every time you download it your antivirus program deletes it right away!

I’ve made a simple dropper. By itself it doesn’t trigger most antivirus programs (props to ALYac, Ad-aware, BitDefender, Emsisoft, F-Secure, GData, MicroWorld-eScan, and nProtect).

The batch file will create a file named eicar.txt in the current directory. Hopefully your antivirus program will immediately alert when the file is created.

Here’s a zip file containing the dropper:

eicar_dropper.zip

And here’s the dropper itself:

\* Hacking 🙂
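An added example of the kind of dropper the post describes (this is not the author’s batch file): it assembles the EICAR test string from three pieces at run time, writes it as eicar.txt in the current directory, and checks the result is the exact 68-byte file the EICAR specification defines. Splitting the string means the script file itself does not contain the contiguous signature, so it survives being saved to disk; the file it creates should be caught immediately.

```powershell
# Added example, not the post's own dropper. Builds the EICAR test string at
# run time and writes it as eicar.txt so the antivirus on this box can be tested
# without a live sample. The three fragments are only joined in memory, so this
# script file itself is not the 68-byte signature scanners look for.
$parts = @(
    'X5O!P%@AP[4\PZX54(P^)7CC)7}',
    '$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!',
    '$H+H*'
)
$eicar = -join $parts
$path  = Join-Path (Get-Location) 'eicar.txt'

# Write plain ASCII with no BOM and no trailing newline. The spec allows only
# trailing whitespace after the 68 bytes, and a BOM would break the match.
[System.IO.File]::WriteAllBytes($path, [System.Text.Encoding]::ASCII.GetBytes($eicar))

if (Test-Path $path) {
    $len = (Get-Item $path).Length
    if ($len -eq 68) {
        "Wrote $path ($len bytes). A working antivirus should alert on it now."
    } else {
        "Unexpected length $len; the test file must be exactly 68 bytes."
    }
} else {
    "eicar.txt is already gone: the scanner quarantined it on creation."
}
```

If the file is still there after a minute with no alert, on-access scanning is either off or not covering that directory.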

## Manually update a lookup csv in splunk

If you use splunk, you probably use lookups to add handy data to your searches and alerts.

If you use lookups, you have probably run into a situation where you’ve wanted to update a lookup file.

If you’ve wanted to…Okay I’m done with that. Similarly, you’ve probably found the process of googling how to update your csv frustrating as well. Most of the results assume you want to create a process to automatically update a lookup via a saved search. That’s a great idea, and here are some great examples.

But what if I have a simple csv of a few values and I want to update it once? Say I have a CSV with whitelisted DNS servers. I use it to filter out DNS traffic to known-good servers in the search I use to detect rogue traffic.

| Description | Nameserver |
| --- | --- |
| OpenDNS | 208.67.220.220 |
| OpenDNS | 208.67.222.222 |
| Google DNS | 8.8.8.8 |
| Google DNS | 8.8.4.4 |

So I don’t want to automatically update this thing, I just want to add a row for my home router (whoops!).

How in the hell can I add it? I started looking at Splunk’s documentation and searching around Splunk’s stack-exchange Q&A site. I was preparing some sort of hairy query to combine inputlookup, something to create records out of thin air, and then deduping the results and outputlookup to put it back into the table.

That sucks, especially for a one-off. Okay, so instead, how about I just download the csv file, edit it on my PC, then reupload it? Sounds cumbersome.

Thing is, I didn’t need to think that hard.

We have the Sideview Utils installed. Included is a tool called, handily enough, The Lookup Updater. It lets me just edit the file in the web interface.

Go to the Sideview Utils app within Splunk. In the menu find Tools, then The Lookup Updater. From here you can edit your lookups to your heart’s content.

That’s all I needed to do. Here’s all there is to it:

## Set Internet Options via the registry

I ran into a situation where I needed to remotely set the values in a user’s Internet Options control panel. With all the problems with SSL 2.0 and SSL 3.0 lately, we’ve pushed out configurations to block them. Some of our users have reported problems connecting to business-critical websites which aren’t working with our settings. So I need to remotely check the SSL 3.0 box for them.

To get this done I had two problems:

* What values do I need to store in the registry?
* Where do I store them?

# First, find the keys.

I fired up procmon from Sysinternals and opened up my Internet Options control panel. With some trial and error I was able to narrow down the settings I needed to change. The process is to change the settings in my UI (remember to click Apply!) and watch the registry changes in procmon. In case you’re looking for exactly the same thing I am, changing the SSL/TLS settings, here’s the key you need:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

And here are the values you need:

| SSL/TLS Version | Decimal | Hexadecimal |
| --- | --- | --- |
| SSL 2.0 | 8 | 0x8 |
| SSL 3.0 | 32 | 0x20 |
| TLS 1.0 | 128 | 0x80 |
| TLS 1.1 | 512 | 0x200 |
| TLS 1.2 | 2048 | 0x800 |

This is a bitfield. To get the correct value, you just add up the options you want and then store that value in the registry.

I needed to have SSL 3.0, TLS 1.0, and TLS 1.1 enabled.
$\begin{array}{c} \phantom{+9}32\\ \phantom{+}128\\ \underline{+512}\\ \phantom{+}672\end{array}$

When you store the result in the registry, make sure you enter it in the expected format: regedit’s DWORD editor defaults to hexadecimal, so either switch the base to decimal before typing 672 or enter its hex equivalent, 2A0.

# Second, figure out where to store the values.

Now, just open up the remote registry, find HKEY_CURRENT_USER, and rock and roll!

Okay, going to have to pull some teeth here. The issue is that there isn’t really a HKEY_CURRENT_USER hive. When a user logs on, Windows maps HKCU onto that user’s own subkey under HKEY_USERS (HKEY_USERS\<SID>). It makes things so much easier. Since we’re not logged on to this system as that user, we don’t get the easy version.

If your users generally have one PC each, you probably will see several short SIDs and a pair of long ones. The long one without “_classes” on the end is your user’s SID. But you can get a user’s SID via powershell to be 100% sure.

So in my case, I’ll need to use HKEY_Users\S-1-5-21-776511741-573735546-682002230-13423.

# Put it all together.

Almost done, I swear. In regedit I connected to the remote computer then browsed to the right user’s HKEY_USERS key (that long SID we found earlier). I browsed to the key I found earlier, Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols. Finally, I set the value I calculated, 672 (decimal).
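The same procedure as a script, added here as an example rather than taken from the post: it builds the SecureProtocols bitfield from the table above, decodes an existing value back into protocol names (flagging any bit the table does not cover), and writes the result under the user’s own HKEY_USERS\<SID> key. It assumes you run it with admin rights on the target machine (for instance through Invoke-Command or Enter-PSSession); the SID is a placeholder.

```powershell
# Added example, not the post's own steps. Bit values are from the table above.
$SecureProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8;   'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
}

function Get-SecureProtocolsValue([string[]]$Enabled) {
    # OR the wanted protocols together; an unknown name is an error, not a guess.
    $value = 0
    foreach ($name in $Enabled) {
        if (-not $SecureProtocolBits.Contains($name)) { throw "Unknown protocol '$name'" }
        $value = $value -bor $SecureProtocolBits[$name]
    }
    return $value
}

function ConvertFrom-SecureProtocolsValue([int]$Value) {
    # Turn a value read from the registry back into protocol names.
    $known = @($SecureProtocolBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key })
    $unknown = $Value
    foreach ($bit in $SecureProtocolBits.Values) { $unknown = $unknown -band (-bnot $bit) }
    if ($unknown) { $known += ('unknown bits 0x{0:X}' -f $unknown) }   # e.g. a newer TLS flag
    return $known
}

$wanted = Get-SecureProtocolsValue 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # 32 + 128 + 512 = 672
"SecureProtocols = $wanted (0x{0:X}) enables: {1}" -f $wanted,
    ((ConvertFrom-SecureProtocolsValue $wanted) -join ', ')

# Write under the user's hive. Using HKCU here would change the admin's settings.
$sid  = 'S-1-5-21-PLACEHOLDER-1001'   # placeholder: the target user's SID from the step above
$path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
if (Test-Path $path) {
    Set-ItemProperty -Path $path -Name SecureProtocols -Value $wanted -Type DWord
    Get-ItemProperty -Path $path -Name SecureProtocols
} else {
    "Hive for $sid is not loaded; the user must be logged on (or load their ntuser.dat first)."
}
```

Decoding the current value before overwriting it shows whether someone (or a GPO) has already set bits the table does not list, which is the first thing to check before blaming the protocol settings.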

Sites are fixing their SSL settings as fast as they can, so don’t just set something like this and forget it. Periodically test the sites your users require to see if they work with SSL 2.0 and SSL 3.0 disabled. Once they do, you can undo your changes.

## Find .NET version required by your applications

I have a server with Microsoft .NET 1.1 installed and I have no idea why.

Naturally, we’ve lost all records regarding what is installed on that server. We have no idea why an old version of .NET is installed and which applications require the old version. In fact, we have no evidence that the old version is actually required.

So, how can I find out which .NET applications on this server require 1.1?

Powershell!

This is what I came up with:

There is a limitation here. This will report the minimum version of the .NET runtime required for each executable and dll, but it will not tell you the maximum allowed. I have no idea how to determine that information from within powershell.

So this is useless, right? In my experience, this will let you rule out the vast majority of your applications. Lots of applications are written to target CLR 2.0 at a minimum, so any application reporting 2.0 or higher should work fine without .NET 1.1. I can rule them out and then focus my further research on the applications which can run on .NET 1.1.
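An added example of the approach described (not the author’s script): it walks a folder, loads each .exe and .dll in the reflection-only context so nothing executes, and reports the CLR version the assembly was built for. It also reads any `<supportedRuntime>` entries from a matching .exe.config, which is the one place an application declares the runtimes it is willing to start on. Assumes Windows PowerShell on .NET Framework; the folder path is a placeholder.

```powershell
# Added example, not the post's own script. ImageRuntimeVersion is the minimum
# CLR the assembly targets (v1.1.4322, v2.0.50727, v4.0.30319); it does not say
# what the newest supported runtime is, which is the limitation noted above.
function Get-ClrVersionReport([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File | ForEach-Object {
        $file = $_
        try {
            # Reflection-only load reads metadata without running any code.
            $asm = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($file.FullName)
            $runtime = $asm.ImageRuntimeVersion
        } catch [System.BadImageFormatException] {
            $runtime = '(not a managed assembly)'       # native exe/dll
        } catch {
            $runtime = "(error: $($_.Exception.Message))"
        }

        # app.config can pin the runtimes the app accepts; that is the only hint
        # at an upper bound the binary itself will not give you.
        $supported = ''
        $config = "$($file.FullName).config"
        if (Test-Path $config) {
            [xml]$xml = Get-Content $config -Raw
            $supported = ($xml.configuration.startup.supportedRuntime |
                ForEach-Object { $_.version }) -join ','
        }

        [pscustomobject]@{
            File             = $file.FullName
            MinRuntime       = $runtime
            SupportedRuntime = $supported
        }
    }
}

# Anything built for v2.0 or later can be set aside; only v1.x hits need a closer look.
$report = Get-ClrVersionReport -Root 'C:\PLACEHOLDER\AppRoot'
$report | Sort-Object MinRuntime | Format-Table -AutoSize
$report | Where-Object { $_.MinRuntime -like 'v1.*' }
```

Run it against every directory the server’s services and scheduled tasks launch from, not just Program Files, since the 1.1 dependency is most likely in something nobody documented.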