DNS describes the structure of resources on the internet. It can provide lots of valuable information about (attacker or target) infrastructure. However, in order to query DNS records, you must already know the exact domains or subdomains to query. When examining unknown infrastructure, this is not practical. On top of that, DNS records can change often, so historical information is lost. Passive DNS databases help solve both of these problems. Farsight Security DNSDB is the largest passive DNS database in the world. With DNSDB, you can answer questions like “How has this network infrastructure changed over time?”, “What other domains and subdomain point (or have pointed to) this IP address?”, “What are the subdomains and resource records for this domain?”
The Domain Name System (DNS) is best known as the way domain names are converted into IP addresses that clients connect to, but there are many other uses for DNS. Read on to learn more.
Recently I analyzed a credential harvesting page with some interesting characteristics that made a great teaching moment. In this post, I’ll go over how I used the developer tools built into Microsoft Edge to examine the credential harvesting page.
certbot utility by the Electronic Fronter Foundation (EFF) can use DNS authentication to obtain, install, and renew free trusted SSL certificates on a variety of webserver configurations, including a nginx reverse proxy.
This configuration can be used on internal and external websites. It is particularly useful in situations where you want to have a trusted certificate for an internal web application without the time, effort, and risks of creating and maintaining your own internal Certificate Authority (CA).
As an example, this guide will explain how to configure nginx with a trusted certificate to act as a reverse proxy in front of a Unifi Controller.
Based on published source code and conversations with the woman behind the Parler dump (donk_enby on Twitter), I can completely explain how the Parler data was acquired, and why it was legal. The story making the rounds on Reddit claiming that she somehow hacked Parler and got admin access is third-hand bad techno-madlibs fiction. What she actually did was reverse-engineer the protocol (API) used by the Parler iOS app to communicate with the website backend.
I was born with cerebral palsy — neurological damage from a lack of oxygen to the brain at birth. Each person with this condition is affected differently, and to varying degrees. Some may have balance issues; others may have mental impairments. For me and many others, cerebral palsy causes muscle spasticity. In my case, my muscles are so tight that my range of motion is very limited. Practically, the biggest impacts for me are not being able to walk without assistance, drive, or write legibly at all.
Despite these challenges, I have a high-paying, stable job in information security for one of the largest medical and pharmaceutical distributors in the world. I am acutely aware of two things: how critical our role is in ensuring that hospitals get the supplies they need during the COVID-19 pandemic, and how privileged I am to still be working during a time when most businesses have been required to close, leading to historic levels of unemployment.
I have lived in Ohio all my life. I have voted in person for nearly every election since I turned 18. The COVID-19 pandemic has changed lives around the world, and has caused many states to conduct voting almost entirely by mail, including Ohio. I have found that Ohio’s process for absentee voting is needlessly difficult or impossible for voters like me. Ohio’s Secretary of State has made exceptions so that people with disabilities are permitted to vote in person at their local county Board of Elections on voting day. However, they risk catching or spreading the virus that way. Some changes are needed to make Ohio’s elections better for everyone, regardless of ability or party affiliation.
If you receive a fraudulent email, can be very useful to send a full forensic copy to an organization that is being spoofed, industry partners, and law enforcement.
When a user clicks forward in a mail client, the client copies the message’s content and attachments to a new message. The original message headers are not included.
In order to send a full forensic sample that includes the original message headers, the original message must be sent as an attachment in a new message. The process for doing this varies by mail client.
Email headers contain very useful information for tracing a message’s origin and troubleshooting its delivery. Email headers are written with the oldest headers at the bottom, and the newest headers at the top. By reading the headers in the correct order, you can see how the message was passed from one mail server to another, and the actions each mail server took along the way.
Most email clients have a function to display a message’s headers. The exact steps depends on the client. In most cases, this requires the desktop version of the client.
I have written extensively about the DMARC email security standard, including publishing a comprehensive guide on how to implement it, with or without additional third party vendors. I also do a little consulting on DMARC deployment best practices. One of those consulting clients uses Proofpoint for their email gateway. They also use Dmarcian, a reasonably priced DMARC report analytics service that also publishes a ton of public content for the good of the community. We were considering moving the client’s DMARC policy from monitor only (p=none) to an enforced state (p=reject) after many hours of steadily improving the SPF and DKIM alignment of their email sources. As I took another look at the aggregate (rua) DMARC data in Dmarcian, I noticed something odd: Dmarcian was getting aggregate reports from all of the expected third party email recipients, like Google, Yahoo, Comcast, and the client’s industry partners, but I didn’t see any reporting from the client’s own Proofpoint gateways.
Emotet is a Trojan designed to steal banking information. It is frequently spread by sending phishing emails to governments, banks, healthcare organizations, and schools. The phishing emails will often claim to be an invoice, with a malicious Microsoft Word document attached. The email may often appear to be from a trusted supplier. Once the attachment or link is opened, the target is prompted to click “Enable content”, which would allow the dropper to install Emotet.
I recently encountered two Emotet dropper samples (0b9ccb04553ba5f1ce784630ef9b2c478ed13a96e89c65dcd9c94205c235ea12 and eff6619aee017ee5d04c539ff12c63a199a1e489660f7156b95e562667393d3c) that would not run correctly in my malware sandbox. I soon found the cause of the problem: the file type had been detected as a generic XML file, rather than what it really is: a Microsoft Word document.