New spam botnet?

I run my own domain name(s) and E-mail servers. It’s not that hard to do, and you should really consider it, instead of handing over your domains and E-mails to some ‘free’ service provider like Google (remember: if something is free, you are the product).

This, of course, means that I can change and tune everything to my liking. For instance, I use ClamAV, SpamAssassin, Spamhaus, SPF, DKIM, DMARC and Sieve to severely cut down on the amount of spam/malware that makes it into my family’s/friends’/own mailboxes. In fact, maybe one or two mails actually make it through the filters on a monthly basis – it’s nice to look at the statistics 😉 I like to auto-blacklist the hosts (hosts.deny) that try to send spam as well.

Interestingly, in the past two weeks I’ve gone from +/- 30K of those blacklisted hosts to over 70K. Considering that those 30K hosts took many months to collect, more than doubling the amount in the span of just two weeks is quite unusual. I dug into the mail logs and discovered the following so far:

  • It’s all individual hosts, doing one attempt only
  • The hosts are located all over the world, although they primarily come from China, Russia, the former Soviet bloc and Brazil
  • Almost 100% of these hosts are already blacklisted on the zen.spamhaus.org list
  • The forged ‘From:’ header follows the same pattern, <randomfirstname>.<randomnumber>@<somedomainname>. Examples are: Summers.6182@pmcvideoproductions.com, Crane.148@florentina.ro
  • Connections appear in batches, but are evenly spaced in time: roughly 5-6 seconds per connection attempt
  • The E-mails contain the usual malware/phishing attempts (Locky, other ransomware).

Seems like a new spam botnet came online.
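As an added illustration of the log triage described above (this script is mine, not part of the original post): it parses a few constructed Postfix smtpd reject lines, flags senders matching the Firstname.number@domain pattern, checks whether each hit was a single attempt from a Spamhaus-listed host, measures the spacing between hits, and emits the matching hosts.deny entries. The sample log data, the log year and the example.org mailbox are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Postfix smtpd reject lines (not real log data).
LOG = """\
Mar 14 10:02:11 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<Summers.6182@pmcvideoproductions.com> to=<me@example.org> proto=ESMTP helo=<203-0-113-5.example>
Mar 14 10:02:17 mx postfix/smtpd[2203]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 Service unavailable; Client host [198.51.100.77] blocked using zen.spamhaus.org; from=<Crane.148@florentina.ro> to=<me@example.org> proto=ESMTP helo=<host77.example>
Mar 14 10:02:22 mx postfix/smtpd[2204]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 Service unavailable; Client host [192.0.2.9] blocked using zen.spamhaus.org; from=<Baker.9021@example.net> to=<me@example.org> proto=ESMTP helo=<host9.example>
Mar 14 10:02:28 mx postfix/smtpd[2206]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<Summers.6182@pmcvideoproductions.com> to=<me@example.org> proto=ESMTP helo=<203-0-113-5.example>
Mar 14 10:05:40 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.50]: 450 4.1.8 <bob@partner.example>: Sender address rejected: Domain not found; from=<bob@partner.example> to=<me@example.org> proto=ESMTP helo=<mail.partner.example>
"""

# Timestamp, connecting client IP and envelope sender of a reject line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?RCPT from [^\[]*\[(?P<ip>[\d.]+)\]"
    r".*?from=<(?P<sender>[^>]*)>"
)
# The observed forged From: pattern: <Firstname>.<number>@<domain>
PATTERN_RE = re.compile(r"^[A-Z][a-z]+\.\d+@[\w.-]+$")

def parse(log, year=2016):
    """Turn reject lines into events; syslog lines carry no year, so assume one."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "sender": m["sender"],
                       "spamhaus": "zen.spamhaus.org" in line})
    return events

def campaign_hits(events):
    """Events whose forged sender matches the Firstname.number@domain pattern."""
    return sorted((e for e in events if PATTERN_RE.match(e["sender"])),
                  key=lambda e: e["ts"])

def summarise(log):
    events = parse(log)
    hits = campaign_hits(events)
    attempts = Counter(e["ip"] for e in events)       # attempts per client IP
    gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(hits, hits[1:])]
    return {
        "hits": len(hits),
        "single_attempt": sum(1 for e in hits if attempts[e["ip"]] == 1),
        "spamhaus_listed": sum(1 for e in hits if e["spamhaus"]),
        "gaps_seconds": gaps,                          # spacing between hits
        "hosts_deny": sorted({f"ALL: {e['ip']}" for e in hits}),
    }
```

Run it against a real mail log by replacing LOG with the file contents; hosts.deny entries are deduplicated so a repeat offender is listed once.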

Posted in DHCP | Comments Off on New spam botnet?

UCD Master’s Programme in Digital Investigation and Forensic Computing

Introduction

Friday August 12th marked the end of my 2-year part-time study at UCD’s M.Sc. in DIFC with me handing in the final paper for the Digital Investigation project. Since my previous employment was as a University College lecturer, I thought I would do a write-up on how I’ve experienced DIFC from my own perspective as an educator, student and professional in this field. Please note that the course content follows the part-time study model (2 years) and my opinions/thoughts might not be indicative of what full-time students experience.

Signing Up

Signing up for DIFC is a multi-stage process, consisting of submitting a request for enrollment accompanied by two qualified references. After being accepted, you need to complete an exam with a follow-up interview. The exam covers a wide variety of IT-related subjects (in my case: anything from programming algorithms to OS memory management to database engineering), and you only get an hour to complete it. Cheating is pointless/impossible: the exam is only handed out at the moment the hour starts, and is immediately followed by the interview. After I had completed the exam, the interviewers called me on Skype to go through the exam questions step-by-step, asking for the answers and my explanation/reasoning. I wouldn’t say the exam is difficult per se, but it might be advisable to do a refresher course on some of the subjects.

If successful, you’re officially enrolled and you start to receive E-mails on signing up for classes, your UCD account, paying fees, etc. This is where DIFC could certainly improve: particularly for foreign/international students, who are not ‘on-campus’ or have not been at UCD before, it can be a bit of a mystery where all relevant information is accessible. Perhaps an early online classroom session where you are guided through setting up the most basic stuff would help?

Module & Course Formats

The actual courses are laid out in a quarter/semester form. The starter courses are more entry-level, designed to get everyone up to the same level of knowledge. Progressively, the courses get more difficult and continue to combine and build on the knowledge that was acquired earlier. Particular module/course highlights for me were the IT Law module by TJ McIntyre, the Information Security course parts by Michael Harris and the reverse engineering classes by Dr. Gladyshev:

  • I’ve always been interested in IT Law, and TJ is a particularly engaging lecturer, extremely knowledgeable and was always willing to extensively answer questions that came up. The IT Law module is tough (prepare to write a LOT of papers) but very rewarding and very informative!
  • Michael’s course stood out due to the pentesting theory classes and practical assignment – we were gradually taught about all the types of security issues that can present themselves in web development, and the accompanying assignment consisted of writing a pentest report on a virtual environment that we were allowed to pentest in any way we wanted (within reason: don’t break stuff for your fellow students).
  • The reverse engineering was extremely difficult in some ways; despite having some pre-existing knowledge of assembly and seeing good examples during the lectures, it was just hard work implementing the knowledge in practice. The assignment consisted of being given an executable file, individually compiled and unique for each student, that was exhibiting ‘malware behaviour’. During the classes, we were instructed in the basic usage of IDA (Free version) and OLLYDBG to debug executables, but this was somewhat superficial and it took me quite some blood, sweat and tears to finish the actual assignment. On a funnier note, I did figure out how to leverage the information from the provided malware in other, destructive ways, leading me to send a responsible disclosure to Dr. Gladyshev on a late Friday night 😉

The lessons themselves are simultaneously ‘live’ in the actual classrooms and in an online (AdobeConnect) environment. It makes the part-time and remote students feel ‘part of the classroom’ and connect with the full-time students, which is great! Generally this worked well, but the initial courses suffered a bit from poor video/audio setup. This was partially due to the quality of the technical equipment, partially due to poor internet connectivity. Regardless, this only happened a few times and the quality was generally quite good. Presentations were a combination of theoretical concepts, mixed with practical assignments and discussion, which made for an engaging classroom experience.

Exams & Assessments

On average, 2-4 exams are handed out per course, which are graded American-style: F, D, C, B, A with +’s and -‘s, D being a minimum ‘passing grade’. The exams wildly vary in type (which I consider a good thing!) and size: anything from a short paper to a full-blown pentest report. Although most of DIFC is possible through remote studying, some exams require you to be present – at least two visits to Dublin are required. Notable moments are the on-site exams around December and March, as well as the forensic interview/search & seizure/courtroom workshops. The dates for these required visits are communicated well in advance. Nevertheless, it is highly recommended to still book flights & accommodation as early as you can: Dublin is a popular city and prices can fluctuate strongly, particularly during conference season (as happened with my visit(s)). The last DIFC course module is the Digital Project, where you are required to come up with a practical research project in the field of Digital Forensics. The examinations for this are different; rather than individual assignments, you report on the different milestones of your project: doing a literature study, building a proof of concept, evaluating the results and writing an academic-quality paper.

Summary

The M.Sc. programme is well worth the one (full-time) or two (part-time) year(s) of your life. Issues over the last two years were non-existent or minor, but they were at least readily explainable and understandable from a practical / logistics / educational point of view (at least in my opinion). Where I think DIFC could be improved is the communications, course theory and assistance:

  • Getting up to speed as a ‘new’/’new-to-UCD’ student was slow and we had to figure out a lot of things for ourselves.
  • Course theory did not always match the same level of depth as the practical assignment that was connected to it. While not a necessity, it would be good if the assistance (e.g. through the Ph.D. students) for some of the subject matter (reverse engineering – see above) would be more accessible and easier to plan.
  • Scheduling appointments felt very ad-hoc and doing this over E-mail was inefficient, at best – perhaps some centralized method of scheduling could help?

The M.Sc. in Digital Investigation and Forensic Computing truly shines in its hands-on, practical approach and the engaging content and lessons.

Acknowledgements

I would like to thank everyone who has helped to make the years at UCD simply awesome:

  • UCD: Pavel, Babak, Mike, TJ, Andy, Mark, Owen, Lee
  • Fellow UCD students & friends: Michel, ‘The Three Dan-s’, Andrea, Bushra, Louw, Andy, Mitchell, Robert
  • Family & friends: Eva, Oscar, Jan, Carla, Hans, Elmer, Toni, my parents
  • Everyone at KPN and the HvA that made it possible for me to do this study!

I hope I didn’t forget anyone in this list. If I did: sorry, tell me!


Forged messages in Skype Chat (resolved!)

When I logged into Skype this morning, I received a message from an old colleague/friend I still occasionally chat/lunch with:

...] xxxxxx: http://goo.gl/3RVgvc?32017=[myusername]

Now, obviously I would never click on this (please don’t click on it either!), as it immediately rings several alarm bells. A quick investigation with a URL expander proved my suspicions: it leads to a referral spam/survey website.

What struck me as odd, was that this friend ‘knows his stuff’ and would never let himself be tricked into participating in these scams, click on random links, fall victim to trojans/malware, etc.

As soon as he came online, I pointed out that there might be something wrong with his Skype account. He immediately jumped to action and quickly determined that his system was squeaky clean. Even more importantly, his computer was, in fact, turned off at the time of this message. This left us with three options:

  1. Maybe his Skype-account had been brute-forced? This seemed extremely unlikely, as he uses a randomly generated strong password (everyone should)
  2. LastPass had been compromised. This was also exceedingly unlikely, as this would require an additional strong password and possession of his Yubikey… (really, he knows his stuff ;))
  3. So, that left us wondering if something was up with Skype…?

He contacted Skype support and the transcript(*) was interesting, to say the least:

 Arlene Joy R: at 8:52:14 - Well actually, no one hacked your account
 Arlene Joy R: at 8:52:27 - Thank you for bringing this to our
                            attention
 Arlene Joy R: at 8:52:49 - we are actually aware of this concern,
                            where links are sent to all of your
                            contacts
 Arlene Joy R: at 8:52:57 - this is the spam virus
 Arlene Joy R: at 8:53:17 - Let me assure you that Skype is already 
                            on top of this situation and we’re doing
                            the best we can to rectify this.
 You:          at 8:53:15 - sorry my computer was turned off at time
                            of spreading
 You:          at 8:53:30 - how can the computer sent links if it
                            is turned off and nobody has my
                            password?
 Arlene Joy R: at 8:54:04 - yes that is correct there are cases that
                            it was sent even if you are not logged
                            in on your computer

This was followed by the Skype Support Engineer giving instructions to unlink all applications from Skype(**), wiping all of Skype’s application and temporary files and the chat history.

Update 1: another friend also reported receiving the same message.

So, does anyone have an idea what’s going on?

Update 2: a Microsoft/Skype engineer contacted me to figure out what was going on.

Apparently this is a known issue with Skype accounts that might have been linked to e.g. old Hotmail-accounts, or a disconnect (no synchronization) between an old Skype password and an MSA password. In short, if your password to one of these old accounts is compromised, it can also be used to login to Skype. Yes, you read that correctly: you can have multiple working passwords for one Skype account/username!

Thanks to Microsoft for contacting me about this. I’m not sure how I feel about the possibility, in principle, of having multiple working passwords for a single Skype account, but at least it’s good to know how to mitigate this issue if you’ve been affected.

TL;DR: If you’ve used Skype for many years, it might be linked to old Microsoft accounts (e.g. Hotmail): make sure you are using strong passwords for those old accounts to prevent malicious logins on Skype as well.

(*) transcripts were cleaned up and reformatted for legibility
(**) Messenger+/MirandaNG: only worked locally and weren’t compromised either


DHCP Network Solutions

What is this site about?

If you arrived here by accident or curiosity, click here for more information about this website.

What is ‘DHCP’ anyways?

The Dynamic Host Configuration Protocol (DHCP), defined in RFC2131, automatically assigns IP addresses to computer systems on a network. Basic information on getting started with DHCP is available on this website. For simple use of IPv6 in networks, DHCPv6 is no longer necessary; it can be easier to use RADVD (which employs the ICMPv6 protocol). Of course, one might still use DHCPv6 for specific static assignments etc. Clients ask the network for configuration information (known as Router Discovery), and IPv6 routers answer with a Router Advertisement packet that contains the appropriate settings. Consequently, you should normally never block ICMP traffic on IPv6 networks.

About me

More information about me and my work is available under the Portfolio tab.
