The Devious Netflix Phish That Just Won’t Die


The email hits your inbox with an urgent warning: Your Netflix account has been suspended, due to a problem with your billing information. It offers a link, which takes you to what looks very much like a Netflix landing page. It’s not. Instead, it’s a phishing scam that collects extensive personal data on victims.


Managing the Global Query Block List

Source here. Extremely wordy, but I thought it was interesting how M$ is like, “uh, we can’t really prevent someone from hijacking DNS requests like this, so here’s a block thingy.”


The dynamic update feature of Domain Name System (DNS) makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records. This convenience comes at a cost, however, because any authorized client can register any unused host name, even a host name that might have special significance for certain applications. This can allow a malicious user to take over a special name and divert certain types of network traffic to that user’s computer.

Two commonly deployed protocols are particularly vulnerable to this type of takeover: the Web Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured to use them are vulnerable to the takeover that DNS dynamic update enables. To help prevent such a takeover, the DNS server role in Windows Server 2008 includes a global query block list that can help prevent a malicious user from taking over DNS names that have special significance.

Most Web browsers use WPAD to locate and apply configuration settings that make it possible for the Web browsers to use a network proxy server. These configuration settings are contained in a file that is located on a server. A browser locates this server by querying a Dynamic Host Configuration Protocol (DHCP) server for the URL of the network’s WPAD server. If this query is not successful, the browser attempts to locate the WPAD server by using standard DNS name-resolution queries.

For example, if the Web browser is running on a Windows-based computer named laptop.acctg.corp.contoso.com, the browser attempts to find the WPAD configuration file by looking for the following URLs:

http://wpad.acctg.corp.contoso.com/wpad.dat
http://wpad.corp.contoso.com/wpad.dat
http://wpad.contoso.com/wpad.dat

When the browser locates the Wpad.dat file at any of these locations, it reads the contents of the file and then configures itself according to the settings in the file.

Unfortunately, you cannot secure this automatic discovery process. Any computer that is registered in a DNS zone with the name wpad can provide a WPAD configuration to clients on the network, even if the file contains settings that cause the clients to use a fake proxy server, for example, to divert the client’s Web browser to counterfeit Web sites. The dynamic update feature of DNS makes it possible for a malicious user to accomplish this without requiring the intervention of a DNS system administrator simply by giving a computer the name wpad and then connecting it to the network. As long as there is no other computer in the zone with the same name, the computer of the malicious user can register its name with the DNS server that is authoritative for its zone and then direct all WPAD queries to itself.

The block list feature that is provided by the DNS server role in Windows Server 2008 helps prevent the takeover of WPAD by ensuring that queries for WPAD servers always fail unless WPAD is excluded from the block list.

ISATAP provides a transition between networks that are based on IP version 4 (IPv4) and networks that are based solely on the newer IP version 6 (IPv6). ISATAP provides this transition by using a tunneling approach to carry IPv6 traffic on an IPv4 infrastructure. In other words, ISATAP encapsulates IPv6 packets with an IPv4 header, which makes it possible for the IPv6 packets to be transmitted through a single ISATAP router from one ISATAP-enabled host to another. This transmission occurs wherever the hosts are located on the network, regardless of whether the hosts are located on an IPv6-enabled subnet or on an IPv4-only network.

ISATAP does not support automatic router discovery. Instead, ISATAP hosts use a potential routers list (PRL) to discover available ISATAP routers. Most commonly, ISATAP hosts construct their PRLs by using DNS to locate a host named isatap on the local domain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtain the IPv4 address of a host named isatap.corp.contoso.com.

Consequently, a malicious user can spoof an ISATAP router in much the same way as a malicious user can spoof a WPAD server: A malicious user can use dynamic update to register the user’s own computer as a counterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the network. To prevent this, the Windows Server 2008 DNS Server service blocks name resolution of the isatap host name by default.

In its default configuration, the Windows Server 2008 DNS Server service maintains a list of names that, in effect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative. To accomplish this, the DNS Server service first checks queries against the list. Then, if the leftmost portion of the name matches an entry in the list, the DNS Server service replies to the query as though no resource record existed, even if there is a host (A or AAAA) resource record in the zone for the name. In this way, if a host (A or AAAA) resource record exists in the zone because a host has used dynamic update to register itself with a blocked name, the DNS Server service does not resolve the name.

The block list automatically applies to all zones for which the server is authoritative. For example, if the DNS server is authoritative for contoso.com and for europe.contoso.com, it ignores queries for wpad.contoso.com as well as for wpad.europe.contoso.com. However, the DNS Server service does not ignore queries for names in zones for which it is not authoritative. Specifically, the DNS Server service does not ignore queries that it receives through a forwarder or a stub zone or as a result of normal recursion or forwarding. If the block list causes the DNS Server service to ignore a request for a resource record that does exist in a zone, it logs an event that explains why it did so. This event is logged only once after the DNS server has been restarted to prevent the event log from being flooded by an attempted denial-of-service attack.

Important
All DNS servers that are authoritative for a zone must be running Windows Server 2008, and they must be configured with the same block list to ensure consistent results when clients query for resolution of names in the block list. The block list is a per-server setting and is not replicated between servers.

Because the DNS Server service applies the block list for all resource records, not just host (A or AAAA) resource records, it ignores queries for such resource record types as mail exchanger (MX) and service locator (SRV) resource records. However, because the DNS Server service does not apply the block list to zone names themselves, an administrator can create a zone named wpad.contoso.com, for example, and add host resource records to that zone. In this case, the DNS Server service continues to resolve host names in the wpad.contoso.com zone.

The initial contents of the block list depend on whether WPAD or ISATAP is already deployed when you add the DNS server role to an existing Windows Server 2008 deployment or when you upgrade an earlier version of Windows Server running the DNS Server service. You can use the procedures in this task to view and update the contents of the global query block list as well as to enable or disable the global query block list.

To complete this task, you can perform the following procedures:

View the global query block list
Update the global query block list
Enable or disable the global query block list

This article assumes your DNS zone is Active Directory-integrated, so dynamic DNS updates are turned on and, as a consequence, the block list applies to it. You can always create a zone with dynamic updates disabled if needed.
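The three procedures above (view, update, enable/disable) mapped onto the DnsServer PowerShell cmdlets, as an added example that is not part of the Microsoft article or this post. It assumes Windows Server 2012 or later, the article's placeholder zone contoso.com, and that the zone's NS records name every authoritative server; it loops over all of them because the block list is per-server and not replicated, and finishes with a check for wpad/isatap host records that a client may already have registered via dynamic update.

```powershell
# Added example, not from the article or the post. Assumes the DnsServer module and
# an AD-integrated zone; contoso.com is the article's placeholder, replace it.
$ZoneName = 'contoso.com'
$Desired  = @('wpad', 'isatap')   # the default list from the article

# Enumerate the zone's authoritative servers from its apex NS records
# (trailing dot stripped so the names work as -ComputerName values).
$Servers = (Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS |
            Where-Object { $_.HostName -eq '@' }).RecordData.NameServer.TrimEnd('.')

foreach ($Server in $Servers) {
    # View: the current per-server list and whether it is enabled
    $Current = Get-DnsServerGlobalQueryBlockList -ComputerName $Server
    Write-Host "$Server : Enable=$($Current.Enable) List=$($Current.List -join ',')"

    # Update / enable: make every server match, since the setting is not replicated
    if (-not $Current.Enable -or (Compare-Object $Current.List $Desired)) {
        Write-Warning "$Server differs from the desired block list; correcting"
        Set-DnsServerGlobalQueryBlockList -ComputerName $Server -List $Desired -Enable $true
    }
}

# Detection: an A/AAAA record named wpad or isatap in the zone means a client registered it
# through dynamic update. The block list stops it resolving, but the record is still worth review.
foreach ($Name in $Desired) {
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordType -in 'A', 'AAAA' } |
        ForEach-Object {
            $Addr = if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address } else { $_.RecordData.IPv6Address }
            Write-Warning "$Name.$ZoneName is registered in the zone, pointing at $Addr"
        }
}
```

To disable the list on a server instead, the same cmdlet takes -Enable $false; an empty -List with -Enable $true likewise blocks nothing.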


10 Technological Things You Aren’t Doing Right


  1. You don’t have antivirus software on your phone. You’re getting smarter and locking down your accounts that you use on your desktop/laptop PC, and yet for some reason you’re not doing the same thing on your phone, which you use more often. Phones are just handheld computers with calling capabilities, so why are you being so lazy with securing it? Put Sophos on it. Now. Right now.
  2. You’re not paying attention to your saved credit card and login info and clearing it out. On your PC: Control Panel -> Credential Manager. In Chrome: 3 dots in the top-right corner, Settings -> Advanced, Manage Passwords. If you don’t want someone else to have it, clear it out.
  3. Speaking of – you’re not using Chrome to its fullest potential. 3 dots in the top-right corner, Settings -> Advanced, “Use hardware acceleration when available” damn well better be turned off, unless you enjoy your .gifs and videos not loading. You’re not using enough extensions: Adblock/Adblock for YouTube. Empty New Tab Page. Auto History Wipe.
  4. You don’t change your login information to your router/generally don’t have a damn clue what your router is and how to use/configure it. It’s literally the heart of your home internet capability and you think it’s just some magical box. Change your default logins. Lock down your WiFi. Disable remote administration. If you don’t know how to do any of this, you have succeeded in letting your ISP control your house.
  5. You don’t reboot your electronics when shit breaks. It’s insane to me how “Have you tried restarting?” is probably the most well-known joke people make to IT people and then don’t do it. If it runs on electricity and it stops working and it has the capability to be restarted, you need to do it.
  6. You don’t update your OS on your PC or phone. If you aren’t installing updates, you may as well just let everyone right on in to your shit. Yes, sometimes updates break things and make it look different and change is scary. But you know what’s even more scary? Someone encrypting all your files and demanding BitCoin to unlock them all because you didn’t patch a vulnerability. That’s your fault.
  7. You don’t maintain your PC. You don’t run disk cleanup or CCleaner regularly. You don’t defrag your HDDs. You don’t run anti-malware scans and clean out the remnants of the shady shit you look at. You don’t open up the case and blow the dust out. PCs are like cars, and if you don’t clean them up they’re going to bog down and you’re going to think it’s broken when it’s not. Or, it may actually be broken and require a wipe & reload because you let it get so bad. All of this is preventable, and should be done for something you spent 4-figures on.
  8. You don’t know enough about the technology you use. You have no idea how many times I have to console grown-ass adults because they don’t know how to use the technology they bought. You don’t buy a car you don’t know how to drive, so why are you buying tech you don’t have the first clue about? And don’t give me that “Geek Squad told me I needed it” bullshit, because you should know better in 2017. Read reviews. Research. Ask someone you know who does have a background in technology. Don’t just blindly spend a couple stacks on some new tech that is going to make you look like an idiot, because people like me are going to have to suffer explaining it to you.
  9. You don’t back your data up to somewhere else. If you have something you can’t afford to lose on a device with internet access, you damn well better have it in more than one place. You don’t even have to pay anything these days – use DropBox or Google Drive or something. There is no excuse to lose any of your data, because all of it is able to be replicated somewhere else. Your physical media should be digitized and backed up off-site. Your local data should also be remote. Set up 2-way synchronization so you never have to worry about it. If these words are intimidating, then find someone who can decipher this for you.
  10. You don’t invest in upgrades when you need to. Upgrade your router when it can’t handle the amount of concurrent connections you’re throwing at it. Get more bandwidth for your 4K streams of… Add more RAM, an SSD, or get a completely new machine if you need to. It’s not because the hardware magically decomposes; it’s because what you demand of the hardware can’t handle how fast technology is evolving. It’s the equivalent of standing there yelling at your old dog for not being able to play with you anymore because it’s old. You just look like a jerk – that thing served you well in its prime, but all good things must come to an end and you as an end-user either have the choice to accept your place behind the curve or to upgrade.

    How will you know when to upgrade? When an inanimate object ruins your day.

File Permissions and You: UAC Edition


If you’ve ever tried to access a folder (e.g. someone else’s profile in C:\Users) and still get prompted by UAC even though you’re logged in as a domain admin, this is by design and a limitation of UAC. If the folder grants access through the built-in security groups (Administrators), you’re going to get the prompt; when you hit Continue, Windows goes through every file and permanently adds your account to the ACL of every file in the folder. Maybe this isn’t a big deal for a small user folder, but on something like a network share that is using DFS-R, this can ruin your day pretty quickly as Windows sets your permissions on every file across the entire file structure.

The quickest way to get your permissions straight is to add your account to a custom security group that does have access, as UAC does not prompt unless the access would come through the built-in Administrators group. Yes, this can be disabled via the registry and local security policy (https://www.virtualizationhowto.com/2015/07/windows-10-edge-opened-builtin-administrator-account/), but you really shouldn’t be doing that.

An in-depth explanation on how UAC and ACLs work together can be found here: https://support.microsoft.com/en-us/help/950934/when-you-click-continue-for-folder-access-in-windows-explorer–your-us

That being said, a combination of a /r takeown (https://technet.microsoft.com/en-us/library/cc753024(v=ws.11).aspx) & a /t icacls (https://technet.microsoft.com/en-us/library/cc753525(v=ws.11).aspx) is always going to be faster than Windows trying to set permissions. It’s safer as well, as you can generally Ctrl+C the process for those commands and know what all you’ve affected as opposed to hitting continue on the UAC and being forced to cancel it and having your permissions in an inconsistent state requiring you to completely re-do the entire thing. Happy troubleshooting!
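The takeown /R plus icacls /T combination from the post, written out as an added example (not the post's own commands) with a save of the existing ACLs first and a check afterwards. $Path and $Group are placeholders; $Group should be the custom security group that already has access, not BUILTIN\Administrators, which is what keeps UAC out of the loop.

```powershell
# Added example, not from the post. Placeholder path and group; replace both.
$Path  = 'D:\Shares\Projects'
$Group = 'CONTOSO\FileAdmins'

# Save the current ACLs first. "icacls <dir> /restore <file>" can put them back if a run
# has to be interrupted with Ctrl+C part-way through the tree.
$Backup = Join-Path $env:TEMP 'projects-acl-backup.txt'
icacls $Path /save $Backup /T /C

# /F target, /A give ownership to the Administrators group rather than to you personally,
# /R recurse, /D Y answers the "take ownership of this directory?" prompt non-interactively.
takeown /F $Path /A /R /D Y

# (OI)(CI)F = full control inherited by child files and folders; /T recurse; /C continue on errors.
# ${Group} is braced because "$Group:" would otherwise be parsed as a scope qualifier.
icacls $Path /grant "${Group}:(OI)(CI)F" /T /C

# Verify: anything under $Path whose ACL still does not name the group.
function Get-ItemsMissingGroup {
    param([string]$Root, [string]$Identity)
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { (Get-Acl -Path $_.FullName).Access.IdentityReference.Value -notcontains $Identity } |
        Select-Object -ExpandProperty FullName
}
Get-ItemsMissingGroup -Root $Path -Identity $Group
```

Unlike hitting Continue on the UAC prompt, each step here prints the files it touched, so an interrupted run leaves you knowing exactly where it stopped.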

Tuesday Windows Security Updates Break User Machines: Fix Enclosed


A problem with the way that Microsoft released some of this week’s Patch Tuesday updates caused some users’ PCs and servers to blue screen, hang and/or fail to reboot.

To resolve this, input the following commands in the advanced repair options command prompt, and remove every update that’s pending:

Dism /Image:C:\ /Get-Packages
Dism /Image:C:\ /Remove-Package /PackageName:Package_for_KB######

The KB # in question is KB4041691, 2017-10 Delta Update for Windows 10 (1607) and Windows Server 2016, and appears as the following in DISM:

Rollupfix_wrapper~31bf3856ad364e35~amd64~14393.1770.1.6
Rollupfix~31bf3856ad364e35~amd64~14393.1770.1.6
Rollupfix~31bf3856ad364e35~amd64~14393.1715.1.10
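Picking out only the pending packages from the Get-Packages output, as an added example that is not part of the post. It assumes a recovery environment that has PowerShell available (stock WinRE offers only the command prompt, so this is equally usable from a full Windows session servicing an offline image). The DISM output below is constructed; the package identity is a placeholder built around the KB and build number the post names, not a value copied from a real system.

```powershell
# Added example, not from the post. Parses "Dism /Image:C:\ /Get-Packages" text and builds
# one /Remove-Package command per package whose state is pending.
function Get-PendingPackageIds {
    param([string[]]$DismOutput)
    $pending = @()
    $id = $null
    foreach ($line in $DismOutput) {
        # DISM prints "Package Identity : <id>" followed a few lines later by "State : <state>"
        if ($line -match '^Package Identity\s*:\s*(\S+)') { $id = $Matches[1] }
        elseif ($line -match '^State\s*:\s*(.+)$' -and $id) {
            if ($Matches[1].Trim() -like '*Pending*') { $pending += $id }
            $id = $null
        }
    }
    return $pending
}

function New-DismRemoveCommands {
    param([string[]]$PackageIds, [string]$Image = 'C:\')
    # Returned as strings so they can be reviewed before anything is executed
    $PackageIds | ForEach-Object { "Dism /Image:$Image /Remove-Package /PackageName:$_" }
}

# Constructed sample; on a real system use:  $raw = Dism /Image:C:\ /Get-Packages
$raw = @(
    'Package Identity : Package_for_KB4041691~31bf3856ad364e35~amd64~~14393.1770.1.6'  # placeholder identity
    'State : Install Pending'
    'Package Identity : Package_for_KB0000000~31bf3856ad364e35~amd64~~0.0.0.0'          # placeholder, already installed
    'State : Installed'
)
$pending = Get-PendingPackageIds -DismOutput $raw
New-DismRemoveCommands -PackageIds $pending   # yields one command, for the pending KB4041691 placeholder only
```

Review the printed commands, then run them (or pipe them to Invoke-Expression) once you are satisfied only pending packages are listed.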
