Tuesday, June 27, 2023

Hold tight, the Cheapbyte is rustling up a rant. Zero trust, ha.

 

Thursday, June 15, 2017

Office 365 Investigating activity

Office 365 Enterprise E3 with Enterprise Mobility + Security sounds good on paper, but Microsoft has a way to go on unified logging and searching. I will do my best to make it clear where to look and what you can find. Also note that you might as well look at all three sources to make sure you didn't miss something. Thanks, Microsoft.

Azure logs
https://portal.azure.com/
Azure logs can go back 30 days

Skype
Only shows Skype access via web browser; client access is not logged

OneDrive
Shows web access
Shows client sync engine activity

Exchange
Client access
Web browser access

SharePoint
Web browser access

Teams
Shows application access, listed as Windows 7 Media Center

Azure
Portal login


PowerShell unified audit log search (Search-UnifiedAuditLog)
You would think this has all the logs. WRONG.
You only seem to get 15 days back even though you can specify 30.

This is a favorite PowerShell script:

# Requires an Exchange Online remote PowerShell session; that is where Search-UnifiedAuditLog lives.
param (
    [Parameter(Mandatory=$true, HelpMessage='Source IP, e.g. 41.12.34.56 (comma-separate several)')]
    [string[]]$ip,
    [Parameter(Mandatory=$true, HelpMessage='Days back as a negative number, e.g. -10')]
    [int]$days
)

if ($days -gt 0) { $days = -$days }   # accept 10 as well as -10

Write-Output "IP address: $($ip -join ',')"
Write-Output "Days back:  $days"

# The cmdlet returns only 100 records unless told otherwise; 5000 is the maximum per call.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays($days) -EndDate (Get-Date) `
    -IPAddresses $ip -ResultSize 5000 | Out-GridView
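A fuller version of the same search, added here as an example and not part of the original post: it pages through the unified audit log for a window of days (the cmdlet hands back only 100 records per call unless paged), expands the AuditData JSON that every record carries, and summarises activity by user, operation and client IP, listing inbox-rule and forwarding changes on their own. It assumes an Exchange Online PowerShell session is already open so Search-UnifiedAuditLog is available; the parameter names and the output file name are this example's own choices.

```powershell
# Added example, not from the original post. Pulls a window of the unified
# audit log with paging, expands the AuditData JSON each record carries and
# summarises by user / operation / client IP. Assumes an Exchange Online
# PowerShell session is already open (Search-UnifiedAuditLog available).
param (
    [Parameter(Mandatory=$true)][int]$DaysBack,   # e.g. 10
    [string]$UserIds,                             # optional UPN(s) to narrow the search
    [string]$OutCsv = 'ual-export.csv'            # example's own choice of output file
)

$start     = (Get-Date).AddDays(-[math]::Abs($DaysBack))
$end       = Get-Date
$sessionId = 'invest-' + [guid]::NewGuid().ToString()

# ReturnLargeSet pages one session 5000 records at a time (50,000 per session
# at most; split the date window if you need more). Keep calling with the same
# SessionId until a call comes back empty.
$records = @()
do {
    $query = @{
        StartDate      = $start
        EndDate        = $end
        SessionId      = $sessionId
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    if ($UserIds) { $query['UserIds'] = $UserIds }
    $page = @(Search-UnifiedAuditLog @query)
    $records += $page
} while ($page.Count -gt 0)

# AuditData is a JSON string. The common schema carries UserId, Workload,
# Operation and ClientIP; Exchange cmdlet records add a Parameters list,
# everything else an ObjectId.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $detail = if ($d.Parameters) {
        ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    } else { $d.ObjectId }
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $d.UserId
        Workload  = $d.Workload
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Detail    = $detail
    }
}

$events | Export-Csv -NoTypeInformation -Path $OutCsv

"Top (user, operation, source IP) combinations:"
$events | Group-Object User, Operation, ClientIP | Sort-Object Count -Descending |
    Select-Object -First 25 Count, Name | Format-Table -AutoSize

# Inbox rules and mailbox forwarding are the usual follow-on to a compromised
# account; these are the operation names the unified log uses for them.
$ruleOps = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
"Inbox rule / forwarding changes:"
$events | Where-Object { $ruleOps -contains $_.Operation } |
    Sort-Object Time | Format-Table Time, User, ClientIP, Operation, Detail -Wrap
```

Run it as `.\ual-search.ps1 -DaysBack 10` from the Exchange Online session; add `-UserIds someone@example.com` to narrow it to one mailbox. The CSV keeps the raw window for later filtering, and the rule/forwarding table is the first thing worth reading when the source IP in the summary is one you do not recognise.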



Security & Compliance Center (Search & investigation)

The audit log search here can go back 90 days

OneDrive
Shows details of copy, delete and modify operations, but not file contents

Email
Web changes such as creating a new inbox rule are shown

Friday, January 6, 2017

How to batch look up host names to IP addresses

If you use this method, it requires Cygwin because Windows doesn't have a host command; otherwise REM out the line with host and un-REM the line with ping.

Have a text file with the host names, one per line. Save the batch file below as hosttoip.bat and run it like this:

hosttoip.bat hoststolookup.txt hostoutput.txt


@echo off
setlocal

if "%~1"=="" echo Usage: %~nx0 serverList [outfile]&goto :EOF
if not exist "%~1" echo %~1 does not exist&goto :EOF

set outFile=%~2
if "%~2"=="" set outFile=outfile.txt
if exist "%outFile%" del "%outFile%"

REM tokens=* keeps the whole line; blank lines are skipped by for /f
for /f "usebackq tokens=*" %%a in ("%~1") do call :PROCESS "%%a"

echo Results in %outFile%
goto :EOF

:PROCESS
set ipAddr=Not found

REM Cygwin host prints "name has address 1.2.3.4", so the address is the 4th token.
REM Matching "has address" also skips the "has IPv6 address" lines.
REM The pipe must be escaped as ^| inside a for /f command.
for /f "tokens=4 delims= " %%r in ('host %~1 ^| find /i "has address"') do set ipAddr=%%r

REM Without Cygwin, REM the line above and un-REM this one. ping prints
REM "Pinging name [1.2.3.4] with 32 bytes of data:", so split on [ ] and take the 3rd token.
REM for /f "tokens=3 delims=[] " %%r in ('ping -n 1 -4 %~1 ^| find /i "Pinging"') do set ipAddr=%%r

echo %~1 %ipAddr%>>"%outFile%"

Monday, March 24, 2014

Positively remove the AVG Search page in Firefox after removing AVG

OK AVG, enough is enough, you are garbage and dead to me. I have spent hours finding your crappy software littered around my computer.

Issue: I installed PowerISO and those idiots installed the AVG search toolbar on my machine. Uninstalled it with Malwarebytes, but continued to have an issue where a Firefox new tab would give me the blasted AVG search screen, powered by Yahoo. I Googled and Googled; others have had the same issue. OK, cannot believe nobody had the solution.

I kept getting about five avg.install*, avg.tab*, blah blah entries installed into my Firefox prefs.js file after I deleted them. Where is this coming from? Found the issue: a browser component in Firefox.

I have Firefox installed on a Windows 7 64-bit machine; regardless, find the Firefox components directory. Look in there for a file named avg*.js

C:\Program Files (x86)\Mozilla Firefox\browser\components\

bastard file: avgMozXPCOM.js

AVG, you suck and can only get money from pairing up with greedy software people who bundle your crap behind the scenes to install on people's systems. I shall never use your product, will advise everyone I know not to use AVG, and if I see it installed on any machine, will remove your product with prejudice.
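To make the clean-up above repeatable, here is a script added as an example (it is not from the original post): it lists any avg*.js under the Firefox components directory and any user_pref("avg.…") lines in each profile's prefs.js, and with -Remove deletes the component and strips those prefs, keeping a backup. The install and profile paths are the standard Windows locations; the "avg" name pattern is the only thing taken from the post, and the parameter name is this example's own.

```powershell
# Added example, not from the original post: find and optionally remove the
# AVG leftovers described above. Try -Remove -WhatIf first; deleting the
# component needs Firefox closed and usually an elevated prompt.
[CmdletBinding(SupportsShouldProcess=$true)]
param ([switch]$Remove)

$componentDirs = @(
    "${env:ProgramFiles(x86)}\Mozilla Firefox\browser\components",
    "$env:ProgramFiles\Mozilla Firefox\browser\components"
) | Where-Object { Test-Path $_ }

# 1. The component that keeps re-adding the prefs: any avg*.js under browser\components
$strayFiles = @(foreach ($dir in $componentDirs) {
    Get-ChildItem -Path $dir -Filter 'avg*.js' -File -ErrorAction SilentlyContinue
})

# 2. The prefs it wrote, in every profile's prefs.js
$avgPref    = '^user_pref\("avg\.'
$prefFiles  = @(Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue)
$strayPrefs = @(foreach ($pf in $prefFiles) {
    Select-String -Path $pf.FullName -Pattern $avgPref | Select-Object Path, LineNumber, Line
})

"Component files ({0}):" -f $strayFiles.Count
$strayFiles | ForEach-Object { "  $($_.FullName)" }
"prefs.js entries ({0}):" -f $strayPrefs.Count
$strayPrefs | ForEach-Object { "  $($_.Path):$($_.LineNumber)  $($_.Line)" }

if ($Remove) {
    # Component first; -WhatIf on the script flows through to Remove-Item.
    $strayFiles | Remove-Item -Force
    # Then strip the avg.* lines from each affected prefs.js, keeping a backup.
    foreach ($pf in $prefFiles) {
        if (-not ($strayPrefs | Where-Object { $_.Path -eq $pf.FullName })) { continue }
        if ($PSCmdlet.ShouldProcess($pf.FullName, 'remove avg.* user_pref lines')) {
            Copy-Item $pf.FullName "$($pf.FullName).bak" -Force
            $kept = Get-Content $pf.FullName -Encoding UTF8 | Where-Object { $_ -notmatch $avgPref }
            # WriteAllLines writes UTF-8 without a BOM, the same way Firefox writes prefs.js
            [System.IO.File]::WriteAllLines($pf.FullName, [string[]]$kept)
        }
    }
}
```

Run it once with no switches to see what is there, then `-Remove -WhatIf` to preview, then `-Remove` with Firefox closed. Deleting the prefs without the component is what the post describes as futile: the component just writes them back.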

Thursday, August 22, 2013

When you have consistent problems, maybe what you are doing needs to change

Have any of these "Security Products" truly improved the security posture of the World?

AntiVirus
Data Loss Prevention
AntiMalware
Encryption
IDS/IPS
SIEM

Spam, phishing, malware, identity theft, bank accounts being drained, corporate secrets being revealed continue at an alarming rate; just review the statistics SC Magazine publishes on a monthly basis. So if we continue with more point solutions, I will take the Vegas odds that security issues will pretty much remain the same 5 years from now. The science of Information Security needs to change; don't try to fix a sore throat by removing the throat. More focus should be placed on behavior modification techniques because technology will always be compromised due to humanity.

This rant is not finished, I will follow up shortly.

Unusual Network Traffic

I was using Process Hacker and noticed lots of connections in waiting status to low-numbered IP addresses, which seemed unusual because no network apps that I was aware of were running. I started investigating who these IP addresses are and found others have asked the same question without any good answers. So I broke out my tools and figured out exactly what is happening. Kaspersky makes frequent calls to these dnl sites to update AV, KSN etc. Someone questioned what was being sent because it's an SSL connection, so I broke the tunnel and captured exactly what it was requesting. I didn't monitor it for hours on end, but for the time I have watched, it is only performing a GET for updates and diffs. See my screen shot.

Seems like Kaspersky has a bunch of download servers. If you notice, the DNS name resolves twice to the same IP, I suspect it's a load balancing method or fail over method. The IP addresses do not reverse to the host name, I discovered these names when looking inside the encrypted tunnel.
 
host name :  dnl-00.geo.kaspersky.com
address   :  4.28.136.36

host name :  dnl-01.geo.kaspersky.com
address   :  4.28.136.36

host name :  dnl-02.geo.kaspersky.com
address   :  4.28.136.39

host name :  dnl-03.geo.kaspersky.com
address   :  4.28.136.39

host name :  dnl-04.geo.kaspersky.com
address   :  4.28.136.42

host name :  dnl-05.geo.kaspersky.com
address   :  4.28.136.42

host name :  dnl-06.geo.kaspersky.com
address   :  38.124.168.116

host name :  dnl-07.geo.kaspersky.com
address   :  38.124.168.119

host name :  dnl-08.geo.kaspersky.com
address   :  38.124.168.125

host name :  dnl-09.geo.kaspersky.com
address   :  38.117.98.196

host name :  dnl-10.geo.kaspersky.com
address   :  38.117.98.199

host name :  dnl-11.geo.kaspersky.com
address   :  38.117.98.202

host name :  dnl-12.geo.kaspersky.com
address   :  38.117.98.253

host name :  dnl-13.geo.kaspersky.com
address   :  38.124.168.119

host name :  dnl-14.geo.kaspersky.com
address   :  4.28.136.39

host name :  dnl-15.geo.kaspersky.com
address   :  38.124.168.116

host name :  dnl-16.geo.kaspersky.com
address   :  38.117.98.196

host name :  dnl-17.geo.kaspersky.com
address   :  38.117.98.202

host name :  dnl-18.geo.kaspersky.com
address   :  38.117.98.199

host name :  dnl20.geo2.kaspersky.com
alias name:  dnl-19.geo.kaspersky.com
address   :  4.28.136.42

Sincerely,

The Cheapbyte
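The batch-file post above resolves a list of names to addresses, and the list just above shows the other half of the picture: several names landing on one address, and addresses whose reverse records do not point back to the name. The script below, added as an example and not from either post, does both in one pass: it forward-resolves every name in a text file, reverse-resolves each address, records whether the PTR name is in the same domain as the name you started from, and groups names that share an address. It uses the .NET Dns class, so no Cygwin host command is needed; it needs PowerShell 3 or later, and the file names are this example's own choices.

```powershell
# Added example, not from the original posts. Forward lookup for a list of
# names, PTR lookup for each address, same-domain check, and a group-by-IP
# view of names that share an address. Needs PowerShell 3+ and network access.
param (
    [Parameter(Mandatory=$true)][string]$InFile,   # one host name per line
    [string]$OutFile = 'hostoutput.csv'            # example's own choice of output file
)

function Get-DomainTail([string]$fqdn) {
    # Last two labels ("dnl-00.geo.kaspersky.com" -> "kaspersky.com"): a rough
    # but serviceable notion of "same domain" for a consistency check.
    $labels = $fqdn.TrimEnd('.') -split '\.'
    if ($labels.Count -lt 2) { return $fqdn }
    return ($labels[-2..-1] -join '.')
}

function Resolve-Forward([string]$name) {
    try {
        [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |   # IPv4 only, like the batch file
            ForEach-Object { $_.IPAddressToString }
    } catch { @() }
}

function Resolve-Reverse([string]$ip) {
    # GetHostEntry on an address does the PTR lookup. No PTR either throws or
    # hands the address string back unchanged; treat both as "none".
    try {
        $h = [System.Net.Dns]::GetHostEntry($ip).HostName
        if ($h -eq $ip) { $null } else { $h }
    } catch { $null }
}

$rows = foreach ($raw in Get-Content $InFile) {
    $name = $raw.Trim()
    if (-not $name) { continue }
    $addrs = @(Resolve-Forward $name)
    if ($addrs.Count -eq 0) {
        [pscustomobject]@{ Host = $name; IP = 'Not found'; PTR = ''; PtrSameDomain = '' }
        continue
    }
    foreach ($ip in $addrs) {
        $ptr = Resolve-Reverse $ip
        [pscustomobject]@{
            Host          = $name
            IP            = $ip
            PTR           = $ptr
            PtrSameDomain = [bool]($ptr -and ((Get-DomainTail $ptr) -eq (Get-DomainTail $name)))
        }
    }
}

$rows | Export-Csv -NoTypeInformation -Path $OutFile
$rows | Format-Table -AutoSize

# Names that share an address, the way the dnl-NN pairs above do
"Addresses with more than one name:"
$rows | Where-Object { $_.IP -ne 'Not found' } | Group-Object IP |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Host } | Sort-Object -Unique) -join ', '
        "  {0}  <-  {1}" -f $_.Name, $names
    }
```

Run it as `.\hosttoip.ps1 hoststolookup.txt` and read the PtrSameDomain column: False with a non-empty PTR means the address belongs to someone else's infrastructure (a CDN or hosting provider fronting the name), an empty PTR means nobody published a reverse record at all. Neither is proof of anything by itself, but it is the question the post above answers by decrypting the traffic rather than by DNS.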

Wednesday, April 20, 2011

National federated login; Connect with Facebook, login using Gmail; Vulnerability?


I keep running into web sites with buttons for login or connect with Facebook, Gmail, Amazon etc. This offering really has me worried about how easy it would be to scrape a userID and password for just about any popular site. It would be trivial for a web designer to use the connect with Facebook button, collect your userID/password, then submit it using the developer API. So before you trust a new federated identity method that Facebook wants everyone to use, consider the website you are entrusting your credentials with. How about you stop by my website and login using Facebook; when that fails, I'll ask you to try your Gmail, then Amazon account information, and while you are at it, you might as well give me your SSN and PIN. Think about what and who you are entrusting credentials with.