@SwiftOnSecurity's Threads
Have a vendor executable with unknown command-line options? Don’t want to reverse-engineer? Brute force in Windows shell!
:: Extract strings from program
strings.exe program.exe >> strings.txt
:: Run each string as program argument
for /f %a IN (strings.txt) DO “program.exe” %a
:: Extract strings from program
strings.exe program.exe >> strings.txt
:: Run each string as program argument
for /f %a IN (strings.txt) DO “program.exe” %a
Shout-out to Microsoft who definitely doesn’t have hidden undocumented functionality that I have to do this to find.
Among the undocumented flags in Windows Defender MpCmdRun.exe:
-BuildSfc
-ServiceHardening
-SampleHeaderService
-WriteLogsForSvc
-WDEnable
-ReloadEngine
-BuildSfc
-ServiceHardening
-SampleHeaderService
-WriteLogsForSvc
-WDEnable
-ReloadEngine
What you think: “This is a huge software company, anything inexplicable I encounter must be a product decision.”
Reality when talking to product engineer: “Hm nobody’s ever mentioned that before, it’s definitely a bug.”
Reality when talking to product engineer: “Hm nobody’s ever mentioned that before, it’s definitely a bug.”
As someone who started their career in Operations, and now SecOps, it’s definitely interesting to encounter product engineers who want feedback. Like, just basic things that are broken, but they’ll definitely never encounter it in any test environment they have.
It’s also interesting when they talk about the edge cases they have to balance for. Like, this product also has to work on oil derricks over a satellite connection. “We have a customer who’s 15x bigger than you are and we can’t saturate the links.”
Mailing system vendor Pitney Bowes impacted by ransomware on servers that add money to their postage meters (ink stamp envelope printers). Customers are unable to recharge their accounts on the devices. USPS will not be happy.
Fun fact: Postage meters are one of the few devices in the United States effectively able to print US currency. Un-mailed envelopes with valid stamping can be exchanged for cash.
Oh wow this is global
ʸᵒᵘ ᶜᵃⁿ ˢᵗⁱˡˡ ᵘᵖᵈᵃᵗᵉ ᵂⁱⁿ⁷ ᵃⁿᵈ ᵂⁱⁿ⁸ ᵗᵒ ᵂⁱⁿ¹⁰ ᶠᵒʳ ᶠʳᵉᵉ
𝗆𝗂𝖼𝗋𝗈𝗌𝗈𝖿𝗍 𝗍𝗈𝗈𝗄 𝖺𝗇 𝖾𝖺𝗋𝗇𝗂𝗇𝗀𝗌 𝗐𝗋𝗂𝗍𝖾-𝖽𝗈𝗐𝗇 𝗈𝗇 𝗍𝗁𝖾𝗂𝗋 𝗍𝖺𝗑𝖾𝗌 𝗍𝗈 𝗋𝖾𝗉𝗋𝖾𝗌𝖾𝗇𝗍 𝗍𝗁𝖾 𝗏𝖺𝗅𝗎𝖾 𝗈𝖿 𝗀𝗂𝗏𝗂𝗇𝗀 𝖶𝗂𝗇𝟣𝟢 𝖺𝗐𝖺𝗒 𝖿𝗈𝗋 𝖿𝗋𝖾𝖾 𝗍𝗈 𝖾𝗏𝖾𝗋𝗒 𝗎𝗌𝖾𝗋
You ever meet an adult who treats time like they're a teenager?
"$22 for this game? It's only 5 hours."
That's four bucks/hr that's cheaper than skittles at a theater. You paid $1200 for your desktop, enjoy contained anime story arcs, but give developers shit about having a plan?
"$22 for this game? It's only 5 hours."
That's four bucks/hr that's cheaper than skittles at a theater. You paid $1200 for your desktop, enjoy contained anime story arcs, but give developers shit about having a plan?
Games should be shorter and cost more.
This is bait. I post stuff like this because I’m sad and alone.
We have a lot riding on 1909 being a quality release to baseline the entire environment on. I hope Microsoft is focusing on refinement as an absolute priority above all else. We can’t keep doing this firefighting piecemeal stuff with Win10 updates.
If there is an environment blocker with a driver or setting, Microsoft needs to step in to remediate it. There shouldn’t be a unique tool to analyze logs and decode errors. The PC ecosystem can’t suffer a hands-off approach. Many IT admins don’t have the skills being asked.
Perhaps it’s the nature of software developers, but the hands-off approach Microsoft products take to failure is hurting users. If an update fails twice, start a repair. If a component doesn’t load, reinitialize it’s state to default. We are making humans do robot jobs.
It endlessly frustrates me how White Collar crime is treated like some genius tier thing instead of robbing a model home community with no police in it.
Motherfucker I can use Excel too.
Motherfucker I can use Excel too.
“Oh look at me I sold fake assets hurr durr”
Try selling crack and not delivering.
We have this crime shit all backwards.
Try selling crack and not delivering.
We have this crime shit all backwards.
Jacob Wohl committed financial crimes.
Does Jacob Wohl seem like a top-tier criminal talent to you.
Or, really, capable of any talent?
Does Jacob Wohl seem like a top-tier criminal talent to you.
Or, really, capable of any talent?
There are a few styles of Twitter thread, but having an arc is important. Just because Twitter has individual post limitations doesn’t mean you don’t need to create a story. Humans are narrative creatures.
Twitter’s feature isn’t text limitation, it’s beat enforcement. You need to have a beat go through your tweets. Each one tells its own self-contained part of the story and is understandable in isolation.
Note how each tweet in this thread is actually it own story by itself.
Lenovo just released a BIOS update for the P1 where I’m getting substantially better performance in HyperV.
Update your drivers and firmware it matters.
Update your drivers and firmware it matters.
This is also why I recommend business-class refurbs for home purchase. This machine is end of sale but they’re going to keep supporting it. You don’t need a support contract to benefit from the updates. They have to answer to business customers like us.
Large customers can just email product engineers to get shit fixed you never go through customer service ever. Which is why even insignificant things show up in change logs. Someone with power complained. The updates are free.
And remember, auto-negotiation is NOT a cable health check. It could just BARELY support the momentary 100Mbps or 1GbE signaling.
en.wikipedia.org/wiki/Autonegot…
en.wikipedia.org/wiki/Autonegot…
Remember, young professionals: You are entering a world where tech can be rotten by time. This stuff isn’t new anymore. It used to be they’d have to rip up office tech every few years, but now we’ve got cable coming up on 20 years old, sometimes running faster than ever. Example:
A lot of offices have/had VoIP phones. Until recently the ones that ran gigabit were $600+. So everyone was running 100Mbps.
But then IT comes in and replaces the phones and the switches. Now you’re running at 1GbE to the desktop over cable that was NEVER intended for that.
But then IT comes in and replaces the phones and the switches. Now you’re running at 1GbE to the desktop over cable that was NEVER intended for that.
HELL YEAH ZUMWALT
$7 billion per ship and we ordered three ahahahahahaha
THATS 7.5 BILLION DOLLARS
Currently rolling out an extremely... nuanced deployment to thousands of machines in a phase 2. The vendor solution had gaps in its efficacy so I had to build an entire installation audit and remediation layer, with event delivery to Splunk. Finally seeing it at big scale today.
Sometimes you just need months of development and testing across a thousand production systems to make things work smoothly. Absolutely zero of what I discovered would ever surface in a sub-prod environment. And it’s all possible due to event collection.
And here’s the thing: Splunk is just the dashboard for handing this off to Ops. I did pretty much all monitoring/testing with Windows Event Collection on a VM. I opened Event Viewer and wrote XPath queries. And it’s all free. This stuff is built-in to Windows and Group Policy.
Broke: Hacking people to scare them to make news
Woke: Hacking people to encourage good habits to make news
Woke: Hacking people to encourage good habits to make news
You know those hackers that don’t need Bitcoin are the hardest mf out there
Bitcoin was designed by a group of NSA cryptographers hired away from academia and suddenly bored out of their minds anyway
As I’ve frequently had to tell people: I have engineering contacts at Twitter.
Nobody has account support contacts at Twitter. You can DM Jack he doesn’t know either. It’s like a whole other company.
Nobody has account support contacts at Twitter. You can DM Jack he doesn’t know either. It’s like a whole other company.
I’m definitely not re-upping my Twitter Premium subscription next year.
Gonna go back to being one of the proles like you all. Gonna stand in line for my algorithmic timeline scoring where everything I tweet shows up on the 3rd page.
Fun fact:
Corporate network teams are sometimes told to block all network connectivity to Windows Update, so Microsoft purposely doesn’t document the URLs Defender tries to update from after 14 days of failing from normal sources.
Sometimes you have to fight your own customers.
Corporate network teams are sometimes told to block all network connectivity to Windows Update, so Microsoft purposely doesn’t document the URLs Defender tries to update from after 14 days of failing from normal sources.
Sometimes you have to fight your own customers.
Sadly not completely unjustified after the absolutely bonkers madness Microsoft pulled in the DualScan fiasco. Win10 would download gig updates in a completely undocumented way, that they tried to blame on customers not appreciating them enough. Literally brought down our network
IT has natural disasters and they’re named after Microsoft internal feature code names.
Apparently new #DFIR information I just discovered:
Running Defender’s “MpCmdRun.exe -GetFiles” will put MpSupportFiles.cab in the Support directory, which contains Cache_filename_dump-xxxx.bin.
This holds a list of 35,000+ entries of recently-seen PE files on the disk. 👀
Running Defender’s “MpCmdRun.exe -GetFiles” will put MpSupportFiles.cab in the Support directory, which contains Cache_filename_dump-xxxx.bin.
This holds a list of 35,000+ entries of recently-seen PE files on the disk. 👀
Oh, it’s not just PE files, it includes MOF and MSI and INF and binary and other file types too. Its some kind of performance cache for Defender. Unclear the exact reasons it logs something in here.
!!!!! It includes the USN integer for timeline analysis as well. Quite a treat 👀
!!!!! It includes the USN integer for timeline analysis as well. Quite a treat 👀
Note: If -GetFiles doesn’t work for you it may be an older platform version. Find the latest MpCmdRun.exe in C:\ProgramData\Microsoft\Windows Defender\Platform\
NEW: Excel adds Group Policy to block untrusted Microsoft Query files (.iqy, .oqy, .dqy, .rqy) from opening. These files bypass many security controls to allow infection. Policy requires Office365 license.
Security threat: blog.trendmicro.com/trendlabs-secu…
ADMX: microsoft.com/en-us/download…
Security threat: blog.trendmicro.com/trendlabs-secu…
ADMX: microsoft.com/en-us/download…
There’s a second and third policy that also blocks SLK/DBF files in untrusted locations.
As far as I can tell I’m the only person in the world who noticed, Microsoft has no mention of this in their Excel change logs. Unknown when/if this feature was added or if it even works.
As far as I can tell I’m the only person in the world who noticed, Microsoft has no mention of this in their Excel change logs. Unknown when/if this feature was added or if it even works.
I look forward to Microsoft’s detailed documentation in a forthcoming blog post along with a running change log of ADMX modifications.
I don’t want to hear any more about “breaking-up Facebook” until we deal with the 👏trilateral👏canned👏tuna👏price👏fixing👏cartel👏 cbsnews.com/news/starkist-…
Progressives need to keep their eyes on the prize.
Okay y’all wanna know about tuna? Strap in because we’re going on a ride into the biggest subversion of the free market since Mao.
My previous employer had a piece of software that would uninstall Arial if you removed it.
After reboot, all your computer’s interface would be in Arial Italic since it couldn’t find the main Arial file.
All your menus and windows. Nobody knew why this happened until I was hired.
After reboot, all your computer’s interface would be in Arial Italic since it couldn’t find the main Arial file.
All your menus and windows. Nobody knew why this happened until I was hired.
What had happened was a software developer took over the project from another, but didn’t know how to package the software. So they used a Repackager that looked at all the files the software used, and put them in an EXE. This of course included the fonts. The Windows fonts.
So, since the installer included Arial when you installed it, when you UNinstalled it, it removed the Arial font.
Which was the primary font for everything in WinXP.
Users just got used to computers where everything was in Arial Italic.
This is way too stupid for me to make up.
Which was the primary font for everything in WinXP.
Users just got used to computers where everything was in Arial Italic.
This is way too stupid for me to make up.
The secret to using BitCoin is convincing yourself the libertarians were going to melt that iceberg anyway.
Oh no the commies are moving in to flank them
This is a weird Twitter account
Watching a change roll-out across an organization eliminating irrelevant security exclusions is hugely rewarding. Normally these build-up over decades and nobody has the expertise or will to rock the boat to clean them out. Makes hiding by attackers in the noise so much easier.
Now there is a short, evidence-based exclusions list, and we don’t take preemptive requests. Modern security solutions are vastly more adaptive, and vendors only care about reducing support calls from people running Symantec 2003. They can’t be trusted to weigh your risks.
If you see a security exclusion on a server, does your entire team know if it’s legitimate? Do they know why it’s there?
If they saw an attacker change something, would they even notice? Or would it be hidden in the inexplicable cruft of your legacy debt?
If they saw an attacker change something, would they even notice? Or would it be hidden in the inexplicable cruft of your legacy debt?
Meta:
Something I like to tell myself is that a lot of people only get to see the end result of creative processes, where as with my account, I’m pretty shameless in posting half-baked ideas, deleting, and obnoxiously iterating them.
I know this drives a lot of people away, too.
Something I like to tell myself is that a lot of people only get to see the end result of creative processes, where as with my account, I’m pretty shameless in posting half-baked ideas, deleting, and obnoxiously iterating them.
I know this drives a lot of people away, too.
My account has a very large detach rate. I get tons of followers, just unbelievable inflow. But I also have a huge amount of unfollows every time I post. I’ve had easily 800k+ cycle through since 2014 but I’ve only retained 290k. It’s counter-intuitive but that might be success?
By the end of each day, I have my feed culled down to only the most compelling tweets and information. I delete 60%+ of what I post. A significant number of people who read this will have no idea what I’m talking about as they are not active consumers of Twitter.
After threats, Mozilla promises not to protect UK users from spying. gizmodo.co.uk/2019/09/mozill…
Periodic reminder that Britain is a personal rights backwater whose technology policy is run by tabloid newspapers
Note how UK-based publications consider online censorship as "safety" and that privacy is not part of "safety."
Recently learned: Investigators in this area have moved away from “child p*rn” to “child sexual abuse material” (CSAM) to better reflect the severity and not trivialize it. From a friend who works at an Internet firm that deals at global scale with these issues.
The CSAM terminology doesn’t trigger various content filters in messaging and the web for collaboration with partners, and it’s less ambiguous than CP which has way too many name collisions.
I just heard from a contact at another global Internet firm that they use the term CEI, Child Exploitation Imagery.
