#PLEASE let it Be known I referenced my take on Polaris for this
eggs-can-draw · 2 years ago
Note
Imagine a 7-year-old Shuichi going up to the (huge) attic one Saturday early afternoon because he was bored and he’s just going through a bunch of boxes and he knocks one over and hears glass break, and rushes over cause he’s nervous he broke something, and he picks up a picture and it’s a picture of a blonde lady with light pink eyes holding a toddler with the same blonde hair and light blue eyes. Something feels familiar..
After a second of staring he hears footsteps from the entrance. “Shuichi?” There’s a hint of worry in their voice, and a minute after he sees one of his fathers turn the corner. “Petite fleur? What are you doing?! Here, here, put down the frame and just go stand a bit further..” He turns and grabs a small dustpan near the entrance and starts sweeping up the glass. “Papa, I’m really sorry, I didn’t mean for it to break.” He knows his dad would never be upset with him over an accident, but he’s nervous he broke something important. “It’s okay..” he says, and he puts the dustpan to the side and turns over the photo that had been face down. “What were you looking a-“ His voice suddenly stops and Shuichi steps closer to see what’s wrong. “Papa..?” As he gets closer he sees his dad tearing up at the picture that he is kneeling over and looking at. “Are you okay..?” As if suddenly remembering his son is there, he answers while wiping his eyes, “Don’t worry, petite fleur..I..I’m alright.”
“Who’s the lady in the picture?” The other would be silent for a moment before shifting his body so his back was leaning against a box, and patting the empty spot on the floor next to him, inviting the young child to sit with him, which he slowly does.
“The lady in this photo is my mother, and the little boy she’s holding is me..” This sparked his son’s interest; Papa has never really mentioned his parents, or anything really from the time before Hope’s Peak.
“So she’s my grandma?” “That she is.” “You’re just a baby in the picture, Papa!” Papa in question chuckled lightly. “Yes I am, and you know I looked a lot like you when you were a baby.” He ruffled his son’s hair lightly, which got the young boy to giggle.
A comfortable silence fell between them before the smaller of the two voices spoke up. “Was she nice..?” The elder thought for a moment before responding, “She was. Even when she was dealing with..hard situations or….fighting monsters, she would always make sure I knew how much she cared for me. She protected me and showed me things, the little things that made life brighter..better..”
“Do you..do you think she would have liked me..?”
“She would have loved you..”
.
.
.
.
“Can you tell me more about her?”
He paused before he ran a hand through his son’s hair and said,
“…of course”
A few hours later two pairs of footsteps made their way to the attic. They had been looking for their husband and son for an hour now in their big house, and eventually landed on the floor of the attic after seeing the entrance open.
They stand in the entrance looking in at their husband and son fast asleep, their son’s head leaned against the side of his father’s arm, their husband’s lap holding his hands and a small stack of photos and a small piece of paper.
“I wonder what they were talking about..hey Koto..go grab the camera quick please, I have a feeling we’ll all want a picture of this, it seems like a..peaceful moment”
hahahahahahahaa very normal about this
Sososososo normal about this
21 notes · View notes
jennifersnyderca90 · 8 years ago
Text
Tracing Spam: Diet Pills from Beltway Bandits
Reading junk spam messages isn’t exactly my idea of a good time, but sometimes fun can be had when you take a moment to check who really sent the email. Here’s the simple story of how a recent spam email advertising celebrity “diet pills” was traced back to a Washington, D.C.-area defense contractor that builds tactical communications systems for the U.S. military and intelligence communities.
Your average spam email can contain a great deal of information about the systems used to blast junk email. If you’re lucky, it may even offer insight into the organization that owns the networked resources (computers, mobile devices) which have been hacked for use in sending or relaying junk messages.
Earlier this month, anti-spam activist and expert Ron Guilmette found himself poring over the “headers” for a spam message that set off a curious alert. “Headers” are the usually unseen addressing and routing details that accompany each message. They’re generally unseen because they’re hidden unless you know how and where to look for them.
Let’s take the headers from this particular email — from April 12, 2017 — as an example. To the uninitiated, email headers may seem like an overwhelming dump of information. But there really are only a few things we’re interested in here (Guilmette’s actual email address has been modified to “ronsdomain.example.com” in the otherwise unaltered spam message headers below):
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])
        by subdomain.ronsdomain.example.com (Postfix) with ESMTP id 5FE083AE87
        for <[email protected]>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=gtacs.com; s=default;
        h=MIME-Version:Content-Type:Date:Message-ID:Subject:To:From:
        Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
        Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
        In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
        List-Post:List-Owner:List-Archive;
Received: from [186.226.237.238] (port=41986 helo=[127.0.0.1])
        by host.psttsxserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
        (Exim 4.87)
        (envelope-from <[email protected]>)
        id 1cyP1J-0004K8-OR
        for [email protected]; Wed, 12 Apr 2017 16:37:42 -0400
From: [email protected]
To: [email protected]
Subject: Discover The Secret How Movies & Pop Stars Are Still In Shape
Message-ID: <[email protected]>
X-Priority: 3
Importance: Normal
Date: Wed, 12 Apr 2017 22:37:39 +0200
X-Original-Content-Type: multipart/alternative; boundary="--InfrawareEmailBoundaryDepth1_FD5E8CC5--"
MIME-Version: 1.0
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.psttsxserver.com
X-AntiAbuse: Original Domain - ronsdomain.example.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - gtacs.com
X-Get-Message-Sender-Via: host.psttsxserver.com: authenticated_id: [email protected]
X-Authenticated-Sender: host.psttsxserver.com: [email protected]
Celebrities always have to look good and that’s as hard as you might {… snipped…}
In this case, the return address is [email protected]. The other bit to notice is the Internet address and domain referenced in the fourth line, after “Received,” which reads: “from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])”
Gtacs.com belongs to the Trace Systems GTACS Team Portal, a Web site explaining that GTACS is part of the Trace Systems Team, which contracts to provide “a full range of tactical communications systems, systems engineering, integration, installation and technical support services to the Department of Defense (DoD), Department of Homeland Security (DHS), and Intelligence Community customers.” The company lists some of its customers here.
The home page of Trace Systems.
Both Gtacs.com and tracesystems.com say the companies “provide Cybersecurity and Intelligence expertise in support of national security interests: “GTACS is a contract vehicle that will be used by a variety of customers within the scope of C3T systems, equipment, services and data,” the company’s site says. The “C3T” part is military speak for “Command, Control, Communications, and Tactical.”
Passive domain name system (DNS) records maintained by Farsight Security for the Internet address listed in the spam headers — 72.52.186.80 — show that gtacs.com was at one time on that same Internet address along with many domains and subdomains associated with Trace Systems.
It is true that some of an email’s header information can be forged. For example, spammers and their tools can falsify the email address in the “from:” line of the message, as well as in the “reply-to:” portion of the missive. But neither appears to have been forged in this particular piece of pharmacy spam.
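To make the reading order concrete, here is an added Python example (not from the article) that parses a header block like the one above, walks the Received: lines from the bottom up to recover the delivery path, records which hop was accepted with SMTP authentication, and checks whether Return-Path, From and the DKIM d= domain name the same domain. The sample headers are constructed with placeholder hosts, addresses and documentation-range IPs rather than the real message, and the regular expressions for the Received: clauses are assumptions tuned to the Postfix/Exim wording shown above.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the header dump quoted in the article. Host
# names, addresses and IPs (192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges) are placeholders, not values from the real message.
SAMPLE_HEADERS = """\
Return-Path: <dan@sender.example>
Delivered-To: ron@ronsdomain.example.com
Received: from host.relay.example (rdns.relay.example [192.0.2.80])
        by mx.ronsdomain.example.com (Postfix) with ESMTP id 5FE083AE87
        for <ron@ronsdomain.example.com>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=sender.example; s=default; h=From:To:Subject;
Received: from [198.51.100.7] (port=41986 helo=[127.0.0.1])
        by host.relay.example with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
        (Exim 4.87) (envelope-from <dan@sender.example>) id 1cyP1J-0004K8-OR
        for ron@ronsdomain.example.com; Wed, 12 Apr 2017 16:37:42 -0400
From: dan@sender.example
To: ron@ronsdomain.example.com
Subject: Discover The Secret How Movies & Pop Stars Are Still In Shape
Date: Wed, 12 Apr 2017 22:37:39 +0200
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
X-Authenticated-Sender: host.relay.example: dan@sender.example

"""

# Each MTA prepends its own Received: line, so the top line is the final hop
# and the bottom line the first. These patterns are assumptions tuned to the
# Postfix/Exim clause style above; other MTAs vary the wording.
_FROM_RE = re.compile(r"from\s+(\S+)", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_AUTH_RE = re.compile(r"\bwith\s+esmtps?a\b", re.I)  # Exim: trailing 'a' = SMTP AUTH used


def parse_received(value):
    """Split one Received: value into from/by/ip/auth/time; None where absent."""
    value = " ".join(value.split())              # unfold and collapse whitespace
    clause, sep, stamp = value.rpartition(";")   # the timestamp follows the last ';'
    if not sep:
        clause, stamp = value, ""
    frm, by, ip = _FROM_RE.match(clause), _BY_RE.search(clause), _IP_RE.search(clause)
    return {
        "from": frm.group(1).strip("[]") if frm else None,
        "ip": ip.group(1) if ip else None,       # first bracketed IP, before any helo=
        "by": by.group(1) if by else None,
        "authenticated": bool(_AUTH_RE.search(clause)),
        "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def dkim_domain(msg):
    sig = " ".join(msg.get("DKIM-Signature", "").split())
    m = re.search(r"\bd=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def analyze(raw):
    """Summarise the routing and sender facts a header read is after."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    dkim = dkim_domain(msg)
    return {
        "return_path": return_path,
        "from": from_addr,
        "dkim_domain": dkim,
        "x_mailer": msg.get("X-Mailer"),
        "hops": hops,                                   # delivery order, first hop first
        "origin_ip": hops[0]["ip"] if hops else None,   # where the mail entered the system
        # The relay that accepted a hop with SMTP AUTH is the server whose
        # account was used to submit the message, i.e. the account to disable.
        "submission_relay": next((h["by"] for h in hops if h["authenticated"]), None),
        # Return-Path, From and DKIM d= naming one domain is what a message sent
        # through a genuinely configured (if abused) account looks like.
        "aligned": domain_of(return_path) == domain_of(from_addr) == dkim,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    for hop in result["hops"]:
        print(f"{hop['from']} -> {hop['by']} auth={hop['authenticated']} at {hop['time']}")
    print("origin IP:", result["origin_ip"], "| submitted via:", result["submission_relay"])
    print("aligned:", result["aligned"], "| mailer:", result["x_mailer"])
```

Only the topmost Received: line, the one your own mail server wrote, is guaranteed genuine; every line below it arrived inside the message from the remote relay and could have been fabricated there. That is why the conclusion above stays at "appears not to have been forged": the hop facts line up with each other (an authenticated submission to the relay, a signing domain that matches the envelope and From), which is consistent with a compromised account rather than a spoofed one.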
The Gtacs.com home page.
I forwarded this spam message back to [email protected], the apparent sender. Receiving no response from Dan after several days, I grew concerned that cybercriminals might be rooting around inside the networks of this defense contractor that does communications for the U.S. military. Clumsy and not terribly bright spammers, but intruders to be sure. So I forwarded the spam message to a Linkedin contact at Trace Systems who does incident response contracting work for the company.
My Linkedin source forwarded the inquiry to a “task lead” at Trace who said he’d been informed gtacs.com wasn’t a Trace Systems domain. Seeking more information in the face of many different facts that support a different conclusion, I escalated the inquiry to Matthew Sodano, a vice president and chief information officer at Trace Systems Inc.
“The domain and site in question is hosted and maintained for us by an outside provider,” Sodano said. “We have alerted them to this issue and they are investigating. The account has been disabled.”
Presumably, the company’s “outside provider” was Power Storm Technologies, the company that apparently owns the servers which sent the unauthorized spam from [email protected]. Power Storm did not return messages seeking comment.
According to Guilmette, whoever Dan is or was at Gtacs.com, he got his account compromised by some fairly inept spammers who evidently did not know or didn’t care that they were inside of a U.S. defense contractor which specializes in custom military-grade communications. Instead, the intruders chose to use those systems in a way almost guaranteed to call attention to the compromised account and hacked servers used to forward the junk email.
“Some…contractor who works for a Vienna, Va. based government/military ‘cybersecurity’ contractor company has apparently lost his outbound email credentials (which are probably useful also for remote login) to a spammer who, I believe, based on the available evidence, is most likely located in Romania,” Guilmette wrote in an email to this author.
Guilmette told KrebsOnSecurity that he’s been tracking this particular pill spammer since Sept. 2015. Asked why he’s so certain the same guy is responsible for this and other specific spams, Guilmette shared that the spammer composes his spam messages with the same telltale HTML “signature” in the hyperlink that forms the bulk of the message: An extremely old version of Microsoft Office.
This spammer apparently didn’t mind spamming Web-based discussion lists. For example, he even sent one of his celebrity diet pill scams to a list maintained by the American Registry for Internet Numbers (ARIN), the regional Internet registry for Canada and the United States. ARIN’s list scrubbed the HTML file that the spammer attached to the message. Clicking the included link to view the scrubbed attachment sent to the ARIN list turns up this page. And if you look near the top of that page, you’ll see something that says:
"… xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" …"
“Of course, there are a fair number of regular people who are also still using this ancient MS Office to compose emails, but as far as I can tell, this is the only big-time spammer who is using this at the moment,” Guilmette said. “I’ve got dozens and dozens of spams, all from this same guy, stretching back about 18 months.  They all have the same style and all were composed with “/office/2004/12/”.
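As an added example (not from the article or from Guilmette), the check below shows how a defender could turn that kind of generator fingerprint into a detection rule: it pulls the Office schema version out of the HTML namespace declarations, groups a corpus of message bodies by it, and, because plenty of ordinary users still write mail with old Office builds, only flags a message when the 2004/12 marker coincides with a body that is almost entirely hyperlink text, as in the spam described above. The HTML bodies are constructed stand-ins, and the 0.5 link-text threshold is an assumption to be tuned on real traffic.

```python
import re
from collections import defaultdict

# Constructed HTML bodies standing in for a small spam corpus. The xmlns
# declarations mimic what Word-generated HTML carries in its <html> tag.
CORPUS = {
    "msg-001": '<html xmlns:o="urn:schemas-microsoft-com:office:office" '
               'xmlns:w="urn:schemas-microsoft-com:office:word" '
               'xmlns:m="http://schemas.microsoft.com/office/2004/12/omml">'
               '<body><a href="http://example.invalid/pills">secret</a></body></html>',
    "msg-002": '<html xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" '
               'xmlns:o="urn:schemas-microsoft-com:office:office">'
               '<body>Minutes of the Tuesday meeting are attached for review.</body></html>',
    "msg-003": '<html xmlns:o="urn:schemas-microsoft-com:office:office">'
               '<body>Quarterly update</body></html>',
    "msg-004": '<html><body>plain newsletter, no Office markup</body></html>',
}

_OFFICE_VER_RE = re.compile(r"schemas\.microsoft\.com/office/(\d{4}/\d{2})/")
_A_RE = re.compile(r"<a\b[^>]*>(.*?)</a>", re.I | re.S)
_TAG_RE = re.compile(r"<[^>]+>")


def office_version(html):
    """Return the 'YYYY/MM' Office schema version declared in the markup, or None."""
    m = _OFFICE_VER_RE.search(html)
    return m.group(1) if m else None


def visible_text(html):
    return " ".join(_TAG_RE.sub(" ", html).split())


def link_text_ratio(html):
    """Fraction of the visible text that sits inside <a> elements (0.0 if no text)."""
    total = visible_text(html)
    if not total:
        return 0.0
    linked = " ".join(visible_text(inner) for inner in _A_RE.findall(html))
    return len(linked) / len(total)


def cluster(corpus):
    """Group message ids by the Office schema version their HTML declares."""
    groups = defaultdict(list)
    for msg_id, html in corpus.items():
        groups[office_version(html)].append(msg_id)
    return dict(groups)


def assess(html, campaign_version="2004/12", link_threshold=0.5):
    """Flag a body only when the generator marker and the link-heavy shape coincide."""
    reasons = []
    version = office_version(html)
    if version == campaign_version:
        reasons.append(f"office-{campaign_version}")
    ratio = link_text_ratio(html)
    if ratio >= link_threshold:
        reasons.append("link-dominated")
    return {
        "office_version": version,
        "link_ratio": round(ratio, 2),
        "reasons": reasons,
        "suspect": len(reasons) == 2,   # one indicator alone is not enough
    }


if __name__ == "__main__":
    for version, ids in cluster(CORPUS).items():
        print(f"office {version}: {ids}")
    for msg_id, html in CORPUS.items():
        print(msg_id, assess(html))
```

Clustering on the version string is what lets dozens of messages with different subjects and landing pages be attributed to one sender, while the two-indicator rule in assess() keeps an employee's genuinely old copy of Office from tripping the filter on its own.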
Guilmette claims that the same spammers who’ve been sending that ancient Office spam from defense contractors also have been spamming from compromised “Internet of Things” devices, like a hacked video conferencing system based in China. Guilmette says the spammer has been known to send out malicious links in email that use malicious JavaScript exploits to snarf credentials stored on the compromised machine, and he guesses that [email protected] probably opened one of the booby-trapped JavaScript links.
“When and if he finds any, he uses those stolen credentials to send out yet more spam via the mail server of the ‘legit’ company,” Guilmette said. “And because the spams are now coming out of ‘legit’ mail servers belonging to ‘legit’ companies, they never get blocked, by Spamhaus or by any other blacklists.”
We can only hope that the spammer who pulled this off doesn’t ever realize the probable value of this specific set of login credentials that he has managed to make off with, among many others, Guilmette said.
“If he did realize what he has in his hands, I feel sure that the Russians and/or the Chinese would be more than happy to buy those credentials from him, probably reimbursing him more for those than any amount he could hope to make in years of spamming.”
This isn’t the first time a small email oops may have created a big problem for a Washington-area cybersecurity defense contractor. Last month, Defense Point Security — which provides cyber contracting services to the security operations center for DHS’s Immigration and Customs Enforcement (ICE) division — alerted some 200-300 current and former employees that their W-2 tax information was given away to scammers after an employee fell for a phishing scam that spoofed the boss.
Want to know more about how to find and read email headers? This site has a handy reference showing you how to reveal headers on more than two-dozen different email programs, including Outlook, Yahoo!, Hotmail and Gmail. This primer from HowToGeek.com explains what kinds of information you can find in email headers and what they all mean.
from https://krebsonsecurity.com/2017/04/tracing-spam-diet-pills-from-beltway-bandits/
0 notes
amberdscott2 · 8 years ago
Text
Tracing Spam: Diet Pills from Beltway Bandits
from Amber Scott Technology News https://krebsonsecurity.com/2017/04/tracing-spam-diet-pills-from-beltway-bandits/
0 notes