The Mystery of US sUAS Airspace


If you feel like you are in a thick fog and are struggling to decipher the mysteries of the FAA airspace regulations as they apply to sUAS operations, here is some help.

The following is a simplified poster version of the current FAA airspace chart with some additional operational sUAS flight information and rules (click on the image for full size).

US sUAS Airspace Chart

As for the operational part, here are my top 10 pointers:

1. Don’t fly over people (§ 107.39)
2. Stay below 400’
3. Maintain a visual line of sight to the aircraft (§ 107.31), unless you have a BVLOS waiver
4. Don’t fly after sunset (§ 107.29) unless you have a night waiver
5. Don’t fly in inclement weather
6. Be mindful of privacy and the invasive nature of sUAS-based photography
7. Get permission before flying over public, private, or commercial spaces
8. Obey the “8 hours bottle to throttle” law
9. Consult and study your area sectional chart before flying
10. Always perform a site survey and physical risk assessment before taking to the air

Safe flying!

© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.

Poor Little Bobby Tables


We are in the midst of a security review for one of our platforms and have been discussing input sanitization, so I used the “Little Bobby Tables” cartoon to liven up the text in the SQL Injection chapter. I love this illustration because it is so poignant, but when I read it this time, I realized that it was missing something.

Bobby Tables

The problem is that Mrs. Roberts only tells the school representative about the data sanitation issue. The far bigger problem here is that the school DBA only seems to back up their DB once a year!
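As an added illustration (not part of the original post), here is the Bobby Tables record run through both a string-spliced INSERT and a parameterized one using Python’s sqlite3 module; the Students table and the existing student row are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the student name from the cartoon.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with one pre-existing student row (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    return conn


def insert_unsafe(conn, name):
    """Vulnerable form: the name is spliced into the SQL text, so the quote,
    the ');' and the '--' inside it are parsed as SQL rather than as data."""
    script = "INSERT INTO Students (name) VALUES ('%s');\n" % name
    conn.executescript(script)  # runs every statement the string now contains


def insert_safe(conn, name):
    """Hardened form: the driver binds the value, so it can never become SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def demo():
    """Returns (was the table dropped by the unsafe insert?, names kept by the safe one)."""
    bad = fresh_db()
    insert_unsafe(bad, BOBBY_TABLES)
    good = fresh_db()
    insert_safe(good, BOBBY_TABLES)
    return (not table_exists(bad), student_names(good))


if __name__ == "__main__":
    print(demo())
```

The parameterized insert stores the whole string, punctuation included, as an ordinary name; only the spliced version loses the table.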


Good day to you!

Khoroshiy den' dlya tebya! (Russian for “Good day to you!”)

The other day, I got this cryptic email. It read:


From: Wayne Millbrand <waynem@icon.co.za>
Date: 03/27/2017 2:23 PM (GMT-05:00)
To: ***
Subject: ***

Good day to you!

I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:

First Last Name
Street Address
Town
State (with capitalization error)
Zip Code

Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.

Document was password-protected – 4299

Please explain to me what’s happening.  I hope that all of this is a silly misunderstanding.

Best regards,

Wayne Millbrand

Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish.

I usually delete these emails promptly, but this one had an interesting component: it came with a password-protected MS Word document. This is somewhat unusual, because phishers typically expect you to simply launch the attachment and trigger the payload immediately.

So it appears that the attack strategy was to:

  • Send a threatening email
  • Add some publicly available information about the recipient to make it look genuine
  • Encrypt the document in order to hide the payload from an anti-virus scanner
  • Provide the password in the email to allow the user to open and decrypt the file
  • Activate the payload in the MS Word document and infect the user’s machine

Inside the encrypted Word document, I found the following API declarations, variable names, and this code:

Shell32.dll   ShellExecuteA
Kernel32      GetTempPathA
Kernel32      GetTempFileNameA
URLMon        URLDownloadToFileA

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi(256) As Byte
Dim wdals As Long
Dim dwiqh As Long

API declarations and variables (the Document Open routine and the helper functions were captured in screenshots)

This seems to be a variation on an old theme: as soon as the user opens the file, the routine downloads a file from one of these two sources, the second acting as a backup:

h t t p://adenzia.ch/_vti_cnf/bug.gif
h t t p://kingofstreets.de/class/meq.gif

The macro is quite sophisticated: it can even prompt the user to disable their firewall if the download fails. Both GIFs, despite having a proper header block and some image content bytes, actually carry the encoded malware.

The macro uses a subroutine to extract the executable binary from the downloaded GIF. It writes the binary to a temp file, gives it an “exe” extension, and then launches it through the Shell32 API ShellExecuteA in order to install additional malware. In this case, it was ransomware that encrypted the Documents folder.
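One cheap triage check a defender can run on such downloads, added here as an example and not taken from the post or from the macro: walk the GIF block structure to its trailer byte and report whatever follows it, since a well-formed image ends there. The 1x1 sample GIF and the bytes appended to it are constructed; the check only catches data appended after the trailer, not data hidden inside image blocks.

```python
def _skip_subblocks(buf, i):
    """Advance past GIF data sub-blocks (length byte + data) to the 0 terminator."""
    while True:
        n = buf[i]
        i += 1
        if n == 0:
            return i
        i += n

def gif_trailer_offset(buf):
    """Offset just past the GIF trailer byte (0x3B), or None if not a parsable GIF."""
    if len(buf) < 13 or buf[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    flags = buf[10]                       # logical screen descriptor packed field
    i = 13
    if flags & 0x80:                      # global color table: 3 bytes per entry
        i += 3 * (2 << (flags & 0x07))
    while i < len(buf):
        block = buf[i]
        i += 1
        if block == 0x3B:                 # trailer: the image ends here
            return i
        if block == 0x21:                 # extension: label byte, then sub-blocks
            i = _skip_subblocks(buf, i + 1)
        elif block == 0x2C:               # image descriptor (9 bytes after 0x2C)
            local_flags = buf[i + 8]
            i += 9
            if local_flags & 0x80:        # local color table
                i += 3 * (2 << (local_flags & 0x07))
            i = _skip_subblocks(buf, i + 1)   # +1 skips the LZW minimum code size
        else:
            return None                   # unknown block type
    return None                           # ran out of data before the trailer

def trailing_payload(buf):
    """Bytes after the GIF trailer (b'' for a clean image), or None if unparsable."""
    try:
        end = gif_trailer_offset(buf)
    except IndexError:                    # truncated inside a block
        return None
    return None if end is None else buf[end:]

# Constructed 1x1 GIF89a, and a copy with stand-in bytes appended after the trailer.
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"        # header + screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                       # 2-entry global color table
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"       # image descriptor
    + b"\x02\x02\x44\x01\x00"                           # LZW code size + one sub-block
    + b"\x3b"                                           # trailer
)
POLYGLOT_GIF = CLEAN_GIF + b"MZ" + b"\x90" * 14         # placeholder, not real malware
```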


The installed ransomware in action

Interestingly, the first compromised URL used by the malware was a website belonging to Adenzia.ch, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure Data storage” and:

  • Accounting services
  • Secure financial services
  • Data entry from paper to digital
  • Scanning paper data to digital
  • Archiving data anonymously

The Adenzia.ch website before and after the breach

The Kingofstreets.de website

Another noteworthy strategy is that both the repurposed Swiss Adenzia.ch financial site and the second, German kingofstreets.de gaming site required a login. This gives the attacker an additional layer of cover, since internet security scanners cannot reach the payload simply by following a link to it.

From the variable naming convention and the language of the email itself, it seems that the writer is a non-native English speaker. The metadata from the Word document further supports this and suggests a strong link to a Russian origin. First, the author’s name was preserved as виньда (Vinda), and the company name came up as SPecialiST RePack.

SPecialiST RePack Metadata

SPecialiST RePack is a Russian digital publisher that repackages software. According to the Emsisoft malware database, they are a source of a large number of infected files and products.

SPecialiST RePack infected content

As for the unfortunate Adenzia.ch site, it seems that it was breached in the past few months, as the Wayback Machine still shows it operational on October 4, 2016.

I’ve tried to contact Adenzia to give them a heads-up that they need to have a look at their network. As of this date, I haven’t heard back from them. This could indicate either that the site was a front for malware distribution from the get-go or that the business has closed and the site has been abandoned.

Coincidence or Not?


You may have seen this motivational masterpiece. It’s a favorite among performance consultants. 

It goes as follows:

IF

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

THEN:

K N O W L E D G E
11 14 15 23 12 5 4 7 5 96%

AND:

H A R D W O R K
8 1 18 4 23 15 18 11 98%

Both are important, but fall just short of 100%

BUT…

A T T I T U D E
1 20 20 9 20 21 4 5 100%

So the moral of the story is that if you have the right attitude, you will achieve 100 percent of your potential. 

It sure looks great on paper. To test the mystical value of this proposition, I wrote a short script that first generates words between 2 and 12 characters long whose letter values add up to 100 and then checks which of them appear in a dictionary.

As might be expected, the script generated hundreds of valid words (see the short sample below just for the letter A). It turns out that many of them are not very motivational.

A N E U R I S M
1 20 20 9 20 21 4 5 100%
B O Y C O T T  
1 20 20 9 20 21 4   100%

The problem with all of these leadership gimmicks is that they fail to understand the fundamentals of human performance, chiefly that nothing in nature functions at 100% efficiency. In actuality, anything that operates in the 70 percent range is outstanding.

Anyone with doubts should consult Frederick Brooks’ Mythical Man-Month.

Word           Letter values                                       Sum
Abrogative     1 + 2 + 18 + 15 + 7 + 1 + 20 + 9 + 22 + 5            100
Acromegaly     1 + 3 + 18 + 15 + 13 + 5 + 7 + 1 + 12 + 25           100
Affectation    1 + 6 + 6 + 5 + 3 + 20 + 1 + 20 + 9 + 15 + 14        100
Alienation     1 + 12 + 9 + 14 + 5 + 1 + 20 + 9 + 15 + 14           100
Anchoritic     1 + 14 + 3 + 8 + 15 + 18 + 9 + 20 + 9 + 3            100
Anglophobia    1 + 14 + 7 + 12 + 15 + 16 + 8 + 15 + 2 + 9 + 1       100
Anorchism      1 + 14 + 15 + 18 + 3 + 8 + 9 + 19 + 13               100
Aryanism       1 + 18 + 25 + 1 + 14 + 9 + 19 + 13                   100
Asbestos       1 + 19 + 2 + 5 + 19 + 20 + 15 + 19                   100
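A small re-creation of the kind of script described above, added here as an example (it is not the author’s script): score words with A=1 through Z=26 and filter a word list down to the 2-to-12-letter entries that total 100. The word list is a constructed sample standing in for a dictionary file.

```python
import string

# A=1, B=2, ..., Z=26, exactly as in the motivational poster.
LETTER_VALUE = {c: i for i, c in enumerate(string.ascii_uppercase, start=1)}


def letter_sum(word):
    """Sum of the letter values; non-letters (spaces, hyphens) contribute 0."""
    return sum(LETTER_VALUE.get(c, 0) for c in word.upper())


def hundred_percent_words(words, min_len=2, max_len=12, target=100):
    """Words of the allowed length whose letter values add up to target, sorted."""
    return sorted(
        w for w in words
        if min_len <= len(w) <= max_len and letter_sum(w) == target
    )


# Constructed sample word list standing in for a dictionary.
SAMPLE_WORDS = ["attitude", "knowledge", "hardwork", "abrogative", "asbestos",
                "aneurism", "anchoritic", "zoo", "a", "hyperdimensionality"]

if __name__ == "__main__":
    for w in ("KNOWLEDGE", "HARDWORK", "ATTITUDE"):
        print(w, letter_sum(w))
    print(hundred_percent_words(SAMPLE_WORDS))
```

Swapping SAMPLE_WORDS for the contents of a system word list (one word per line) reproduces the hundreds of hits the post describes.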

 


Only a Math Genius can Solve this Puzzle–Not Really!


One of the most popular math equation puzzles on social media is interesting because it doesn’t have one correct answer, and it illustrates the nature of solution divergence.

Here is an example. The following two problems come out the same regardless of whether we use the “sum of the digits of the product” method or the “product of the sums of the digits” method:

11×11=4
22×22=16

But for the next item, 33×33=?, the two methods diverge and yield different results (see the result table below for methods 1 and 2).

For method 1 (sum of the digits of the product) it is: 33×33=18

33×33=1089, and 1+0+8+9=18

For method 2 (product of the sums of the digits) it is: 33×33=36

(3+3)×(3+3) = (6)×(6) = 36


Here is a graphic solution for method 2

Yaacov Apelbaum If X and Y than Z

Here are the solutions for the first 40 sets for each method.

Method 1 (sum of the digits of the product)      Method 2 (product of the sums of the digits)
X    Y    X×Y      Result                    |   X    Y    Result
11   11   121      4                         |   11   11   4
22   22   484      16                        |   22   22   16
33   33   1089     18                        |   33   33   36
44   44   1936     19                        |   44   44   64
55   55   3025     10                        |   55   55   100
66   66   4356     18                        |   66   66   144
77   77   5929     25                        |   77   77   196
88   88   7744     22                        |   88   88   256
99   99   9801     18                        |   99   99   324
110  110  12100    4                         |   110  110  400
121  121  14641    16                        |   121  121  484
132  132  17424    18                        |   132  132  576
143  143  20449    19                        |   143  143  676
154  154  23716    19                        |   154  154  784
165  165  27225    18                        |   165  165  900
176  176  30976    25                        |   176  176  1024
187  187  34969    31                        |   187  187  1156
198  198  39204    18                        |   198  198  1296
209  209  43681    22                        |   209  209  1444
220  220  48400    16                        |   220  220  1600
231  231  53361    18                        |   231  231  1764
242  242  58564    28                        |   242  242  1936
253  253  64009    19                        |   253  253  2116
264  264  69696    36                        |   264  264  2304
275  275  75625    25                        |   275  275  2500
286  286  81796    31                        |   286  286  2704
297  297  88209    27                        |   297  297  2916
308  308  94864    31                        |   308  308  3136
319  319  101761   16                        |   319  319  3364
330  330  108900   18                        |   330  330  3600
341  341  116281   19                        |   341  341  3844
352  352  123904   19                        |   352  352  4096
363  363  131769   27                        |   363  363  4356
374  374  139876   34                        |   374  374  4624
385  385  148225   22                        |   385  385  4900
396  396  156816   27                        |   396  396  5184
407  407  165649   31                        |   407  407  5476
418  418  174724   25                        |   418  418  5776
429  429  184041   18                        |   429  429  6084
440  440  193600   19                        |   440  440  6400


It is interesting to note the growth pattern of each series. In method 1 the values cluster within a narrow band of a few values (see the pattern for 30K solutions), whereas in method 2 the growth is polynomial.

How many four-sided figures appear in the diagram?

There are a number of these geometric combinatorics problems around. Here is a complete graphic solution to one of the more common ones.

Question: How many four-sided figures appear in the diagram below?

  • 10
  • 16
  • 22
  • 25
  • 28

Answer: 25

Yaacov Apelbaum - How many four sided figures


Anguished English

February 19, 2016

“Thy sin’s not accidental, but a trade.” (from Measure For Measure)

Getting bombarded by Phishers is no fun but sometimes these communications offer some comic relief. This posting is dedicated to the anguished English and linguistic jewels they produce. May the tormented ghost of Shakespeare continue to sabotage their exploits.

Here are my top ten favorites:

1. Starting the message in one language and then switching to another as in “Dear Cliente,”

2. Getting subject verb agreement wrong as in “Your account just make…”

3. Poor punctuation as in “Due to concerns, for safety and the integrity…”

4. Nonsense content as in “Most of your date in our database were encrypted…”

5. Poor formatting as in missing a space after a period.that’s right.

6. Wrong capitalization as in “This is the Last reminder…”

7. Poor grammar as in “If this message sent as Junk or Spam, its just an error…”

8. Excessive use of exclamation marks as in “Update Required!!”

9. Poor spelling as in “It has come to out [our] attention that…”

10. Failure to do basic arithmetic accurately as in “$254.99 + $20.00 = $374.99”

Screenshots: Anguished English PayPal phishing emails 1 to 10

© Copyright 2016 Yaacov Apelbaum, All Rights Reserved.
