Locking, SMB, SMTP, SPF, CAA, WMIC

  • Electronic Locking. Even more bullsheep technology. Haha. It's just like we've got this ultra expensive security blah blah system, and it's just like the "security fantasy show". But reality is very different. Electronic locking is just like firewalls and other security equipment: it can have many serious issues, plus the true weakness, the incompetent, couldn't-care-less, "it seems to be working somehow" staff who are responsible for actually operating and configuring it. - Yes, I do value competent people highly. But the truth is that that doesn't happen too often. - To the point? This morning the office building was totally locked and all access tokens were revoked. That probably happened because the restoration work, which was potentially linked to the annoying network issues, was completed. - Therefore the security administration just 'revoked some access tokens', including everyone we know in the building. - As an example, you can spend a million purchasing all the junk the network security provider wants to sell you. But it's utterly meaningless, because at times the systems will be misconfigured so badly that anyone can access anything, and that's totally normal, as we've seen repeatedly over and over again. - Even major telcos do that. I've got that SMTPS authentication / IP range restriction post somewhere. Even in that case, the helpdesk provided a) misinformation, b) lies, c) didn't even understand what it was about, and d) security-weakening suggestions for how to fix the issue (drop encryption). The peer support forum also provided e) more lies and misinformation. - That's the current state of customer service and security. It totally and absolutely sucks, over and over again.
  • SMBLoris. Yep, a classic server-side remote resource consumption attack, which lets even a Raspberry Pi bring down the beefiest servers available. Legendary and so traditional. No need for massive botnets.
  • Enjoyed SPF policy tuning. So much fun. More fun configuring IIS, Microsoft SMTP MX delivery and Let's Encrypt. It seems that letsencrypt-win-simple misconfigured IIS automatically. When I fixed the configuration, the next run misconfigured it again. Then the maximum number of registration attempts was reached. Now I've configured the server correctly again and removed its rights to misconfigure it. Let's see if it finally works or not. web.config.xml tuning fun. Well, now it works... But that's just how automation is. It does everything automatically, wrong... even breaking an already working configuration. Yeah. Nothing new here either. But it's all good now.
  • It seems that OVH DNS doesn't allow you to set RFC 6844 aka CAA records. I'll ask them and let's see what happens. - Naturally, nothing happened. Totally expected result.
  • Wrote several scripts to mass manage user accounts on the domain. Not bad at all. Fun stuff; this one didn't cause any gray hairs this time. Yet one thing was once again legendary Microsoft (tm) quality. Using WMIC it's still possible to set that option not to expire passwords. Yep, it would be too smart if only one method could be used to do something. It's always a good idea to combine basic traditional net commands, some WMIC and maybe throw in some PowerShell. A good combination of different technologies gives an elite haxxor guru impression and makes things much harder for people not familiar with all of the technologies. I wonder if I could fit in some Python, JavaScript and maybe Visual Basic scripts too? Ssshhtt, that's cool.
  • I also got a strange feeling that the a mechanism doesn't work well with Outlook (Office 365) SPF validation. Tried several ways to get it to work, and all of those failed, even though they passed with Postfix and other SMTP servers. Hmm, interesting. Well, ip4 and ip6 worked perfectly, as did include. Maybe they're trying to avoid expensive DNS lookups. Didn't bother to try ptr because it's not a reliable way of identification. I even retried that with a specific a:domain and plain a, and made 100% sure the A records are there, but alas, it didn't work. Maybe MS is using some kind of SPF data caching that defies TTL? Who knows. But the point is that it didn't work as expected.
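For the user-account item above, here is an added PowerShell example (mine, not the author's scripts) that puts the three overlapping tools the post mentions side by side: the classic net commands, WMIC, and the ActiveDirectory / CIM cmdlets. It reads and sets the "password never expires" flag on one account, applies it in bulk from a list, and then audits the whole domain for it, since whichever tool wrote the flag it ends up as the same bit in userAccountControl. The account name svc-backup, the NetBIOS domain CORP, the second account in the CSV and the CSV itself are made up for illustration; the ActiveDirectory module (RSAT) is assumed to be installed and the session to have rights on the domain.

```powershell
# Added example, not from the original post. Account 'svc-backup', domain 'CORP'
# and the CSV further down are constructed for illustration.
$User   = 'svc-backup'
$Domain = 'CORP'

# --- 1. Classic net commands -------------------------------------------------
# net user has no per-account "password never expires" switch; /expires sets the
# ACCOUNT expiry date, a different attribute. Password age via net is domain-wide.
net user $User /domain            # output includes the "Password expires" line
net accounts /domain              # output includes "Maximum password age"

# --- 2. WMIC (deprecated, but still shipped and still effective) -------------
# Win32_UserAccount.PasswordExpires is writable, so this flips the same
# DONT_EXPIRE_PASSWD bit (userAccountControl 0x10000) that the AD cmdlet flips.
wmic useraccount where "name='$User' and domain='$Domain'" get Name,PasswordExpires
wmic useraccount where "name='$User' and domain='$Domain'" set PasswordExpires=false

# --- 3. PowerShell: two more routes to the identical flag --------------------
Import-Module ActiveDirectory
Set-ADUser -Identity $User -PasswordNeverExpires $true

# Same WMI class WMIC uses, driven through CIM instead of the wmic.exe parser.
Get-CimInstance -ClassName Win32_UserAccount -Filter "Name='$User' AND Domain='$Domain'" |
    Set-CimInstance -Property @{ PasswordExpires = $false }

# Read it back from the raw attribute so it does not matter which tool wrote it.
$uac = (Get-ADUser -Identity $User -Properties userAccountControl).userAccountControl
'{0}: DONT_EXPIRE_PASSWD = {1}' -f $User, (($uac -band 0x10000) -ne 0)

# --- 4. Mass management from a constructed CSV --------------------------------
$rows = @'
SamAccountName,PasswordNeverExpires
svc-backup,True
svc-scanner,False
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $flag = [System.Convert]::ToBoolean($row.PasswordNeverExpires)
    # -WhatIf prints what would change; drop it once the list has been reviewed.
    Set-ADUser -Identity $row.SamAccountName -PasswordNeverExpires $flag -WhatIf
}

# --- 5. Audit: enabled accounts whose password never expires ----------------
# The flag lands in userAccountControl no matter which of the tools above set
# it, so one query catches net/WMIC/PowerShell changes alike.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
           -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet
```

The audit at the end is the part worth keeping: accounts with this bit set never rotate, so an old PasswordLastSet combined with a recent LastLogonDate is exactly the service-account pattern an assessment flags.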
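For the SPF item above, an added PowerShell example (mine, not the author's configuration) that shows what the a, a:domain, ip4, include and all terms are specified to do, and why their cost differs: RFC 7208 counts a, mx, include, ptr, exists and redirect as DNS-querying terms and limits them to 10 per check, while ip4 and ip6 need no lookup at all, which is the "expensive DNS lookups" difference the item guesses at (ptr is additionally discouraged by the RFC). The evaluator below runs against an in-memory DNS table so it works offline and counts the lookups it would have made; the domains, records and addresses are constructed, and mx, ptr, exists and redirect are deliberately left out. It cannot explain why a given receiver behaved as it did; it only shows the reference behaviour a sender can compare against.

```powershell
# Added example, not from the original post. The domains, records and addresses
# are constructed; $FakeDns stands in for real DNS so the script runs offline.
$FakeDns = @{
    'example.test'       = @{ TXT = 'v=spf1 a a:mail.example.test ip4:192.0.2.0/24 include:_spf.provider.test -all'
                              A   = @('198.51.100.10') }
    'mail.example.test'  = @{ A   = @('198.51.100.20') }
    '_spf.provider.test' = @{ TXT = 'v=spf1 ip4:203.0.113.0/24 ~all' }
}

# Prefix match that works for IPv4 and IPv6 by comparing address bytes.
function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/', 2
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # family mismatch never matches
    $bits = if ($bits) { [int]$bits } else { $ipBytes.Length * 8 }
    for ($i = 0; $i -lt $ipBytes.Length -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $bits -= $take
    }
    return $true
}

$Qualifiers = @{ '+' = 'pass'; '-' = 'fail'; '~' = 'softfail'; '?' = 'neutral' }

# Evaluates one domain's record. $State.Lookups is shared across include recursion
# so the RFC 7208 limit of 10 DNS-querying terms applies to the whole check.
function Resolve-SpfResult([string]$Domain, [string]$SenderIp, [hashtable]$State) {
    if (-not $FakeDns.ContainsKey($Domain) -or -not $FakeDns[$Domain].TXT) { return 'none' }
    $record = $FakeDns[$Domain].TXT
    if ($record -notmatch '^v=spf1(\s|$)') { return 'none' }
    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {
        $qualifier = '+'
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $name, $arg = $term -split ':', 2
        $matched = $false
        switch ($name.ToLower()) {
            'all' { $matched = $true }
            'ip4' { $matched = Test-IpInCidr $SenderIp $arg }   # no DNS lookup
            'ip6' { $matched = Test-IpInCidr $SenderIp $arg }   # no DNS lookup
            'a' {
                $State.Lookups++
                if ($State.Lookups -gt 10) { return 'permerror' }
                $target  = if ($arg) { $arg } else { $Domain }   # bare "a" means the record's own domain
                $matched = $FakeDns.ContainsKey($target) -and ($FakeDns[$target].A -contains $SenderIp)
            }
            'include' {
                $State.Lookups++
                if ($State.Lookups -gt 10) { return 'permerror' }
                $matched = (Resolve-SpfResult $arg $SenderIp $State) -eq 'pass'   # only "pass" matches
            }
            default { return 'permerror' }   # mx/ptr/exists/redirect left out of this example
        }
        if ($matched) { return $Qualifiers[$qualifier] }
    }
    return 'neutral'   # record ran out without an "all" term
}

function Test-Spf([string]$Domain, [string]$SenderIp) {
    $state  = @{ Lookups = 0 }
    $result = Resolve-SpfResult $Domain $SenderIp $state
    [pscustomobject]@{ Domain = $Domain; SenderIp = $SenderIp; Result = $result; Lookups = $state.Lookups }
}

Test-Spf 'example.test' '198.51.100.10'   # sender is the domain's own A record ("a")
Test-Spf 'example.test' '198.51.100.20'   # sender is the A record of "a:mail.example.test"
Test-Spf 'example.test' '192.0.2.77'      # sender inside the "ip4:" range, no extra lookup
Test-Spf 'example.test' '203.0.113.5'     # sender allowed only via "include:"
Test-Spf 'example.test' '10.0.0.1'        # nothing matches, "-all" decides
```

Run the five calls and compare the Lookups column: the first two senders are authorised by a terms, so every receiver has to resolve A records before it can say pass, while the ip4 case is decided from the record text alone. When a record gets near the limit, replacing a and a:domain with ip4/ip6 literals is the standard fix, and it also removes one place where a receiver's resolver or cache behaviour can diverge from a local Postfix test.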