All posts by Rafiki Technology

We learned a ton in school, on the job, but also from great technical insights that others shared on various platforms. We are just giving it back and glorifying Jesus Christ, the Inventor of all human beings. Please note that all information shared on or through our site is of good faith and is not intended to cause any harm individuals, groups, organizations, or devices. Just to be clear: you assume all responsibility for anything you do; we are not liable for anything that should go wrong.

AntivirusLittle TipsMalwarePhishingSecurity

Spam Alert: These People Never Get Tired Of Trying To Get You

 

Here is little warning and reminder not to get too comfortable thinking that scammers are gone or that your email spam filter is so good they will never get to you. Here is your wake up call: These people never get tired of trying. They use all sorts of means to disguise themselves including shortening their links by means of “short url” machines like in the case of the above picture.

Spam Email Example

Example of an email that hides a dangerous link behind a tinyurl link under the UPGRADE NOW button.

In fact, I just got right in my inbox one of those messages with a malicious link to some phishing scam hosted on https:// [some_malicious_place] .us.archive.org. But the link that was actually in the big blue button was not pointing there directly. It was disguised behind a https:// tinyurl.com/ [some_extension_goes_here]. It took running the link through Google’s online virus scanner virustotal.com to detect that the final destination of the link is an archive.org-hosted malicious content and site.

So, when you get an email that makes you uncomfortable as to why you are getting it or one that it looks suspicious, you probably are right. It is probably suspicious and dangerous. Get your IT friend look at it or just do not click on any links or attachments in it until you can get it verified by someone who has the tools. If you know how to extract the links without activating them, then do that and report the links if malicious to places like virustotal.com or to your antivirus software so they can include it in their next update. Please note that sometimes the email may come from an address of a person you actually know (after their mailbox was hijacked or is being spoofed).

Google is full of resources on how to tell if the email you are looking at is Spam. Seriously. Just type such a question and you will find a plethora of reputable sites with good examples. Emphasis on reputable. Do not fall for more phishing while trying to detect some.

virustotal.com reveals the actual final destination of a tinyurl or Shortened URL.

This screenshot from virustotal.com details page shows us the final URL the tinyurl link or Shortened URL that was in the phishing email would have led to.

Advertisements
Uncategorized

ICT policy training for Congolese activists held in Goma

Rudi International

In partnership with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), we brought together human rights activists, journalists, bloggers, lawyers, etc to discuss ICT policy issues in Africa and in the world. A special focus was on the Democratic Republic of Congo (DRC) because we examined the current policies and the way the policy development process is being handled in the DRC.

For two days, it was a good opportunity for journalists and human rights advocates in Goma to be exposed to Internet freedom topics and know how they can be part of the policy discussion. One of the major activities was that participants were able to read the current ICT laws and to compare it with the new proposed ICT laws currently under discussion at the Parliament.

Recommendations were drafted on how the ICT proposal can be improved and have it include issues such as…

View original post 130 more words

What to do when you can't delete a program in Windows
Little TipsMalwareWindows 10 TipsWindows PCWindows Server Tips

How To Manually Uninstall a Stubborn Service in Windows?

There are programs that are not easy to uninstall. Sometimes you can easily uninstall the said programs only to find out that they left a trail of files in C:\Program Files\ or C:\Program Files (86)\ that you then try to manually delete.

If all goes away and leaves your computer alone, great! You do not need this article. This article is for times when the program just won’t go away and reports that there is another system using it or another user currently running the program. If there is no user that you know of and there are not programs you are aware of that are still running the unwanted application:

  1. Try to kill the process in the Applications tab of your Windows Task Manager.
  2. If the problem persists, Check your Services tab of the Windows Task Manager and look for the name of the unwanted application or for anything related to it.
  3. If the application you are uninstalling had a server component, you will find it in the list of Services. (Hint: Sort the list by Name instead of PID you can at least identify the program by name.)
  4. Once you find the problematic service. Right mouse click on it to Stop the service and then try to delete the folder or application you had a hard time deleting.
  5. If that still does not let you remove it, then go ahead and run an elevated command prompt to run sc.exe
  6. The command  sc.exe delete <service name> should help you completely remove or delete the service, where <service name> is the name of the service itself as you see it in the service management console, not of the exe.
  7. Finally try to delete the folder you were attempting to delete from C:\Program Files\ or wherever you had installed the application.
  8. If all none of the above solves the problem, there are certainly other methods out here. Let us know what did the trick for you by commenting below. (Pro Tip: Consider bringing in some of the big guns like the Process Explorer from Microsoft’s SysInternals Utilities).
Uncategorized

defending against EvilOSX, a python RAT with a twist in its tail

I am often torn between sharing such a dangerous tool and just keeping it among the hands of few. But then I think, well, a way to protect yourself and your systems is at least offered here. So, here we go. To use the words of philastokes from APPLEHELPWRITER, “Stay safe, folks!”


Intro
EvilOSX is a malware project hosted on GitHub that offers attackers a highly customisable and extensible attack tool that will work on both past and present versions of macOS. The project can be downloaded by anyone and, should that person choose, be used to compromise the Macs of others.

What particularly interested me about this project was how the customisation afforded to the attacker (i.e., anyone who downloads and builds the project, then deploys it against someone else) makes it difficult for security software like my own DetectX Swift to accurately track it down when it’s installed on a victim’s machine.

In this post we’ll explore EvilOSX’s capabilities, customisations, and detection signatures. We’ll see that our ability to effectively detect EvilOSX will depend very much on the skill of the attacker and the determination of the defender.

For low-skilled attackers, we can predict a reasonably high success rate. However…

View original post 2,321 more words

macbookOS XSecurityUncategorized

When Was The Password Last Changed On This Mac?

In one more of these wonderful scripts that can do crazy things,  philastokes from APPLEWRITERHELPER, has handed you the keys to the kingdom. With this simple script, you can find our the last time the passwords for a set number of users was changed on a Mac running OS. And that right from your Terminal.

Sometimes it can be useful to know when the user’s password was last changed. For example, you might want to enforce a policy of having users (or yourself!) change login passwords after a given period. Alternatively, if you or one of your users is experiencing login difficulties, you might want to check that the password […]

#one liner command line to get last password set times for all users on the mac

# see http://applehelpwriter.com/2018/03/14/6228
echo; echo Password Last Changed:; u=$(dscl . list /Users | egrep -v ‘^_|daemon|nobody’); for i in $u; do printf \\n$i\\t; currentUser=$i;t=$(dscl . read /Users/”$currentUser” | grep -A1 passwordLastSetTime | grep real | awk -F’real>|</real’ ‘{print $2}’); date -j -f %s “$t” 2> /dev/null; done

via how to find when the login password was last changed —

Gmail emails with dots still get to you
GoogleLittle TipsSecurity

Did You Know that Dots Don’t Matter in Gmail Addresses?

Yes, an extra dot in the username part of the email address does not change who gets the email address at Gmail.com. Please be careful to notice that this might not be true of all other email service providers.

For example: john.doe@gmail.com is the same as j.ohndoe@gmail.com or any variation of the position or number of dots before the @ sign. If someone tries to open a new Gmail account with just a dot as a difference between their address and yours, Google will tell them the username already exists.

Caution: if you used Gmail through an organization like school, business, or company, your dots do matter.

More on this in this Gmail help article.

Have you experienced anything that contradicts the above? Please share here in comment.

Local Session Manager
Little TipsNetworkingRDS - Remote Desktop ConnectionWindows Server Tips

How To Find Out All Remote Desktop Logon Sessions That Took Place On Windows Server 2012 R2

The first time I used these logs is when I was running an audit to figure out whether a specific user has recently accessed my server using Remote Desktop Connection.

In order to identify who has recently had a full session remotely running on your server, you: look at the events located at these two places:

Event Viewer > Application and Service logs > Microsoft > Windows > TerminalServices – Local SessionManager > Operational

and

Event Viewer > Application and Service logs > Microsoft > Windows > TerminalServices – RemoteConnectionManager > Operational

To have any events logged in here, you have to at least have these things in place:

  • You must be running the Windows Feature AppServer (Terminal Services Application Server)
  • The specified logs must be enabled.

With these conditions in place, these logs show give you the user names and computer names of all Remote Desktop sessions that have taken place between your computer and other client devices for a certain duration of time. Of course the length of the log depends on the properties you have set for the logs (e.g. Enabled logging, Maximum log size, what to do when maximum event log size is reached, etc.).

Please note that these logs can also be used to diagnose and troubleshoot RDS sessions that disconnect in an apparently random way.

One other place you can check is your Event Viewer > Windows Logs > Security which should have audit log of successful and failed logons if you had activated the “Audit logon events” in Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy snap-in.

Finally, a rather simple way you can go about it is by using the command line as an administrator and typing the following command (more about it at the Windows Command Line reference below):

net user  username | findstr /B /C:"Last logon"

Do you know of any other ways to achieve this audit? Please let us know in the comment section.

Some other useful resources include: