    Posts

    • RE: Email phishing attempt against one of our vendors was successful ...

      @JasGot said in Email phishing attempt against one of our vendors was successful ...:

      @BraswellJay said in Email phishing attempt against one of our vendors was successful ...:

      One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.

      Wow! Good work. That's a dedicated scammer. What was his payday? If you don't mind making the story more fun...

      Enough to sting but not crippling to us or the vendor involved.

      posted in IT Discussion
      BraswellJay
    • RE: Email phishing attempt against one of our vendors was successful ...

      @JasGot said in Email phishing attempt against one of our vendors was successful ...:

      @BraswellJay said in Email phishing attempt against one of our vendors was successful ...:

      Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.

      What makes me also think it was a directed phish attack on your vendor, is that you say the vendor received an e-mail regarding another ACH account number on the same day, but you didn't say the message had any indication it was a follow up or correction to the earlier message.

      Thanks everyone for the feedback. It does appear it was on the vendor end but it was a more sophisticated attack that did involve us being fooled as well even though the target was our vendor. From our investigation this is what we believe actually happened:

      • Vendor owed us and was going to pay by ACH and requested details. These details were sent to him by our head of finance in an encrypted email which the vendor did receive.
      • The attacker then spoofed our accounting team by sending us a phishing email that appeared to come from the vendor (the domain name used against us left an "s" off of the end of the domain name, thus appeared valid to our accounting team) stating that he had not received the ACH info (which the vendor had, this was the attacker phishing us). One of our accountants responded (to the wrong domain) once again giving the correct ACH details.
      • At this point the attacker had all he needed to spoof an email that appeared to come from the accountant that had responded to him. The attacker used that info to send a phishing attack email to the vendor which appeared to come from our accountant but used the wrong domain name and contained the attacker's ACH info.
      • Vendor was fooled by this email and sent payment to the wrong account.
      • Vendor ignored (for some reason, don't know why) the fact that when he went to ACH the money, the company name appearing on his bank portal as the destination for the payment was not our company name.

      One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.

      posted in IT Discussion
      BraswellJay
    • RE: Email phishing attempt against one of our vendors was successful ...

      @JasGot said in Email phishing attempt against one of our vendors was successful ...:

      @BraswellJay The phish'd e-mail came from another domain, correct?

      That's correct.

      posted in IT Discussion
      BraswellJay
    • Email phishing attempt against one of our vendors was successful ...

      Our accounting department just let me know that one of our vendors' payments to us was apparently hijacked and sent to an account that was not our own. Here are the facts as I have them so far:

      • Our head of finance sent an encrypted email to the vendor giving them an account of ours to ACH funds to. Vendor states that they did receive this email.

      • Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.

      • Upon closer inspection we can see that this is a phishing email he received. The from field spoofed our domain by replacing the characters "il" with "ll" in one spot and thus was difficult to spot unless looking closely.

      • This secondary email, though obviously spoofed, had the correct email signature that we use as a corporate standard for the user that it was impersonating, which gave the email an extra measure of authenticity in the eyes of the vendor.

      My question is how likely was this caused by a breach on our network? The thing that is concerning is that the attacker had the correct email signature, though this could have come from anyone that had ever received an email from us, since it is the standard that we use. Furthermore, from what I have been told (I haven't seen it to be able to verify), the phished email was received immediately after the original valid email.

      Anything in particular that I should be checking? We are on O365 for our email and so we don't host our own email server.

      posted in IT Discussion email phishing o365
      BraswellJay
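
An added example, not part of the original posts and not the poster's code: a sender-domain check that catches the two lookalike tricks described in the phishing thread above, a dropped trailing "s" and "il" replaced by "ll". The domains, the `TRUSTED` list and the function names are constructed for illustration and use the reserved `.example` TLD.

```python
from email.utils import parseaddr

# Hypothetical allow-list: our own domain and the vendor's domain (constructed).
TRUSTED = {"railco.example", "acmeparts.example"}

# Visually confusable sequences folded to one canonical form before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"))


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'railco' and 'rallco' compare equal."""
    s = domain.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, max_distance: int = 1):
    """Return (verdict, trusted_domain_it_resembles_or_None) for a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in sorted(TRUSTED):
        # Same visual skeleton but different bytes: character-swap lookalike.
        if skeleton(domain) == skeleton(good):
            return ("lookalike-confusable", good)
        # One character added, dropped or changed: typo-style lookalike.
        if edit_distance(domain, good) <= max_distance:
            return ("lookalike-typo", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From headers.
    for hdr in ("Billing <billing@acmeparts.example>",
                "Pat <pat@rallco.example>",
                "ap@acmepart.example",
                "news@unrelated.example"):
        print(hdr, "->", classify(hdr))
```

A verdict of `lookalike-*` on a message that mentions payment or bank details is the case to hold for out-of-band confirmation with the real contact.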
    • RE: What Are You Doing Right Now

      Had never known this about one of the founders of Cloudflare ...

      https://www.wired.com/story/lee-holloway-devastating-decline-brilliant-young-coder/?utm_source=pocket-newtab

      posted in Water Closet
      BraswellJay
    • RE: iperf results wired vs wireless ...

      Ok, thanks for the feedback.

      Would replacing these APs with Ubiquiti AC Pro devices result in better performance? Would it be reasonable to expect client connections to be faster with an AP that supports AC?

      I've got a secondary site where I have AC Pro APs, so I can test there and see what I am getting at that site with the different access points.

      Thanks.

      posted in IT Discussion
      BraswellJay
    • iperf results wired vs wireless ...

      I've been doing some performance testing on our network and I'm seeing what appears to be significant performance degradation on the wireless network vs wired network. I realize that in most if not all cases wireless will not be as performant as wired but what I am seeing seemed much more significant than expected.

      Here are the iperf results on wireless:

      c:\temp\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.158
      Connecting to host 192.168.1.158, port 5201
      [  4] local 192.168.1.32 port 54717 connected to 192.168.1.158 port 5201
      [ ID] Interval           Transfer     Bandwidth
      [  4]   0.00-1.00   sec  8.75 MBytes  73.4 Mbits/sec
      [  4]   1.00-2.00   sec  8.38 MBytes  70.3 Mbits/sec
      [  4]   2.00-3.00   sec  8.25 MBytes  69.2 Mbits/sec
      [  4]   3.00-4.00   sec  7.75 MBytes  65.0 Mbits/sec
      [  4]   4.00-5.00   sec  7.75 MBytes  64.9 Mbits/sec
      [  4]   5.00-6.00   sec  6.50 MBytes  54.6 Mbits/sec
      [  4]   6.00-7.00   sec  7.38 MBytes  61.9 Mbits/sec
      [  4]   7.00-8.00   sec  7.62 MBytes  64.0 Mbits/sec
      [  4]   8.00-9.00   sec  7.62 MBytes  63.9 Mbits/sec
      [  4]   9.00-10.00  sec  7.12 MBytes  59.8 Mbits/sec
      - - - - - - - - - - - - - - - - - - - - - - - - -
      [ ID] Interval           Transfer     Bandwidth
      [  4]   0.00-10.00  sec  77.1 MBytes  64.7 Mbits/sec                  sender
      [  4]   0.00-10.00  sec  77.1 MBytes  64.7 Mbits/sec                  receiver
      
      iperf Done.
      

      And here are the results on wired:

      
      c:\temp\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.158
      Connecting to host 192.168.1.158, port 5201
      [  4] local 192.168.1.37 port 56917 connected to 192.168.1.158 port 5201
      [ ID] Interval           Transfer     Bandwidth
      [  4]   0.00-1.00   sec   105 MBytes   879 Mbits/sec
      [  4]   1.00-2.00   sec   103 MBytes   861 Mbits/sec
      [  4]   2.00-3.00   sec   102 MBytes   860 Mbits/sec
      [  4]   3.00-4.00   sec   102 MBytes   855 Mbits/sec
      [  4]   4.00-5.00   sec   102 MBytes   860 Mbits/sec
      [  4]   5.00-6.00   sec   102 MBytes   859 Mbits/sec
      [  4]   6.00-7.00   sec  99.8 MBytes   837 Mbits/sec
      [  4]   7.00-8.00   sec   100 MBytes   839 Mbits/sec
      [  4]   8.00-9.00   sec  98.6 MBytes   827 Mbits/sec
      [  4]   9.00-10.00  sec   104 MBytes   872 Mbits/sec
      - - - - - - - - - - - - - - - - - - - - - - - - -
      [ ID] Interval           Transfer     Bandwidth
      [  4]   0.00-10.00  sec  1019 MBytes   855 Mbits/sec                  sender
      [  4]   0.00-10.00  sec  1019 MBytes   855 Mbits/sec                  receiver
      
      iperf Done.
      
      c:\temp\iperf-3.1.3-win64>
      

      Am I wrong in thinking that the difference shouldn't be that great? These results are representative of what I get at all times of day. I had similar results late last Friday when no one else was here so I don't think it is the result of too many users connected.

      We're using Cisco Aironet 2602 access points.

      posted in IT Discussion wireless ap cisco aironet
      BraswellJay
    • PLC signal relay over IP ...

      We have an alarm system in our production plant that has an audible alarm in the plant, and a security company also monitors it and has a call-out list if the alarm goes off and is not acknowledged in time.

      We also have a security guard house at the front of our property that is manned 24/7. We're wanting to see if we can set it up such that if the audible alarm goes off in the plant that the security station will also get an audible alarm. I don't think it is a problem to shoot wireless to the security station and get an IP link to there. The question though is how to propagate the alarm signal over it.

      I found this product which I think will do what we want. It looks to be a discrete signal relay over IP :

      https://www.controlbyweb.com/webrelay/?gclid=EAIaIQobChMIosyt28rM6AIVE2KGCh0zXg4kEAQYByABEgL6lPD_BwE

      Has anyone ever used this product or have something similar? I asked our security company but they don't have any real IP knowledge, so they weren't sure what to use, but they said that if we can find something that they can input their signal into inside the plant and have it propagate over IP to the security station, then we can do what we want.

      Thanks.

      posted in IT Discussion
      BraswellJay
    • RE: Video Conference equipment to integrate with MS Teams ...

      @scottalanmiller said in Video Conference equipment to integrate with MS Teams ...:

      In general? Or "equipment readily available during the shortage from the COVID crisis?"

      We have lots of stuff we like. Most of it is sold out right now.

      In general. We have time if we need to get past a shortage.

      posted in IT Discussion
      BraswellJay
    • Video Conference equipment to integrate with MS Teams ...

      Does anyone have any recommendations on video conference equipment that integrates with MS Teams? We've got 1 big conference room (seats 15) and a few smaller ones that seat 5-8. I was starting to look at some equipment to handle the audio/video part but just wanted to see if anyone had any experience with a system such as this with MS Teams.

      Thanks

      posted in IT Discussion microsoft teams audiovideo conference room
      BraswellJay
    • RE: Zerotier on Windows firewall rule question ...

      @syko24 said in Zerotier on Windows firewall rule question ...:

      @BraswellJay - check which firewall profile is selected for your ZeroTier interface. Is it set for public on your computer or the computer you are trying to access?

      They are set to work networks on both:

      250ac923-99eb-4d16-bfdb-64b7cdd93799-image.png

      All of the firewall rules are set to apply to all profiles:

      12dac406-c669-430f-9b4a-e0be3bd85650-image.png

      posted in IT Discussion
      BraswellJay
    • Zerotier on Windows firewall rule question ...

      I've been playing around with zerotier and I had a question regarding firewall rules on windows 10.

      I have found that in addition to the rules that the zerotier installer adds, I have to make a custom inbound rule to allow my zerotier subnet. For instance I have to add the following inbound allow rule in the windows firewall where 10.243.0.0/16 is my zerotier network subnet:

      24b89778-e407-42e3-a05d-0e897a274595-image.png

      Interestingly, if the clients are both Windows 7 machines then this rule does not appear to be necessary, the Windows 7 machines will communicate with each other without it. However once one of the clients is a windows 10 machine then both clients require this rule, even a Win10<->Win7 connection.

      I can't find any documentation to support this so it makes me think I have missed something. Has anyone else observed this behavior with the zerotier client on a windows 10 machine?

      posted in IT Discussion zerotier windows 10
      BraswellJay
    • SMB share from RHEL access issues ...

      We're installing an inventory management system and the vendor is using a RHEL server. They have installed a Samba share to put client installation files to install on windows machines.

      I'm not having any issues on a Windows 7 machine but the Windows 10 machines are not able to see the share. It does not allow access. I'm thinking this is some kind of SMB version issue but I'm not familiar with Samba shares from Linux so not 100% sure. I did enable SMB v1 on the windows 10 clients thinking that would be necessary but that did not have any effect.

      Does anyone know of anything I could check on the Windows clients so that I can see the share?

      Thanks

      posted in IT Discussion windows 10 samba
      BraswellJay
    • RE: Switch for harsh environment ...

      @Pete-S said in Switch for harsh environment ...:

      @BraswellJay What kind of environment and how hot is very hot? How much power over PoE? Managed or unmanaged? L2 or L3? What type of mounting - rack, DIN rail or wall? Do the switches need support for any type of fieldbus (like Ethernet/IP, etherCAT, Profinet)?

      It's a farm area as a general description. Ambient temperature in the summer will be 100-110 degrees F. PoE will be to drive a typical camera, that's what the new installation is for, to support cameras in our farm area. Would prefer managed, L3 as our intent is to VLAN these cameras in a separate subnet.

      Mounting I can be flexible at the moment. It will be inside an enclosure so we can adjust the enclosure size to match the switch we get. No extra support beyond standard TCP/UDP/IP type applications.

      All we are aiming to accomplish is to add additional security cameras to cover an area that is currently not monitored.

      posted in IT Discussion
      BraswellJay
    • Switch for harsh environment ...

      Does anyone have a recommendation on a good network switch to use that will be located in a harsh environment? The location will be extremely dusty and very hot, especially during summer months. Plan to put it in a NEMA enclosure that will have little air flow inside.

      Minimum of 12 RJ45 ports with POE capability and 1 SFP port for link back to server room but 16 or 24 RJ45 POE would be better for expected future needs.

      Thanks.

      posted in IT Discussion switches environment monitoring
      BraswellJay
    • RE: Remote management of employees personal cell phones ...

      @scottalanmiller said in Remote management of employees personal cell phones ...:

      @BraswellJay said in Remote management of employees personal cell phones ...:

      Our management team has decided that they want to end company issued cell phones and instead provide a monthly stipend for work use of personal phones. As part of that they want to be able to protect company data on personal phones. Basically they want to wipe company data if the employee leaves the company.

      Let's reword this...

      Basically they said...

      "We want to stop having the right to wipe devices and protect our data."

      And then they said "We want to get back the thing we just gave up."

      Which do they want, to not pay for the phones, or to control the data? They have to choose.

      This was pretty much my thoughts as well so glad to see I'm not out in left field in thinking that way.

      I had objected to the whole notion and told them that I wouldn't want to allow the company to control my personal phone and I doubted other employees did either.

      But then one of the managers has a brother whose company has some control over his personal phone so I thought maybe the practice was more widespread than I had thought.

      posted in IT Discussion
      BraswellJay
    • Remote management of employees personal cell phones ...

      Our management team has decided that they want to end company issued cell phones and instead provide a monthly stipend for work use of personal phones. As part of that they want to be able to protect company data on personal phones. Basically they want to wipe company data if the employee leaves the company.

      My first thought is I'm not sure employees are going to want to allow the company to install anything that will control their personal devices. I know I'm not keen on the idea at the moment myself.

      For those who may be in a similar situation, do your employees allow company control of their personal devices? What kinds of issues should I be looking at trying to protect? Email and VPN access jump immediately to mind but are there other considerations as well?

      Are there any tools that others have used to accomplish this and what has the experience with them been like?

      Thanks

      posted in IT Discussion byod remote management
      BraswellJay
    • RE: Acquiring Toll Free Numbers.

      You can do this with voip.ms. Register the 800 number with them and then in the portal you can forward it to a different number. We do that with one of ours at the moment :

      98ef9751-a4a6-434e-aa17-047fbafb6e39-image.png

      Just set the routing of the 800 number to FWD and enter the number to forward to. As far as I know there are no restrictions on what number you can forward to.

      posted in IT Discussion
      BraswellJay
    • RE: voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...

      @JaredBusch said in voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...:

      @BraswellJay said in voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...:

      @JaredBusch said in voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...:

      @BraswellJay said in voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...:

      This morning I'm having issues with voip.ms atlanta2 server. It seems to be intermittently going down. I've moved our outbound routing to the washington2 server but I can't seem to get our inbound routing to move from the atlanta2 server to washington2.

      I went in to the portal and from the manage DID section I changed the pop from atlanta2 to washington2 but the routing doesn't seem to be changing to the new trunk. Does anyone know if there is something else I need to be doing to get my inbound to switch to the new pop?

      Did you update your PBX to register to Washington2?

      Yes. That is successful and my outbound routing is going out over the new trunk correctly. It's only inbound that is still trying to come in over atlanta2 instead of washington2

      New trunk? Do you have multiple trunks? Or did you just edit the existing?

      Disable the trunk in the PBX, apply changes, enable, apply changes.

      It's a new trunk. I had one going to atlanta2 which I left intact but added a new one to washington2. I went ahead and disabled the old one to see if that would somehow force it but that didn't have any effect.

      I've opened a ticket with voip.ms.

      In theory the only change I would need in the portal to change the inbound routing would be to change the POP in the manage DID, I think. Is that correct?

      This is how my POP reads for that number in the portal now:

      0ed68d5f-f230-4c78-978d-185da1b471f0-image.png

      It had said Atlanta-2 before I changed this morning.

      posted in IT Discussion
      BraswellJay
    • RE: voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...

      @JaredBusch said in voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...:

      @BraswellJay said in voip.ms atlanta2 issues / am I switching my inbound routing to new server correctly ...:

      This morning I'm having issues with voip.ms atlanta2 server. It seems to be intermittently going down. I've moved our outbound routing to the washington2 server but I can't seem to get our inbound routing to move from the atlanta2 server to washington2.

      I went in to the portal and from the manage DID section I changed the pop from atlanta2 to washington2 but the routing doesn't seem to be changing to the new trunk. Does anyone know if there is something else I need to be doing to get my inbound to switch to the new pop?

      Did you update your PBX to register to Washington2?

      Yes. That is successful and my outbound routing is going out over the new trunk correctly. It's only inbound that is still trying to come in over atlanta2 instead of washington2

      posted in IT Discussion
      BraswellJay