December 2022

Facebook links + Former Girlfriend and Scam Weight loss pills

I swear I am working hard this close to Christmas!

But I did accidentally check my Facebook account and saw a suspicious post that I had seen going around my feed.

I have seen posts like this before.  A public post with a couple of dozen people tagged in it.  In this case, one of the people tagged in the post was my (very nice) former girlfriend.

I have seen variations of posts like this with sunglasses and shoes, but this seems to be a new type that hit my news feed.

But this one intrigued me.  The picture looks very convoluted, with one image superimposed over another.  If you look carefully you can see tiled floors and other architecture.  I am guessing the author did this to throw off any image matching software that FB might use to match known scams or copyrighted images.

Looking down the Rabbit hole

I am not a security or a web design expert but decided to check out the website.

I suspect it is a Facebook worm of some sort.

One thing I didn’t want to do when investigating the website was trigger the worm’s propagation process and make matters even worse.

As a precaution I opened the link on my home computer in an incognito page with NoScript running.  The last thing I wanted to do was blow up my work computer by opening a malicious link.

Here is the website in all its glory:

The short link resolved to a fuller domain name and I ran a whois check to find out more.

 

This actually surprised me.  Other scam sites that I have checked with whois usually have domain names registered quite recently.

For instance a phishing email I got the other day – the domain name was only a day old when I looked it up in whois.

Checking out the source code behind the site – the actual HTML code was very neat and tidy.  Nice – I like well formed code.

Other things I noted:

  • All the main menu links jump to a particular spot on the page.  From there you are linked off to another website where you can enter contact details like name, address, phone, credit card number, etc.  I didn’t go deeper than this to see the response to putting in fake details, as this was out of my depth.
  • There were Chinese characters in the HTML comments.  This is by no means implying that people who write comments in Chinese are dodgy – but it seems unusual that a “US Today” website would have foreign-language comments in it.

Image searching

The website was filled with “Before and After” images and testimonies on their product.

Using Google Lens, I searched some of these images.

Our dubious website:

Google Lens came up with:

Google Lens found the image on a Dutch city website belonging to a nutritional consultant, Stein van Vida Vitaal.  Our subject’s name has changed from “Gerald” to “Fred”.

One more check for the end of the day was our “Before and After” bikini model photo in the comments:

Google Lens returned an Insider article by Emily DiNuzzo about “Before and After Body image Photos”.

The author of that article actually got the photo from Shutterstock, which she referenced (link broken) on the website.

Summary

A proper web developer and security expert could probably pull apart this website and explain how the malicious part of it works – but I am not at that level.

One of the biggest risks to security is the component that sits between the computer keyboard and the chair.  

For all the diving into the code, checking domains and looking up reused images over the past half an hour, the biggest thing that stood out to me is the language in the Facebook post:

“I use it. I didn’t change my diet or exercise. Photos before and after use”

It doesn’t seem right.  The post is very vague. 

What did she use? Why aren’t there more details?

If she lost a heap of weight, wouldn’t her language be prouder?

More descriptive?

Wouldn’t she be showing photos of herself instead of some convoluted photo?

Why is my former girlfriend tagged in this post?  She doesn’t have the personality to use questionable diet products.  If the poster is her friend – would she really share something in this manner?  If it was meant for my former girlfriend – why not send it in a private message or a group chat?

Don’t make hackers’ lives easy.  Think before you click.

How to make Toffee Apples (Dentist’s nightmare)

Our kid had his seventh birthday party coming up.

My wife wanted to invite the whole prep class to his party, with the ulterior motive that all the kids in the class would be invited to at least one party for the year.

The sentiment was nice – but the reality was that we had 40+ kids at a party.

I was given the task of making the gift bags.

I wanted to do something different from the usual gift bags that we get in Australia, so after a family discussion we decided this would be the base of the gift bags:

  • Pokemon cards (you can buy bulk lots on ebay)
  • A custom Geocache location as a treasure hunt
  • Seed bombs
  • A toffee apple

Dangers of Sugar Napalm

Deep frying and molten sugar scare me.  Any liquid that can be heated hotter than boiling water is, in my mind, very dangerous (I was burnt by hot soup when I was a kid).

A good YouTube video had some good safety instructions:

  • Wear long pants and shirt
  • Wear enclosed footwear 
  • Have a large container of water on standby so if you get molten sugar on you, you can plunge the affected area into the water as quickly as possible

I would also keep kids at a safe distance until they are an appropriate age to help out.

Recipe

Based on the following video, with a few modifications:

  • I didn’t use cinnamon hard lollies 
  • Added Raspberry essence   

Ingredients

Makes about 20 small toffee apples

  • 20 small “Snacking” Granny smith apples
  • 850g of white granulated sugar
  • 340ml of water
  • 170g of Glucose syrup 
  • 10 drops of red food colouring
  • 10 drops of Raspberry essence (note: this might need some experimenting with, depending on the strength of the essence)
  • Sturdy sticks for the handle

 

Method

Night before

  1. Wash the apples in very hot water to remove the wax coating
  2. Push the sticks in the base of the apple and ensure they are solidly in place 
  3. Place in fridge overnight to chill

On the day

1. In a heavy-based, spotlessly clean saucepan, mix together the sugar, water and syrup.

Pro tip – put the saucepan on the scales and pour the syrup directly in.  If you measure the syrup out in a separate container, you will be forever struggling with the sticky mess of transferring syrup from one container to another.

2. Stir the contents very well to ensure the water and sugar are mixed thoroughly together.

3. Place pan on medium heat on the stove and bring to the boil.  Cover pan with the lid and allow to boil gently for 5 minutes

4. Uncover the pan and insert the sugar thermometer in the pot.  Boil without stirring until the temperature reaches 138°C (280 F)

This step might take a while, as the water has to boil off first.  This is why the temperature will stall at 100°C for a while as the water evaporates.  Once all the water has boiled off, the bubbles will change into larger and slower bubbles.

Don’t leave the pot unattended as the temperature rise will happen without warning.

5. When the temperature reaches 138°C, add the food colouring and Raspberry essence drops.  Distribute the drops in different locations so it is easier for the boiling sugar to mix them through.

6. While waiting for the sugar to reach the correct temperature:

  • Take the apples out of the fridge and dry off the condensation.
  • Prepare some trays to put the finished toffee apples on.

7. Once the temperature reaches the “hard crack” stage of 150°C (300 F), remove the pan from the heat.  Wait a short while for the bubbles to subside.

8. Dip an apple in the sugar syrup and quickly but carefully turn it to get the thinnest coat possible on the apple. Allow the toffee apple to drain the excess liquid off before placing it on the prepared tray.

Whether you go right up to the stick or leave a little gap at the top is the dealer’s choice.  

If the sugar syrup is starting to get too sticky, reheat it on the stove to bring it back up to temperature.

9. Wait until the toffee is cool (should be quick with cold apples) and enjoy.

Notes

  • I think the kids enjoy it as a novelty, something different.  It also brings back nostalgic memories for the older generation.
  • The recipe scales well.  I did a half recipe as a tester and then to make 40 toffee apples we doubled the recipe.
  • A “Candy” thermometer is indispensable for someone starting out making sugary treats.  Well worth the $20 investment.
  • To clean the pot afterwards – fill it up in water and bring it to the boil to remove the stuck sugar
  • Once the toffee apples are cooled down and no longer sticky – bag them up or put them in an air tight container.  They should last a couple of days depending on the temperature and humidity – five days is starting to push it.
  • The Glucose syrup can be substituted with honey – although I haven’t tried it.
  • You can try different flavourings for the sugar syrup – such as almond or strawberry.  I even saw a “Toffee apple” essence in the shop that I bought the Raspberry essence from.

Why can’t Qlik Replicate and Enterprise manager be friends?

A nice quiet evening with the family was interrupted with a critical alert coming through my phone.

Once again server patching had knocked off our Qlik Replicate node.

Logging in, I could see that Enterprise manager could not reach one of our nodes, with the following error message in the log:

2022-12-15 19:15:40 [ServerDto ] [ERROR] Test connection failed for server:MY_QR_CLUSTER. Message:'Unable to connect to the remote serverA connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xxx.xxx.xxx.xxx:443'.

I have seen this problem before and it is usually resolved by:

  1. Failing over the QR windows cluster
  2. Restarting the new passive node

Our IT team is aware of the problem and has been researching a cause and a fix.  Their prevailing theory was that when the cluster is failed over during server patching, some residual connections to the previously active node remain.

But tonight after multiple failovers and stopping and starting the QR roles – still Enterprise manager couldn’t connect to that QR node.

I did the following checks:

  1. The repsrv.log log file had no error messages and the Web UI service was active
  2. From the Enterprise manager, I could ping the QR cluster address and the active node successfully
  3. From a Chrome session on the Enterprise manager server, I could not get to the QR Web console
  4. From a Chrome session on the QR server, I could get to the QR Web console

A senior IT member joined the troubleshooting call and suggested that we reboot the Enterprise manager server.

So we did, and then we couldn’t access the Enterprise manager console either.

At this point I wanted to quit IT and become a nomad in Mongolia.

Then the senior IT member worked it out.

The Windows server was randomly turning on the Windows Firewall.

This was blocking our inbound connections; making the console inaccessible from other locations – except when you were logged onto the server.

This also explains why, when this problem previously arose, restarting the server would eventually work: the server group policy would eventually get applied and turn off the Windows Firewall.

Lessons learnt

If you come across this problem in your environment, try accessing the QR console from multiple locations:

  • From the Enterprise Manager server
  • From within the QR server with a local address like: https://localhost/attunityreplicate/login/
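As an added example (not from the original post, and not Qlik’s own tooling), here is a PowerShell script that turns those checks into something repeatable: one function to run on the QR node (firewall profile state, inbound allow rules, and whether the Web UI answers locally) and one to run on the Enterprise Manager server (ping versus TCP reachability of the cluster address). The host name is a placeholder; port 443 is taken from the error message in the log above.

```powershell
# Added example, not from the original post. Host name is a placeholder; port 443 comes
# from the Enterprise Manager error message. Uses the built-in NetSecurity module.

# Run on the QR node: is the Web UI listening locally, and is the firewall unexpectedly on?
function Test-QrLocalState {
    param([int]$Port = 443)

    # The root cause in this post: a firewall profile enabled when group policy should keep it off.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $profiles | Format-Table -AutoSize | Out-String | Write-Host
    $enabledProfiles = @($profiles | Where-Object { $_.Enabled -eq 'True' })

    # Any enabled inbound allow rule for the Web UI port? Without one, an enabled profile blocks it.
    $allowRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port" })
    Write-Host "Inbound allow rules for TCP ${Port}: $($allowRules.Count)"

    # Same check the post made from the QR server itself (local access worked there).
    $local = Test-NetConnection -ComputerName 'localhost' -Port $Port -WarningAction SilentlyContinue
    Write-Host "Local TCP ${Port} listening: $($local.TcpTestSucceeded)"

    if ($local.TcpTestSucceeded -and $enabledProfiles.Count -gt 0 -and $allowRules.Count -eq 0) {
        Write-Host 'Service is up, but a firewall profile is on with no allow rule: remote clients will time out.'
    }
}

# Run on the Enterprise Manager server: can it reach the cluster address at all?
function Test-QrRemoteReach {
    param([string]$QrHost = 'MY_QR_CLUSTER', [int]$Port = 443)   # placeholder cluster address

    $r = Test-NetConnection -ComputerName $QrHost -Port $Port -WarningAction SilentlyContinue
    Write-Host "Ping ${QrHost}: $($r.PingSucceeded)   TCP ${Port}: $($r.TcpTestSucceeded)"

    # Ping OK but TCP failing (the symptom in the post) points at a host firewall rather than DNS or routing.
    if ($r.PingSucceeded -and -not $r.TcpTestSucceeded) {
        Write-Host "Host answers ICMP but not TCP ${Port}: check the Windows Firewall state on ${QrHost}."
    }
}
```

Run Test-QrLocalState on the QR node and Test-QrRemoteReach on the Enterprise Manager server; a local success paired with a remote timeout, with a firewall profile showing Enabled, reproduces exactly the situation described in this post.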

Good luck