Harlan Carvey
Works at Dell SecureWorks
Attended Virginia Military Institute
Lived in Monterey, CA
952 followers|442,422 views

Stream

Harlan Carvey

Shared publicly  - 
 
Any chance of getting a +Cory Altheide 1:6 action figure any time soon?
2 comments
 
Well, so is the Stan Lee action figure...it just kind of stands there with a cheesy grin...

Harlan Carvey

Shared publicly  - 
LEXINGTON — “Here, this one won’t beat you up too much.”

Harlan Carvey

Shared publicly  - 
 
Having one of these, with Metallica's "Whiskey in a jar" on the iPod...
 
Brewed a 1 gal Northern Brewer recipe for a Bavarian hefe tonight.  It was a 45 min boil, at 40 min added 4 oz of honey and 2 t of McCormack Valencia orange zest.  I'll be looking to bottle in about 11 days.

Next up will be a variant of the Northern Brewer 1 gal Dead Ringer IPA recipe, replacing the Centennial hops with Cascade and FF C7, adding fresh grapefruit zest and dry hopping.

Harlan Carvey

commented on a post on Blogger.
Shared publicly  - 
 
Just a quick follow-up...there's no reason to modify your post based on my questions.  They're just questions...stuff I'd look for if I were performing incident response, or stuff I'd recommend that clients look for.  

I think if looking for or at these things isn't something that you do...which is apparent in the blog post...there's nothing wrong with that.  My asking the questions isn't intended to say that there's anything wrong with your post...not at all.  You are from a small business (not far from where I'm located) and this is what you do.  There's nothing wrong with your perspective of the situation, nor with the blog post.
Synopsis From 2015-03-09T20:29:29 until 2015-03-09T20:29:51 automated scans originating from IP address 128.199.200.157.  Scans attempted to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). If successful the command...
 
The information is kind of there but the wording is a bit confusing. I think they meant to say that after defining () { :; }; function in an environment variable, the following code was successfully (or not) executed. etc etc

It appears that the IRC server at 216.70.100.172 has been in operation for at least two weeks. The website is legit and based on WordPress. We have notified the owners today.

Harlan Carvey

Extract brewing  - 
 
Hey, all...

I'm looking for thoughts/input/insight on recipes...right now, I'm doing 1 gal batches, mostly extract (with some specialty grains).  I've been using Northern Brewer recipes, and I'm starting to branch out just a little bit, like getting a base IPA recipe and making small changes (different hops, etc.) to that.  For example, I have a Bavarian hefe recipe that I may try adding honey to, and I ordered an IPA kit that I'll be using as a base, but including different hops, and adding grapefruit zest.

I've been searching around the web for small batch (mostly) extract recipes, and I've hit on a couple of sites, but I wanted to reach out to the folks in this group to see if anyone had any sites they'd care to share, or just general insight.

Thanks
7 comments
 
I love this for figuring out new recipes! http://beerrecipes.org

Harlan Carvey

Shared publicly  - 
After inventing the printing press, mastering the power of flight, and connecting the world through the power of the Internet, it's inspiring to know there is still more human ingenuity out there innovating and giving us life-changing products like a USB-powered rice ball warmer. But our species is a bright bunch a ...
7 comments
 
I'm aware of what you are trying to do Harlan...
In his circles
16 people
Have him in circles
952 people

Harlan Carvey

Shared publicly  - 
 
Moved the grapefruit IPA to secondary for dry hopping. 

Harlan Carvey

Shared publicly  - 
 
Apparently, dogs have a way of sending clear, uncomplicated messages to each other.

http://www.wired.com/2015/03/dog-picky-pooper/

Next time I head into the corporate office, I may have quite a lot to say...
Before your dog picks a place to poop, there's sniffing and wandering, spinning and digging. What's behind his hunt for the elusive fecal bulls eye?
3 comments
 
Already done.  It's mine, I say...MINE!!  

Harlan Carvey

Shared publicly  - 
 
+Northern Brewer 1 gal Bavarian hefeweizen recipe, at ~ 12 hrs.  I added 4 oz of honey and 2 t of McCormack Valencia orange zest at 5min (45min boil).  Looking to bottle on 3 Apr.

Harlan Carvey

commented on a post on Blogger.
Shared publicly  - 
 
"The referrer then stars with the standard Shellshock exploit string:"

I'm not sure what this was meant to say or refer to, but what happens then?  The post goes from that statement, right to the exploit payload.  What do the logs look like?  Does the payload execution leave any indicators on the system (files, entries in logs)?

Are there any host-based indicators associated with the RAT, if any (besides the file)?  Does the RAT persist?  If so, how?  

"No damage was sustained by the server from these requests."

I'm not sure I follow.  The exploit seems to have worked, a downloader command was run from memory, and a Perl-based RAT was created on the system.  

Were you intending to say that the scans had been run against the system, but the Shellshock exploit did NOT succeed in this case, and that if it had succeeded, these other things would've happened?
Synopsis From 2015-03-09T20:29:29 until 2015-03-09T20:29:51 automated scans originating from IP address 128.199.200.157.  Scans attempted to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). If successful the command...
 
The "() { :;};" line from the original post is the key part, minimized, to trigger Shellshock. Commands after the final ";" will be executed even though it's only supposed to set up a Bash function.

Standard exploit string using curl on Linux: 

curl -A '() { :;}; echo; echo; echo vulnerable' http://vulnerable-site.com/cgi-bin/shellshockable-file.cgi

That sets the user agent, which would be parsed by Bash in a CGI script, to include the original Shellshock test line. The "echo; echo" part is to insert two newlines, so that an HTTP client sees the response as normal (after server HTTP headers, there is a blank line).

Whether or not there are indicators depends on logging. Normally, User Agent strings aren't logged, though that command would certainly leave Bash artifacts in memory.

My preferred detection mechanism would probably be network traffic logging + IDS. 
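
Added example, not part of the original comments or the referenced blog post: a log-review check for the Referer and User-Agent probes discussed above. It assumes the web server writes the Apache/nginx "combined" log format (which records both headers); the log lines, addresses and paths are constructed for illustration.

```python
import re

# Combined log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# A pre-patch Bash treats an environment value that starts with "() {" as a
# function definition. Whitespace is matched loosely so malformed probes are
# flagged too; anchoring at the start avoids hits on ordinary URLs and agents.
PROBE_RE = re.compile(r'^\s*\(\s*\)\s*\{')

def find_shellshock_probes(lines):
    """Return one record per header field that carries the probe prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("referer", "agent"):
            if PROBE_RE.match(m.group(field)):
                hits.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    # The status shows how the server answered the request,
                    # not whether the injected command ran.
                    "status": int(m.group("status")),
                })
    return hits

# Constructed sample input (documentation address ranges, example.com).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2015:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 45 "-" "() { :;}; echo; echo; echo vulnerable"',
    '192.0.2.10 - - [01/Jan/2015:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :; }; echo; echo; echo vulnerable" "-"',
    '198.51.100.7 - - [01/Jan/2015:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2015:10:01:15 +0000] "GET /app.js HTTP/1.1" 200 900 "http://example.com/page?cb=init(){}" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a probe was sent; host-based indicators (new files, processes, outbound connections) are still needed to tell whether a command executed.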

Harlan Carvey

Shared publicly  - 
 
Is it any wonder that things seem like a mess sometimes, and it's hard to tell what's going on?

From two days ago: http://www.nbcnews.com/storyline/michael-brown-shooting/ferguson-shooting-michael-browns-parents-condemn-attack-police-n322306

From yesterday:  http://www.teaparty.org/family-michael-brown-celebrates-shooting-2-ferguson-police-officers-social-media-88731/

What's the take-away here?  
(Politichicks) - According to PolitiChicks’ sources very close to the Ferguson situation, the family of Michael Brown, the teen who was shot August 9, 2014 in Ferguson apparently has no sympathy for the officers shot in the incident last night. They have taken to social media to express their glee. Others are reporting that these social ...
Work
Occupation
DFIR analyst
Employment
  • Dell SecureWorks
    Sr. Researcher, 2013 - present
Places
Previously
Monterey, CA - Virginia Beach, VA - Naha, Okinawa - Oakton, VA - Gainesville, VA
Links
Contributor to
Story
Introduction
Former Marine officer (2502), DFIR nerd, published author.

Mid-Atlantic Tough Mudder finisher (Wintergreen, 22 Oct 2011) - more of those to come
Bragging rights
No bragging, no whining.
Education
  • Virginia Military Institute
    BSEE, 1885 - 1989
  • Naval Postgraduate School
    MSEE, 1994 - 1996
Basic Information
Gender
Male
Relationship
Married
Other names
Most people don't tell me what they call me to my face