IBM Security QRadar SOAR

  • 1.  Have I Been Pwned

    Posted Wed January 16, 2019 03:38 PM
    Hi, I have installed the Have I Been Pwned CTS & Function.
    The CTS seems to work on test:

    sudo resutil threatservicetest -name "Have I Been Pwned"
    Successfully connected to Have I Been Pwned

    but no threat is found, despite my having a positive result on a direct check on the site.

    Using the Search Function from App Exchange, same issue:

    2019-01-16 20:21:42,430 INFO [decorators] [have_i_been_pwned_get_breaches] StatusMessage: starting...
    2019-01-16 20:21:42,432 INFO [have_i_been_pwned_get_breaches] email_address: abc123@yopmail.com
    2019-01-16 20:21:42,604 WARNING [have_i_been_pwned_get_breaches] Have I Been Pwned returned unexpected status code
    2019-01-16 20:21:42,605 ERROR [decorators] [have_i_been_pwned_get_breaches] FunctionError: Have I Been Pwned returned unexpected status code


    Any idea?

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------


  • 2.  RE: Have I Been Pwned

    Posted Wed January 16, 2019 05:24 PM
    We are seeing this on our end too. Looking into this and hope to have an answer soon.

    ------------------------------
    Brian Walsh
    ------------------------------



  • 3.  RE: Have I Been Pwned

    Posted Fri January 18, 2019 10:20 AM
    Hi @BENOIT ROSTAGNI,

    It seems the request may have gotten caught up in the net of other abusive traffic to the Have I Been Pwned site. Could you give it another shot?

    ------------------------------
    Brian Walsh
    ------------------------------



  • 4.  RE: Have I Been Pwned

    Posted Fri January 18, 2019 10:32 AM
    Hi @Brian Walsh


    Adding the abc123@yopmail.com artifact.
    CTS logs:
    2019-01-18 15:24:03,932 INFO [threat_webservice] <Request POST /cts/have_i_been_pwned_threat_service HTTP/1.1>
    2019-01-18 15:24:03,933 INFO [threat_webservice] 303 See Other: {"retry_secs": 5, "hits": [], "id": "94e4b260-1b4f-5bb9-b991-84cdd8c34ce4"}
    2019-01-18 15:24:03,983 INFO [threat_webservice] helper: <email.header[threat_lookup_helper] (94e4b260-1b4f-5bb9-b991-84cdd8c34ce4)>, cts_search.have_i_been_pwned_threat_service
    2019-01-18 15:24:04,173 INFO [searcher] No hit information found on email address: abc123@yopmail.com
    2019-01-18 15:24:04,275 INFO [threat_webservice] Lookup complete: <email.header[cts_search.have_i_been_pwned_threat_service] (94e4b260-1b4f-5bb9-b991-84cdd8c34ce4)>, []
    2019-01-18 15:24:09,248 INFO [threat_webservice] <Request GET /cts/have_i_been_pwned_threat_service/94e4b260-1b4f-5bb9-b991-84cdd8c34ce4 HTTP/1.1>
    2019-01-18 15:24:09,248 INFO [threat_webservice] <Request GET /cts/have_i_been_pwned_threat_service/94e4b260-1b4f-5bb9-b991-84cdd8c34ce4 HTTP/1.1>
    2019-01-18 15:24:09,249 INFO [threat_webservice] 200 OK: {"hits": [], "id": "94e4b260-1b4f-5bb9-b991-84cdd8c34ce4"}

    Hit zero??
    The normal answer is:
    => Pwned on 15 breached sites and found no pastes (subscribe to search sensitive breaches)

    Function lookup:
    2019-01-18 15:27:51,979 INFO [actions_component] Event: <have_i_been_pwned_get_breaches[] (id=23, workflow=have_i_been_pwned_search, user=benoit.rostagni@ibm.com) 2019-01-18 15:27:51.874000> Channel: functions.have_i_been_pwned_get_breaches
    2019-01-18 15:27:52,183 INFO [decorators] [have_i_been_pwned_get_breaches] StatusMessage: starting...
    2019-01-18 15:27:52,184 INFO [have_i_been_pwned_get_breaches] email_address: abc123@yopmail.com
    2019-01-18 15:27:52,273 WARNING [have_i_been_pwned_get_breaches] Have I Been Pwned returned unexpected status code
    2019-01-18 15:27:52,274 ERROR [decorators] [have_i_been_pwned_get_breaches] FunctionError: Have I Been Pwned returned unexpected status code

    I tried other emails to test and I always get the same results...


    Benoit
    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 5.  RE: Have I Been Pwned

    Posted Fri January 18, 2019 11:24 AM
    Hi Benoit,

    Could you post the output of this:

    curl https://haveibeenpwned.com/api/v2/breachedaccount/abc123@yopmail.com -H "User-Agent: Resilient HIBP"


    ------------------------------
    Brian Walsh
    ------------------------------



  • 6.  RE: Have I Been Pwned

    Posted Fri January 18, 2019 11:38 AM
    curl https://haveibeenpwned.com/api/v2/breachedaccount/abc123@yopmail.com -H "User-Agent: Resilient HIBP"

    -bash-4.2$ curl https://haveibeenpwned.com/api/v2/breachedaccount/abc123@yopmail.com -H "User-Agent: Resilient HIBP"
    <!DOCTYPE html>
    <head>
    <title>Request Blocked</title>
    <meta charset="UTF-8" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    </head>
    <body>
    <h1>You have been blocked from accessing this resource on Have I Been Pwned.</h1>
    <p>This may be due to violating one or more of <a href="https://haveibeenpwned.com/API/v2#AcceptableUse">the acceptable use terms of the API</a>.</p>
    <p>It may also be due to your traffic patterns being similar to other users who may have violated the acceptable use terms.</p>
    <p>Tips to avoid requests being blocked include:</p>
    <ol>
    <li>Stick well within the published rate limit</li>
    <li>Don't distribute requests over multiple IP addresses in an attempt to circumvent the rate limit</li>
    <li>Only query the email addresses of people who have a reasonable expectation that you should do so</li>
    <li>Avoid prolonged querying of the API over an extended period of time</li>
    </ol>
    <div class="cf-error-details cf-error-1020">
      <h1>Access denied</h1>
      <p>This website is using a security service to protect itself from online attacks.</p>
      <ul class="cferror_details">
        <li>Ray ID: 49b278dcedcf3c59</li>
        <li>Timestamp: 2019-01-18 16:34:58 UTC</li>
        <li>Your IP address: 109.11.34.74</li>
        <li class="XXX_no_wrap_overflow_hidden">Requested URL: haveibeenpwned.com/api/v2/breachedaccount/abc123@yopmail.com </li>
        <li>Error reference number: 1020</li>
        <li>Server ID: FL_19F86</li>
        <li>User-Agent: Resilient HIBP</li>
      </ul>
    </div>
    </body>
    </html>
    -bash-4.2$

  • 7.  RE: Have I Been Pwned

    Posted Fri January 18, 2019 12:07 PM
    Your request is getting blocked by the Have I Been Pwned site.

    I have contacted Troy Hunt; a common issue seems to be the request getting swept up in the net of other abusive traffic on the same network. I will relay your response and see if Troy can provide some more detail from his end. As a temporary fix, is this something you are able to test on a different network? I have also asked Troy for any recommended approaches for avoiding this in the future and will relay any information I get back here.

    ------------------------------
    Brian Walsh
    ------------------------------
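The curl output above is a Cloudflare block page (error 1020), which the Resilient function only reports as "unexpected status code". As an added example (not code from the thread or from the Have I Been Pwned app), here is a small classifier that turns an HIBP v2 response into an explicit outcome so the log says whether the address was clean, rate limited, or blocked. The sample responses are constructed; the v2 status conventions (200 JSON list, 404 no breach, 429 rate limit with Retry-After, block page served with 403) are assumptions, not taken from the page.

```python
import json
import re

# Cloudflare marks its block pages with a class such as "cf-error-1020".
CLOUDFLARE_ERROR_RE = re.compile(r"cf-error-(\d{4})")

def classify_hibp_response(status, headers, body):
    """Map a raw HIBP v2 breachedaccount response to a named outcome.

    headers: dict of response headers (any key case); body: response text.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").lower()
    body = body or ""
    if status == 200 and "json" in ctype:
        return {"outcome": "breached",
                "breaches": [b["Name"] for b in json.loads(body)]}
    if status == 404:
        return {"outcome": "not_found", "breaches": []}
    if status == 429:
        return {"outcome": "rate_limited",
                "retry_after": int(hdrs.get("retry-after", "0") or 0)}
    m = CLOUDFLARE_ERROR_RE.search(body)
    if m or "Request Blocked" in body:
        # Blocked by the site's protection, not an empty result.
        return {"outcome": "blocked", "cf_error": m.group(1) if m else None}
    return {"outcome": "unexpected", "status": status}

def status_message(result):
    """Operator-facing message to log instead of 'unexpected status code'."""
    o = result["outcome"]
    if o == "breached":
        return "Pwned on %d breached sites" % len(result["breaches"])
    if o == "not_found":
        return "No breach found for this address"
    if o == "rate_limited":
        return "Rate limited by HIBP, retry after %ds" % result["retry_after"]
    if o == "blocked":
        return "Request blocked by HIBP (Cloudflare error %s); check the source network" % result["cf_error"]
    return "Unexpected HTTP status %s" % result["status"]

# Constructed samples (assumption: block pages arrive as HTTP 403 text/html).
SAMPLE_BLOCK_PAGE = ('<!DOCTYPE html><head><title>Request Blocked</title></head><body>'
                     '<div class="cf-error-details cf-error-1020"><h1>Access denied</h1>'
                     '</div></body></html>')
SAMPLE_BREACH_JSON = json.dumps([{"Name": "ExampleBreach", "Domain": "example.com"}])

if __name__ == "__main__":
    print(status_message(classify_hibp_response(403, {"Content-Type": "text/html"}, SAMPLE_BLOCK_PAGE)))
    print(status_message(classify_hibp_response(404, {}, "")))
```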



  • 8.  RE: Have I Been Pwned

    Posted Fri January 18, 2019 12:23 PM
    Hi,
     
    I have tested from my home DSL connection, IBM VPN, and phone connection, always with the same result: "unexpected status code"
     
    Benoit

  • 9.  RE: Have I Been Pwned

    Posted Mon January 21, 2019 03:53 PM
    Hi Benoit,

    Troy Hunt got back to me and mentioned your request "looks like it got caught up in the net of other abusive traffic on the same network" and to give it another try from the same network now.

    ------------------------------
    Brian Walsh
    ------------------------------



  • 10.  RE: Have I Been Pwned

    Posted Tue January 22, 2019 06:45 PM
    Hi,
     
    Yes, avoid usage of this app when you are on a "public" network from your ISP, or a phone data link; they are banned...
    Usually I succeed in making it work from private company networks.
     
    Benoit