Coronavirus DIY Facemask Test

DIY protective mask for coronavirus

In Houston the Coronavirus (COVID-19) response has been quite aggressive. And as the third largest metro area in the US, it should be. I get it. Mostly we are quarantined in place except for grocery store runs and emergency needs. (And we can walk the dog, but that’s about it.)

The paper section in the Walgreens across the street looks like this

Walgreens paper goods in Houston

This led to research on what we could do and turned up two interesting pieces of knowledge about the coronavirus.

A) How long is the coronavirus contagious or viable by surface. As in how long can it be there and still infect you?

  1. Plastic = 3 days
  2. Stainless Steel = 3 days
  3. Cardboard = 1 day
  4. Copper = 4 hours
  5. Airborne = 3 hours

They don’t mention wood, which maybe varies by paint, varnish, etc.

Copper is the winner. Cardboard three times better than stainless steel is bizarre as well.

Source: https://apple.news/ATWmOdE4STTmvJCBdURGDTQ

Next up, if you can’t get a mask for when you do go out, how do other materials compare to a medical mask?

Clean vacuum cleaner bags were a close second to surgical masks, but in the end they conclude you can barely breathe through them so use two cotton “tea towels.”

Two Cotton Tea Towels are best after a real mask.

Thus began an insomnia driven test to try and create a coronavirus diy mask from a tea towel with no power tools. It started like this:

The real mask before photo

Then the build process using paper as my makeshift mold.

My materials.

The Ghirardelli chocolate and wine are a tip of the hat to my friends in San Francisco on complete lockdown. Those aren’t technically necessary to make the DIY coronavirus mask, although they do help.

Gave myself extra room
Rough initial stencil
Evolution of mask into 3D space with tale

In the above photo the template is overlapping and kind of mushed into the real mask so I could get an idea of the shape of the masks. They are not circular because your face isn’t a flat circle either.

Initial stencil with original mask on top for comparison
Applied to the fabric, then used the fabric to make the second layer via SINGER iron-on stick tape. You could use pins.

Then a whole bunch of adjustments and cuts happened at the fabric level during hand sewing. The SINGER iron stick is a temporary way to hold fabric together, but definitely not strong enough to be a permanent join. But it’ll hold it together long enough for you to stitch it up.

Rough cut comparison of the diy coronavirus mask and the original.

The straps on my version are the edges of the towel because I didn’t have any elastic bands that long, and for people in countries with limited supplies available, the straps seemed more realistic.

A truly rustic looking diy coronavirus mask

It’s hard to tell in the photo above but between the two layers there is a small wire bent to the approximate shape of the bridge of my nose just like the more flexible one that comes on the real masks.

And the final result

My advice? Buy it if you can.

It looks amateurish, I look ridiculous, but it’s waaaaay better than taking the BART in SF and wondering if the person coughing is giving you an infection.

Update: I received some questions about what I used for the metal “nose bridge” so I’m adding further details.

For me (easier way below), I go by AutoZone at the end of a rainy day and pull the broken / discarded windshield wiper blades. If you rip them apart there are two thin, but very sturdy, pieces of metal attached to the rubber part. (They make great tension wrenches.) Mine looks like this when sewn in place in between the two layers of the cotton kitchen towel.

DIY Coronavirus Face Mask Nose Bridge

Easier alternative: bend paperclips like this:

For Comparison, Paper Clips vs. Scraps from Wipers
Bend the paper clips twice. This is step 1, then twist.
Overlay the paperclip nose bridge to the length you want
Wrap paperclips in tape to avoid sharp edges.
Wrap them in tape and cut off excess tape
Bend to shape. Actually much easier than my original

Pro tip: when I do a DIY project like this I usually hand sew them using dental floss. Yes “Dental Floss” because it’s always around and stronger than most threads.

Hunting Botnet Attacks and Reporting to the Host

Cyber Alert Dashboard Example

I like to demystify things for people who aren’t completely tech savvy, hopefully using words that are human readable, although anything having to do with information security (infosec) is going to read a bit geeky. To that end, this is an attempt at a human readable example of the tracking down of an IP address that was attacking our network today. Let’s start with THE FACT that your network admin CAN give you visual open source tools. This is important if you want accountability and awareness. Like this:

Most networks (hopefully) have endpoints that include firewalls and extensive logging, and frequently the logs are redundant for verification purposes. Usually the firewalls use tools like OSSEC to help decipher what is going on. We run multiple tools for network monitoring, but my “go to” is ElasticStack (also called an ELK stack) because the whole team can visualize things in Kibana and bring it to our attention if we happen to take 5 minutes off for lunch.

Looking at the Wazuh plugin tab in Kibana, I noticed an increase in rule id 31303, which is a Critical NGINX error.

The log file includes this snippet:

Graph of OSSEC Network Security Alerts Over Time
A visual graph from OSSEC visualized by an ElasticStack

When we drill down into the logs in Kibana it parses things out to be a little easier to read. This matters because we need the detail to report the bad ip address.

FROM THE LOGS: SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking

So who is the bad guy? Who owns this IP address? Arin.net answers that for us, either with the owner or by pointing you to a different registrar that can tell you the owner. In my situation it was a US-based IP address: 23.100.232.233

Straight up, most of us in InfoSec actually prefer using the command line because we can filter the data faster that way. If you can't "see" it in a report, in my experience it rarely happens. Still, a typical command would be something like this if I wanted to help my SEO manager prioritize which 404 pages to fix first (it assumes the default combined log format, where field 9 is the status code and field 7 is the requested path):
sed 's/, /,/g' /log/file/path/nginx/access.log | awk '$9 == 404 {print $7}' | sort | uniq -c | sort -n -r | head -100

Now back to our story of finding the botnet hitting our endpoints. Mr. 23.100.232.233

We go to arin.net. The ARIN URL is: https://search.arin.net/rdap/?query=23.100.232.233 which shows the owner and further delegates.

It goes on to show that the owner is Microsoft.

Source Registry: ARIN
Kind: Org
Full Name: Microsoft Corporation
Handle: MSFT
Address: One Microsoft Way Redmond WA 98052 United States

And it continues:
To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to: https://cert.microsoft.com.

Perfect! They are telling us exactly how to report the problem to Microsoft. Now we want to be a bit more helpful so let’s try to figure out what it is in more detail. There are many tools, just google “ip address reputation” and you will get something.

We have the data from the logs so let’s try to find out what the attack is. Google for other options, but I picked this one today:

https://www.abuseat.org/lookup.cgi?ip=23.100.232.233

RESULTS OF LOOKUP
23.100.232.233 is listed
This IP address was detected and listed 4146 times in the past 28 days, and 137 times in the past 24 hours. The most recent detection was at Fri May 31 17:35:00 2019 UTC +/- 5 minutes
This IP is infected (or NATting for a computer that is infected) with an botnet that is emitting email spam. The infection is probably necurs.

necurs is also known as: WinNT/Necurs.A, Mal/Necurs-A (Sophos), RTKT_NECURS.SMA (Trend Micro), Trojan.Hosts.5268 (Dr.Web), Trojan.Win32.Genome.aglua (Kaspersky), Trojan.WinNT.Necurs (Ikarus), Win32/SpamTool.Tedroo.AS (ESET)... etc...

Microsoft told us exactly how to report it, so we can go to: https://cert.microsoft.com and enter all of our data with confidence. And they are far more likely to take action having the exact data, logs, and type of attack in detail.
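
As an added example (not part of the original post), here is the same command-line approach applied to the handshake error quoted from the logs above: it counts "version too low" failures per client IP with first and last timestamps, the kind of detail an abuse report needs. The log lines are constructed samples in nginx's error-log format, the function names are assumptions, and 198.51.100.7 and 192.0.2.10 are documentation addresses.

```shell
#!/bin/sh
# Constructed sample lines in nginx error_log format (timestamps, PIDs and
# connection numbers are made up for illustration; this is not real log data).
sample_error_log() {
cat <<'EOF'
2019/05/31 17:20:01 [crit] 1201#1201: *5101 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 23.100.232.233, server: 0.0.0.0:443
2019/05/31 17:20:04 [crit] 1201#1201: *5102 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2019/05/31 17:21:15 [error] 1201#1201: *5110 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
2019/05/31 17:22:30 [crit] 1201#1201: *5123 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 23.100.232.233, server: 0.0.0.0:443
2019/05/31 17:35:00 [crit] 1201#1201: *5188 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 23.100.232.233, server: 0.0.0.0:443
EOF
}

# Reads error-log lines from the named files (or stdin) and prints one line
# per client: "count ip first_seen last_seen", busiest client first.
handshake_offenders() {
  awk '
    /SSL_do_handshake\(\) failed/ && /version too low/ {
      ip = ""
      # The address follows the literal "client:" token and ends with a comma.
      for (i = 1; i <= NF; i++)
        if ($i == "client:") { ip = $(i + 1); sub(/,$/, "", ip) }
      if (ip == "") next            # malformed line: no client field
      ts = $1 " " $2                # date and time are the first two fields
      if (!(ip in n)) first[ip] = ts
      n[ip]++
      last[ip] = ts
    }
    END { for (ip in n) print n[ip], ip, first[ip], last[ip] }
  ' "$@" | sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample; on a real host pass the
# path to your own nginx error log instead.
sample_error_log | handshake_offenders
```

The per-IP count and time window can be pasted into the report alongside the raw matching lines, which gives the provider something they can correlate with their own records.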

For those of us managing large and numerous websites that are constantly under attack, we have seen a HUGE increase in attacks over the last 10 years.

Y’all, we really are in a cyberwar, and the Navy gets ships, the Air Force gets planes, the Army gets the tools they need. But in the US, most of the cyber warfare defense is literally left up to private companies and private individuals who are not part of any organized force nor provided assets to fight the war. Kind of scary, huh?