2022-07-14 Don't use mifare classic cards for stored value
More than 11 years ago I wrote about the Magna Carta card systems for access / payment and the use of the mifare classic (in Dutch). I found a strong statement on the Magna Carta website back then that using mifare classic for stored value was a really bad idea, since the encryption on the card is broken. It's now 2022 and I read MIFARE Cracking about a company using a mifare classic for stored value which shows the steps from discovering what type of card that company uses to the option of manipulating the stored monetairy value on the card. Found via Travis Goodspeed on twitter - A practical article on cloning a Mifare Classic employee badge to tamper with the snack machine.
2022-07-02 Checking hotel keycard security
For the first time in years I was staying in a hotel again for one night. The key for the hotel was a creditcard sized plastic card so I assumed immediately it was an RFID based card. Years ago I would have needed my linux laptop and the touchatag NFC reader to understand more about the keycard, but we're in some form of the future now, so I used NFC taginfo by NXP on my phone and held the keycard up to the phone. The taginfo app made the happy noise and told me it was an NXP mifare classic card. The app even told me most sectors had a default key of FF:FF:FF:FF:FF:FF. One sector was not accessible due to a different key but with mfoc (Mifare Classic offline cracker) or one of the other attacks on the Mifare classic I could probably get access to that sector. So in theory with something like the proxmark I could clone keycards of other visitors. Or clone the keycard of the cleaning crew which gives a lot more access. Update: A bit of searching finds this: Researchers Find Way to Create Master Keys to Hotels - F-Secure Blog. I don't know if the lock I looked at is the same system as the system in this article.
2022-06-23 It seems someone doesn't like it I write about bitcoin extortion scams
Today I'm seeing bounces of bitcoin scam mail, with about the same text as in the bitcoin extortion scam of about a week ago, but with a different bitcoin wallet. In the body of the mail the claim is that the criminal hacked the mailbox of the victim and can now send as the victim, but this criminal decided to 'get even' with me at the same time and contradict himself by setting the sender address to my e-mail address. So I'm now browsing the bounces and see the bitcoin wallet for this scam is 1Mjt2xobFExdZBGfjTVDcgzJWQxRxoHBdA which hasn't scammed anyone yet. As always: don't fall for these scams. Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)Read the rest of It seems someone doesn't like it I write about bitcoin extortion scams
2022-06-16 Time for some more bitcoin extortion spam
I hadn't seen these in my inbox in English for a while, but here we go again.Hi! You can consider this message as the last warning. We've hacked your system! This information can destroy your reputation once and for all in a matter in minutes. You have the opportunity to prevent irreversible consequences. To do so you need to: Transfer 1200 USD (US dollars) to our Bitcoin wallet. Don't know how to make a transfer? Enter "Buy Bitcoin" into the search box. Our Bitcoin wallet (BTC Wallet): bc1q4r05c7wdazh87ty9x9968e2r90w72rhtq5jl43 After you make the payment, your video and audio recordings will be completely destroyed and you can be 100% sure that we won't bother you again. You have time to think about it and make the transfer - 50 hours!As always: don't fall for these scams. Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)
2022-06-08 My interests in electronics and security together: trying some hardware hacking
One of the subject areas I'm interested in at work is hardware security and hardware hacking. After doing things with rfid earlier I'm now looking at low-level electric interfaces. With the earlier hardware challenges in CTF contests in HackTheBox Cyber Apocalypse CTF 2022 - Intergalactic Chase and The HackTheBox & CryptoHack Cyber Apocalypse 2021 I got interested in logic analyzers. Those sounded expensive (but I never actually checked). And then I read this bit: I recently got this 8ch cheap USB-C logic analyzer from AliExpress and the price shown is 5.42 US dollar. That's really cheap! For that price I can buy one and not be too dissapointed when it blows up or fails to give me the joy I hope. So, ordered: one 8 channel logic analyzer and a set of test leads so I can actually clip this to a circuit. The price for me for the logic analyzer circuit is EUR 6.78 including delivery and taxes. For software I learned about PulseView. This hardware has limitations, but for simple decoding of hardware protocols this is a nice start.
2022-06-01 HackTheBox Cyber Apocalypse CTF 2022 - Intergalactic Chase
With a team of people from work we participated in this years HackTheBox Cyber Apocalypse CTF 2022. And while my teammates managed to solve several challenges, some of them with some thinking from me, I personally solved zero challenges. Which was a bit dissapointing. I was especially interested in the hardware hacking challenges because that is a subject I am quite interested in.
Hardware / Space pulsesThis challenge had a .sal file. After I learned about Salea Logic Analyzer in the 2021 HackTheBox Cyber Apocalypse I opened the file in this logic analyzer and started trying to find out what I was looking at. It was a one-channel digital signal. It turned out to have a variable duty cycle, with complete cycles being 255 and a bit milliseconds. I noticed the maximum duty cycle was somewhat less than 50%. I spent a lot of time trying to decode this, mostly thinking in the direction of it being a pulse width encoded signal with probably 4 bits of information per cycle to get 54 characters which seemed reasonable for a flag. But with the assumption that the smallest pulse is the representation of 0000 and the widest pulse is the representation of 1111 I could not get valid data from it, and it was nowhere near decoding a flag. I was sure I was overthinking it somewhere, but couldn't find out where. A while after the CTF I read Writeup] Cyber Apocalypse 2022 — Space Pulse [Hardware] and I obviously made a big "D'Oh!" sound as I was getting to the solution, but indeed overthinking it.
Hardware / Secret CodesWith this challenge I also downloaded a .sal file with two signals: a digital one and an analog one. The digital one stops after the first 'databurst' while the analog one is clearly the 'unpolished' version of the digital signal. I first tried to decode the digital signal as an async serial signal and found nothing. I also tried manchester encoding and also found nothing. Staring and pondering never fixed this. I found a writeup at HTB 2022 Cyber Apocalypse CTF - Hardware - Secret Codes which made me go "D'Oh!" again: it was manchester encoding. BUT (big but) Manchester encoding has 2 changes per bit and I left the bitrate at the same as for the async serial decoder.
2022-03-26 SPF/DKIM/DMARC and mailing lists
One of the founding forms of information exchange and community building on the Internet is the mailing list. A subscriber sends mail to a central mail address and the mail gets redistributed to all members. As this mechanism has been abused by spammers in lots of ways there has been a lot of work in stopping unwanted mail being distributed by mailing lists. There has also been a lot of work in publishing the official way in which outgoing mail from organizations is handled: Sender Policy Framework (SPF), documenting the sources from which e-mail can be send, DomainKeys Identified Mail (DKIM) for signing outgoing mail headers and body and Domain-based Message Authentication, Reporting and Conformance (DMARC) for publishing the policies for mails that fail SPF/DKIM and reporting on those. The way mailing lists forward mail isn't really compatible with SPF and DKIM. There is a 'new' source of mail from the original sender and some headers are changed/added when forwarding it with mailing list software. Yesterday I sent something to a mailing list from an idefix.net address and this morning I see a number of dmarc reports with failures, because the mailing list server isn't authorised to send on behalf of idefix.net. So maybe some people on this mailing list haven't received my reply. In the long run lots of SPF errors from this IP could also hurt its 'reputation score' for outgoing e-mail. Some mailing lists 'fix' this by not allowing domains with strict spf/dmarc policies, others go through interesting adjustments with 'sent on behalf of'. I have no simple solution for this, I see an example of security measures breaking an existing use case, for which adjustments may have to be made. Update: The general approach here seems to be 'sender rewriting'. Recently updated mailing list software should support this. But it depends on the mailing list owner to check the settings and update the software.
2022-03-05 SMTP auth bruteforce attacks seen
In checking recent logs I noticed several tries to find SMTP authentication credentials. Most notably is that anything that vaguely resembles something that might be an SMTP account is tried. Including plussed e-mail addresses and information from SIP urls.Mar 5 14:12:09 gosper saslauthd: : auth failure: [user=8006] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error] Mar 5 17:15:00 gosper saslauthd: : auth failure: [user=koos+web] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error] Mar 5 18:08:04 gosper saslauthd: : auth failure: [user=belspel] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
2022-02-25 Fraudepoging "Vergeet niet binnen 2 dagen je belasting te betalen!"
Ook weer een typisch geval van bitcoin afpersing. De tekst is ook hier behoorlijk goed nederlands. Bekend en berucht bij de fraudehelpdesk: Opnieuw afpersmails over bezoek pornosite - fraudehelpdesk.nl.Hallo, hoe gaat het met jou? Ik weet het, het is vervelend om een gesprek te beginnen met slecht nieuws, maar ik kan niet anders. Enkele maanden geleden heb ik toegang gekregen tot je apparaten die je gebruikt om op het internet te browsen. Vervolgens heb ik al je internet activiteiten kunnen traceren. Hieronder kun je lezen hoe ik dit voor elkaar heb gekregen: Allereerst heb ik van hackers de toegang tot meerdere e-mail accounts gekocht (tegenwoordig is dat een fluitje van een cent om dat online te doen). Daarna kon ik heel makkelijk op je e-mail account (email@example.com) inloggen. Een week later heb ik een Trojan virus geïnstalleerd in de besturingssystemen van al de apparaten die je gebruikt om je mails te openen en te lezen. Om eerlijk te zijn ging dat vrij simpel (want je opent de links uit je inbox mails).Het bitcoinadres waar 1790 euro heen mag is 1AJcoDsSGe9teEfzSMicXprJFae7729J5y. Update 2022-02-26: Nog een keer dezelfde spam gezien met bitcoinadres 1AJcoDsSGe9teEfzSMicXprJFae7729J5y en 1DfSBC5xbeswbXingkkf3i6VyQwYb8kYGh.
2022-02-23 Filtering logs to only get relevant reportsItems with tag security before 2022-02-23
I want to know if something goes wrong but with the number of (virtual) servers here at home it is not possible to check all logs constantly. So the main machines use logcheck to find the interesting error messages and the rest gets filtered out. Ideally that leaves no messages, but I do want to know about patterns that indicate attacks so I do get messages constantly about ssh attack attempts and weird nameserver requests or misconfigured nameserver responses. Recently I've been checking the resulting reports again carefully and noticed some more patterns that could be filtered. And I found two misconfigurations that I solved. Normally those misconfigurations would drown in the noise of the log, only to be found if I was looking for something else. Now it started to stand out after filtering out a lot of messages that are to be expected.