News items for tag security - Koos van den Hout

2021-08-13 Next bitcoin extortion scam 2 months ago
Yet another bitcoin extortion scammer, this time using address 1Gkg3g7GGbsKktkkbgKNfL6MMGZ1xCoGJC. The reports read like she/he has tried it in multiple languages. Until this moment no bitcoins have ended up with the scammer.

Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)

2021-08-05 Phishing for accounts which expire shortly is extra funny! 2 months ago
Yesterday I switched to a different Internet provider and now the phishing trying to convince me I need to give my account details for the old account to avoid the account being closed is extra funny!

And although they all claim to be the kzdoos.xs4all.nl webmail, there is no such thing for the abusers to try any login credentials against.

2021-07-06 Bitcoin extortion spam showing up on different e-mail addresses 3 months ago
I was digging for leaked addresses in my spambox and found a fast way to find a lot of them: by searching for bitcoin extortion spam. A pattern emerges:
Obviously, I have easily managed to log in to your email account (ambe.at. domain).
Obviously, I have easily managed to log in to your email account (chellinger.org.at. domain).
Obviously, I have easily managed to log in to your email account (eenheld.at. domain).
Obviously, I have easily managed to log in to your email account (owelladjecroecvn.at. domain).
Obviously, I have easily managed to log in to your email account (ubmitwolfn.at. domain).
Obviously, I have easily managed to log in to your email account (ubmitwolf.at. domain).
Obviously, I have easily managed to log in to your email account (ambecomment.at. domain).
Obviously, I have easily managed to log in to your email account (ziggo.nl.at. domain).
Obviously, I have easily managed to log in to your email account (wisecommunications.at. domain).
There is very little spread in buttcoin wallets:
$ grep -h 'bitcoin wallet' * | sort | uniq -c
      2 Here is my bitcoin wallet: 12kieSEdCV4ikxdXXXC23ZsDcNmmKrRmwA (over 16600 dollar received)
     19 Here is my bitcoin wallet: 1665CsfFELrfiiubFZtLsGHGuqbUz1wXcz (over 14300 dollar received)
      1 Here is my bitcoin wallet: 1CYBbByg3eXE9LRUwh6j7ZMtFrJJyFcAcP (over 2400 dollar received)
      3 Here is my bitcoin wallet: 1LjGz2WcECaNpK1ajWcpsPEQFSxrw5DxMM (over 14400 dollar received)
Who says crime doesn't pay? Again, the author has no idea who pays, but likes a filled bitcoin wallet.

This also shows that spammers maintain really old address lists and don't mind adding more addresses from data breaches or by adding or removing letters in e-mail addresses.
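
The grep-and-count above is the whole method. Here it is as a small Python triage script, added as an example and not the author's own code: it pulls the "hacked" account string and the wallet out of each message, counts wallets, and keeps aside messages whose wallet does not even pass a syntax check (base58 has no 0, O, I or l), since a mangled wallet in a spam run is itself worth noticing. The sample spambox is constructed for this example from the quoted phrases, reusing two wallet strings from the count above; only address syntax is checked, not the base58check checksum.

```python
import re
from collections import Counter

# Syntax-only check for bitcoin addresses: legacy/P2SH base58 (no 0, O, I, l)
# and bech32 (no 1, b, i, o after the "bc1" prefix). No checksum is verified.
BTC_ADDR = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,87})\b"
)
# The extortion template names the "hacked" account in parentheses.
ACCOUNT = re.compile(r"your email account \(([^)]*)\)")
WALLET_LINE = re.compile(r"bitcoin wallet:\s*(\S+)")

# Constructed sample spambox for this example, modelled on the phrases quoted
# above. Two wallet strings are reused from the count above; the last message
# carries a wallet with a '0' in it, which base58 does not allow.
SAMPLE_SPAM = [
    "Obviously, I have easily managed to log in to your email account (ambe.at. domain).\n"
    "Here is my bitcoin wallet: 1665CsfFELrfiiubFZtLsGHGuqbUz1wXcz",
    "Obviously, I have easily managed to log in to your email account (ambecomment.at. domain).\n"
    "Here is my bitcoin wallet: 1665CsfFELrfiiubFZtLsGHGuqbUz1wXcz",
    "Obviously, I have easily managed to log in to your email account (ziggo.nl.at. domain).\n"
    "Here is my bitcoin wallet: 12kieSEdCV4ikxdXXXC23ZsDcNmmKrRmwA",
    "Obviously, I have easily managed to log in to your email account (ambe.at. domain).\n"
    "Here is my bitcoin wallet: 1665CsfFELrfiiubFZtLsGHGuqbUz1wXcz",
    "Obviously, I have easily managed to log in to your email account (eenheld.at. domain).\n"
    "Here is my bitcoin wallet: 1665CsfFELrfiiubFZtLsGHGuqbUz1wX0z",
]


def extract_wallet(body):
    """Wallet named on the 'bitcoin wallet:' line if it is syntactically valid,
    else the first address-looking token anywhere in the body, else None."""
    m = WALLET_LINE.search(body)
    if m and BTC_ADDR.fullmatch(m.group(1)):
        return m.group(1)
    found = BTC_ADDR.findall(body)
    return found[0] if found else None


def triage(messages):
    """Count wallets across messages and collect the accounts the spam claims
    to have 'hacked' (the leaked addresses the author was digging for).

    Returns (wallet counter, sorted account strings, first line of each
    message without a usable wallet)."""
    wallets = Counter()
    accounts = set()
    unparsed = []
    for body in messages:
        addr = extract_wallet(body)
        if addr is None:
            unparsed.append(body.splitlines()[0][:60])
            continue
        wallets[addr] += 1
        accounts.update(a.strip() for a in ACCOUNT.findall(body))
    return wallets, sorted(accounts), unparsed


if __name__ == "__main__":
    wallets, accounts, unparsed = triage(SAMPLE_SPAM)
    for addr, n in wallets.most_common():
        print(f"{n:7d} Here is my bitcoin wallet: {addr}")
    print("accounts targeted:", ", ".join(accounts))
    print("messages without a valid wallet:", len(unparsed))
```

Feed it real mail bodies (for instance one string per file from the spambox directory) and the wallet counter reproduces the `sort | uniq -c` above, while the account set is the list of leaked addresses.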

2021-07-03 Trying a DNSSEC zone signing key (ZSK) rollover 3 months ago
Time to do a zone signing key (ZSK) rollover. That rollover is relatively easy because I don't need to synchronize it with the DS record in the parent zone.

I generated a 'successor' key for camp-wireless.com and set a short-notice publication date. The old ZSK has keytag 02908 and the new one has keytag 25619. There is an overlap of a month in which both keys are published as valid, because caching of DNS answers means signatures created with the old ZSK can still be in caches.

Generating a signed zone after the validity of the new ZSK has started shows both ZSKs in the zone as valid keys. Old and new zone signing key:
; This is a zone-signing key, keyid 2908, for camp-wireless.com.
; Created: 20190704113915 (Thu Jul  4 13:39:15 2019)
; Publish: 20190704113915 (Thu Jul  4 13:39:15 2019)
; Activate: 20190704113915 (Thu Jul  4 13:39:15 2019)
; Inactive: 20210705000000 (Mon Jul  5 02:00:00 2021)
; Delete: 20210805000000 (Thu Aug  5 02:00:00 2021)
camp-wireless.com. IN DNSKEY 256 3 13 lXntnbvQqHy+OSG/2RpHEbcYzeUAB2tFE+d5Us9M07Ndw7TI2DF2TIDx vC3bPomCE2102FJSr8/DnzoRiMHreg==
; This is a zone-signing key, keyid 25619, for camp-wireless.com.
; Created: 20210702115321 (Fri Jul  2 13:53:21 2021)
; Publish: 20210703000000 (Sat Jul  3 02:00:00 2021)
; Activate: 20210705000000 (Mon Jul  5 02:00:00 2021)
camp-wireless.com. IN DNSKEY 256 3 13 kJpmrljuP7PncZij7G1Yn9xngKe1xUpuONG2XAx8AYXu//qXClAbgg3B bmzyeDpFAw2gDRhjQ7f5o20c1QK9OA==
So I generated the key on 2 July 2021, with a set publication date of 3 July 2021. I shortened the prepublication period to avoid problems with other things happening in the near future and today it changed to published. If I generate new signatures again on 5 July 2021 those will use the new key.
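
As an added example (not part of the original post, nor of BIND), the check below reads the metadata lines of the two key files shown above and verifies the three things a pre-publish ZSK rollover depends on: the new DNSKEY was published long enough before it starts signing, there is no gap between the old key going inactive and the new one becoming active, and the old key stays published until signatures made with it can no longer be in caches. The DNSKEY TTL of one hour, the 30-day signature validity and the one-day propagation allowance are assumptions for this example; substitute your own zone's values. BIND writes these timestamps in UTC, which is why the local times in parentheses are two hours later.

```python
import re
from datetime import datetime, timedelta, timezone

# Metadata lines copied from the two key files shown above. BIND records these
# timestamps in UTC; the local time in parentheses is ignored here.
OLD_ZSK = """\
; This is a zone-signing key, keyid 2908, for camp-wireless.com.
; Created: 20190704113915 (Thu Jul  4 13:39:15 2019)
; Publish: 20190704113915 (Thu Jul  4 13:39:15 2019)
; Activate: 20190704113915 (Thu Jul  4 13:39:15 2019)
; Inactive: 20210705000000 (Mon Jul  5 02:00:00 2021)
; Delete: 20210805000000 (Thu Aug  5 02:00:00 2021)
"""
NEW_ZSK = """\
; This is a zone-signing key, keyid 25619, for camp-wireless.com.
; Created: 20210702115321 (Fri Jul  2 13:53:21 2021)
; Publish: 20210703000000 (Sat Jul  3 02:00:00 2021)
; Activate: 20210705000000 (Mon Jul  5 02:00:00 2021)
"""

TIMING = re.compile(r"^; (Created|Publish|Activate|Inactive|Delete): (\d{14})", re.M)


def parse_key_times(keyfile_text):
    """Map each timing field in a BIND key file to an aware UTC datetime."""
    return {
        name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for name, stamp in TIMING.findall(keyfile_text)
    }


def check_prepublish_rollover(old, new, dnskey_ttl, sig_retention, propagation):
    """Problems with a pre-publish ZSK rollover (RFC 6781, section 4.1.1.1).

    dnskey_ttl:    TTL of the DNSKEY RRset.
    sig_retention: how long RRSIGs made by the old key can still be served or
                   cached after it stops signing (the signature validity period
                   if the zone is not fully re-signed at once, otherwise the
                   largest TTL in the zone).
    propagation:   allowance for secondaries to pick up each zone change.
    """
    problems = []
    # A validator that still has the old DNSKEY RRset cached cannot verify
    # signatures made by a key it has not seen yet.
    if new["Activate"] < new["Publish"] + dnskey_ttl + propagation:
        problems.append("new ZSK activates before its DNSKEY can have reached all caches")
    # No moment may exist in which neither key signs.
    if old["Inactive"] < new["Activate"]:
        problems.append("old ZSK goes inactive before the new ZSK is active")
    # Cached RRSIGs by the old key stay verifiable only while its DNSKEY is published.
    if "Delete" in old and old["Delete"] < old["Inactive"] + sig_retention + propagation:
        problems.append("old ZSK is deleted while RRSIGs made with it can still be cached")
    return problems


def rollover_report(old_text=OLD_ZSK, new_text=NEW_ZSK,
                    dnskey_ttl=timedelta(hours=1),      # assumed DNSKEY TTL
                    sig_retention=timedelta(days=30),   # assumed signature validity
                    propagation=timedelta(days=1)):     # assumed propagation allowance
    old, new = parse_key_times(old_text), parse_key_times(new_text)
    return {
        "prepublish_days": (new["Activate"] - new["Publish"]).days,
        "old_key_retention_days": (old["Delete"] - old["Inactive"]).days,
        "problems": check_prepublish_rollover(old, new, dnskey_ttl, sig_retention, propagation),
    }


if __name__ == "__main__":
    for key, value in rollover_report().items():
        print(f"{key}: {value}")
```

With the page's timestamps the prepublication interval is two days and the old key lingers 31 days after it stops signing, which is exactly a 30-day signature validity plus one day of slack; shortening the prepublication period below the DNSKEY TTL plus propagation is the mistake the first check catches.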

DNSSEC is a process with lots of things to get your brains around, and a key rollover is one of those things. A key signing key rollover is even harder because the DS record uploaded to the registrar has to be kept synchronized with the published DNSKEY. That is why I am testing all this on camp-wireless.com where it is not a major problem if something fails.

2021-07-03 Forgot about zigbee2mqtt running with permit_join true and 2 devices joined my zigbee network 3 months ago
I sort of forgot I had zigbee2mqtt running since 18 June and the network enhanced itself with two devices: a 'lidl smart plug' and a 'power supply/relay/dimmer'. The Lidl Silvercrest smart plug (EU, CH, FR, BS, DK) (HG06337) left the network by itself but the Busch-Jaeger Zigbee Light Link power supply/relay/dimmer (6735/6736/6737) was actively reporting and I was able to switch the light on and off.

After resetting it to the state I found it in I tried to remove it from the network (by sending a 'remove' message to zigbee2mqtt) but it came back right away. So I stopped zigbee2mqtt, set permit_join to false and restarted it. After that I gave the 'remove' command again and that worked and it hasn't come back.

Log from zigbee2mqtt with the device id removed:
Zigbee2MQTT:info  2021-07-03 15:59:04: MQTT publish: topic 'zigbee2mqtt/0xd85def11a1004f69', payload '{"brightness_relay":254,"linkquality":33,"state_relay":"OFF"}'
Zigbee2MQTT:info  2021-07-03 15:59:08: Removing '0x****************'
Zigbee2MQTT:info  2021-07-03 15:59:08: Successfully removed 0x****************
Zigbee2MQTT:info  2021-07-03 15:59:08: MQTT publish: topic 'zigbee2mqtt/bridge/log', payload '{"message":"0x****************","type":"device_removed"}'
Zigbee2MQTT:warn  2021-07-03 15:59:08: Device '0x****************' left the network
Zigbee2MQTT:info  2021-07-03 15:59:08: MQTT publish: topic 'zigbee2mqtt/bridge/event', payload '{"data":{"ieee_address":"0x****************"},"type":"device_leave"}'
Zigbee2MQTT:info  2021-07-03 15:59:08: MQTT publish: topic 'zigbee2mqtt/bridge/log', payload '{"message":"left_network","meta":{"friendly_name":"0x****************"},"type":"device_removed"}'
Zigbee2MQTT:warn  2021-07-03 15:59:08: Device '0x****************' left the network
Zigbee2MQTT:info  2021-07-03 15:59:08: MQTT publish: topic 'zigbee2mqtt/bridge/event', payload '{"data":{"ieee_address":"0x****************"},"type":"device_leave"}'
Zigbee2MQTT:info  2021-07-03 15:59:08: MQTT publish: topic 'zigbee2mqtt/bridge/log', payload '{"message":"left_network","meta":{"friendly_name":"0x****************"},"type":"device_removed"}'

Sorry to whoever in the neighbourhood wasn't able to get their new lightswitch/dimmer working with their own hub. It should work now.

I checked the documentation and it's perfectly possible to tell zigbee2mqtt to allow/deny joins (even for a set time) via a message delivered via mqtt: MQTT topics and message structure: zigbee2mqtt/bridge/request/permit_join. I will leave the fixed configuration to joins disabled and will allow a join by hand when there is an actual device to join.
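
The lesson of this post is that a join while permit_join is on can go unnoticed for weeks. The added example below (not part of zigbee2mqtt or of the original post) audits a zigbee2mqtt log for device_joined events of devices that are not on a known list and records whether joining was enabled at that moment. The log lines are constructed for the example in the format of the log quoted above, with made-up IEEE addresses; the 'Zigbee: allowing new devices to join' and 'Zigbee: disabling joining new devices' messages are what zigbee2mqtt logs when joining is toggled, assumed here to match the installed version.

```python
import json
import re
from datetime import datetime

LOG_LINE = re.compile(r"^Zigbee2MQTT:(\w+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (.*)$")
PUBLISH = re.compile(r"^MQTT publish: topic '([^']+)', payload '(.*)'$")

# Constructed log for this example, in the format of the log quoted above.
# The IEEE addresses are made up: 0x00158d0001a2b3c4 plays the sensor the
# owner paired on purpose, the other two are the neighbour's devices.
SAMPLE_LOG = """\
Zigbee2MQTT:info  2021-06-18 20:01:00: Zigbee: allowing new devices to join.
Zigbee2MQTT:info  2021-06-18 20:05:12: MQTT publish: topic 'zigbee2mqtt/bridge/event', payload '{"data":{"friendly_name":"0x00158d0001a2b3c4","ieee_address":"0x00158d0001a2b3c4"},"type":"device_joined"}'
Zigbee2MQTT:info  2021-06-20 09:12:31: MQTT publish: topic 'zigbee2mqtt/bridge/event', payload '{"data":{"friendly_name":"0x84fd27fffe1a2b3c","ieee_address":"0x84fd27fffe1a2b3c"},"type":"device_joined"}'
Zigbee2MQTT:info  2021-06-21 11:40:02: MQTT publish: topic 'zigbee2mqtt/bridge/event', payload '{"data":{"ieee_address":"0x84fd27fffe1a2b3c"},"type":"device_leave"}'
Zigbee2MQTT:info  2021-06-25 18:30:45: MQTT publish: topic 'zigbee2mqtt/bridge/event', payload '{"data":{"friendly_name":"0xbc33acfffe0d1e2f","ieee_address":"0xbc33acfffe0d1e2f"},"type":"device_joined"}'
Zigbee2MQTT:info  2021-07-03 15:59:04: MQTT publish: topic 'zigbee2mqtt/0xbc33acfffe0d1e2f', payload '{"brightness_relay":254,"linkquality":33,"state_relay":"OFF"}'
Zigbee2MQTT:info  2021-07-03 15:59:08: Removing '0xbc33acfffe0d1e2f'
Zigbee2MQTT:info  2021-07-03 15:59:08: MQTT publish: topic 'zigbee2mqtt/bridge/event', payload '{"data":{"ieee_address":"0xbc33acfffe0d1e2f"},"type":"device_leave"}'
Zigbee2MQTT:info  2021-07-03 16:02:00: Zigbee: disabling joining new devices.
"""


def parse_events(lines):
    """Turn zigbee2mqtt log lines into a list of event dicts.

    Only two kinds of line matter for the audit: bridge events published on
    zigbee2mqtt/bridge/event (device_joined, device_leave, ...) and the lines
    written when joining is switched on or off. Everything else is skipped.
    """
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("Zigbee: allowing new devices to join"):
            events.append({"time": when, "kind": "permit_join", "value": True})
        elif msg.startswith("Zigbee: disabling joining new devices"):
            events.append({"time": when, "kind": "permit_join", "value": False})
        else:
            p = PUBLISH.match(msg)
            if not p or p.group(1) != "zigbee2mqtt/bridge/event":
                continue
            try:
                payload = json.loads(p.group(2))
            except ValueError:
                continue  # truncated or non-JSON payload: not an event we can use
            events.append({"time": when, "kind": payload.get("type"),
                           "ieee": payload.get("data", {}).get("ieee_address")})
    return events


def audit_joins(lines, known_devices):
    """Every device_joined for a device not in known_devices, with the
    permit_join state the log showed at that moment (None if not yet seen)."""
    permit_join = None
    findings = []
    for ev in parse_events(lines):
        if ev["kind"] == "permit_join":
            permit_join = ev["value"]
        elif ev["kind"] == "device_joined" and ev["ieee"] not in known_devices:
            findings.append({"time": ev["time"], "ieee": ev["ieee"],
                             "permit_join": permit_join})
    return findings


if __name__ == "__main__":
    for f in audit_joins(SAMPLE_LOG.splitlines(), {"0x00158d0001a2b3c4"}):
        print(f"{f['time']} unexpected join by {f['ieee']} (permit_join={f['permit_join']})")
```

The known-device set is the list of IEEE addresses you paired yourself (the devices section of configuration.yaml is the obvious source); anything else joining, especially with permit_join still on, is the neighbour's light switch from the story above.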

2021-06-09 Article in Trouw misses a lot about information security 4 months ago
Various media I follow reported this morning on an article in Trouw: 'Tientallen websites overheid voldoen niet aan veiligheidsrichtlijnen' (dozens of government websites do not meet security guidelines) - nos.nl and 'Tientallen overheidswebsites zijn onvoldoende beschermd tegen hackers' (dozens of government websites are insufficiently protected against hackers) - volkskrant.nl.

The assumption in the original article (behind a paywall) is that because a government agency's website uses WordPress, where the admin login page is easy to find, all of these websites are automatically vulnerable. And for convenience a link is then drawn to the break-in at the municipality of Hof van Twente.

This skips a whole lot of steps in security and reduces it to 'public login page, therefore insecure'. I know WordPress is well known and notorious for vulnerabilities and that every wp-login page is constantly probed and, if it exists, gets brute-force attacks. This website does not run WordPress and I see 5-11 attempts per day to find the wp-login page. Another site I host does run WordPress and, with a very tightly tuned filter that blocks repeated login attempts, I see 500 to 1300 login attempts per day. So such a login page is a known risk and something has to be done about it. You take measures such as limiting the number of login attempts per source and strong passwords. In addition, WordPress itself has to be managed well and updated quickly when vulnerabilities appear.

I also think some of the websites mentioned deliberately chose an externally hosted WordPress-based site after a proper risk assessment. The site can then very easily be completely disconnected from the rest of the computer systems of the government service in question. And if something happens to that WordPress website, you throw it away and rebuild the site.

The article misses all these considerations and nuances. It also draws a link to the bad password that was the root cause of the ransomware attack on the municipality of Hof van Twente. But that bad password gave access, without a second factor, to the internal network of that municipality via remote desktop. Unauthorised access to an operating system via remote desktop is in many cases a much greater risk than administrator rights on a WordPress site.

I think it is a bad article and it is a pity that various other media copy it without being too critical.

For the record: even though I work in information security, this is my personal opinion and has nothing to do with employers.

2021-06-09 The Electrolama zigbee stick comes in from England: time to pay taxes! 4 months ago
The zigbee stick I ordered for environmental monitoring at home is making its way over here and I received an SMS about the duty and tax to be paid for importing it from the United Kingdom. Indeed, since Brexit, taxes have to be paid.

My first reaction when receiving an SMS about a package was to think of malware attempts, since that has been in the news recently. So I checked carefully. It's good DPD also sends an e-mail with the same information, and I can check the validity of the links and the source of the e-mail a lot better on a computer.

2021-06-03 New (for me) bitcoin extortion spam, quite well-known for others 4 months ago
New bitcoin extortion spam coming in for wallet 122F3j5EfUKnuKjFY54pCE43C793eVPSTY. I got it in English, but given the reports it was also sent out in at least one other language.

Which means the author has no idea who pays, but just likes a filled bitcoin wallet.

2021-06-02 Uncomplicated Firewall (UFW) : don't confuse it or you will be locked out 4 months ago
I am looking at better protection inside my home network since there is a mix of "trusted" and "not so trusted" devices in the house. I consider devices that just need Internet access to talk to some server out there (the well-known "cloud", better known as "someone else's computer") and that are (mostly) black boxes as untrusted, compared to systems installed with a known operating system where I can control what they can and can't do.

One of the things I wanted to improve are local host-based firewalls. The firewall in the router linux machine is the result of years of fine-tuning and experience so I manage that by hand. But for somewhat standard hosts I want simple firewalls that are easily managed.

I tried ufw, the Uncomplicated Firewall, and on the first (test) machine it went fine without a problem. On the second machine, where there are already a few active firewall rules managed by fail2ban, something hiccupped and before I knew it ufw had left me with an unreachable machine.

The error message from ufw-init was something about being unable to initialize firewall rule ufw-track-output, and the net result was that the machine became unreachable. I needed console access to get back in again. Removing/purging the ufw package didn't help; after reinstalling it and trying again the same error came up and the system was unreachable again.

It turns out ufw leaves its own rules in iptables/ip6tables active (prefixed with 'ufw') and this confused ufw-init. I tried removing them by hand (lots of work) or with a very small shell script, but in the end rebooting the machine and only reinstalling ufw after that reboot got me back to a normal usable situation.
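
The "very small shell script" mentioned above is not on the page. As an added example (not the author's script and not part of ufw), here is that cleanup in Python: it reads the output of iptables -S (or ip6tables -S) and produces the commands that remove only what ufw left behind, namely the jumps from the built-in chains into ufw-* chains followed by a flush and delete of every ufw-* chain, leaving fail2ban's chains alone. The ruleset is constructed for this example in the shape of real iptables -S output; the chain names are the ones ufw actually creates.

```python
import re

# ufw names every chain it creates ufw-<something>.
UFW_CHAIN = re.compile(r"^-N (ufw-\S+)$")
# Rules in the built-in chains that hand traffic to ufw, e.g.
# "-A INPUT -j ufw-before-input". Rules inside ufw chains are not listed
# here because flushing the chain removes them anyway.
UFW_JUMP = re.compile(r"^-A (INPUT|OUTPUT|FORWARD) (.*-j ufw-\S+.*)$")

# Constructed `iptables -S` output for this example: a leftover ufw ruleset
# next to a fail2ban chain that must survive the cleanup.
SAMPLE_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-N ufw-before-input
-N ufw-track-output
-N ufw-user-input
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-input
-A OUTPUT -j ufw-track-output
-A f2b-sshd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
"""


def ufw_cleanup_commands(ruleset, tool="iptables"):
    """Commands that remove leftover ufw chains and nothing else.

    ruleset: text of `iptables -S` or `ip6tables -S`.
    tool:    the binary to put in front of each command.
    Order matters: first drop the jumps from INPUT/OUTPUT/FORWARD (a chain
    that is still referenced cannot be deleted), then flush all ufw chains
    (they jump to each other), then delete them.
    """
    chains, commands = [], []
    for line in ruleset.splitlines():
        m = UFW_CHAIN.match(line)
        if m:
            chains.append(m.group(1))
            continue
        m = UFW_JUMP.match(line)
        if m:
            # Deleting a rule takes the same specification as adding it.
            commands.append(f"{tool} -D {m.group(1)} {m.group(2)}")
    commands += [f"{tool} -F {chain}" for chain in chains]
    commands += [f"{tool} -X {chain}" for chain in chains]
    return commands


if __name__ == "__main__":
    # Real use: feed it `iptables -S` and `ip6tables -S` output and run the
    # printed commands as root (or pipe them into sh) before reinstalling ufw.
    for cmd in ufw_cleanup_commands(SAMPLE_RULESET):
        print(cmd)
```

Run the generated commands as root, for both iptables and ip6tables, and confirm with iptables -S | grep ufw- that nothing is left before installing and enabling ufw again; the reboot the author fell back on does the same thing less selectively.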

2021-05-31 I try to report a scam e-mail to ABN-AMRO, but... 4 months ago
According to Phishing en andere fraude melden - ABN AMRO (reporting phishing and other fraud) I can forward it to an address set up specifically for that purpose. Unfortunately...
   ----- The following addresses had permanent fatal errors -----
<valse-email.at.abnamro.nl>
    (reason: 553-Message filtered. Refer to the Troubleshooting page at)

   ----- Transcript of session follows -----
... while talking to cluster1.eu.messagelabs.com.:
>>> DATA
<<< 553-Message filtered. Refer to the Troubleshooting page at
<<< 553-https://knowledge.broadcom.com/external/article?legacyId
<<< 553 =TECH246726 for more information. (#5.7.1)
554 5.0.0 Service unavailable
Unfortunately that does not work, because there is apparently some overly good spam filtering on that address.


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.

My opinions are my own, what I write is protected by copyright. Some publications contain an explicit license statement which allows sharing without asking permission.