News items for tag security - Koos van den Hout

2021-10-09 A long bitcoin extortion scam
Cybercriminal This time the scammer / fraud / criminal tries using a lot of text to convince victims to pay bitcoins.

Using bitcoin address bc1qtzqgwqe3cd4cnv26vawxvfg3kr09r0jv53p8nw where it shows this one is already known and no money has been lost.

A bit of a sample, showing that the scammer has some imagination and a good grasp of English:
During the pandemic outbreak a lot of providers have faced difficulties in
maintaining a huge number of staff in their offices and so they have decided to
use outsourcing instead.
While working remotely from home, I have got unlimited abilities to access the
user databases.

I can easily decrypt passwords of users, access their chat history and online
traffic with help of cookie-files.
I have decided to analyse users traffic related to adult websites and adult
content.

My spyware functions as a driver. Hence, I can fully control your device and
have access to your microphone, camera, cursor and set of symbols.
Generally speaking, your device is some sort of my remote PC.
Since this spyware is driver-based, then I can constantly update its
signatures, so that no antivirus can detect it.
While digging through your hard drive, I have saved your entire contact list,
social media access, chat history and media files.
Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)

Update 2021-10-13: As not enough money is coming into this wallet the scammer tries again. Same address, demanding an amount equivalent to $1150 (USA Dollars). As the mail comes from some random ISP in Chili I think the criminal is somewhere else on this planet.

Tags: , ,
2021-10-08 Op het spoor van de scammer/spammer
Cybercriminal Een redelijk standaard valse mail, al bekend bij de fraudehelpdesk: Diverse onderwerpen Klik op “Lees meer” - fraudehelpdesk.nl
   Geachte heer/mevrouw ,
   Er staat een document in uw Berichtenbox van Belastingsamenwerking
   Gemeenten en Waterschappen. Ga naar [1]MijnOverheid om het bericht te
   bekijken. Mogelijk moet u naar aanleiding van dit bericht actie
   ondernemen. Lees het daarom op tijd.
   Met vriendelijke groet,
   MijnOverheid
   Logo Rijksoverheid

   Technisch onderhoud Berichtenbox app
   Vanwege technisch onderhoud is het momenteel niet mogelijk om het
   bericht via de Berichtenbox direct te lezen. Bekijk het bericht daarom
   direct via uw webbrowser.
URL spoor:
  • hxxps://t.co/Fpu3LOuf9Y
  • https://u.nu/SOGTH
  • https://tinee.link/ZJJeb
  • hxxps://ukrijgtterug2020.xyz/
Niet geheel onverwacht is dit domein vandaag geregistreerd:
Domain Name: UKRIJGTTERUG2020.XYZ
Registry Domain ID: D253685109-CNIC
Updated Date: 2021-10-08T10:58:04.0Z
Creation Date: 2021-10-08T10:44:42.0Z
Registry Expiry Date: 2022-10-08T23:59:59.0Z
Site staat achter cloudflare IP adressen. Dus het certificaat zegt ook niet zoveel op https://crt.sh/?id=5375183746 en de achterliggende site reageert op dit moment niet dus ik krijg een mooie cloudflare foutmelding.

Tags: , ,
2021-10-07 Adding security headers to websites I develop and run
As someone interested in security I'm also busy with securing the websites I develop and run. I'm looking at Content-Security-Policy headers and I notice those seem 'easier' for sites that have one task and one source of development like Camp Wireless and somewhat harder for sites that collect pages/scripts/materials over the years like idefix.net.

Although Camp Wireless can have some advertising, which suddenly turns the whole thing around since advertising scripts can load other advertising scripts completely dynamic. Searching for 'google adwords' and 'Content-Security-Policy' gave me Can Content Security Policy be made compatible with Google Analytics and AdSense? and the answer seems to be either "no" or "with a lot of work which you have to keep updating".

Update: I temporarily added a Content-Security-Policy-Report-Only directive to get an idea what kind of problems I will run into (with my own reporting backend). A lot of them. All inline javascript is suddenly a problem. So a 'fully secured' Content Security Policy header is already hard for single task, single source websites, let alone websites with a lot of history in the pages.

Tags: , , ,
2021-09-30 Seeing the expiry of the old LetsEncrypt chain happen
The 'moment of truth' for LetsEncrypt: the end of the validity of the root certificate that was used to kickstart LetsEncrypt before they got their own root certificate in (most) certificate stores.

I notice openssl is still showing the old chain (but not the expired intermediate):
---
Certificate chain
 0 s:CN = koos.idefix.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Which is interesting as the ISRG Root X1 is also in the root store. But it's also cross-signed to the DST Root CA.

Checking the verification steps (and not the chain as given out by the server) gives the new path already:
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = koos.idefix.net
verify return:1
This is a subtle but important difference.

Only hours left until the DST Root expires:
$ openssl x509 -in DST_Root_CA_X3.crt -noout -enddate
notAfter=Sep 30 14:01:15 2021 GMT
If services break after 14:01:15 GMT (UTC) today you're not working according to best practices (replacing the certificate chain with every certificate replacement) or you have old clients.

Slight update: I requested a new LetsEncrypt certificate for a service after 14:01:15 GMT (UTC) and it still has the certificate chain with cross-certification to DST Root CA X3:
---
Certificate chain
 0 s:CN = koos.idefix.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
The verification steps are as above.

Tags: ,
2021-09-29 Spam/phishing/fraude woningnet
Cybercriminal Het nieuws over de woningmarkt in nederland is blijkbaar ook opgepikt door de fraudeurs die graag mensen geld afhankelijk maken.

Onderstaande uit de inkomende berichten. Keurig alle kenmerken van een poging fraude: urgentie 'binnen 2 weken' en vervelende consequenties als de gebruiker niets doet 'Uw opgebouwde inschrijfduur en eventuele reacties vervallen dan'.

Allemaal vooral tekenen van een poging tot oplichting. Trap hier niet in. Meer informatie bij Diverse onderwepen Klik op “Lees meer” - fraudehelpdesk.nl.
Geachte klant,

Uw inschrijving bij WoningNet

Over 2 weken verloopt uw inschrijving. Uw inschrijving verlengen wij met een
jaar als u de verlenginskosten van

WoningNet-verlengingskosten                                                   

Factuurnummer: SRA-00717113

Wilt u betalen via een doorlopende machtiging? dit kan, nadat u dit jaar nog
via iDEAL betaald heeft. U kunt na de betaling bij overzicht van mijn gegevens
uw betaalwijze veranderen.

Volgend jaar zullen wij dan de verlengingskosten van uw rekening incasseren.
Ook hiervan krijgt u via e-mail een bericht. Meer informatie over betalen van
de verlengingskosten vindt u op onze website.

Uitschrijven

Als u niet binnen 2 weken betaalt, schrijven wij u uit. Uw opgebouwde
inschrijfduur en eventuele reacties vervallen dan.
De url voor de 'WoningNet-verlengingskosten' :
hxxps://t.co/1nuIzIn4KV?amp=1
t.co is de url-verkorter van twitter.

Gaat door naar:
hxxps://0x1.co/WE8FY
Een andere url-verkorter.

Gaat door naar:
hxxps://0mgeving-online.ga/

;; ANSWER SECTION:
0mgeving-online.ga.     3511    IN      A       195.133.40.102
En die reageert op dit moment niet. Opvallend: Er is ook (nog) geen certificaat voor bekend in de CT-logs.

Update: Aparte vermelding nu bij fraudehelpdesk.nl met voorbeeld: Lidmaatschap behouden - Fraudehelpdesk.

Tags: , , ,
2021-09-23 Phishing with error messages
In the phishing mail today:
   -------- Original Message --------

   Subject: Mail delivery failed: returning message to sender

   From: Mail Delivery System
   Date: 9/23/2021 7:09:49 p.m.

   To: koos@[..]



   This message was created automatically by mail delivery software.



   Some recent messages that you sent could not be delivered to one or
   more of its recipients.
   This is a temporary error tha can be corrected.

   Reporting-MTA: dns;[1]click to retry delivery
   Action: failed
   Status: Queued on server
The 'click to retry' was a link to a phishing site. Nicely copied from a standard mailer error message. Too bad the phishing site doesn't work!

Tags: , ,
2021-09-01 Wildcard certificates and zerossl via acme protocol
Encrypt all the things meme I'm personally not a huge fan of wildcard TLS certificates (risks with reuse of the private key) so I didn't try those yet, but based on my experiences with certificates with multiple names with zerossl I got a response: Stephen Harris on Twitter: Do they support wildcards and I just had to try. And it works! I requested a certificate:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:gosper.idefix.net, DNS:*.gosper.idefix.net
And indeed it worked:
        Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Sep  1 00:00:00 2021 GMT
            Not After : Nov 30 23:59:59 2021 GMT
        Subject: CN = gosper.idefix.net
[..]
            X509v3 Subject Alternative Name: 
                DNS:gosper.idefix.net, DNS:*.gosper.idefix.net
So that works too! The choice for gosper.idefix.net is because I already had dns records setup for dns-01 based verification of that name.

Tags: , ,
2021-08-30 Going all the way with zerossl: requesting a certificate with multiple names
Encrypt all the things meme I assumed the free tier of zerossl doesn't allow for certificates with multiple names but I guess I assumed wrong, because I just got issued a certificate with multiple names.

After debugging my earlier issues with zerossl and finding out I forgot the CAA record this time I tried a certificate with the subjectAltName extension in use with more than one name.
$ openssl req -in httprenewable/webserver-devvirtualbookcase.csr -noout -text
[..]
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com, DNS:perl.virtualbookcase.com
And the certificate dance went fine with dehydrated:
$ ./dehydrated/dehydrated --config /etc/dehydrated/config.zerossl -s httprenewable/webserver-devvirtualbookcase.csr > tmp/certificate.crt
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for developer.virtualbookcase.com
 + Handling authorization for perl.virtualbookcase.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for developer.virtualbookcase.com authorization...
 + Challenge is valid!
 + Responding to challenge for perl.virtualbookcase.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Order is processing...
 + Checking certificate...
 + Done!
$ openssl x509 -in tmp/certificate.crt -noout -text | less
[..]
            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com, DNS:perl.virtualbookcase.com
The /etc/dehydrated/config.zerossl has the EAB_KID and EAB_HMAC_KEY values set to the ones associated with my account.

This means zerossl works as a complete secondary certificate issuer and I could switch over completely in case LetsEncrypt isn't available. Choice is good!

Tags: , ,
2021-08-19 Trying zerossl as backup certificate provider
Encrypt all the things meme Based on the recent article Here's another free CA as an alternative to Let's Encrypt! I decided to check my options for having an alternative to LetsEncrypt.

Not because I have or had any problems with LetsEncrypt, but I like having a backup option. So I started with zerossl as option.

Sofar I did the whole registration and certificate request dance purely with the dehydrated client, but that gives an error on a certificate request:
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for developer.virtualbookcase.com
 + Handling authorization for perl.virtualbookcase.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for developer.virtualbookcase.com authorization...
 + Challenge is valid!
 + Responding to challenge for perl.virtualbookcase.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Order is processing...
ERROR: Order in status invalid
Creating a zerossl account with a webbrowser and setting the EAB_KID and EAB_HMAC_KEY to the values from my zerossl account also doesn't help, that also ends with
$ ./dehydrated/dehydrated --ca zerossl --config /etc/dehydrated/config.zerossl -s httprenewable/webserver-devvirtualbookcase.csr > tmp/certificate.crt
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for developer.virtualbookcase.com
 + Handling authorization for perl.virtualbookcase.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for developer.virtualbookcase.com authorization...
 + Challenge is valid!
 + Responding to challenge for perl.virtualbookcase.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Order is processing...
ERROR: Order in status invalid
I realized a certificate for multiple names isn't supported by the free tier of zerossl. Removing one of the names from the certificate still made it end up in status 'invalid'.

Also re-creating the account in dehydrated after creating the zerossl account and setting the EAB_KID and EAB_HMAC_KEY variables correctly didn't solve things yet. The same request works fine with LetsEncrypt so the issue is something with dehydrated / zerossl.

Update: Sharing my woes gave a suggestion: Stephen Harris on Twitter: "@khoos You have a CAA record for virtualbookcase.com that might be blocking it." / Twitter and Stephen is absolutely right: I set up CAA records ages ago for all my domains. And the zerossl CAA document I can find absolutely agrees I need to add a CAA record allowing certificates by sectigo.com.

Updated: And after waiting for DNS propagation and trying again I now have a zerossl.com certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:7b:c8:e9:ad:fd:14:ad:5c:ae:a2:57:fe:45:d9:41
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Aug 19 00:00:00 2021 GMT
            Not After : Nov 17 23:59:59 2021 GMT
        Subject: CN = perl.virtualbookcase.com

Tags: , ,
2021-08-13 Next bitcoin extortion scam
Yet another bitcoin extortion scammer, this time using address 1Gkg3g7GGbsKktkkbgKNfL6MMGZ1xCoGJC. The reports read like she/he has tried it in multiple languages. Until this moment no bitcoins have ended up with the scammer.

Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.35 2021/11/09 13:09:49 koos Exp $ in 0.015950 seconds.