Friday 30 December 2011

NFI recruits people via sherlock.holmes.nl

Earlier this month it was still hot news that the British intelligence service GCHQ was trying to recruit people by having them crack a code. Now it turns out our own NFI follows a similar strategy.

Since this convicted criminal has also done a project at the NFI (a case of handing out a figurative work ban, but happily reaping the fruits yourself), I was recently digging through my mail conversations. And my eye fell on something funny.

Digging deeper into the way the NFI handles its mail, I ended up at this mail server: sherlock.holmes.nl -> 195.169.99.99. My eye naturally fell on it at first because it is, above all, a very funny domain. Besides, you would not readily expect a serious institution like the NFI to use such a domain name. But nothing could be further from the truth.

What's more, the domain holmes.nl is the domain of the Digital Technology department. And if we visit that website, http://www.holmes.nl, we end up on the NFI's vacancies page. Indeed!

Whether the whole thing is meant seriously I don't know, because... see below:

Oh yes, this is where the NFI stores all its sensitive information about crimes: https://nlbds.net
The intelligent data analysis department is apparently also looking for staff: www.kecida.nl
And furthermore:
Statistics: stats.holmes.nl
Downloads: downloads.holmes.nl
Repository: repository.holmes.nl
I don't dare look any further. I would still like to celebrate New Year's Eve outside.

Tuesday 27 December 2011

AnonymouSabu aka Xavier de Leon?

Could you call it remarkable when someone specifically remembers a local root exploit from more than 6 years ago? A local root exploit that doesn't mean anything at the time of writing. (At least for us...)


It is what caught my eye during this conversation between @anonymouSabu and @mikko. In this tweet anonymouSabu mentions this exploit. The author of the exploit is Xavier de Leon, xavier@tigerteam.se.
The connection with Xavier de Leon has long been suggested, and this tweet of anonymouSabu could just be adding value to the smokescreen that keeps him from getting arrested. But for the trained eye, this must be of great value and a serious suggestion pointing towards the identity of anonymouSabu.

But let's never forget anonymouSabu is smart, and aware of this suggestion.

Thursday 22 December 2011

Twitter.com serving wrong certificate

Here's a blog post about twitter serving the wrong certificate on one of its domains. This could be a classic example of a government sniffing usernames and passwords with a compromised private key of the domain twitter.com. Although the whole set-up just suggests someone at twitter made a mistake.

The problem is with the domain https://fr.twitter.com. For some reason it popped up in my timeline yesterday and I was automatically forwarded to it several times. I have no idea why, but apparently I'm not the only one, see the twitter search results: https://twitter.com/#!/search/fr.twitter.com
The domain is providing you with the certificate for the domain twitter.com and not, as it should in this case, for fr.twitter.com. See below the certificate fr.twitter.com is serving; note the issuer.

I have to mention I wouldn't have noticed this if the certificate had been a wildcard certificate for *.twitter.com, because then the certificate would have been valid and I would probably have ignored it.
The domain name fr.twitter.com resolves to 199.59.149.230, 199.59.149.198 and 199.59.148.82, while twitter.com resolves to 199.59.148.10, 199.59.148.82 and 199.59.149.230. Both are within the TWITTER-NETWORK. But as we all know, governments can redirect any traffic if they want to.

Another funny thing is this: the IP address 199.59.149.198 is also hosting this website: itgovportal.net. Visit that website and take a look. Is it just @sfkassab redirecting the traffic of his website?

Let's wait for twitter to respond.

UPDATE:
No response from twitter yet. But I've had a closer look.
There are 4 twitter DNS servers that serve the domains twitter.com and fr.twitter.com.
2 DNS servers (ns1.p34.dynect.net & ns4.p34.dynect.net) serve these records:
Name: twitter.com
Addresses: 199.59.149.230, 199.59.149.198, 199.59.148.82
Aliases: fr.twitter.com

And the other 2 (ns2.p34.dynect.net & ns3.p34.dynect.net) serve:
Name: twitter.com
Addresses: 199.59.148.10, 199.59.148.82, 199.59.149.230
Aliases: fr.twitter.com
That explains the IP difference I saw at first, which had set off my alarm bells.

But then again, twitter shouldn't use that CNAME, because the SSL certificate is only valid for twitter.com. They should have used *.twitter.com instead. Or better, delete (or auto-forward) the use of fr.twitter.com.
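The hostname check a TLS client performs, as an added example that is not part of the original post: a certificate whose only name is twitter.com cannot cover fr.twitter.com, while *.twitter.com covers fr.twitter.com (but not twitter.com itself). The SAN lists below are constructed for illustration, not the real 2011 certificates.

```python
"""Hostname matching as a TLS client performs it (RFC 6125 style).

Added example; the certificate names are constructed to mirror the
situation in the post: a cert valid only for twitter.com served on
fr.twitter.com.
"""


def hostname_matches(presented, hostname):
    """Return True if one presented certificate name covers `hostname`.

    - Comparison is case-insensitive; a trailing dot is ignored.
    - A wildcard is only honoured as the whole left-most label and only
      matches exactly one label, so *.twitter.com covers fr.twitter.com
      but neither twitter.com nor a.fr.twitter.com.
    """
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in p_labels[1:]:
        return False  # wildcard only allowed in the left-most label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # refuse "*.com" style wildcards covering a whole TLD
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_valid_for(hostname, san_names):
    """A certificate covers `hostname` if any dNSName SAN entry matches."""
    return any(hostname_matches(name, hostname) for name in san_names)


# Constructed SAN lists (assumptions, not the real certificates).
CERT_TWITTER_ONLY = ["twitter.com"]                 # what fr.twitter.com served
CERT_WILDCARD = ["*.twitter.com"]                   # what the post says would pass
CERT_BOTH = ["twitter.com", "*.twitter.com"]        # covers apex and one sub-label

if __name__ == "__main__":
    for name in ("twitter.com", "fr.twitter.com", "de.twitter.com", "a.fr.twitter.com"):
        print(f"{name:18} twitter.com-only={cert_valid_for(name, CERT_TWITTER_ONLY)!s:5} "
              f"wildcard={cert_valid_for(name, CERT_WILDCARD)!s:5} "
              f"both={cert_valid_for(name, CERT_BOTH)}")
```

To see which certificate a host actually presents, `openssl s_client -connect host:443 -servername host` with the SNI name set is the usual check; without `-servername` a virtual host may return its default certificate instead.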

Another thing: I found out de.twitter.com is also a CNAME. So you would expect them to be country codes, but nl., uk., pl. and es.twitter.com are not CNAMEs.
de.twitter.com doesn't show up in the search results: https://twitter.com/#!/search/de.twitter.com
The way fr.twitter.com does show up for many users. Strange situation going on here.

The last thing I have to mention is that the twitter DNS servers are operated by DynDNS.org. And DynDNS doesn't have such a good reputation regarding privacy, see this blog about that issue.
This basically means we can now link Twitter to DynDNS, the FBI to DynDNS, Duqu (kasperskychk.dyndns.org) to DynDNS