Bitwiper

Long-time cybersecurity freak (2010: MS10-015 causes rootkitted XP PCs to crash: isc.sans.edu/diary/MS10015+may)

2025-02-27

@NaMi

Perhaps you should read what @ErikvanStraten tried to reply (infosec.exchange/@ErikvanStrat).

Among other things, he wrote:
"
My grandfather was Jewish (born 1900). He survived the war; his family was murdered by German "people".
"

Bitwiper boosted:
Jason Parker (he/they) north@ꩰ.com
2024-09-22

@jann The latter. SMS should never be used as 2FA.

Edit: An example from just today -- youtube.com/watch?v=wVyu7NB7W6

2024-09-15

Maybe it was one file of 440GB?

"Fortinet has admitted that bad actors accessed cloud-hosted data about its customers, but insisted it was a "limited number" of files." theregister.com/2024/09/13/for

Also: "Fortinet has had a bad run of things this year on the security front, including:"

Ahem. About 12 years ago, from kb.cert.org/vuls/id/111708
"Fortigate UTM appliances share the same default CA certificate
...
Acknowledgements
Thanks to Bitwiper for reporting this vulnerability."

An anon user posted the private key in security.nl/posting/322952, while I wrote some details on that page and (in Dutch), among other posts on that page, in security.nl/posting/327277.

Cybertruckloads of vulns since then (cvedetails.com/vulnerability-l).

Fortinet is primarily a marketing company; they will never understand security.

#Fortinet #Fortigate #UTM #appliances #MitM #SSLMitM #TLSMitM #infosec

2024-07-17

@feistyduck : _WHY_ are you using a URL-shortening service on Mastodon - of all places on infosec.exchange?!?!

https:⁄⁄buff.ly⁄WTF

What _IS_ your expertise?

#buff_ly #URLShorteners #URL_Shorteners

2024-07-15

@jscalzi : please stop using http links if websites support https.

By specifying vote.org (or vote.org/ which gives the same result) in a link, or by typing vote.org in the address bar of your browser, there are three possibilities:

1) the browser connects to the _real_ vote.org website;

2) the browser displays a certificate error (never continue in such a case);

3) extremely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.

(Note: I used the Unicode '⁄' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).

By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.

Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).

Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (bleepingcomputer.com/news/secu) or by manipulating DNS replies to browsers.

Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): hstspreload.org/?domain=vote.o (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).

See also the unnecessarily poor results in internet.nl/site/vote.org/2883

Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.

[1] More info: infosec.exchange/@Bitwiper/112

@adamshostack

#http #https #httpsvshttp #httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation
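
As an added example (not code from the original post), a small Python helper that checks a site's Strict-Transport-Security header against the hstspreload.org header requirements and flags links whose first request would go out over plain http, i.e. the situation the post describes; the preload-list handling is a simplification that treats every entry as covering its subdomains.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None   # None if absent or malformed
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 directive syntax)."""
    policy = HstsPolicy()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # RFC 6797: unrecognised directives are ignored
    return policy

def preload_problems(header: str) -> list:
    """Reasons this header fails the hstspreload.org header requirements (empty list = passes)."""
    p = parse_hsts(header)
    problems = []
    if p.max_age is None:
        problems.append("missing or malformed max-age")
    elif p.max_age < ONE_YEAR:
        problems.append(f"max-age {p.max_age} is below one year ({ONE_YEAR})")
    if not p.include_subdomains:
        problems.append("missing includeSubDomains")
    if not p.preload:
        problems.append("missing preload")
    return problems

def link_allows_downgrade(url: str, preloaded: frozenset) -> bool:
    """True when a link leaves room for the http downgrade described above: the browser's first
    request is plain http and neither the host nor a parent domain is on the preload list
    (simplification: every preload entry is assumed to cover its subdomains)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return False  # link (or user) explicitly asked for https: no downgrade
    labels = parts.hostname.lower().split(".")
    return not any(".".join(labels[i:]) in preloaded for i in range(len(labels)))
```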

2024-07-14

@shaft

Also 193.233.203.x

bleepingcomputer.com/news/secu

virustotal.com/gui/ip-address/

11/92 www.paris24tickets[.]com
17/92 paris24tickets[.]com
0/92 liveticketplace[.]com
0/92 www.paris24tickets[.]net
10/92 paris24tickets[.]net

2024-07-14

@shaft

virustotal.com/gui/ip-address/

0/92 gouv.smsjudiciaire[.]com
8/92 gouv.smsredevance[.]com

2024-07-14

These guys are fast (I don't know whether you'll get any merch if you pay - visit at your own risk):

earstaysontrump.com

LE cert (can be seen in virustotal.com/gui/domain/www.)
Not Before: 2024-07-14 17:24:47

Precerts are already visible here: crt.sh/?q=earstaysontrump.com

#Trump #Merch #Butler #Shooting

2024-07-12

@robert_a : Cloudflare is primarily a CDN company.

CDN proxy servers
———————————
Cloudflare owns proxy servers in most worldwide networking centers, typically one near you:

you <--> proxy server <--> real server

Their proxy servers (like Fastly) typically cache static content.

Advantages:
———————
• Faster speed for you.

• DDoS protection for the actual servers.

Disadvantages for you:
—————————————
• Your browser has an E2EE connection to a Cloudflare proxy server, NOT to the actual server. You have no idea regarding the security of the connection between the Cloudflare proxy server and the actual server, nor how well Cloudflare checks the authenticity of the remote server (even http, a self-signed or a revoked certificate might be used without you knowing it).

• You don't know the server's IP address (and therefore you don't know which party hosts it in which country - which may be Russia or China), allowing malicious servers to "hide" behind Cloudflare IP addresses.

• You can't block Cloudflare IP addresses without experiencing a lot of false positives (one Cloudflare IP address is used to proxy thousands of servers). Cloudflare IP addresses for a server often change, making it harder to block anything. This makes CDNs the perfect hiding place for malicious websites.

• Cloudflare has access to HUGE amounts of -unencrypted- internet traffic, which is an ENORMOUS privacy risk.

• As a US company, Cloudflare has to deal with FISA section 702. Three-letter agencies love Cloudflare.

Hosting
—————
In addition, Cloudflare hosts mostly free *.pages.dev and *.workers.dev sites which are abused *A LOT* for malicious purposes. One year ago (it didn't stop, on the contrary): trustwave.com/en-us/resources/

Root cause of rising cybercrime stats
—————————————————————
Cybercriminals can, mostly anonymously, obtain domain names and hire server space. And they get https certificates for free (*). That would not be a big problem if browsers would distinguish between cheap junk on the web and reputable web sites (they don't because that would cause big tech to earn less).

(*) If websites like the following *look* real, how can one possibly know that they're fake? (a few of loads of examples):

• https:⁄⁄formula1-tickets.com
• https:⁄⁄paris24tickets.net
• https:⁄⁄robbiewilliams-tickets.com
• https:⁄⁄page.facebook-guidelines.com
• https:⁄⁄adobe-pdf-online.com
• https:⁄⁄accounts.hetzner.com.do

The Internet is becoming more criminalized every day.

@GossiTheDog @campuscodi

#CloudFlare #Fastly #InfoSec #Cybercrime #FakeSites
