
When are we gonna get out of this mess?

This is the party one really CAN wait to get started…

I have thought about writing a letter to myself for some time now. I got the idea from “God morgon världen”, a radio show on Swedish Radio program 1 that runs on Sunday mornings. They had one of their journalists talk to her younger self about the Corona in letter form.

My version is a letter sent back in time to January 2020, before this situation got out of hand. Back then, the worst fear was that the China situation would go bad. So here goes, a letter sent from October 2020 to January 2020. For the sake of this argument: time travel mail exists and my younger self will believe it’s not a prank letter.

Disclaimer: please understand I’m not trying to choose sides here, just showing a little dark humour. You must be able to laugh at everything in order to cope with this madness. Also, I’m mostly making fun of the discussion that goes on in media and over the Internet. Please don’t sue! Or be mad! It’s the Corona that’s nasty, not me!

Dear Erik

Worried about IT-security issues, the pending American election or that recession we’ve been talking about since 2017 that never materialized? I have good news: you don’t have to worry anymore. I promise you 20/20 will be remembered best in hindsight and fondly enjoyed in the far, far future. Here are some predictions that are 100% accurate due to them already having happened:

Corona – more than just a mediocre beer

What are little Coronas made of? Death and nothing nice…

Meet Corona, a friendly and very communicatible (is that a word, or did I make it up?) thing that really gets around. Never lets you down and has no biases against anyone. Clearly a being of this century.

You might want to stay clear of this virus, cause it’s not really something that improves your life.

Enjoy your bunker
So you’re an introvert? Nice! Gotcha covered. In February, the evil child of the Spanish flu will be making its world tour. You don’t get a T-shirt with the dates and the locations, but a reason to stay at home all day long without missing a second of the thrills of pointless meetings, impossible deadlines, irate customers, broken servers, hacked networks and the results of inefficient planning.

The work day can start, go on and end at any time of the day. Get ready to have little concept of the passage of time while looking into a screen with messages blinking red and the loudspeaker blaring out bleeps for every ad, important message, expired time warning, social media message, Teams notification and e-mail that immediately calls for your attention. The signal is like Forrest Gump’s chocolate box, you never know what you’ll get. “Ohh… Just a new ad for a set of speakers … or sneakers. Or some Rock’n’roll album”. Next time “Ahhhh. It’s 10 pm and a customer representative reports a possible security incident. Meeeting in 15 minutes… Yikes”.

Stocked up on food, water, toilet paper (Yes, that’s a thing!), power banks, alternative internet connections, spare parts and medication? Good… I’m just saying… No, don’t worry, it’s just a precaution.

It’s not paranoia when it’s out there to get you
Corona is totally fine to have. 80% of all that get it will have little problems going through the ordeal. The other 20% that get problems might end up in the ICU or die. No worries, you’re probably in the 80% group. Wanna bet? Doesn’t matter, because you will be betting your life on it no matter what.

You have to be careful not to meet people or touch any surfaces (the floor counts!) without sanitizing. You might think it’s better to inject the hand sanitizer into your blood stream as a prophylactic. But that’s mad, no one would seriously suggest that of course. Unless they’re crazy, sarcastic or maybe both. Which leads me into…

Donald Trump and Joe Biden. I can’t say who is really who, can you?

The US election…
Enjoy the weirdest election year known to our times. It goes like this: a red and a blue team want the US voters to vote for them. But there is a catch: each voter is only allowed to vote for ONE of them. Otherwise it would be no challenge I guess. And getting people to vote for the correct color means shouting, scaring, tweeting, scandalizing and otherwise causing quite a ruckus. Media, Internet outfits, radio stations and some nice intelligence agencies are all eager to help out. Otherwise the system won’t work, they tell me. And maybe that is so. You can choose between two men who are each at the stage of their respective lives where they should be sitting in a rocking chair telling boring stories to their grandchildren.

People will be protesting pretty much everything for any reason. There may also be some bad stuff happening, you have been warned.

On November the 5th we will know who gets to use the White House as their retirement home.

… And stop laughing, in 2022 we get our own election year… It’s going to be interesting…

Coughing… Damn! It’s Corona. Time to write your will…
Here’s a chart for your convenience:

Symptom                        What you think it is
Coughing once.                 Corona.
A celebrity just died.         Corona.
A bit of a fever.              Corona.
Unable to breathe.             Corona.
Broken leg.                    Corona.
The computer will not start.   The GRU just hacked it.

Corona come lately, sweet as can be….

What symptoms are there really that may indicate Corona: pretty much everything.
What parts of your body are affected by Corona: every part except the toe nails (pending further scientific research and may be revised later)

Sweden has a system, no one knows how and if it works and that includes us
All countries will lock down, except Sweden. And that’s because we’re smart, crazy, incompetent, have a system, have no clue, want to be the odd one out, the arrow hit that suggestion on the board, just a random choice, very well made scientific study, the witch doctor said “oh .. ah… oh.. a walla-balla-bing-bong”, Tegnell read his party book, the party said so and then drinks were served, cosmic fluke or just a very brilliant decision.

The outcome of Sweden’s and all other countries’ efforts will be evaluated at a later date, then we’ll assign blame and maybe more blame to all of the countries involved. And all are going to get some… So there… I don’t think anyone is going to be happy with anything that happens right now anywhere in the world. So there are really no winners.

And Sweden, the Corona virus control group of the world, may be either the smartest … or dumbest country in the world when it comes to handling this situation. I really want to know which it is.

BOHICA – Bend over, here it comes again
The summer will see us running out on the fields with reckless abandon. Someone with knowledge comments that the virus does not seem to be seasonal, but no one is listening. Beer (even the Corona brand) flows, bath time – big time!, going on vacation to places with no available hospitals nearby and just chilling in pubs where some tables are kept empty unless someone really wants to sit there.

And then fall arrives and then everything comes back, people, cars and … my Corona… It has quite the knack for it.

Look it’s getting better, man! Big sigh of relief…

Let’s party like it’s 1929...
The recession was waiting for a reason to pop out of its lair, and Corona just gave it one. So here it is, and some industries will be weathering the storm fine whereas others come into a crisis with no end in sight.

Restaurants and other services with high physical attendance will be hit the hardest, but slowly rebound. Whatever the outcome is of this, it’s likely to be a watershed moment for all of us.

Hackers at large
Everyone is hacking everything. But that’s nothing new. It seems like hackers are just retargeting us poor fellas that have to sit at home and work. A piece of advice: there’s something called Zoom. Never mind what it is, just don’t use it for anything, ok?

So to sum it up:
The best one can be in 2020 is a stoic, accepting the storm as it arrives, doing whatever he or she can do and then going with whatever comes out of it without regrets.

Yeah, and stocking up on toilet paper, that is always a good thing…

A signage of the times?

How will we remember this time in the future? All eras have their respective stereotypes when it comes to political views, music, hair styles and such things. So what about the new roaring 20s?

The jury is still out on this question, but let me guess that I can at least come up with a suggestion.

Consider this sign in an elevator of a Swedish higher education school:

The text above the arrows reads “Keep a recommended distance”. The text below the elevator reads “Thanks for your consideration”.

This is a pretty standard sign during Corona-times, as an elevator is a cramped area that can be a problem when it comes to not spreading the virus.

A few days later, some students had amended the sign with this:

The text on the top reads “Warning for gender stereotyping” and the text below reads “Should the men go upwards and the women downwards? Should men be at the front and women have to stand back? Where did LGBTQP and norm-criticism go?”.

This may actually be one thing we remember in the future as it clearly is, well, just a sign(-age) of our time.

Hacking it up!

Five screens trained on the problem of getting all the flags. A snapshot in the middle of the process that led us to 17th place among 152 competing teams.

I was working from home one Friday when Dnov sent me an email asking for my participation in the FOI 20/20 CTF. I thought about it, and decided to join him and his crack (haha!) squad of elite haxx0rs. A “capture the flag” or CTF is simply a hacking competition, where you work as a team to solve tasks that require you to “hack” something. It does not necessarily mean rooting a system, but you have to subvert a service, program or system in order to prove your skills in breaking its security.

FOI – Totalförsvarets forskningsinstitut

FOI is a Swedish governmental organisation tasked with aiding the Swedish armed defence with technology research and supporting things like disarmament and international security. In a typical Swedish manner, doing a lot of things that look like they’re contradictory. 🙂

On the 26th of September the 20/20 CTF started with a bang as the virtual doors flung open at 2 pm and we worked until 10 pm that same evening.

Meet 0xDEADBEEF

In The Atrocity Archives, supernatural hacker/sysadmin/government agent Bob Howard destroys the content of a hard drive by writing the hexadecimal string DEADBEEF over and over again on all the tracks. This is as far as I know an old hacker joke and it fits. 0xDEADBEEF is also the name of our team. We’re at this moment five guys employed in the IT-security field. So let’s talk about us.

Really not sure who is who here among us, but it amuses me to try to figure it out.

dnov
The principal leader of the team. He’s like that white haired old man who likes a good plan coming together in the A-team TV-series. With a broad knowledge in infosecurity, it-security and working with our Swedish defense effort, he is really the right man for the job.

CrashOverride
Ok, so we’re doing A-team references here? This is clearly Mr T. The heavy hitter, who managed to come up with solutions to many different tasks and worked all over the board, mostly with cryptography and reversing. He has an academic background “in something cyber”. That’s his story, and I’m sticking with it. So there…

StripeCAT
Enough references to the old TV-series, as I really don’t remember it all that well. But StripeCAT is my nom de guerre and I’m a good supporting role, with plenty of experience with web hacking and network (in)security. I know my way around Kali Linux, Burp Suite and Metasploit.

FX
Working in the same company as dnov and specializing in webhacking and security analysis.

Zaffner
General profile with experience in a number of different areas.

A journal of sorts… Because, why not?

Saturday, the 26th of September

10:00 woke up late and spoke to my mother over the phone. Got on an uber to a music store in Järfälla to get my new mixing console. An errant soldering job had swiftly killed the one I had.

12:00 connected the new mixing console and patched the compressor into it. This made it possible to get sound to my rig. A good thing when you’re in a teleconference. Due to Corona, I decided not to go to the location where the others were gathering.

Look at it! It has blinky lights!!!

Made contact with the team on Slack. CrashOverride offered to come and get me into the building, until I pointed out I’m working from my home.

Thunderbirds are go!

12:30 updated Kali Linux on my main PC as a virtual machine. Also had a real laptop with Kali on standby. “All events random favor the prepared” and all that.

13:00 ordered some food and made sure everything worked. At this time everyone in the team had arrived, with FX being the last to enter the room.

14:00 dnov was frantically smashing the “F5”-key to reload the CTF website, waiting for it to start. And sure enough, the challenges appeared on time.

We all started working. Zaffner took the first flag. Just a few seconds before I did. This is not a good thing, as it meant he missed that I was working on it. But dnov soon started coordinating the challenges so we would not work on the same ones unless cooperating. Doing so would otherwise make us lose valuable time.

The first tasks went down easy.

Who is a good doggie? You are! Yes, you are! (kinda used that joke already in this blog)

I fed a total list of all existing breeds of dogs into Burp suite and solved a very weird flag involving trying to figure out how to get a web app to give out information to some kind of dog collar that a normal user should not be able to get. It worked and I got a good laugh out of it.

The others worked through cryptography and reversing. One task spewed out simple arithmetic questions that had to be solved within a few seconds. CrashOverride and Dnov quickly wrote a script to do so and the flag was caught.

FX and Zaffner looked into the arguably convoluted mess of a Javascript that held the secret to one of the flags.

I wrote a script to recursively open encrypted zip archives, but CrashOverride mistakenly solved it before I was done. Having lost two flags because the others failed to note that I was on them made me a bit irritated, so I told them in no uncertain terms to start keeping track of who is doing what. No more incidents after that, but my outburst probably rendered this choice of emoji representing me on Twitter from dnov:

Hacking while annoyed.. That’s not illegal, is it?

… I find that highly amusing… 🙂

The afternoon went on and we steadily captured the flags. At one point we were ranked as number nine among the 152 competing teams and this energized us even further.

The 90s rave culture never really died. Aciiiiiiiid! I’m still trying to figure out if Dnov chose the emojis at random or if he is trying to tell us something.

The remaining tasks were harder and it was pretty clear that the tasks on the right side of the list were the really hard ones. Each flag gives the team and the member points. The points decrease over time as others solve them as well. So looking at tasks that still have the full score you will see that no one else has been able to solve them either…

What the Sam Hill am I looking at here? Does this require a degree in SCADA protocol analysis? Yes, actually, it does! Who said things should be easy?

In the evening we ordered pizza and the team took a short break.

9 pm The night was looming and we were frantically trying to solve the last challenges. The final minutes had me and CrashOverride fighting with a very obfuscated javascript mess to find a flag.

10 pm All is over and the final score is in. We did quite well, but no prizes coming our way. 17th place, that rocks!

The aftermath

CrashOverride’s graph over all teams. Not bad, not bad at all. But next time, let’s go for gold!

So… Did we do it well? Heck, yeah! But we also had fun and learnt a lot along the way. Much obliged.

The good

  • A brand new team that had no problems getting into high gear.
  • We hit the ground running.
  • No real technical problems on our side. Except maybe with Zoom.

The bad

  • Took a while before we started helping each other on a regular basis. At first everyone was focused on their tasks.

The ugly

  • The test environment provided by FOI was a bit flaky at times.

The links

CrashOverride’s own write-up (In Swedish):
https://github.com/dansarie/FOI2020CTF/blob/master/README.md

For the love of radio

The year was 1994, and as you can clearly see, I had already amassed an impressive amount of audio equipment.

I am not sure, but I believe it was in 1984 when my audio/radio romance began. It happened, as almost all my life-changing events do, by mere coincidence. I went with my mother to an infamous, now defunct, flea market here in Stockholm and bought some antique 8mm movie equipment. Once I got home, I found out it was “double 8”, which I could not use with the films I had. The salesperson was reluctant to give me a refund but offered me something else worth the $20 (200 SEK) I had paid for it. Not knowing what to do, I pointed to an old open reel tape recorder. Once I got it home, I got a cheap microphone from an electronics store and set the whole thing up. My first recording was some chirping birds outside the window.

As I got several old vinyl players, a cassette deck and an amplifier, I built my first own radio studio and recorded several radio shows with my very uncooperative neighbors, a few kids my age. They mostly did not want to say anything and asked me not to disturb them as they were busy reading comics. I was already obsessed with audio and radio, and that never changed. The tapes are long lost, but they were not really that much of a masterpiece anyway. One of the shows had me shouting “I’m besieged” when I could not keep my brothers from entering my room. Also, I did not know how to pronounce it, as I had only seen it in text. So, I shouted “I’m bes-eye-jdged”.

At night I slept with a radio in my bed, listening mostly to Swedish Radio Program 1 (P1). Sometimes the shows could be scary as they dealt with getting old and dying and that was no help with my sleep, that much I can tell you. I also remember tuning into Radio Luxemburg or listening to Swedish community broadcasts from SAF Radio City.

A logotype I made for the school’s radio station. It was used on the stationery I sent to them with the new jingles and probably ended up in their circular files. Geek points if you can tell which old Amiga game I got some of the graphics from.

In 1991 I enrolled in upper secondary school in Sweden (Brännkyrka gymnasium) and they had a couple of older students running a radio station called Radio B.R.I.E. I was hooked and listened every Wednesday through a home-built receiver.
Over the years, I tried to join the radio team. At first, they were interested, but I had a habit of being more than just a little bit into doing things my way, while being very energetic and not listening to what other people said (I got much better over the years 🙂 ). I believe they eventually didn’t really want me to join after all. But I remained a loyal listener and purveyor of “creative” jingles, made on my Amiga 500. They put some of them on the air, mostly to be nice to me. You know, those jingles were… to put it mildly… not so good.

In 1994, I saw an ad for a community broadcasting activity for teenagers (and I was one of them, back then!). I joined them three times and every time made a new show that was heard over 95,3 MHz here in Stockholm in Sweden. I did not speak on the first show as I was the audio engineer, a job I loved beyond belief. The second one was the same, with two guys from school that spent most of the time joking and telling rude stories. They interviewed a person talking about Leonardo da Vinci but spun out of control when she spoke about his sexual habits. The result was borderline catastrophe and it just had to be put on the air. The third session was just me and some BBS sysops talking about all the unjustified fear mongering that was going on about our dear BBSes. The radio studio was shut down that same year.

But at the same time, around February 1994, I was also involved in broadcasts on Radio Sydost 101,1 MHz. This was cut short after a month when they lost their studio due to unpaid dues.

In 1995 another project I had started finally came to fruition. I had long wanted the Swedish federation of young scientists (Förbundet Unga Forskare) to start broadcasts here in Stockholm. And on the 26th of February 1995, it went on the air on 88,9 MHz with the program “Radio Unga Forskare”. We were also one of the first broadcasters in Sweden providing on demand streaming in 1997. Today, this phenomenon still exists, but is now known as a podcast. We used to put out science shows and had a team of scientists and students doing weekly clips that ran on the radio and on the Internet.

Me in the foreground recording a science show with four of the science team.

In 1995 I took an old essay I wrote as a school project and started spreading it over the bulletin board systems of the day, while adding more text to it. This essay covered audio engineering and community broadcasting here in Sweden. The title of it alluded to the sci-fi book series “The Hitchhiker’s Guide to the Galaxy” and was thus called “The audio engineer’s guide to the galaxy” (Ljudteknikerns guide till galaxen). For a number of years, it was really popular. But it’s just an archive now, I guess.

This is a story all by itself, but it ended in 2006, as I had no more time and wish to continue. At our height, we had 10-15 persons regularly contributing to keep the station running.

After that, I found my love for listening to radio rekindled as streaming radio was becoming a common thing. Then I bought a CB radio kit and found it to be quite boring as no one really was on the frequencies. In 2011 I took the step and finally became a radio amateur (ham radio). I took up shortwave listening but lost interest as the number of stations dwindled.
During all this time I dreamt about starting a YouTube-channel.

In 2018, a friend tried to get me to start a podcast with him. This DID happen, and as I write this, it’s still running.

Me trying a webinar format on the pod. This was interesting, but we soon went back to just using audio.

The podcast, IT-säkerhetspodden, has been quite a journey. While a fairly popular niche podcast in itself, it has taught me and Mattias a lot about interviews, audio editing, microphones, writing better texts, meeting people, using social media to get listeners and web site design. Not to mention digital imaging and keeping everything running during halfway impossible deadlines.

My podcast cohost (or am I the cohost?) Mattias Jadesköld talking to Matilda Sjöstrand, who works at Swedish cyber security company Sentor and who is also involved in a project to protect women from digital violence (Yes, that is a real thing!)

In September 2020 I bought the software “Playit live” and set up a real 24/7 radio station with a lot of old Amiga music, professional jingles (Yes, I finally know how to make jingles that don’t suck!) and funny little messages from me.

It runs itself. Unless the computer dies or something really bad happens.

It runs on an old PC located on my balcony. You can listen to it here. It has been a lesson in how to properly format a station with clocks, schedules, recurrence and Internet streaming.

So I have in some capacity been into nearly all radio there ever was. As a broadcaster, as an avid listener and as an engineer. It should be told, though, that I have never held a paid position in the business.

As I listen to my oldest shows and to what I do today, it is clear I have really improved. Anything else would have been strange, so all those years listening to radio, creating radio and recording the spoken word has really given me something.

On my surgery table: an Amiga 3000

Knee deep in the dead… This machine was quite an experience.

A few days ago, an opportunity came my way: an Amiga 3000 appeared on a retrogroup I often read. I just had to have it. A few days later, I boarded a train to a small city in the middle of Sweden.

Me on the train to somewhere…

The journey was uneventful. It was very nice to meet Mats, the seller, who has a big garage as the ultimate man cave filled with pretty much everything Commodore ever created. At the station on the way home, I came across an old engineer and we spent 1½ hours discussing power distribution, gas power, nuclear ditto and memories from Sweden’s past.

When I came home and hooked everything up, I was met by this.

Ehh… Where’s that hand with the diskette???

I have never seen something like this before. Clicking on either of the “Floppy” buttons led to the computer asking for a super kickstart.

–“What, isn’t the regular one, you already have enough?”.

Actually, I had already figured it out. This computer requires a kickstart boot ROM on disk. Googling it revealed this to be true. The first Amiga 3000 had a hardware kickstart boot ROM that was incomplete. It wasn’t the old 1.3 or the new 2.04. Rather it was known as Kickstart 1.4 and that’s what is on the screen. It needs to have a file of either 1.3 or 2.04. The hard drive was dead, so it could not supply one. Hence this screen crying for help.

But where to get a super-kickstart disk? Well, Mats the seller had provided me with a diskette he said could boot the system. It didn’t work. So I decided to put it in my Amiga 500 to see if it was ok.

Abort! Aaaaaaargh!!!

I might have been the lamer here, but the antivirus saved me. Trying to scan the disk further revealed that the Saddam Hussein-virus was present as well.. Party on, dudes…

Right. This is a bit problematic. The disk was put in a biohazard container and will be delivered to SIPRI tomorrow..

The retro group on Facebook delivered the solution after I posted a request for one of those pesky “superkickstart” disks. Turns out Cloanto sells those as a file for AmigaForever. Finally a breakthrough.

I generated the 2.04 disk and inserted it into the computer and it promptly started to boot with it. After that I got the nice boot image.

Who’s a good doggy? You! Yes, you are!

This is where my luck ran out. It just wouldn’t boot. I popped the WB 2.04 disk into the diskdrive. Nothing happened. Giving the keyboard the three finger salute (Ctrl-Amiga-Amiga) did work! Then Workbench started up just fine.

It was pretty soon clear to me what was going on. The diskdrives would happily read any disk that was inserted at the time the computer warm started, but would then never detect when disks were later removed or added.

Googling the problem didn’t help as I came up empty… And that’s where I am right now.

I have not given up, but for now, the work has been postponed, as I have a radio station to set up.

More to come…

The anatomy of an attack

The email that started it all. Sounds very legit, but clearly isn’t. Hint: hover over the link if you get this mail!

(Updated at 2020-09-19 19:13) – Good news, everyone. bxsmail.com is not responding anymore. Could one hope Telia booted Mr Spammer off the net? Probably just a minor setback until he finds a new place to send his crap from. Pyrobee.com is, alas, still up and running. Why, oh why…?

How the journey began…

On Friday the 11th of September I found an email in my junk mail folder. That in itself is nothing special, but this particular spam stood out. It was in Swedish, without the usual auto-translated mess that those are well known for. It simply said (translated from Swedish):

Hi

Thanks for the last time, here are the statistics you wanted. I hope you’ll receive this mail before going home for the day.
<Link to what looks like tillvaxtverket.se, but really sends you to a malicious site>

[I] believe it rather clearly shows what we thought from the start, and that is that there is a large lack of available talent in the rural communes. The question is what could be done about it on a regional level.

The Swedish original:

From: Magnus notification@bxsmail.com
Sent: den 11 september 2020 21:35
To: Erik Zalitis erik@zalitis.se
Subject: Jag tror det var detta du ville ha

Hej

Hoppas du hinner få mailet innan du går hem idag.

hxxps://tillvaxtverket.se/statistik/vara-undersokningar/kompetensforsorjning/2020-04-24-kompetensforsorjning-i-landsbygder.html

Tror den visar ganska klart det vi trodde från början att det är stor brist på kompetens i de större landsbygdskommunerna.
Frågan är vad man skulle kunna göra åt det regionalt.

/Magnus

I racked my brains trying to remember ever having spoken to someone at Tillväxtverket about something that would warrant this response and came up empty handed. I quickly Googled and what I found made me suspect it was some kind of fraud or spam. I posted my preliminary findings on “Säkerhetsbubblan”, a Facebook group dedicated to IT-security discussions.

At this time I was quite curious about what was going on and started tracing the sending system down. The mailheaders were clear on the matter.

Ok, got it… server.bxsmail.com

The IP was recognized almost immediately by me, as I used to work at Swedish telecom provider Telia back in the day, and sure enough, it was them.

Hallsberg does not sound as a center of cybercriminal activity, especially when…

The post code is easy to put on a map:

A typical war zone in Sweden. A few day care centers for children and small suburban housing. This is where the hacker roams freely…. or maybe not. Seriously though, it’s probably located on someone’s home network, directly connected to a consumer Internet broadband connection operated by Telia.

One click on this link and you’re toast…

Let’s take a look on the seemingly innocent email (you should know better now, though):

One-click selling of your identity… Ain’t life grand?

Hovering over the link in the email shows you where it really goes. The link leading to the Tillväxtverket site uses an old trick, where the displayed link does not correspond to the one you’re actually clicking on (see picture above!).

Weirdly named proxy “Burp suite”, shows exactly what happens over the wire when you click the evil link like there was no tomorrow.

As you ask…
… ye shall receive…

This fake link instead leads to a server for the domain pyrobee.com, which is located in Germany. The reply-to address in the mail also points to info@pyrobee.com. The IP information for this site is as follows.

Details for 78.46.65.196
Decimal: 1311654340
Hostname: host2.sitedns_se
ASN: 24940
ISP: Hetzner Online GmbH
Organization: Hetzner Online GmbH
Services: None detected
Assignment: Likely Static IP
Continent: Europe
Country: Germany
Latitude: 51.2993 (51° 17' 57.48" N)
Longitude: 9.491 (9° 29' 27.60" E)
[Geolocation map image of Germany and its neighbouring countries]

If you somehow doubt they are malicious, note the abuse-link provided in the mail:

Ah.. Mr Bond, that was a bad move, now we know you’re trying to thwart our nefarious plans.

OH!! They have a Facebook presence too… How “I’m just a serious business owner” of you.

Aint nuthing but us chikkuns in here… Sez the fox… The farmer is not amused…

And for my final trick, I’m going to pull a rabbit out of my hat. Or rather, disclose the identity of the spammer. He seriously has his REAL name on the Facebook group above. A fast check shows that he lives in the exact same area and in the same zip code as the bxsmail.com server is located.

This links him to the Pyrobee.com-server AND the bxsmail.com-server. So it’s a wrap then? We’ll see.

What about them servers?

So, back to the server in Sweden, server.bxsmail.com. What is it running? Quite a lot actually.

Port    Protocol  State  Service         Version
21      tcp       open   ftp             vsftpd 3.02
22      tcp       open   ssh             OpenSSH 7.4 (protocol 2.0)
25      tcp       open   smtp            Exim smtpd 4.93
53      tcp       open   domain          (unknown banner: get lost)
80      tcp       open   http            nginx
465     tcp       open   smtp            Exim smtpd 4.93
587     tcp       open   smtp            Exim smtpd 4.93
2020    tcp       open   xinupageserver
2525    tcp       open   smtp            cbdev cmail smtpd
3306    tcp       open   mysql           MySQL 5.5.65-MariaDB
8083    tcp       open   http            nginx

An open MySQL port, a nasty DNS that tells me to get lost and god knows what port 2020 is about. The web server has little to say:

Did you forget to remove the shrink wrap?

We can go no further as this would constitute an intrusion, and I’m strictly a white hat.

Analysis

Given what we know:

  • The link in the email takes the user clicking on it on a detour to pyrobee.com, a server in Germany, and then automatically bounces the unwary user to Tillväxtverket. This way, it will look legit. The link carries what looks to be an identifier, most likely connected to the email address the mail was sent to. Thus the pyrobee.com server will know who clicked on the link.
  • Most likely this gives the hacker a list of people who clicked on the link and who can now be further investigated and targeted for phishing attacks in the future. Caveat emptor: don’t click the link! (Unless you’re like me, curious and want to see what happens..)
  • It’s impossible to say if this attack was aiming to target Tillväxtverket in any way or capacity, or if they were selected to give the attack itself a semblance of credibility.
  • The server sending the email is barely configured at all, and only the services needed to send the emails seem to have anything more than just a minimal “dial tone” setup.
  • It’s likely not secured in any meaningful manner. I cannot, as I stated, investigate this any further.
  • The server in Germany uses a template that teases with stuff like podcasts and a blog, which in reality do not exist. It’s kind of a good thing to remove services featured on the template by default if you don’t intend to offer them. Looks more serious that way.
  • Real advertising campaigns often work exactly like this, but they generally don’t use badly built servers running on someone’s home broadband connection and then redirect you to another, barely set up server in Germany. Also, they DO NOT SEND spam that tries to fool you into thinking the message is an answer to a previous discussion with the sender that obviously never happened.
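The two tells above (a link whose visible text names one site while its href goes to another, and a per-recipient identifier in that href) can be checked automatically before anyone clicks. The following is an added example, not code from the original post; the mail body and the domains `legit-site.example` and `redirector.example` are constructed stand-ins for the Tillväxtverket link and the pyrobee.com detour.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample mail body, modelled on the spam discussed above: the
# visible text shows the legitimate site, the href points at a redirector
# and carries an id that looks tied to the recipient address.
SAMPLE_HTML = """
<p>Read more at <a href="https://redirector.example/go?id=a1b2c3d4">
https://legit-site.example/</a></p>
<p><a href="https://legit-site.example/">Genuine link</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return links whose visible text looks like a host/URL on a different
    domain than the href, together with any query parameters on the href
    (a candidate recipient identifier)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        # Plain words such as "Genuine link" have no dot and are skipped.
        if shown and "." in shown and shown != actual:
            params = sorted(parse_qs(urlparse(href).query))
            findings.append({"shown": shown, "actual": actual,
                             "tracking_params": params})
    return findings
```

Run `suspicious_links(SAMPLE_HTML)` and the first anchor is flagged with `shown` and `actual` differing and `id` listed as a tracking parameter; the second anchor passes.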

Time line

2020-08-07 – The domain bxsmail.com was registered. It’s probably around this time the mails started appearing.

2020-09-11 – I noticed the mail, that was sent to my private email address, in my junk folder and started to investigate the matter. Had to stop due to needing to sleep.

2020-09-11 – Asked Telia to shut the server in Sweden (bxsmail) down.

2020-09-12 – Sporadic work in spare time during a trip to another city in Sweden.

2020-09-12 16:12 – completed the report after some questions were asked and then added new stuff I found.

2020-09-12 16:23 – reported Pyrobee.com to their upstream provider’s abuse department.

2020-09-12 17:xx – reported spam to spamcop.

2020-09-13 19:xx – They have now created more domains with servers: ettmoln.com and merkurex.com. Probably not a complete list, but I will update as soon as I learn more… Their weak point is pyrobee.com. Take that down and they will have nothing going on.

2020-09-12 22:31 – The identity of the owner of all the servers has been found. He wrote it on Pyrobee’s FaceBook-page. The name is Magnus, but I will not write his whole name here as to stay within the Swedish law. He lives exactly in the same postal code (zip code) area where the bxsmail.com server is located. I have a hard time believing this… Really takes the cake.

2020-09-14 – Right, I was told by the German abuse department that they will not process the report unless they can tell the owner about it. That will effectively send this link to the guy behind all this. Who said life should not be interesting?

Evidence and other material

The spam mail, complete with all headers:
https://erik.zalitis.se/files/spam.txt

Thanks

Malin Ekström for spotting a thing I missed.
The rest of the “Säkerhetsbubblan“-Facebook group for aiding me in my research… You guys and gals rock.

My burp just barfed

Burp suite, as painted by Picasso. Not rare at all amazingly enough and not valued for its intrinsic artistic skills.

Update 2020-09-28: Answer from Burp suite support:

Screen redraw issues have appeared on various Windows versions when custom scaling has been adjusted in the display settings. Have you adjusted the default scaling behavior at all? If so, can you try returning that to the default setting? Additionally, can you try adding the following options to your VMOPTIONS file? This can be found in the installation directory.

1: -Dsun.java2d.noddraw=true
2: -Dsun.java2d.d3d=false
3: -Dswing.useflipBufferStrategy=True
4: -Dsun.java2d.ddforcevram=true
5: -Dsun.java2d.ddblit=false

You can add them in order until the issue disappears or add all of them at once.

https://forum.portswigger.net/thread/gui-graphics-corruption-at-random-intervals-14765ccb

Is it just me, or is this a common thing? It kinda makes my pentesting experience quite dull. The only resolution is to restart the program if you can find out how and then you lose a lot of your progress. Thanks a bunch…

What’s happening here? Well, this problem occurs after a few minutes or hours. The window seems to “break apart” and the different pieces move around as you move your mouse or …. worse… click around.

When you stop the program, it sometimes seems to corrupt the saved file and you could easily lose days of work.

It stopped being funny a long time ago…

Ok, sorry, it is still funny. But the joke is in increasingly getting darker as time goes by.

In the 50s and early 60s mass media were tightly controlled in the US. Movies were regulated under the Hays Code and television had severe restrictions. A lot of producers tried to work around the problem by using metaphors and innocent-looking euphemisms. Have you ever seen old movies where two lovers go into a room and then you see footage of trains going into tunnels for a while? Pretty obvious, right? But you couldn’t censor it, as it wasn’t dirty per se..

In 1959 the Twilight Zone made its debut. Created by Rod Serling, it explored love, hate, mysticism, racism, intolerance and inequality in the guise of science fiction. One of the most well-known episodes was “The Monsters Are Due on Maple Street”. The whole story starts with a sudden loss of power and as people get more and more scared, they start accusing each other of being behind the whole thing. Friends become enemies and everyone is potentially a spy or a saboteur. It ends with a person getting shot, and then we get to see a number of aliens watching from afar. They note how easy it is to destroy the fabric of society and civilization. The realization is that they can use this to destroy the human race without ever having to attack them with real weapon power.

This is probably based on the horrible experiences the Hollywood industry had during the McCarthy era and the ever-lingering threat that was the HUAC. But disguised as mere science fiction, Serling’s scathing criticism could easily pass scrutiny by the censors.

But even in societies that are generous with what can be said and written, this is often done to make people think. A seemingly cute story that in reality unmasks the government or societal norms is a very common theme in literature.

George Orwell does quite the opposite. 1984 has NO such thing as talking in riddles. It clearly exposes the very leadership it seeks to mock and ridicule. Or is that it? I actually get the feeling that the proper emotion at work here is hate, as Orwell was a jilted lover of a communist, who saw what the Soviet Union had become without understanding that it is the inevitable effect of all communism to destroy its own people.

The mysterious leader “Big Brother” is Stalin in everything but the name. He even has Stalin’s trademark oppression mustache™.

Today, we seem to live in a mix of the best and worst of times.

How many have you read/heard/seen? I’m almost at 100% here. Is that a good or a bad thing? Does all this make me wiser or more paranoid? Asking for a friend… I’m that friend.

In my opinion, we can scratch many of those above from “where western society is today”. I would say that the most fitting story is “Brave new world” with a few of the elements of “1984” and a small helping of “Fahrenheit 451”.

But they rest… Oh please…

  • Soylent green? NOOOO!!! Come on… Can you say death by Kuru-kuru?
  • Logan’s run. Maybe the “culture of youth/never trust anyone above 30”-theme, but that’s about it.
  • Brazil… Not here, but maybe elsewhere .. at some time..
  • The Matrix… Haha, you wish… I haven’t found the VMWare tools icon in real life yet…
  • Lord of the flies, obviously not. That story can never scale into large groups of society.
  • A handmaid’s tale. Maybe the only dystopia we’re actually leaving… Thanks!

Then yet again…

  • Animal farm. Yeah, sorta kinda. It was meant as a discussion on how naive people put power-hungry manipulators in charge and afterwards never really understood where it went wrong. It might sound strange, but it has happened before, I’ll have you know.
  • Gattaca, we could be going there some day. I’m looking at you Ancestry.com! … And everyone else who would fancy a global DNA-database.

My mind is an unquiet rambling one. I originally didn’t mean to write this text. I thought that putting this picture as a funny but still tragic epitaph over a world heading into that good night, would be good for a lark. It wasn’t…. And it never will be…

Automation joke


Consider this picture above… Good case for automation, but ultimately not appreciated by those that believe manual labor should be a punishment for … well… doing bad stuff.. 🙂

… And here it is in PowerShell… Hell yeah!