SSH Vandals?
I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never ending entertainment as you see confused script kiddies. The honeypot logs key strokes and is able to replay them in "real time".
In this particular case, the attacker logged in, and issues the following commands:
kippo:~# w 06:37:29 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 151.81.3.83 06:37 0.00s 0.00s 0.00s w kippo:~# ps x PID TTY TIME CMD 5673 pts/0 00:00:00 bash 5677 pts/0 00:00:00 ps x kippo:~# kill -9 -1 kippo:~#
-----------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
DigiNotar looses their accreditation for qualified certificates
Next to being a provider of SSL certificates (which most browsers now distrust), DigiNotar also issued so-called "qualified" certificates. These are used to create digital signatures and they are much stricter regulated that the run of the mill SSL and EVSSL certificates we all know from web servers and the like.
OPTA, the Dutch independent post and telecommunication authority - think of them as the regulator- , has terminated [in Dutch] the accreditation of DigiNotar as a certificate provider on Sept 14th, 2011. This pertains to their qualified certificates.
It's probably best to give a very short introduction on what qualified certificates, accredited providers are and why this is so important.
The EU has issued guidelines (Directive 1999/93/EC) that have been translated in local law by member states such as the Netherlands that establish legal value in digital signatures. There are a number of levels of trust in this from the legislators. Typically -local laws differ a bit sometimes, but they all implement the same concept- a digital signature is going to be -by law- equivalent to a manual one. At the lowest level a digital signature can be as little as writing your name under an email, but all remains to be proven in court afterwards. It gets more interesting on the higher levels: if the digital signature is proven to be a qualified digital signature, the equivalence to a manual signature is automatic (i.e. no discussion in court). But it still needs to be proven that the digital signature is in fact qualified. The ultimate level however are qualified digital signatures made with the means provided by an accredited provider. There the proof that the digital signature is qualified is automatic as well as it's done up front (in the audits of the accredited providers).
This all is guided under the ETSI TS 101 456 standard from a more technical point of view. This standard sets the requirements.
Since the means provided by an accredited provider can be used to create digital signatures that are almost only disputable if one proofs fraud, it's to all of us -esp those living or doing business in the EU- of critical importance that there are no rogue qualified certificates out there with our name on it as they carry such a high legal weight.
OPTA reports a timeline that's been mostly public knowledge except for their own actions and the interaction with DigiNotar and their auditors. The report concludes that DigiNotar was not only not acting in accordance to ETSI TS 101 456 on quite a few points, but also breaking the relevant local laws.
OPTA also names PriceWaterhouseCoopers as the (regular) auditors of DigiNotar, but does not go as far as to name them the ones that gave them the apparent clean bill of health on July 27th, 2011: "A number of servers were compromised. The hackers have obtained administrative rights to the outside webservers, the CA server “Relaties-CA” and also to “Public-CA”. Traces of hacker activity started on June 17th and ended on July 22nd". Which was later dramatically proven to be untrue.
OPTA reports there are about 4200 qualified (signing) certificates issued by DigiNotar. These will now have to be contacted by DigiNotar under supervision of OPTA. These certificate holders will have to seek another provider if they have not done so already.
The revocation as an accredited provider, also means that DigiNotar doesn't meet the requirements for their PKIOverheid activities anymore.
--
Swa Frantzen -- Section 66
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago