Last weekend, Eric Lawrence found that the Amazon Music app, like Zoom, can automatically be launched from web pages without any user interaction. The way this works is through a local web server, accepting HTTP requests from web pages to, for example, instantly launch the Amazon Music app to play a particular song. This bypasses the built-in safety net in browsers that seek confirmation from users before launching an application. The right way to implement this feature is to register and use a custom protocol handler.

Continue reading “Underscoring the “private” in private key” →

In 2017, while attempting to get some DRM-enabled video player to work on my Mac, I stumbled upon a hard-coded private key. The corresponding public key was used in a valid and publicly trusted Cisco certificate. This further piqued my interest in the internet PKI, and made me wonder how many private keys I would be able to find. In the months that followed I found and reported many hundreds of certificates of which the private key was compromised. In this post, I want to focus on one particular compromised key. 

Continue reading “A tale of private key reuse” →

A while ago I wrote an article about the lessons learned from protecting the business-critical domain names and DNS of my employer Blendle. It was recently mentioned in an article about an attack on the DNS of security firm Fox-IT:

The weakest link in the chain’ is an overused metaphor in security, but this attack once again shows DNS to be a prime candidate. For advice on how to make your organization’s DNS more secure, I recommend an article by Koen Rouwhorst, who writes about his experience securing the critical DNS of his employer Blendle.

Last month, I went hunting for security bugs in GitHub, a popular platform for sharing and collaborating on code. After spending many hours mapping out GitHub’s infrastructure, and testing for weaknesses without any significant results or leads, I shifted my focus to the service providers. This is a write-up about two of the issues I found, which both have since been addressed.

Continue reading “GitHub bug bounty hunting” →

Hacking Team, the ethically bankrupt Milan-based company that sells surveillance technology to anyone willing to pay, got hacked. The hack was announced in a tweet last Sunday on the firm’s own hacked Twitter account, accompanied with a link to a torrent file for a 400 GB archive comprising internal emails, financial documents and source code.

Continue reading “Dutch police are looking to buy Hacking Team spyware” →

 

Documents from the ICTR-NE (Information and Communications Technology Research – Network Exploitation) organisation at the GCHQ show that it operates a program under the name FLYING PIG that provides analysts with information about secure communications over TLS/SSL. The primary motivation for this program was the increasing use of TLS/SSL by GCHQ targets, according to one of the documents.

The documents, originally published by Brazilian TV program Fantástico in September, provide an insightful look into the program that allows analysts to query the vast repository of metadata about the world’s secure communications. In this article, I describe the program on the basis of some actual screen captures of its interface.

Continue reading “FLYING PIG: GCHQ’s TLS/SSL knowledge base” →

Today, someone pointed me at an article in Belgian newspaper De Standaard in which Karolien Grosemans, a Belgian MP of the New Flemish Alliance (N-VA), claimed the U.S. Army had read one of her emails. In this email she asked an expert for advice on a draft legislation on cyber attacks and security, hence the subject field of the email contained the words “cyberaanvallen” (cyber attacks) and “cyber security”.
Continue reading “No, the U.S. Army did not read the emails of a Belgian MP” →

On Tuesday I found that former Dutch certificate authority DigiNotar, known for its security breach in 2011, was briefly mentioned in a Globo video report about NSA spying on Sunday. I documented the finding in a few tweets and put the four frames (of the same slide) that mentioned the name DigiNotar together in an album. Because the slide was only partly visible I had a difficult time making any sense of it. So, I wrote down what I considered to be plausible:

From the part of the text that is visible I suspect at least NSA’s ‘Flying Pig’ was used in some investigation of the security breach.

Continue reading “No, the NSA was not behind the DigiNotar hack” →

In recent weeks, there was some fuss about a new agreement between digital book distribution platform eBoekhuis and connected vendors. This agreement obliges vendors to hand over previously-private customer information to anti-piracy group BREIN, should a purchased e-book at some point turn up on the internet (e.g. BitTorrent, Usenet, file-sharing sites). In order to trace a book back to the customer, a transaction code is watermarked into it. When I noticed one of the eBookhuis-connected vendors (i.e. Bol.com) started selling watermarked e-books, I bought one to see what this watermark would look like.

Continue reading “What an e-book watermark looks like” →

Last month the Guardian revealed the details of a GCHQ program called “Mastering the Internet”, aimed at vacuuming up as much internet data as possible. It emerged that the agency was able to tap into and store huge volumes of data drawn from fiber optic cables for up to 30 days. Friday German newspaper Süddeutsche Zeitung published the names (and secret code names) of the companies that have given the GCHQ secret unlimited access to their network of undersea cables.

Continue reading “Why Dutch internet users should be concerned” →