In 2017, while attempting to get some DRM-enabled video player to work on my Mac, I stumbled upon a hard-coded private key. The corresponding public key was used in a valid and publicly trusted Cisco certificate. This further piqued my interest in the internet PKI, and made me wonder how many private keys I would be able to find. In the months that followed I found and reported many hundreds of certificates of which the private key was compromised. In this post, I want to focus on one particular compromised key. 

Continue reading “A tale of private key reuse” →

A while ago I wrote an article about the lessons learned from protecting the business-critical domain names and DNS of my employer Blendle. It was recently mentioned in an article about an attack on the DNS of security firm Fox-IT:

The weakest link in the chain’ is an overused metaphor in security, but this attack once again shows DNS to be a prime candidate. For advice on how to make your organization’s DNS more secure, I recommend an article by Koen Rouwhorst, who writes about his experience securing the critical DNS of his employer Blendle.

Last month, I went hunting for security bugs in GitHub, a popular platform for sharing and collaborating on code. After spending many hours mapping out GitHub’s infrastructure, and testing for weaknesses without any significant results or leads, I shifted my focus to the service providers. This is a write-up about two of the issues I found, which both have since been addressed.

Continue reading “GitHub bug bounty hunting” →

Hacking Team, the ethically bankrupt Milan-based company that sells surveillance technology to anyone willing to pay, got hacked. The hack was announced in a tweet last Sunday on the firm’s own hacked Twitter account, accompanied with a link to a torrent file for a 400 GB archive comprising internal emails, financial documents and source code.

Continue reading “Dutch police are looking to buy Hacking Team spyware” →

 

Documents from the ICTR-NE (Information and Communications Technology Research – Network Exploitation) organisation at the GCHQ show that it operates a program under the name FLYING PIG that provides analysts with information about secure communications over TLS/SSL. The primary motivation for this program was the increasing use of TLS/SSL by GCHQ targets, according to one of the documents.

The documents, originally published by Brazilian TV program Fantástico in September, provide an insightful look into the program that allows analysts to query the vast repository of metadata about the world’s secure communications. In this article, I describe the program on the basis of some actual screen captures of its interface.

Continue reading “FLYING PIG: GCHQ’s TLS/SSL knowledge base” →

Today, someone pointed me at an article in Belgian newspaper De Standaard in which Karolien Grosemans, a Belgian MP of the New Flemish Alliance (N-VA), claimed the U.S. Army had read one of her emails. In this email she asked an expert for advice on a draft legislation on cyber attacks and security, hence the subject field of the email contained the words “cyberaanvallen” (cyber attacks) and “cyber security”.
Continue reading “No, the U.S. Army did not read the emails of a Belgian MP” →

On Tuesday I found that former Dutch certificate authority DigiNotar, known for its security breach in 2011, was briefly mentioned in a Globo video report about NSA spying on Sunday. I documented the finding in a few tweets and put the four frames (of the same slide) that mentioned the name DigiNotar together in an album. Because the slide was only partly visible I had a difficult time making any sense of it. So, I wrote down what I considered to be plausible:

From the part of the text that is visible I suspect at least NSA’s ‘Flying Pig’ was used in some investigation of the security breach.

Continue reading “No, the NSA was not behind the DigiNotar hack” →