Recent searches

No recent searches

Search options

Not available on photog.social.
photog.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for your photos and banter. Photog first is our motto Please refer to the site rules before posting.

Administered by:

Server stats:

246
active users

photog.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.3

#mitm

0 posts0 participants0 posts today
Replied in thread
Erik van Straten

@pierostrada

Not topping my shortlist in infosec.exchange/@ErikvanStrat, but:

3. Make backups. Multiple, stored at different physical locations.

4. Be prepared for account lockout.

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)10.1K Posts, 724 Following, 393 Followers · I BLOCK boosters of Auschwitz Memorial (reason: EN: https://infosec.exchange/@ErikvanStraten/114404158078811047; NL: https://infosec.exchange/@ErikvanStraten/114220546604058265). I may unblock them after some time (if they did not repeat). Independent 60+ Dutch security researcher. I hate injustice, propaganda and discrimination. I try to be as objective as possible. Mission: make the internet a safer place! Primary focus: #impersonation (i.e. when #authentication fails). Infosec: #passkeys #certificates #phishing #MFA #2FA #OTP #TOTP #DMARC #cryptography #PKI #androidPasskeys #accountLockout #ATO #accountTakeOver #privacy #clientSideScanning #CSS #domainNameLaundering #letsEncrypt #DV Other: #Gaza #Ukraine #covidApps #coronaMelder #coronaCheck #vaccination (I took anti-Covid jabs through 2024). Notes: • Don't auto-trust all of this. It may be a spoof, even if "I" say it's not (i.e. my account may be hacked). • Muting users of URL-shorteners (i.e buff.ly) on infosec.exchange.
#WebsiteNames#DomainNames#DotSeparator
Replied in thread
Erik van Straten

@adfichter : I'm trying to warn people for such holes.

Published earlier this month: heise.de/en/news/BSI-and-ANSSI (there of course is a German version as well).

It refers to a recent joint publication (in English) by the German BSI and the French ANSSI titled:

"Remote ldentity Proofing for EUDI Wallet Onboarding: Strengthening Assurance Against Evolving Threats"

(EUDI Wallet = European Digital Identity Wallet aka EDIW aka EUDIW).

It's about the risks of VideoIdent (getting bigger every day, see e.g. theverge.com/report/714402/uk- - not to mention AI).

However, like in their previous publication (PDF: bsi.bund.de/SharedDocs/Downloa) they ignore one HUGE risk: AitM's (Attacker in the Middle).

The unmentioned gaping security hole here are fake websites, where people are being directed to via falsified emails, SMS, chat app messages and possibly QR-codes.

Step 1️⃣:
————
Victim (contacts AitM site as instructed)
|
| "Please give me my EDIW"
v
AitM site: contacts site below and forwards
|
| "Please give me my EDIW"
v
True EDIW identity verification site

Step 2️⃣:
————
Victim
^
| "Please perform VideoIdent"
|
AitM site: forwards
^
| "Please perform VideoIdent"
|
True EDIW identity verification site

Step 3️⃣:
————
Victim
|
| VideoIdent showing victim
v
AitM site: forwards
|
| VideoIdent showing victim
v
True EDIW identity verification site

Step 4️⃣:
————
Victim
^
| "Something went wrong"
|
AitM site: stores victim's EDIW on their device
^
| EDIW
|
True EDIW identity verification site

The same may happen to people who are tricked into *authenticating* using EDIW on AitM websites.

@ellent

heise online · BSI and ANSSI warn against VideoIdent for the EU digital walletBy Stefan Krempl
#EDIW#EUDIW#AitM
Daniel Böhmer

Hey @hetzner I just registered as customer and clicked a virtual server on your site. The whole process was seamless and unbelievably quick! 👍

When setting up an OS image could you please display the #SSH server key in the Hetzner console? I couldn’t find it anywhere and reddit.com/r/hetzner/comments/ reads like others have the same problem, too.

I try really hard not to skip host key checking and eventually booted Ubuntu Live ISO and read my SSH host key manually.

#MITM#hostkey
Replied in thread
Kevin Karhan :verified:

@VXShare @StarkRG @jay @vildis @vxunderground OFC, if their corporate firewall didn't blocklist your domain, most #MITM-based "#NetworkSecurity" solutions and "#EndpointProtection" will checksum files and instantly yeet them into the shadow realm.

  • Researchers should OFC only run those said malware only for research purposes and on #airgapped, sanctioned systems but they need to get their hands on them in the first place.

And lets be honest: Like with chemistry and medicine, one wants to have a supplier that isn't shady af but actually transparent.

  • The "alternative" would be to go into some "dark corners" and risk getting something else entirely.
Insecurity Princess 🌈💖🔥

"If your reports don't feel safe, they won't tell you" — This is one of the clearest and most important pieces of advice I've heard for managers.

It's a perfect illustration of the "monster in the middle dilemma for navigating both social and organizational/authoritative power dynamics as a manager. Power dynamics are the monster in the middle — and if a manager doesn't actively work to mitigate that, they will fail to operate effectively as a manager.

It's not something anyone can fix or prevent, it's an inevitable, inescapable aspect of the management threat model.
#mitm

Kevin Karhan :verified:

@neil OFC it isn't technically feasible wothout #MITM'ing every connection and even then if people do proper #E2EE they can still do nefarious shit.

  • The problem are what people do to other people, not that they use the Internet for it!
Erik van Straten

Public key cryptografie voor leken

Het is een beetje behelpen met "ASCII graphics", maar in security.nl/posting/884482/Pub probeer ik, ook aan minder digitaal vaardigen, uit te leggen hoe asymmetrische cryptografie werkt.

Doe er uw voordeel mee, want deze techniek is een belangrijk fundament van de steeds verder digtaliserende maatschappij.

U leert hoe een digitale handtekening werkt en wat een digitaal certificaat is.

Veel te weinig mensen begrijpen dat goed, en dat bemoeilijkt een fatsoenlijke discussie over deze technieken enorm.

Big tech is de lachende derde: zij maximaliseren hun winsten terwijl alle risico's voor uw rekening komen.

#BigTechIsEvil#GoogleIsEvil#DVcerts
*
Erik van Straten

"Franse overheid voert phishingtest uit op 2,5 miljoen leerlingen"
security.nl/posting/881630/Fra

KRANKZINNIG!

Het is meestal onmogelijk om nepberichten (e-mail, SMS, ChatApp, social media en papieren post - zie plaatje) betrouwbaar van echte te kunnen onderscheiden.

Tegen phishing en vooral nepwebsites is echter prima iets te doen, zoals ik vandaag nogmaals beschreef in security.nl/posting/881655.

(Big Tech en luie websitebeheerders willen dat niet, dus is en blijft het een enorm gevecht).

#Phishing#NepWebsites#DV
Replied in thread
Erik van Straten

@aral :

I don't want to pay a cent. Neither donate, nor via taxes.

infosec.exchange/@ErikvanStrat

@TheDutchChief @EUCommission @letsencrypt @nlnet

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Attached: 1 image @aral@mastodon.ar.al : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites. They're the ultimate manifestation of evil big tech. They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks. DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks). Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website). However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake. Decent online authentication is HARD. Get used to it instead of denying it. REASONS/EXAMPLES 🔹 Troy Hunt fell in the DV trap: https://infosec.exchange/@ErikvanStraten/114222237036021070 🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: https://infosec.exchange/@ErikvanStraten/114224682101772569 🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: https://infosec.exchange/@ErikvanStraten/114224264440704546 🔹 Stop phishing proposal: https://infosec.exchange/@ErikvanStraten/113079966331873386 🔹 Lots of reasons why LE sucks: https://infosec.exchange/@ErikvanStraten/112914047006977222 (corrected link 09:20 UTC) 🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/. However, this gang is still active, open the RELATIONS tab in https://www.virustotal.com/gui/ip-address/13.248.197.209/relations. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/ @EUCommission@ec.social-network.europa.eu @letsencrypt @nlnet@nlnet.nl #Authentication #Impersonation #Spoofing #Phishing #DV #GoogleIsEvil #BigTechIsEvil #Certificates #httpsVShttp #AitM #MitM #FakeWebsites #CloudflareIsEvil #bond #dotBond #Spam #Infosec #Ransomware #Banks #CloudflareIsEvil #FakeWebsites
#Authentication#Impersonation#Spoofing
Replied in thread
*
Erik van Straten

@aral : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.

They're the ultimate manifestation of evil big tech.

They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.

DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks).

Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).

However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake.

Decent online authentication is HARD. Get used to it instead of denying it.

REASONS/EXAMPLES

🔹 Troy Hunt fell in the DV trap: infosec.exchange/@ErikvanStrat

🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: infosec.exchange/@ErikvanStrat

🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: infosec.exchange/@ErikvanStrat

🔹 Stop phishing proposal: infosec.exchange/@ErikvanStrat

🔹 Lots of reasons why LE sucks:
infosec.exchange/@ErikvanStrat (corrected link 09:20 UTC)

🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): newly-registered-domains.abtdo. However, this gang is still active, open the RELATIONS tab in virustotal.com/gui/ip-address/. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: bleepingcomputer.com/news/secu

@EUCommission @letsencrypt @nlnet

#Authentication#Impersonation#Spoofing
Replied in thread
*
Erik van Straten

@troyhunt : if we open a website that we've never visited before, we need browsers to show us all available details about that website, and warn us if such details are not available.

We also need better (readable) certificates identifying the responsible / accountable party for a website.

We have been lied to that anonymous DV certificates are a good idea *also* for websites we need to trust. It's a hoax.

Important: certificates never directly warrant the trustworthyness of a website. They're about authenticity, which includes knowing who the owner is and in which country they are located. This helps ensuring that you can sue them (or not, if in e.g. Russia) which *indirectly* makes better identifiable websites more reliable.

More info in infosec.exchange/@ErikvanStrat (see also crt.sh/?Identity=mailchimp-sso).

Note: most people do not understand certificates, like @BjornW in mastodon.social/@BjornW/114064:

@letsencrypt offers certificates to encrypt the traffic between a website & your browser.

2x wrong.

A TLS v1.3 connection is encrypted before the website sends their certificate, which is used only for *authentication* of the website (using a digital signature over unguessable secret TLS connection parameters). A cert binds the domain name to a public key, and the website proves possession of the associated private key.

However, for people a domain name simply does not suffice for reliable identification. People need more info in the certificate and it should be shown to them when it changes.

Will you please help me get this topic seriously on the public agenda?

Edited 09:15 UTC to add: tap "Alt" in the images for details.

#DVcerts#Authentication#Impersonation
Replied in thread
Erik van Straten

@0xF21D wrote: "[...] something we technically knew was going on before but didn't consciously consider a threat, until now."

I've been warning for CDN's like Cloudflare and Fastly (and cloud providers in general) for a long time.

Here's a recent toot (in Dutch, the "translate" button should do the job): infosec.exchange/@ErikvanStrat.

If you trust Google to translate it (guaranteed NOT error-free, it *may* work in other browsers than Chrome): infosec-exchange.translate.goo

P.S. Fastly knows your infosec.exchange login credentials.

@malanalysis

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Attached: 1 image Risico Cloudflare (+Trump) 🌦️ Achter Cloudflare Steeds meer websites zitten "achter" het Amerikaanse bedrijf Cloudflare. Stel u opent https://pvv.nl (let op, daar staat https:// vóór, Mastodon verstopt dat) in uw browser: browser <-1-> Cloudflare <-2-> https://pvv.nl ⛓️‍💥 Géén E2EE Bij zeer veel websites (https://pvv.nl is een voorbeeld) is er sprake van twee *verschillende* verbindingen, dus beslist geen E2EE = End-to-End-Encryption (voor zover dat überhaupt nog wat zegt als de "echte" een cloud-server van Google, Microsoft of Amazon is). 🕋 CDN's Cloudflare, een CDN (Content Delivery Network), heeft een wereldomspannend netwerk met "tunnel"-servers in computercentra van de meeste internetproviders. Waarschijnlijk ook bij u "om de hoek". 🔥 DDoS-aanvallen Dat is werkt uitstekend tegen DDoS (Distributed Denial of Service) aanvallen. Ook zorgen CDN's voor veel snellere communicatie (mede doordat plaatjes e.d. op een web van servers "gecached" worden) - ook als de "echte" server aan de andere kant van de wereld staan. 🚨 Nadelen Maar dit is NIET zonder prijs! Cloudflare kan namelijk *meekijken* in zeer veel "versleuteld" netwerkverkeer (en dat zelfs, desgewenst, wijzigen). 🚦 Nee, niet *u* Ook kunnen Cloudflare-klanten allerlei regels instellen waar bezoekers aan moeten voldoen, en hen als "ongewenst" bezoek blokkeren (ook *criminele* klanten maken veelvuldig gebruik van deze mogelijkheid, o.a. om te voorkómen dat de makers van virusscanners nepwebsites op kwaadaardige inhoud kunnen checken). Aanvulling 14:39: { zo kan ik, met Firefox Focus onder Android, https://cidi.nl *niet* openen, ik zie dan een pagina waarin o.a. staat "Even geduld, de website van Centrum Informatie en Documentatie Israël (CIDI) is aan het verifiëren of de verbinding veilig is. Please unblock challenges.cloudflare.com to proceed." } 😎 Men In Black Omdat Cloudflare een (tevens) in de VS gevestigd bedrijf is, moeten zij voldoen aan de Amerikaanse FISA section 702 wetgeving. Dat betekent dat hen opgedragen kan worden om internetverkeer te monitoren, en zij daar een zwijgplicht over hebben. Terwijl Amerikanen al minder privacy-rechten hebben dan Europeanen, hebben *niet*-Amerikanen *nul* privacyrechten volgens genoemde FISA wet. 🔓 Knip Dat https-verbindingen via Cloudflare niet E2EE zijn, blijkt uit onderstaand plaatje (dat vast méér mensen wel eens gezien hebben). 📜 Certificaten en foutmeldingen Dat plaatje kan, zonder certificaatfoutmeldingen, ALLEEN bestaan als Cloudflare een geldig authenticerend website-certificaat (een soort paspoort) heeft voor, in dit geval, https://bleepingcomputer.com - en dat hébben ze. Voor MILJOENEN websites. 🛃 MitM Cloudflare (maar ook anderen, zoals Fastly) zijn een MitM (Man in the Middle). 🤔 De tweede verbinding? Uw browser heeft, grotendeels transparant, een E2EE-verbinding met een Cloudflare server. U heeft géén idee wat voor soort verbinding Cloudflare met de werkelijke website heeft (is dat überhaupt https, en een veilige variant daarvan? Wat doet Cloudflare als het certificaat van de website verlopen is? Etc). 👽 AitM En zodra een MitM kwaadaardig wordt, noemen we het een AitM (A van Attacker of Adversary). 🗽 Trump Als Trump Cloudflare opdraagt om geen diensten meer aan NL of EU te leveren, werkt hier HELEMAAL NIETS MEER en dondert onze economie als een kaartenhuis in elkaar. 🃏 DV-certs Dat Cloudflare een website-certificaat voor bijvoorbeeld https://vvd.nl of https://cidi.nl heeft verkregen, zou vreemd moeten zijn. Dit is echter een peuleschil "dankzij" DV (Domain Validated) certificaten (het lievelingetje van Google) die het internet steeds onveiliger maken en waar ook onze overheid "voor gevallen is" (zie https://infosec.exchange/@ErikvanStraten/114032329847123742). 😱 Nepwebsites Maar dit is nog niet alles: steeds meer criminele nepwebsites *verstoppen* zich achter Cloudflare, waar zijzelf (crimineel) geld aan verdient. Zie bijvoorbeeld https://security.nl/posting/876655 (of kijk eens in het "RELATIONS" tabblad van https://www.virustotal.com/gui/ip-address/188.114.96.0/relations en druk enkele keren op •••). #Risico #Economie #Cloudflare #Fastly #CDN #AitM #MitM #FISASection702 #FISA #ThreeLetterAgencies #Trump #Sbowden #E2EE #InfoSec #VVD #PVV #CIDI #VT #VirusTotal #DVCerts #DV #OV #EV #QWAC #CyberCrime #NepWebsites #FakeWebsites
#Cloudflare#MitM#AitM
Continued thread
*
Kevin Karhan :verified:

@torproject same with #obfs4 bridges: there is no option to say like ports=80,443 or similar, which makes it cumbersome to get said bridges.

And trying to get places to #DontBlockTor that criminalize the use of #Tor is foolish at best.

#germany#hosters#tos
*
Delta Chat

Isn't it poetic and ironic that out of all possible time lines we are in one where #securejoin #openpgp protocols on top of the existing #email protocols offer the arguably most solidly scaling, useable, world-wide federated end-to-end encrypted messaging reality, safe against compromised #mitm servers? Hundreds of billions spend to create "the email successor" and here we are in 2025 .... #interoperable #email and #cryptography as the tortoise looking at Achilles through the back mirror :)

Live feeds
About