Leaking Your Customer Names and Tracking Numbers

Well, this seems like a big and “major f*ckup”!

A recent Kickstarter campaign has leaked the names of all backers (users who have financially supported the campaign) together with all the tracking numbers. The data resides in a public Excel file on MediaFire and has over 1404 entries.

They tried to identify backers that have not yet sent in their address, and sent out an email to everybody:

Dear all backers,
Thanks for all backers again, have a nice day!

Until now, in addition to the customer did not give us the address, almost all parcels have been sent out, please click the link below to download all information and then queries the back name corresponds to your tracking number.

https://www.mediafire.com/folder/1s[CUT FOR REASONS]8f/Documents

If you can not find your name, please send an email to tell us your backer number or backer UID (sale020@mileseey.com), we will check it for you.

The link was not working on Sunday; a quick look at the comments shows that other users are also taking issue with dTape leaking that data:


And there is also a link to the Excel sheet:


With the tracking numbers you can identify the city the package was sent to, once it is delivered (mine is currently stuck at customs in Zurich :-)).


The campaign owners have not yet responded to the criticism, and neither has Kickstarter.

vulnerability.ch now HSTS preloaded

As of September 8th, 2015 this website has been added to the HSTS preloading list of Google Chrome. I expect Firefox to follow soon. This ensures that all connections from your browser are sent over HTTPS, even when you try to connect to http://vulnerability.ch.

You can check the HSTS settings in Chrome under: chrome://net-internals/#hsts

How to add your site to the list

  • Add the following header to your site:
    Strict-Transport-Security:max-age=31415926; includeSubDomains; preload
  • Submit your site at “HSTS Preload Submission” and wait.

In Apache’s httpd you can, for example, add this line to your .htaccess file (on a shared server) or to your httpd.conf (on a private server):

Header set Strict-Transport-Security "max-age=31415926; includeSubDomains; preload" env=HTTPS

Preloading also prevents you from visiting the site while ignoring a certificate warning: Chrome no longer lets you click through such a warning on a preloaded domain.
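To check a header value against the preload requirements before submitting it, here is an added example (not from the post and not hstspreload.org’s own code): it parses the Strict-Transport-Security value and lists whatever would fail. The one-year minimum for max-age is today’s hstspreload.org requirement; the 18-week minimum is the one that applied when this post was written, so the post’s value of 31415926 passes the old rule but not the current one.

```python
import re

# hstspreload.org's current minimum for max-age is one year; when this post was
# written the minimum was 18 weeks. Both are kept so the post's value can be
# checked against either rule.
PRELOAD_MIN_MAX_AGE = 31536000
PRELOAD_MIN_MAX_AGE_2015 = 10886400

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.
    Directive names are case-insensitive (RFC 6797) and values may be quoted;
    a missing or non-numeric max-age is stored as None."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        directives[name] = value if value else True
    max_age = directives.get("max-age")
    if isinstance(max_age, str) and re.fullmatch(r"\d+", max_age):
        directives["max-age"] = int(max_age)
    else:
        directives["max-age"] = None
    return directives

def preload_problems(header_value, min_max_age=PRELOAD_MIN_MAX_AGE):
    """List the reasons the header would fail the preload checks; [] means it passes."""
    d = parse_hsts(header_value)
    problems = []
    if d["max-age"] is None:
        problems.append("max-age missing or not an integer")
    elif d["max-age"] < min_max_age:
        problems.append("max-age %d is below the minimum %d" % (d["max-age"], min_max_age))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

if __name__ == "__main__":
    header = "max-age=31415926; includeSubDomains; preload"   # the value used in the post
    print(preload_problems(header, PRELOAD_MIN_MAX_AGE_2015))  # passes the 2015 rule
    print(preload_problems(header))                            # too short for today's rule
```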


Google’s BeyondCorp and some Thoughts

Google Logo in Zurich

One of the big news stories last week was the Wall Street Journal article reporting that Google has “given up on their internal network” and is moving its business applications to the internet (called BeyondCorp). The reason behind this is that they no longer see the internal network as private or protectable. With today’s adversaries, malware and the general lack of security awareness among users, they can no longer really justify a private network. Instead they have developed more secure and robust applications that can be accessed over the internet from practically any point in the world. However, some important limitations still exist. The connecting device must be under Google’s control, which means that the system cannot be compromised and has to be secured, maintained and in generally good health. Once that has been verified, the user can be authorised over a secure connection and granted access to the application. This is a dream come true. Why run a private network when all your apps are built with security in mind and you have full control over the devices accessing your services and data?

However, keep in mind that Google is in a very, very unique position. They practically control the whole stack: the operating system (Android for mobiles, Chrome OS for laptops), the browser (Chrome) with all its security features (e.g. certificate pinning, strong encryption, automatic updates), the HTTP protocol (SPDY/HTTP2), the network layer (Google Fi, Google Fiber, their own dark fiber), their custom-built web server software and their unique application architecture and data centers. And where they rely on third-party software (e.g. Mac OS X), they have invested a huge amount of resources in aligning that software with their needs.

I will be eager to see how this works out for Google and for the other companies trying to build the same. And again, it has its perks. I am just not sure it is a fit for all companies out there.

PS: I find it funny that the story is being treated as big news. There are presentations available, that show the concept and work as early as 2013 – and the quoted paper was published in 2014.

“You order form:[RANDOM] from 06/05/15 recived;” Attachment Analysis


Today I came across a rather interesting message. The mails were received with different subjects, random company names in them as well as random attachment names. The attachment is a Word document with the “*.doc” extension (never a good sign). A quick analysis shows that the Word document contains a macro script which, when executed, downloads a text file from Pastebin.com.

That file in turn contains a macro script that downloads an executable file from an IP hosted in Russia. Until 8pm CEST that file was undetected by most anti-virus scanners on VirusTotal.com, but it is now identified as Dridex, a common information-stealing trojan (e.g. also for banking credentials). The downloaded file also changes regularly during the day.

I suggest deleting the message from your inbox and running a scan with a freshly updated anti-virus scanner.

The config seems to be available on this Pastebin: http://pastebin.com/raw.php?i=N54GBRnu
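A quick triage check of the kind described above, as an added example that is not from the post: it flags a .doc attachment that is an OLE2 container, carries the UTF-16LE storage names a VBA project leaves in the raw bytes, and embeds an http(s) URL (ASCII only; a paste-site host counts as a stronger signal). The sample bytes are constructed, not a real document, and the Pastebin id in them is a placeholder.

```python
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of every OLE2 (.doc) file
# Directory entry names inside an OLE2 file are UTF-16LE, so a VBA project
# leaves these wide strings in the raw bytes even if the directory is not parsed.
VBA_MARKERS = {name: name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros", "VBA")}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# Paste sites are a popular place to host the next stage; treat a hit as a stronger signal.
PASTE_HOSTS = (b"pastebin.com",)

def triage_doc(data):
    """Return a dict of quick findings for the raw bytes of a .doc attachment."""
    findings = {
        "is_ole2": data.startswith(OLE_MAGIC),
        "vba_markers": sorted(n for n, marker in VBA_MARKERS.items() if marker in data),
        "urls": sorted(set(u.decode("ascii") for u in URL_RE.findall(data))),
    }
    findings["paste_site_url"] = any(h in u.encode() for u in findings["urls"] for h in PASTE_HOSTS)
    # OLE2 container + VBA project + embedded URL is the pattern seen in this campaign.
    findings["suspicious"] = findings["is_ole2"] and bool(findings["vba_markers"]) and bool(findings["urls"])
    return findings

# Constructed sample: an OLE2 header, a wide VBA project name and a placeholder
# stage-2 URL. It is not a real document and contains no runnable content.
SAMPLE = (OLE_MAGIC + b"\x00" * 16
          + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8
          + b"http://pastebin.com/raw.php?i=PLACEHOLDER" + b"\x00" * 8)

if __name__ == "__main__":
    print(triage_doc(SAMPLE))
```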



Phishing Gang Forgets Source Code

Hook, Line, Sinker (How I fell for a phishing scam)


I love to analyse and take apart phishing pages. Such pages are nothing new; you can find them almost daily. I always enjoy poking around to see whether I find something new, something of interest, or just some sort of timestamp that lets me pinpoint how quickly a gang sets up new phishing pages.

A little while ago, I found a curiously named folder on a phishing page. By poking around and guessing other names, I was suddenly offered a ZIP file with the phishing page’s entire source code inside. Quickly analyzing the code, I saw that the attackers had simply created a send.php file which reads the form fields and sends an email. Extremely simple, yet very efficient. You don’t need a database, your own mail server or any other infrastructure. Just use PHP’s built-in mail function.

Another funny thing I noticed was the included “readme.txt” file. Its content suggested that some third party developed the script for the phishing gang. This is another indication that phishing has become some sort of “as-a-service” deal.

Just Unzip the file you will find and index.html page, one folder and snd.php file
just Open the send.php and change the Email Address to your address and save it
Then Upload the script and you are good to go....
EASY and fast

Sample: ebbd0bebd9870f2d294db98d99767267 (md5)
Size: 189 KB

Photo by Kenneth Lu, via Flickr.

Hack of the Day: Xing


I have been using Xing for close to eight years. And I have tried the Premium feature for a little while. But luckily my card ran out and that spared me the hassle of cancelling my account 😉
However, have you ever seen this on your front page:

The “Profile Visitors” wall. Whenever somebody views your Xing profile, an entry is shown, sometimes even telling you how that person has found you. And given our deepest desire to know everything, we certainly want to know who those people are. Granted, first-hand contacts like the second from the top I should know and find easily if I remember their names. But what about the other two? Who are they? How are we connected?

To solve that urgent need, several ways are possible. The easiest one is to go to your own profile page. At the top of it, you can see the following bar:


Again, the same people as on the front page and a few more. Now take a look at the source code of your profile page. Search the HTML code for this string: “Visitors to your profile”. And there you have the names of your five last visitors. Pretty easy!

Another way to discover your “fans” is to use a Xing application/web page. Simply browse to the “Xing is 10” page (https://tenyears.xing.com/en/), click on “Go to your statistics”, log in and scroll down to “Profile Visitors”. And again, you have the three most recent visitors of your profile. And you can even click their name to view their profile page. Magic 🙂


Creative Commons: Donors Data Leak


A few days ago the Creative Commons team sent out an email informing me and some other donors about a data leak that happened in their GitHub repository:

Creative Commons believes in open, frank, and prompt communication with our community, including our donors. We also take your privacy seriously. We are committed to responsibly guarding the personal information you share with us.

In keeping with these principles, we want to tell you about a situation that came to our attention very recently involving your personal information. In 2013, during a migration of files to GitHub, we mistakenly posted an electronic file in a public repository that contained some donor information. Specifically, the file included the names, addresses, email addresses, and donation amounts of about 2000 individuals who donated to Creative Commons between 2004-2007. The file did not include any credit card or other financial information. When we learned about the problem earlier this week, we immediately and permanently removed it from GitHub. We have no reason to believe anyone other than the individual who called this to our attention found the data, or that anybody misused the data.

We deeply regret this mistake and apologize for its occurrence. If you have any questions about this incident or about CC’s policies relating to collection, maintenance, and protection of your personal information, please contact legal@creativecommons.org.

Thank you for continued support.

Creative Commons

I have not been able to identify the precise repository or file yet. However, I am happy that Creative Commons has informed affected users and removed the file from their repository as soon as they were notified about the leak. So far I also haven’t seen any media attention on the leak.

Over the past years I have always donated to the cause Creative Commons stands for, and I am happy with how they reacted to this leak.

Zeitgeist Daemon on Xubuntu does not respect your privacy

I toyed around with my Xubuntu and found the strangely named process “Zeitgeist”. What’s this?

“zeitgeist-daemon is a daemon which keeps track of activities on your system (file usage, browser history, calendar events, etc.) and logs them into a central database. It does not only create a chronologic register, but also supports tagging and can establish relationships between activities.”

All this information is provided by external applications which communicate with zeitgeist-daemon over D-Bus. Interested programs can connect with it and request information, insert new items or modify existing information (delete items, add tags, bookmark items and so on).


Uhm – say what?

It’s probably used for the Ubuntu search thingy, which does not exist in Xubuntu. Let’s take a quick look:

dobin@unreal:~$ ps auxww | grep -i zeitgeist
dobin 20163 0.0 0.0 592172 6352 ? Sl 2013 0:02 zeitgeist-datahub
dobin 20171 0.0 0.0 274500 4148 ? Sl 2013 0:00 /usr/bin/zeitgeist-daemon

dobin@unreal:~$ lsof -p 20163 | grep '/home/dobin' | awk '{print $9;}'

dobin@unreal:~/.local/share/zeitgeist$ sqlite3 activity.sqlite
sqlite> .dump
INSERT INTO "uri" VALUES(586,'file:///home/dobin/Downloads/DexGuard%20Tutorial.rar');
INSERT INTO "text" VALUES(150,'BHUSA09-McDonald-WindowsHeap-PAPER.pdf');
INSERT INTO "text" VALUES(429,'BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf');
INSERT INTO "uri" VALUES(129,'file:///home/dobin/Workspace/SentinelFirefoxPlugin');
INSERT INTO "uri" VALUES(136,'file:///home/dobin/Workspace/SentinelFirefoxPlugin/1.png');

Seems to be a goldmine for the next forensic investigation!

Where does it come from?

dobin@unreal:~$ pstree
│ ├─lightdm─┬─init─┬─Thunar───2*[{Thunar}]
│ │ │ ├─zeitgeist-daemo───{zeitgeist-daemo}
│ │ │ ├─zeitgeist-datah───10*[{zeitgeist-datah}]
│ │ │ └─zeitgeist-fts─┬─cat
│ │ │ └─{zeitgeist-fts}

Seems to be started from lightdm.

To disable it, open /etc/xdg/autostart/zeitgeist-datahub.desktop and set “NoDisplay=false”; then disable it under “Session and Startup” in the Ubuntu settings.
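A scripted way to switch off the datahub autostart entry without editing the system file under /etc/xdg/autostart, added here as an example that is not from the post: the freedesktop autostart specification has the session ignore a system entry when a same-named file in ~/.config/autostart sets Hidden=true. The user autostart directory is a parameter so the round trip can be exercised in a throwaway directory.

```python
import tempfile
from pathlib import Path

# Per the freedesktop autostart spec, a file in ~/.config/autostart with the
# same name as a system entry in /etc/xdg/autostart takes precedence, and an
# entry with Hidden=true is ignored by the session. The system file stays
# untouched and the override survives package updates.
ZEITGEIST_ENTRY = "zeitgeist-datahub.desktop"     # file name from the post

def disable_autostart(name, user_autostart):
    """Write a user override marking the named autostart entry Hidden; returns its path."""
    user_autostart = Path(user_autostart)
    user_autostart.mkdir(parents=True, exist_ok=True)
    override = user_autostart / name
    override.write_text(
        "[Desktop Entry]\nType=Application\nName=%s\nHidden=true\n" % name.rsplit(".", 1)[0])
    return override

def is_disabled(name, user_autostart):
    """True if a user override for the entry exists and sets Hidden=true."""
    override = Path(user_autostart) / name
    if not override.is_file():
        return False
    keys = {}
    for line in override.read_text().splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip().lower()
    return keys.get("Hidden") == "true"

def demo(user_autostart=None):
    """Round trip; uses a throwaway directory when none is given. Returns (before, after)."""
    if user_autostart is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    before = is_disabled(ZEITGEIST_ENTRY, user_autostart)
    disable_autostart(ZEITGEIST_ENTRY, user_autostart)
    return before, is_disabled(ZEITGEIST_ENTRY, user_autostart)

if __name__ == "__main__":
    # Real use: demo(Path.home() / ".config" / "autostart"), then log out and in again.
    print(demo())
```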

Downloadable List of all Swiss Mobile Phone Numbers

This is more of a fun post. I needed a list of all Swiss mobile phone numbers. I created a list for all currently used “area codes” 076-079 and decided to share the text files with anyone. 075 is currently not really used by Swisscom, though it was announced they will start using the prefix for data-subscription contracts.

All files are 22 MB as GZ-compressed files. The text file itself is around 100 MB in size.

Download Swiss Mobile Phone Numbers


Quick explanation (via Wikipedia):

  • 75 – mobile services: GSM / UMTS – Swisscom
  • 76 – mobile services: GSM / UMTS – Sunrise (with Yallo, Cablecom, talktalk, Lebara)
  • 77 – mobile services: GSM / UMTS – various (M-Budget, Tele2)
  • 78 – mobile services: GSM / UMTS – Orange (with CoopMobile)
  • 79 – mobile services: GSM / UMTS – Swisscom

Why Password Re-Use Is Bad For You

Every now and then, a website on the Internet gets hacked and sensitive data of its users is stolen. Sensitive data can be anything, from your email address to your birthday, social security number, credit card details or your password (in hashed, encrypted or plain text form). While all this data is critical to you, the password is certainly the most fun for an attacker.

Imagine you have an email address JonPeter83@vulnerability.ch. On this account you have a fairly strong password: at least 8 characters, with upper and lower case, a number and some symbol, like J0n;Pass. Cool, you are better than many other users on the internet nowadays. Now imagine you are a big fan of Minecraft and a member of a Minecraft fan forum. There, you also have to have a strong password (min. 8 chars, mix of upper and lower case, numbers, symbols etc.). But now you make the big mistake of re-using your password. And since you have to verify that you are real and not some bot, you have to link your email address to the forum’s account.

Nobody sees this, you think. But you are wrong. Your email address is stored in the website’s database server, and any administrator can access it. Or worse, any attacker who successfully exploits a SQL injection vulnerability can read out the forum’s database content, and with it your email address and your (hopefully) hashed password. Now, most sites still use the MD5 or SHA-1 hashing algorithm. Your password then becomes something like the values below:

Hash      Output
MD5       6e117518d56e0920951b947905cc8c4a
SHA-1     7266ac431d499cd13ac82662ecd637dc22d161d6
SHA-256   c3f1cee4ede03ab989af0977771dbd9e1704bea87b555cdf856c5be834adf43a

Looks much longer and maybe even more secure than your password, right? Well, no. With today’s computers and high-performance graphics cards, your password can be cracked within seconds. It is possible to generate hundreds of millions of combinations every second, and given the right alphabet (a-z, A-Z, 0-9, special symbols), you do not stand a chance against attackers.



This is why it is so important to have a unique, complex password and to create a new password for every account you have (email, forum, Facebook, Twitter, Tumblr etc.). And do not even think about creating a pattern for your passwords like “9a^u@YEC-EMAIL“, “9a^u@YEC-FACEBOOK“, “9a^u@YEC-FORUMX“. Attackers are not stupid ;-).

A recommended way to do this would be the use of a password manager, which creates complex passwords on the fly and stores them securely on your computer.

If you are a developer or site operator, please make sure you are storing your users’ passwords strongly enough; recommended would be a hashing algorithm like PBKDF2 or bcrypt. Those have the advantage that they take time to calculate (several hundred milliseconds), which makes it nearly impossible to check millions of combinations per second. And of course, make sure your application does not have any vulnerabilities ;-).
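An added example (not from the post) that shows the difference between the two storage choices in code: unsalted MD5 or SHA-1 gives the same digest for J0n;Pass on every site that stores it that way, while PBKDF2 with a per-user salt and a high iteration count gives a different, slow-to-recompute value each time. The iteration count and the storage format “pbkdf2_sha256$iterations$salt$digest” are my own choices.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # tune until one verification costs a few hundred ms on your hardware

def fast_hash(password, algorithm="md5"):
    """What the forum in the post does: one unsalted round of MD5 or SHA-1.
    The same password gives the same digest on every site that stores it this
    way, so one leaked table answers the question for all of them."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()

def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash for storage, as 'pbkdf2_sha256$iterations$salt$digest'.
    The format is my own choice; the salt is 16 random bytes per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def seconds_per_guess(hash_fn, password="J0n;Pass", repeats=20):
    """Rough cost of one guess with the given function, measured on this machine."""
    start = time.perf_counter()
    for _ in range(repeats):
        hash_fn(password)
    return (time.perf_counter() - start) / repeats

if __name__ == "__main__":
    password = "J0n;Pass"   # the example password from the post
    print("MD5   :", fast_hash(password))
    print("SHA-1 :", fast_hash(password, "sha1"))
    print("PBKDF2:", pbkdf2_hash(password))
    print("seconds per MD5 guess   : %.9f" % seconds_per_guess(fast_hash))
    print("seconds per PBKDF2 guess: %.3f" % seconds_per_guess(pbkdf2_hash, repeats=3))
```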