How to protect your devices with Internet security options


Malware distribution via Dropbox

I’ve seen a “nice” spam campaign that was very successful from my point of view…

  • First of all, I received this email at my corporate account; it passed all of our AV/spam and other filters.
  • The email actually looked not too bad (a bit generic, but voicemail systems are this way ;-)
  • The interesting fact was that the link goes to Dropbox – which is making more and more inroads into corporate businesses.
  • The link therefore doesn’t raise any suspicion. It is even served “securely” (read “encrypted”) via https://…
  • Even though our gateway-based virus scanner failed to detect it, 13 out of 52 AV engines on VirusTotal detected it: https://www.virustotal.com/en/file/7637d5df5ce0e300a8a56ccefa37e49228517e8797aecfe439b32a14750de0b8/analysis/
  • I have to say that Dropbox reacted very quickly and took down the link within hours.

The source of the email is listed below…

... some lines removed ...
Received: from X-Virus-Scan: V-
X-Note: Spam Tests Failed:
X-Country-Path: INDIA->UNITED STATES
X-Note-Sending-IP: 180.215.31.112
X-Note-Reverse-DNS:
X-Note-Return-Path: countable842@rocajunyent.com
X-Note: User Rule Hits:
X-Note: Global Rule Hits: G327 G328 G329 G330 G334 G335 G346 G445
X-Note: Encrypt Rule Hits:
X-Note: Mail Class: ALLOWEDSENDER
X-Note: Headers Injected
Received: ...removed... with ESMTP id 207187012; Tue, 10 Jun 2014 07:43:15 -0500
Message-ID: <SX5HTCQD.0875474@rocajunyent.com>
Date: Tue, 10 Jun 2014 18:16:17 +0530
From: Voice Mail <voicemail_sender@...removed....com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: <abaumhof@...removed....com>
Subject: voice message from 597-599-7866 for mailbox 607
Return-Path: countable842@rocajunyent.com
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit 

You have received a voice mail message from 597-599-7866
Message length is 00:00:37. Message size is 298 KB.

Download your voicemail message from dropbox service (Dropbox Inc.):

https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5r IjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lk IjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANAB ss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1 
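The headers above carry signals a mail gateway rule could have used: the From domain differs from the Return-Path and Message-ID domain, and the body links to a direct download (dl=1) on a file-sharing host. The following triage sketch is an added example, not part of the original post; the sample message is constructed from the headers shown above, with example.com standing in for the redacted addresses and PLACEHOLDER for the link token, and the host list is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers above; example.com stands in
# for the addresses the post redacted, PLACEHOLDER for the link token.
SAMPLE = """\
Return-Path: countable842@rocajunyent.com
Message-ID: <SX5HTCQD.0875474@rocajunyent.com>
From: Voice Mail <voicemail_sender@example.com>
To: <user@example.com>
Subject: voice message from 597-599-7866 for mailbox 607
Content-type: text/plain; charset="US-ASCII"

Download your voicemail message from dropbox service (Dropbox Inc.):

https://www.dropbox.com/meta_dl/PLACEHOLDER?dl=1
"""

# File-sharing hosts to watch; an assumed starting list, extend locally.
SHARING_HOSTS = ("dropbox.com", "dropboxusercontent.com")
URL_RE = re.compile(r"https?://([^/\s]+)(\S*)")

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw plain-text message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(msg.get("From", ""))
    env_dom = domain(msg.get("Return-Path", ""))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {env_dom}")
    # Weak signal on its own: many legitimate senders relay through other hosts.
    mid_dom = msg.get("Message-ID", "").strip("<>").rpartition("@")[2].lower()
    if mid_dom and from_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} != From domain {from_dom}")
    for host, rest in URL_RE.findall(msg.get_payload()):
        host = host.lower()
        shared = any(host == h or host.endswith("." + h) for h in SHARING_HOSTS)
        if shared and "dl=1" in rest:
            findings.append(f"direct-download link on file-sharing host {host}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

None of these findings is conclusive alone; scored together they separate this message from ordinary Dropbox share notifications.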

Do Security Incidents hurt your business? Well, not if you are Adobe, it seems.

Brian Krebs published some stats from ThreatMetrix around how quickly users upgrade their browsers once security incidents have been posted. See http://krebsonsecurity.com/2014/05/the-mad-mad-dash-to-update-flash/ for more details.

I have read bits and pieces, but the economic impact of security incidents is a very interesting topic, and I think it ranges from breaches/security incidents having zero impact on the business (apart from a temporary drop) to businesses going out of business because of them (DigiNotar is an example - http://www.darkreading.com/attacks-breaches/diginotar-hacked-out-of-business/d/d-id/1136356?, or Target’s ex-CEO as well).

Concluding the data analytics exercise with Flash, the chart below shows the number of devices on which Flash is installed. The data covers all of the end users of our 2,500 enterprise customers in ThreatMetrix’s Global Trust Intelligence network, representing more than 160 million accounts.

[Chart: percentage of devices with Flash installed]

As you can see, the percentage of devices with Flash is very constant at around 62%, and not a single one of Adobe’s critical-severity security incidents over the last 6 months encouraged enough people to stop using Adobe Flash.

My personal advice: If you haven’t uninstalled Flash, do it now.

eBay user list confirmed non-legit

What we suspected turned out to be true… eBay confirmed that the data is not legitimate. This is also confirmed if you look at the data. We looked at

  • is this email address associated with an eBay account? (worryingly, one can easily check this on the eBay site)
  • is this email address known in https://shouldichangemypassword.com/ ?

Out of 12,663 records,

  • only 2,025 emails are registered with eBay and
  • 3,720 emails are known hacked emails according to Should I change my password.

[Charts: emails registered with eBay; emails known as hacked]

A first look at the eBay user list for sale (unconfirmed whether it’s legitimate)

UPDATE: Most likely this list is not legitimate. Too many things don’t add up. I would have loved to see eBay following good security practices and certainly do hope that this is the case for the “real” eBay dump.

According to http://pastebin.com/vmvjGw3N, there exists a full eBay user database dump of 145,312,663 records.

In order to get the database, you need to send 1.4453 BTC (~ 755.27 USD as per coinbase). So far nobody has done this (https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7KbcdPfA)

The user provided a sample of 12,663 entries from the APAC region. We’ll look at these in this blog.

WARNING: We have no idea whether these users are really from eBay or whether this all is legitimate. Let’s just assume for a moment that it is.

The entries are like: <<NAME>> |pbkdf2_sha256$12000$<<SALT>>$<<VALUE>>|<<EMAIL>>|<<ADDRESS>>|<<PHONE>>|<<DOB>>

The good news is that the password uses PBKDF2 (Password-Based Key Derivation Function 2) with SHA256 as the hashing function and a 64-bit salt. That is the standard recommended salt length.

It seems that eBay uses 12,000 iterations for this algorithm. When the standard was written in 2000, the recommended minimum number of iterations was 1000, so this is 12x that, which seems good.

Because of the salt, rainbow tables can’t really be used against this, so each password needs to be computed individually (the per-password salt prevents a rainbow table from being used against all of them at once).

So overall, if this turns out to be legitimate, I think one can honestly say that eBay followed good security practices.

The email, address, phone and date of birth are in there in plain text, however.
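How an entry in this layout is checked against a candidate password, and why the per-record salt forces one full PBKDF2 run per record and per guess, shown as an added example (not from the original post and not eBay's code). It assumes the Django-style encoding, where the salt is used as the literal string and the stored value is the base64 of the PBKDF2-HMAC-SHA256 output; make_record and its sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def make_record(name, password, email, iterations=12000):
    """Build a constructed sample line in the layout shown above."""
    salt = base64.b64encode(os.urandom(8)).decode()        # 64 random bits
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    digest = base64.b64encode(dk).decode()
    return f"{name} |pbkdf2_sha256${iterations}${salt}${digest}|{email}|addr|phone|dob"

def parse_record(line):
    """Split one line into its password-hash parameters."""
    fields = line.split("|")
    algo, iterations, salt, digest = fields[1].split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unexpected algorithm {algo!r}")
    return {"name": fields[0].strip(), "iterations": int(iterations),
            "salt": salt, "digest": digest, "email": fields[2]}

def verify(line, candidate):
    """Re-derive the key for one candidate and compare in constant time."""
    rec = parse_record(line)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             rec["salt"].encode(), rec["iterations"])
    return hmac.compare_digest(base64.b64encode(dk).decode(), rec["digest"])

if __name__ == "__main__":
    # Two constructed users who picked the same password.
    alice = make_record("Alice", "hunter2", "alice@example.com")
    bob = make_record("Bob", "hunter2", "bob@example.com")
    # Different salts give different stored values, so a precomputed table
    # or a result for Alice says nothing about Bob.
    print(parse_record(alice)["digest"] != parse_record(bob)["digest"])
    print(verify(alice, "hunter2"), verify(alice, "password"))
```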

Browser extensions, a better attack vector than drive-by downloads?

I came across this blog post (locally cached pdf) a couple of days ago by the developer of a Chrome extension who filled the gap after Google dropped support for the RSS reader. His Chrome extension was popular and gained more than 30,000 users.

To cut a long story short, he sold it for a 4 figure amount to someone who then turned his extension into an adware-riddled version and updated all 30,000 users.

That seems to be an awfully efficient way of infecting a lot of users for very little money. His Chrome extension was “Add to Feedly”.

Unfortunately these things occur more and more often. Another example is “Tweet this Page”, which was taken down by Google after it started to hijack Google searches. Apparently the developer sold it for $500! (from here)

In both cases, the bad guys talked the authors into selling by making nice claims such as “…they wanted the extension ‘for further development’”.

The funny thing is that Google (who is distributing Chrome) is making around 97% of its revenue from online ads, so it is not surprising that advertising within Chrome extensions is neither prohibited nor discouraged.

“…Injected ads are allowed in Chrome extensions, but Google’s policy states that which app the ads are coming from must be clearly disclosed to the user, and they cannot interfere with any native ads or the functionality of the website.” (from here)

For malware authors, hijacking legitimate and good extensions is an outstanding business model. First of all, they know exactly how many potential victims they can buy. Secondly, due to auto-updates they can infect these people nicely, and thirdly it takes quite a while for Google to remove “non-behaving” extensions from the store.

What is the risk here? Or: what can a malicious Chrome extension do?

Google has automated screening capabilities that will minimize the distribution of malware through Chrome extensions. However, we all know that malicious actors have tools available to make sure their software is never found to be malicious. But then again, launching an executable (malicious or not) in a completely transparent way is not so easy.

The much bigger risk is that the chrome extension has full control of the website content, including all form fields. This could mean that a malicious chrome extension can

  • inject any kind of javascript into the website, effectively providing the same functionality as every sophisticated banking trojan out there. Should we call this Zeus-in-the-Extensions ;-)
  • sniff any values entered into form fields. These could be usernames, passwords, one-time passwords, tokens, email addresses, date of birth, SSN and much more.
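Which extensions have this level of access is visible in their manifest, and an update that widens it is the moment to look closely. The audit below is an added example, not from the original post: it flags match patterns that cover every site and reports what an update adds over the previous version; both manifests are constructed samples with made-up names and files.

```python
import json

# Match patterns that give an extension access to every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests: the same extension before and after an update.
BEFORE = json.dumps({
    "name": "Feed helper (constructed)", "manifest_version": 2, "version": "1.0",
    "permissions": ["tabs", "https://feeds.example.com/*"],
    "content_scripts": [{"matches": ["https://feeds.example.com/*"],
                         "js": ["add.js"]}],
})
AFTER = json.dumps({
    "name": "Feed helper (constructed)", "manifest_version": 2, "version": "1.1",
    "permissions": ["tabs", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["add.js", "ads.js"]}],
})

def audit(manifest_text):
    """List every place a manifest asks for access to all sites."""
    manifest = json.loads(manifest_text)
    findings = []
    for key in ("permissions", "host_permissions"):   # manifest v2 and v3 keys
        for perm in manifest.get(key, []):
            if isinstance(perm, str) and perm in BROAD:
                findings.append(f"{key}: {perm}")
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                files = script.get("js", [])
                findings.append(f"content_scripts[{i}] {files} runs on {pattern}")
    return findings

def new_access(old_text, new_text):
    """Findings present in the update but not in the previous version."""
    old = set(audit(old_text))
    return [f for f in audit(new_text) if f not in old]

if __name__ == "__main__":
    for finding in new_access(BEFORE, AFTER):
        print("added in update:", finding)
```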

Google has already announced that their extension policy is due to change in June 2014 and the new policy will require extensions to serve a single purpose. It would never cross my mind that they do this to vastly increase the number of chrome extensions, but surely only to provide a good service to us.

Oh, they also make it easier to use payment options to extensions. I can already see the topic for a future blog post.

Why metadata matters…

I know this is all over the web right now in the discussion about NSA and their natural hunger to collect whatever they can get their hands on. I don’t want to start a discussion on the legality or the ethics of this, but the following slide from the EFF makes a very good point and to preserve it for my own good, here it is :)

[Image: EFF slide on why metadata matters]

see https://www.eff.org/deeplinks/2013/06/why-metadata-matters for more details…

Also very relevant is the post by Kieran Healy on “Using Metadata to find Paul Revere” here. A local copy is available here as pdf.

Example of a “well-done” phishing attack

So I got the following email in my inbox this morning, which made it happily past our gateway-based spam filter and my Outlook spam filter.

[Screenshot 1]

The link is a phishing site (even though it is https:// ;-) – however, no phishing filters have it in their list (e.g. Google, Firefox, Microsoft, Netcraft…). Clicking on it gets me here

[Screenshot 2]

Going through the process, they surely collect a hell of a lot of personal information. They also “check” each input value to be correct (e.g. you can’t continue by entering a non-valid credit card number). Looks really nice and clean.

[Screenshot 3]

[Screenshot 4]

[Screenshot 5]

And very nicely, they will try to log me into Amex straight away, so if I had given them my “real” credentials, I would have been logged into my account…

[Screenshot 7]

Wow what a certificate (verified.cm) – CAs completely broken

Looking at recent hacks, I had a quick look at the SSL certificate from verified.cm and who on earth is signing the certificate below? Oh yes… It is GlobalSign for sure… If we needed another argument why Certificate Authorities are broken, here it is… but then again we have known this for so long and they still exist…

So the SSL certificate for verified.cm has been issued to ssl2968.cloudflare.com. Cloudflare is of course a well-known cloud-based web firewall that is used by many good and shady sites.

This certificate has the following 40 (in words: FORTY!) Alternative Names. Oh and don’t worry, it is also valid for 4 more years (until Jan 15, 2018). What could possibly go wrong with this?

Did I mention that the domain that it was issued to doesn’t even resolve (ssl2968.cloudflare.com)?

Here are the forty Alternative Names:
