[conspire] Well, that's interesting, or ... "Ain't that special?"

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat May 29 14:01:49 PDT 2021

Well, that's interesting, or ... "Ain't that special?"

So SANS NewsBites - definitely not the worst information out there,
whatever, still get it in my "inbox" typically skim the Subject: header,
sometimes (but not so commonly) actually skim the email itself - well,
did this time, bit 'o Subject caught my attention ... relevant
(for some contexts ... VMware vSphere client ...)
and legit ... skimmed some more ... one other item caught my attention
... Fortinet: FBI Flash Alert: APT Group Exploiting Fortinet Vulnerabilities

So was starting to (validate and) prepare to pass along some reference  
bits.  "Same" is also on-line
So had located that, but ... Fortinet totally missing from the web version
... what the heck, content seems to otherwise pretty much match.
So, start doing some searches - recent stuff about Fortinet - having to do
with security or mention of FBI - quite a bit of mention - even what  
looks like
PDF copy of some FBI bulletin - but nothin' linking back to FBI site.
Bit odd that.  Start lookin' for stuff going back to some more-or-less
official FBI or US government site or account or mention.  Trail mostly
sees to go back to an FBI tweet on Twitter.
Is that US FBI's account on twitter?
$ curl -I https://www.fbi.gov/twitter
HTTP/2 302
date: Sat, 29 May 2021 19:41:22 GMT
content-type: text/plain; charset=utf-8
content-length: 23
location: https://twitter.com/FBI
... okay, seems likely -
@FBI ... found it
... dang it Twitter, no, I don't want some friggin' huge chunk 'o HTML
to embed, I just want the a dang URL - geez .... dig through that goop ...
this seems to get 'ya there:
Okay ...
Find more information on the Internet Crime Complaint Center's website  
at http://ow.ly/Gon150EX9kR.
but the http://ow.ly/Gon150EX9kR in the tweet - the URL for that text is
something totally different, it links to:
Well ain't that special?
Look at page source - Gon150EX9kR isn't even in there,
Javascript up the wazoo - string seems likely constructed from all that
code - maybe some tracking or whatever - but why all the obfuscation?
Well, ow.ly takes no connections on TCP port 80 ... nor 443.  Really, why
would the FBI put out some URL like that, and who/what the hell is ow.ly ?
And why is US government stuff going to various semi-random country code
TLDs that aren't even .us - but other countries - or countries that sold
off their short TLD instead because, well, money.
Well ... whois ...
Hootsuite Media ... yeah, that doesn't sound like the secure and assured
way to get to a US Government web site.
So ...
Internet Crime Complaint Center ... search to find that ...
They've got a search thingy right on their page.  Wonderful
Search Fortinet
0 results
What the hell - false alarm that got retracted, or a bogus alert?
Let's see, what about ...
And the actual link domain t.co ... REDACTED FOR PRIVACY ... uh huh.
Well, whatever ... see where that goes to ...
Okay, an actual alert regarding Fortinet:

Well, okay, would seem to be legit, but ... way to flub the message folks:
o put it in email that's also (at least generally supposed to be) on
   "equivalent" web page ... but then don't have it on the web page - or
   "disappear" it from there and say nothing of it.  I mean if you screwed up
   you print retraction/correction and mention it's updated, you don't just
   "disappear it"
o if you're major US government agency why put out a communication on an
   alert that's presumably important enough to be bothering to put out an
   alert on and give a domain that is highly unclear what it is and beyond
   that doesn't even respond - and obfuscate by showing one domain, and
   linking to a completely and totally different domain (or is that Twitter's
   doing - but regardless - for US government announcement, far from great).
o mention legit site where it is - domain's mere 7 characters, only 3 if we
   don't include the .gov, but give the whole damn long official name, but
   don't give the URL to site itself, instead have it through some redirector
   stuff from who the hell knows and most wouldn't recognize the name of -
   and for good measure hide whois info on the domain to be sure nobody knows
   who you're referring folks to go off and deal with, oh yeah, and add yet
   another layer of very dubious obfuscation - with the displayed domain and
   path vs. that linked to being totally different.

Yep ... way to give folks tons of confidence in your messaging ... yeah,
don't do that!

Reminds me all too much of when, e.g. financial institutions,
health care providers, etc. do stupid stuff in their messaging - like
insecure unsigned email with http URLs and/or using domains that are "vanity"
domains or shortcuts or whatever, that are in no was easily traced to be
legitimate for the company/provider, and "of course" the email wants you to
"click here" for something important.  And triple bad if they want you to
login before even getting you to a clearly legit secured known domain.

A.k.a. how not to securely and assuredly do one's security messaging securely.

More information about the conspire mailing list