Categories
Uncategorized

TrueNAS CORE and SMB Encryption

A brief post about enabling Samba file share encryption on your TrueNAS CORE-based file server.

I’m running a TrueNAS CORE 12 file server for data safekeeping, and only recently did I decide to look into whether the system encrypts, by default, the data sent and received via Samba file shares. I suspected that encryption of SMB connections wasn’t enabled by default. Investigation time! 💻🔍👀

The first thing I did was run a packet capture on the machine that accesses the SMB shares hosted on my file server. In brief, I found that TrueNAS was indeed not sending (or accepting) encrypted file data: scrutinizing the Wireshark capture on the client machine (running Windows 10 version 20H2), I could see plaintext SMB packets to and from the file server. NOTE: I would typically post a screenshot of my findings for this sort of thing but, since some of the data I was previewing is sensitive, I’ve decided to forgo redaction and review of it in this case, so I’m sorry for not providing a screenshot. What to look for, in short: filter the capture on smb2 and inspect the Create, Read and Write packets. On an unencrypted session the dissector shows file names and file contents in the clear; on an encrypted SMB3 session the packet list shows “Encrypted SMB3” entries carrying an SMB2 Transform Header, and the payload is opaque.

An additional diagnostic step was to check what the Samba server on the TrueNAS machine was seeing for client connections. Running the smbstatus command on the file server (the Encryption column of its session table is the one to read) resulted in the following:

From server-side: no encryption in use on active SMB connections ☹

I was also curious which SMB dialect my machine was negotiating for these connections. A quick PowerShell cmdlet, Get-SmbConnection, gives a summary of the open SMB connections made from the computer:

The output I received from the Get-SmbConnection cmdlet. I had to run this in an elevated (“admin”) PowerShell session for it to run without issue. The Dialect column shows the SMB protocol dialect negotiated for the given share.

This cmdlet lists the active SMB connections on the machine: the server and share name, the user name and credential used for the connection, the SMB dialect negotiated for the given share (the “Dialect” column), and the number of files currently open on that share (NumOpens). Note that Windows does not use Samba at all: the 3.1.1 in the Dialect column is the SMB protocol version, not a software version.

With the dialect now known (SMB 3.1.1 in this case), I briefly searched Microsoft’s documentation for a quick answer about what encryption the SMB client on my Windows 10 machine supports. A page from the Windows Server documentation turned up which discusses encryption for Windows Server-based SMB shares. Of note was the upcoming support for AES-256 encryption in Windows Server 2022 and Windows 11, alongside the existing AES-128 support: AES-128-CCM arrived with SMB 3.0 (Windows 8 / Server 2012) and AES-128-GCM with SMB 3.1.1 (Windows 10 / Server 2016), so a Windows 10 client negotiating 3.1.1 can encrypt with either. While the page discussed the SMB encryption supported at the time, it’s targeted more at configuring file shares on Windows Server. Let’s move on.

At this point, I decided to go directly to the SMB service settings within TrueNAS to see what fine-grained settings, if any, might be available. (Click Services in the left-side menu, then click the pencil icon to the right of the SMB entry; click the Advanced Options button at the bottom of the SMB settings page to reveal the Auxiliary Parameters field.)

TrueNAS’ SMB service settings page, with the available advanced settings exposed.

While I didn’t immediately find a particular setting for SMB encryption, I did notice the Auxiliary Parameters field at the bottom of the advanced settings section, which suggested that I could supply custom Samba server parameters from the web interface. A quick glance at the TrueNAS CORE documentation page for the SMB service confirmed it: that is exactly what the Auxiliary Parameters field is for!

TrueNAS CORE documentation snippet: you may insert smb.conf parameters here!

Conveniently linked from the TrueNAS documentation, the Samba manual page for the smb.conf configuration file discusses the encryption parameters available for Samba file sharing. In particular, let’s take a look at the smb encrypt parameter.

I won’t duplicate the manual page’s verbiage here, but the parameter is written smb encrypt = <setting>. The options available are:

  • default or enabled: advertise encryption support and use it only if the client asks for it
  • desired: offer encryption and use it whenever the client supports it, but don’t refuse clients that can’t
  • required: only allow encrypted connections; clients that cannot negotiate SMB3 encryption are refused
  • off: never encrypt

The documentation for smb encrypt also states that the parameter can be set globally (that is, for all shares handled by the SMB service) or per share, with the per-share value overriding the global one. In my case, I want to require encryption on some particular shares and to enable “opportunistic” encryption for other shares where it would be nice to have, but not necessary.

I inserted the desired option as a “global” auxiliary parameter (in the SMB service settings) to encourage SMB clients to use encrypted connections.
For SMB shares with sensitive data, I use the required option in that share’s own Auxiliary Parameters field.
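As an added illustration (not from the post or the TrueNAS documentation), here is what those two settings look like once TrueNAS renders them into smb.conf, assuming a hypothetical share named sensitive on a hypothetical dataset path. Don’t edit smb.conf by hand on TrueNAS, since the middleware regenerates it; enter the global line in the SMB service’s Auxiliary Parameters and the share line in that share’s Auxiliary Parameters, then confirm the rendered result with testparm -s on the server.

```ini
[global]
    # Offer SMB3 encryption to every client and use it when the client
    # supports it; clients that cannot encrypt still get in.
    smb encrypt = desired

[sensitive]
    path = /mnt/tank/sensitive
    # Refuse any session that is not encrypted. SMB1 and SMB 2.0/2.1
    # clients cannot negotiate encryption and will be denied access to
    # this share, so check the Protocol Version column of smbstatus first.
    smb encrypt = required
```

Because the per-share value overrides the global one, the order of precedence here is exactly what the post wants: opportunistic encryption everywhere, enforced encryption on the sensitive share only.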

After a reboot of the server (just to make sure I cleared out any odd state left over from testing my settings), I re-opened my SMB shares to establish new connections, and it worked! (The encryption setting is negotiated when a session is set up, so existing connections have to be re-established for it to take effect.)

Output from running smbstatus after applying the encryption settings – success!
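To turn that smbstatus check into something repeatable, here is an added example (my own, not TrueNAS or Samba code) that parses the session table smbstatus prints on Samba 4.x and flags every session that is not encrypted. The sample output embedded in it is constructed, with made-up PIDs, users and addresses. Run it on the server as smbstatus | python3 smb_audit.py (the file name is my own choice).

```python
"""Flag unencrypted SMB sessions in `smbstatus` output (Samba 4.x).

Added example for this post, not TrueNAS or Samba code. Pipe real output
into it on the server:  smbstatus | python3 smb_audit.py
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of the session table smbstatus prints. Session 1 is a
# cleartext SMB 3.1.1 session, session 2 is encrypted with AES-128-GCM, and
# session 3 is an SMB 2.1 client that cannot negotiate encryption at all.
SAMPLE = """\
Samba version 4.12.14
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
23456   alice        alice        192.168.1.50 (ipv4:192.168.1.50:50123)    SMB3_11           -                    partial(AES-128-CMAC)
23457   bob          bob          192.168.1.51 (ipv4:192.168.1.51:50124)    SMB3_11           AES-128-GCM          AES-128-CMAC
23458   nas          nas          192.168.1.60 (ipv4:192.168.1.60:49152)    SMB2_10           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
"""

# One session row: PID, user, group, "addr (ipv4:addr:port)", dialect,
# encryption cipher (or "-"), signing algorithm (or "-").
SESSION_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<machine>\S+ \(\S+\))\s+(?P<dialect>\S+)\s+"
    r"(?P<enc>\S+)\s+(?P<sign>\S+)\s*$"
)


@dataclass(frozen=True)
class Session:
    pid: int
    user: str
    machine: str
    dialect: str
    encryption: str
    signing: str

    @property
    def fully_encrypted(self) -> bool:
        # "-" means no encryption; "partial(...)" means only some tree
        # connects on the session are encrypted (a per-share setting).
        return self.encryption != "-" and not self.encryption.startswith("partial")

    @property
    def dialect_can_encrypt(self) -> bool:
        # SMB encryption exists from dialect 3.0 on; SMB1 and 2.x cannot do it.
        return self.dialect.startswith("SMB3")


def parse_smbstatus(text: str) -> List[Session]:
    """Extract the session rows from smbstatus output; other tables are ignored."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["pid"]), m["user"], m["machine"],
                                    m["dialect"], m["enc"], m["sign"]))
    return sessions


def audit(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Return (user, machine, reason) for every session that is not fully encrypted."""
    findings = []
    for s in sessions:
        if s.fully_encrypted:
            continue
        if not s.dialect_can_encrypt:
            reason = (f"{s.dialect} client cannot negotiate SMB encryption; "
                      "'smb encrypt = required' would lock it out")
        elif s.encryption.startswith("partial"):
            reason = "only some shares on this session are encrypted"
        else:
            reason = "cleartext session; set 'smb encrypt = desired' or 'required'"
        findings.append((s.user, s.machine, reason))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for user, machine, reason in audit(parse_smbstatus(text)):
        print(f"{user:<12} {machine:<42} {reason}")
```

The third sample session is the case to watch before switching a share to required: a client that is still negotiating SMB 2.1 (or SMB1) never gets encryption under desired and gets refused outright under required, so the audit names the dialect rather than just saying “unencrypted”.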

And, just to independently confirm, I started up Wireshark again to see what I could find:

Secrets on the wire 👍

A note about understanding risk

Considering the sensitivity of the data and the fact that the Samba traffic is being transmitted on a trusted internal network, I don’t feel that the use of SMB encryption is bolstering my security posture by a significant amount. I do believe it’s wise, though, to implement security in depth—it’s just one more thing that will frustrate an adversary when they find their way into said network. And the extra “peace of mind” is always nice to have.


Read Local, Influence Global

As local news outlets contract, it creates opportunities for outlets that often have the appearance of traditional local news outlets, to move in and sow misinformation in a variety of ways.

Phil Napoli, public policy professor, Duke University

An article is actively being circulated on a popular Reddit forum today regarding alleged election-related fraud in the U.S. state of Nevada. (link to archive.org mirror)

At first glance, the site “360NewsLasVegas[.]com” raised my suspicions about its journalistic legitimacy, and I quickly recalled several recent articles discussing a vulnerability in how people consume news: an individual is likely to place more trust in a “local” news source than in a mainstream or national-level one. This site’s domain and title present it as a local-focused news site for its readers, so it may fit the profile of these misinformation campaigns.

A quick lookup of the site’s domain name found that it’s registered through GoDaddy and was created in May 2018. Additionally, a reverse lookup of the domain name found that the hosting source of the site, too, is maintained by GoDaddy (IP address: 198.71.233.184).

A review of the site’s HTML code finds that it operates on an instance of WordPress:

WordPress version 5.5.3 is the most recent release at the time of this writing

At this point, there aren’t any strong indicators that this site is part of a foreign-operated misinformation campaign. One item of interest is the prominent Facebook “button” on the site’s right sidebar, which links the user to a “360Daily[.]net” Facebook page (link to archive.org mirror). Side note: 360Daily[.]net, created in 2017 per the domain’s whois data, is also registered at GoDaddy and shares both the same whois data and host IP address. What is interesting about this link, though, is the page name in the URL: “Newsmaxtvvegas.”

A quick once-over of the linked Facebook page leads me to believe that both the page and the 360NewsLasVegas[.]com and 360Daily[.]net pages are all linked to Newsmax Media.

One additional detail about the 360NewsLasVegas[.]com posts is that every examined post lists Rob Lauer as the author. An image search for “rob lauer vegas” yielded two top-ranked results including an image of the individual, connecting the anchor seen in the Facebook page’s header video to the author listed on the aforementioned articles. These image results also include a still frame from what appears to be a NewsmaxTV broadcast or stream, with Rob Lauer as the anchor.

Top image results from DuckDuckGo[.]com

Perhaps this discovered site isn’t some foreign-run misinformation operation after all, or at least that’s the feeling I have after this more in-depth research. I wouldn’t consider this a reputable news source, however, since it seems that the news articles on the 360NewsLasVegas[.]com are written solely by this one individual. I’m also gauging this based on the content of some of these news articles, where the platform is seemingly used at times as a vehicle for personal motives–not for news.


That Ad Revenue, Tho…

TL;DR: a YouTube ad led to a video peddling a fake Among Us mod for iOS, but is a cover for a possible ad revenue “click fraud” scheme.

On this particular night, while browsing recommended content in my iPhone’s YouTube app, I was shown an advertisement that promised a “modded” version of the current-hype Among Us game. Out of curiosity, I tapped on the ad and watched the linked YouTube video. A modicum of common sense is enough to determine that this ad revolved around a scam or some other revenue scheme; the linked YouTube video is unlisted and was only reachable via the link presented by the inline advertisement. I pulled down a copy of this video in case the original poster, or YouTube, takes the video offline:

Mirrored copy of the subject YouTube video

The video starts with what appears to be a demo of the Among Us game running on a newer-model iPhone (model X or newer?). In this demo the user appears to control their character in a typical fashion, except that the character moves significantly faster than is normal. Of note is the joystick in the bottom-left corner of the device’s screen, where the thumb of the person “playing” appears only to mimic real gameplay. If you watch closely, there are multiple instances where the on-screen joystick does not align with the position of the user’s thumb tip, which gives the impression that the phone is merely playing back a (potentially doctored) video. Another element of note: if a video really is playing on the phone, touching the screen should bring up the video playback controls, but a closer look at the user’s finger positioning and movements indicates that they avoid contact with the screen for precisely this reason. Clever positioning of the hands, the phone, and the camera likely conceals this touch avoidance. One last detail is the small overlay image of The Joker’s face (the Heath Ledger version from The Dark Knight), which moves to a different part of the screen during this first scene. It may be a watermark for the video being played, or a cue for the “actor”; its true purpose is unknown from the video’s contents. A transition cuts to the next scene, where the narrator and the user (presumably two different individuals) “demonstrate” the process of obtaining the purported mod.

The next scene starts with the user device presenting the “amongmod[.]com” website in the browser (archive.org mirror), with the narrator directing the viewer to visit this site to obtain the mod. In the background, the user’s Windows 10 desktop is visible with the tray clock indicating a date of “11.10.20;” the exact year is cut off but it is assumed the date of this recording is 11 October 2020. The viewer is directed to tap the presented “Download Now” button on this webpage, where a mobile device configuration “profile” is downloaded to the device. A copy of this profile is available here for further analysis: (archive.org mirrored copy).

This author, of course, strongly advises against installing mobile device profiles without a known, vetted purpose such as for app development purposes or corporate application/internal site access. There are known incidents of malicious actors using profiles to surveil and manipulate mobile device activity, and users should not be so eager to install profiles such as in this instance.

A query of the domain’s whois and DNS records at the time of this writing is as follows:

whois amongmod[.]com
Domain name: amongmod[.]com
 Registry Domain ID: 2564632260_DOMAIN_COM-VRSN
 Registrar WHOIS Server: whois.namecheap.com
 Registrar URL: http://www.namecheap.com
 Updated Date: 0001-01-01T00:00:00.00Z
 Creation Date: 2020-10-08T18:02:24.00Z
 Registrar Registration Expiration Date: 2021-10-08T18:02:24.00Z
 Registrar: NAMECHEAP INC
 Registrar IANA ID: 1068
 Registrar Abuse Contact Email: abuse@namecheap.com
 Registrar Abuse Contact Phone: +1.6613102107
 Reseller: NAMECHEAP INC
 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 Registry Registrant ID:
 Registrant Name: WhoisGuard Protected
 Registrant Organization: WhoisGuard, Inc.
 Registrant Street: P.O. Box 0823-03411
 Registrant City: Panama
 Registrant State/Province: Panama
 Registrant Postal Code:
 Registrant Country: PA
 Registrant Phone: +507.8365503
 Registrant Phone Ext:
 Registrant Fax: +51.17057182
 Registrant Fax Ext:
 Registrant Email: b4806f7d6aff4c3f982ff5e67abd85a6.protect@whoisguard.com

nslookup -q=any amongmod[.]com
Non-authoritative answer:
 amongmod[.]com    text = "v=spf1 +a +mx +ip4:54.39.49.75 ~all"
 amongmod[.]com
         origin = ns13.hoststage.net
         mail addr = monitoring.host-stage.net
         serial = 2020100803
         refresh = 3600
         retry = 1800
         expire = 1209600
         minimum = 86400
 amongmod[.]com    nameserver = ns13.hoststage.net.
 amongmod[.]com    nameserver = ns14.hoststage.net.
 Name:   amongmod[.]com
 Address: 144.217.221.149
 amongmod[.]com    mail exchanger = 0 amongmod[.]com.

From these results, we gather that the owner of the domain name is hidden behind a privacy proxy, which in itself isn’t unusual or suspicious, but yields no further useful information about the owner. Of note, though, is the domain’s creation date, 8 October 2020, only days before the date seen on the desktop in the video. Additionally, the DNS results show that the site’s name servers are run by a provider named HostStage. A further whois lookup of the returned IP address (which serves both web and mail, since the MX record points back at the domain itself) indicates that the site is served from infrastructure owned by the French hosting company OVH.

The subject website was visited on a desktop computer with the browser configured to imitate an Apple iPhone running the iOS operating system version 14.0.1. A recording of the website, its network activity, and output of its running code follows:

In short, the subject web site displays a fake progress bar to simulate activity happening on the server-side of the site, and after a period of time the mobile device profile is downloaded. The browser’s network traffic inspector showed that no communication between the end-user and the server actually occurs, confirming the fake progress bar, and a glance at the browser’s web code console shows that the JavaScript handling the progress bar emits a “xD” emote to the browser’s console while running.

Going back to the video, some additional observations were made as the user demonstrates the installation of the downloaded mobile device profile:

Some additional research into the domains listed on the other profiles installed on the user’s device:

  • TTadder[.]com: resolves to 144.217.221.149 (same as above). Domain name registered on 6 February 2020 with the same Namecheap privacy proxy information from above.
  • TDUPGRADE[.]COM: resolves to 144.217.221.149 (same as above). Domain name registered on 17 November 2019 with the same Namecheap privacy proxy information from above.
  • Brawlmod[.]com: domain is not resolving to an IP address at the time of this writing. Domain name registered on 29 April 2020 with the same Namecheap privacy proxy information from above. Of note, the two name servers returned in the whois lookup results are listed as “ns1[.]virused[.]host” and “ns2[.]virused[.]host.” These nameservers themselves are not resolvable at the time of this writing and it is suspected that these name servers were set by the registrar as a result of a malicious activity complaint against the domain registrant.

The video continues on to demonstrate the “install” process following installation of the mobile device profile. The profile adds the “mod” icon to the device’s home screen as what Apple calls a WebClip, using an embedded PNG image, with the WebClip flagged as full screen and non-removable by the user. Apple’s documentation states that a WebClip installed by a profile with the non-removable flag can only be removed by removing the profile itself. The WebClip here links to a subdirectory of the amongmod[.]com website (archive.org mirrored copy). The video’s narrator indicates that the mod must install some “important updates” when the “mod” is opened for the first time. (“It’s completely normal so just click the button Update Now and follow the given steps. After you do it, you will instantly be able to use this mod.”)

Upon tapping the “Update Now” button on the full-screen WebClip, the user is sent to the locked1[.]com site as indicated by the now-visible browser URL bar at the top of the screen. This process was performed on a desktop browser, configured the same as before to simulate a mobile device, to further analyze the background network activity:

While the video narration states that updates must be installed to use the Among Us game mod, the true purpose of the “updates” (and of the aforementioned locked1[.]com website) is to persuade the user into installing applications linked from the presented site. (“…it’s necessary because needs these apps to work properly.”) Three apps are presented on the page. Upon tapping one of the links, the user’s device redirects them to the Apple App Store to install the targeted application, and the narration says that users need to use each app for at least 30 seconds. (“30 seconds is enough time to let the game take the necessary stuff from the app.”)

It is presumed that the stated “30 second” timeframe is given to indicate to whatever backend analytics/promotion tracking system that there is an “active” user with the given app, similar to the minimum view times that YouTube dictates with video advertisements to discern whether an impression (or “view”) actually occurred for the advertisement. The video’s narrator also says that the given timeframe “will give the updater enough time to finish the process,” which is a cover for the 30 seconds required for the app to be considered “active.” I suspect that the true purpose of this scheme is to make money from referrals or advertisements of apps, requiring new accounts or “installs” to occur to yield a payment for the referral or ad. By persuading users to install targeted applications and use them for the minimum of 30 seconds, the scheme operators yield a payment of some form for the referral to said app.

The video goes on to inform viewers that after completing this process for two apps, if the “updater” page (the locked1[.]com site) does not indicate completion, the user “did something wrong” and they should “try one more app;” the displayed web page also indicates this and suggests that the user “try again with different Apps.” (capitalization as displayed on the locked1[.]com site) There is a potential that the referral/advertising/analytics processing built into these targeted, installed apps isn’t 100% accurate or flawless and may result in a failed “acknowledgement” of an active install or user. Additionally, the persuasion for users to install a third app may be artificial and is designed to coerce users into completing three installs (or “referrals”); some may consider this to be an advertising trick related to artificial scarcity or manufactured urgency.

The video concludes with the completion of the mod’s “updater” process and the launch of the Among Us game. Upon close review of the user’s interactions with the device, there are noticeable discrepancies with the user’s finger movements and what is displayed on the screen, suggesting that the WebClip installed by the mobile device profile is playing back a video. Specifically, the “cheat menu” displayed in the “modded” app doesn’t align with all of the actor’s taps and scroll gestures and at one point, the actor attempts to conceal this by frantically tapping a menu item to try matching what is displayed on the screen.

One more note regarding the locked1[.]com site: whois lookup results for this domain share the same indicators as all of the previously discussed domains, except that this site’s name servers point to Amazon Web Services (AWS); the domain resolves to IP address 3.225.87.211, which is indeed registered to AWS. Visiting this IP address directly in a web browser produces a certificate mismatch error, since the site’s SSL certificate does not list the IP address as a subject. Furthermore, the presented certificate was issued for the “appregistration[.]net” domain; the whois record for that domain also shares all of the indicators of the domains discussed previously and, overall, points to a shared operator for all of these sites and the underlying advertising/referral schemes. A quick query of the Shodan database also shows an SSL certificate associated with this IP, but one naming “mobileoasis[.]net” rather than the appregistration[.]net domain seen directly. Of course, the whois record for this site also shares the same information as the sites already discussed.

Lastly, a quick web search of the appregistration[.]net domain led to some direct links to the site, revealing subdirectories and other active advertising/referral campaigns:

With the subdirectory names “filelockers” and “contentlockers,” I think I’ve potentially discovered the names associated with these activities. If these are already well-established categories or names then I’ll admit it’s new to me! (They are: “content locking” and “file locking” are standard terms in cost-per-action affiliate marketing, where the promised download or content stays gated until the visitor completes an offer such as an app install, and the locker’s operator is paid per completed action.) A quick peek at the site source code for these pages found a curious indicator as to who may be operating these schemes:

The whois record for mobverify[.]com lists Namecheap as the registrar, of course it did.

This rabbit hole needs to stop getting deeper, so I’ll end with this: one of the first web search results for “mobverify” led me to a GitHub repository, listing a repository owner named MobClub of Shanghai, China. This is worth more research, I think.

PS: my thanks to Milan Boers for a quick way to pull down a copy of a GitHub user’s entire repository!


Strange Times

TL;DR
Foreign interference in the 2020 U.S. general election won’t blatantly occur on Election Day, but will manifest as additional tension and civil unrest in the following days.

U.S. election interference was anticipated to be a matter of concern on November 3, 2020. At this point in time there are no flagrant indicators that such activity is occurring or has occurred.

In response to public concern about exposure to SARS-CoV-2 (“COVID-19”) through community spread in polling places, many municipalities around the U.S. have expanded and encouraged absentee voting (“mail-in voting”). As a result, a significant number of votes are expected to remain uncounted at the end of Election Day, November 3, 2020.

Municipal and state-level election agencies operate under a wide array of policies regarding the handling of early, by-mail and absentee ballots. As such, there are variances in when state-level election results are finalized and published, and a firm victor in some states may not be known, or announced, for days to weeks. This is not in itself a matter of concern, since the effort spent ensuring an accurate and equitable tally is critical to a fair election. But tensions will fester and grow, state by state, as the time stretches between the close of polls and the announcement of a winner.

With this in mind, it is predicted that these near-certain tensions and frustrations in this year’s election period will be prime ground for foreign influence to insert some sort of manipulation. Social media platforms like Facebook and Twitter already show how misinformation and emotionally targeted messaging can sow division and mistrust, both among fellow citizens and toward institutions (government or otherwise). Tensions from not knowing election results will invite capricious activity from outside entities seeking to harm the United States.

This prediction forecasts that external influences will seek to fan the flames via social media and other free-wheeling communication vehicles to sow and foster division and mistrust. Election outcomes could be manipulated not directly by external malicious actors, but by instilling domestic pressure on election bodies and government organizations to “count the ballots faster,” and possibly even to announce a winner prematurely or end a count early.

The current U.S. election cycle is subject to numerous societal pressures and tensions, and the ongoing pandemic only magnifies people’s frustration and anxiety about the process. Foreign ne’er-do-wells may capitalize on domestic divisions to push an election result in a desired direction, not by direct manipulation of the election itself, but by manipulating the representative bodies of the U.S. through amplification of already high-running emotions among the nation’s populace.

Pressure/manipulate the electorate → the electorate pressures the election institutions → the institutions act with partiality or unequally as a result of that influence


Public-Facing ESXi Hosts 🔥

I was browsing some “recently shared” search queries on Shodan this morning and stumbled upon one for Zoom, which yielded some very interesting results.

No surprise, Zoom has a sizeable public-facing infrastructure presence on the Internet.

One great feature that Shodan offers to analyze search results is the ability to drill down by country and even city. In this case, I took a closer look at the “top cities” for this particular search query.

Potential geographic indicators of where Zoom clusters most of its infrastructure?

The entry for “Dulles” stood out to me as Dulles, Virginia is known for having numerous and substantially-sized data centers due to its proximity to Washington, DC and much of the Federal government’s operations. Standing out in the crowd nearly right away is an endpoint showing indicators of some sort of VMware application.

The SSL certificate metadata for this host lists “VMware” for the organization, warranting a closer look

Drilling down further into this host shows that it was indeed a VMware ESXi hypervisor that Shodan detected. The IP address also maps back to an entity named “Zoom Proxies,” which a quick search showed has no association with Zoom Video Communications, the video conferencing company.

Self-signed certificate for a VMware ESXi installation

A second host with the same indicators was found under a neighboring IP address (216.115.185.163).

Having found the assignee for these addresses and taking a look at the owner’s services, it is presumed that the suspect VMware systems are installed on dedicated servers leased from Greybeard. A closer look at the organization listed on Shodan leads to the Zoom Proxies site:

Proxies not in the sense of regular network traffic, but perhaps for automated purchasing of product from commerce sites

After looking through a few of the pages, my guess is that these folks provide purchasing automation for buying items from commerce sites (Shopify, Supreme, etc., as listed on their site). Perhaps these solutions let an individual spawn multiple “proxy purchasers” (okay, let’s call them what they are: bots) to quickly grab limited-edition items (see YeezySupply, Adidas, and Supreme), in this case with a possible focus on limited-edition sneakers. Other indicators are things like “10 GBPS PORT SPEED,” “100% CLEAN IP[s],” and of course the direct references to working with Shopify, Supreme, and so on. Oh, and it was worth seeing where their main home page/storefront was served from:

Looks like they’re keeping their storefront separate from their production systems, a sound choice.

Anyway, just a friendly reminder to make sure you’re not making yourself *too* available on the Internet. A hypervisor’s management interface, ESXi’s web UI and SSH included, belongs on a management network or behind a VPN, not on a public address where Shodan (and everyone else) can find it.