10/24/2014

Tripware Freeware Securecheq checks for vulnerabilities in Windows desktops and servers

"

WEAK WINDOWS CONFIGURATIONS

Free tests for typical and often dangerous Windows configuration errors. Microsoft is the backbone of many enterprise networks. Find out if you have weak configuration parameters exposing you to security threats.

REMEDIATION GUIDANCE

Tripwire® SecureCheq™ delivers twenty checks for different security configuration errors and includes detailed remediation guidance on findings.

HARDEN CONFIGURATIONS

Tripwire SecureCheq demonstrates how your systems need to be continually hardened against configuration errors related to OS hardening, data protection, user account activity and audit logging.

http://www.tripwire.com/securecheq/

Permalink |  Print |  Facebook | | | | Pin it! |

VEGA freeware to find sql injections and xss vulnerabilities in websites and apps

source https://subgraph.com/vega/index.en.html

"Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript."

Permalink |  Print |  Facebook | | | | Pin it! |

this is how mobile networks can upgrade to make surveillance more difficult

"Wireless carrier T-Mobile US has been quietly upgrading its network in a way that makes it harder for surveillance equipment to eavesdrop on calls and monitor texts, even on the company’s legacy system.

 

The upgrade involves switching to a new encryption standard, called A5/3, that is harder to crack than older forms of encryption. Testing by The Washington Post has found T-Mobile networks using A5/3 in New York, Washington and Boulder, Colorado, instead of the older A5/1 that long has been standard for second-generation (2G) GSM networks in the United States. More advanced technologies, such as 3G and 4G, already use stronger encryption
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10...

Permalink |  Print |  Facebook | | | | Pin it! |

#ISIS went to the hill to be closer to god and the US helped a bit with that

Permalink |  Print |  Facebook | | | | Pin it! |

10/23/2014

why they will never find who was the commander of the Bende Van Nijvel

* Nobody can speak in Belgium without getting convicted, you can't make a deal here and even if this was the case, Belgium will need to have some partner countries where you could start a new live because belgium is too small to have people live a totally new live without being discovered at some moment in time. 

* as it was clear during the documentary of the RTBF and said time after time again, it is too dangerous to speak because you will be killed, this is what the participants said. If this was the message the gangsters were sending to the world and the people who knew them with their bloodbath it was really efficient. 

* There are at least a million of files of which not all are digitalized (some say that a about a third is) which means that you can't use the computer and the programs to analyze everything that is in the files to look at the 'big data' to get some anomalies out of them or contradictions 

* As it was said during the documentary, the proof has been re-opened and re-used so many times that it is not secure enough anymore to stand up in a court of law. 

* As it was clear in the documentary different factions within the judiciary and within the police departments have different opinions about which way the investigation should go which makes it difficult to make your case in court. 

* Many people have died or have lost memory and it is not clear what is corrrect and what has been deformed, maybe by reading too many articles and books. 

* WNP was initiated by something but nobody had any idea what is was and there seem to be enough layers between the decision-makers and the operatives. So no operative knows enough to have any idea who he may be.  Maybe they should look at it as a spy operation. 

http://www.rtbf.be/video/detail_devoir-d-enquete?id=1965459

Permalink |  Print |  Facebook | | | | Pin it! |

Azerbaijan embassy in Belgium hacked by Armenian hackers

there is a kind of war or nearly war again there

Permalink |  Print |  Facebook | | | | Pin it! |

site of Anderlecht (in France) hacked by Syrian opposition

cleaned now

several embassies were also the victim of this attack

Permalink |  Print |  Facebook | | | | Pin it! |

senniorennet defaced .... next time a virus ?

something with a linkinject that redirects people from the frontpage to this page on which there is an advertisement to win a trip to Spain (for the hackers who got all your passwords in your browser or on your machine)

if you can do this you can do anything

a problem with your apache and administrator rights

Permalink |  Print |  Facebook | | | | Pin it! |

websites of flemish schools can easily be hacked (on tv) because they are not secured

On VTM there was a documentary how youths were hacking servers from their schools to change their results and other notes. The teachers themselves were overwhelmed because they have hardly dedicated ITstaff and they can't keep up with the necessary Itsecurity budgets and tasks. The minister was talking about awareness and blablablablabla

The advantage of this documentary is that the hacker was better protected  than on the VRT in which you could see his face clearly. As he is protected he is a source and as a source the police will find it very difficult to get his name - except if he left somewhere a trace to his own IP address (that is why it should have been done through an IP address of a computer from the Mediafirm).

Secondly VTM said several times during the documentary that this was illegal and that students could go to jail for a few years if they do it again after their first conviction and that it was in fact very dangerous. But at the other time it presented hacking as something very easy. You only had to download some programs and than you attack the site of your school. It looks easy but if you want to erase all your traces to not get caught if somebody files a complaint, than it takes a lot of time and preparation.

Schools do not have at present safe platforms for a number of schools that are managed by professionals. Only these platforms have the scale and the resources to keep the individual sites from being hacked. A cert with a few people for all the schools wouldn't be bad either. They could notify a school then their site is hacked or send practical information out if a patch is necessary and so on.

Secondly schools need to know which information shouldn't be on the web or the network if it ain't worth the risk and they don't have the money to protect it. This is just a very healthy cheap principle. It is maybe not as easy but it is safe and secure and that is what is important.

Third double authentification is the future, the time of passwords is over. There are 1 billion passwords to download on the internet so passwords have no security anymore as a security.

Permalink |  Print |  Facebook | | | | Pin it! |

if you are paranoid enough, this is how to hide from the NSA

"Strong, non-NSA backed crypto primitives. I’m a big fan of NaCl because it’s fast, constant-time, secure crypto that doesn’t rely on anything backed by the NSA. To make it easier to use, it’s made portable (and extended) in libsodium. I won’t promote anti-NIST FUD, but some things should be questioned, such as the NIST ECC curves.

  • Minimal metadata. The amount of information that can be extracted from messages should be at a minimum. Anything that’s exposed (username, user ID, public keys, etc.) can be used when collected en mass to begin mapping relationships and undoing the veil of anonymity.
  • Encrypt everything in transit. As with metadata, anything in the clear going over the network can be captured, stored, analyzed - and in targeted cases, altered in various ways. Using TLS is a great start to this, as it removes the option for simple passive monitoring, though it shouldn’t be assumed to be enough. Active attackers can man-in-the-middle the server, passing a forged/stolen certificate. Certificate pinning, and additional layers of encryption help protect against these attacks.
  • Server knows as little as possible. The more the server knows, the more the provider(s) can divulge - either by court order, or by more clandestine means. Even the simplest HTTP server logs can provide valuable information to such an attacker, especially when combined with other data sources.
  • Encrypt everything in storage. When at rest, everything should be encrypted - if a device is compromised, it should reveal as little as possible. By encrypting everything based on the user’s password, only the user is able to access the data (though may be by force).
  • Hide everything. The CIA at least once used a weather application to hide a communication system; it was only available when looking up weather for a certain city. Such techniques make it harder to spot the use of secure communication tools. This may seem a bit extreme, but there are good reasons to do it.
https://adamcaudill.com/2014/10/19/on-nsa-proof-security/

Permalink |  Print |  Facebook | | | | Pin it! |

this is how big and completed a fake celltower doesn't look like to intercept your phones

You can place it anywhere in fact as long as you have power

http://www.newsobserver.com/2014/10/18/4245744_charlotte-police-investigators.html?rh=1

it is used in the US by several police stations and explains in some states that researchers have found rogue telephone towers that asked you to connect to them as if they were the real cell towers.

so next time why would they have to hack Belgacom to trace some cellphones ? Why bother ?

The Belgian privacycommission has been informed by Belsec that several of these installations are in Belgium according to international reports and that is illegal according to Belgian law if they haven't been certified for that.

Permalink |  Print |  Facebook | | | | Pin it! |

the oldest hacking method brings in enormous cash because everybody forgot about his phones

"Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives. It would have taken 34 years for the firm to run up those charges legitimately, based on its typical phone bill, according to a complaint it filed with the Federal Communications Commission.

The firm, in Norcross, Ga., was the victim of an age-old fraud that has found new life now that most corporate phone lines run over the Internet.

The swindle, which on the web is easier to pull off and more profitable, affects mostly small businesses and cost victims $4.73 billion globally last year. That is up nearly $1 billion from 2011, according to the Communications Fraud Control Association, an industry group financed by carriers and law-enforcement agencies to tackle communications fraud.
http://www.nytimes.com/2014/10/20/technology/dial-and-red...

these attacks on your pbx also happen in Belgium and there is very little you can do about it if you didn't place a firewall or some very specific infrastructure before it and strict controls and real-time alerts on it

we always forget about our telephone infrastructure but we forget that they also can be used to penetrate networks and they can be used to deroute communications (sometimes in a circle so that investigators will never find who is the real victim or target) and telecom operators don't pay back and you aren't insured for this either so all that money is lost

Permalink |  Print |  Facebook | | | | Pin it! |

#ukraine denies Der Spiegel desinformation about BUK missiles and #MH17

we have published here time and time over again all the information that has been published by specialists since long time that the BUK came in from Russia and there is all the photographic evidence to proof it.

But the propaganda and intox campaign of the masters of the Kremlin is as good as even when it comes to the western press who just copy-paste without verifying or critically researching information before researching it.

And this strategy was even foreseen from the beginning directly after the disaster.

“We have clearly stated that all our missile systems, including their personnel, were not present in the area of the tragedy,” Ukraine’s Ministry of Foreign Affairs spokesman Yevhen Perebyinis told DW on Monday, October 20.  “Statements that  militants had seized Ukrainian missile complexes do not conform to reality since all these systems had actually been moved in advance. We find it strange to hear conclusions that the militants had used Ukrainian missiles,” he said.

 

Similarly, Ukraine’s Ministry of Defense in an official statement posted on its website, October 20, has categorically denied claims that terrorists had seized the BUK-M1 (NATO code: SA-11 Gadfly) anti-aircraft missile system from a Ukrainian military unit.

 

“Certain media citing the German magazine Der Spiegel have been disseminating information that the Malaysian passenger plane, flight MH17 , flying over the Donetsk Oblast had been downed by a BUK anti-aircraft missile system seized by pro-Russian separatists from one of the Ukrainian military units. The Command of the Air Force of the Armed Forces of Ukraine officially states that information on the seizure by terrorists of the BUK-M1 anti-aircraft missile system from a military unit of the Air Force of Ukraine is not true,” the Ministry’s statement said.


http://euromaidanpress.com/2014/10/22/ukraine-asks-german...

Permalink |  Print |  Facebook | | | | Pin it! |

the german drones can't be used in Ukraine because.....

yeah you read it

they will never go to Antartica

http://euromaidanpress.com/2014/10/19/bundeswehr-german-drones-are-not-suitable-for-the-osce-mission-in-ukraine/

Permalink |  Print |  Facebook | | | | Pin it! |

the military ships of the future don't look like ships

In fact they are constructed to survive in electronic warfare attack and to keep attacks off that try to intercept communications (Tempest)

If in the next war you can't defend yourself against the electronical signals and protect your own, than you have lost, no matter how big your bomb is

by the way Russia is building an enormous Electronic warfare base in Kalingrad the Russian enclave that oversees the baltic sees (he is sending a few hundred electronic and cyberwarfare soldiers there)

Permalink |  Print |  Facebook | | | | Pin it! |

#gamergate:how a small bunch of online SS-style bullish trolls bring down big gamessites

These big gamers sites are all about the money, about having advertising and the advertisers all want to be hip and cool and not be embroiled in an online war between young women who happen to be gamers but of a different kind (even if professional gamer specialists say that women are the new market as the men market for gaming is already totally conquered and every industry looks for enormous expansion to be able to invest and develop and grow and diversify)

but as they didn't win on the public forum about the place that women couldn't have in their gamers environment, they went on the attack against the firms who often lack the moral courage to withstand public campaigns and fight for the freedom of each to live, speak and breath whatever the sex, religion, race or political opinion

"On October 1, the computing giant Intel pulled its ads from Gamasutra, a trade website for game developers, over an essay called "'Gamers' don't have to be your audience. 'Gamers' are over" by a journalist named Leigh Alexander. Intel had been successfully harassed by a small, contemptible crusade called "Gamergate"—a campaign of dedicated anti-feminist internet trolls using an ill-informed mob of alienated and resentful video game-playing teenagers and young men to harass and intimidate female activists, journalists, and critics.

Unable to run Alexander out of game writing, as they had with the writer Jenn Frank, or force her from her home, as they did to the developer Brianna Wu, or threaten her from public engagements, as they did the following week to the critic and activist Anita Sarkeesian, Gamergate went after her publisher. And, in an unbelievable and embarrassing act of ignorance and cowardice, Intel capitulated. The company's laughable "apology," released late on that Friday afternoon, didn't cover up the fact of Gamergate's victory: Intel was not replacing its ads.
http://gawker.com/how-we-got-rolled-by-the-dishonest-fasc...

And other advertisers followed suit and those big gamer communities are losing hundreds of thousands of dollars. But now it is time for the others to go back on the offense against the firms who didn't stand firm, who didn't defend our and your freedom and let the bullish gangs cry victory. Even in Football stadiums girls and women go with men to see the match and support their teams together. There are even women in the police, the army and other professions that were before solely for men. Why should gaming be different ? And every woman working for firms like Intel or buying products from Intel or distributing them should tell Intel they were wrong because by withholding their advertising because of a gang of people who have no respect for the rights of others they go against any moral leadership they claim in all of their social responsability ads.

If women can be no part of the community there is no community.

 

Permalink |  Print |  Facebook | | | | Pin it! |

10/22/2014

hacking the announcement screens in a Belgian train

well there are only two ways

or you have only fysical access and that means that you have to open the door and type a new message in

or it works wireless and than you have to observe the kind of system, look up the administrative password that probably will still be the same and than you log on with your wifi (look at the logons if you keep that) and set the message

Stefaan is shit

I'll have a look at it tomorrow in the train :) and report back to you later

if I got more info (anybody knows the name of the system ?)

Permalink |  Print |  Facebook | | | | Pin it! |

some belgian servers that use SHA1 that can be used to make a fake certificate

this one is used by millions

 

and so on and so on and so on

but others are doing the right thing by disactivating SHA1 like Belgacom - nice

Permalink |  Print |  Facebook | | | | Pin it! |

naughty users of sextoy site leaked

well now you will be the joke

maybe you need a spank

Permalink |  Print |  Facebook | | | | Pin it! |

massive attacks against flashplayer - patch now

"Regardless of where the exploit came from, users who have not yet installed the latest Flash Player updates should do so as soon as possible; especially companies, where automatic updates are typically disabled and the patch deployment process takes longer.

 

Windows and Mac users should update to Flash Player 15.0.0.189, or 13.0.0.250 if they’re using the extended support release. Users of Flash Player on Linux should upgrade to version 11.2.202.411. The Flash Player plug-ins bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will receive patches though the update mechanisms of those browsers.

 

Adobe also released updates for its AIR application runtime and software development kit (SDK), since the program bundles Flash Player.
http://www.pcworld.com/article/2836732/one-week-after-pat...

Permalink |  Print |  Facebook | | | | Pin it! |

1 2 3 4 5 6 7 8 Next