First, some of them have been arrested and will face trial. If these are the same people, then they are really playing with fire.
Secondly, the domain name is registered to a young firm of coders, but it would be very stupid to risk their firm, as they could be seen as 'co-responsible' for the damage that may eventually be done a month from now (and which will be said to be enormously higher than it is in fact), so it would be astonishing if the firm owners have taken that risk or know they are taking that legal risk (especially as they try to sell their know-how to other firms).
It could also be that their infrastructure becomes the target of 'retaliatory attacks' or even preventive actions (which are illegal, by the way), which could have other consequences for their clients.
Thirdly, whoever convinced them to host this website did not know what he was doing or what the consequences could be.
I understand that you think that you can change the world with a few clicks, that by making big statements under the name of Anonymous Belgium you can feel important, and that you think that you bring the discussion into the media (what discussion? there is no discussion about which sites are blocked and why you think they shouldn't be blocked, and that discussion isn't republished in the media).
Anonymous Belgium will liberate the Belgian internet on the 15th of June? And why you should develop a DDoS strategy
You send a tweet, you set up a short website with some vague text, and you make the VTM news, seen by a million people.
This is the power of the trade name (brand) Anonymous (like Al Qaida, without drawing any link between them). They are banner names for whatever person or group wants to set up or do something that falls somewhat within the action and ideological framework of what Anonymous seems to have been (just as Al Qaida groups together the most diverse range of actions and tendencies).
They will liberate the Belgian web from the proxies a month from now?
How will they do that?
* the easy way: publish daily lists of servers outside Belgium that will circumvent these filters
* the legal way: you distribute a proxy server or DNS server that one can install easily on web servers (just like TOR gateways) and that will redirect the blocked domains to ones that aren't blocked
You can also do that with software that one can install.
The problem is of course that you have to be sure that the software packages stay clean and have no vulnerabilities, so that, as with previous installation
The other problem is that the law on cybercriminality is so vague that one could interpret it so that everyone who is hosting or distributing this is helping a criminal activity (as some of the blocked sites are said to be child porn or illegal gambling sites).
* the illegal way: by DDoSing the Belgian proxy infrastructure with help from external friends or botnets (some of the biggest DDoS attacks by Anonymous were in fact helped for some time by criminally controlled botnets) you could force the ISPs to take down the filters to ensure a full service for all their other (business) clients.
FOR EVERY ACTIVIST IN BELGIUM WHO FEELS HE SHOULD PARTICIPATE in this event: read this carefully.
You can be found, you can be identified and you can be prosecuted and sentenced to fines of thousands of euros, and probably, if this is the action technique that would be launched, some of you will be, to set an example.
NEVER BELIEVE THAT AS A BELGIAN ON THE BELGIAN WEB YOU ARE ANONYMOUS. IF NECESSARY THEY WILL LOCATE YOU (except if you drive to another city and use an open network from your car, until the owner sees his TV and network connections fail, calls the internet company, who will see the interference, and storms out of the house after pulling the plug). What is more, legally you DO NOT HAVE THE RIGHT IN BELGIUM TO USE OR ABUSE AN OPEN INTERNET CONNECTION (people have been sentenced for that).
It is up to you to decide whether this is worth it (I don't think so).
The other problem with DDoS attacks is that Belgium is totally unprepared. I just have to laugh when I read about the big cyberattacks on the federal infrastructure that nearly took down the central portal website of Belgium (belgium.be) and even caused, according to the press, some disturbances in the back-office infrastructure of the website. In total, last year there were 6 DDoS attacks on all of the federal infrastructure. And it shows clearly how poorly prepared they are for this kind of attack.
The other problem with DDoS attacks in Belgium or against some of its infrastructure is that the crisis level will increase enormously if the repercussions are felt in the central internet infrastructure of Belgium. This means that if the central (ISP) infrastructure of Belgium is attacked (as they do the filtering), it will have repercussions for the international firms and institutions located here, and as you have read above, there is no way the infrastructure will be prepared in a month to withstand DDoS attacks.
What can you do?
First, you should use this as an exercise. There are very few occasions to set up a real live exercise in which you can prepare, eventually execute and evaluate afterwards without spending thousands of euros and hours of preparation on consultants and collaborators working on scenarios that look like they could happen or that have happened, but of which you are never sure that this is the way things will evolve. There is nothing better than a real live scenario. You should grab this unique opportunity with both hands to put a test anti-DDoS strategy in place. If in the future you are the victim of a DDoS attack, or feel the consequences of DDoS attacks against others or against parts of a network you are using, then you will be very glad that you grabbed this opportunity and have a strategy, contracts, prices, budgets, procedures, communication drafts, organizational responsibilities and proofs of concept of anti-DDoS products or functionalities in place.
Secondly, do the following practical things:
* ask the website developers to develop a minimal version of the website with only text, no graphics and with the minimal informational functions (or ask how much it would cost). You could use this website as a text-only version anyway, so your money is not wasted.
* ask the communication department to develop standard messages apologizing for the disturbances, to communicate emergency measures in your own network (limitation of the internet connection to only the real business urgencies), to set up internal coordination of the communication and the fast distribution of internal information (for example an internal blog), and an absolute prohibition on communicating anything on the web about the evolving situation (except for the communication department)
* ask the hoster to ready a back-up contract for your hosted websites so that they can have a 'fail-over' backup outside of Belgian infrastructure (it is still better to keep your websites, especially if they hold important data, in Belgium, but you can host the text-only version without important data elsewhere)
* ask the ISP to ready a back-up contract by which you can upgrade the bandwidth of your incoming internet line, and ask for an anti-DDoS protection that can be activated during such a crisis
* ask the legal department to prepare the official demands and complaints to file with the FCCU if you suffer real business damages through (side effects of) a DDoS attack and have to cover your legal responsibilities towards your investors, clients and insurers.
* ask your technical teams to prepare a plan for the technical execution of the monitoring, filtering and gradual activation of all the things above (do they have an anti-DDoS function on the routers or the firewall, or is there a special anti-DDoS infrastructure in place?). Be sure that the technical teams themselves know how to locate and filter DDoS attacks in the monitoring and defending tools and infrastructure, because if Anonymous uses a DDoS technique, then the very few DDoS specialists that this country has will be very busy, and I am not sure that you will be their highest priority.
* buy a few books and read some material about DDoS techniques, also about the new DDoS techniques, because they only need a few pings to bring down a vulnerable Apache or DNS server
* reinforce the hardware and be sure that everything is patched, especially Apache
* follow the web (see our Twitter lists for example) and especially
Oh, and the ISPs: they have a month to get their act together, because I am not sure that they are very well prepared if this is going to be a DDoS campaign, inside out or outside in. They have been relying too much on the omerta in the (even technical) press and the complacency of parliament to invest only the minimum necessary in their security.
Maybe this is a wake-up call.
If anybody had said until a few months ago that the Belgian Privacy Commission would deal with an official complaint about a data leak and would say that the originator of the leak will be fined, we would have laughed and said 'yeah, in your dreams'.
This privacy commission? No way.
Well, they have done it with the NMBS data leak, and they have also said that the NMBS will probably be fined (and the guys of Storify may also have a problem).
The reason is of course that the NMBS did everything wrong they could have done wrong, before, during and after the incident.
Let this be a second warning for the Belgian internet industry: clean up your mess and do the right thing (meaning do things the right way).
This doesn't mean that the Privacy Commission will do this for every leak, and most of the Belgoleaks are for the moment not of that order, except for the secret one of which the name has been communicated to the Privacy Commission (maybe it will put enough pressure on them (and the others in their sector) to invest the necessary resources to protect their networks and data better from now on).
* lists of users
* open configuration settings
The CERT and the Privacy Commission (not every time) have been informed.
The first set is gone.
Next week we will start publishing some of them.
Others will be archived in the leaks or insecure belgium lists.
There are also fundamental questions that we have asked.
We will not send masses of mails to the CERT and the Privacy Commission.
We will send a few mails in which several problems or findings are taken together.
But the small daily Belgoleaks, in which you will find
* old published emails and logins from Belgians (for example on Pastebin)
* listings of email addresses that are published
* information that is available in txt format while normally you would have to copy it one by one
* interfaces that we shouldn't see
* addresses and other information that people seem to have given themselves
* websites that are hacked
* non-strategic websites with no SSL protection or one that is badly configured
* websites that do not fall under Belgian jurisdiction even if many Belgians use them
* data leaks with only a few Belgians
and so on
will be published here.
We will not publish here
* access to passwords
* recently published Pastebin and other publications of logins
* non-strategic data leaks that may nevertheless have a commercial impact
These will be published on Friday or Wednesday, when the CERT has had enough time to contact them to correct the situation or close the site down (for maintenance).
Ransom hacker Rex Mundi had access to half a million data records about Belgians in September 2012 (if you type Rex Mundi in the search form you will find all the information about that and other incidents).
He wanted to publish the data on a Friday, but as we found that a bad idea, we were able to convince him to say who the victim was (so they could take immediate action before somebody did something else), to get into contact with the official handlers of the case and not to publish the information of the (innocent) victims.
At that moment we were totally alone and we tried to do the right thing, but we weren't covered by any handler, contract as 'cyber volunteer' or 'law'. We took an enormous risk in doing this, but the possibility of having information about thousands of Belgians on the web on a Friday was too big a risk (even if some said that that would have been better to advance security, which may be right, but can you look all those innocent victims in the eye afterwards?).
We never divulged the name of the victim on this blog nor to the press, even if they were very curious. We didn't want to start a panic nor to bring it down.
We have now informed the Privacy Commission of the name of the victim of the breach so it could invite the victim to hear whether it has taken enough measures, has implemented enough procedures and now has enough resources to make sure that this doesn't happen again, and that if something happens they may be able to respond better and to do what is in the new guidelines from the Privacy Commission.
And don't ask: we promised not to divulge the name. We hope that on the other side they will be better than the NMBS and won't have the same problem again this or next year.
OK, half a million records is not the same as 1.4 million (although there were many duplicates in it) with the NMBS, but we know that a part of that data is really in the hands of probably Russian hackers, and the victims were not informed, and we are even not sure that enough is done to make sure that this doesn't happen again (this is why we inform the Privacy Commission now).
Because if you are hacked, you will be attacked again until you are hacked again.
We have sent the Privacy Commission, as an answer to their letter, a new list of services that use the RRN as a login.
These are mainly public services from cities (like libraries and recreation services) that are sometimes delivered by service providers and, for libraries for example, are based upon WOPAC.
The problem with the RRN is that if we want to keep that weak UID a bit safe, we have to limit its distribution on the internet and through unsecured systems.
We haven't sent a list of all the services that ask for the RRN in a form without proper protection, because that list would be too long, and it would be more productive to publish security norms for anyone who wants to ask for the RRN for something (and in my book it is better to ask for such specific information behind a secured wall and not on the public part of a website; another advantage is that you can send and back up this information in separate environments that are protected by different security tools according to the degree of protection that is needed).
We know that the ball is now rolling and we will be patient :)
Maybe it would be a good idea to work with the organisations that group all of the cities together, so they could inform their members of the new standards and controls.
yix seem to have the problem so many services have: they launch the service, they don't invest in security services and they don't do any security monitoring, and so they can be abused by virus-ridden websites to redirect users through them to their sites while circumventing the security-checking products that should stop the user.
The great danger for yix.be is that after this test they will become the tool of preference for phishers and malware distributors all over the world and will be blocked as such, and not just specific links.
The accounts are inactive at the moment, but it still seems the other way round; it shouldn't have been possible in the first place, as other redirect services have shown after being the victim of such attacks.
Most of the users didn't notice a great difference when using the site during that short period, but some login attempts and API calls failed, and the sysadmins chose to disable some site features.
"The pattern of the attack clearly indicated that this was a malicious attempt aimed at taking the site down. For example, thousands of separate IP addresses all hammering illegitimate requests, and all of them simultaneously changing whenever we would move to counter," wrote Harvey.
"At peak the attack was resulting in 400,000 requests per second at our CDN layer; 2200% over our previous record peak of 18,000 requests per second. Even when serving 400k requests a second, a large amount of the attack wasn't getting responded to at all due to various layers of congestion. This suggests that the attacker's capability was higher than what we were even capable of monitoring."
He pointed out that the attack was coming from thousands of IPs around the world, which means a botnet was used.
First, most of the users didn't notice anything, but they had a CDN failover infrastructure; without it they would have been dead. (Do you have a CDN layer?)
Secondly, they decided to deactivate certain functions of the website to make it quicker to respond. (Do you have a fallback policy in which you know what you will deactivate immediately when such attacks or too heavy a load are seen?)
Third, they had technicians responding in REAL TIME to the ever-changing attacks, which matters because the attackers then have to change their targets and formats all the time, which makes it easier for them to leave some forensic indications.
If you answer no to any of these three, you are just a sitting duck.
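The preparation checklist earlier on this page (a text-only fallback site, a plan for what to deactivate, technical teams who can locate and filter an attack in their own monitoring) and the three lessons above can be rehearsed offline. The following is an added example, not code from this blog: it reads web server access log lines in combined format, flags any single source over a per-IP limit as a filtering candidate, and picks a degradation stage from the aggregate rate, so that a spread-out flood where no single IP stands out still triggers the fallback. The thresholds, stage names and log lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format: we only need the source IP, the timestamp and the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PER_IP_LIMIT = 100  # assumed: requests per window from one source before we filter it
# Assumed degradation stages (requests per window, highest first): "disable_heavy"
# switches off search/API-style features, "text_only" serves the minimal text site.
STAGES = [(2000, "text_only"), (500, "disable_heavy"), (0, "normal")]

def parse_line(line):
    """Return (timestamp, ip, path) for one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), m.group("path")

def analyse(lines, window_s=10, per_ip_limit=PER_IP_LIMIT):
    """Bucket requests into fixed windows; return one verdict dict per window."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing mid-incident
        ts, ip, _path = parsed
        bucket = ts - timedelta(seconds=ts.second % window_s)
        buckets[bucket][ip] += 1
    verdicts = []
    for bucket, counts in sorted(buckets.items()):
        total = sum(counts.values())
        # The per-IP limit catches a single noisy host; the aggregate rate catches a
        # distributed flood where every source stays under the per-IP limit.
        noisy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        stage = next(name for threshold, name in STAGES if total >= threshold)
        verdicts.append({"window": bucket, "total": total, "filter": noisy, "stage": stage})
    return verdicts

def make_lines(ip, n, t0, path="/"):
    """Constructed log lines: n requests from ip in the second t0 (not real traffic)."""
    stamp = t0.strftime("%d/%b/%Y:%H:%M:%S %z")
    return [f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120' for _ in range(n)]

def sample_log():
    """Four 10 s windows: quiet, one noisy host, a spread-out flood, a bigger flood."""
    t = datetime.strptime("15/May/2013:10:00:00 +0200", "%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for w in range(4):
        t0 = t + timedelta(seconds=10 * w)
        for i in range(20):  # 20 legitimate visitors, 3 requests each, every window
            lines += make_lines(f"192.0.2.{i}", 3, t0)
        if w == 1:  # one host hammering the search page
            lines += make_lines("203.0.113.50", 300, t0, "/search?q=x")
        if w == 2:  # 400 sources, 4 requests each: nobody trips the per-IP limit
            for i in range(400):
                lines += make_lines(f"10.0.{i // 256}.{i % 256}", 4, t0)
        if w == 3:  # 600 sources, 5 requests each
            for i in range(600):
                lines += make_lines(f"10.1.{i // 256}.{i % 256}", 5, t0)
    return lines
```

Running `analyse(sample_log())` gives four verdicts: the second window names the single noisy host for filtering while staying in the normal stage, and the last two windows escalate to disable_heavy and text_only with an empty filter list, which is the case a per-IP rule alone would miss.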
In the last post we mentioned that the Privacy Commission has intervened in a few specific cases in which your RRN was used as the identifier for your LOGON to a website or web service.
They have stopped this kind of practice, which means that you may not use this anymore.
If you are confronted with this kind of practice, please contact us so that we can collect this information, verify it and forward it to the Privacy Commission so that further action can be undertaken (and eventually formalised and generalised).
#belgoleaks is also your business, because it is there to prevent the leakage of your data.
#belgoleaks is the single name for the different anti-leak and no-security operations (the old OPS) that were held before.
One of these operations was #OPRRN, about the use of the RRN as unique identifier for single sign-on. The RRN is a unique identifier of each person, like the SSN in the US, but the number contains so many known elements that only 4 digits are unknown (and even that).
The Privacy Commission is responsible for the use, the rules and the security of the RRN by administrations and private firms, and even if there was a debate in which several persons thought that the number should be public, the majority thought that the risks of letting everybody use this number for everything were too great, because the number is too weak as an identifier (it is too easy to find it) and also because the front and back offices much too often have not enough security and encryption to safeguard them.
But meanwhile organisations were using the RRN more and more, or asking for it in unsecured forms (even without logon and without SSL).
Some even went further and used the RRN as the sole identifier (libraries and sports clubs do this).
Today I have received an official answer from the Privacy Commission which says that in the specific cases that I have mentioned concrete actions were taken, but maybe it is time for the Privacy Commission to state clearly itself that you can NEVER use the RRN in a login, that the RRN cannot be asked for on a public form, that if the organisation wants to have the RRN this has to be done after authentication and in a secure environment, and that these data, like other identifiable and important data, have to be encrypted, and so on....
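To make concrete why the RRN is such a weak identifier (this passage and the earlier one on services using the RRN as a login), here is an added example that is not from this blog. It uses the published structure of the number (YYMMDD, a three-digit serial whose parity gives the sex, and two check digits equal to 97 minus the first nine digits modulo 97, with a leading 2 prepended for births from 2000 on): a valid number discloses the birth date and sex outright, and once those are known only the serial is left to distinguish people. The sample numbers are constructed and correspond to nobody.

```python
from datetime import date

SERIAL_MAX = 997  # serials run 001-997; odd = male, even = female

def rrn_check_digits(base9, born_2000_or_later):
    """Check digits are 97 - (YYMMDDSSS mod 97); births from 2000 prepend a '2' first."""
    n = int(("2" if born_2000_or_later else "") + base9)
    return 97 - (n % 97)

def parse_rrn(rrn):
    """Validate an RRN and return what it discloses, or None if it is not well-formed.

    Simplification: bis-numbers (month offset by 20 or 40) and numbers with an
    unknown birth month/day (00) are out of scope for this illustration.
    """
    digits = "".join(ch for ch in rrn if ch.isdigit())  # accept 85.03.17-123.09 too
    if len(digits) != 11:
        return None
    base9, check = digits[:9], int(digits[9:])
    yy, mm, dd = int(base9[:2]), int(base9[2:4]), int(base9[4:6])
    serial = int(base9[6:9])
    if not 1 <= serial <= SERIAL_MAX:
        return None
    # The check digits settle the century: try the pre-2000 formula, then the 2000+ one.
    if rrn_check_digits(base9, False) == check:
        year = 1900 + yy
    elif rrn_check_digits(base9, True) == check:
        year = 2000 + yy
    else:
        return None
    try:
        birth = date(year, mm, dd)
    except ValueError:
        return None
    return {"birth_date": birth, "sex": "M" if serial % 2 else "F", "serial": serial}

def candidate_count(sex):
    """How many RRNs fit a known birth date and sex: the check digits add no secrecy."""
    wanted_odd = sex == "M"
    return sum(1 for s in range(1, SERIAL_MAX + 1) if (s % 2 == 1) == wanted_odd)
```

A number like 85.03.17-123.09 parses to a man born on 17 March 1985, and candidate_count shows that fewer than 500 numbers (about 9 bits) remain once birth date and sex are known, which is why it must never stand in for a secret.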
For the Dutch-speaking people
Above we could change the password.
Here we can change the date of birth; we didn't.
We could see and change anything we wanted.
It is now only visible in the Google cache.
And as the administrators say that there was and is no problem, we have proof from the Google Cache of 25 March showing what we could do but didn't actually do.
But if you have seen the links and the information, then you know that there is much more to it and much more that could be found out.
The CERT was informed last week but tried to discredit me with some journalist who luckily knows that I am not playing around. More dangerous is that the CERT was saying that they didn't check the information that I sent to them, because otherwise they would be breaking the law, which implies that I am breaking the law, which I am not, because I change nothing, I log in to nothing and I only use Google to find the information.
This means, Privacy Commission, that these are all public data leakages.
A big article about a hacker who attacked .belgium.be and is now facing trial. He is just a kid who wanted to do something Anonymous, installed the LOIC tool and tested it on two targets:
* a local website of a scouts group (that stayed up)
* .belgium.be, the national and international portal of the whole country of Belgium, which is also the national gateway to a whole bunch of online e-services (like taxonweb.be, which uses very confusing web addressing throughout the logon process), that went down
Reread this please (which one went down again?).
So one person with only the LOIC tool brought down the web portal of the country of Belgium. Cyberwar, cyberterrorism and so on.
He says he couldn't imagine that he could have brought down the belgium.be portal, and the effects were even seen in the back office of this very important national service.
I can understand that.
To defend against this, the Belgian government is going to spend 20 million euros (instead of the hundreds that were originally asked for).
I am really impressed by this sense of urgency.
Cyberwar is coming and we are preparing ourselves ..... with words.