• Book Security Metrics by Andrew Jaquith

    This is one of THE BOOKS OF THE YEAR, because once you have read it you will go to your vendors and ask them for stats, you will go to your tech people and ask them for stats, and you will know which stats to ask for and what to do with them (or not).

    No, not the stats that all the accountants and very expensive consultants are talking about. Not the numbers that mean nothing but are there because some insurance company still believes the metrics from the real world are usable in the online world. No: real, everyday stats for your network and defenses that give you, in a dashboard, a good and complete overview of where you are, where you ought to go and how much you still have to do.

    This book makes you fly like an eagle in the sky.

  • Tags are streets in the chaos of the blogpostings

    I have put some tags under the different postings, and the tagging of the posts will be done by the admin. This is to keep a blog where different people write a bit coherent. If tagging is done consistently it can serve as a guideline and organiser of the different snippets that are blog postings. If anybody writes anything as a tag it is just dust, rubbish and clutter.

    The organisation of the tags can be found at your right.

    You will see that the postings in Dutch are grouped together.

    You can also follow our daily Google hacks

    and the books (every week a few new ones).

    Later on I hope to be able to group the tag of the Belgian Security Bloggers.

  • New project - NEED ASN numbers for Belgian Anti phishing Feed

    I had asked PhishTank several times for something. PhishTank publishes phish servers all over the world (those bogus login sites that people click on without thinking) and tries to take them down, using a community to bring them down. I didn't have the time to go over there daily to check whether there were Belgian servers, so wouldn't it be a good idea to have a newsfeed that you could narrow to your own country, region, ISP or whatever? They did it.

    Now I have already collected several ASN feeds for Belgium, but I am sure that I am missing a lot of them. I am putting them together in one collected feed so that it can be used everywhere as an automatic update, and hosters, ISPs, banks and police can bring the servers down very fast. Such a server in fact needs to be brought down at the latest 3 hours after it is set up.

    This is the first proof of concept.

    These are the feeds I've already put into it:

    http://rss.phishtank.com/rss/asn/?asn=6848  telenet
    http://rss.phishtank.com/rss/asn/?asn=12392 Brutele
    http://rss.phishtank.com/rss/asn/?asn=3304 Scarlet
    http://rss.phishtank.com/rss/asn/?asn=1891 Scarlet
    http://rss.phishtank.com/rss/asn/?asn=8733  UPC

    You can send me the rest that I need. I hope to have the feed running here from next week on. I would sincerely thank you if you helped me.

    The list of Belgian ASNs would also be used for other such projects we are thinking about.

    For the people from other countries: first you go to phishtank.com and type in the ASNs of the ISPs of your country, then you put the feeds together in Yahoo Pipes after you have taken a Yahoo email address. That feed you can publish as an RSS feed or as a webpage and distribute to ISPs, banks and police services.
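    The same pooling can be scripted instead of done in Yahoo Pipes. The block below is an added example (not code from the original post, nor from PhishTank or Yahoo): it takes one RSS 2.0 feed per ASN, drops duplicate URLs and emits one merged feed; the two feeds in it are constructed sample data with placeholder URLs, not real PhishTank output.

```python
# Added example (not from the original post, nor PhishTank's or Yahoo Pipes' code):
# pool one PhishTank-style RSS feed per ASN into a single national feed, dropping
# duplicates, as the post does with Yahoo Pipes. The feeds below are constructed
# sample data with placeholder URLs, not real PhishTank output.
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feeds keyed by ASN; "phish 102" appears in both so the
# deduplication is exercised.
SAMPLE_FEEDS = {
    "6848": """<rss version="2.0"><channel>
<item><title>phish 101</title><link>http://phish.example/a</link>
<pubDate>Mon, 05 Nov 2007 10:00:00 +0000</pubDate></item>
<item><title>phish 102</title><link>http://phish.example/b</link>
<pubDate>Mon, 05 Nov 2007 12:00:00 +0000</pubDate></item>
</channel></rss>""",
    "12392": """<rss version="2.0"><channel>
<item><title>phish 102</title><link>http://phish.example/b</link>
<pubDate>Mon, 05 Nov 2007 12:00:00 +0000</pubDate></item>
<item><title>phish 103</title><link>http://phish.example/c</link>
<pubDate>Mon, 05 Nov 2007 09:00:00 +0000</pubDate></item>
</channel></rss>""",
}


def parse_items(asn, rss_text):
    """Return the items of one RSS 2.0 feed, tagged with the ASN it came from."""
    items = []
    for item in ET.fromstring(rss_text).iter("item"):
        link = item.findtext("link", "").strip()
        if not link:          # nothing to take down without a URL
            continue
        items.append({"link": link, "asn": asn,
                      "title": item.findtext("title", "").strip(),
                      "pubDate": item.findtext("pubDate", "").strip()})
    return items


def merge_feeds(feeds):
    """Pool all feeds, keep the first sighting of each URL, newest first."""
    seen = {}
    for asn, text in feeds.items():
        for it in parse_items(asn, text):
            seen.setdefault(it["link"], it)   # same phish may sit in several ASN feeds
    return sorted(seen.values(),
                  key=lambda it: parsedate_to_datetime(it["pubDate"]),
                  reverse=True)


def build_rss(items, title="Belgian phishing feed (merged)"):
    """Serialise the merged items as one RSS 2.0 document for redistribution."""
    rss = ET.Element("rss", version="2.0")
    ch = ET.SubElement(rss, "channel")
    ET.SubElement(ch, "title").text = title
    for it in items:
        el = ET.SubElement(ch, "item")
        ET.SubElement(el, "title").text = f"[AS{it['asn']}] {it['title']}"
        ET.SubElement(el, "link").text = it["link"]
        ET.SubElement(el, "pubDate").text = it["pubDate"]
    return ET.tostring(rss, encoding="unicode")
```

    Calling build_rss(merge_feeds(SAMPLE_FEEDS)) yields one feed with three items; in practice the feed texts would be fetched from the per-ASN URLs listed above.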

  • Belgian Google Dork Nr 4 find local source of file

    intext:file:///C:/Documents and Settings/ site:be

    You will find links to documents that will tell you the name of the person, the folder and the program it was made with: all you would need for a targeted attack, without leaving a single trace with your future victim.

    You should always clean your documents of all unnecessary information.

  • Blackhat physical device security by Drew Miller

    This book by Syngress (2005) is an excellent book, not because of the title but because of its very detailed and excellent explanation of the main principles of secure programming (even for embedded systems). I understand why they chose the title, because the author thinks that physical device security is first and foremost the embedded software, while it may also be location and hardware change control (hack a Vista by changing parts of the hardware).

    It is a very good book for programmers because it shows in depth that you can't talk about secure programming without validation, authorisation and encryption, and that for every piece of code and every process, however small it may be.

    I presume that it would be legally too difficult to write a real book about black hat physical device security. It would however destroy so many popular premises that people would start to take notice. If people knew how insecure their wireless alarms and their credit cards were, they would be more on their guard and the industry would have to be more stringent.

  • Google hacking for penetration testers by Johnny Long

    This book is in its third edition, I've read somewhere, and it won't be its last, even as Google is very timidly trying to limit the number of malicious searches (they could do much more) and even if Google hacking only shows a very limited part of the online vulnerabilities. The forum by Johnny Long that started it all isn't too active anymore, and every exploit now has a Google search string adapted to it. Some worms even use Google to find infectable computers.

    Some parts of the book may be dated, but it remains an essential handbook for the security people around here. The most important thing is not only copying the lists of useful searches but learning to think like a hacker who is using Google to do some discovery searches. There are automated tools for some of the searches, but only the human eye and mind will find the little snippets that have to be put together to arrive at a Google dork that may show you the list of vulnerable sites you were hoping for.

    PS: It has some very useful scripts for Google hacking that you can install for your security work.

  • Not surprised people get hacked if they have vulnerabilities that are from 2005

    The last few days, sites with the open source PHP calendar from JAX got hacked, well, injected with an event that said they were hacked. Big deal. Stupid trick. No more harm done. But Secunia.com published the cross-site scripting bug in 2005: http://secunia.com/advisories/16333/

    So shouldn't you read the exploits and vulnerabilities before you install something, even if it is free? It is not because it is free that it is free of bugs and exploits, even if the propaganda says it should be more secure because "the community" can check and correct it. They don't have the time to check and correct everything, so don't assume they did.

  • Belgian Google Hack NR 3 IIS5 (part I)

    We all remember that the sub-website of antwerp.be that was hacked was running the old and defunct IIS 5.

    We said that it was time to upgrade to IIS 6 because you can't defend an old server like that.

    This is one way in Google to find IIS 5 servers running in the Belgian domain:

    googlebot-com Server_Software Microsoft-IIS-5.0 "HTTP_FROM googlebot " site:be

    No big sites, just a first warning.

    If I can Google it, the hackers can, and Googling ain't illegal.

  • We have only each other to protect ourselves

    The Belgian government that is minding the store for the moment didn't do anything worthwhile about the cybersecurity infrastructure in Belgium, and the one that is being formed seems to have other problems.

    The administrative and technical people who are for the moment watching over the net have neither the manpower nor the legal possibilities to do what they would have to (and want to) do.

    We as a community of network defenders have only ourselves and each other to protect us against the daily avalanche of insecurities and attacks. Nobody is going to do it for us. We have only each other, and if we cooperate better, we can maybe protect ourselves better.

    We can begin by communicating and exchanging contacts and information.

  • Control your site - these are hacking tactics

    ........./dealersite.asp?pageid=.......  text can be injected through this parameter

    Redirects are also being inserted so that every visitor is sent to http://je0pardy.org/  this is the case for forums (phpbb2)

    Pages that are added to sites: yaser.html or images/infaz.htm or infaz*.txt or free.htm

    Insertion is possible in the PHP calendar script Jax Calendar v1.34, by Jack (tR), jtr.de/scripting/php

  • Belgian Google Hack NR 2

    These are Google hacks that have results on the .be domain.

    If the Google results are old you should take a Google account and clean out your cache so the information is not visible anymore.

    "access denied for user" "using password" site:be  (replace be with your own domain)

    There is far too much information in it. You can find website structure, admin pages, coding names, hidden folders, user names and so on.

    Nothing too dangerous, but you shouldn't publish all this.

    The only rule is that any error should redirect to a 404 page with "something went wrong, we know, try again, your problem is logged" and nothing technical: no case information, no names, nothing, NOTHING else.

  • book Botnets by Schiller et al.

    Syngress, 2007

    You have to read this if you are in the first lines of defense of your network, or just running around cleaning up the mess that our ISPs let through to our networks and users. Belgium has its fair share of botnets and botnet traffic and is internationally very poor in cleaning them up, according to shadowserver.org.

    The book gives you all the necessary information to set up some open source tools to monitor your traffic, and explains how to analyse botnets themselves (as they are more and more tailored to a specific task or environment). Some of the information is already dated, but the fact remains that if we chased botnets the way paedophiles are chased online we would have fewer of them.

    You would still need some books about patch management, IDS, network sniffing, log management, firewall management and forensics to have a detailed view before attacking your internal and external botnets.

  • book Network security assessment by Steve Manzuik

    Network Security Assessment by Steve Manzuik, Ken Pfeil and Andre Gold, Syngress (2007), is a book that more or less does what its subtitle says: it gives you a kind of rough methodology, a procedure to go from vulnerability to patch. The subtitle should therefore have been the title, because a software vulnerability assessment is not a network security assessment. A network can be insecure for hundreds of reasons; software vulnerabilities are only one of them and are not always the most important.

    I also somehow have the feeling that the book could have had far fewer pages, and that at the end they were just repeating themselves or giving information that should have gone online (index of software distributors). The same problem applies to the description of the software tools they selected for vulnerability or patch management. You can't describe in a book in detail how a tool works, because by the time the book is published the software has changed or isn't even available anymore. There should have been more information about how to set up scans and rescans and methodical tracking of the situation on the net, on the firewall and on your network.

    It is a good book to start with if you don't have a clue how to set up an inventory, start a vulnerability scan and plan your patch management, but you will have to buy a few more books to have a network security assessment.

    belsec is not linked to any publisher or online bookseller

  • quote : PCI is there for the banks, not for the users

    PCI focuses heavily on protecting a credit card number throughout its life cycle. It does not address protecting the customer's personal data associated with that credit card number.

    from Network Security Assessment by Steve Manzuik et al., p. 225

    PCI is the security standard every website that wants to use credit cards for its online transactions should follow.

  • How to make your own hacked domain inventory (for your country domain for example)

    The first principle is that the less work you spend on this project, the better.

    The second is that you won't have to pay anybody a thing.

    You go to www.furl.net and you make an account. In your subjects you make a category, for example hacked-fr or whatever. You go to tools and you install the toolbar.

    Secondly you go to www.zone-h.org and you go to the digital attacks archive. There are two of them. The first you do is the 'on hold' one. At the top you set up the filters and you ask for your domain. A list of websites will come up. They won't all be hacked; there is some bogus traffic, or zone-h.org was too late to take a screenshot to confirm. You put your computer in higher defense (at least with a script and download alert) and you open the sites in the list that you see (to confirm). The saved copy is not safe; you will still need your defenses because the scripts continue to work, it is not a screenshot.

    For each website you go to your furl button, furl it and save it to your category (which is also an RSS feed, although they seem to break it during their updates from time to time). The screenshot here is safe because the scripts don't work.

    When you have done those fresh ones, you go a bit further up for the newly confirmed ones.

    Afterwards you go to www.turk-h.org. You will see at your right a box with the word domain under it. You type in the extension of your domain. The search function doesn't work well, so you will have lots of other sites in between, and the site is sometimes slow. You can also check the unconfirmed ones in the 'on hold' category at your left. The advantage of this site is that some hackers were fed up with the on-off status of the zone-h database and wanted to create their own. Some sites are only mentioned here.

    The third method is googling. The simplest is 'site:.extension hacked by' or 'hack' or the name or address that you have found in the defacements. You can also look at the names of the pages they are adding to sites and try to search (advanced) for those names in the URLs. You will see that Google lists many sites as hacked even if they aren't anymore (look at the cache). This is why any administrator should have a Google account for his website, so he can clean the cache fast if this happens. This step takes time. But it makes the difference.

    If you publish an inventory of hacked domains for a domain extension, let me know, I'll link it. The advantage: after around 6 months you start to get a feel and see whether things are nervous or not, what is important or not, and how they are doing it. You will even see which hosters are crap.

  • lessons from the first anti belgian Turkish hacker campaign

    A few weeks ago, after Turkish nationalists rioted in the streets of Brussels, we discovered a series of hacked Belgian sites that announced a massive Turkish hacker campaign against our infrastructure as a protest against the so-called police brutality during those riots. We put the warning up and it set off alarms. A week later more than 100 Belgian websites were defaced by Turkish hackers, but it could have been more.

    There is always a certain amount of bluff in these claims. Although the defacer claimed to belong to one of the biggest and most dangerous Turkish hacker clans, it became clear that the other members or cells didn't follow this 'everything against Belgium' strategy. The level of hacked .be sites fell back to the 'normal' level of around 5 to 10 a day at the max (of those that are found).

    We don't know if this is a prank, a loner or just the start of something. We only see snippets of information that can be confirmed or not (if you have information, post it below as a comment, or ask for a blog account to keep us posted in real time if necessary).

    We can only hope that the other cells or members of the Turkish hacker community see the stupidity of his political message, and even more of hacking innocent websites to distribute it. And if it is a prank, we hope that they won't retaliate by re-hacking the hacked sites or hacking more sites to publish their denial.

    We are not panicking. We are not saying every site will be hacked and attacked and there will be nothing left of the Belgian internet. We are just saying: watch the logs of your websites, and your websites themselves, several times a day, and be sure that everything is patched and secured. Especially if you were already hacked before (as 700+ others were). Just be on your guard.

  • Alert New anti-belgian Turkish hackercampaign in support of Vlaams Belang (they claim)

    Today festivalduriredebierges.be was hacked; this is a kind of humour festival. I am not sure that they can laugh about this practical joke ..... (http://be-hacked.skynetblogs.be)

    But after some laughs, it seems Belgian sites are being defaced (we had a feeling this was coming....) because a Turkish hacker clan (or those who claim to be part of it) is supporting Vlaams Belang (separatist right-wing, 'sometimes called racist', Flemish party). The admins and security people of Belgian websites may go to the trenches now to inspect the security of their installations and check the logs very often, or to correct the damage (if it is hacked, get it offline, upgrade it and take your time to do it as it should be done).

    If you are in the list of 725 servers that were hacked in the last year, then you will be attacked again, and if you haven't upgraded your security you will be hacked again.

    This is the text:

    As AYYILDIZ TEAM we support rightist Vlamms Belangs (VB) Party.

    We are at the side of freedom.

    You Belgium see Flemish as third level citizen, while they want there freedom and independent.

    Do not just ignore it, we are warning you in the Virtual world and we can let you pay for this.

    As Turkish, we are next to our Flemish brothers. We are always with Vlaams Belangs (VB) Party.

    We are calling all our Flemish friends for protest and for a walk.

    Always, and in all ambient watching the benefits of its country and the one challenging, VirtualWorld Only Cyber defense Group AYT, is now asking Belgium...

    “Into how many pieces are you going to be seperated?, The words which you used against Turkey for Human rights, how will you implement it for your people?

    For years, you have tried to impose Turkey, now you felled to the same situation, see how it hurts...

    Maybe this will be a nice lesson for you so next you wont interfere on other countries Internal works.

    Virtual Worlds Soldiers

  • What does a security researcher in Belgium do with his information?

    He should even deny he has any information of that kind.

    He can try direct contact, but that is risky (you depend on the goodwill of the other party, and if that one is too pissed off or paranoid he can sue you and you may say goodbye to anything in IT). Also, as proven in the first period of the index of Belgian hacked sites, even sending an email didn't help much, and getting hacked servers used for phishing taken offline was even more paranoid and tricky. The proof is there: only a few of the hacked servers were cleaned up after their publication on http://be-hacked.skynetblogs.be

    We live for the moment in a cybercountry of irresponsibility. Nobody is responsible. Not the hoster, not the ISP, not the programmer, not the web designer or maintainer, not the owner, not the domain owner, no, it is always somebody else....

    We hope in the coming weeks to have a few announcements to clear this up, so that we have a drop-off address where this kind of information can be left without risk.

  • Why you should check your sites in Google and not be the only BAD site

    In this article (Dutch) a Dutch IT security blogger describes what he can do with a certain Google hack (a specific search form) and which internal information of the printer was published. We checked .be domains; in fact that printer is the only one Google found with such a BAD configuration. I know that with homeworkers and so on, printers, faxes and other multifunctionals have to be made accessible to outside workers, but what about authentication, control and monitoring?

    That is why you should Google yourself and look through every link; eventually you should take some long links and try to do some directory surfing. It is not because it is not in Google that it is not accessible. But blocking some things is only a good start. You don't have to make it too easy for the guys to find your vulnerabilities.

  • shadowserver shows the daily belgian botnet traffic

    These reports are based on all the active and inactive Command and Control (C&C) points that we have tracked and are currently tracking. The columns are defined as follows:

    • Number - 78 C&Cs hosted within Belgium
    • Closed - 38% of the C&Cs are now inactive
    • CC DDOS - 119 DDoS attacks issued from those C&Cs within Belgium
    • CC Scans - 7878 scans into other networks issued by the C&Cs from Belgium
    • CC CHosts - 27 successful compromises completed by those C&Cs within Belgium
    • TGT DDOS - 120 DDoS attacks that were targeted at Belgium
    • TGT Scans - 44843 scans that were targeted at Belgium
    • TGT CHosts - 793 hosts compromised within Belgium, with about 7557 URLs or domains

    GeoLoc  Number  Closed  CC DDoS  CC Scans  CC CHosts  TGT DDoS  TGT Scans  TGT CHosts  URLs
    BE      78      38%     119      7878      27         120       44843      793         7557