• The misleading Googlehack download websites

    There are tricks to find music, films and books with very specific searches; there are online search engines, freeware tools and lists of Google dorks for it.

    But the normal download websites have understood that part of their traffic now goes there, so they have adapted their sites to look in Google like a Googlehack index page, while in reality they are just fake fronts for their normal website, where you have to download after clicking link after link after link...

    An example http://www.mp3-spider.com/Marilyn+Monroe/Golden+Hits/

  • Book review: Hacking Exposed Web 2.0

    2008, by Rich Cannings, Himanshu Dwivedi and Zane Lackey

    Some remarks after closing the book.

    * I didn't know that Flash applications were that powerful and dangerous, and even more so when combined with DNS rebinding (defeating the browser's DNS pinning).

    * XSS seems to be only at the beginning of its road into the networks and into the interactivity of websites. The possibilities seem endless.

    * ActiveX needs to be secure or not allowed. Period.

    The book gives a lot of code; it is nearly a manual for attackers. It also gives a lot of tips, but these seem far less ordered and structured. What I mean is a procedure of things you should have done and tested, a kind of checklist.

    Another weakness of the book is that there is a lot of attention for the security firm of the authors and not much for other initiatives, but I presume you also read other books, so this wouldn't influence you too much, would it.

    I wouldn't read it as a first introduction, but if you have already read some material about hacking web 2.0 applications, then this should be your next book. And if they aren't convinced yet that you need a web application firewall and a more static website without Flash, ActiveX and the lot, then you throw this book at them.

    I find it, in fact, a depressing book. Maybe we should send these books to all the hypers and investors of web 2.0 to show them that the possibilities are unlimited.... for hackers.

  • Links for today

    http://www.furl.net/item/31065315  Fox lost millions of personal records because of Google hacking and a sleeping administrator

    http://www.furl.net/item/31065289 Good habits for UNIX

    http://www.furl.net/item/31065250 New features for Windows Server 2008

    http://www.furl.net/item/31065010 Twitter was something geeky before but is becoming the fastest news and information medium around. Will have to set it up for intrusion and cert alerts one day.

    http://www.furl.net/item/31065004 Obama uses Facebook for his campaign, but there are lots of other campaigns that can use it. Only try to respect the privacy of your members better than Facebook does.

    http://www.furl.net/item/31064447 Facebook started cleaning up the pages of the persons who said they were Sarkozy or Bush or whoever. Facebook is personal. Maybe someone has to set up a spoofbook with spoofed pages. In Morocco someone got convicted for doing this.

    http://www.furl.net/item/31064730 the top 100 analysts blogs

    http://www.furl.net/item/31064431 Data portability is another hot topic. Let the data flow, security will come later. Will it ?

    http://www.furl.net/item/31064271 As another post says that linking is not journalism (and has some copyright issues), this post says that Digg is making us dumber because it hypes things too much. Another posting says that Digg and Wikipedia are controlled by a small minority. This is why I have 2000 RSS feeds. Never trust one source.

    http://www.furl.net/item/31064112 Your cell phone will show when you are approaching a speed trap on the highway, even if they relocate them so often.

    http://www.furl.net/item/31063977 The impact of humans on the oceans, an amazing visualisation of an enormous stock of data. What would the same technique give if we used internet usage data worldwide? The impact of the internet on communications.

    http://www.furl.net/item/31060876 this is an online webpagemaker the web2.0 way. So easy even a kid can do it (if they are not already on Myspace or some other space).

  • Today is the 29th or leap bug crash day for some

    Some software and machines won't work today because they can't handle the date. The 29th of February is an old problem that comes back every four years, and it is proof of sloppy programming: a leap year is not simply every year divisible by 4 (1900 was not one, 2000 was), and code that adds a year to 29 February without checking the result has to decide what to do with the impossible date.

    If you have problems, you should contact your software provider.

    In 2000 a system of the Australian Immigration service crashed, as did systems all across Japan (including one in a nuclear facility).

    Microsoft about the bug

    http://www.currybet.net/cbet_blog/2008/02/leap_year_errors.php
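    As an added illustration (my own code, not from the posts linked above), here is what the recurring bug usually looks like next to the correct rule, plus the "add a year to 29 February" case that typically crashes: Python's date.replace() raises on the impossible date, so the code has to decide explicitly what to do with it instead of falling over.

```python
from calendar import isleap
from datetime import date


def is_leap_naive(year: int) -> bool:
    """The shortcut behind most 29 February bugs: 'divisible by 4'.
    Wrong for 1900, 2100, 2200, 2300 (not leap); right for 2000 only by luck."""
    return year % 4 == 0


def is_leap(year: int) -> bool:
    """Gregorian rule: every 4th year, except century years, except every 400th year."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_in_month(year: int, month: int) -> int:
    if month == 2:
        return 29 if is_leap(year) else 28
    return 30 if month in (4, 6, 9, 11) else 31


def day_of_year(iso: str) -> int:
    """Walks the months so February's length is applied explicitly (366 on 2008-12-31)."""
    d = date.fromisoformat(iso)
    return sum(days_in_month(d.year, m) for m in range(1, d.month)) + d.day


def add_years_naive(iso: str, years: int) -> str:
    """What the crashing software effectively does: 2008-02-29 + 1 year -> ValueError."""
    d = date.fromisoformat(iso)
    return d.replace(year=d.year + years).isoformat()


def add_years(iso: str, years: int) -> str:
    """Same operation with the edge case handled: clamp to the last valid day of the month."""
    d = date.fromisoformat(iso)
    year = d.year + years
    return d.replace(year=year, day=min(d.day, days_in_month(year, d.month))).isoformat()


def naive_crashes(iso: str, years: int) -> bool:
    """True if the naive version raises for this input (the 'leap bug crash')."""
    try:
        add_years_naive(iso, years)
    except ValueError:
        return True
    return False


def disagreements(first: int, last: int) -> list:
    """Years in [first, last] where the naive rule differs from the Gregorian rule."""
    return [y for y in range(first, last + 1) if is_leap_naive(y) != is_leap(y)]


def matches_stdlib(first: int, last: int) -> bool:
    """Self-check of is_leap() against the standard library's calendar.isleap()."""
    return all(is_leap(y) == isleap(y) for y in range(first, last + 1))


if __name__ == "__main__":
    print("naive rule is wrong for:", disagreements(1900, 2400))
    print("2008-02-29 + 1 year ->", add_years("2008-02-29", 1))
    print("naive version crashes on 2008-02-29:", naive_crashes("2008-02-29", 1))
```

    The same clamp-or-reject decision has to be made anywhere a date is shifted by whole months or years (certificate expiry, licence renewal, retention deadlines); whichever rule you pick, pick it explicitly and test it on 29 February.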


  • 10 weblinks for today

    http://www.furl.net/item/31067388  This is a way to use your mobile phone-cam to take pictures and have barcodes with them

    http://www.furl.net/item/31066949 Meet me here because I have a mobile and it has location services. Smart service.

    http://www.furl.net/item/31067223 How stupid managers can be. DIVX.com

    http://www.furl.net/item/31067008 Electricity is too important to ignore, especially if it ain't there

    http://www.furl.net/item/31066834 Web2.0 for Health services. They surely should begin reading about XSS before launching this. This will go clinical.

    http://www.furl.net/item/31066787 OpenID begins to develop into something that even could be integrated with the US ID card (or some talk about it)

    http://www.furl.net/item/31066781 Online print services are gaining ground. So let's hack the printers online. Nothing is as insecure as a printer nowadays.

    http://www.furl.net/item/31065769  It is all about "cloud computing" (services and data located all over the web), but the outage of Amazon for several hours was more of a thunderstorm: even in a cloud system the data has to be physically somewhere, on something (that can break down).

    http://www.furl.net/item/31065568  Have a watch on your online reputation before it is gone

    http://www.furl.net/item/31065358 Create code for a mobile website the easy way. And make a simple text site if you are smart: very few have 3G, so text is the mass medium.

  • How are the encryption vendors reacting to the bypass, before we throw their software out?

    Nothing is safe all the time, but broken methods get fixed in time (we hope). The latest victim is encryption. Encryption has been sold in recent years as the wrong solution for a real problem, and it is also used as one layer of defense (the last one) that makes things more difficult if all the rest fails.

    It is used as a wrong solution because it gives a false sense of security where there should be none. Nobody should have personal or secret data on a laptop that he takes with him on a trip. Nobody should have access to such data if there is no real reason to give it to him. And if you do, you only give access to the data he needs for the time span he needs it, period.

    So now some researchers have found a trick to get your encryption keys with a quite simple physical hardware attack. We will see more and more of these attacks, and systems that should be totally secure will have to pay more attention to the physical security of their installations and integrate the alerts and physical monitoring into their Integrated Security Management System.

    If you want to know how secure your encryption is - especially on your laptop - check it out here.

    http://isc.sans.org/diary.html?storyid=4024&rss

    This is a posting you will have to keep in your favourites, as information will still have to come in (for example for all the question marks).

    So anyone working in the business will have to develop new methods of self-defense. Maybe by locking the key so that it can only be retrieved with some other means of identification (fingerprint, smartcard, USB stick).

    By the way, the excellent posting was written by Swa, a Belgian. Hello :)
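    To show why a key sitting in RAM is so easy to find, here is an added example (my own code, not from the ISC diary; it assumes, as I read it, that the research referred to is the February 2008 memory-remanence work on disk-encryption keys): a pure-Python AES-128 key-schedule scan. A mounted volume keeps not just the 16-byte key but its 176-byte expanded key schedule in memory, and that structure is a signature: any 16 bytes whose expansion matches the bytes that follow them is the key. The memory "dump" is constructed inline, a FIPS-197 test key embedded in seeded noise.

```python
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    box = []
    for x in range(256):
        v, s = inv[x], 0x63
        for k in range(5):                      # s = 0x63 ^ v ^ rotl(v,1) ^ ... ^ rotl(v,4)
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        box.append(s)
    return box


SBOX = _build_sbox()


def aes128_key_schedule(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176 bytes (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                          # RotWord, SubWord, XOR Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image: bytes) -> list:
    """Offsets in `image` where 16 bytes are immediately followed by their own key
    schedule. A cheap test on the first word of round 1 filters almost every offset
    before the full 176-byte expansion is compared. (The published attack additionally
    tolerates bit decay in the dump; this exact-match version does not.)"""
    hits = []
    for off in range(len(image) - 176 + 1):
        k = image[off:off + 16]
        w4 = (SBOX[k[13]] ^ 1 ^ k[0], SBOX[k[14]] ^ k[1], SBOX[k[15]] ^ k[2], SBOX[k[12]] ^ k[3])
        if tuple(image[off + 16:off + 20]) != w4:
            continue
        if aes128_key_schedule(k) == image[off:off + 176]:
            hits.append(off)
    return hits


KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 appendix A.1 test key


def build_sample_image(key: bytes, offset: int, size: int = 8192, seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM dump: seeded noise with a key schedule embedded."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = aes128_key_schedule(key)
    buf[offset:offset + len(sched)] = sched
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_image(KEY, offset=3000)
    for off in find_aes128_keys(image):
        print(f"AES-128 key at offset {off:#x}: {image[off:off + 16].hex()}")
```

    The point is not the scanner but what it implies for the "self-defense" question above: while the volume is mounted the key has to be in RAM in usable form, so anything that keeps it there (sleep mode, a locked screen) leaves it recoverable by whoever can read that memory. Hibernate or power off, and make the key unlock depend on something the attacker does not get with the laptop.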

  • she was looking for a man in her underwear and got web-famous instead

    Carmen Kontur-Gronquist, mayor of the small community of Arlington, Oregon (about 500 voters), has been recalled by a vote (by a very small margin) because she had published lingerie pix of herself on MySpace. Family found it a good gag that might help her get a boyfriend. The pix themselves are nothing enormous, but many voters did seem to object that they were still out on the web. There was also some disagreement about other policy matters.

    She had restricted access to those pix to her friends only, but that was only after the outcry started. The pix are all over the web. So next time you make some naked pix of yourself, you better do it all by yourself and keep them all to yourself. The web has no amnesia.

    Meanwhile I think she will have no trouble finding a man now, because her pix are all over the web, even on the more serious blogs and newspaper sites.

    More info (pic, video)

    By the way, nice that you can recall someone locally and don't have to wait until the next election.

  • Belgian crooks defrauding others

    You have crooks in every country, but according to the history in this Dutch forum it looks like a whole lot of work to get them busted: banks that aren't responsive and don't seem to work with eCops, and the Dutch police that doesn't automatically transmit the information to the Belgian eCops. They should know that the Belgian eCops have enough power to act immediately once the proof is captured.

    They send unhelpful messages like this to their victims (translated from Dutch):

    "Dear Madam, The privacy law and the duty of discretion imposed on banks, in short banking secrecy, forbid us from disclosing information about possible clients to third parties. If you have been defrauded, you are free to file a complaint with the police. The police services have, moreover, set up a special computer crime unit to handle this kind of case. You can also file a complaint against the seller with the provider through which you made the purchase. We hope to have been of service to you with this information. Kind regards, KBC Cliëntenservice - PCS, Brusselsesteenweg 100, B-3000 Leuven, Christiane Reyskens, Hoofdadviseur Cliëntenservice (Head Advisor Customer Service), Tel.: +32(0)16 86 68 71, Fax: +32(0)16 86 30 38, christiane.reyskens@kbc.be"

    So if you are the victim of someone using a Belgian ISP, server, .be domain name, email address or bank account...

    Who are you gonna call? http://www.ECOPS.be

    Or should we call them FRAUDBUSTERS?

    Maybe eCops should give the responsible bank people a few hours of training on how to ask for the right information and send it to the right institutions in the right format. That shouldn't be too hard?

  • insider threat : the Liechtenstein question

    This is the story of a bank in a small tax haven, a country with a prince who has his own bank worth about 100 billion dollars, next to a big country where taxes are high and the rich make it a national sport to travel with their money and place it in a foundation of that little 'country'.

    At one point the bank needed someone smart to digitise all of its documents since 1970. They found a guy, and he was really smart. They didn't know that he had fled to Argentina because he defrauded some people in Barcelona for about half a million euros in a corrupt land deal, but who cares? So he was digitising all these documents by hand: all those dodgy deals and all the transactions and manuals and the whole works. He was even so smart that he wrote a special program to be able to interpret the data.

    So in 2001 he is mad as hell and gets fired. But he does want some payback and tells the bank that he doesn't want to be convicted for that corrupt land deal, and asks whether the prince couldn't make a deal with the prosecutors. They did, and they thought that was the end of it. He wouldn't make the data public as he threatened, would he?

    Oh yes he would. First he sold it to the Americans, then he tried the Brits, but those negotiations were taking too long, so he sent an email to the intelligence service of Germany. Would they be interested? The German intelligence service had been trying for years to get spies into those banks in Liechtenstein, a 'state' they already called corrupt six years ago, but they didn't have any breakthroughs. This could be it.

    First they had to cover their backs, so they asked the tax administration to ask them in writing to assist with organising and securing the negotiations. Secondly, they had a legal obligation to receive and process the information if they were sure they could use it to prosecute crime. Thirdly, the government was willing to pay the money the whistleblower asked for his information and his assistance (as he had digitised all that information himself by hand). He also needed a new identity.

    When the information was finally paid for (and they solved some problems, because some thought the payment was being used for money laundering), the full extent of the information on the DVDs became clear:

    * around 1400 Germans, among them some high-ranking industrialists and even a government official responsible for data protection, were going to be prosecuted. Some already agreed to pay the sums.

    * some German private banks and board members of German banks were involved in those schemes

    * Russian and other criminal networks were using Liechtenstein as a money hub. Some of the companies used by these networks were unknown before.

    The prince of Liechtenstein was naturally not amused; he said it was all the result of the criminal activities of the Germans and that he was going to change nothing to protect the privacy of its clients. The OECD calls that privacy excessive and lists Liechtenstein as one of only three European 'states' (with Andorra and Monaco) that don't cooperate with the OECD. The Germans responded that they wouldn't accept Liechtenstein becoming a member of Schengen before there was a cooperation agreement against money laundering (like the one Liechtenstein has with the US).

    The Swiss fear political fallout even though they have such agreements and are part of the OECD schemes. They even said they would now suspect that Germans working in Swiss banks could be spies. Meanwhile there are already files circulating from another German-Liechtenstein bank that could spell trouble for thousands of other Germans and institutions.

    There are a lot of articles furled about the subject.

    I finally ask myself: if one should already be paranoid about data that is totally legitimate, how paranoid shouldn't you be about your illegitimate business? Did they really think they would be immune to prosecution, espionage, insider threats and hacking? Even the simplest risk analysis would have said that even enormous investments in securing that data would have been worthwhile, and surely the procedures and techniques against the insider threat.

    Nowadays everyone knows that you can become very rich very quickly if you can get your hands on information from banks about their black back-office schemes. And you won't be prosecuted for it.

  • 3 million documents scanned of an investigation and still no solution

    Technology, or even profilers, are no solution for investigations that didn't get the priority they ought to have had from the beginning. This is the case with the 'Gang of Nivelles' that terrorised our country nearly two decades ago but was never caught. Meanwhile 3 million documents have been scanned (and only part of them translated into the other official language of Belgium).

    So if you have to do an investigation you have to get it right from the beginning, and not hope that others will be able to clear up the mess or find anything useful if you forgot to look where you should have in the first place.

    Meanwhile, today one of the innocent victims of this carnival of justice committed suicide in prison while awaiting trial for another crime. He was a petty criminal at the time, but his wife found out that he had an affair, so she went to the police and denounced him as one of the 'Gang of Nivelles'. As they didn't find anything or anyone else, they decided to present him and some other petty criminals as the 'Gang of Nivelles', which nobody believed. They were acquitted because the 'Gang of Nivelles' committed another hold-up while they were in prison.

    http://www.bendevannijvel.com    

  • Massive hack against photo business site IFP3.com

    and all of the other sites that use that service for selling their pictures

    An example where the single business host doesn't become the fortress it should be, but the single biggest vulnerability for all of its customers.

    Source is zone-h.org, because Google hasn't indexed it yet.

    It hasn't even been noticed yet by the hoster (anybody awake over there, or are you counting your money? Invest it in logging software and HIDS).

    The defacer Roselare has added the file tjjjst.htm to each of its victims (pages full of victims); it says only "written by roselare".

  • Security warning for VMware on Windows

    From Internet Storm Center

    This new VMware vulnerability discovered by Core means a full escape from the guest virtual machine to the host is possible: "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations."

    It has been rated as critical by VMware and it affects all VMware client products on Windows, that is:

    • VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
    • VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
    • VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier

    VMware on Mac OS (Fusion) and Linux are not affected by it.

    By default, the shared folders feature is disabled in Workstation 6, Player 2, and ACE 2. Workstation 5, Player 1, and ACE 1 enable the shared folders feature by default, but exploiting this vulnerability still requires at least one folder to be configured as shared between the host and guest.

    The impact on production environments is supposed to be limited as they tend to use the server versions. However, we, as security professionals, make extensive use of virtualization technologies for multiple purposes: malware analysis, incident response, forensics, security testing, training, etc., and we typically use the client versions of the products, so... It is time to disable the shared folder capabilities, as no update or patch is available yet:

    Workaround (from the VMware advisory)

    Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.

    To disable shared folders in the Global settings:
    1. From the VMware product's menu, choose Edit > Preferences.
    2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.
    To disable shared folders for the individual virtual machine settings:
    1. From the VMware product's menu, choose VM > Settings.
    2. In the Options tab, select Shared Folders and Disable.
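    For anyone with a directory full of VMs, clicking through the dialogs above doesn't scale. Here is an added example (my code, not VMware's or the advisory's): a small audit that parses .vmx files and flags guests that still have a host-to-guest share configured. The key names it looks for (sharedFolderN.present, sharedFolderN.enabled, sharedFolderN.hostPath, isolation.tools.hgfs.disable) are assumptions based on the Workstation configuration format, not taken from the advisory, and the sample .vmx is constructed.

```python
import re
from pathlib import Path

# A .vmx is a flat text file of  key = "value"  lines. The key names used below are
# assumptions based on VMware Workstation's configuration format, not from the advisory.
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text: str) -> dict:
    """Keys are lower-cased so lookups don't depend on VMware's capitalisation."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def _is_true(cfg: dict, key: str, default: str = "false") -> bool:
    return cfg.get(key, default).strip().lower() == "true"


def shared_folders(cfg: dict) -> list:
    """Host paths of shares that are present and not explicitly disabled
    (sharedFolder0, sharedFolder1, ... are numbered contiguously)."""
    paths, n = [], 0
    while f"sharedfolder{n}.present" in cfg:
        present = _is_true(cfg, f"sharedfolder{n}.present")
        enabled = _is_true(cfg, f"sharedfolder{n}.enabled", default="true")
        if present and enabled:
            paths.append(cfg.get(f"sharedfolder{n}.hostpath", "<unknown>"))
        n += 1
    return paths


def audit_vmx(text: str) -> dict:
    """exposed == True means the guest can reach a host folder over HGFS."""
    cfg = parse_vmx(text)
    hgfs_off = _is_true(cfg, "isolation.tools.hgfs.disable")
    shares = shared_folders(cfg)
    return {"name": cfg.get("displayname", "?"), "hgfs_disabled": hgfs_off,
            "shares": shares, "exposed": bool(shares) and not hgfs_off}


def audit_tree(root: str) -> list:
    """Walk a VM directory and return one audit result per .vmx found."""
    return [dict(path=str(p), **audit_vmx(p.read_text(errors="replace")))
            for p in Path(root).rglob("*.vmx")]


# Constructed sample, not a real VM's configuration: one enabled share, one disabled.
SAMPLE_VMX = '''\
.encoding = "windows-1252"
config.version = "8"
displayName = "malware-sandbox"
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\\samples"
sharedFolder0.guestName = "samples"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "C:\\tools"
sharedFolder1.guestName = "tools"
'''

if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
    for r in audit_tree("."):
        if r["exposed"]:
            print("EXPOSED:", r["path"], r["shares"])
```

    The global "Enable all shared folders by default" preference from step 1 lives outside the .vmx, in the product's own preferences, so a clean .vmx audit complements that step rather than replacing it. For a malware-analysis guest the safer end state is both: no shares in the .vmx and HGFS disabled for the guest, so a sample that gets code execution has nothing to reach.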

    This is why this virtualisation thing makes me uneasy. It seems too easy, and it is not as self-evident as it looks.

  • More than 1000 hacked .be websites in our furl archive

    We have passed the magic mark of 1000 furled hacked .be sites archived over the last year, which is another form of archiving than http://be-hacked.skynetblogs.be

    By publishing the names of the sites we hope that someone will take notice - especially as there is an RSS feed.

    Not that we should have any illusions:

    * people still don't look at what is happening on their site

    * people still don't Google their own site from time to time

    * people still take shared hosting accounts in which the most stupid admin fucks up the sites for all the rest too

    * people still install free open-source software and interactive functions nobody is interested in, and get hacked because they don't understand the software or don't patch it

    * people still don't understand that if you were hacked once, you will be attacked over and over again, until the day you forget to patch and find yourself hacked again

    raak_21

  • Belgian Evoting : the biggest problems with the university report

    The Belgian universities together published a study about the future of evoting in Belgium. Each of them was the 'crème de la crème', and the report is an enormous bundle of information, but the purpose of the report was not to make an inventory of the evoting situation today, but to propose which new secure evoting system should be used in 2009 or thereafter. At the moment about 40% of our electorate votes electronically, and there are no problems on the scale of those in the US - as far as we know. For the moment the parliamentary commission has refused to accept the proposals in the report as such and wants more discussion.

    Maybe they should organise hearings with specialists? As those representatives complain that they have nothing to do, what would be more useful than to question specialists from outside the study about the security of evoting?

    I say 'as far as we know' because each parliament has a commission that has to control and audit the selection, installation and execution of the evoting process. It is only if you really read the reports of these commissions - about which the press rarely writes (maybe because they are published months afterwards) - that you can ask yourself some fundamental questions. I will come back to that in another posting, but the most important remark is that there are no real independent tests, because the auditors (of the code, for example) are CHOSEN by the firms that will install the evoting operation. Yes, you have read that right: the audited chooses his auditors. This is not to say that they are corrupt or incompetent, but you can say that it is a bit odd, to say the least.

    But back to the report from the universities, and my first note is that our computer press has been really lame in its reporting. I don't know if we have read the same report, but when I read that they propose to use RFID chips on the voting paper, then there are about 20 security questions that go through my mind, and I start looking in the report for tests and technical descriptions that would limit the problems that have been proven possible with RFID chips. When they propose a machine for evoting and nowhere in the report consider that there may be problems with TEMPEST (information leaking from the screen's emissions), as has been demonstrated with evoting machines in our neighbouring country Holland, then there is a big problem with the report (or the part of it that is public). And these are only questions I ask myself based on my limited technical programming knowledge. There is no trace in this report of any testing or consideration of what security researchers and whitehat hackers could find in voting machines. In a next post during the weekend I will go deeper into the report itself.

    I would like to emphasise that I am personally very happy that there is a paper-based proof (double check) in the proposal. This is a very big advance compared to now. It will give the possibility to check the difference between electronic votes and paper votes - if this is organised in such a way that both can effectively be traced back to the same polling places.

    And no, I don't complain if I have to go and count the votes once again on a Sunday - or watch over the counting process. I can't be for paper votes (or a paper vote duplicate) and refuse to count them at the same time. After all, there is nothing as important as an election in a democracy, and if we cherish our democracy we should be very careful with the way we organise its representation.

    So it looks like it will be evoting weekend....

  • Think twice if you want to launch a poker site or play poker online

    Are you safe enough, or is the server safe enough?

    Some books and articles have already been written about the online warfare against and between online gambling and poker sites (it is a wild, wild west), but this is a live example of what happens in the real world now, and not only against small Russian servers (would you play on a Russian gambling server??????)

    And if you do business with online gambling and poker sites you should really keep in mind that you could be the standby victim - pushed off the web (and losing a bit of credibility) because you have links to the online gambling business.

    I hear that our national Belgian Lottery will go online next year. I hope they will have a very strong anti-DDoS plan and an anti-phishing-site and anti-scam-mail policy, and that they do everything that should be done by professionals. They shouldn't underestimate the malware world. This is the part where the big money is made (extortion) and where you had better be armed or be shot off the web.

    Read this blog

    It also shows why we in Belgium need a big CERT.

  • Make every webhost a mule for malware

    theinstalls.com is the latest twist in the commercialisation of malware.

    Now everybody can install malware and distribute it and be paid for each installation. Everybody a malware host, and so everybody can earn money from the stupidity of unprotected users (or the irresponsibility of their ISPs....).

    Installs is a malware server itself.

    Other malware sites that use the same business model:

    cashcodec com
    avicash com

    What is worse is that affiliate sites don't do any research into this kind of business and give it a high rating, even though it could destroy your business or name, because you will wind up in blacklists and be treated like a crook yourself.

  • Estdomains.com: the registrar where rogue security malware is among friends

    If you look at the list of domains mentioned in the listings and blogs about malware and adware and greyware and rogue security-ware or scamware or whatever-ware, then the name of the registrar estdomains.com keeps coming back again and again. It is a US-based (Delaware) company that handles domain registrations for servers based in Russia.

    In fact they also took over thousands of domains - including many famous malware sites - from publicdomainregistry.

    They don't do .be domains, and all the better; they do .eu domains, but that is a domain which is having quite a few problems - just as the .us domain is not really a clean domain.

    They are also linked to the Storm botnet's fast-flux network - which is still active.

    Another service that you would like to keep out of your domain name or DNS business is privacyprotect. It hides the identity of the registrants of the domains, but as the link above shows, it is also used by the botnet crime business to hide themselves.

    Maybe one should complain here

  • Everyone can use this botnet to bring down whatever they want

    This is a true internet-community-like or web 2.0 'let's bring the internet down all together' DDoS botnet. Power to the zombies? All zombies are equal, even if the zombie master is a bit more equal?

    Those watching or running hacking and security forums have heard the same question a thousand times: "Can you hack an MSN account or a Hotmail or a Yahoo?" So there are always enough stupid dudes looking around for software that promises just that.

    The file of this trojan is hbt1.gif

    and then, if you have IRC, you can ask all infected zombies to attack a server by sending them a link to an image on that site. (This is smart, because many anti-DDoS tools are based on IP addresses and domain names.)

    This means that

    * you will have to activate DDoS protection for all image links on all of your sites if you see such attacks beginning to happen

    * you should block IRC everywhere you can - Belgacom, our biggest ISP, already did so for external IRC servers, but I am not sure infected zombies couldn't still communicate if this tool were updated with a distributed botnet structure (in which each zombie also plays a server role). If this became a peer-to-peer botnet and used a simple HTTP channel or tunnel, it would become even more worrying. Do not forget that this kind of malware code is now being developed as open source, with communities and permanent upgrades.

    If all PCs had a firewall and an antivirus provided by their ISPs, as Belgian law asks them to, this evolution would already be less troublesome.

    http://blog.spywareguide.com/2008/02/htbomber_a_botnet_with_infinit.html
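    Detection logic for the image-link flood described above, as an added example (my code, not from the spywareguide post): the tell-tale pattern is one image path fetched by many distinct clients in a short window with no Referer from our own pages, which is what you get when a URL is handed out over IRC rather than embedded in a page. The log lines are constructed in Apache combined format; the hostname and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format. Everything below is constructed sample data.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
OWN_HOST = "www.example.be"   # assumed name of the site being defended


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def image_flood(lines, window_s: int = 60, min_clients: int = 20, own_host: str = OWN_HOST) -> dict:
    """Return {image_path: peak distinct client count} for image paths fetched by at
    least `min_clients` distinct IPs within any `window_s`-second window, counting only
    hotlinked requests (Referer not one of our own pages)."""
    window = timedelta(seconds=window_s)
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(IMAGE_EXT):
            continue
        if own_host in rec["referer"]:        # embedded in our own page: normal traffic
            continue
        events[rec["path"]].append((rec["ts"], rec["ip"]))
    alerts = {}
    for path, evs in events.items():
        evs.sort()
        peak, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:   # slide the window start forward
                lo += 1
            peak = max(peak, len({ip for _, ip in evs[lo:hi + 1]}))
        if peak >= min_clients:
            alerts[path] = peak
    return alerts


def _line(ip, when, path, referer="-", status=200):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 5123 "{referer}" "Mozilla/4.0"'


def sample_log() -> list:
    """Constructed: 25 zombies hitting one image within 25 s, plus ordinary traffic."""
    t0 = datetime(2008, 2, 26, 14, 5, 0, tzinfo=timezone.utc)
    lines = [_line(f"10.{i % 3}.{i}.{i + 7}", t0 + timedelta(seconds=i), "/images/logo.gif")
             for i in range(25)]
    for i in range(3):   # same image, embedded in our own pages: not counted
        lines.append(_line(f"192.0.2.{i}", t0 + timedelta(seconds=i), "/images/logo.gif",
                           referer=f"http://{OWN_HOST}/index.html"))
    for i in range(3):   # a different image, far below the threshold
        lines.append(_line(f"198.51.100.{i}", t0 + timedelta(seconds=i), "/images/banner.png"))
    lines.append(_line("203.0.113.9", t0, "/index.html"))
    lines.append("not a log line at all")
    return lines


if __name__ == "__main__":
    for path, n in image_flood(sample_log()).items():
        print(f"ALERT {path}: {n} distinct clients hotlinking it within 60 s")
```

    Counting distinct clients rather than raw requests is what separates this from a normal traffic spike: one hot page linked from a news site also produces many hits, but those carry that site's Referer and come from browsers that then load the page's other images too. The bot only ever asks for the one URL it was given. On a real server the thresholds need tuning against a baseline, and the response (rate-limiting or serving a tiny placeholder for hotlinked images) belongs in the web server or front-end proxy, not in the log parser.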

  • A very interesting piece of advice from Internet Storm Center to software developers

    and I quote

    As such, developers should really implement mechanisms to prompt users of their software that an update is available. Naturally, plenty can go wrong with an update mechanism, so take into account that:

    • If you expect enterprise deployment, you want to foresee a way to allow corporations to centrally manage the deployed versions or at least disable the mechanism. They prefer not to lose control over their base image.
    • You don’t control what your hostname resolves to at the client side. Think about DNS cache poisoning and authenticate your update server to the client;
    • Ensure the updates themselves are signed, so clients can check their integrity;
    • Ensure users are made aware of the difference between a security and functionality update;
    • Let the client report its version to the update server, so it is aware if a large part of the userbase isn't upgrading, and you can find out why.

    Copied it here because it is so important that I shouldn't forget it - anywhere, anytime, anyhow.

  • Belgian EID and PKI infrastructure

    Most of the mathematical underpinnings of our cryptographic engine technology have been published in the book “Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy,” authored by Dr. Stefan Brands and published by The MIT Press in August 2000 (ISBN 0-262-02491-8, first edition) with a foreword by professor Ronald L. Rivest. The MIT Press has kindly granted us the permission to make the book contents available for free download, subject to the following copyright notice.

    The whole book can be downloaded here.

    http://www.credentica.com/the_mit_pressbook.html

    The book is cited as a source for a critique of how the eID has been operationalised:

    Each eID chip contains two X.509v3 identity certificates (each specifying the citizen’s name and RRN number, one for authentication and one for digital signing), as well as a basic signature key to authenticate the card with respect to the RRN. The certificates and public keys, which are assigned by the central issuing authority, by themselves serve as “omni-directional” identifiers that are globally unique. For a detailed account on the various privacy problems caused by this use of PKI, see, for instance, here

    As Marc Stern says, you should be a bit careful, because Credentica is also trying to sell a product. Credentica thinks it has a product that better protects the privacy of individuals and is campaigning against products and concepts that have decided otherwise. It is a firm with a commercial goal, but this doesn't mean we shouldn't take its technical arguments into consideration; that would be too easy. On the other side, it is still a free book and it is a good book, even if it is old, and I like free quality stuff.