• Hacked mailbox of Venezuelan ambassador

    The documents shown present the mailbox of Venezuelan ambassador Freddy Balzani and include mail sent and received from July 2005 to July 2008.

    Consisting of roughly 8500 mails, the mailbox has been rendered into HTML and is provided as such. In Spanish.


  • Massachusetts enacts law that obliges encryption of personal data

    As of January 1, 2009, all companies that own, license, store or maintain personal information concerning any Massachusetts resident must take comprehensive measures to protect that information from unauthorized access, disclosure or misuse.

    Although the new regulations impose a broad range of requirements, the most pressing compliance issue for many organizations will be the new obligation to encrypt all personal information of Massachusetts residents that is stored on any portable device, which includes laptops, flash drives, Blackberries or cell phones, or (to the extent feasible) that is transmitted over the Internet or by wireless connections.


  • Hacked site secretary of state Chastel and Suez : 10 long days


    and the website of Suez


    And here customers can log in to the Suez services for their enterprises. Critical infrastructure, you would think; nothing important or critical, it seems.

  • hero of the day : simple folk but important folk

    Even simple folk can make a big difference by just doing the right thing. Like this guy who bought a camera on eBay and found pix on it of suspects, secret documents and rocket launchers. He went to the police with it, and they came the day after with Special Branch to confiscate it. It was the right thing to do. Imagine that this stuff had ended up on the internet. It was from MI6. They surely need some data leakage prevention, data destruction and inventory products over there.

  • ING online banking was open for creating any new account on the account of anyone

    1. ING Direct (ingdirect.com)

    Status: Fixed

    We found a vulnerability on ING's website that allowed additional accounts to be created on behalf of an arbitrary user. We were also able to transfer funds out of users' bank accounts. We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution. Specific details are described in our paper.



    Until now CSRF has only made headlines because it was shown to work on video and social websites, without any financial consequences. This case is different because money has been transferred. The other thing with CSRF and all the other web2.0 security problems is that when you read some books about it, it all becomes so depressing because there are so many ways to use it and so many things to check. You can start by closing all the obvious loopholes and then use the attack tools to test if there are others, but in the end, if there is money involved, you will need an ethical hacker to think and act like a hacker/attacker. In the end it is a human attacker who keeps trying until he finds the stuff nobody thought about before, which is exactly the way CSRF attacks came about.

    Just a reminder for our Belgian friends, testing this without the explicit approval of the owner of the site is a crime in Belgium.

    We said last week that Belgian banks were becoming safer. Sorry for our naivety, we wanted to believe them. Honestly, we would be so happy if we could believe them and go back home and play with my computer instead of writing this stuff.

  • E-passports can be falsified without any alerts going off, make your own

    "THC/vonJeek proudly presents an ePassport emulator. This emulator applet
    allows you to create a backup of your own passport chip(s).

    A video demonstrating the weakness is available at

    The government plans to use ePassports at Immigration and Border Control.
    The information is electronically read from the Passport and displayed to a Border
    Control Officer or used by an automated setup.
    THC has discovered weaknesses in the system to (by)pass the security checks.
    The detection of fake passport chips is no longer working.
    Test setups do not raise alerts when a modified chip is used.
    This enables an attacker to create a Passport with an altered
    Picture, Name, DoB, Nationality and other credentials.

    This manipulated information is displayed without any alarms going off.
    The exploitation of this loophole is trivial and can be verified using thc-epassport."

    We knew this would happen. The research to discover vulnerabilities - which obviously wasn't done during the production phase - has turned into research to manipulate these vulnerabilities. There is only one efficient control and that is human control, and this is why border controls should be human in the first place: before entering (applicant case), during (control) and afterwards (analysis of travels).

  • Never have so many viruses been unleashed on the internet as in August, and September shows no sign of changing that trend

    and while the Belgian press sees nothing

    "More than 1,000,000 threat signatures now recorded...

    August was the worst month on record for cyber-crime activity, according to managed security company, Network Box. The company’s alert status, which measures the severity of Internet threats, was at four (out of a maximum five), indicating ‘critical threat’ status, through the entire month of August.

    Virus activity peaked on 23rd August to the highest rate on record, with more than 14,600 new viruses seen on that day alone (with a monthly average of 4,500/day). However, September’s big threat is gearing up to be from Trojan and Worm activity, with a significant rise in Trojans through early September, peaking on 12 September at 65 detected per day.

    Overall, threats increased by 51 per cent in August, from July.

    The number of threats recorded has passed the one million mark; Network Box now has 1,080,899 threat signatures, and 1,374,666 spam signatures active in its database.

    Simon Heron, Internet Security Analyst, Network Box, says: “We expect to see a slight increase each month, but August this year was the single biggest jump in cyber-crime activity we’ve ever seen. It could be that criminals target this time of year to make the most of people being on holiday, that includes IT managers and technical staff best able to deal with issues raised.”


    The only security when a wave becomes a real storm is blocking, blocking, blocking. Only blacklisting whole domains, countries and servers will keep you safer than the virus identification signatures (set those updates as fast as possible for your endpoints). You should only let through what you know that you need. It is also time - in such an environment - for senders of email to go back to simple text.

  • Download 6 chapters of Access Denied, about internet filtering

    Today we are proud to announce that chapters one through six are now available online in PDF format; they will soon be integrated into the site as well.

    Check out the first six chapters of Access Denied:

  • Block AMD overclocking utility in your enterprise

    This is why (from Yahoo news)

    Advanced Micro Devices tied a new corporate branding campaign, "Fusion," to a beta utility that is designed to speed up AMD-powered PCs. The company warned, however, that the utility could turn off antivirus or other security software without notifying the user.

  • Attention to all report and presentation writers: get back to text please

    When I opened the new Sophos threat report the first thought was immediately

    "damn another stupid picture of another stupid face or person that has absolutely nothing to do with the information and that will only take up bandwidth, storage and ink."

    So please, get back to text or make a text version of your report with only the necessary graphics but no pics.

    Nature, bandwidth and storage thank you for this.

  • Cybercrime convention progress reports

    A comparative analysis of the translation into national law of some countries

    A progress report of the convention itself

    Belgium has signed but not yet ratified the convention.....

  • After hacking contactless cards for bus trips, next for shopping

    Sometimes you can't believe your eyes when you read things. It happens over and over again. First they launch something and only later on do they discover the problems (or just neglect them) and then try to solve them.

    Using contactless cards for shopping is on the table with the 4 biggest banks in Belgium and Visa and Mastercard. I am sure there will be very expensive engineers and consultants making huge expensive reports saying that there is no problem and that nobody should believe all these rumors and articles about the lack of security of these cards. Just sensationalism. These things will be fixed or are already fixed.

    I think that if they want to study the question really thoroughly they should put together a No team that would give all the arguments and proof why they shouldn't do it and contradict all the propaganda they receive from the vendors and associated research institutes. Hackers are in fact a reality check. When you see what happened with the contactless paycard in Holland, London and the US you can imagine that wireless shoplifting will become a very interesting sport - especially in rough economic times.

    You don't have to be a professor to know that a contactless paycard or creditcard is just stupid because you take away one level of identification and authorisation that is essential, the pincode. Even if the pincode has some disadvantages and isn't perfect, taking it away creates a lot more problems. For starters how are you going to prove that the card was used by the holder when he says that he lost the card ? Now you can have a limited protection by the pincode. When it is contactless there is NONE. So the banks will say that they will take the costs of theft on them. That is not so, the additional costs of theft because a level of fundamental security has been lifted will be transferred to ALL the users. We will ALL pay the bill of this disaster in waiting. Secondly as the cards will be contactless it will be crucial to block the cards IMMEDIATELY (in minutes and not in hours) because every minute will count. For this you will need a bigger call center with more resources and you will have to invest more in awareness and response and detective teams. Also these cards will naturally become the prime targets of attacks. Imagine that you are a hacker and you have the choice of attacking a contactless card for shopping or a transportcard. Which one would you choose ?

    And using the cellphone for payments is a joke because neither the cellphone nor its operators have any security for the moment that is worth mentioning here. The procedures to get it blocked are even in Belgium not as easy as for your EID or Visa card.

    So why would they absolutely need to do this ? To be fashionable ? To have more transactions faster (if their servers can follow...) ? To make it easier for the clients ? But that was the discussion with some online Belgian banks last year until they saw the first real successful attacks against their banks and upgraded security instead of thinking of usability for the clients. Security has some inconvenience but it has the advantage of adding trust (talking about trust in these times....).

    I wouldn't trust the card because I wouldn't trust the concept behind it and so I wouldn't use it, and if every card would become like that, you can stick your cards in your dustbin. And if they really are that stupid to go ahead for no logical reason at all, they should leave the choice to deactivate it and keep the old pin code.

    Or they can do even better and replace the pincode with a fingerprint. It would also cost some money but it would diminish fraud with cards in shops worldwide and lower general costs and heighten trust and they would sell more cards because instead of having one card for a family each family member would need one.

    We will be coming back to the discussion of these stupid smartcard ideas. There are better smartcard ideas but this is surely not one of them.


  • and if I were now to hack a financial news site

    and I would inject a news headline that a bank would need money

    or I would change a declaration of a press officer from 'we don't need extra money' in 'we do need extra money'

    and if people wouldn't double-check (which they seem to have forgotten)

    what would the effect be today ?

    - that is why security can be so important - it also guarantees the integrity of information, especially in times like these when everybody is looking for the most up-to-date and correct information in a very very volatile situation

  • Either a news site is up to date or it is dangerous

    If I were to rely on De Morgen for my financial news today, this is what I saw at 10.55


    ssl keys_02 Sep. 30 10.53


    If, however, I were to follow http://www.detijd.be, then I get this

    ssl keys_03 Sep. 30 10.54

    In English they say 'If you can't stand the heat, don't stay in the kitchen'. In other words, if you want to deliver up-to-the-minute headline news - or want to create that impression - in an extremely fast news cycle where the news can look totally different every hour, sometimes with enormous consequences for the impression that is created, then you must have the resources for it.

    It is of course also the task of a cyber crisis communication team within the bank, as soon as such headlines are outdated, to have them corrected as much and as quickly as possible, and to make sure the most important newsrooms and press agencies do so, after which the rest will have to follow.

  • Does OCAD, the Belgian anti terrorist nerve center, have secured ecommunication ?

    In the report of the parliamentary oversight commission, this phrase calls this into question

    "Committee I insists on the need to quickly set up a high-performance and secured communication network between OCAD, its suppliers and its clients, because of the nature of the content of the intelligence exchanged. Besides the evident security risk, it would be a heavy blow to the image of Belgium and its services if intelligence were lost or ended up in the wrong hands."

    The commission asks that such a secured network should be in place very soon. If it was already in place this phrase wouldn't be present in the report. The fact that it is mentioned in this public report shows that this should be a high priority. It shouldn't be that difficult either because there is enough stuff on the market to make this happen quite quickly. So where is the problem ?

  • Nevada first to oblige encryption of personal data

    Beginning October 1, Nevada state law will require all businesses to employ an encryption tool for any electronic transmission that includes a customer’s personal information. According to a new study entitled “Joint Research Report: Encryption Solution Implementation Landscape” conducted by Osterman Research on behalf of CertifiedMail, Nevada companies will be a step ahead when it comes to protecting customers’ personal data.

    This means that if you choose new products such as email, NAS or other storage, or install new servers and services, encryption should be an inherent part of your product or installation. And with encryption comes key management and recovery. If a product or new installation doesn't have that, it is not future-proof and can in the end be more costly than you anticipated.

  • De Tijd starts deleting comments on bank articles

    It may be better not to post comments anymore for the moment, since all information has to be double-checked anyway and everything else is speculation and theory. Things evolve from hour to hour and nobody has any idea what the next rush will be.

    An example

    • Two of my comments were also deleted yesterday, although they certainly contained no insults, foul language or the like. Only a few reservations about the way our politicians act... or is that no longer allowed either? Posted by asterix on 27 September 2008 at 14:09