• exclusive every week mules arrested in Belgium

    Mules are people who transfer money from the victim's account to their own account and immediately afterwards to another account. They are recruited by announcements that promise hundreds of euros every week for working at home for some money company.

    The people in Belgium who are arrested weekly are mostly very poor people with some financial problem who think they have found a way to get out of their mess.

    Only to find that the big percentage promised at the end of the month will never be paid, because most of them don't last that long before being arrested and thus compromised.

  • exclusive Fortis had already subprime defaults 10 years ago

    From our exclusive source, who has informed the presidents of the PS and CDH about these facts:

    CGER, before Fortis, had a big operation in Paris where its representative invested hugely, with big risks, in real estate. The risk department was very strongly against it but was sidelined, only to see that after three years some billions of francs were lost, just as the risk department had said.

    The same happened in Berlin,

    and each time the risk department was sidelined, neglected or simply pressured to shut up.

    So why is this person not very surprised that during the Amro operation the CEO and the other people now sitting at the management front tables didn't take any of the alarming risk reports into consideration?

    Because they were the same people who at that time were modernizing the bank and learning to earn a lot of money by taking risks (and making sure nobody talked about the losses).

    What happened to Fortis is just a consequence of a culture, and of the freedom of enterprises to shut out or shut down their internal risk auditors.

  • connecting the terrorism dots

    As journalists are just trying to win the battle of keeping up with the incoming stream of facts, happenings, events, comments and non-events and connecting the dots, this makes for some very strange stories around here.

    Yesterday there were articles that some people were quite upset that two military supersonic warplanes flew over Bruges and Ghent and were responsible for some small damage.

    Today there is a story that about 6 to 13 Al Qaeda members are running around free in Brussels because the intelligence and police forces do not have enough information to keep them behind bars. The other half of their cell, which was about to launch a new terror front in Europe from Brussels, is behind bars for the moment thanks to the information that US satellites and services collected during the last year.

    What do the two stories have to do with each other? Well, it seems that a civil airplane didn't respond to any contact from the air traffic controllers and that the two planes were sent to escort it.

    What is so important around Bruges? It is Zeebrugge, the largest LPG station in Europe. A terrorist attack with a plane on that target would have been felt and seen by a very large region (and would have had some dramatic economic consequences).

    What would the planes have done if they had not been able to make contact with the plane, and it had only been the result of choosing the wrong radio frequency? Shoot the plane down if it started to descend above the LPG harbour?

  • infections from Conficker by VPN

    We are finding some Conficker infections that came in by online VPN services (like LogMeIn and so on) and by external connection services that don't have a NAC (network access policy) and/or virus control and/or a frozen interface with only limited rights for the incoming PC/laptop.

    This now seems to be becoming an essential part of such services,

    as is a USB policy or deactivation.

    We are not seeing any auto-updating system working, so maybe most of those millions of infected PCs will also never get an update....

  • infections from Conficker by the internet

    We have been seeing over the last week that all infections of the Conficker worm are coming from the internet, that they come in the form of images, always with different names, and that they were discovered in the temporary files of the browsers. The problem is that when we Google for these files, they don't show up, so how they got there is another problem, or it could be webmail (but you would suppose that professional web services like Hotmail and others have antivirus filtering and are at least cleaning the mail for this one).

    They are still being identified as the first version, not the latest one.

    One should also note that it seems very difficult to clean a machine, or is it because once they are infected they always receive new files? It would be wise to keep the machines that were once infected close to your chest (and under monitoring).

    When more information is discovered, we'll come back here...

    One should also not forget to clean the proxy.
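    The observation above is that the dropped files sit in the browser cache under image names that change every time, so a name-based search finds nothing. A check that does not depend on names is to compare each file's extension with its leading bytes. The script below is an added example, not a tool from this blog; it assumes the dropped files are Windows executables (or other non-image content) saved under an image name, so that the file header and the extension disagree. The sample cache it builds is constructed data.

```python
"""Flag files in a browser cache whose image extension does not match the
file's magic bytes.

Added example, not a tool from the blog.  Assumption: the dropped files are
Windows executables or other non-image content stored under an image name.
"""
import os
import tempfile

# Well-known file signatures for the image extensions we check.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
PE_MAGIC = b"MZ"  # DOS/PE executable header


def classify(path):
    """Return 'ok', 'executable' or 'mismatch' for a file with an image
    extension, or None when the extension is not one we check."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    if any(head.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return "ok"
    if head.startswith(PE_MAGIC):
        return "executable"
    return "mismatch"


def scan_cache(directory):
    """Walk a cache directory and return {relative_path: verdict} for every
    image-named file whose header does not match its extension."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            verdict = classify(full)
            if verdict not in (None, "ok"):
                findings[os.path.relpath(full, directory)] = verdict
    return findings


def build_sample_cache():
    """Constructed cache: a valid PNG and GIF, a PE header saved as .jpg,
    HTML saved as .gif, and a text file that is not checked at all."""
    directory = tempfile.mkdtemp(prefix="cache-")
    samples = {
        "a1b2c3.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "logo.gif": b"GIF89a" + b"\x00" * 32,
        "x7q9.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 64,  # executable under an image name
        "banner.gif": b"<html>not an image</html>",
        "readme.txt": b"plain text, not checked",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    cache = build_sample_cache()
    for rel, verdict in sorted(scan_cache(cache).items()):
        print(f"{verdict:11s} {rel}")
```

    Point scan_cache at a real browser cache directory to use it; anything reported as "executable" deserves a look with an AV scanner, and "mismatch" entries are worth a second look because a cache can legitimately hold mislabelled content too.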

  • stupid anti-forensics on Belgian television

    It has maybe something to do with my profession, but watching the news just makes me laugh (so my wife calls me a cynic).

    * first there was the arrival in Britain of the British terrorism suspect who was liberated from Guantanamo. All good and well. But on one television channel the police and intelligence officers around him on the tarmac were blurred, while on the other news program you could see them clearly without any protection. Maybe they should wear masks in future and not trust the TV station to protect security officers.

    * secondly there were parts of a body that were found next to a highway in Belgium. The press officers of the justice officials responsible for the file said that the murderer was very well informed about the way identification is done, because the head, hands and feet were absent. So now even the most stupid possible murderer knows....

    It is just a result of a total lack of thinking about the consequences of the information you are giving, and whether you wouldn't be better off just shutting up or not showing those pictures at all. What is the risk factor of the information you are publishing? Not that you have to censor, but sometimes it is better to shut up or not give all the information.

    This is the same in IT.

  • some freeware a day in a special blog

    I am keeping useful freeware on different computers in different places, so I am organizing it and, while doing this, in the spirit of the rest of this blog, it is open for the public to use - not to abuse.

    Because I am not going to download from hundreds of sites, I have organised my online library with copies. They may not be the latest, so you should always check whether there are newer versions. Normally there is a page monitoring tool, but in the present conditions I can't guarantee anything about instant updates.

    But it will become a nice collection to use every day. The other objective is to reduce the number of posts here and to use dumpblogs for the other stuff; dumpblogs are blogs where I just dump the stuff without much work, promotion or other effort.

    http://freeware.skynetblogs.be

  • .be hacking just goes on even without zone-h.com

    Since the last attack, zone-h.com (from which we luckily had received the database for 2008 for the .be domain) has not restarted its operation. Maybe they were fed up with being hacked over and over again (they were using Joomla, by the way) and getting little respect or advertisers in return.

    They were a very good indicator and in fact they are irreplaceable, and those that could or should replace them are also under attack (some of them are also under hacking attack or are being hacked) or are too limited to be of any use. With its thousands of submissions every day, zone-h gave us some very good indications for our small .be domain, and the Joomla hacking campaign would never have been so evident for the security community without zone-h.com.

    So now we will have to live without it, but there are those who are happy that there is no public archive (except ours for 2008) to show how stupid their security was, if there was any.

    Here is already a small list of some sites that are being hacked today. We will have to make a new list of terms and addresses to use to find them as best we can, but when we do find them, it is already too late.

    You should consider the fact that you will always be scanned, that if you have any vulnerability you will be attacked, and that if you let them hack you, they will hack you. This is certainly the case for sites that were hacked once and, as even this small list shows, are hacked again as if nothing has happened and nothing should happen....


    HACKED BY POWERFUL</title><center><h1><br>, HACKED BY POWERFUL. HackeD By PoWeRFuL ~ For Turkey ! FAQ · Zoeken · Gebruikerslijst · Gebruikersgroepen ...
    kmscw.crepenet.be/forum/login.php?sid=c4abf908d4d5c976f8bd0c1696a... - 15k

    http://webcams.wxcams.be/images/ (not the first time)

    http://www.tzwembad.be/writedata/kalender/date.asp?date=2/8/2009  (this site was also used for phishing, so your insecurity may come to haunt you legally)

    http://www.sargeras.be/eqdkp/viewitem.php?s=5543eaaa38865cd3da535808a65dad57&i=134&o=1.0

    kzp.be/kalender

    And so on; we will be publishing more listings, but it will take some time setting the search tools in motion, because Google is not that easy and intelligent to use for discovering hacked websites.

  • ten ebooks a day at ebooks.skynetblogs.be

    While I am collecting my own books online for personal use and without posting, I copy links to some of them at

    ebooks.skynetblogs.be

    No guarantee that the books will stay up for long.

  • Fortis, parliamentary commissions and forensics

    It is only now that some people are realising that the parliamentary commission about what happened at and with Fortis will be of no use if the forensics is not done as it should be, and that should have been done from the first moment the state took control of the bank (more or less). It should have taken at that time the necessary measures to be sure that all the information and communication logs necessary to understand what happened and who is responsible were copied and kept in a safe place.

    Crying now that all the communication logs of the Fortis saga have to be preserved is like crying wolf when half of your sheep have already been slaughtered.

    But what do you expect from a country where there is no law about forensics and not one technical norm about how to make and safeguard your logs?

    The smart people around here just copy the US norms from NIST and do not lose time waiting for something that will need months of deliberations, while the only thing to do is to translate and adapt a little the norms that already exist and are used by thousands of network operators overseas.


  • Fortis, risk and criminal behaviour

    When Votron, the ex-CEO of Fortis, had the big plan to buy ABN-AMRO in 2007 - and made the rest of his inner crowd blind with promises and sales talk and dreaming of grandeur, history and world domination - he was aware of the enormous risks he was taking (with other people's money, by the way).

    In June 2007 he received a report from a private banker that put it in terms that could not be misunderstood. If Fortis bought ABN/AMRO at that price, Fortis was taking such a risk that the solvency and even the existence of Fortis itself could be enormously endangered. It was a thing not to do, because the housing market in the USA was going to implode.

    The report was not distributed to the other members of the board of directors, nor to the investors (even the big ones), although I suppose that the report was paid for with Fortis's money (and not his personal money), so the report should have been distributed to the different decision channels and investors of Fortis.

    Without this report the investors didn't have all the information necessary to make a good judgement about the OPA and the risks.

    In fact it is criminal that this information was not distributed, and if it is not criminal by law it should become so. The board of directors should have its own budget to ask for independent outside advice about decisions that have to be taken, and the board of directors should have all the necessary powers to ask for any document that could help it take a good decision. And if the board of directors didn't do this, they should be prosecuted for negligence. Their role is too important to be done this way.

    Each company should also have independent risk auditors who can't be fired by the firm for their opinions or advice, except if they don't give any....

  • back next week 24/02

    I have to get some things together, and in times of mourning and grief I have to be there as a father and a husband. This is much more important for the moment. I hope Murphy's law doesn't send more family members 'up' or bring more bad news and disaster, because even a man can only take that much....

    It is just the living proof that Belgium needs a real CERT with real people who are paid to do this as a job - so I can go on and do other things too....

    But for this blog to stop would not be responsible for the moment. It is possible that there will be some changes compared to what you have been used to over the last year.

    This is another reason there has to be a CERT. This is my personal initiative just to help out and get the e-security discussion going. I do with it as I want and I don't get a dime for it. A real CERT has a format and obligations and is a public service.

  • Fortis is NOT sold to BNP/Paribas

    the unknown unknown is there

    and if anybody has any idea how everything will evolve and react to this event, then he can claim a Nobel prize

    meanwhile there is a big bang happening over here

    and the effects are the unknown unknown

    some results are the known unknown and could be mentioned now, but the interaction between those events and the intensity of the reactions can never be foreseen or calculated

    you should now be prepared for the worst and be happy if it didn't turn out to be that bad, but prepare for the worst

    sadly you had ideological demagogues at one side and desperate shareholders that are out for revenge at all cost at the other side

    the result is this

  • whatever happens with Fortis, Europe has no strategy

    The European Community is just that, a community, but not a union. We don't have a president who is elected, but a bunch of administrators who are appointed by national governments. It is as if all the states of the US each appointed one administrator to the Administration, agreed together on the nobody who would become the caretaker of it all, and for the rest decided together every month or so what those administrators could and could not do. To give some perception of democracy there would be a parliament that has fewer powers than the parliaments of the 18th century, and a currency that is shared by some but that isn't backed up by any financial services or industrial strategy.

    And so, just as happened with the speculation against the different national currencies before the euro, speculators and investors-too-afraid-to-lend-anything are playing each country against the others, because the national budgetary norms for the different states were made up when all things went well and everybody believed that they would only get better. Nobody thought that we would arrive in the situation we find ourselves in today.

    Meanwhile financial services and industry were being pushed with funds and sales talk to expand and internationalise and grow as fast as they could.... and they did. They grew so much that they became bigger than the national budgets of the states where they had their central offices, and as such became a real big danger for those states. But as nobody thought that everything could go wrong at the same time, nobody thought of any international or European system that could intervene to save them. But how could they have any European vision? They were all national administrators who were appointed by national governments to work for the national interests. And the European parliament couldn't give any impulses either, as it is helpless and senseless as a parliament.

    For this we are paying a big price, beginning with Ireland, Italy, Spain, Greece, Portugal, Hungary, and let's hope the list doesn't get any longer. Maybe Belgium too, because our banks are much bigger than the whole of our gross national product and there is no way that we could pay for all the guarantees that were given or substitute for all the money that the other banks aren't lending any more, because they are afraid of the unknown and everything has become unknown for the moment.

    So whatever the result, Europe needs a New Deal: an elected president with a new deal and a forceful parliament that can impose European financial services and economic stimulus plans.

  • Microsoft patches - Internet storm center recommendations

    You had better follow them; they are seldom wrong.

    Overview of the February 2009 Microsoft patches and their status.

    Columns in the ISC table: bulletin number, affected product and CVEs, contra indications (KB article), known exploits, Microsoft rating, ISC rating(*) for clients and for servers.

    MS09-002
    Affected: Internet Explorer (CVE-2009-0075, CVE-2009-0076)
    Description: Cumulative MSIE patch, adds fixes for multiple vulnerabilities that lead to random code execution with the rights of the logged on user. Replaces MS08-073 and MS08-078.
    Contra indications: KB 961260
    Known exploits: No publicly known exploits
    Microsoft rating: Severity: Critical; Exploitability: 1,1
    ISC rating(*): clients Critical; servers Important

    MS09-003
    Affected: Exchange (CVE-2009-0098, CVE-2009-0099)
    Description: Multiple vulnerabilities allow code execution and DoS. Replaces MS08-039.
    Contra indications: KB 959239
    Known exploits: No publicly known exploits.
    Microsoft rating: Severity: Critical; Exploitability: 2,2
    ISC rating(*): clients N/A; servers Critical

    MS09-004
    Affected: SQL server (CVE-2008-5416)
    Description: An input validation vulnerability in extended stored procedures leads to random code execution. Replaces MS08-040 and MS08-052.
    Contra indications: KB 959420
    Known exploits: Exploit code publicly available since December 2008
    Microsoft rating: Severity: Important; Exploitability: 1
    ISC rating(*): clients Critical (**); servers Critical

    MS09-005
    Affected: Visio (CVE-2009-0095, CVE-2009-0096, CVE-2009-0097)
    Description: Multiple vulnerabilities allow random code execution with the rights of the logged on user. Replaces MS08-019.
    Contra indications: KB 957634
    Known exploits: No publicly known exploits.
    Microsoft rating: Severity: Important; Exploitability: 2,2,2
    ISC rating(*): clients Critical; servers Important

    We will update issues on this page for about a week or so as they evolve.
    We appreciate updates
    US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
    (*): ISC rating
    • We use 4 levels:
      • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
      • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
      • Important: Things where more testing and other measures can help.
      • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
    • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
    • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
    • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

  • new Belgian zombies

    2009-02-10 16:30:42 85.28.64.155 cable-85.28.64.155.coditel.net 2009-02-10 17:58:09 21502
    2009-02-10 14:04:20 87.65.167.230 230.167-65-87.adsl-dyn.isp.belgacom.be 2009-02-10 23:18:47 5432
    2009-02-09 15:39:38 87.65.166.124 124.166-65-87.adsl-dyn.isp.belgacom.be 2009-02-10 00:47:47 5432
    2009-02-09 12:03:19 85.28.122.79 cable-85.28.122.79.coditel.net 2009-02-09 12:20:25 21502
    2009-02-09 11:08:59 88.147.47.29  2009-02-10 23:49:50 29096
    2009-02-08 23:16:15 87.65.224.159 159.224-65-87.adsl-dyn.isp.belgacom.be 2009-02-09 02:08:07 5432
    2009-02-08 20:10:35 81.244.192.134 134.192-244-81.adsl-dyn.isp.belgacom.be 5432
    2009-02-08 19:32:33 87.65.146.203 203.146-65-87.adsl-dyn.isp.belgacom.be 2009-02-08 23:27:56 5432
    2009-02-08 19:20:16 81.242.149.55 55.149-242-81.adsl-dyn.isp.belgacom.be 2009-02-08 19:46:26 5432
    2009-02-08 19:09:13 81.244.143.16 16.143-244-81.adsl-dyn.isp.belgacom.be 2009-02-08 19:57:33 5432
    2009-02-08 18:18:15 81.245.132.226 226.132-245-81.adsl-dyn.isp.belgacom.be 2009-02-08 22:00:26 5432
    2009-02-08 16:20:40 81.244.92.152 152.92-244-81.adsl-dyn.isp.belgacom.be 5432
    2009-02-08 13:22:33 83.134.91.153 ip-83-134-91-153.dsl.scarlet.be 2009-02-08 13:58:58 3304
    2009-02-08 10:12:45 88.147.8.150  2009-02-08 19:43:02 29096
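    A list like the one above is only useful to a defender once it is parsed and grouped, for instance per access provider so that each abuse desk can be sent its own hosts. The script below is an added example, not the blog's own tooling. The listing carries no column headers, so the reading used here (first timestamp, IP address, optional reverse DNS name, optional second timestamp, trailing number) is an assumption; the regex also tolerates the run-together form in which the raw data arrived, where the seconds field and the next column are printed without a space.

```python
"""Parse the Belgian zombie listing and tally the hosts per access provider.

Added example, not the blog's own tooling.  Column meaning is an assumption
(the listing has no headers); the regex accepts both the spaced form and the
run-together form in which a timestamp is glued to the following field.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<first>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*"       # first timestamp
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"                  # IPv4 address
    r"(?:(?P<host>(?=\S*[A-Za-z])[A-Za-z0-9.-]+)\s+)?"     # optional reverse DNS (must contain a letter)
    r"(?:(?P<last>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*)?"    # optional second timestamp
    r"(?P<num>\d+)\s*$"                                    # trailing number, meaning not given on the page
)


def parse_line(line):
    """Return a dict of the five fields, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def provider_of(host):
    """Reduce a reverse DNS name to its last two labels; no name means no provider."""
    if not host:
        return "(no reverse DNS)"
    return ".".join(host.split(".")[-2:])


def tally(lines):
    """Parse every line and count the listed hosts per provider.
    Returns (records, Counter)."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    return records, Counter(provider_of(r["host"]) for r in records)


# The listing from the post, kept in the run-together form the raw data arrived in.
LISTING = """\
2009-02-10 16:30:4285.28.64.155 cable-85.28.64.155.coditel.net 2009-02-10 17:58:0921502
2009-02-10 14:04:2087.65.167.230 230.167-65-87.adsl-dyn.isp.belgacom.be 2009-02-10 23:18:475432
2009-02-09 15:39:3887.65.166.124 124.166-65-87.adsl-dyn.isp.belgacom.be 2009-02-10 00:47:475432
2009-02-09 12:03:1985.28.122.79 cable-85.28.122.79.coditel.net 2009-02-09 12:20:2521502
2009-02-09 11:08:5988.147.47.29  2009-02-10 23:49:5029096
2009-02-08 23:16:1587.65.224.159 159.224-65-87.adsl-dyn.isp.belgacom.be 2009-02-09 02:08:075432
2009-02-08 20:10:3581.244.192.134 134.192-244-81.adsl-dyn.isp.belgacom.be 5432
2009-02-08 19:32:3387.65.146.203 203.146-65-87.adsl-dyn.isp.belgacom.be 2009-02-08 23:27:565432
2009-02-08 19:20:1681.242.149.55 55.149-242-81.adsl-dyn.isp.belgacom.be 2009-02-08 19:46:265432
2009-02-08 19:09:1381.244.143.16 16.143-244-81.adsl-dyn.isp.belgacom.be 2009-02-08 19:57:335432
2009-02-08 18:18:1581.245.132.226 226.132-245-81.adsl-dyn.isp.belgacom.be 2009-02-08 22:00:265432
2009-02-08 16:20:4081.244.92.152 152.92-244-81.adsl-dyn.isp.belgacom.be 5432
2009-02-08 13:22:3383.134.91.153 ip-83-134-91-153.dsl.scarlet.be 2009-02-08 13:58:583304
2009-02-08 10:12:4588.147.8.150  2009-02-08 19:43:0229096
""".splitlines()

if __name__ == "__main__":
    records, per_provider = tally(LISTING)
    print(f"{len(records)} hosts parsed")
    for provider, count in per_provider.most_common():
        print(f"{count:3d}  {provider}")
```

    Two entries have no reverse DNS name and two have no second timestamp; the optional groups keep those lines from being silently dropped, which is the usual failure of a quick split-on-whitespace parser on data like this.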

  • phishing in Belgium: much redirection and one real one

    The 256 phishing sites that we alerted about - it was an extremely high number - were the result of an indicator going buggy, probably over a redirection script.

    Some of the sites had no real changes on them; they only send their visitors to that site - especially those coming by clicking on a link in an email to other sites (that are offline for the moment).

    These sites

    http://kinkystar.com/public/login.html

    http://cantucci.be/cache/bon.html?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=

    http://vertongen.net/modules/premio.html

    http://flink.be/parcbooks/or.html

    http://verbinnenpoultry.be/press/xyx.html

    have, for example, redirections to

    http://semida.wrzhost.com/error/www.poste.it/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=

    http://wlzuojia.com/news/posteit/index.php

    http://blueoceannetwork.bonlive.com/sys_cpanel/images/.skin/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=

    http://bieliznasklep.com/images/index.html?privacy/Control.do?body=privacysecur_prevent_fraud

    But this is a real phish:

    http://www.certexo.be/admin/_notes/.xml/.1/
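    The redirect targets above share a pattern that a filter can check without fetching anything: the impersonated brand's domain (www.poste.it) sits in the path rather than in the host, and the query string carries a sign-in form parameter on a host that has nothing to do with the brand. The script below is an added example, not part of the post. BRANDS is a constructed watch list, and treating the MfcISAPICommand=SignInFPP parameter seen in these URLs as an eBay sign-in form marker is an assumption about its origin.

```python
"""Flag redirect targets that impersonate a brand in the URL path or query.

Added example, not part of the post.  BRANDS is a constructed watch list;
reading MfcISAPICommand=SignInFPP as an eBay sign-in marker is an assumption.
"""
from urllib.parse import urlsplit, unquote

BRANDS = ("poste.it", "ebay.com", "paypal.com")              # constructed watch list
SIGNIN_MARKERS = {"mfcisapicommand=signinfpp": "ebay.com"}   # query fragment -> legitimate owner


def host_of(netloc):
    """Drop userinfo and port, lower-case the host name."""
    return netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def owned_by(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phish_indicators(url):
    """Return the list of reasons a URL looks like a brand-impersonating phish.
    An empty list means none of the heuristics fired."""
    parts = urlsplit(url)
    host = host_of(parts.netloc)
    tail = unquote(parts.path + "?" + parts.query).lower()
    reasons = []
    for brand in BRANDS:
        if owned_by(host, brand):
            continue                       # the brand really owns this host
        if brand in tail:
            reasons.append(f"brand domain {brand} in path/query of {host}")
        elif brand.replace(".", "") in tail:
            reasons.append(f"brand name {brand.replace('.', '')} in path/query of {host}")
    for marker, owner in SIGNIN_MARKERS.items():
        if marker in tail and not owned_by(host, owner):
            reasons.append(f"{owner} sign-in parameter served by {host}")
    return reasons


# Redirect targets quoted in the post, plus one constructed legitimate URL.
SAMPLE_URLS = [
    "http://semida.wrzhost.com/error/www.poste.it/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=",
    "http://wlzuojia.com/news/posteit/index.php",
    "http://bieliznasklep.com/images/index.html?privacy/Control.do?body=privacysecur_prevent_fraud",
    "https://www.poste.it/index.php",   # constructed: the brand on its own host
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hits = phish_indicators(url)
        print(("PHISH " if hits else "clean ") + url)
        for reason in hits:
            print("    -", reason)
```

    The third URL shows the limit of this kind of check: nothing in it names a brand, so it passes, which is why the post's list still needs a human or a fetch-and-compare step behind the heuristic.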

  • spammers that are trusted

    slimeasypro.com
    healthierwaytogo.com
    freeacaiburn.com
    courseadvisor.com
    geniustrades.net
    supermedz.com
    eharmony.com
    bestwhole.com
    quotewizard.com
    freecreditreports360.com (even controlled by verisign, safe site,...)

    They pass PhishTank, some web filters, Finjan,.....

    It is NOT because those filters declare a site safe that it IS safe. They declare it safe only because they don't know (yet) that the site is being used by spammers and/or crooks.