• OMD souvenir

  • you can start preparing business contintuity now

    We are at stage 5 out of 6. one side of me says that it ain't that bad and the other side said that it is going very fast. we will be sure in two weeks time but I think nobody has a clear idea and some officials seem to start panicking or want to push everybody to take appropriate actions. We do that often with computer viruses - just to get attention and some action so it doesn't turn out to be that bad.

    * inform your workers and start distributing guidelines and start making plans in case that some cities or regions are put under quarantine. This quarantine is always in all the official plans for the next stage.

    * cancel all important business travel - you don't want your executives somewhere out there and not be able to come back. Invest in online conference services. People who are commuting in mass travel may be more vulnerable. If they are valuable you can ask them to stay home is the risk becomes greater.

    * prepare for telework schemes for your workers so they can log in from home if they are in a quarantained area - could be anywhere when we go one. They will need internet connections, good and secure pc material, some guidelines and access to a lut of stuff.

    * be sure that everything that is critical is documented. when we are one step further some staff may die or be too sick to do anything. And if there is nothing on paper who will tell how it works.

    * if people start getting sick make sure they stay at home and don't show up at work, better at home than infecting the rest of your offices

    * be sure that the contacts of all your personnel are corrected, collected and distributed or available so some at home workers can rebuild virtually their office.

    * if you shut your offices completely be sure they are not accessable and that they are secured at all times.

    * if some people are staying behind even if your city or region is under quarantine be sure that they will be able to stay in a hotel with good hygiene. You will have to reserve these. Don't worry most hotels are too many empty rooms.

    * follow the news at all time, this goes extremely fast, we have gone to stage 5 on a scale of 6 in around 10 days. I presume the US will be hit next. The panick can be bigger than the number of deaths but that is often the case.

  • old linux vulnerability becomes new direct root exploit

    The vulnerability with STCP on linux is known since 2006 but it said that it was only a DOS vulnerability. According to the description you could only use it to bring the machine down - if that ain't worse enough.

    But a vulnerability is just code and code lets you do things. It only depends on your imagination and knowledge. So a vulnerability in the Kernel (root) of the machine can it be used for much more than only DOS, could you take access of the machine. Some security researcher asked this question, did some research and published his code. I don't know if the last thing helps a lot :)

    "Last month one of my customer (that has a _custom_ deployed sctp application on his network ) asked me if the vulnerability may have some impact on his systems. The answer? "Yes it does", and since someone thinks that is not exploitable and someone else speculates over a possible locally privilege escalation only (with remote host sending TSN packet) i decided to write a completely remote exploit.

    It is extremely reliable (nearly one-shot always), given that you know the target kernel. I tested it on Ubuntu 8.04 and Ubuntu 8.10
    server boxes running with different kernels (ubuntu kernel for amd64) and on OpenSuse11.1 and a Fedora Core 10 (yes, extra-brownie points here, it works great on Selinux too). ...

    I dont want to talk about the exploit, because the code should be self explanatory, but i'd like to briefly explore the vulnerability:

    The last thing I am asking myself is if there are any other vulnerability that haven't been researched quite good enough and are indicated as doing only this or that and maybe can give much more control and access rights if you look in another way at the code.

    And maybe some patches for these vulnerabilities will be proven to be insufficient as a new way of attack will need other ways of defense.

    This can become very dangerous and interesting times indeed....

  • flu : the masks don't work but


    but you touch less your mouth if you have touched something (anything in an infected area) that is infected with the virus

    it reminds you constantly that you are in a dangerous area and that infection is just 'out there' anywhere (because it is NOT normal seeing thousands or people with masks walking around)

    it makes them shut up :) everybody will buy an Ipod or something to read as speaking to people can be 'risky'.

    and to finish this is the biggest test yet of all the plans and preparations that have been going on since SARS in 2004. This is 5 years ago so it is a good moment to evaluate. The economy came to a near standstill in 2004 because of the fear of the theoretical possibility that it could spread. This theoretical possibility is now even much greater but there is some practical evidence that it won't necessary play out like that. As doubtful as I was in the beginning about the crisismanagement and about the willingness to take appropriate preventive measures and about the chaotic contradictory communication here, things are going more or less as they should have been from the beginning.

    But hey, I am a security paranoid :) luckily that is my job...

  • Microsoft introduces autorun protection for windows 7 and announces it for Vista and xp

    In order to help prevent malware from spreading (such as Conficker) using the AutoRun mechanism, the Windows 7 engineering team made two important changes to the product:

    1. AutoPlay will no longer support the AutoRun functionality for non-optical removable media. In other words, AutoPlay will still work for CD/DVDs but it will no longer work for USB drives. For example, if an infected USB drive is inserted on a machine then the AutoRun task will not be displayed. This will block the increasing social engineer threat highlighted in the SIR. The dialogs below highlight the difference that users will see after this change. Before the change, the malware is leveraging AutoRun (box in red) to confuse the user. After the change, AutoRun will no longer work, so the AutoPlay options are safe
    2. A dialog change was done to clarify that the program being executed is running from external media.

    This change will also be made available for VISTA and XP users in the near future.

  • twitter, web2.0 and communication about flu

    Everything should be put into context

    twitter is an online chat tool on which anything can be published and is not to be used for facts but for firsthand rumors, stories that will develop and buzz. Using it as a kind of news service is silly. Using it as an indicator or first alert (to be verified) source is interesting but you have to keep your distance.

    the internet is also hosting masses of more credible and official news sources which are also mentioned and used by numerous of other official and news sources worldwide. If you want correct news that is official than you go there.

    the official communication that is being distributed is only trustworthy if it is correct and put into context and without losing too much time (knowing that otherwise incorrect information could be spreading enormously fast by online twitters and headlines). In fact they have to follow the online rumor and newsstreams to be sure that incorrect information is not spreading too fast and will be corrected. It is important to do this.

    the credible news sources have to concentrate on selecting the news from the rumor and checking the information and have to be very careful about the wording of their headlines - especially online. The goal should not be to have the most eyeballs getting headline - like in the newspaper but to be most factual and correct. The paper edition of the news source will have more resources and time to correct and check and adapt the story untill its final version while the online version will be written on the spot and without much doublechecking.If online news sources show themselves to be professional and trustworthy today, they will have kept or rewon a credibility that will have shown their usefulness. Collecting headlines with short texts that aren't verified is not a credible news source.

    For the rest context is important

    * the only real place where it leads to death is Mexico city but the reason for this has not been found yet although specialists are being sent over

    * the number of deaths and sick people is far less than even the SARS crisis. In fact for the moment less than 10 people die every day from the virus in Mexico city (21 million habitants). I think there are lots of other viruses that kill more people over there each day than this one.

    * the biggest fear factor is the lack of a cure and that this virus could change again in something even more dangerous. Also the fact that the virus has been spreading for some weeks before being noticed is worrisome.

    meanwhile it is a very good example to test your pandemic plans and procedures and correct them afterwards. Like with conficker, the world won't fall down but there will be some difficulties and now we are learning if we are ready to cope with them together.

  • EID there is other middleware that is compliant

    If you don't trust an open source middleware or just want to be compliant in your infrastructure from end to end there are products (middleware) that incorporate or use the EID but just as an card and use it in an secured and compliant environment.

    These are commercial products but as they are used in high secure environments they have to protect the authentification and the data on the EID in a better secure way.

    Some security products and installations that let you use EID also use these commercial middleware installation instead of the FEDICT software.

    one example is this

    If anyone has a list of commercial security compliant EID reader middleware, this may be interesting

    If you have the money, you don't have to use the opensource solution from FEDICT if you want to be absolutely sure.

  • Belgians love facebook (but who says something about security and privacy)


    some privacy and security awareness seems to be in order here

    and with so many people using Facebook, what does the PrivacyCommission think


  • the Google datacenter in Belgium and water treatment

    Google says two of its data centers now are "water self-sufficient." The company has built a water treatment plant at its new facility in Belgium, allowing the data center to rely on water from a nearby industrial canal.



  • a technical but very interesting presentation about EID (link added)

    The presentation in 63 slides shows in a detailed but very complete and comprehensive way (for security and IDM people) how the encryption (PKI) of the EID in Belgium is organised. It doesn't talk about any weaknesses or other conceptual or political questions one may have, but on the basis of this you can already have a theoretical idea about how it should work in theory.

    It is very interesting to read in the last slides he talks about the requirements for it to work securely but as nobody is responsable for certification one can ask who will do the monitoring and testing.

    But it is a document one should have read if you are interested in the future of our EID. Any remarks are welcome off course.

    Introduction to Belgian eID cards, presented at K.U.Leuven, 27 April, 2009

  • the effects of a DNS hijacking

    NET Virtua's DNS records reportedly were hijacked on April 11, so that customers who visited any site that ran Google Adsense content were redirected to a site that tried to install and run a Java applet that in turn installed a Trojan horse program.

    Globo.com said the attackers also took aim at Bradesco, one of Brazil's largest financial institutions. NET Virtua customers who tried to visit Bradesco.com.br during the four hours the DNS records were hijacked were redirected to a counterfeit version of the site designed to steal customer credentials, the story notes


  • new network conficker scanner freeware

    Today, April 18th, Bkis has released Bkis Conficker Scanner which can detect Conficker infected PCs in a network. Network administrators can download the software :

    Download here


  • new word confirmers

    As a way of reducing risk, many financial institutions have begun using a technique known as "out-of-band" authentication (such as calling a customer on the telephone) to verify highly sensitive account transactions, the panel pointed out. But the cybercriminal community has responded, for example, by forcing phone calls to victims to be forwarded to them, or by spoofing their numbers when calling the bank themselves.

    Shroyer said many criminal web forums are seeking "confirmers" to play the role of actual customers should the bank call to verify a fraudulent transaction. Often times, the crooks will seek out a person whose voice would resemble the victim's ethnicity, he said.


  • the flu difference between words and acts

    in their own words

    "Belgium has developed an pandemic flu preparedness plan, which describes the different organisations and the role they will have to play confronted with a flu pandemic. A limited version of the Belgian preparedness plan, is published here.

    For more information about the Belgian Preparedness plan, check this powerpoint presentation: Belgian Preparedness Plan

    For more information about the flu and its possibility to become a flu pandemic, check this presentation: Pandemic Flu

    For more information on the Belgian crisis management organisation: check the presentation of the Belgian crisis center.

    their acts no negative travel advisory to Mexico, just stay away from places where there are many people (hide yourself in your hotel room)

  • swine flu resources to follow news instantly and globally

    Just one precaution, double check alerts and news and wait for official confirmation before spreading 'rumors' or 'eye catching newstitels'

    The official news



    Not so official but expert views and news


    news aggregators







    http://twitter.com/healthmap (spreading slowy)



    Infection prevention awareness

    send e-cards with health awareness (wash your hands and don't touch people and things in an infected area)

    Infection maps

    Overview of Google maps

    All outbreaks for all health alerts http://healthmap.org/en (some say it is out of date and not indicating all cases)

    US (Google) http://www.google.org/flutrends/

    Mexico (not longer only the capital) http://uchalas.com/influenza/

    some US - Mexico Map http://swine-flu-information.com/outbreak-map


    New information tools


    And if all goes bad, how to prepare



    No Belgian sources ? No, they just think they better say nothing interesting by fear of installing panick while not saying anything useful while you can find it on the internet is the most stupid thing you can do

    As I said yesterday, the effect on the stock market and some stocks in particular is beginning to show. Pizza hut and other delivery or homefood or online delivery services maybe in fashion now also. Airlines and holidays seem to get a negative effect.


  • Fear uncercainity Danger in the real virus world

    We know from our work in the computervirus world how panicks and preparation work and how to monitor and contain outbreaks - even if we (except a bit for Conficker) don't have any support on the same scale from governments and administrations - and are looking with astonishment to the facts surrounding the new real flu.

    1. Nobody has a clue

    "What makes this so difficult is we may be somewhere between an important but yet still uneventful public health occurrence here — with something that could literally die out over the next couple of weeks and never show up again — or this could be the opening act of a full-fledged influenza pandemic," said Michael Osterholm, a prominent expert on global flu outbreaks with the University of Minnesota.

    Security managers have one common reflex, where-ever they work (fire, health, banks, protection, computers) : be prepared for the worst and leave nothing to chance and be able to gradually but FAST heighten and lower security and monitoring as needed.

    2. There are plans but they are not executed by all countries in the same way

    It seems now that since last night the Belgian government is a bit changing course and asking all doctors to report each flu case. This supposes that somebody who has the flu goes to the doctor and doesn't think that it will go over.

    They say that they have experience because they have contained some ANIMAL flu outbreaks but animals are not like people. Animals can be contained and controlled. People have freedom of movement and action. If the population decides to buy more medicines and water or sugar (First Iraq war) or to distrust any meat or egg based products (dioxin crisis) than they will. It is for this reason - especially in this INSTANTLY changing interconnected NEWS Headlines environment - that you have to give the impression that you are on top and AHEAD of things.

    The cases that are found in the other countries seem for the moment to be better recovering than those in Mexico. As the research about this virus (and its possible variants and mutants) is only starting it is too soon to draw any conclusion.

    3. As an enterprise it is a good opportunity to test some procedures (even virtually).

    If for example everybody should stay at home would your 'work from home' infrastructure work or how many days would it take to set it up. Maybe you can think about cold 'standby' contracts with 'cold' access and other procedures for the firm in question ?

    A cold standby contract means that when needed a firm will activate an internetconnection (or upgrade it) or a hosting solution or a webservices platform for x number of employees and partners. The advantage is that when needed it can be activated very fast while installing and activating a new contract would take weeks or months, especially in big enterprises and official institutions. You could also start setting up your planning about how it would work in practice and prepare the information for the employees.

    The advantage is that this way you are in fact setting up a business continuity plan or testing it if you already have one.

    Another problem that comes to mind is knowledge sharing in the enterprise or network. What will you do if x number of employees become ill or die (in the worst case). Is all their knowledge on paper or on a computer and do enough people know how to access and interpret that information ? And is the information functional, can you actually do the things that person does or is some information missing (maybe because they are too obvious for the person himself but not for an outsider). And do you have a backup of that information on another physical location ?

    Such a strategic thinking also helps when you have to make people redundant without abolishing their functions.

    Virtual tests means that some people are doing the tests but - there is even some software and services that are being developed or on the market - that you don't have to disturb the whole production process.

  • swine flu has potential to spread fast and number of infections are rising

    Our Belgian government/administration meanwhile thinks it ain't worth any special precautionary actions for the moment. Instead they will be running (as hell) behind the facts when it is too late.

    This is what Yahoo is writing in its reports - and what we don't hear on Belgian tv or radio - where they try to minimize the risks and so on

    "Countries planned quarantines, tightened rules on pork imports and tested airline passengers for fevers as global health officials tried Sunday to come up with uniform ways to battle a deadly strain of swine flu. Nations from New Zealand to France reported new suspected cases and some warned citizens against travel to North America.

    World Health Organization Director-General Margaret Chan held teleconferences with staff and flu experts around the world but stopped short of recommending specific measures to halt the disease beyond urging governments to step up their surveillance of suspicious outbreaks.

    Governments including China, Russia and Taiwan began planning to put anyone with symptoms of the deadly virus under quarantine.

    Others were increasing their screening of pigs and pork imports from the Americas or banning them outright despite health officials' reassurances that it was safe to eat thoroughly cooked pork.

    Some nations issued travel warnings for Mexico and the United States.

    Chan called the outbreak a public health emergency of "pandemic potential" because the virus can pass from human to human.

    Her agency was considering whether to issue nonbinding recommendations on travel and trade restrictions, and even border closures. It is up to governments to decide whether to follow the advice."

    I do not know if you can read behind the lines but if this ain't a very worried official without any power trying to tell the governments to do everything they can to limit the spread of this virus, than I am a blind man.

    Does any politician think that one month before our regional elections (but that are very important) people have any sympathy for their inaction. We already had once elections during a dioxine crisis (and the governmental parties lost bigtime). Do they really want another one during another health scare (even if there is much more scare than risk). A scared population can have a much bigger impact than the risk itself. Imagine that they wouldn't travel anymore for example. Imagine them buying all kinds of medicins - thinking there won't maybe enough when this really breaks. You better show a firm steady control from the beginning, leaving nothing on chance than giving the impression that you don't have a clue where to start.

    For example. They are not informing Belgian travellers returning from Mexico because there are no direct flights between Belgium and Mexico and they think it is up to the other countries to inform the returning travellers..... By the way how many people could decided in a few weeks time if the situation worsens (if) to come back to their home country ? Or should they be evacuated to nearby centers ? Things you have to think about NOW not in a few weeks time ....

  • this can go extremely fast - the pandemic

    So it is the same game all over again. First you pay millions for plans and when it comes to implementing those plans and acting accordingly to the intentions and goals of those plans, you just forget about them.

    Yesterday on the Belgian news the official responsable scientist for the pandemics observations said that he was extremely worried, that this was the first time that a pandemic from human to human seemed to be possible.

    And than - just as if he had amnesia and had forgotten everything he said just before - he said that there were no new regulations or observations to make. If we went to Mexico - were public life is slowing down extremely fast in the Capital  according to some reports - we would just have to wash our hands and stay out of places where there are many people (in a capital ?).

    He probably said this because he feared for the reactions. But people are preoccupied with this and when they see that the government or administration is doing next to nothing and says that there is no big risk and they see that the virus is spreading and coming closer home, than panick will spread - even if the government says and does nothing. (we know this situation from the computer virus world, but while you can stay indifferent to computers and networks being infected and virtually dead, you can't say the same about people (except if they live in Africa as it seems to be the case (Darfur)))

    It is better to take some measures - even if totally logically they seem totally overreacted at this minute - and to keep the confidence than to do nothing and see the enterprises and people taking their own measures in a total chaos.

    This is a rule of security thinking. Better be prepared and preparing yourself for the worst than to wait untill it happens and being dead (virtual or really).

    Meanwhile two possible infections have been reported in France. This is next door.

    The only thing that you can do in a pandemic is isolation of the infected territories. You have no reason to go to Mexico City for the moment and probably in the near future to Mexico as a whole. You have no reason inviting now people from Mexico City in your country or city or enterprise. Everybody coming in and out those regions should be registrered and followed up - just to be sure they don't get sick.

    If you are an enterprise you cut all physical ties with Mexico City for the time being. There are webcams, there are telephones and internet services. There is no reason you should have congresses, meetings or holidays there.

    Maybe some will say this is fearmongering. No it is in all the pandemics plan. ISOLATE the infected territories or at least stop the worldwide spreading beginning with the airlines.

    And if you don't believe me. Imagine the panick that will spread when people will start dying in New York, Paris, London, Tokyo or elsewhere and the scientists will say that they are not sure that they are not sure that a cure will take months or years and we all just need to be careful. Looks like a movie.

    And maybe we are lucky this time. Maybe not. Who knows ? They don't seem to know.

    How can you see what the most expensive researchers with access to the most expensive research and information are thinking ? Look if those stocks are growing : pharmaceuticals, undertakers, internet services and home entertainment and see if they are cutting longdistance carriers, outside events, travel destinations(except those isolated from cities)

  • pandemics, fear mongering, scepticism and now brute reality

    Since the first bird flu attacks states and international private enterprises have been (sometimes) preparing for pandemic preparation plans. If such a new flu (some feared a variant of bird flu but now it seems to be a strange mix of different human and animal flus) would brake out (or in the human body and more importantly between human bodies) without any treatment available for a certain number of days, weeks or months, the number of deaths could be high in our big cities and our ever deplacing population.

    The only way to prevent such from happening would be the isolation of infected cities, populations or even countries. All traffic to and within these cities or regions would come to a standstill and all public gatherings in those cities or regions would be at least a risk and at the worst case prohibited. If at the same time important personnel (going from doctors, judges, policemen, ITpeople and civil servants) would become ill or couldn't get to work public services and private enterprises would come to a standstill.

    The pandemic preparation that some countries, cities and enterprises have done at a huge cost during the last years is just to prevent that. It means that people and civil services would know how to isolate certain cities or regions and how to keep the essential services working (by IT).

    Some said that the chance that this would happen is near zero for the next years and that it was fear mongering and a waste of money (the same who said that the year2000 bug was hype). The security and risk people said that you have to prepare for the worst from the beginning to be able to survive every and any crisis even if it doesn't seem to be as bad. Knowing what to do and being able to do exactly what ought to be done - especially if you have tested it with an exercise - makes all the difference during a crisis. It is not during a crisis that you will develop such a plan or that you will find available consultants to set it up for you.

    So when this first big possible outbreak of a new human deadly flu is taking place in Mexico some firms know they are prepared while others don't have a clue and hope it will just blow over.

    The first thing you can already do is to stop all business travel to affected regions and to ask people travelling there to take all the necessary precautions and not to show up for work without a proper medical exam.

    The second thing you can already do is prepare your infrastructure so that your workers can continue to work on their servers and documents even if there is no transport and some cities are quarantained. Having the necessary (even cold standby contracts) in hand gives you some more rights than the firm looking for external services and backup when the first panick reaches your country.

  • why the Belgian cybercriminality law is dangerous

    It is because it is so vague that it can be used for anything

    and there is no specification or limitation and if you want to enforce some gradualism in the law you have to go to court but that is a huge risk and can cost you dearly (if the judge will understand what you are talking about)

    and in this case who are you going to go to trial against ? The prosecutor ? And who is going to handle your case ? the prosecutor ? Kafka.

    no they are trying to blackmail the ISP's to accept a blacklisting list of so-called childporn sites. I know there are childporn sites and sites that are so deviant and ugly that you should block them and I am the first to say that you should block these sites if possible (and there is an international accepted list of childpornlinks that is being used by ISP's worldwide - even if Wikipedia came on it for a while) but I have never seen one such list (as leaked to wikileaks.org that was so clean that no other sites were involved.

    Off course this is also the fault of the pornsite operators themselves that don't really control the content that is being placed on their websites in for example their galleries or don't control if the legal 'teen' age of their 'models' is really conform the law - even if they try to operate from countries where this age is lower than elsewhere.

    And this blog has also opened the case about childpornography on the Tor network so you can't say that we don't care.

    And this blog has worked hard to get the fastflux botnets blocked, so you can't say that we don't want to use blocking.

    But blocking site site is more problematic than useful and not a good example. If you really wanted to block something by using the full force of a badly written vague law, there are plenty of other sites around that would reinforce your case, not weaken it.

    At the other side, I don't like the site and the list of persons was at one side a list of people that were known to be convicted (dutroux) and at the other side a list of people that were only mentioned by name (and for which there were several people of that name in Belgium)

    I don't like the idea of anyone mentioning anyone that is not convicted of anything as a pedo or whatever on the web. But I do find that all the services that work with children should have the right to check if the people they have or will have in service had any such convictions in the past (under whatever name they may have). That would bolster my confidence and trust. No there is nothing to follow up on liberated pedo's. And they get back close to children. ANd that makes people do stupid things like this website. And that they are stupid and sometimes out of their mind proves the fact that they sometimes just go into overdrive, while just playing it safe would bolster their case as a platform for people who just would like pedo's to be followed up always and everywhere. Because we don't want another Dutroux again.

    Meanwhile there is nothing for securing the Belgian networks from the daily ddos attacks and viruses and spam and so on ......

    So as you see it is a 'and if but also ' story in which you can't do things like they did with this filtering. I suppose someone just took it too personal and had too much power with too few checks and balances and critical reviewers.