• .be domains used in IRS phishing fraud

    The domains were used in an IRS phishing fraud attack - as it is tax season in the US.

    So if you see subdomains like IRS.GOV.yourdomainname.whatever/fraud (or whatever) pop up anywhere on your hosting platform or site,

    you have been hacked and you are being used to defraud US citizens and small businesses.

    Just a reminder also that .be is the national Belgian domain under national Belgian law, and that in that case you can be held accountable if you do nothing or act much too late.... You would be the first but who knows....

    My other question is of course how banks and others treat the information afterwards. Do they get the logs of the phishing websites used, to see which clients were defrauded and how? Does anybody do any follow-up? Or is it just reactive, waiting for someone to contact the offices to tell them that they have been ripped off?
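
    The check described above (subdomains like IRS.GOV.yourdomainname.whatever showing up on your own hosting), as an added example that is not part of the original post: it scans web server log lines for Host names in which a brand's domain labels sit in front of one of your own domains. The log format, the brand list, example.be and the 192.0.2.x addresses are constructed assumptions.

```python
import re

# Brand domains to look for in front of your own names (constructed list; extend it).
BRANDS = ("irs.gov",)

# Constructed sample lines in a vhost-first access log format (assumed layout).
SAMPLE_LOG = [
    'www.example.be 192.0.2.7 - - [24/Mar/2010:09:58:01 +0100] "GET / HTTP/1.1" 200 5120',
    'IRS.GOV.example.be 192.0.2.10 - - [24/Mar/2010:10:00:00 +0100] "GET /fraud/ HTTP/1.1" 200 512',
    'virs.gov.example.be 192.0.2.11 - - [24/Mar/2010:10:01:13 +0100] "GET / HTTP/1.1" 404 0',
]

def _labels(name):
    """Lower-case a host name, drop any port and trailing dot, split into DNS labels."""
    host = name.strip().lower().split(":")[0].rstrip(".")
    return host.split(".") if host else []

def impersonated_brand(hostname, own_domains, brands=BRANDS):
    """Return the brand spelled out in the labels in front of one of our own
    domains (IRS.GOV.example.be -> 'irs.gov'), or None if there is none."""
    host = _labels(hostname)
    for own in own_domains:
        base = _labels(own)
        if len(host) <= len(base) or host[-len(base):] != base:
            continue  # not a subdomain of this domain
        prefix = host[:-len(base)]
        for brand in brands:
            b = _labels(brand)
            # The brand must appear as a contiguous run of whole labels,
            # so 'virs.gov' does not count as 'irs.gov'.
            for i in range(len(prefix) - len(b) + 1):
                if prefix[i:i + len(b)] == b:
                    return brand
    return None

def scan_access_log(lines, own_domains, brands=BRANDS):
    """Return (host, brand, path) for every request whose host impersonates a brand."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*?"[A-Z]+ (\S+) HTTP/', line)
        if not m:
            continue  # line is not in the assumed format
        brand = impersonated_brand(m.group(1), own_domains, brands)
        if brand:
            hits.append((m.group(1).lower(), brand, m.group(2)))
    return hits
```

    The same `impersonated_brand` function can be run over the names in a DNS zone export or a vhost configuration instead of a log.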

  • as promised : there are the .be fastflux botnets again


    Tomorrow the .ru domain closes to international crime gangs without a base in Russia itself - and as real identification will now be necessary, it will become more risky.

    The .cn domain is already more closed to them now.

    We said that the .be and .eu domains would be the next ones because

    * they are cheap

    * they are trustworthy at first sight

    * there is no real hard identification control

    * they have been used before with success in these networks

    So by checking Arbor Networks' list it was clear that

    * there is a spurt of domains in .ru as it is the last day

    * there are other domains also being used by fastflux networks, such as .kr, .pl and .co.uk

    * and .be is back again in the list

    luckily we have (had) a quick way to get them taken down immediately at the root - but it is clear that in this new context one will have to set up some controls and limits, so that one doesn't end up running after the facts all the time instead of blocking fraudulent international purchases from the beginning of the process

    It is the only way to avoid, in the long run, having to invest considerable resources in cleaning up the mess and suffering a long-lasting reputation loss for the .be domain extension as a whole.

    Because if this registration is not fraudulent, then I will have to go back to school, and another question is how the registrar company itself didn't see it. The country was Italy but the address was in the US, the email address was stupid, and so on.


  • tips on how to speak about confidential matters without encryption (is this for real ?)

    • If you have no alternative (such as using encryption software) and urgently need to discuss confidential matters over a mobile phone:
    • cover your mouth so you can't be lip-read
    • choose a location where you can't be overheard
    • talk quietly and be brief
    • use code words
    • split information across different channels (e.g. refer to emails or send texts etc so information is incomplete and meaningless on its own)


  • skynetblogs hosts international islamic war blog

    http://censored31.skynetblogs.be/ is made by what calls itself the "Center for Research and Islamic intelligence" but by all looks is an international English-language direct-reporting pro-holy-war blog. It is linked with a number of other international jihad blogs and forums like this one

    The problem with the blog is that instead of having only good articles and analyses which you can appreciate - even if you don't agree - they are mixed with videos and other stuff of martyrdom, terrorism and jihad in which there is no doubt about the essence of the message. Which is a pity, but makes the blog even more dangerous by mixing research and jihad. It is even a mix of werkgroep zonhoven paranoia, anti-polio hysteria and other master conspiracy theories that are invading the 'real truth' web. But this doesn't mean that the jihad part of its message is acceptable.

    and with quotes like these, what would you think about the message of the blog ?

    O Allah, make them and their weaponry a booty for the Mujahideen

    O Allah, you are our support and you are our only Victor; by your order we attack; by your order we retreat and by your order we fight

    O Allah, the sky is yours; the earth is yours; the sea is yours, so whatever forces they have in the sky, drop them. Destroy all their forces in earth and sink all their forces in sea

    O Allah, deal with them for verily they can never disable you

    O Allah, retaliate upon them, afflict them like you did to Pharaoh and his nation

    O Allah afflict their country with floods, make them in need of money and food and persons

    O Allah defeat them, destroy them O the All-Strong, the All-Mighty

    Allahu Akbar

    "Honor, Power and Glory belong to Allah, His Messenger and the believers, but the hypocrites know not"

    Don't we have Belgian soldiers over there and families of them over here ? Is Skynetblogs not part of Belgacom, a semi-public enterprise ? And is this not HATE ?

    So why is this kind of stuff accepted over here, even if it is contrary to the conditions of use ?

  • apple, VMware and Internet Explorer patches

    Apple has released a bunch of security updates

    VMware has also released a new bunch

    tomorrow patches for a whole series of critical holes in Internet Explorer 6 and 7 (also non-published ones) will be released. Go to http://updates.microsoft.com

    This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on March 30, 2010. The bulletin is being released to address attacks against customers of Internet Explorer 6 and Internet Explorer 7. Users of Internet Explorer 8 and Windows 7 are not vulnerable to these attacks. The vulnerability used in these attacks, along with workarounds, is described in Microsoft Security Advisory 981374. The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack.

  • worrying about risk ? let the navigators take it for you ? (hack)

    It is clear that the online reputation of your business stands or falls with your online security, especially if you are in the security, risk and reputation business

    so if you have a site saying this



    It shouldn't look like this


  • safe ecommerce in Belgium ? entreparticuliers defaced

    So this is the site that wants you to do this


    and all this in http when you log on - yes, no https

    and even then the security has a problem, because a page was added without the knowledge of the administrator

    but don't worry your payments are secured ( I didn't test it if it is in https)


  • active hackers on the .be front

    been quite sick the last days, but that didn't seem to impress the hackers (as if it should :) )

    On one side there were more than 100 sites hacked because they were all hosted on one linux server. You know, if you pay pennies you won't get gold service and if you sleep with dogs you get fleas. So if your online business reputation is worth anything, take dedicated hosting. If anything goes wrong you will have only yourself or your technical support to blame. Not one of the hundred other administrators on the same machine.



    and maybe this is the first thing not to do when you want to write a veiligheidsboek (a website about a book about security)


    but as long as the hosting sector itself isn't setting up independent verification and standardisation, maybe the clients should ask for more security (even if it costs more, because nothing is for free and security takes time and investment - even with open source stuff or free patches).

  • If China has such a firewall and cyberwar capability, then why ....

    do you have such long listings in zone-h.org of Turkish hackers penetrating .gov.cn systems all the time

    No firewall to stop them

    No cyberwar capability to defend it or clean it

    Maybe China is not the real hackers paradise


  • shredit.be hacked (linux/apache) zone-H.org



  • cert.be presentation at infosecurity.be

    Infosecurity is a small fair in which every year the people of the security industry see each other and have a good chat. Nothing that special, no big inventions, some interesting products and concepts but nothing to be overwhelmed about. Although I met some interesting people and had some interesting discussions.

    The one thing I didn't want to miss was the first presentation of the Belgian CERT before a more or less professional public. But afterwards one thought that maybe the CERT had better given one presentation behind closed doors for the professionals working with all the big firms that were present, and another one for the public without any knowledge of what security is all about.

    The problem with the presentation and the very - official - timid way in which the CERT presented itself - bound by several other limitations and lots of people watching over their shoulders - is that for professional security researchers and people who are responsible for CSIRTs in security and other companies it was a really cold shower. Some said so afterwards. However I still think they should send their Belgian ecrime data to the CERT because otherwise it will never get the funding it needs.

    Which is a shame, because now, after so many years of lobbying for it, we have a CERT and we should help and support it and give it all the money and resources that it needs to do its job as it should, because the return on investment of a good, focused, professional CERT is immediate and a hundredfold.

    The other cold shower is that it will from now on take some 2 years before the next stage is set. Nowadays, it only works between 08 and 18h, 5 working days a week. The project manager Lionel says that after that the phone calls arrive at home and everybody is helped (social engineering information leakage) but this is not ideal and I know. It is work you aren't paid for, and it all depends on your health, your partner and family and so on, and all of them will always have to accept those intrusions for something they see as 'work'. Even if you are passionate about security and even if you see this not as work but as a mission, your personnel could become exhausted or very sarcastic, because why should they take the phone while having dinner with their family to respond to a case in which a server is hacked at a company that doesn't give a damn about security, and because the government doesn't want to invest the necessary resources to have a real CERT that is effectively running like it should be running, around the clock. Explain that to your wife and kids. You can do this once, twice but not all the time. I know.

    So I hope that by the end of the year we will have more realtime information from the CERT. Something like Arbor Networks - the real attacks now happening on our networks (sql, 445,.....), where they come from and which vulnerability they use. That kind of information would be practical because it would give us something to work with and to watch out for.

    By the way their twitter feed is dead and their delicious

    You can find hundreds of securitytwitters on my account and you can follow interesting delicious links in the dashboard. There are about 40.000 links (not all esec) in diigo as well.

  • the worst spamservers in Belgium according to honeypot project


    Of course these are only the spams that have arrived in the distributed network of honeypots that this project has set up, and this doesn't indicate that these are the only ones or the most important ones in Belgium.

    It only shows the top 5 spamservers that have sent spam to these honeypots and were still active in the last days. The number of spams received from a server is counted since the server was first registered (first date). It is curious to see that these servers have been doing so since 2009 and nearly one year later are still sending spam.

    Maybe no one is controlling these servers and so they should be handled as very risky contacts. Sorry to say.

    Type | Bad Event | First date | Last date
    SD   | 1,742     | 2009-12-09 | 2010-03-24
    SD   | 1,959     | 2009-04-08 | 2010-03-25
    SD   | 3,154     | 2009-08-24 | 2010-03-24
    SD   | 6,994     | 2009-03-30 | 2010-03-24
    SDC  | 5,798     | 2009-11-23 | 2010-03-24

  • first blocklist for Koobface attacks now happening

    the list is not complete, for several reasons

    one is that I don't accept .ru and .cn domains anyway unless they are whitelisted

    secondly it is a copy of a list I use myself, and it may be that some domains are already blocked somewhere where I use it, and others I did not check because I also have other things to do


    block koobfacelist 24/03

  • koobface seems to be still infecting a lot of people

    According to the web the attacks started at the end of last week but they seem to be continuing

    so if you have a facebook, twitter, netlog or any other social site account, be careful with links, have an updated antivirus and download stuff to separate folders that you close down for a while

    do not click on codecs to view a film

    do not click on fake securitysoftware and don't let your computer be scanned by those crooks

    if you need something free, go to microsoft.com and look for securityessentials or go to download.com and look for other free antivirussoftware (do not look for it on the web through Google because many domains will pop up that look like the right thing but aren't)

    it is also better to lock down your browser, put it on the highest security setting and add some special security stuff

    and maybe ask your friend if he or she has really sent you that stuff before opening it; if it is a virus the answer will be negative or none

  • infosecurity.be uses bad SSL

    The commercial happening for securitypeople - and as it is a small world in Belgium it is in fact a meeting-with-friends-you-didn't-see-for-a-while - has started.

    It is of course infosecurity.be

    something funny though

    when you want to make your access card online there is a warning that it uses a bad SSL key that has been compromised for a very long time

    they are not alone - some other big firms and applications still have the same stupid breakable SSL certificate - but they aren't security festivals



  • some Belgian hosters were hacked for the koobface attack

    according to the malware domainlist they were the following



  • where are most of some phishes placed according to phishtank

    For the moment there is a big attack against facebook users under way to try to steal the logins and install malware. It is known as koobface but other malwaredetectors use other names sometimes.

    When we look at phishtank to see where the URLs that steal those logins are placed, there are some hosters that are being preferred




  • IIS 6 servers being hacked in series also in Belgium

    As we have written before, there is an exploit for IIS 6 and the only way to fix it is to upgrade to IIS 7 (and windows 2008)

    or maybe someone in Microsoft should take notice and send out a clear fix for this attack so that people have time to keep their online presence safe while awaiting the migration to IIS 7. The main problem with the migration is that it is a double migration and in most cases even a triple migration. You have to migrate the server (IIS), the OS (to windows 2008) and sometimes even the hardware if it isn't enough to run the websites and the new OS.

    Windows 2008 is much safer than Windows 2003 so you will have to upgrade soon, but can someone in Microsoft get a fix for that which is more than a workaround? It doesn't mean that IIS 7 on Windows 2008 can't be hacked or defaced, but it won't be so simple if you use the tools and advice that you get. There are IIS 7 hacks happening.

    Last year, more than 2/3 of the hacks were on linux/unix servers. This could change if this problem isn't fixed. Joomla also took centre stage in the hackers' attention when they found an easy hole in its system. Now the exploits against Joomla just keep coming out.