• most important patch monday in sight for windows

    Microsoft is releasing monday - tuesday for some timezones - an out of band patch for the link vulnerability.

    This is very important and should be implemented on all external and critical systems.

    the patch will probably not be available for windows 2000 and xp service pack 2 (upgrade to 3)

  • wikileaks and the afghan war documents

    wikileaks.org has published thousands of internal documents about the War in Afghanistan

    the source will probably be quite high up because otherwise it would be quite difficult to have such access to so many different documents

    maybe the source is even not more in place because there are no recent documents - but they may be between the 15.000 documents that are still too sensitive to be published

    but there is another question that fascinates me

    how is it possible in a high secure military environment that nobody used Document Leakage Prevention or watermarking or puttin invisible markings so you can see who received which copy

    all that money for military cybersecurity and still such a leak ? How much more money do you need ? Or do you need more strategy and paranoia ?

    wining about the unresponsability of the leakage won't change a thing about that

    the more that wikileaks said they would do something enormous in the coming weeks after they published the Iraq attack video

  • EDP network infected by a Russian botnet

    and Arbor network has seen it and mentioned it

    it only seems a long time to get it down even if it is responsable for a lot of malicious traffic and is known as such

    it seems more and more clear to me that in Belgium there will be only one way to get network- and hostowners to react and that is a security/preventionblocking of access to those domains à la Google used by the local ISP's.

    It is in fact in operation since december 2009 according to this antibotnet blog

    and according to Arbor networks it is a very active malicious server.

    block it 83.217.70.132

  • fastflux domains very active on Belgian networks

    New FastFlux bots in Belgium

    Firstseen (UTC) IP address Hostname Lastseen (UTC) asnumber
    2010-07-29 11:11:07 85.201.149.228 host-85-201-149-228.brutele.be 2010-07-29 18:45:25 12392
    2010-07-26 12:11:15 82.212.143.87 82-212-143-87.teledisnet.be 2010-07-29 16:42:56 12392
    2010-07-26 06:47:13 85.26.44.26 2010-07-26 08:56:47 12392
    2010-07-26 01:20:49 85.201.113.77 host-85-201-113-77.brutele.be 2010-07-26 04:09:14 12392
    2010-07-25 18:09:23 85.201.199.138 2010-07-25 18:09:37 12392
    2010-07-25 18:07:36 213.189.171.55 host-213-189-171-55.brutele.be 2010-07-26 19:42:22 12392
    2010-07-24 07:54:20 62.166.210.83 cust210-83.dsl.as47377.net 2010-07-26 22:41:53 13127
    2010-07-23 18:40:32 85.201.171.227 host-85-201-171-227.brutele.be 12392
    2010-07-18 13:34:17 84.193.163.113 d54C1A371.access.telenet.be 6848
    2010-07-15 16:29:48 85.201.118.250 host-85-201-118-250.brutele.be 2010-07-15 16:37:48 12392
    2010-07-15 12:55:37 85.26.83.75 2010-07-27 17:52:08 12392
    2010-07-13 13:50:46 62.197.71.121 62-197-71-121.teledisnet.be 2010-07-28 20:14:36 12392
    2010-07-13 11:50:16 213.213.222.147 host-213-213-222-147.brutele.be 2010-07-27 07:06:48 12392
    2010-07-13 09:47:59 85.27.99.148 host-85-27-99-148.brutele.be 2010-07-28 14:38:23 12392
    2010-07-13 09:32:52 85.201.225.3 2010-07-14 10:54:44 12392

  • illinate.be registered for malware attack ?

    The WHOis from DNS.Be shows the following information

    Naam illinate
    Status REGISTERED
    Registratie 27 juli 2010
    Laatste wijziging 27 juli 2010 15:15
    Licentienemer
    Taal Engels
    E-mail email
    Onsite contactpersonen
    Naam Naveen Khali
    Taal Engels
    Adres address
    E-mail email

    but the technical or other information was changed two days later to Ukraine. Trustedsource even says that this high risk domain is only used as a proxy for high risk servers in Ukraine.

    with those misleading drive by downloads for the phoenix exploit kit

    how to clean it

     

    so now what ?

    You have a .be domain that is listed all over the internet as being malicious and that is probably used as an infector and solely as such

    or the domainowner downs the site (India) and cleans it up or the hoster does this (Ukraine) or dns does it if both don't want to do it - only dns.be doesn't want to take this reponsability - with the risk of being a second time in a negative report about the security of some domainextensions...

  • meteokust.be one of the most insecure servers in Belgium

    from zone-h.org

    2010/07/27 TroJenX R www.meteokust.be/trojenx.htm Win 2003 mirror

    2009/10/26 MeT1N R nl.meteokust.be/kg.txt Win 2003 mirror

    2009/05/20 iskorpitx M R www.meteokust.be/xx.htm Win 2003 mirror

    2008/10/22 zAx M R nl.meteokust.be/zax.html Win 2003 mirror

    2007/10/22 Mor0Ccan Islam Defenders Team M R nl.meteokust.be/sa4d.htm Win 2003 mirror

    2007/10/22 sinaritx M meteokust.be/ayyildiz.html Win 2003 mirror

    2006/10/14 uykusuz001 M R www.meteokust.be/nofr.htm Win 2003 mirror

    2006/04/18 Arabian-FighterZ H M nl.meteokust.be Win 2003 mirror

    2006/04/18 Spy_Pc1 www.meteokust.be/spy.txt Win 2003 mirror
    http://www.zone-h.org/archive

    Could someone learn them something useful about security ?

  • cyberwar is no good basis for cybersecurity ideology

    One of the reasons that Cyberwar is being used is out of desperation. Activists and decisionmakers are sometimes desperate about the nearly total incomprehension and realisation or attention for the risks that come with a digitalized economy and society (and army). You can see that desperation when those associations, big digital corporations and activists are jumping on whatever subject that is for some time in the media and that could be used to get more funding and attention. Once it is about online pedophiles and the dangers for our kids, than it is about cyberespionage if some case is effectively publicized and another time it is about the dangers of being too dependent on the internet for social relationships.

    Cyberwar is just one of these subjects but like the other subjects that were mentioned cyberwar is not a good basis for an ideology about cybersecurity. An ideology needs more and war as an ideology is very dangerous, even if you think that in the short run you may get more funds for some time. It is dangerous because you are supporting an ideology that is in fact militaristic. Not to say that any military action is bad and not to say that I am against an effective military infrastructure that can be used to defend our democracy and protect against its external enemies and also - to be totally clear - if a democracy decides to send its armies to a faraway country it should do so openly and strongly. We should never send our soldiers somewhere to be slaughtered because  their operational freedom is too limited for the war theater they are finding themselves in - and conditions can change over time. So this means that the army should have all the powers it needs to defend its networks and cyberinfrastructure just the same way it defends its bases and infrastructure in their country.

    But this does not mean that the army should take over the securisation of the national internet beyond the defense of the critical infrastructure and without the necessary democratic oversight. This does not mean that by starting a turf war with the intelligence services for those cybersecurity funds the result will be that neither can do a good job because both are getting too little for all the tasks they think they should be doing while affecting too much to those jobs they shouldn't be doing. Intelligence is something different from national military defense and is as important. Because both jobs are so important they should be clearly limited and defined and they should have the appropriate institutions, funding and oversight and should cooperate without trying to outsmart each other. If all the funding for cybersecurity that the US is now preparing to invest would be invested wisely and without overlapping projects or infrastructure the US would have no problem defending its national critical infrastructure and its international military digital networks. The series in the Washington Post show otherwise. The problem with big countries is that they can spend so much money in defense and intelligence that it sometimes doesn't seem to matter. In Belgium we will have to define clearly the different roles and responsabilities so we can spend the limited resources more wisely.

    Having said all that - to make clear that I am not against the army or intelligence services and the role they are playing in our democratic societies if they follow the democratic rules and accept the democratic debate. And that I don't want to limit their responsabilities and resources for the cyberdefense of the infrastructure they are to be held responsable for. And as a last thing - I also think that some military form of organisation, structuring and command of the cyberdefense of a country can make it easier to respond fast and effectively against attacks and follow up faster against vulnerabilities (even if the army in its history hasn't always been a good example of taken adequately risks and vulnerabilities into account). But this doesn't mean that the army has to take over the cyberdefense of a country as a whole.

    Cyberwar is not the right ideology for cybersecurity because war is an extreme situation in which real destruction and chaos is around us and the army is in fact the only institution capable of keeping up the appearance of organisation and decisionmaking. It means that in wartime the whole society becomes militarized and democratic oversight is just very limited.

    Cybersecurity should in fact be the defense of our democracy, free speech and freedom of organisation and creativity. We should be using internet like we use electricity, gas or water. Somewhere there will be organisations controlled and funded by society who will do everything to keep it as clean and safe as possible. They will not control how much we use and for what reason.

    to be continued

     

     

     

  • get free "compromised hostinformation" for your network, hostingplatform or ASN

    The shadowserver foundation is made up of volunteers who run a network of honeypots (you can add one in your network) They were and are the motor behind the cleanup operation of some major virusoutbreaks.

    You can get now for free incident reports for your network, ASN or hosting platform. Some may be false positives but if it helps you pulling down some compromised hosts or services you should use them if only to stay on your guard.

    The Shadowserver Foundation is pleased to announce the formal rollout of our ASN/netblock alerting and reporting service.

    This reporting service is provided free-of-charge and is designed for ISPs, enterprises, hosting providers, and other organizations that directly own or control network space. It allows them to receive customized reports detailing detected malicious activity to assist in their detection and mitigation program. Shadowserver has been providing this service to many subscribers for over two years, and currently generate over 4000 reports nightly. Since the response to this service has been extremely positive from our consumer base, we now wish to make it more widely and openly available.

    The reporting service monitors and alerts the following activity:

    • Detected Botnet Command and Control servers
    • Infected systems (drones)
    • DDoS attacks (source and victim)
    • Scans
    • Clickfraud
    • Compromised hosts
    • Proxies
    • Spam relays
    • Malicious software droppers and other related information.

    The Shadowserver Foundation filters data received from its worldwide sensor and monitoring networks and employs an analysis engine to classify the attacks. It then sorts this data according to ASN, netblock, and even Geolocation. Detected malicious activity on a subscriber's network is flagged accordingly and is included in daily summarization reports detailing the previous 24 hours of activity. Reports are only sent upon detection of malicious activity. These customized reports are made freely available to the responsible network operators as a subscription service.

    How to request service

    To request a free subscription to The Shadowserver Foundation's ASN/netblock reporting service, send an email from your organization's email account to admin *<at>* shadowserver.org

    Please provide the following information:

    • Name
    • Organization
    • Networks of responsibility by ASN or CIDR
    • Email address(es) of the report recipients
    • Contact information for verification

    The Shadowserver Foundation is an all volunteer, non-profit, vendor-neutral organization that gathers, tracks, and reports on malicious software, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malicious software.

  • Belgian criminal investigation in moneymule operation finished after two years

    The Belgian justice has finished an investigation in a moneymule operation that took 2 years. It is now closed and the prosecutor has released some details.

    He was surprised about the number of victims and the sums that the Russian crimitnals were harvesting. Those were millions of Euro's. The leaders of the organisation were not identified (even not after 2 years)  The small moneymules will be prosecuted. Small frey.

    The trick was to transfer only small amounts of money instead of emptying accounts. The adnantage was that most banks and financial institutions didn't bother to file an official criminal complaint. They aren't obliged to, even if it would be anonymous.

    The virus was responsible for a man in the middle attack. When the virus saw that a user was logged on to a bank it popped up a securitypopup asking the user to login again because of some problems. This way a small amount of money was transferred to the account of a moneymule. They afterwards transferred the money to their ringleaders and kept a small percentage.

    Several banks have already given their users/clients a free antivirus and refuse access if there is no updated antivirus on their systems. This may not be perfect, but it limits the risks.

    http://www.standaard.be/artikel/detail.aspx?artikelid=DMF20100724_014

  • Frontpage article in De Standaard about Cyberwar (and me in it)

    De btandaard was preparing an article about Cyberwar after having read the new book about it by Clark.

    It was published today with on the frontpage of De Standaard a great title 'The enemy is on the internet, cyberwar'. A better attentiongetter can hardly be imagined.

    De Standaard is an important newspaper in Belgium and is read by decisionmakers all over the place. It has also the last year made several times place and time for the different aspects of cybersecurity (or lack of it) in Belgium.

    http://www.standaard.be/artikel/detail.aspx?artikelid=T72T70HA

    Some important points were made

    Everything that is digital can be read or intercepted (not alway very easy to do but with enough  and creativity everything can be broken)

    There is no cyberwar but there are coordinated attacks during the course of wars or civil disturbances against different parties. It is very hard to prove that those attacks are directly linked to a government. Cyberterrorism is now mostlly limited to propaganda and by terrorist groups.

    THe cybercriminals are much more sophisticated than before, make a lot  of money and have all the time of the world. The cyberattacks themselves have become much more sophisticated than ever before.

    It is quite dangerous to link SCADA systems (water, electricity, transport and industrial processes) to the internet as they don't have the necessary degrees of security in their code and networks.

    Some interesting points were made

    The Belgian army has now a cyberdefense team (of 4 people sic) who try to defend the networks. It seems the networks have been hit so hard by attacks last year that there was no choice.

    4 Belgian servers were used to attack South Korea last year when it was under a big cyberattack presumably by North Korea (who denied everything)

    More than 1 million Belgian creditcards were blocked last year because they were compromised

    The police estimate that about 68 million Euro was stolen online from Belgians last year. Only a fraction of that was declared to the police (as the banks and eshops prefer to pay the damage to keep their reputation intact).

    There are for the moment some criminals investigations under way for Cyberespionage against Belgian enterprises in which commercially important information was stolen.

    The Belgian cyberarmy has the official permission to hit back at an attacker (something quite dangerous in Cyberspace where you never know who is behind which server or uses it as a proxy)

    And to end with the following hard to understand situation in Belgian

    For the moment nobody controls the security of private utilities and there is no coordinated effort between the different securitycells throughout the official and private infrastructure.

  • more than 50.000 links and feeds and tools at your disposal here

    You can find online tools and virus- and exploitwarnings here

    http://www.netvibes.com/mailforlen

     

    You can find permanently updated ITsecurity tweets of all kinds here (twitter)

    http://www.twitter.com/mailforlen

    and have a look at the collection of securitytweets that are categorized

    like security - viruses - exploits privacy

     

    You can find here a collection of about 50.000 links to ITsecurity and other stuff

    http://www.diigo.com/user/mailforlen

    and have a look at itsecurity - privacy - Freeware - Documents or any of the other lists

     

    Some feeds in my Google Reader have become public (with RSS feed)

    - securityblogs

    - security headlines

    - copyrights

    - privacy

  • high number of incoming DDOS attacks in Belgium

    source Arbor networks

    this doesn't seem much but is much more than 'normal'

    THis is for today - but it is the case since several days

    We are in the world one of the preferred attacked countries for the moment

    bo28.jpg

    and those attacks are mostly directed against Leaseweb and Belgacom - or some sites that are hosted there

    bo29.jpg

     

    Inbound Attacks 39
    Outbound Attacks 0
    Maximum packet rate 112.80 k pps
    Maximum traffic rate 38.80 Mbps
    Attack class Misuse: 39
    Attack subclass DNS: 1,
  • new series of .be sites with mistakes

    we went through our listing of 2009 of googledorked websites .be domain

    those who still have a problem will be published here

    http://www.diigo.com/list/mailforlen/list-201007221439004

    the feed for the new ones is here

    http://www.diigo.com/list/Mailforlen/list-201007221439004/rss.xml

     

    some of the sites that show how they are programmed are

    cinergie.be

    Index of /admin naturalsciences.be

    server info vie-privee.be

    ombudsdienstpensioenen.fgov.be/ under construction page

    Index of /wp-content/plugins vrt.be VRT.be

    saferinternet.be

    and a whole lot of other sql errors that show how the database is programmed

     

    normally you shouldn't show any mistake to the visitor (or the searchengine) and if  there is a mistake a message should be sent to the programmer and the user should be redirected to the homepage or see a 404 error page with excuses and that a mail has been sent and that one will correct it as fast as possible.

    more Google dorks and sites will follow from now on from time to time

  • spaminserting script for sites

    This is the script that is used

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>Best Searches</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <link rel="stylesheet" type="text/css" media="all" href="http://find.gl/js.css" />
    <script>
    function init_aw(){
    var children = document.getElementsByTagName('td');
    var l = children.length;
    var ri = 0;
    for(i=0;i<l;i++){
    if (children[i].className=='ac'){
    children[i].onmouseover=function (){this.className='ach';};
    children[i].onmouseout=function (){this.className='ac';};
    children[i].onclick=new Function('document.location="' + results[ri][3] + '";');
    ri++;
    }
    }
    }
    </script>
    </head>
    <body>
    <script src="http://find.gl/js.php?qr=3&f=h&q=-trunk%20-viewvc%20-CVS%20inurl%3A%20site%3Abe"></script>
    <script>document.onload=init_aw();</script>
    </body>
    </html>

    and it is inserted here

    joomla1013/mambots/editors/jce/jscripts/tiny_mce/plugins/style/langs

    So if you have joomla you should be sure that nobody can insert this kind of script and add pages


  • what happened to the .be sites that were hacked in 2009 ?

    We had a listing of .be sites that were hacked in 2009 and did a check

    what is the situation now

    * only very few are still hacked (we didn't say they aren't hackable)

    * many of these sites went offline or were sold to spampages or just went dead

    * when they were online most had already blocked the page that was added

     

    this seems good but

    * it was 2009 the situation is far worse with sites that were only hacked recently

     

    but as long as they can't get fined or fired for it

    who cares ?

  • new feed with hacker googledorks (find hacked sites with Googledorks)

    So we were playing with the Googledorks to find Belgian hacked pages and instead of throwing those out without any Belgian victims, we thought, well keep them for the other guys.

    The Googledorks for hacked pages are the following

    * specific terms and codes

    * specific sites and emailaddresses

    * specific names of persons and groups

    with hacks the last year

    Not all hacks are active but as long as administrators don't ask Google to go back and give a fresh look at their pages they will stay in Google as hacked untill they come back (which may be never because the page was added to the site)

    http://www.diigo.com/list/mailforlen/all-hacked

    The RSS feed is here

    http://www.diigo.com/list/Mailforlen/all-hacked/rss.xml

     

    If someone has an idea or program to insert those and new ones to fetch

    * the links

    * the description

    * check for doubles

    * let people search by domainname or domainextension

    * put a geolocation on it

    let me know (mailforlen  at  yahoo.com)

  • the example of blackhat SEO script inserted in the code of a page (not visible on the page)

    This is the kind of insert in a page to insert porn and other spamlinks in the searchresults of a page without showing them on the page itself

    the other problem one may have with this is that if this is possible, what else

     

    <div class="pr-seo">
    Tedavi yontemleri ve diyet ile <a href="http://www.zayiflamaturk.com" title="ZAYIFLAMA">ZAYIFLAMA</a> bilgileri ve makaleleri icerir.
    Turkiye neler oluyor bitiyor <a href="http://gztlr.com" title="gazeteler">gazeteler</a> mecramiz ve medya takip merkezimiz ile emrinizdeyiz
    <a href="http://www.universitesaglik.com" title="universite saglik" target="_blank">universite saglik</a>
    <a href="http://www.trmedicaluniversity.com" title="medical university" target="_blank">medical university</a>
    <a href="http://www.bestofuniversity.com" title="best of university" target="_blank">best of university</a>
    <a title="hepsibende.net" href="http://www.hepsibende.net/" target="_blank">hepsibende.net</a>
    <a href="http://www.oyun4.org" title="oyun">oyun</a>
    <a href="http://www.maxivid.com" title="müzik dinle, mp3 dinle">mp3 dinle</a>
    <a href="http://www.kingfilmizle.com" title="film izle">film izle</a>
    <a href="http://www.video.muzik23.net" title="video izle">video izle</a>
    <a href="http://www.mp3muzikdinle.org" title="mp3 dinle">mp3 dinle</a>
    <a href="http://www.tr-redline.com" title="e30" target="_blank">e30</a>
    <a href="http://www.kanaldfan.com" title="Kanal D Dizileri" target="_blank">Kanal D Dizileri</a>
    <a href="http://www.gunceldurum.com" title="haberler" target="_blank">haberler</a>
    <a href="http://www.dewaweb.net" target="_blank" title="video izle">video izle</a>
    </div>

    and so Google thinks that these pages have more links to them and are more trustworthy and popular and all the rest

    security is quality

  • follow the real-time distribution of newspapers by AMP in Belgium online

    I don't think this was the intention

    Their website is just totally open  index of/admin (one of the oldest Googledorks around)

    This is what you see

    bo26.jpg

  • sites from bisdom, and some newspapers, politicians and villages and universities spaminfected

    In some sites it are just forums or other interactive services without much security that are abused because they have no word, script or linkfilters or any other security

    In some cases it are just blogs that are made on free blogservices and that are filled up with crap and than forgotten

    Sometimes it is a script that is added to the site. An example is this

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>Best Searches</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <link rel="stylesheet" type="text/css" media="all" href="http://find.gl/js.css" />
    <script>
    function init_aw(){
    var children = document.getElementsByTagName('td');
    var l = children.length;
    var ri = 0;
    for(i=0;i<l;i++){
    if (children[i].className=='ac'){
    children[i].onmouseover=function (){this.className='ach';};
    children[i].onmouseout=function (){this.className='ac';};
    children[i].onclick=new Function('document.location="' + results[ri][3] + '";');
    ri++;
    }
    }                                                             
    }                                                                 
    </script>                                                         
    </head>                                                           
    <body>                                                            
    <script src="http://find.gl/js.php?qr=3&f=h&q=hack%20warez%20porn%20mp3%20site%3Abe"></script>     
    <script>document.onload=init_aw();</script>                       
    </body>                                                           
    </html>

     

    some 48 sites can already be found here

    http://www.diigo.com/list/mailforlen/hacked-for-spam

    We have among them

    bisdomhasselt.be porn

    videos.lalibre.be porn

    vrouwenonline.be porn

    porn site:fgov.be

    environnement.wallonie.be porn

    site:isabelledurant.be sex or porn

    and so on and so on

    so please clean your stuff up and filter what is being placed on your blogs (no code, no links and block certain words) if you need those comments and links after all. Most of the time you can preview them before publishing or block your site from accepting any comments after a certain moment in time.