• ssl tsl 1.0 attack - facts and details that matter

    First the targeted website should have a xss vulnerability (so for those thinking that xss vulnerabilities are just stupid mistakes that shouldn't be taken seriously, it is proven again that every vulnerability can become a big vulnerability if it is combined with other 'small' vulnerabilities or mistakes). Eliminating the xss vulnerability makes it harder for this kind of exploit, but maybe other ways will be discovered, who knows.

    Financial websites, online shops and other sites with personal or financial information shouldn't have any xss mistake.

    If you are securitywise you activate the xss alerts in your browsertools

    secondly it is a middle in the man target which means that there should be possiblities on the client pc or on a part of the network to intercept all the traffic. Hardening the network between the clients and your server (control your own dns servers for example) and making explicit securitydemands on client PC's who want to log in are two ways to limit the windows of opportunity.

    thirdly the victim will not see anything - no alert - nothing. so awareness will not help you.

    fourth you will have to update all the browsers in your network to the latest version (and sometimes you will have to change to another browser if you can't update the os (xp to 7). Which means that the number of users of Chrome (fixed) and Firefox (coming weeks) will increase because of that. Even if you should have updated to windows7 if you are still on xp.

    if you aren't ready to do that (because some internal applications are specifically build for older versions of IE, you can do the following (with some scripting on all the machines)

    "If you do want to change the cipher defaults, in Windows world, you will need to make some registry changes. 


    This key and subkeys control how the ciphers are used.

    This article http://support.microsoft.com/kb/245030 explains how to change protocols and weak cyphers (make sure you test in a test bed first).

    Microsoft is preparing a specific update to be released soon.

    fifth if are developing a website it is better to seperate http and https sites totally and not to mix http and https contents and functionality on the same site. Don't look so surprised, I know most banks and sites do this, but this is a known major vulnerability that constructs a window of opportunity for attacks like this one.

    smart sites put everything now on https and put an ssl-accelerator hardware before or on their hostingplatform

  • #antisec dumping accounts (passwords and logins) from infected keylogged computers

    most new viruses will install a keylogger on the machine to intercept all logins for accounts

    these are afterwards sent to central computers (botnet command anc control servers) where the most useful are chosen and distributed

    on pastebin.com there are now files that are clearly from keyloggers

    the have the site the person logged in and the logins

    the name of the computer and the version of the browser

    sometimes several logins for different sites for the same computer



  • Canadian governmental offices seperating intranet from internetaccess

    Today, the Department of Finance and the Treasury Board are still limiting internet access to their workers. Employees take laptops to Ottawa coffee shops, or work from home.

    The departments now have separate computer stations on each floor — systems that are not part of the government’s computer network.

    That’s where workers can go to access websites they need for research and policy work. If those computers are taken, people do their surfing at a coffee shop.

    no this doesn't mean that you have to go to a coffeeshop to get internetaccess - and have a man in the middle attack or a rogue access point - but yes, the basic idea is that internet and intranet are two different networks that are isolated from each other if security needs it

    you may even not need it for your whole administration but for the most critical offices this wouldn't be a bad idea at all - if you have very safe - tranportpoints (computers checking everything that goes on the internet or the intranet)

  • if you aren't smart enough, don't try to start hacking

    the problem with most of the guides and tools online is that they give the impression that anyone can hack and that anyone can do that with impunity

    this is not the case

    In Belgium for example, all important hacks by Belgians have been resolved and even if they haven't gone to trial, the hackers had their time at the police station, with the lawyers (with their parents) and a number of conditions they have to abide (if they don't want to risk jail or a trial).

    the message that the police services are sending by arresting those who have been participating in any role in the antisec-lulzsec campaign (one of the most important hacking campaigns ever) is just that

    if you want to hack us, be preprared because we are prepared to go all the way and use all the powers that we have to find you and bring you to the police or to court

    take the story of this arrested american lulzsec member

    for one reason or another, this excellent student who has a beautiful career and wage before him decides - out of curiosity - to participate in the Lulzec actions

    off course there is nothing as fascinating probably as being in somebody elses infrastructure and learning what they have done right and what is totally wrong and why and yes you really need that critical attitude to go further than the books and lessons in IT and yes some firms like some hackers for that and sometimes they are also given high wages and fascinating missions (or is it only in the movies)

    but no, no firm will have trust in somebody who has been arrested because he has participated in the Lulzsec campaign because you never know when the guy is going to flip and switch again to the 'other side' for any reason (divorce, depression, doubts - the 3D's of internal personnel danger).

    the only firms that will hire these 'low-level' hackers or supportive elements will be those who are working in the grey-black markets of intelligencegathering and cyberoperations for firms and organisations that can't do it themselves for some legal reason

    so if you wanna hack, hack syria for the moment, but if you want to hack in the western countries be sure you are more anonymous than Anonymous, more clever than the FBI and you talk less about yourself than about others and you have learnt a lot from the film 'enemy of the state'.

    it is hard work, it is lonely and there are no rewards at the end of the line, there is nothing mysterious or superior about hacking, it needs long hard lonely work and discipline


    for the record : this blogger doesn't hack anything and never will (we are the red cross, we bring the boats in for repair that have already been hacked or indicated as the next possible victims)

  • #opPhilippines started by experienced hackers


    the operation is being done by https://twitter.com/#!/BlackHatGhosts

    they aren't the kind of script kiddies running around

    they scan and look around, chose the best method and than dump the files they find online (mediafire.com mostly)

    If you have connections or sites in the Philippines than it is time to watch out. The mistakes you can't make are

    * sql injection

    * xss

    * weak administrator passwords

    * directory surfing

    * non patched servers and applications

    normally any professional securityfirm will be able to help you with that and if you test your site with snort than you can more or less be sure that 90% will be found (and have to be fixed afterwards)

    and if you can't fix it, close the site for maintenance, if you want a good time to do this, it is now

  • unsafety of the cloud : thousands of websites (not 700.000) defaced with one attack


    this is why dedicated hosting is important if your website is really important for you (and it may cost a few bucks for hosting instead of peanuts with the monkeys)

    the hacker claims there are 700.000 of them that he defaced but when you download the file with all the sites you will see that the same sites keep coming back and that you could probably speak of a few thousand websites which each had several pages defaced because he claims that he has defaced (changed) all the index.html and index.htm sites. A website can have a certain number of these pages (for example for each subdomain and/or for each category)

    Many of these websites are .be and many of them are ticketssites, webshops and sites with personal information

    such sites should have been obliged by law to have a seperate dedicated hosting

    the hoster is InMotion Hosting network

    and remember this story when they tell you that you are safely hosted on such a big platform because the administrator rights are seperated, because the platform is updated and because they have installed security installations 

    the number of .be sites that were defaced will go up again this monthby adding those 100 new ones

    oh and the system was on Linux and Apache for those who still believe that from the moment you put it on Linux it is going to be safe

    zone-h.org counts 100.000 defaced sites for this action - which is quite possible if you see the doubles in his listing and the cleaning of the data that zone-h.org does

    the defacements themselves are gone but here is an example and if you forget to backup you will have now a white page (even if you are a software company)



  • hidemyass.com vpn service is NOT anonymous Nor safe

    They have given all logs to the Us courts about Lulzsec-Anonymous actions and they have put the following thing on their blog

    Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences. This includes certain hardcore privacy services which claim you will never be identified, these types of services that do not cooperate are more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers."

    don't say you didn't know

    also some proxies are honeytraps operated by police and intelligence services or collectors

    so if you want to stay anonymous, paying for a proxyservice in a real country with real laws and only depending on one (and not using 7 in a row) is what gets you arrested

    already two (h)activists were arrested based on those logs

    in the book the Kingping you can also read that hushmail also cooperates with the police services

    so if you must stay anonymous, you must put up all the work, because it ain't that easy

  • security-engineering, trying to make sense out of the chaos

    as a security professional you are faced with several kinds of chaos that you have to treat at the same time

    * the chaos of all the existing and new applications and networkconnections that are asked for or put into place at the same time, mostly without much coordination

    * the chaos of all the different concepts and strategies and opinions that are published every day and are constantly going up and down in popularity

    * the chaos of all the different security products that are in fact products or functions that you would like to see in products or just plain information services

    the security-engineer has in fact to

    * put procedures in place so he has an overview of what exists (in what state) and what is coming

    * install platforms so every for example Oracle server, php-mysql application, and so on works in the same environment with the same tools for documentatioin, bugtracking en versioning and logging and a way so that every idea goes from test to production to presentation following the same path and the same management

    * integrate several products so that every security-neccessity is taken care off

    and if you don't do security-engineering you will be ruled by the chaos

    it is hard work, I know, but it is the only way to stay in front of the chaos

    and no, there is no course or certification for that, just a load of experience and endurance

  • (belgian event) a practical example of how to protect data in an old oracle server without changing applicationcode

    if you have older applications running on older Oracle servers and you don't want to put up the logging (or you can't) about the use of the data because the application is too complicated or because you don't want to be dependent on the application (or you don't trust it)

    than this practical example at Oracle is yours to follow

    it is a first in Belgium, that installation in a small egov environment

    the idea is that data has to be protected as close as possible as where the data is (not before or on top of it, but next to it, in the Oracle database). Because if you put your monitoring or protection elsewhere, than a leaker has only to put an Usb in the database itself and copy it (your monitoring device before it will always be too late - or can be deconnected).  No totally true but that is the idea

    secondly instead of looking for solutions that try to follow Oracle I look for solutions that are part of the platform so that whatever happens (patches, upgrades) it is part of it and if there is a problem there is only one responsable firm (and not several products blaming each other).

    off course, this is not cheap but it also mean that if you want to do it, than this is the best opportunity to get your data out of your applications, put them on seperate databases and protect those data-databases as if it was Fort Knox (and Oracle has now finally the products to do so).

    This makes it also possible to start thinking differently about data and to treat data differently and probably you can even close down, merge or dramatically change existing applications that are using the same data. Data quality for instance is than the next big thing.

    so if you are in Brussels and have Oracle on the 21st of october

    I will be there, proud of this one (being first in Belgian egov with this)



    if you new Oracle server these Oracle securitymodules are so easy and practical to implement that you wonder why they say people don't seem to understand their use here

    wait untill they will have to pay fines next year when there is a securitybreach ......

    and imagine what woudl happen with your position and your boss if you were in the position of some big webservices that are now going through the auditing and re-securisation process

  • say farewell to tls-ssl 1.0 before friday after which it is broken and attacked


    they use the Beast which is a man in the middle attack tool against ssl-Tls

    they have it installed on a Man in the Middle position (proxy for example - free proxy anyone :))

    when someone logs into a bank (for example) he will receive a cookie and than the beast software that is placed on a machine that intercepts all traffic and forwards it does the following

    * injects code into the browser by an iframe ad that is on the page (or inserted as for example a pop-up by the man-in-the-middle machine) or by injecting the javascript into the browser directly

    * the injected code is a sniffer that will intercept all https traffic and will intercept the encrypted cookies (from the browser)

    * he will grab and decrypt the cookie WITHIN the ssl protocol and has that way the login details for that site and as long as the browser isn't closed the attack can take place (working in another tab. And they would need max 5 minutes to decrypt it.

    It is a vulnerability in tls 1.0 that has been known since long-time but for which no exploit was available untill now and that is the case with thousands of vulnerabilities that aren't fixed because there is no exploit for the moment

    what about your secure webapplications ?

    Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications."


    okay so let's now get down to earth with practical things

    1. For the surfers. Never do other things when you are doing online confidential stuff. Close the browser afterwards immediately. Use the latest version of your software and if you are experienced enough, use noscript and other limitation so that no code can be loaded in your browser. Personally I think it is necessary that browsers develop a 'high secure mode' that will automatically go into high security and will block all things that are not needed to fulfill the ssl sessions. The advantage is also that the secure services can demand that the browsers are set to high-secure mode and with specific updates they can only be updated when you are in high-secure mode.

    2. for the webdesigners : it is much better to have a blanco loginpage with no scripts and no ads than a login that is cluttered on the homepage with masses of ads and scripts

    3. For the server managers : TLs 1.0 may be nearing its end and so it is time to upgrade to TLs 1.1 which may demand some adaption and upgrades in browsers (although it is not sure if the exploit will NOT work in tls 1.1. that is the friday evening or saturday morning question) many online webservices will break down and will have to be updated, but hey that has been coming since long time. If you want to be futureproof you go for the highest standards only and ask your users to upgrade

    and for next week : expect patches, chrome is already patched they say and expect others to follow soon

    oh and for the hype : no ssl is NOT broken and yes ssl is still the best solution it is only that one old version of a protocol of tls is broken, but that is evolution and normal, it is only because nobody prepared for this as they should have done that it will ask a revolution (of updates and patches) to find a solution for this for so many webservices and users.

    but we have gone through the regeneration ssl attack and the patches (not installed everywhere) so we will survive that one for now

  • #diginotar you Must Install this new Microsoft update (attacks ongoing)

    Microsoft re-released Microsoft Security Advisory (2607712) regarding fraudulent DigiNotar Root CA. "Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store."[1]

    The update is available for all supported version of Windows here and via automatic updates.

    [1] http://technet.microsoft.com/en-us/security/advisory/2607712
    [2] http://support.microsoft.com/kb/2616676
    [3] http://blogs.technet.com/b/msrc/archive/2011/09/19/cumulative-non-security-update-protects-from-fraudulent-certificates.aspx


    there are attacks underway which means that some people or regimes are using some certificates to install updates or to intercept logins

    this means that you can't wait any longer if you are living in Holland

    if Microsoft says that they are being used in targeted or other attacks and that it is serious enough to update the millions of users, than you should understand that it is serious indeed

    I told you that we didn't see the end of it

    and what about the microsoft updates ? He can do microsoft updates if he can trick people in installing a new 'microsoft updateclient' signed with a fake Microsoft certificate and sending new updates from a fake server with fake certificates

    this is why you should - for the time being - if you are living in Iran or another dictatorship - get your updates by going to http://update.microsoft.com (and no other) except if he has manipulated the dns server but than you should change your dns to opendns (just to be sure if you are living in that kind of countries)

    and yes, do not install microsoft update or crack microsoft tools with updates - except if you are a security researcher

  • occupy wall street : easier said than done (live stream)

    follow the live stream here http://www.livestream.com/globalrevolution

    it is easier to tweet and make websites than to organize a blockade or sit-in

    and to keep it going day after day

    but what the heck, people from all over the world are paying for pizza's and other shops in shops around the district to be delivered to them to give them a feeling that they are not alone

    at a time when behind the big story of the Ubs disaster there is a whole new scheme of speculation and structural risks that may blow up in their minds (and get more money out of our pockets) because it is just the very same thing as in 2008 (inflated and poisoned in exactly the same way)

    so they have every reason to be there

    at a time when it becomes clear that there are no new stringent rules for the financial sector and that their lobbyists are effectively blocking those efforts

    so they have every reason to be there

    at a time when that money is most of all needed to invest in real industries who create real wealth for real people with real jobs and families - not some virtual numbers on a global monopoly where only the few gets richer

    so they have every reason to be there

  • better than infecting computers, steal the data from the spyeye botnet


    we are seeing the last several weeks account data being published on pastebin that can only have come from keyloggers (who intercept everything you type)

    but now it has become even better

    you can steal all that info from the command and control servers and infected posts with a blind sql injection

    hack the hackers

    and the list of vulnerable servers workposts is here


    in Belgiuim we would like to call the attention to the following two servers who are still ONLINE

    it shows the need for an Europeanwide or international antibotnet team which will have as only occupation to close down or blackhole (dns) botnet command and control servers one by one and be sure that at the end of each week all the botnets have been closed (see this from january and still alive)

    2010-12-24 www.privathosting.eu
    2011-01-27 traffka.eu
    2011-01-27 justcrs.eu
    2011-07-16 capodeicapi.eu

    if the hackers start hacking the hackers than it is really time to start bringing this botnet down

  • #refref was a info-operation in the cyberwars

    this is the news from mysterious sabu (the big knowledgable leader who pops up like Loch Ness from time to time, disappearing afterwards to bring complicated operations to a good end)

    @AnonCMD was setting up a massive DoX of most anonops op’s and anonymous’ members. #RefRef Never Existed. We have taken him over, and he is done. He also used one password for all of his services. Expect a DoX soon, we now have his Twitter and Email.

    so it goes like this

    - I want a list of all active anonymous twitters who are ready to participate in Mayhem

    - let's say we have a super ddos- tool and that you will have to register to get news about it

    - a thing like an 'information-honeypot'

    - and they will be smacked like flees aterwards

    - based on those accounts we can set up listings to monitor and put them in specialized software

    - so from the moment they tweet something interesting we got it and we can analyze it and if it is criminal we get the accountinfo and the history and ask for logins and all the rest we need to arrest them

    - let's try it

    if the info-ops were smart there is no link to some intelligence firm or organisation, if they are dumber than dumb it will be one of a list of failed undercover operations into Anonymous

    but for those who think that they are safe now and can go to sleep again, there are (inspired by refref) new more powerful ddos tools released the last weeks and there is at least an Apache vulnerability with practical exploit that will bring your apache server (half the internet) down in seconds or minutes

    for the simple anonymous clicktavists using LOIC the situation doesn't change, when you use loic you will be found out (or you will have to use proxies) and LOIC is still stupid vulnerable software that can even be used against their own sites (no filter)

    for the anonymous operators who fell into the info-honeypot, it is better to close your twitter account and emailaddress and restart with something else and do it low profile (not : "hey guys I was anon_op_germany and now I am anon_germany_op") do as if it was the first time you are on twitter :) Be a virgin once a while. Be more careful, there are people doing this kind of operations all day long with no budget limits.

  • #diginotar #globalsign comodohacker attacked and scanned others (exclusive)

    we know from internal sources that more service providers in the certificate business have been attacked and scanned by the same hacker

    this was also the case in Belgium

    by the way this shouldn't be earthshocking because he said so himself

    but here is the thing that most seem to have forgotten

    they have checked

    * if someone has made fake certificates

    * if someone had access to the production environment of the certificates

    but in fact - learning from his Globalsign Waterloo debacle and from this internal report

    he scanned all the webaccess infrastructure and code using a limited number of IP addresses (and they can be the same (quite astonishing for a superhacker:)) looking for vulnerabilities, open doors and weak passwords

    so do not look inside your infrastructure, look at every incident between march and now at your external infrastructure (know or unknown) and if you aren't 1000% sure about your internal networkpeople or your external serviceprovider to inform you every time they have messed up or didn't act immediately on such an incident, than you could choose for an external scanner-penetration tester

    it is also clear that you will also need a permanent vulnerabilitiyscanner like Qualisys because every week there are a high number of new ones available for the same code

    a commercial version of snort if you aren't sure how it works (sourcefire)

    and some hightech tests

    you probably need to change your mindset

    * everything on the net is vulnerable some moment in time and will get hacked at some moment in time

    * everything that is on the net need to be strictly isolated from all the rest

    * only presentation read-only things can be on the net, all the rest need to be quarantained in secured environments

    WHO are the other FOUR certificate businesses

    * some will probably have some webserver owned or downloaded or a database injected

    * others may have an ssh or vpn connection owned or penetrated

    * others may have some pc workstations owned inside out (going inside, getting stuff out)

    it is also clear that the ssl business will need some standards, their own cert and securitycooperation procedures  and ways to exchange 'anonymously' information about attacks that are happening (you only need to know which IP addresses are attacking what with which tools, not who they are attacking)

    they probably will need to invest more in security (normally that would have to be 7 to 10% of the IT budget at the least

  • exclusive : how to hack the personal information from a flemish person

    You only need

    his RRN - you can find that on his EID or in many other online transactions

    a mobile phonenumber from Belgium (whatever the number)

    than you go to

    some egovwebsite  (sent to cert.be)

    you go to change password

    you fill in rrn and the phonenumber

    you get new password by sms

    you fill it in

    you have access to his file


    no more information is given to protect the innocent

    oh yes, you have to use a stolen number of one that is only up for some time and anonymous or redirected by a hacked Pbx  and if you search you have to work from a cybercafé or even better through a few proxies (#antisec says you have to use at least 7 of which different from different countries)

  • 10.000 visits from one million visits here - partyblogday expected soon

    yeah, nearly 1 million visits since this blog started

    and without changing the tone of it

    even with stopping now and than

    because blogging is just something you do now and than

    it doesn't make you live

    just a voice and get some respect

    because one million visits without porn, hacked downloads and pirated music

    that is something I have earned with this boring and not for dummies technical securitystuff


    now I have to go on thinking what I will do when it reaches one million

    have a party blog day - like I did already once (musicvids, thoughts and other things you do when you party)

    yeah, I think I will do that

    through this blog, twitter and filesonic

    if your firm wants to give free stuff away that day okay by me (mail me)

  • ALERT important hack for Belgium :www.nweurope.eu

    INTERREG IVB NWE is a financial instrument of the European Union's Cohesion Policy. It funds projects which support transnational cooperation. The aim is to find innovative ways to make the most of territorial assets and tackle shared problems of Member States, regions and other authorities.

    and all of the passwords of its members have been published online

    CERT.be is busy with it

    if you have been a member you have to do the following

    * expect targeted attacks in your mailbox (strange pdf and officefiles in your mail or with links but with very interesting titles)

    * expect more spam

    * if you have used the same password elsewhere, consider it broken and change it everywhere

    the members are from all kinds of institutions and organisations in Belgium and in Europe and the file is still online

    wallonie.be, vlaanderen.be and a whole bunch of others will get an email from the CERT.be soon


    THERE is no notification on the website - even now

    and this for an organisation that is subsidized by the EU that wants to give the whole of Europe a breach notification law (which is great) but meanwhile you can voluntary begin with your own sites - or those that you pay for (to set an example)

  • all these sites are vulnerable to xss (and the direct links are published on the net)

    These are the site and some among them are from firms, universities and so on

    even a securitynews portal



    you may expect to be attacked soon - if you weren't already

    In fact you will have to test whole your site for xss and close all the loopholes

  • tens of websites hacked and thousands of accounts leaked and published (domainnames organised by extension)

    This is the list

    If you are member of one of these sites, you should change the password if you have used the same password somewhere else