well someone asked me how to keep track of everything that changes on a website
and then I told them that Google is the researcher's best friend
because so many documents and so much information are put online before they become public
that with a few google tricks you can find them from the moment they are online
today some friends of theirs said in the press that they were against the new plans of the Harbor of Antwerp and told the press that they were very unhappy about the way the plans were being prepared without any popular or democratic consultation
how did they know ?
well it was already all on the website
not even on a closed extranet and not even with a password
just there for anyone to find if they could fill in the right search tricks in Google and knew what to look for
it is not because it isn't on the front page of the website that it isn't on the website....
links that the bank-stealing facebook worm uses to infect users
do not click on a picture of two blondes
well in fact be always very careful on which links you click on facebook
they said that they had now all necessary security in place
hxxp://www.offi sense.co.il / lang / b.exe
hxxp://www.bacol odhouseandlot.com /
always log in to facebook by typing facebook.com manually in your browser, period
do this also for other important services
clicking on links in mail or on websites is not very intelligent if the service is very important to you
these are dangerous sites and it is also very strange that people can buy sites with the word facebook or a variant of it without having any rights on the name facebook, and that some of the domains are part of a European domain extension
every year a whole bundle of very expensive paper (or trees) is wasted on so-called reports based on so-called interviews or surveys with very knowledgeable people about cybersecurity or one aspect of it
for pwc fraud prevention and fraud detection are very important, so the whole 'survey' is written as a kind of promotion folder to promote fraud prevention and the other services they offer.
the fact that they do it every year doesn't prove a thing, and that some professor comes along to give it some 'scientific' worth doesn't change a thing
it is publicity and there is nothing in it worth spending time on, and there are a hundred questions one could ask about the way the questions are asked or why only some aspects of cybersecurity are taken into consideration while others are totally forgotten
but for laughs, some of the conclusions
Fraud, the fraudster and the defrauded
• 34% of respondents experienced economic crime in the last 12 months (up from 30% reported in 2009)
• Almost 1 in 10 who reported fraud suffered losses of more than US$5 million
• Senior executives made up almost half of the respondents who didn’t know if their organisation had suffered a fraud
• 56% of respondents said the most serious fraud was an ‘inside job’
• Suspicious transaction monitoring has emerged as the most effective fraud detection method (up from 5% in 2009 to 18% in 2011)
• Organisations that have performed fraud risk assessments have detected and reported more frauds.
• Cybercrime now ranks as one of the top four economic crimes
• Reputational damage is the biggest fear for 40% of respondents
• 60% said their organisation doesn’t keep an eye on social media sites
• 2 in 5 respondents had not received any cyber security training
• A quarter of respondents said there is no regular formal review of cybercrime threats by the CEO and the Board
• The majority of respondents are not aware of having, or do not have a cyber crisis response plan in place
game: find the biggest contradictions between the two lists of results, knowing that a majority of the respondents were management of some kind
yeah a real party :)
things to have fun with
or wild things that happen at a party :)
if you have stuff for the party (belgian stuff that is)
you can mail it to me
as you see - things are already arriving slowly
you don't have to hack the UN server as the teampoison crew did for the birthday of their crew leader
sending an ecard is also nice (without a virus this time)
for those who are nervous, I am not a hacker and not lulzsec or antisec
but I am pissed off about the general insecurity of the belgian networks and websites
so the time of the omerta is over
every announcement to the cert.be will have its time-limit
just that you understand
the FCCU is arresting young Belgian teenagers who are hacking or trying to hack from their own PC at home
(they would do better to recruit them for other Belgian state services, like they do everywhere else in the world .....)
for those who have forgotten
1 million visitors at belsec
around 1 million at the others
10 years in ITsec professionally
the information has been sent to the cert.be
for those who know where to search my resources they can find the list and file
it shows once again that only double identification (no, the eID is NOT ready for this, sorry) will have to become the norm - but more about that next week during the #belsecparty (as if this ain't already a party :) )
it shows that nothing is totally secure and that in important and big infrastructure without strict monitoring and policies there is always something that isn't followed up as it should be
it shows that every organisation should have a policy for the case that some of its users use their passwords online or some of its infrastructure (with member accounts) is leaked online
in this case the victims will have to change every password that looks like their leaked password for every online service, and their administrators will have to cut all access to external resources as long as they aren't sure that every interaction with that account is normal
what is strange is that Teampoison is normally the anti #antisec #lulzsec man, because he tried everything to dox them, to leak information about them and to bring down their servers or websites
You can follow that kind of discussions and actions at twitter.com/mailforlen: look in the lists and take the first one, 'leaks and dumps', to which you can subscribe (and should subscribe if you are in intelligence or security). If you think I am missing some twitter accounts that are essential (and do more than only retweeting or bragging without doing something) you can send them or tweet them to me for inclusion
it is normal that teampoison has hacked the UN, because he seems more like the right-wing, anti-islamic, anti-liberal patriot shoot-first-and-ask-later type of guy for whom the UN is probably part of a conspiracy.
hacking, DDoSing and leaking are just methods that are now available to every nut and activist alike
this is the new revolutionary trend of 2011, and although a lot of people have been arrested or have retired because they fear being arrested, for every 10 arrested there will always pop up a new one somewhere who may make a difference for some time until he also gets arrested
ps the passwords are too short (go to passphrases - long sentences - and that you can do immediately)
the first one being not using Google adwords or analytics
- Don't use Google Analytics or any other third-party embed system. If you have to, create a new account with an anonymous email. At the very least, create a separate Analytics account to track the new domain. (From the "My Analytics Accounts" dropdown, select "Create New Account.")
- Turn on domain privacy with your registrar. Better, use a hosted service to avoid domain payments entirely.
- If you're hosting your own blog, don't share IP addresses with any of your existing websites. Ideally, use a completely different host; it's easy to discover sites on neighboring IPs.
- Watch your history. Sites like Whois Source track your history of domain and nameserver changes permanently, and Archive.org may archive old versions of your site. Being the first person to follow your anonymous Twitter account or promote the link could also be a giveaway.
- Is your anonymity a life-or-death situation? Be aware that any service you use, including your own ISP, could be forced to reveal your IP address and account details under a court order. Use shared computers and an anonymous proxy or Tor when blogging to mask your IP address. Here's a good guide.
#belsecparty Exclusive the list of 1400 Belgian IP addresses infected with the Estonian DNS-changer botnet
this information has been given by Arbor Networks, thanks
this information is the Belgian IP addresses that contacted the new clean DNS servers from the ISC, which intercept all the traffic to the malicious DNS servers of the Estonian gang
these are only the IP addresses that were infected by the malware that was installed by this gang and not by any other variant that has gone out since
the FBI has, together with a group of private and public American and international institutions, groups and enterprises, stopped the operation after a 2-year investigation
These Belgian IP addresses ARE infected with this botnet and need to be cleaned and secured again.
What is the virus
Instead of infecting your machine with a virus that itself tries to visit a website or server, they only change the DNS settings of your machine so that you will never notice that you were infected (if nothing else is being installed). Some variants also left a mark because they disabled the antivirus on the machines.
DNS is one of the most important aspects of the internet because it links the number of the server you are on (the IP address) to the domain name we all know and type. Imagine that instead of typing a telephone number into your phone you typed a name, and the phone connected to a server that looked up the telephone number(s) itself. As servers change often and as websites also change location, it would otherwise be impossible to 'surf' the net.
The DNS servers to use are for this reason part of the settings of your PC, your router and your network. They can be changed at any of those places, except on the server that is authoritative (trusted) for the domain.
Why this virus
It is clear from the description that this is the best way for the underworld to make a lot of money on an industrial scale without having to invest much in vulnerabilities, changing servers and so on. In fact, if you want your victims to go to another server and download or click something, then you only have to change it in your DNS server. This is also what poisoning a DNS server does, where the results for a site are altered (for example the IP address for ebay.be points to a server in Russia and not in the US), but as DNS servers become better defended and monitored this has become harder.
Who can get this virus
One thing that is clear from this virus is that it has been adapted. It works on Macintosh, Linux, Windows and on routers (home routers or network routers). The only thing it wants to change is redirecting all the internet traffic through its own malicious DNS servers.
How can I check if I was infected
If you were online on the 28th of November and you aren't in this list, then that is a good sign
You can also check online with the FBI database
If you are infected, the FBI is looking for victims for its court case against these cybercrooks (who made 14 million dollars over 2 years)
https://forms.fbi.gov/dnsmalware looking for victims
The malicious dns ranges are these
220.127.116.11 - 18.104.22.168
22.214.171.124 - 126.96.36.199
188.8.131.52 - 184.108.40.206
You can find them with the following operations on your machine (for your routers at home and in the enterprise you should look in the documentation).
For networks we would advise you to put these ranges in your DNS rules as blocked and logged, so you can see if any machine in your network has been infected. The best policy is to divert all your DNS traffic to an internal DNS server which forwards all external DNS traffic to some other defined external DNS servers. Bad DNS traffic should be logged or sent to the firewall for closer examination.
It is also not a bad idea to install Wireshark or another network traffic monitoring tool and to look for infections. Machines that are infected will probably also be infected with other malware or botnets.
check DNS settings on Windows: open a command prompt and type "ipconfig /all" and then check the DNS Servers field.
check DNS settings on a Mac: choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.
check DNS settings on Linux: cat /etc/resolv.conf
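Added example (not part of the original post): a small script that reads the resolver settings produced by the checks above and flags any server that falls inside a listed range. The ranges and both sample outputs below are constructed placeholders (documentation prefixes, not the real DNSChanger ranges); paste the post's own range list into MALICIOUS_RANGES to use it for real.

```python
"""Check the DNS servers a machine is configured to use against a list of
malicious resolver ranges.  Constructed example: ranges and sample outputs
are placeholders so the script runs offline."""
import ipaddress
import re

# Constructed placeholder ranges in the post's "first - last" form (CIDR is
# accepted too).  Documentation prefixes, NOT the real DNSChanger ranges.
MALICIOUS_RANGES = """
198.51.100.0 - 198.51.100.255
203.0.113.0/26
"""

# Constructed sample /etc/resolv.conf (Linux): one resolver is in a bad range.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.0.2.1
nameserver 198.51.100.77
search example.test
"""

# Constructed sample of 'ipconfig /all' (Windows): the DNS Servers field can
# continue on following indented lines that carry only an address.
SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.0.2.50
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       203.0.113.5
                                       192.0.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_ranges(text):
    """Turn 'a.b.c.d - e.f.g.h' or CIDR lines into (first, last) address pairs."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "/" in line:
            net = ipaddress.ip_network(line, strict=False)
            first, last = net[0], net[-1]
        else:
            first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range line: {line}")
        ranges.append((first, last))
    return ranges


def resolvers_from_resolv_conf(text):
    """Linux/Mac: the 'nameserver <ip>' lines of /etc/resolv.conf."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def resolvers_from_ipconfig(text):
    """Windows: every value of the 'DNS Servers' field of 'ipconfig /all'.
    Field lines carry ' : '; indented lines without it continue the last field."""
    servers, in_field = [], False
    for line in text.splitlines():
        if not line.strip():
            in_field = False
        elif " : " in line:
            in_field = "DNS Servers" in line
            if in_field:
                servers.append(line.split(" : ", 1)[1].strip())
        elif in_field:
            servers.append(line.strip())
    return servers


def check_resolvers(servers, ranges):
    """Return the configured resolvers that fall inside a malicious range.
    A Windows IPv6 zone suffix like '%1' is dropped before parsing."""
    hits = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s.split("%", 1)[0])
        except ValueError:
            continue  # not an address (e.g. a hostname); nothing to compare
        if any(ip.version == lo.version and lo <= ip <= hi for lo, hi in ranges):
            hits.append(s)
    return hits


if __name__ == "__main__":
    bad = parse_ranges(MALICIOUS_RANGES)
    for name, servers in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                          ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        hits = check_resolvers(servers, bad)
        print(f"{name}: resolvers {servers} -> suspicious {hits or 'none'}")
```

On a real machine, feed it the actual output of `ipconfig /all` or the contents of /etc/resolv.conf instead of the samples; a router's resolver setting still has to be checked in its own web interface as the post says.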
How to clean it
For Macintosh you have this Free tool
For Windows there are a bunch of free antivirus tools like Avast and AVG that will do the job. If you install a firewall you can also make a rule excluding
The Belgian list of infected IP addresses, 28th of November
the IP addresses in Excel were a bit of a hassle sometimes, but you only have to read them as IP addresses (leaving the ,00 out at the end)
the easiest format to download is Excel
Based on ATLAS honeypot sensors.
Scanning belgian computers looking for victims
we will be closing a whole set of websites and blogs here and elsewhere on the web and will be republishing the most interesting stuff that was published over time
and where necessary the links will be checked
so look forward to 'going back in time' and 'being reminded of some things' and seeing how
'so little has changed over the years in so many ways'
you may be surprised and find some interesting articles made up from several blogpostings combined
I don't think that for Belgians there will be another 'Belgian historical ITsecurity' resource like this
more information will follow
tips, research, publications and other things to add at the party are always welcome
in this land where silence is golden
so these Belgian lawyers are hosted in the US and will now see why it is better to be hosted in Belgium, because it will be very difficult to get the logs in time if you go to the FCCU or eCops
secondly they were hosted on older servers and so their webmaster didn't act as a responsible father, and so it was only a matter of time until they got hacked
and how can they now be sure that their information wasn't leaked, that clients aren't compromised or that their communications on and through the websites (and eventually any other linked or logged-in computer) aren't being monitored by undiscovered trojans
yeah, maybe far-fetched, but aren't lawyers doing that too .....
it is all technically possible
linux - apache
anyone responsible there thinks that just taking it offline will be sufficient
any personal data lost maybe
the most leaked accounts seem to be polish or russian
but it is a Belgian domain name and so the question is who is responsible, because as a Belgian website it falls under Belgian law and so under its privacy laws
another question that may be posed is who will inform those Russian and Polish users that their accounts are leaked and that, if they have used the same passwords for other services, they can be scammed and hacked
is it the website owner, who has left no message on its server that they were hacked
and will they be held accountable
or is it the underfinanced Belgian CERT who will have to do that, or contact the Polish and Russian CERTs to contact the users
and now it is only a small number of accounts, but what if we are talking about thousands of accounts
neither the Belgian CERT nor any other CERT nor even most of the web services have put any procedure and the necessary resources into place to respond effectively and fast to these situations
and no I won't show here the accounts because it is the least I can do (it is sunday night and the CERT in Belgium is closed)
why party ?
this year I have been working for 10 years in the security side of IT
this year I have been blogging for 7 years about ITsecurity in general, with close to 3 million visits overall
the belsecblog reaches its one millionth reader after 4 years of serving information seekers for free
the belsecblog has over the last year been working hard to help the innocent Belgians caught up in the LulzSec campaigns and the public leaking of accounts
personally it is my own birthday and some other things to remember
so for 10 days I will party online like
the easiest way to follow the flood of messages during those 10 days, which are programmed to be released every hour of the day, is to follow #belsecparty on twitter from the first of december, or this feed
* get downloadspace and jdownloader
* tell your wife to shut up and give you some time to download stuff
* get popcorn, monster drinks and good deep house or 80's waves or gummy funk or latin hot ladies or cool jazz
* clean your screen and get some boxes
* get a tablet to read all those articles and links to books
* install a second computer ready to use all that securitytest software passing by
* keep an eye on the vulnerable belgian websites passing by
* remember the reposts and releases passing by
* have a look at the hard comments and the setting of the record straight
you can send in stuff as much as you like
anonymity is guaranteed
all releases of new information will be mentioned to the CERT some time before
if you receive a message from the CERT that your network or site has a problem and that it will be released between the first and the tenth of december, you better follow up on it
but nothing will be a direct and immediate danger to critical infrastructure or financials (they have busted their own business already bad enough)
no files are hosted by me and the uptime of files is not guaranteed
the coming week will be quite calm as everything is being programmed for friday to start a week of party and mayhem :) If you know that I am in my forties you know which movements and music influenced me when I was younger and inspired me (it is not for nothing that the Occupy movement is a crossgenerational movement)
although the Belgian ISPs promised that they would secure their infrastructure and their networks themselves if the Belgian parliament didn't enforce the obligation in the new Telecom Law that would oblige them to give every user a free licence for a security package, this doesn't mean that it is done and that they continue to make the necessary efforts
for a few months now we see member pages infected with malware and redirect links
not in huge numbers - but enough to get our attention and to be able to say that it wouldn't be a bad idea to virus scan their own 'userspace' often and block pages that are unsafe for one reason or another
just as an example
security is a dynamic business
every time you think that you have found the solution and that you can protect your environment, the attacks become so different and the way of infection changes so much that you have to look at new solutions and limitations to keep the same level of security
so when the TDL v* rootkits started infecting .sys files, the antivirus and protection mechanisms weren't ready for it
"They infect a different .sys driver on the system at each infection, and when you try to recover the sys file, it will give you the clean file, and that (besides others) is a common characteristic between them"
this mechanism is now, according to the Internet Storm Center, becoming more widespread
the problem is that your antivirus is not necessarily up to date for this
for this reason you will need to use one (or several if you are paranoid enough) of these free tools
the fact that your normal antivirus doesn't show it doesn't necessarily mean that you aren't infected
(this is also a reminder that controlling and filtering your web traffic is necessary if you really want to find infections before they spread or cause havoc)
1) Phishing email contains a link to a website
2) The website contains four links like:
3) Each JS.JS contains a redirection to a final website that contains the BH Exploit kit:
That makes it really easy for the author to update to new websites, and at the same time makes a takedown harder
so in practice this means the following
* you won't have a simple link injection but a script injection in your website
* if you don't look for this kind of scripts it will continue to be dangerous for your users, because even if some of these sites have been taken down or blocked, the attackers can change the ultimate destination at any time (and with some scripting even change it every time it has been blocked or taken down, which we could call fast-flux redirecting; that should be scriptable too and has been used by several viruses over the last years)
this is the reason why you will have to set up a system in which you can log, monitor and alert the security people and/or the webmaster about any non-authorised script inclusion (if they can deface it, they can include such scripts)
you can also filter comments and so on by leaving out everything that is code or scripting and only allowing dumb text (this is the cheapest for comment systems and forums). If someone is interested in the link, he or she will copy-paste it.
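Added example (not from the original post) covering both points above: a monitor that flags script inclusions on a page that the webmaster did not authorise, and the cheap "dumb text" comment filter. The allowlist, the page host and the sample page are constructed; the injected include and inline redirector in the sample mirror the chain the post describes.

```python
"""Flag unauthorised <script> inclusions on a page and render comments as
inert text.  Constructed example: allowlist and sample page are placeholders."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only hosts whose scripts the webmaster approved.
ALLOWED_SCRIPT_HOSTS = {"www.example.test", "cdn.example.test"}

# Constructed sample page: two legitimate includes, one injected external
# include and one injected inline redirector of the kind the post describes.
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script src="http://throwaway.invalid/js.js"></script>
</head><body>
<p>welcome</p>
<script>window.location="http://throwaway.invalid/kit/";</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def unauthorised_scripts(page_html, allowed_hosts, page_host):
    """Return (external, inline): external src values whose host is not on the
    allowlist (a relative src belongs to page_host), plus every inline script.
    Inline scripts are always reported: injected redirectors are usually
    inline, and the site's own inline code can live in an allowed file instead."""
    collector = ScriptCollector()
    collector.feed(page_html)
    collector.close()
    bad_external = []
    for src in collector.external:
        host = (urlparse(src).hostname or page_host).lower()
        if host not in allowed_hosts:
            bad_external.append(src)
    return bad_external, collector.inline


def alert_lines(page_html, allowed_hosts, page_host):
    """Format findings as log lines a monitor can write or mail to the webmaster."""
    external, inline = unauthorised_scripts(page_html, allowed_hosts, page_host)
    lines = [f"ALERT unauthorised external script on {page_host}: {src}" for src in external]
    lines += [f"ALERT inline script on {page_host}: {body[:80]}" for body in inline]
    return lines


def plain_text_comment(comment):
    """The cheapest comment filter from the post: keep only dumb text.  Every
    tag, quote and script in the comment becomes literal characters the browser
    displays but never executes; a reader who wants a link can copy-paste it."""
    return escape(comment, quote=True)


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_PAGE, ALLOWED_SCRIPT_HOSTS, "www.example.test"):
        print(line)
    print(plain_text_comment('<a href="http://example.test/">see</a>'))
```

Run it on a periodic fetch of your own pages (with the real allowlist) and compare against the previous run; a new line in the output is exactly the non-authorised inclusion the post says you need to be alerted about.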
his post has made the headlines in the ITsecurity blogosphere and among the open-source fanatics
and it shows that aside from some very intelligent ITsecurity guys working at Google, there are also some very stupid, ITsecurity-unaware people who really need to be kept as far away as possible from anything related to ITsecurity because they don't understand the basics of it
I can understand that his culture of freewheeling community-based open source is totally contrary to the strict and controlled environment of secure software (open-source or not), and I agree that such an environment is necessary to learn, test, experiment and try, but these environments are not made for critical things and important data and in many cases shouldn't even be promoted as such on the web
when I start open-source projects I want business support, I want frequent updates and documentation, I want standards and guidelines and I want a way to coordinate and control everything that is happening in them (even if I wouldn't use them for anything too critical)
security is not about open source against closed source, it is about the source and the procedures that you use to keep it safe from the beginning and how you would close and fix security and other issues as fast as possible
both open source and closed source have over the last years given the best and the worst examples of security and mistakes, and the whole discussion about open source being better because it is open source is just as stupid as linux against windows and apple against windows, even if that discussion is back in full force after his posting
which is a pity, because we shouldn't lose any time on that kind of discussions: in the end any company or software will arrive at the same conclusion, that there are no thousand different ways of staying secure and of informing and helping your user base, and that the techniques and procedures that Microsoft has used and tested over the last years are the best experience around (which is why for example Apple hired Microsoft security staff to re-organise the security of its products).
and the same goes for the mobile environment: there is nothing magical and nothing exceptional about mobile code and OSs, and people aren't more security-wise because they are mobile; they can be ripped off and scammed just as easily (if one reads the articles about mobile malware in Asia, where many more people have their internet connection through mobile devices). The problem is that the mobile internet finds itself in the same situation as the internet before around 2005. There is no security coordination between the service providers, no security installation on the networks, the app providers don't have the same security standards and there is no CERT (not in Belgium) for mobile networks or mobile malware.
but with your mobile you can now pay for a lot of services, you can transfer money and you get tens of texts at your cost that will cost you a lot to stop them from sending you such texts, so your mobile has become your computer (except if you take a separate mobile only for your online payment and money transfer business).
if Android is for the moment winning the war (even if the popular press is still Apple-hypnotised) because it is more flexible and has less control over its apps and installations and so on, it can lose the war in a few months or years from now if it doesn't secure its environment and its apps better, because victims will start to complain, governments will start to look into the matter and press articles will start to have an impact, and at that time someone very high up will ask
who is that stupid guy who said that we didn't need any security and that it would work itself out, and is he capable of repaying the millions or billions I have lost today (a security budget should be at minimum about 7 to 10% of your total project budget)
security is something no one needs to think about: it should be there from the beginning, be adapted over time and still be protective for 99,99% of your clients all the time
all the rest is ideology, and that has no place in this industry
you can also wait until the mobile operators start securing their networks or the mobile producers secure them, but they will wait until the politicians react, and they will only react when there are enough victims, and then it is nearly too late
so Chris, I hope you don't have much leverage in Google, and the less you have to do with security the better
in what is a perfect example of how an IT black-ops could try to derail an international political event (like an international congress about very important measures against the warming of the earth, with enormous business interests at stake), hackers released a few years ago emails from the scientists responsible for writing most of the scientific reports that support immediate drastic action, and wanted to prove that they were in fact manipulating world opinion, the press and the political leaders.
it maybe didn't have an immediate dramatic effect, but I am sure that thousands of work hours have been spent by all kinds of people to handle the immediate and long-term effects of the hacking and its after-effects.
so just before another international conference about dramatic international agreements on what to do with the changing climate (as if we don't see it happening with our own eyes), another part of the database of stolen emails from 2009 was released (and hyperblogged about by the conservative and pro-business web campaigns)
the total set of emails is more than 200.000, which are encrypted
the total set of emails that are now leaked is around 5000, and out of that set only a few fragments have been quoted and sent around (referring for the full versions to a zipped file on a Russian server - which doesn't mean that they are Russians, because anyone who wants to hide their identity looks for a country like Russia to host their criminal files, although it shows that the Russian authorities do not totally disagree with the actions, because otherwise they would have shut down the server as they would do with their own democratic opposition and free press).
so this is a clear example of what an info-ops is: an operation with clearly set information goals in the information war about your minds, as they would say
just to remember, the reports about the incidents and the emails in question have cleared the scientific discussions that were held in the emails, but had some questions about the appropriateness of some political and PR remarks, and rightly so
it also shows that they have now better secured their email server, because otherwise they would have released new files (or their paymasters didn't want to pay the necessary sum to set up such an operation)
This made me look for other "pastes" by pr0f. What I found:
More Simatic HTML (not clear where it comes from)
A Vacuum gauge configuration file from Caltech
A control system from smu.edu. Looks like power generation to me, but may be an experiment, not production
Another paste, showing the (pretty good) password for a Spanish water utility, has since been removed.
this doesn't mean that these systems have been hacked: they have been attacked or scanned and information about them has been published, but that doesn't mean that control over the infrastructure has been gained and maintained by the hackers
it doesn't mean that cyberwar and the militarisation of cybersecurity are necessary
it is more necessary that critical infrastructure is NOT linked to the internet; it should have its own closed networks and bases