the last weeks I have been absent from this blog, but sometimes in your life - and this is a volunteer project for 7 years now for which I haven't earned a cent nor did it advance my career (more the opposite, because it angered too many people :) ) - this is not to say that I am not open to interesting proposals if they can live with someone who speaks his mind and tells things as they might happen (and sometimes do :))
but for the last weeks I have been sick, just like last year, and I had to keep my own health 'under control' and 'under observation' and be sure that I went to the doctor on time and had the right medication on time, because with my asthma a simple bronchitis can develop more easily into pneumonia, and that can have greater consequences for me if it isn't found in time than for a 'normal' person (being in intensive care in the clinic for example - which I nearly was last year)
but it is just as with security: you observe, you control, you keep the facts clean and without interpretation, you record the evolution, you eliminate and you learn the pattern. It is even more like security because here the attacks are hidden behind the continuous state of asthma and colds, so you have to learn to look behind the fog.
with everything we have learnt (the doctor and me) after the two December attacks we are better prepared for next year, and as we were earlier this year in finding the right cause, we will maybe be even earlier next year.
I will be back in a week or so when the medication is not so strong, because now I get tired quite quickly and I seem to hate working in front of a computer because it tires me and I can't keep myself concentrated long enough.
so this blog ain't dead, but just 'on sickness leave'
in the meantime I just want to say thanks to all the people who have since updated their SSL certificates, because I had announced in some back-channels that I would publish listings of bad SSL certificates or absent ones for big banks and online services
I will get back on that in January, as with many other things in the wings
one thing must be clear for 2012 - the time of niceties and compliance and waiting and understanding is over - it is 2012, you have had enough time to clear up your mess and there is enough technology and knowledge on the market - even at affordable prices - to secure your infrastructure and information.
for the rest have a nice party tonight
The last time KPN stopped the production of SSL certificates, in November 2011, it took them 5 days to resume production. The reason was that someone discovered that one of the pages on their webservers had been defaced for 4 years. After an investigation by KPMG they decided that everything was clean and that they could resume business.
Well, that seemed too quick.
Now someone has decided that enough is enough and that they take everything offline and that they will only communicate when they are 100% sure. On one side that is a good decision, on the other side communicating nothing will kill their business before it can restart, because we are talking about virtual trust.
Now it seems that there are two problems.
First a purely internal problem. Most of the official government business of Diginotar has been transferred very quickly to KPN (keeping it within the good old Dutch network) and that business also includes some very new markets (smartcards) for which they didn't seem to have all the necessary expertise and procedures yet. So they made a lot of mistakes in the beginning, and when it became clear that mistakes were being made, they decided to audit every one of them again and revoke all the certificates (mostly for smartcards) that contained mistakes.
This indicates that there is a management and procedural verification problem in the internal process. It will be necessary for KPN to respond to that and to take whatever action and make whatever investment is needed to fix it (while keeping the controls as stringent as they should be).
Secondly there is an external security problem. If you leave your admin control page on an external page you are already taking a big risk (because they could and should be working over a VPN connection to an internal management platform), but when there is no password (maybe there was one but the first hacker changed it - a possibility that has to be taken into account) there are three enormous problems of credibility.
First, it shows that there is no permanent security auditing and control, automatic and by really paranoid security people (trust no one except what you see with your own eyes). Otherwise such mistakes would have been seen by either of them. (use Metasploit for automatic scanning)
Secondly, it shows that there is no permanent automatic and human monitoring and analysis of the logs. If that had been the case, the second hacker would have been discovered the moment he opened several confidential files that were stored on the database server but that a normal admin wouldn't have opened. He also saw that a first hacker had left footprints on the server - so he discovered something the monitors didn't see.
Thirdly, it shows that the security policy inside the network is not paranoid enough for these times and hasn't even been upgraded considerably after the attacks on the other SSL providers (and the news from the Diginotar hacker that two other SSL providers were hacked inside out by him, without naming them). If you read this and you are a Dutch certificate provider and you have been offline for 5 days because of some old hack that has been discovered that you didn't know about, you should go nuts. And if you see that Diginotar goes broke, you should go through the roof, because you should know that if you are one of the two others the chances are great that you can be the next one and that you also can go broke. Maybe someone inside the company is mad as hell now and is mobilizing every penny he still has to get this act together as fast as possible... but it may be too late.
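As an added illustration of the second point (log monitoring that would catch an admin page being served without any authentication, and an account opening customer files it never normally touches), here is a small Python detector. It is not part of the original post and not KPN's or anyone's real tooling; the log lines, paths, user names and the allow-list of accounts that may open customer data are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed web-server access log lines (combined log format style), not from the incident.
# The user field is '-' when the server saw no credentials at all.
ACCESS_LOG = """\
203.0.113.7 - - [02/Nov/2011:10:01:12 +0100] "GET /admin/index.php HTTP/1.1" 200 5123
203.0.113.7 - - [02/Nov/2011:10:01:30 +0100] "POST /admin/revoke.php HTTP/1.1" 200 212
198.51.100.20 - alice [02/Nov/2011:10:05:00 +0100] "GET /admin/index.php HTTP/1.1" 200 5123
10.0.0.5 - - [02/Nov/2011:10:07:44 +0100] "GET /index.php HTTP/1.1" 200 3100
"""

# Constructed file-audit lines from the database server: which account opened which file.
FILE_AUDIT = """\
2011-11-02T10:02:01 user=www-data file=/var/db/customers/gov_networks.csv action=open
2011-11-02T10:02:05 user=www-data file=/var/db/customers/smartcard_keys.txt action=open
2011-11-02T10:03:00 user=dbadmin file=/var/db/customers/gov_networks.csv action=open
2011-11-02T10:04:10 user=dbadmin file=/var/log/mysql/error.log action=open
"""

ADMIN_PREFIX = "/admin/"                    # hypothetical location of the admin pages
SENSITIVE_PREFIX = "/var/db/customers/"     # hypothetical location of customer data
ALLOWED_SENSITIVE_USERS = {"dbadmin"}       # hypothetical allow-list; everyone else is an anomaly

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def unauthenticated_admin_hits(log_text):
    """Return (ip, path) for every successful admin-page request that carried no authenticated user.
    A single hit means the page is reachable without a password and should raise an alert."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the monitor
        if m["path"].startswith(ADMIN_PREFIX) and m["user"] == "-" and m["status"] == "200":
            hits.append((m["ip"], m["path"]))
    return hits


def unexpected_sensitive_reads(audit_text):
    """Return {user: [files]} for accounts outside the allow-list that opened sensitive files.
    The web-server account opening customer data is exactly the pattern a human reviewer would notice."""
    findings = defaultdict(list)
    for line in audit_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # first token is the timestamp
        if fields.get("action") != "open":
            continue
        if fields["file"].startswith(SENSITIVE_PREFIX) and fields["user"] not in ALLOWED_SENSITIVE_USERS:
            findings[fields["user"]].append(fields["file"])
    return dict(findings)


if __name__ == "__main__":
    for ip, path in unauthenticated_admin_hits(ACCESS_LOG):
        print(f"ALERT admin page served without authentication: {ip} -> {path}")
    for user, files in unexpected_sensitive_reads(FILE_AUDIT).items():
        print(f"ALERT {user} opened sensitive files: {', '.join(files)}")
```

Both checks are deliberately simple allow-list comparisons: the point of the post is not clever analytics but that somebody (or something) is actually reading the logs continuously, so that the first unauthenticated admin request or the first unexpected file open fires the same day.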
If the KPN SSL business wants to survive they have to do as Globalsign did and do the following three things:
1. Get online again and communicate about every step you have taken and every step you will be taking.
2. Get external auditors in and give them all the powers they need and let them only report to the CEO and no one else. It is the business itself which is on the line and there should be no discussion about what to do next.
3. Secure the business part by part and go from the inside to the outside. Every part of the inside business that has been secured (or transferred to a secure environment) should go back to normal procedure (which means that it becomes active and delivers service again - once all passwords, rights, access, trusts, links and auditing have been reviewed from scratch or revoked, and are only re-activated after the re-securing process has been finished). The secured parts should be totally separated from the part of the infrastructure that has not been re-secured (also in backup, network links and so on).
This is why leasing contracts for hardware or cloud contracts for immediate new infrastructure are so important as standby contracts on which you can act swiftly.
Every installation that would cost too much money to re-secure, or of which you can never be sure again because it was too deeply compromised, should simply be thrown away. The data (without the rights, code and access) should be migrated to an entirely fresh hardware platform.
There should be a strict isolation between online public information and internal management, between business assets and management tools for external information, and between confidential or secret information and public information.
this is how Globalsign did it
all the other paths are risky and may FAIL
just a last question: who decided in the firm that PHP was a platform that you could use without having permanent controls, checks and updates - because free and cheap software costs much more in security and maintenance. I like PHP-MySQL but it is not cheap in maintenance if you want to keep it safe and updated. You should use it because it is flexible, not because it looks cheap and easy (just like any other open source tool)
okay, you have to sit down and forget everything you have ever believed about internet security and remember that this is a service that should be at the highest level of security, because its certificates create the trust on the internet that is used by all businesses and egov and all the other e-hyped things
so we are talking about a service that you should trust completely, because it gives you the certificates that all your users will trust to be sure that they are on your server and not on one in Russia, for example
this is not a small firm, this is a subsidiary of KPN, one of the biggest Dutch ISPs, and an official provider of official certificates for the Dutch government, even more so after the downfall of Diginotar
It was already hacked once - somebody placed an online DDoS tool on one of its servers - in November 2011, but it went online again after a 'positive report' from KPMG (which proves that security auditing has to be done in real life and not on paper, globally and not locally, and permanently, not only after an incident)
Now a hacker has contacted the online webzine webwereld.nl to say that it wasn't difficult to penetrate their internal systems - even those with confidential information
(are you sitting down) okay, their PHP admin webpage didn't have a password (yes, read that aloud to believe it)
and the internal administrative password was 'easy to find'
but the guy also said that he saw that he wasn't the first one who had penetrated the network, and that he saw confidential information about confidential networks for governments and businesses (as you now also create certificates for servers on internal networks with confidential information) and which PCs they used, with sometimes insecure methods, to manage these certificates (good for targeted attacks)
so the server went offline
it is also clear that since September the number of certificates that have been revoked by the firm has risen dramatically. it is strange to see that when you have to do such a thing you don't ask yourself if there is something wrong, and that they didn't do some audits to find out
virtual trust is absolute or relative and with certificates it has to be absolute
the problem is that if it turned out that thousands of false certificates had been made, or that someone had access to the systems, the trust in all their certificates would diminish and eventually the trust in their capability of providing such services would disappear, and thousands of certificates (of which many by official institutions who fled from Diginotar) would be in jeopardy - and this is not even a Dutch decision, it is a decision that the other operators on the internet may take independently (Microsoft, Firefox, Google etc...)
even if they think that these guys aren't worth the trust because they don't know how to handle their business as it should be (they discovered a 4 year old hack in November, fixed it and then forgot that the main door to their database was open and that all the rest wasn't too secure either)
some firms like Globalsign take such situations as an opportunity to review every detail of their operational and virtual business and they can restart
if you can't do that (and put your money where your PR is) then you may lose that trust quickly
because you can fool the people once (in november) but not every month....
You could say that there is now a moment to go through the articles and debates and to focus on a few concrete points on which further work is possible or necessary
1. Logging and monitoring is necessary, but one has to articulate clearly what is being sent from your computer or networked device to the operator or technical teams. One cannot expect a network operator to upgrade its network without having access to metrics. Those metrics should be general and anonymized so that they can't be used for forensics.
2. You can't have a helpdesk that can answer any possible technical question without having the possibility to get very detailed information about what happens on or with the networked device. This should be provided by already installed software that is able to send test messages and other information - as long as the analysis is necessary - and it should be deleted afterwards.
3. Some jobs will need networked devices that are recording everything, so that in case of a court order all the information linked to that case can be looked through. This is the case for American traders for example. But these people know that this is the case (and the most intelligent won't leave any digital footprints anyway)
So even if we are understanding, some rules have been broken
1. If there is a discussion about your software or your methods or procedures, you should accept the debate and respond to it. It is clear from this incident that the firm is playing with its future by not doing so. Not only did they first try to silence the blogger, but they also didn't respond in detail to the allegations, even though others have shown with some technical analysis of the case that many of the presumptions were too general and too negative.
2. The user of the networked device is never informed of the presence of this tool, what it actually does, where one can see what information is transferred, what is actually done with it and how it is managed.
3. The user has no choice but to accept the tool(s) and the information transfer. On a computer a software company or the OS vendor (Microsoft in this case) asks you if they may receive information if the program crashes or encounters a problem, and you have the possibility to opt out.
4. Even if the software now doesn't really control and record every stroke you type (speaking seems gold), there is no guarantee that this software couldn't be adapted in our countries or by other agencies (with or without the knowledge of its user(s))
5. It doesn't seem that there has been any consultation with any privacy organization or commissioner, and the general technical and legal terminology doesn't seem enough to guarantee the privacy of each user under all circumstances.
Some practical points to keep in mind:
1. Android is an open platform and a provider or phone reseller may do with it whatever it wishes. Maybe it is time to separate Android installations from network or phone resellers, so that you could choose to install a newer version or one that is privacy-proof (from a CD). Maybe Android should also oblige adapted versions to detail online what was changed and why.
This is possible for Apple devices up to iOS 5 (which won't have this software) by turning off "Diagnostics and Usage" in "Settings."
2. The network device was, during its analysis, in debugger state, which is different from the normal state of the device during normal operation and use. Any device in debugger state will record everything that is happening on and with the device and send or record it in as much detail as possible.
3. Some of the information was not recorded by the Carrier IQ software but by Android debugger tools, which makes it necessary to index and control all the tools on the platforms that are recording user data.
4. The software is an integrated part of some Android installations, and removing it or installing an alternative ROM is in the present state dangerous for the stability of your device or software and could open other security problems. Secretive organisations and institutions will have to develop their own Android (I suppose the NSA would be capable of doing this) that can guarantee either full logging or no logging.
5. This particular software isn't installed on Belgian phones or networks as far as we know but more research will be needed.
scribd.com has decided that my 40.000 organized links to books and my 1000 documents were somehow infringing on someone, and so they threw me away (again) (with all the work)
but that is the last time ....... no more uploading to scribd anymore
except if they would have the same rules for everyone (including their OWN staff) and a copyright monitoring software that is decent and would actually discover something worthwhile quickly enough....
if you want to find the listings you can find them here with this Google
for securitybooks (links that is) this is one
http://www.scribd.com/collections/2801760/security2?page=39 (and before and afterwards)
other collections (to help you search where)
business - business2 - business3 - ecology - art - political - political2 - terrorism - international - international2 - fun and practical - fun and practical2 - history - history2 - filosophy - filosophy2 - security - security2 - science
in all around 40.000 links
this is also the reason why scribd.com will never be the youtube for videos
if youtube used the same discriminatory and stupid tactics it wouldn't have the userbase it has
and to make their hypocritical attitude complete, they aren't at all interested in promoting original stuff on their website or have any strategy to do so - a website that is a total mess with a tag system that is confusing
content is king, the rest is stupidity (and they are throwing it away by the thousands)
so our Belgian politicians have started tweeting throughout the day, trying to say things the smart way in 160 characters and looking sometimes very silly indeed
this extreme right wing politician said a year and a half ago that he would go and live in Namibia if Elio Di Rupo became prime minister in Belgium
Elio is prime minister in Belgium
so, now what ?
think before you tweet :)
we have informed the CERT that we will be publishing information about essential websites without SSL login and websites with SSL login where the configuration was sometimes so bad that it is better not to have SSL at all
we have given the CERT access to the first pile of collections of sites
as promised belsec 2.0 will be publishing more stuff like that from now on
keeping it under the carpet has done no one any good
remember there is a European directive coming our way with data breach fines
so just setting it back won't be sufficient any more
there is nothing illegal about using Tor, but it does indicate that you are taking some special measures to defend your privacy, and there is a lot of totally illegal stuff on Tor, and Tor is mainly being used by activists, spies and criminals - besides all the normal people who use it (but it is an element that would be mentioned in your profile)
Tor is being maintained by volunteers who freely set up servers as entry points or as exits. There has always been a lot of discussion about the control and security of those servers and about what the maintainers of those servers are doing with all that information. In the beginning of Wikileaks there was a lot of discussion or debate about the source of all that material, and some people thought that it was legitimate or stolen material that went through Tor.
Tor is a system and network that is under surveillance, and many people are busy all the time trying to hack or crack it (not for criminal but for espionage reasons), and that is why people should update their Tor software all the time (which is not the case if you look at the list). Maybe Tor should set an update check of the software before anyone can connect to the network, so it is sure that no users would enter with vulnerable software and compromise the privacy and security of others.
around 2000 people are listed here as they are probably users or admins of an entry or exit point, with an IP address and an email address, or because they have left information somewhere
I hope there are no servers of your firm or organisation in it or that are also used for other services .....
so the best advice would be to
* use a fake or dedicated email address as contact for your Tor connections
* never go in with your own IP address: use a proxy or change your IP address immediately afterwards with your ISP
this list is even more interesting for targeted attacks, because if you can't break the system, you can nearly always break the security of the individual installations and information
but by looking a bit further there seems to be someone or a crew searching and researching everything they can find about Tor and every part of its installation and configuration (is an attack in preparation?) and publishing the data on pastebin (and some with a time limit)
time will tell - but you are warned
by the way - intelligence and security-agencies should stop gazing at twitter all the time, the real stuff is happening in the paste-site world now - instantly before anyone on twitter even knows about it
Researchers from the Ruhr University of Bochum’s Secure Hardware Group in Germany have cracked the copy protection system used by HDMI ports: Intel’s HDCP, or High-bandwidth Digital Content Protection. In addition to HDMI, HDCP is used to encrypt video signals transferred via DVI, DisplayPort and other connectors.
“In 2010, an HDCP master key, which is intended to form the secret core element of the encryption system, appeared briefly on a website,” reads the official press release. “In response, the manufacturer Intel announced that HDCP still represented an effective protection component for digital entertainment, as the production of an HDCP-compatible chip using this master key would be highly complex and expensive.”
Seemingly taking that as a challenge, the team accomplished the “inexpensive” man-in-the-middle attack by using Digilent’s Atlys Spartan-6 FPGA development board. It features a Xilinx Spartan-6 LX45 FPGA (field programmable gate array) in a 324-pin BGA package, two HDMI video input ports, two HDMI video output ports, a 10/100/1000 Ethernet jack, a RS232 serial port and more.
You need a new business model, not new encryption, DRM or whatever snooper you can think of.
Microsoft is the one firm in the world investing the most resources in tackling botnets and using any means to disrupt their networks (including taking them to US courts)
Botnets are a complex problem that requires a multi-faceted global solution. As such, no one entity can solve the problem alone. Microsoft believes that voluntary efforts to combat botnets must include members of the entire ecosystem. In fact, the most interesting and effective solutions will come from the partnerships between different parts of the ecosystem.
* We emphasize the need to disrupt and ultimately prevent botnets in the future. It is important not to simply build mechanisms by which botnet infections can be cleaned up very efficiently, in perpetuity. To do this, we must disrupt the botnet business models by simultaneously raising the attackers’ costs while lowering their gains.
* We are supportive of efforts to notify customers of infected devices, but recognize the increased possibility for fraudulent notifications. There are two key aspects to making notifications resistant to fraud and effective to end-users regardless of the form they take. First is to establish a trusted communications channel, so that users can be assured they are getting notifications from a trusted entity, and not just another attacker trying to get them to put malware on their system. Second is to explain the problem and the solution in terms the user can understand and with steps they can easily follow.
* We believe the most effective measure end users can take to stop botnet infections before they happen is to use the most current versions of operating systems, applications and security software available to them. Our recent Security Intelligence Report shows that each successive version of Windows has a lower infection rate than its predecessor.
but even then I still think it is up to the ISPs to block the addresses of known botnet servers and to alert via trusted channels (why not the ISP bill, for example) that that person could be infected and should install an antivirus or any other security measure
and I still think that a security package should come automatically with your ISP subscription (even if you would be able to choose between different products).
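What the ISP-side proposal above would look like in practice, as an added Python example that is not part of the original post and not any ISP's real system: a blocklist of known botnet controller addresses is matched against subscriber flow records, only the traffic towards those controllers is dropped (so the subscriber keeps connectivity), and the affected subscribers are collected for a notice over a channel they already trust, such as the bill. The blocklist uses documentation address ranges and the flow records and subscriber ids are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist of controller addresses and ranges, the kind an ISP would receive from a
# takedown coordinator. These are RFC 5737 documentation ranges, not real botnet hosts.
C2_BLOCKLIST = [
    ipaddress.ip_network("192.0.2.44/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed flow records from the ISP edge: (subscriber_id, src_ip, dst_ip, dst_port).
FLOWS = [
    ("sub-1001", "10.20.0.5", "192.0.2.44", 8080),
    ("sub-1001", "10.20.0.5", "93.184.216.34", 443),
    ("sub-1002", "10.20.1.9", "198.51.100.77", 80),
    ("sub-1002", "10.20.1.9", "198.51.100.78", 80),
    ("sub-1003", "10.20.2.2", "93.184.216.34", 443),
]


def is_c2(dst_ip, blocklist=C2_BLOCKLIST):
    """True when dst_ip lies inside any blocklisted network; a single hit is enough to block."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in blocklist)


def split_flows(flows, blocklist=C2_BLOCKLIST):
    """Return (dropped, passed). Only traffic towards controllers is dropped; everything else passes,
    so the subscriber is not cut off and can still receive (and act on) the notification."""
    dropped = [f for f in flows if is_c2(f[2], blocklist)]
    passed = [f for f in flows if not is_c2(f[2], blocklist)]
    return dropped, passed


def infected_subscribers(flows, blocklist=C2_BLOCKLIST):
    """Map subscriber_id -> sorted controller addresses it contacted, for the notification run."""
    hits = defaultdict(set)
    for sub, _src, dst, _port in flows:
        if is_c2(dst, blocklist):
            hits[sub].add(dst)
    return {sub: sorted(dsts) for sub, dsts in hits.items()}


def bill_notice(subscriber_id, destinations):
    """Plain-language notice for a trusted channel such as the bill: it names evidence the subscriber
    can check and gives steps to follow, without a link they would have to trust blindly."""
    return (
        f"Subscriber {subscriber_id}: a device on your connection contacted "
        f"{len(destinations)} address(es) used by a known botnet ({', '.join(destinations)}). "
        "That traffic is now blocked. Please update your operating system and applications "
        "and run a full scan with up-to-date security software."
    )


if __name__ == "__main__":
    dropped, passed = split_flows(FLOWS)
    print(f"dropped {len(dropped)} flow(s), passed {len(passed)}")
    for sub, dsts in infected_subscribers(FLOWS).items():
        print(bill_notice(sub, dsts))
```

The notice deliberately contains no clickable link: the whole value of a trusted channel is that the subscriber can tell it apart from the fake "you are infected, click here" messages that Microsoft's statement warns about.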
The EC is doing what national governments seem to be failing to do, and is asking for more power to deal with offending businesses. It is looking for fines of up to five per cent of annual turnover for breaches of privacy rules, according to a draft of the Data Protection Directive to be unveiled in the new year.
Documents seen by the Financial Times suggest that the EC's proposals will also impose mandatory notifications for all companies within 24 hours of any data breach, as the institution looks to strengthen citizens' privacy.
The document contains provisions for any organisation with more than 250 employees to appoint full-time staff dedicated to data protection, a requirement that is not enforced in all EU member states.
at the privacy conference in Brussels this year the representative of the commission had a hard time defending it against the lawyers and businessmen in the audience, but as one other person :) said:
it would make a world of difference for the security people in organisations and businesses if they could say: if you don't invest enough in security (normally 7 to 10% of your IT budget) then you risk paying a lot more if you are fined, and it would also cost you your image and reputation and trust because it would become public
I think it is in the interest of any interested party to support this measure with any means possible, because the lobbyists will do everything in their power to get all the teeth out of the measures, and measures without teeth are meaningless.
If those fines were used to subsidize the privacy commissions in the respective member countries, then those would have a budget to pay firms to do real audits and to fine firms where it is clear that their audits are meaningless (Diginotar for ex.). Simply waving a report or some accreditation around wouldn't be sufficient.
It would also mean that firms and organisations would have every interest in staying out of the online battles with antisec-anonymous, as it would - in time - lead to hacking and leaking of accounts for which they could be fined. As those attacks happen under the cover of DDoS attacks, it will be in the interest of hosters and ISPs to upgrade their DDoS defenses, as a commercial firm or institution shouldn't be hosted on a platform that can't defend them against DDoS attacks that would weaken their defenses and could lead to data leakages and fines. These fines would be more expensive than the cost of hosting your sites and applications with secure and DDoS-resilient infrastructure firms.
It is also time to integrate security, privacy and performance (DDoS) fully into any IT course worth that name.
A last thought is that in Belgium we would need an IT security MBA that wouldn't be just a copy of international and US norms but would be built upon the Belgian and European law, norms and infrastructure while using the international knowledge and experience.
Anonymous hacked the mail account of a cop who is a member of the special Occupy crackdown taskforce (as it is called) and published all its emails as a torrent (and some on the web)
it gives some credibility to the fact that Apple didn't know some intelligence services were hacking and cracking iTunes and consorts to install monitoring software
this one is a mail to our own FCCU.be
Oh Facebook!.... kthx for the tips :D
Just a thought, I recently solved a missing (runaway) by getting Facebook login IP addresses. The missing checked her Facebook account from her secret boyfriend’s residence. You know that the younger generation can’t live without their social media. Find out what your missing was in to; i.e. Facebook, MySpace, Tweeter or even email accounts. They all store IP information.
Detective Jim Verlander CFCE, CEECS
Baton Rouge Police Department
High Tech Support Unit
4445 Plank Road, CIB - Annex
Baton Rouge, La. 70805
How do you know the user doesn't already have it installed? Did you check the iTunes application list on their desktop machine?
It's possible it could already be installed and connected to their iCloud account, and if so, would be traceable. The carrier should also be able to provide location data if the device is on the network.
On Nov 3, 2011, at 8:02 AM, <firstname.lastname@example.org> wrote:
> Got my answer from Apple:
> Dear Mr Cools,
> Unfortunately this is not possible. Apple has no means to remotely install and enable the 'Find my iPhone' facility.
> Regards, Martin Reed
> Thx anyway.
> Tim COOLS
> Federal Judicial Police
> Federal Computer Crime Unit (FCCU)
> Notelaarsstraat 211 - 1000 Brussels, Belgium
> Tel +32 2 743 74 49
> Fax +32 2 743 74 19
> From: Jonathan Zdziarski [mailto:email@example.com]
> Sent: Thursday 3 November 2011 12:24
> Subject: Re: tracing an I-phone
> I'd think you should be able to subpoena that from Apple... As well as a subpoena to get location data from the cellular provider.
> Pardon teh Spellnig; Sent form my iPhone
> On Nov 3, 2011, at 7:14 AM, <firstname.lastname@example.org> wrote:
> In a case of a missing person who has an I-phone,
> Is there a possibility to trace that iphone without having the login details of the apple account of that missing person?
> And without knowing that the app “find my Iphone” is installed …
> Thx, Tim
> Tim COOLs
> Federal Judicial Police
> Federal Computer Crime Unit (FCCU)
> Notelaarsstraat 211 - 1000 Brussels, Belgium
> Tel +32 2 743 74 49
> Fax +32 2 743 74 19
so you want to sell your house
and people will use Google Street view to look at your house
but what if
* the street has been renovated (there are hundreds of km of streets that have been renovated throughout Belgium in the last years because the water infrastructure has to be renovated and separated at the same time)
* you have renovated your house
how do you let them know that the picture is old and that the street and your house are totally different from what is on the picture?
shouldn't Google put a date next to the picture, just as an indication and alert?
because the watermark on the pictures says Google 2011, but that is false: it can't be 2011 because the street where I live is totally different from the street they have taken a picture of, so it can't be 2011
for some cities - among which Ostend - Google has taken the pictures a few months before an electoral campaign (I suppose it would be the one from 2010)
while Google has undertaken enormous efforts in blurring the number plates and the faces of people, you can still find (for example in Ostend) who was a supporter of Groen, because they were quite early with their campaign
it is quite amazing that they have not thought for one minute of also blurring the political or religious affiliations of individual houses (and we are a democracy; imagine the same thing in Russia)
no - you can say that it is public because you put that poster on your home - but that doesn't mean that at the time you were hanging that poster you knew it would be published on the net for years to come - imagine if you sell the house and the new home-owner is a member of a totally different party
also, the names that are coupled to the houses are full of mistakes, and that's only for the few I know about
so, no these things shouldn't be indexed in any way - even by Google
game : find the Groen supporters in Ostend :)
The spam campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication.
After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found). A portion of the wire transfers (not all) are being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).
Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as “pending” and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.
so we have seen in the Anonymous campaigns that DDoS was used as a cover for break-ins and account and document stealing. Here it is used as a cover for fraud. DDoS as a cover can become a method which will have an impact on security procedures. You won't concentrate on the DDoS but on all the other things that are happening at the same time.
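One concrete way a bank's monitoring can act on that last sentence, as an added Python example that is not part of the original post or of any bank's real system: take the time window of a DDoS (and a short period before it, since the flood may be timed to follow the transfers) and pull out the large outgoing wires that fall inside it, so they are held and verified out-of-band while everyone else is busy with the flood. The event stream, account names, amounts, beneficiaries and the review threshold are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed event stream from a bank's monitoring, in time order. Names, amounts and times
# are invented for the example; nothing here comes from a real case.
EVENTS = [
    {"ts": "2011-12-20T09:00:00", "type": "login", "account": "acme-corp", "src": "203.0.113.9"},
    {"ts": "2011-12-20T09:05:00", "type": "wire", "account": "acme-corp", "amount": 98000, "beneficiary": "jeweler-llc"},
    {"ts": "2011-12-20T09:06:00", "type": "ddos_start", "target": "ebanking-portal"},
    {"ts": "2011-12-20T09:10:00", "type": "wire", "account": "acme-corp", "amount": 120000, "beneficiary": "jeweler-llc"},
    {"ts": "2011-12-20T09:20:00", "type": "wire", "account": "bakery-bv", "amount": 900, "beneficiary": "flour-supplier"},
    {"ts": "2011-12-20T09:45:00", "type": "ddos_end", "target": "ebanking-portal"},
    {"ts": "2011-12-20T11:00:00", "type": "wire", "account": "acme-corp", "amount": 150000, "beneficiary": "jeweler-llc"},
]

LARGE_WIRE = 50000                # hypothetical review threshold
LOOKBACK = timedelta(minutes=30)  # wires shortly before the flood count too: the flood may be timed to follow them


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def ddos_windows(events):
    """Pair ddos_start/ddos_end events per target into (start, end) datetimes.
    A start without an end means the attack is still ongoing, so its window runs to the latest event."""
    open_starts, windows, last_ts = {}, [], None
    for e in events:
        t = parse_ts(e["ts"])
        last_ts = t if last_ts is None or t > last_ts else last_ts
        if e["type"] == "ddos_start":
            open_starts[e["target"]] = t
        elif e["type"] == "ddos_end" and e["target"] in open_starts:
            windows.append((open_starts.pop(e["target"]), t))
    for start in open_starts.values():
        windows.append((start, last_ts))
    return windows


def wires_to_review(events, large=LARGE_WIRE, lookback=LOOKBACK):
    """Large wires inside a DDoS window (or the lookback before it): hold these and verify them
    out-of-band instead of letting the flood absorb all the attention."""
    windows = ddos_windows(events)
    flagged = []
    for e in events:
        if e["type"] != "wire" or e["amount"] < large:
            continue
        t = parse_ts(e["ts"])
        if any(start - lookback <= t <= end for start, end in windows):
            flagged.append((e["ts"], e["account"], e["amount"], e["beneficiary"]))
    return flagged


def accounts_to_hold(events):
    """Distinct accounts with at least one flagged wire; the hold is on outgoing wires, not on the login."""
    return sorted({acct for _ts, acct, _amt, _ben in wires_to_review(events)})


if __name__ == "__main__":
    for ts, acct, amount, ben in wires_to_review(EVENTS):
        print(f"HOLD {ts} {acct} -> {ben} amount={amount}")
    print("accounts on hold:", accounts_to_hold(EVENTS))
```

In the constructed stream the 150000 wire at 11:00 is not flagged because the flood is over by then; it would be caught by ordinary transaction monitoring, which is the point: the DDoS-window rule is an extra filter for the moment when the normal monitoring is least likely to be watched, not a replacement for it.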