06/29/2012

Elantis, the hacked Belgian bank site, is back online, let's have a look (or a laugh :) )

this is what we found when we searched for the website in Google (starts well :) )

Welkom | Elantis-Direct

www.elantis-direct.be/nl/

var flashvars={pathToConfig:"/sites/all/themes/elantis/assets/xml/config-nl.xml", iso:"nl"}; var params = {}; params.wmode = "transparent"; var attributes = {id:"test"} ...

okay, but when you type the full link you get the following response

http://www.elantis-direct.be/nl/sites/all/themes/elantis/assets/xml/config-nl.xml

page not found (but now you know that somewhere there is an XML file with the configuration)

but Google shows that some parts of the XML file are elsewhere, like this one

http://www.elantis-direct.be/sites/all/themes/elantis/assets/xml/config-nl.xml

It also proves that those specialists didn't clean the Google cache, so we will have to come back to that; who knows what else is in that cache (you only need a Google administrator account and a line of code on your site)

you can run an online simulation of how much it would cost to borrow some money, let's see

http://www.elantis-direct.be/nl/online-aanvraag

heeh, no HTTPS, waaw, all the following information is sent in CLEARTEXT (in full confidence, they say)

the amount of money, what it is for and the number of years you would take

then you receive a high cost percentage (nearly 10%) and then you click on the online application

that goes to HTTPS, which is good, but wait a minute ....

there is a pop-up flashing up first

a pop-up on a financial transaction site (isn't this the method phishers use to intercept credentials, and aren't you getting your users used to it as 'the normal way this website works'?)

there is an HTTPS certificate for the other information, okay, what does that mean?

- besides the fact that a site that is partly HTTP and partly HTTPS is in itself a risk, because there are attack strategies that use this discrepancy to intercept the data or confuse the users (full HTTPS throughout the site, or a totally separate, strongly secured sub-site for all logins and secure work, are the two better strategies).

hey, something else, look at the information in this link

https://www.elantis-direct.be/nl/simulator?a=50000&d=108&t=9%252E95&type=INTPSA&c=60&subType=TAEGPSA1

all the information I have entered is included in the URL (a is the amount of money, then 108 months, 9% and INTPSA etc....), it is not even salted or encrypted

Now the SSL certificate has been analysed by ssllabs.com (get ready for a good laugh)

these are the Belgian results (looks like our football team)

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.elantis-direct.be%2Fnl%2F

BEAST attack Vulnerable   INSECURE (more info)

Secure Renegotiation Not supported   ACTION NEEDED (more info)

Ephemeral DH 512 bits (p: 64, g: 1, Ys: 64)   WEAK

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   WEAK 4

SSL 2.0   INSECURE Yes

all in all it is a C, a very bad result for a certificate (you have thought about supporting your most insecure and dangerous users, not about the security of all your users). Your certificate is worth nothing against dedicated professional attackers and the new malware on the market.
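To show what fixing those scan findings looks like on the server side, here is an added example of mine (not code from the Elantis site, from ssllabs.com or from the original post) using Python's standard ssl module: it builds a server context that refuses SSL 2.0/3.0 and TLS 1.0/1.1 (the BEAST-affected CBC suites), lets the server dictate the cipher order, and offers only ECDHE key exchange with AEAD ciphers, so no export suites, no DES40 and no DHE with a 512-bit group; a small checker flags cipher suite names of the kind the scan marked WEAK. The weak-name patterns and the context settings are my choices; secure renegotiation (RFC 5746) is not something this API sets, it comes from running a patched OpenSSL/mod_ssl.

```python
import ssl

# Substrings (my choice) that mark a suite as one a scanner would flag WEAK/INSECURE:
# export-grade, DES/3DES, RC4, no encryption, MD5 MACs, anonymous key exchange.
WEAK_CIPHER_PATTERNS = ("EXPORT", "EXP-", "DES", "RC4", "NULL", "MD5", "ANON", "ADH", "AECDH")


def is_weak_cipher(name):
    """True if a cipher-suite name (IANA form or OpenSSL form) matches a weak pattern."""
    upper = name.upper()
    return any(p in upper for p in WEAK_CIPHER_PATTERNS)


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext that addresses the findings above (settings are my choice)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSL 2.0 (INSECURE), SSL 3.0 and TLS 1.0 (BEAST) are gone once the floor is TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The server, not the client, decides the suite; TLS compression is off.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    # Only ECDHE key exchange with AEAD ciphers: no export suites, no DES40, no DHE
    # (so no 512-bit DH group), no static RSA key exchange, no RC4/MD5.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # hypothetical paths supplied by the caller
    return ctx


def offered_weak_ciphers(ctx):
    """Names of suites the context would still offer that match a weak pattern (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]


def min_protocol_name(ctx):
    """Lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_scan_findings(names):
    """Split a list of suite names (e.g. copied from a scanner report) into weak and acceptable."""
    weak = [n for n in names if is_weak_cipher(n)]
    ok = [n for n in names if not is_weak_cipher(n)]
    return weak, ok


if __name__ == "__main__":
    # Constructed sample: the suite quoted in the scan above plus two others.
    sample = ["TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    print("weak:", audit_scan_findings(sample)[0])
    ctx = hardened_server_context()
    print("min protocol:", min_protocol_name(ctx), "weak suites offered:", offered_weak_ciphers(ctx))
```

The cipher list is a whitelist, so the exclusions at the end are only belt and braces; whatever suites the local OpenSSL build offers under that string, none of them should match a weak pattern.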

and in this 'secured' environment you have to fill in your RRN (national ID number) and a lot of other identification details

okay, let's move on, this is s.....

hey, let's have a look at the code (right-click in the browser and view the source)

<script type="text/javascript" src="/misc/drupal.js?A"></script> it is Drupal, ha, let's try it
https://www.elantis-direct.be/misc/drupal.js?A

what do we see, well, it is commented code explaining how the coders should do things and correct things and so on, well,
not very interesting for you and me, but some other people may find it quite interesting for understanding the website

and no, I have done nothing illegal up till now ......

haha, and now the biggest joke of this unprotected code, ready?

<a id='hiddenLink' onclick='return false;' style='display:none'></a><!-- Piwik --><script type="text/javascript"> var pkBaseURL = (("https:" == document.location.protocol) ? "https://www.elantis-direct.be/piwik/" : "http://www.elantis-direct.be/piwik/"); document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E")); </script><script type="text/javascript"> try { var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1); piwikTracker.trackPageView(); piwikTracker.enableLinkTracking(); } catch( err ) {} </script><noscript><p><img src="http://www.elantis-direct.be/piwik/piwik.php?idsite=1" style="border:0" alt="" /></p></noscript>

ok, they are using open source software all over the place, this is really interesting now - but not for me

I hope their security people patch, update and harden it all the time

for Piwik, for example, there is this alert

exploit - SecurityFocus

www.securityfocus.com/bid/53773/exploit

4 June 2012 - Piwik Multiple Security Vulnerabilities An attacker can exploit these issues through a browser. To exploit cross-site request forgery and cross-site scripting issues

ooh, and the server is running Apache, what else?

and now for the social engineers and the attack strategy writers - have a look at the way they are cheaply hosted together with a whole lot of other websites on the same IP address (if you root one server, you root all the sites)

http://www.robtex.com/dns/elantis-direct.be.html#summary

They said their site was secure, they said their site is now secure, ........

the site was never logged on to or attacked with professional attack tools, we only used some general online test tools, collected publicly available information and put it all together

something a professional security analyst would have done :)

If you are looking for one, I know one or two who do their job as it should have been done in the first place (and this is no advertorial)


the RSA SecurID token attack and why tokens have to pre-boot before anything else

Based upon all the comments and answers, I think this is the best global answer that I have found so far

  • This research is only related to the smartcard functionality of the RSA SecurID 800 token. This does not impact the One-Time Password (OTP) functionality of the token in any way.
  • This does not impact the RSA SecurID 700 or any other RSA SecurID authenticators, including software tokens, apart from the smartcard functionality of the RSA SecurID 800 token as mentioned above.
  • This is not a useful attack. The researchers engaged in an academic exercise to point out a specific vulnerability in the protocol, but an attack requires access to the RSA SecurID 800 smartcard (for example, inserted into a compromised machine) and the user’s smartcard PIN. If the attacker has the smart card and PIN, there is no need to perform any attack, so this research adds little additional value as a security finding.
  • This vulnerability does not yield the private key stored on the smartcard. The specific vulnerability – if carried to its logical conclusion – cannot lead to successful harvesting of the private key corresponding to the public key in a user’s certificate.

http://securityaffairs.co/wordpress/6850/hacking/rsa-secu...

In fact, it is not because you use a token that your machine is safe; everything depends on the environment in which the token is launched, read and used.

The only safe environment is one independent of the computer (the pre-boot), after which the security environment/tools on the PC pre-boot (otherwise you get viruses with boot or root functionality), after which only the OS (whatever that is) will start. This will make the startup time somewhat longer, but it is the most secure way. Look at it as if you are boarding a plane. You also have to pass several checks that do different things (check your ID and your ticket; check your ID, ticket and your belongings; and finally again check your ID, ticket, belongings and the questions security may want to ask you). It is only after this filtering process that the people who have passed them can get on the plane, and planes are now much more secure (until 2001 this was not the case for local flights at local airports, which was the reason why the 9/11 attackers used those).

Well, the token is only safe if it has its own environment to live in, to change and to interact with the rest of the OS and the network, and there is no way you could get to the token or any key or password unless you are pre-booted before them. That kind of computer would better be thrown away.

well, and yes, every change to a product to make it more client-friendly creates a security problem.


how new botnets bypass virtual security environments (and sandboxes) and how to bypass that in turn

Nevertheless, the tricky part comes here. When a virtualized environment is detected, unlike many other Trojans that stop working, Citadel will continue to operate, but behaves in a different manner. It will generate a unique machine-dependent domain name (obviously fake) and try to connect to this server (unsuccessfully), making one believe that the bot is dead and its command and control server is offline, while the real C&C domain is kept hidden. You can distinguish the fake ones by the way they are generated: they look like an md5 hash; the C-style format string used is:

http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php

If we run a Citadel sample of this kind in a VMware environment, closing all processes related to VMware (vmwareuser.exe, vmwaretray.exe, ...) will be enough to force Citadel to act normally, as if it were running on a physical machine.

http://securityblog.s21sec.com/2012/06/citadel-updates-an...

And so the game of cat and mouse will continue on and on and on
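The format string quoted above is a fingerprint in itself, and that is the defender's side of the cat and mouse game. The following is an added example of mine (not from S21sec, the original post or any Citadel analysis tool): it turns the format string into a regular expression, runs it over a few constructed proxy log lines (hosts, clients and the log format are hypothetical), and groups the hits per client, since each infected machine produces one fixed decoy host.

```python
import re

# The C format string quoted above, as a regular expression: %02x eight times gives a
# 16-hex-char host label, four times gives 8-hex-char directory and file names.
DECOY_URL_RE = re.compile(
    r"^http://(?P<host>[0-9a-f]{16})\.com/(?P<dir>[0-9a-f]{8})/(?P<file>[0-9a-f]{8})\.php$"
)


def is_citadel_decoy_url(url):
    """True when a URL has the exact shape of the decoy C&C address (lowercase hex only, as %02x prints)."""
    return DECOY_URL_RE.match(url.strip()) is not None


def find_decoy_requests(log_text):
    """Scan proxy log lines of the form 'timestamp client status method url' and return (client, url) hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[4]
        if is_citadel_decoy_url(url):
            hits.append((client, url))
    return hits


def decoys_by_client(hits):
    """Group hits per client; a machine always yields the same decoy host, so expect one URL per client."""
    grouped = {}
    for client, url in hits:
        grouped.setdefault(client, set()).add(url)
    return {client: sorted(urls) for client, urls in grouped.items()}


# Constructed sample log (hypothetical clients and hosts, not real traffic).
SAMPLE_LOG = """\
1340950001.001 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1340950002.002 10.0.0.5 TCP_MISS/503 GET http://0a1b2c3d4e5f6071.com/8899aabb/ccddeeff.php
1340950003.003 10.0.0.7 TCP_MISS/200 GET http://cdn.example.net/1234abcd/script.js
1340950004.004 10.0.0.9 TCP_MISS/503 GET http://ffeeddccbbaa9988.com/01234567/89abcdef.php
1340950005.005 10.0.0.5 TCP_MISS/503 GET http://0a1b2c3d4e5f6071.com/8899aabb/ccddeeff.php
"""

if __name__ == "__main__":
    for client, urls in decoys_by_client(find_decoy_requests(SAMPLE_LOG)).items():
        print(client, "->", urls)
```

Treat a hit as a lead rather than proof: a legitimate sixteen-hex-character .com name is unlikely but possible, and a machine that only ever produces this decoy traffic in your sandbox is telling you the sample spotted the VM, which is exactly the case where the S21sec note above says to hide the VMware processes and run it again.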


the spam avatars under blogs

they say your website is good, your post is interesting and all that kind of text that they repeat under so many other blogs and forums

why: probably it has something to do with Google ranking (backlinks), with trying to get you to visit back and with catching visitors who read the comments

this is just a sample (oh, it will pass any spam filter that doesn't apply the spam words to the names of the members or avatars), just to give you some idea

  1.  
    cheap vacation ideas
    March 13, 2012 at 9:02 pm | #7
    Reply | Quote

    Thank you for another informative website. Where else could I get that kind of information written in such a perfect means? I’ve a project that I am just now working on, and I’ve been at the look out for such information.

  2.  
    sunscreen cancer
    March 14, 2012 at 8:00 pm | #12
    Reply | Quote

    Hi! I could have sworn I’ve been to this website before but after browsing through some of the post I realized it’s new to me. Anyways, I’m definitely glad I found it and I’ll be bookmarking and checking back often!

  3.  
    accelerated nursing programs
    March 15, 2012 at 12:34 am | #13
    Reply | Quote

    Wow! This could be one particular of the most helpful blogs We have ever arrive across on this subject. Basically Great. I am also a specialist in this topic therefore I can understand your effort.

  4.  
    disque dur externe 2to
    March 15, 2012 at 3:59 am | #14
    Reply | Quote

    Very interesting subject, appreciate it for posting.

  5.  
    white ceramic watches
    March 15, 2012 at 4:39 am | #15
    Reply | Quote

    Great write-up, I am regular visitor of one’s site, maintain up the excellent operate, and It is going to be a regular visitor for a lengthy time.

  6.  
    See the Fastest Way To Lose Weight
    March 15, 2012 at 8:27 am | #17
    Reply | Quote

    I am exploring the Internet as I never have before. I have more time since I reitred. There is quite a rich diversity of information in blogs so I am getting involved and commenting. Your blog is not like most of the blogs that I read on the Internet, and I like the style of what you are presenting here. I am approaching this from all sides, sonce I recently started my own website with its own blog. In the text boxes I have entered my email address and my website URL. Is this acceptable? I hope this is allright. TheVeryBest2You 13 10

  7.  
    montre hello kitty
    March 16, 2012 at 9:40 am | #21
    Reply | Quote

    Perfectly written articles, Really enjoyed reading through.

  8.  
    blackjack asphalt sealer
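The point above, that the commenter name is the field a filter should look at, can be turned into a simple heuristic. The following is an added example of mine (not the blog's filter and not code from the original post): it scores each comment on whether the name reads like an advertising keyphrase, whether the body reuses content-free praise, and whether the body refers to the post's topic at all. The sample comments are taken from the list above, the term lists and the one on-topic comment from "Bart" are constructed by me.

```python
# Constructed from the sample comments quoted above plus one made-up on-topic comment.
SAMPLE_COMMENTS = [
    {"name": "cheap vacation ideas",
     "body": "Thank you for another informative website. Where else could I get that kind of information written in such a perfect means?"},
    {"name": "sunscreen cancer",
     "body": "Hi! I could have sworn I've been to this website before but after browsing through some of the post I realized it's new to me. I'll be bookmarking and checking back often!"},
    {"name": "accelerated nursing programs",
     "body": "Wow! This could be one particular of the most helpful blogs We have ever arrive across on this subject. Basically Great."},
    {"name": "disque dur externe 2to",
     "body": "Very interesting subject, appreciate it for posting."},
    {"name": "white ceramic watches",
     "body": "Great write-up, I am regular visitor of one's site, maintain up the excellent operate."},
    {"name": "See the Fastest Way To Lose Weight",
     "body": "I am exploring the Internet as I never have before. Your blog is not like most of the blogs that I read on the Internet."},
    {"name": "montre hello kitty",
     "body": "Perfectly written articles, Really enjoyed reading through."},
    # constructed legitimate comment, on the topic of the Elantis post above
    {"name": "Bart",
     "body": "The SSL Labs report also lists SSL 2.0 as enabled, which Apache version is that server on?"},
]

# Words that make a commenter 'name' look like an advertising keyphrase (my list, extend per site).
COMMERCIAL_TERMS = ("cheap", "vacation", "sunscreen", "programs", "disque dur", "watches", "lose weight", "montre")
# Content-free praise that the samples reuse under any post (my list).
GENERIC_PRAISE = ("informative website", "helpful blogs", "appreciate it for posting", "great write-up",
                  "perfectly written", "bookmarking", "interesting subject", "enjoyed reading")


def spam_score(comment, topic_words):
    """Additive heuristic: keyphrase-like name (+2), commercial term in name (+2),
    each generic praise phrase in the body (+1), no reference to the post's topic (+1)."""
    name = comment["name"].strip()
    body = comment["body"].lower()
    score = 0
    if len(name.split()) >= 2 and name == name.lower():  # several words, no capitals: a search phrase, not a person
        score += 2
    if any(term in name.lower() for term in COMMERCIAL_TERMS):
        score += 2
    score += sum(1 for phrase in GENERIC_PRAISE if phrase in body)
    if not any(word in body for word in topic_words):
        score += 1
    return score


def is_spam(comment, topic_words, threshold=3):
    return spam_score(comment, topic_words) >= threshold


def classify(comments, topic_words):
    """Return (spam_names, ham_names) for a list of comments."""
    spam = [c["name"] for c in comments if is_spam(c, topic_words)]
    ham = [c["name"] for c in comments if not is_spam(c, topic_words)]
    return spam, ham


if __name__ == "__main__":
    topic = ("ssl", "apache", "elantis", "https", "certificate")
    print(classify(SAMPLE_COMMENTS, topic))
```

With the threshold at 3, "See the Fastest Way To Lose Weight" is the borderline case: its name has capitals, so only the commercial term and the missing topic reference count, which is why the topic-words check is there and why a real deployment would tune the term lists per site instead of relying on a fixed list.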


06/28/2012

why US banks have to keep every email (and phone call, SMS and chat) by law

A big scandal is unfolding because Barclays and probably a lot of other banks manipulated an international interbank lending indicator, giving false information to set it more favourably when they had to borrow huge sums on the market (they were playing the Greece-Euro game, in fact).

One reason the whole hierarchy of Barclays Bank is now to be held accountable is that the investigators can refer to internal emails, some even a few years old.

The reason they can do this is that US banks, or those with operations in the US, have to keep all internal communication safely stored away for investigation if necessary.

You can read some of these damaging emails here

http://www.telegraph.co.uk/finance/newsbysector/banksandf...

oh yes, and if they had destroyed them, the punishment in the US would have been harsh.

Europe is still far away from that.

and you wonder, how stupid to put all that in an email ..... what did they think, that nobody would ever notice?


what a difference a small mistake in a foreign IT support center does

The bank RBS dismissed its IT personnel and outsourced the work to workers in India.

During an upgrade, some technical person in India made a stupid mistake.

The result

The error is understood to have occurred after a software update froze part of the banks’ computer systems last Wednesday, affecting 17 million customers.

Although the problem was resolved on Friday, it created a backlog of more than 100 million transactions that were not paid in or out of bank accounts as they should have been.
http://www.telegraph.co.uk/finance/personalfinance/consum...

wow, this was a really good business decision in the end


#opnewlaw antisec operation announced against hosting industry

This is the declaration

  1. What is the main thing in today's world that supports everything that these Carders do in order to get their stuff out there?
  2. It's called Hosting Companies
  3. I've been in the Hosting industry for years, I've worked as a level 3 Systems Admin for 2 of the world's largest offshore hosting companies in the world + contract work for over 30+ offshore hosting companies securing their networks.
  4. With doing so I was able to get a firm grasp behind the legalness and as well the technical aspect from the Hosting Industry.
  5. The hosting industry is a joke and it needs to be treated more serious
  6. Hosting Companies do not Follow state laws - Nor do they care about anything that is placed on their servers.

etc etc

http://pastebin.com/dq7KGfJb

should I say you have been warned and it is time to prepare your defenses and responses

euh, somebody wanted to go on holiday?


(Full decision) Australian judge dismisses FBI search warrants and closure of Mega-upload

On Thursday, High Court Judge Justice Helen Winkelmann found the warrants used in the seizure of property from Dotcom's mansion near Auckland were illegal and that moves by the FBI to copy data from Dotcom's computer and take it offshore were also unlawful.

"The warrants did not adequately describe the offences to which they related," Winkelmann said in her ruling. "Indeed they fell well short of that. They were general warrants, and as such, are
http://www.reuters.com/article/2012/06/28/us-newzealand-d...

The full decision

Mega Warrants


Free DDoS botnet source code (value 100 dollars), just for the educational experience

many users will see that their antivirus won't detect it :)

for DDoS purposes it has the following characteristics

A brief functional overview:
• Intuitive control panel
• DDoS (HTTP / SYN Flood / UDP)
• Loader (load and run)
• Cheat visits (visits to the page views)
• USB Spread (spread through flash drives)
• Socks5 (picks up a socks proxy on the infected machine)
• Update (updates the bot)
• The process cannot be terminated because it is marked as critical
• 256-bit AES encryption of traffic from the bot to the server
• Anti-Debugger
http://thehackernews.com/2012/06/zemra-botnet-leaked-cybe...

remember that with Anonymous the best and most successful DDoS attacks came from zombies in a DDoS network, not from volunteers, and that DDoS is still very successful


Accord.Nl database leak or hack published online

so instead of publishing proof that he has the additional Belgian data from the databases he claims to have, he published some information he says he has from Accord.nl

Dear Interweb users, You may have heard about us in the news when we hacked into web databases  belonging to Elantis and AGO-Interim, two Belgian  companies, along with AmeriCash Advance, an American one.  (http://news.cnet.com/8301-1009_3-57456330-83/hackers-grab-  customer-data-demand-cash-from-payday-lender/)

Last week, we exploited a vulnerability on Accord's website at Accord.nl and downloaded their entire Web database. As you probably know, Accord is a Dutch temporary work agency. The data we have downloaded contains the records of job applicants. Those records include their names, email addresses, passwords, addresses, as well as their online CV. We offered Accord to prevent the release of their data on the Internet by paying us a fee of less than EUR 10,000. If Accord does not pay us this week, we will release the confidential data of their applicants on PasteBin and BitTorrent. This data release will be advertised on our Twitter feed (RexMundi_Anon). Sample data can be found below:


  • 2334        tamara-vergouwe@hotmail.com        kusje1206        Tamara Vergouwe                Kortenhoef        1241 NK                0616702832 2335        antoinehuisman@online.nl        hu1291        A. Huisman        Kostmand 17        Huizen        1276 CG                0653904858 2337        hwl_hananh_@msn.com        Snoopdogg        Hannah Lucas        Claudiagaarde 47        Bussum        1403 JN                06-44596270 2339        asmeenk1972@home.nl        welkom01        alex smeenk        leonardspringerlaan 246        deventer        7425 ha0570513664 2340        gewoon_les@live.nl        kassak12        Lesley        Brinklaan 106A        Bussum        1404GS                0681465778 2341        winstonmanuela@hotmail.com        alfaspider8780        manuela        sluiswachtershoeve 307        apeldoorn        7326 zd 0611956851 2342        piet1.schipper@planet.nl        medan2301        Schipper Piet        Berkenrodewe 20        Ede        6711 RP 0318-610190 2343        sham@live.nl        sheena25        Shamien Lie-Atjam        Gitaarstraa 81        Almere        1312PT                0628562874 2344        enge2637@planet.nl        delano10        Claudia Engelen        Dorpsstraat 36        IJzendoorn        4053HN                0639504191 2345        mijnnieuwecollega@gmail.com        solliciteren        Daniel Mul        Akkerwind 50        Apeldoorn        7322DJ 0615155882
  • 1817        JHJ van Gunsteren                Zie bijlage cv        Zie bijlage cv        1356        6 1818        cv frank van deventer    1819        werkzoekende                heb vmbo gedaan niet afgerond        Ik he ervaring in schoonmaak en productiewerk        1300        0 1821        Ik zoek zo snel mogelijk Full Time Werk!                                        3 1822        Schoonmaken                geen        Heb ruim 2 jaar gewerkt bij Iss Schoonmaakbedrijf
  • ik zoek werk voor 24 uur in deweek                21824        Arbeidsverleden        M de Groot automobielbedrijf de Groot 01-01 t/m 31-08 1996 Arbeidsverleden:auto serv eemland 01-01 t/m 30-04, Boltjes plaatwerk 24-11 t/m 31-12 1997 De formido 10 aug 1998 t/m 29/11/2000 praxis 2000 t/m 1oktober 2001 Nijhof 30 augustus 2001 t/m 14/02/2008 Vedior, manpower, olylimpia uitzendt kracht 01/10/2008 t/m 21/11/2008        vmbo motervoertuigen        Heb ruime werk ervaring op veel gebieden.        4000        30 1825        administratief, secretarieel, financie                mbo detailhandel, mbo arbeids- en sociaalrecht        Hoofdkassiere supermarkt        2250        8 1828        schoonmaak/groen voorziening.                tot mavo 3 geen diploma.        kan bijna veel doen,laden en lossen metbehulp van heftruk kan ik ookwel doen, alleen is mijn certificaat verlopen,oppakken stapplen,bedienen van machine, inpakmachine.        1000        27 1829        Chauffeur rijbewijs B en motor                LTS Metaalbewerking afgesloten met
  • http://pastebin.com/hyvHRusL


06/26/2012

why police infiltrators in antisec/lulzsec operations are a good investment

you read it very clearly in the book about Anonymous

when Sabu became a police informer he was able to inform the police about

* zero days that otherwise wouldn't have been known for months (and were ready to be used)

* internal leakers who were forwarding information and logins for confidential networks

* vulnerabilities in big networks and websites of governments and corporations

all longing to be part of the action

only the action was on the other side

oh yes, they gave up Stratfor, but maybe this was necessary to keep all the other stuff coming

and that was worth much more than some private CIA company whose cover and usefulness had been compromised anyway

but for that

* either the hacker hacks nothing (and copies it from other sources)

* or the hacker hacks something but has permission for it under 'special operations' to gain credibility

if at the same time he is bullying other hackers, trying to discredit them and making trouble

so that they become less organised and have less time for attacks

then the investment and the risks are no match for the millions won with the (preventive) operation


Karel de Gucht wants his ACTA agreement no matter how the European parliament votes

The day before the EU's International Trade committee (INTA) recommended that the European Parliament should reject ACTA, the EU commissioner with responsibility for the treaty, Karel De Gucht, had given a speech to its members, trying to win them over. Although it was short, it turns out to be highly revealing about the European Commission's future ACTA strategy. Here's what he said:

If you decide for a negative vote before the European Court rules, let me tell you that the Commission will nonetheless continue to pursue the current procedure before the Court, as we are entitled to do. A negative vote will not stop the proceedings before the Court of Justice.

That is, whatever happens next week, the European Commission will wait for the European Court of Justice (ECJ) to rule on whether ACTA is compatible with EU law. If it is found to be incompatible, De Gucht admits that rather than accept this ruling, the European Commission will try to find some trick to circumvent it:

If the Court questions the conformity of the agreement with the Treaties we will assess at that stage how this can be addressed.

This implicitly confirms that the referral was simply a way to buy time, rather than an honest question about ACTA's legality.

Even assuming the ECJ rules eventually that ACTA is compatible, there could still be a problem if, in the meantime, the European Parliament has voted not to ratify it. Here's what De Gucht says he would do in that case:

First, I would consider proposing some clarifications to ACTA. For example on enforcement in the digital environment. We could look at this in the light of the discussions you will have had on legislative proposals which the European Commission is set to put before the Parliament and the Council. Or for example, we could seek to clarify further the meaning of 'commercial scale'.

Remember that ACTA is now signed, and cannot be altered; so De Gucht is instead trying to fob off European politicians with this vague idea of "clarifications" -- as if more vagueness could somehow rectify the underlying problems of an already dangerously-vague treaty. That's clearly just a sop; here's the real plan:

Second, once we will have identified and discussed these possible clarifications, I would intend to make a second request for consent to the European Parliament. Whether the Parliament will consider it under this legislature or the subsequent one, will be for you to decide.

This is an extraordinary admission. De Gucht says that even if the European Parliament unequivocally refuses to ratify ACTA next week, he will simply ignore that result, and re-submit it at a later date.
http://www.techdirt.com/

Maybe he should just abolish the parliament and sign the agreement all by himself

that would be much simpler because democracy is just too complicated to get things done


Apple is now a computer like any other computer.... with security problems

Apple has quietly removed a statement from its website that the Mac operating system isn’t susceptible to viruses. Apple released a patch to a Java vulnerability that led to the infection of roughly 600,000 Macs with the Flashback Trojan earlier this year; there were claims weeks later from security researchers that hundreds of thousands of Macs were still infected.
http://thehackernews.com/

now for the communication, user education and alerting: coming out and saying that there are problems, that they will be dealt with, and that vulnerabilities are not features but a problem

maybe they should have a look at how Microsoft has been doing that ...... for more than 10 years

they may learn a thing or two


this is why security is in the end always cheaper (with US clients)

Over two days in March 2010, nearly $466,000 disappeared from the accounts of Village View Escrow, a small business in California that holds funds for real estate transactions.

The money was siphoned in 26 online wire transactions that scattered funds to a network of people under orders to wire the money to banks in Eastern Europe via Western Union.

This type of cybercrime fraud is all too common. The FBI has warned for years of wire transfer fraud and said in 2009 that it had cost U.S. businesses and organizations as much as $100 million.

Village View Escrow sued its financial institution, Professional Business Bank, alleging that it misrepresented the security of its online banking systems -- which used single-factor authentication -- and was liable for the fraud.

On Monday, Village View Escrow's law firm announced that Professional Business Bank agreed to pay a $600,000 settlement, avoiding a trial that could have set a new legal precedent and made it easier for small businesses to take banks to court over fraud.
http://www.computerworld.com/

The advantage of US clients is that they can and will sue you; the disadvantage of European clients is that they can't, and this makes the security obligation much more difficult to enforce in Europe than in the US.

Because if your risk from insecurity is 600,000 dollars and the additional security for your site costs 10% of that, the CEO's choice is very quickly made (keep it for his own bonuses)


if Apple can rip off its users permanently, why shouldn't others

Orbitz told the paper it was showing Mac users different, and in many cases more expensive, hotels to those shown to people browsing on a Windows PC.

Orbitz said research suggested Mac users generally spent about 30% more per night on hotels than PC users.

But it never showed the two user groups the same room for different prices.
http://www.bbc.com/news/technology-18595347


06/23/2012

Parmy Olson confirms some of our thoughts about LulzSec at the time

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency (9780316213547): Parmy Olson (ps you can find it if you look for it)

I don't like the book at all, but that is for another posting tomorrow

1. it is all about Sabu (Google dork: site:belsec.skynetblogs.be sabu)

If you read the book as a social engineering book, in which people inspire, motivate, coordinate and lead others (young and somewhat bewildered people in search of esteem, adrenaline and a goal) and in fact in the end manipulate them to continue, then you come to the conclusion that it all revolved around Sabu. And yes, for that reason he was the most hunted hacker at that time, and yes, for only that reason the FBI wanted him to work with them, and yes, only for that reason the FBI wanted him to keep things going (even if a big firm such as Stratfor, working for the US intelligence agencies and many other governmental agencies around the world, would have to go under).

It was because in the chaos and frantic space he was a kind of calm, methodical organiser, nearly a leader, and that was inspirational (not that he inspired me to hack, but it gave a meaning to it, not the declarations but the strategy and methodology). We called him old school, and in the book it is explained that he is old school.

If you look at the new school LulzSec without any old school organiser around, it looks pretty kiddie, even pitiful. Maybe much lulz but no impact whatsoever. Much brouhaha but not many real goods.

Lesson: a hacker group without an old style methodical organiser is just a loose riot or bunch, not a real threat that will endure and inspire

2. When they penetrated a network they stayed in it for weeks or months

It is quite amazing that in a time when there are very professional and effective open source tools that can monitor everything that happens in a network or on a server, a time in which databases can be totally locked down so that no new users can be added and anything 'illogical' is alerted on, a time in which encryption is just the push of a button, they were spending weeks or months in big networks without being discovered in time.

They penetrated a network with very simple toys and stayed in the networks for weeks or months, downloading everything that interested them, making network plans, reading the mails of the people concerned or of the administrators, and preparing new backdoors in case they would need them afterwards

Lesson: this also means that monitoring the outgoing traffic is as important as monitoring the incoming traffic and attacks. Data leakage prevention, has anybody ever heard of it?

3. They penetrated networks also during DDOS attacks

It was clear from the beginning, from the details of the attacks, that there was a link between the DDoS attacks and the penetrations. Somewhere in the book it is said that while the group bounced the victim, the technical hackers penetrated the network.

We always said that while your technical people are too busy trying to keep the network and servers up, your security people should be in the highest state of alert possible, because while everybody was watching the front door the hacker was coming in through the back door (or the window of opportunity)

You have to automate your DDoS defense and put clear procedures in place, to be sure that when they come you are calm: you have your contracts, technical means and procedures, so everybody stays calm and just does their job, and everybody has the time to keep checking everything else that is going on at the same time (and wants to stay under the radar).

And two other points out of the book that can be taken into account as a conclusion. First, the attacks were not that massive, sometimes at the max a few hundred (so it is just a matter of bandwidth and users). Secondly, they only succeeded when they got the help of botnets (so your botnet defense should be integrated with your DDoS defense).

And last but not least, they are not that Anonymous, and the heaviest hitters can be prosecuted if they are stupid enough to hit sites in their home states (never attack your home).

4. There is no real integration between the leakers and the stealers who just become dumpers

So you stole the full mailbox of HBGary or Stratfor, and in those thousands and millions of data there will be very interesting stuff, but you still will have to analyze it, put it into context, get reactions from others, make stories out of it.

We have analyzed a lot of the things that were in the dumps of HBGary and have found things that were really astonishing (aside from the stories in the press), such as that the NATO network in Brussels had been compromised at a certain time, and so on. But it was too much for too few people who had too few resources and too little intelligence to do something meaningful with it.

They were also sitting on a massive dump of data in the end (and, as I remember, there was still more that wasn't released) and they dumped it because there wasn't enough time to go through it all. It is very fascinating to go through all these internal mails and documents and to read things that you thought were there but that are now proven by insiders, but it also takes a lot of time, effort and endurance and it doesn't always lead to direct big results and press attention, as WikiLeaks found several times (which is the reason WikiLeaks turned, before its downfall, into a publicity machine instead of a research portal for leaking and whistleblowers).


Anonymous Belgium : Accor Metal hack investigation accelerates

News has leaked out that the Federal Computer Crime Unit has visited the homes of three suspects of the hack of the Accor Metal website in Luxembourg (not far from Belgium, and with close ties to Belgium, so working together will have been easy). They have confiscated computer material (but if the suspects have read any Anon guides there wouldn't have been anything on it by now, or ever?). It is for the moment unclear if they are under indictment.

The hack itself wasn't that spectacular either: a web page with Anonymous and some internal files, but with nothing secret or earth-shattering in them, nor anything you could use for social engineering.

It will cost them a lot of money though. Why do you think I stay so far away from anything that has anything to do with hacking or pure illegal activities?

* our national cybercrime law is one of the more general and strict around

* the FCCU doesn't have enough manpower and material, but they work like hell and surprisingly they very often have good results (in their eyes), especially when it is Belgians against Belgian targets (never attack your home country from your home country, even with proxies)

* we are a small country, so there is much less data to sift through, fewer people and groups to observe, and so on

And after all, it is not worth it, personally nor for the movement.

The movement, that is the indignados, that is also Occupy, that is lobbying against ACTA, that is helping other organisations get more limelight by giving them a platform, that is thinking about privacy and personal rights in our digital society and changing laws and getting them implemented.

Hacking, defacing and dumping logins is lolz for kids and retards, with some WOW factor for some time, but after a while it doesn't bring anything new to the movement and surely not to the goals, and it has become just a distraction in a game in which you in fact don't know who is manipulating whom, and for which purpose.

So, no, you are no victims, no heroes, no martyrs for the cause.

You knew the risks, you knew the non-existent political or other positive results of such an attack, and still you chose to play the game for the lulz, for the excitement.

You are lost. You are over. You are out.

I hope you are still young and the judge may take that into consideration and give you another chance to do something that really changes the way things are going (the wrong way).


reckz0r says he hacked hackforums.net (but reminds us of a good security policy)

It is what he calls his summer of rage, but after the fake disclosures of the attacks on the banks, the Visa file (but not the stolen data of the breached payment processor we knew about) and the other copied older leaks, who are we to believe him?

So he leaks some hashes from hackforums.net.

Should we be impressed?

No, because if you google "hackforums.net hacked" over the period of one year you will see that the site has been hacked, DDoSed and penetrated in all kinds of ways,

and that 200,000 accounts were already leaked before.

Which reminds me of something: it is time to make it an obligation for all sites to destroy all accounts that have been inactive for one year (unless the person reactivates them), especially if you get hacked several times a year because you are a hackers' forum.

Just good policy.


06/22/2012

Interim hack : Belgian Privacy Commission can't do a thing, but the victims can ask for compensation

So the SIS, RRN, address, email with password and a negative evaluation were stolen from the interim office Agon.

The hacker only placed three profiles online, said he had 9900 others, but has since then more or less disappeared from Twitter, probably feeling the heat and realising that if he released them he would be a prime target for the cyberpolice (who take their time but are in fact very effective in the end).

On the other hand, there is no report by an independent organisation that certifies that no other data was lost or compromised, so whatever anyone says.

The site is still in the same state as we described it after the hack.

Now the Privacy Commission says that they can't do a thing, they can't impose a fine, but if the three people mentioned in the leak were to file a complaint because of insufficient security and because the recommendations of the Privacy Commission were not respected, they would negotiate a compensation.

That will make every hoster of confidential data in Belgium very afraid .......

Now they will really respect you :)

The tendency elsewhere in Europe and the world is just the opposite, and this is why the European Commission will have to impose stricter rules.

http://www.demorgen.be/dm/nl/5403/Internet/article/detail/1457162/2012/06/20/Gelekte-gegevens-interimkantoor-vormen-inbreuk-op-de-privacy.dhtml


What to expect (review of the book about Anonymous)

First, we are signing up our first year-long sponsor here (interested? contact me, there is not that much space left). And it is for a good thing: I need to buy a new computer and stuff :)

Secondly, during the weekend we will be cleaning up some back-office material (Twitter lists, Google Reader lists and of course Netvibes and diigo.com).

We are also always interested in tips and Belgian data.

Yep, here to stay.

And we are working on another project, but that is what it is, a project.

During the weekend I will also write my damning review of the recent book about Anonymous (can you find the book?) that supports a few things I have said all along but is NOT about Anonymous as a phenomenon or movement.
