• Cloud providers don't filter attack traffic coming FROM them (yet)

    Researchers (Stratsec, linked below) set up a group of public hosts on five cloud providers that would do the following against a victim host:

    • Malformed traffic: Sending a series of non-RFC compliant packets, as well as aggressive port scanning.
    • Malware traffic: Sending a set of publicly known and commonly detected malware to the victim host via a ‘reverse shell’.
    • Denial of service: Sending a flood of traffic to a web server on the victim host.
    • Brute force: Attempting to brute-force the password for the credentials on the FTP service.
    • Shellcode: Launching a set of known shellcodes against various services running on the victim host.
    • Web application: Launching commonly known web application attacks against the victim host including SQL injection, cross-site scripting, path traversal, etc.

    Their results:

    Security posture of the Cloud platforms
    During the execution of the test cases, although we were expecting responses from Cloud providers, our observations on the five tested Cloud providers showed that:

    No connection reset or connection termination on the outbound or inbound network traffic;
    No connection reset or termination against the internal malicious traffic;
    No traffic was throttled or rate limited;
    No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
    Only one Cloud provider by default blocked inbound and outbound traffic on SSH, FTP and SMTP; however, this limitation was bypassed by running the above services on non-default ports.

    http://stratsec.blogspot.com.au/

    Somebody should sue them for millions; that would make them change their minds.

  • What is the Open Wireless Movement?

    Last year, we wrote a post titled "Why We Need An Open Wireless Movement." Today, EFF is proud to announce the launch of the Open Wireless Movement—located at openwireless.org—a coalition effort put forth in conjunction with nine other organizations: Fight for the Future, Free Press, Internet Archive, NYCwireless, the Open Garden Foundation, OpenITP, the Open Spectrum Alliance, the Open Technology Institute, and the Personal Telco Project.


    Aimed at residences, businesses, Internet service providers (ISPs), and developers, the Open Wireless Movement helps foster a world where the dozens of wireless networks that criss-cross any urban area are now open for us and our devices to use.

    The Open Wireless Movement envisions a world where people readily have access to open wireless Internet connections—a world where sharing one's network in a way that ensures security yet preserves quality is the norm. Much of this vision is attainable now. In fact, many people have routers that already feature "guest networking" capabilities. To make this even easier, we are working with a coalition of volunteer engineers to build technologies that would make it simple for Internet subscribers to portion off their wireless networks for guests and the public while maintaining security, protecting privacy, and preserving quality of access. And we're working with advocates to help change the way people and businesses think about Internet service.
    https://www.eff.org/deeplinks/2012/10/why-we-have-open-wireless-movement

  • the details of an advanced attack on a Swiss bank

    started by targeting an employee after he had placed an inquiry on Craigslist related to furniture. The email he got back redirected him to a dynamic-exploit delivery page created by an attacker, which successfully exploited Windows Internet Explorer on his Windows 7 machine to compromise it. This MS12-037 exploit, though not a zero-day attack then, did not have a patch available for it at the time, Gnesa said.

    Once into the compromised employee machine, the attacker used a collection of tools and a sniffer to look for where valuable content might be stored in the Swiss company's network. Though he found an application server, he couldn't get into it. But the attacker did break into the network printer, a Toshiba, and went on to check for passwords. "The administration password was in the HTML code," said Gnesa. "And unfortunately, that password was also used on another machine."

    Eventually the attacker made his way to documents, diagrams and other valuable intellectual property stored on a Linux file server. Although the server was well-kept in terms of security, the backup for it was not, and by using what Gnesa referred to as the phpMyAdmin 3.4.1 swekey RCE exploit, the attacker got to the remote shell on the backup server. With yet another trick, the Linux 2.6.x umount exploit, he got to the root shell and had access to every file and directory, said Gnesa.

    http://www.networkworld.com/news/2012/103012-apt-gnesa-263813.html

    And how did they detect it? By controlling the money and seeing that something was wrong when somebody tried to transfer money (they do care about money).

    After the incident they installed logging and monitoring, because they now also wanted to know what was happening on their network, and they engaged somebody to do that for them (them being the money people),

    because they understood that network and data security is, after all, money.

    it is all about the money

  • Dutch ISPs and hosting providers set up responsible disclosure policies

    Information security is of great importance to telecom companies. To involve users properly, telecom providers are making it easier to report security problems. ICT~Office announced this today.

    How does it work?

    To this end, telecom providers offer their own reporting point on their website, where users can report suspected security problems directly, anonymously if they wish. Until now there was no standard procedure for users.

    It has been agreed that every provider states on its website how users can make a report. Every provider also gives information about the conditions attached to a report. For instance, reporters are explicitly asked not to share the security problem with others, so that providers can fix a possible problem first. It goes without saying that the strict condition applies that the reporter does not abuse the possible weak spot.

    The provider will, in consultation with the reporter, make agreements about fixing the security problem and about whether and how a publication takes place after the fix.

    Which companies are taking part?

    The following companies will offer their own reporting point on their website within two weeks:

    http://www.ictoffice.nl/?id=12161

    And in Belgium?

    According to Quickenborne, in reply to a parliamentary question, the CERT should have set this up, since it is the ideal intermediary for it; but even if Quickie was quick with his answer, nothing has come of it since.

  • ING gives its customers a free antimalware scanner

    ING is offering its customers a free antimalware package from the company Trusteer. The security software, available for Windows and OS X, is said to be able to recognise malware such as trojans and keyloggers and also remove it.

    ING says it has been supplying the Trusteer Rapport package to its customers abroad for some time, and that on the Dutch market the package was offered to customers who were struggling with an infected PC. The bank has now decided to make the software available to all its customers. Notably, the software is not offered on the ING site over an encrypted https connection.

    The Trusteer Rapport software embeds itself in the browser. According to Trusteer, the software prevents man-in-the-middle and man-in-the-browser attacks, and also blocks keyloggers and tools that try to take screenshots covertly. The tool also promises to neutralise phishing attacks and to detect tampering with certificates. Trusteer Rapport is available for both Windows and OS X users and is compatible with Internet Explorer, Firefox, Chrome and Safari.
    http://tweakers.net/nieuws/84819/ing-gaat-klanten-gratis-antimalwarepakket-leveren.html

    With all the ING phishing mails going around, this is no unnecessary luxury.

  • do not think that a Macintosh/Apple will keep targeted attacks away

    In his presentation at SecTor, Hardy presented data from one advanced attack first detected in May, 2011. The attacks combined spear phishing e-mail sent to individuals within the target organizations. The e-mails appeared to come from the accounts of real people, and contained content relevant to the recipients. Each contained URLs pointing to legitimate organizations, and a ZIP archive attachment that contained the Mac-specific malware payload. Mac users who opened the attachment were infected with a version of two malicious programs: Revir and iMuler, which are capable of downloading other malicious programs and monitoring activity on infected systems.

    Citizen Lab is now tracking at least four separate families of Mac-focused malware that are being used in targeted attacks against human rights organizations, with names like Sabpab, Lamadai, MacControl. Many of those malware families are actively being developed, with new variants appearing at regular intervals, Hardy said. At least one family, dubbed Davinci, appears to be a gray ware Mac surveillance software package developed for the law enforcement community.
    http://www.itworld.com/software/308196/targeted-attacks-against-mac-users-continue-climb

    They are not targeting the machines, they are targeting you, whatever you use, and for whatever you use they will develop the necessary tools to get access.

  • a £120,000 (about 150,000 euro) fine from the UK Information Commissioner's Office for not encrypting your sensitive emails

    The press release says it all:

    The Information Commissioner’s Office (ICO) is reminding organisations that sensitive personal information should be encrypted when being stored and sent electronically.

    The news comes as Stoke-on-Trent City Council receives a monetary penalty of £120,000 following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person.

    Stephen Eckersley, Head of Enforcement at the ICO, said:

    “If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.

    “It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.

    “The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”

    The breach happened on 14 December 2011 when 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to Counsel instructed on a child protection case.

    While the authority was able to establish that the email address used was valid, the recipient failed to respond when asked to delete the emails.

    The ICO’s investigation found the solicitor was in breach of the council’s own guidance which confirmed that sensitive data should be sent over a secure network or encrypted. However, the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. The council also provided no relevant training.
    http://www.ico.gov.uk/news/latest_news/2012/penalty-highlights-need-for-encryption-of-sensitive-data-25102012.aspx

    There are enough solutions to do that, even for only some of the mails, and they are a lot cheaper than the fine.

    Rumor has it that lobbyists are trying to stop the European Commission from introducing such fines across Europe in the next two years.

    The advantage of such a regime is that as a privacy or security officer you can easily make the financial case for some investments.

  • webs.com is one big comment-spam machine for child porn, pharmacy and you name it (Belgian sites too)

    Take this search in Google, limited to Belgian sites:

    .webs.com/apps/blog/ site:be preteen OR CP OR lolita OR underage

    and what do you find?

    Google reports 211,000 results, but a few thousand is probably closer to reality (old links, duplicates and massive infections of a single site all inflate the number).

    Powered by DigiOz Guestbook Version 1.7.2 - Rietvissers
    www.rietvissers.be/guestbook/list.php?page=707&order=desc
    30 July 2012 – </a> Why would you do this? <a href=" http://yaunany.webs.com/apps/blog/ ">Preteen Bbs List </a> Gotta Have That in my Life. <a href=" ...

    Our Colors our Speciality | Novita
    www.novitabeits.be/our-colors-our-speciality?page=3330
    A jiffy bag <a href=" http://ohomejeat.webs.com/apps/blog/ ">Lolita Teens </a> this girl is hot. <a href=" http://ybarilic.webs.com/apps/blog/ ">Nn Preteen Pics </a> ...

    and also the city of Ghent


    Sponiduagiandda DyernewrareG | qa.personeelsevenementen.gent ...
    personeelsevenementen.gent.be/comment/44813
    7 aug 2012 – <a href=" http://pydyesanue.blog.petitmallblog.jp/ ">cute preteen incest</a> wow ...... <a href=" http://hauutyhita.webs.com/apps/blog/ ">Preteen ...

    and youth counselling (sic)

    Gastenboek Berichten 196 tot en met 210. Lddeweij 29-07-2012 I ...
    www.jeugdwerkhosea.be/.../gb-tekst1.php?start=1...
    Dgcjrtnn, 29-07-2012. I'm a trainee <a href=" http://paajicehoteb.webs.com/apps/blog/ ">Preteen Bikini Models </a> girl is so sexy n guy is moron..lame.

    and sites for religious family celebrations

    Supercoole Communiekaartjes ! » gek op spruitjes
    www.gekopspruitjes.be/supercoole-communiekaa...
    24 Sep 2012 – <a href=" https://github.com/jyypuuqe ">small preteen lolita masha</a> ..... <a href=" http://afysunatyki.webs.com/apps/blog/ ">Preteen Boy</a> ...

    and legal sites

    FORUM - FAILLISSEMENT EN GERECHTELIJKE REORGANISATIE
    www.curatorennet.be/printable/.../index.php?...
    29 Jul 2012 – <a href=" http://edajolodi.webs.com/apps/blog/ ">Preteen Underage Lolitas</a> who is the guy? He is wonderful!!! Plase Tell me his name!

    and we are talking about PRETEEN (children who are not yet teenagers)

    For the police department and the FCCU: I haven't been to any of these sites; I only use Google and online information.

  • Anonymous takes down 89 child porn websites but finds many more on webs.com

    Now we have good news and bad news; the good news being: we have successfully attacked and removed 89 child porn sites from the .webs service. The bad news is that when we run some Google queries it shows that there are about 197,000 websites on the .webs service hosting CP (this is 100% legitimate). It is depressing to see a number like that involved with something like this. BUT WE WILL NOT GIVE UP! Our attacks will not cease until every child porn site on the internet is erased and every pedophile who has ever done harm is punished.

    We invite .webs to aid us in the eradication of child porn websites from their servers; they already know we mean business and if they refuse to remove the CP sites we will take them down by force. This is not a threat, it is a promise.
    http://pastebin.com/NAzTGeM2


  • mostly Dutch websites infected with a JavaScript-injecting iframe

    Google dorks:

    http://osbasedreceiva.pl/img3/count.htm site:be OR site:nl   

    http://www.lamiabiocasa.it/class/cls-memcache.php  site:nl OR site:be

    Dr.Hauschka Cosmetica
    www.hauschka.nl/wsh
    body iframe src http osbasedreceiva pl img3 count htm width 1 height 1 frameborder 0 iframe p deze website gebruikt frames frames worden door uw browser ...

    The iframe doesn't show up as such; the snippet shows it as if it were text rather than code, but when you click on the links my antivirus pops up and removes a virus in an iframe.

     
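    One way to check your own guestbook or comment pages for both patterns, the webs.com/apps/blog/ spam links from the webs.com item above and the hidden 1x1 iframe from this item, as an added example that is not code from the original page. It uses only the Python standard library; the sample HTML, the spam keyword list and the www.example.be host name are constructed for the demonstration.

```python
"""Scan a page's HTML for two injection patterns: spam anchors pointing at
*.webs.com/apps/blog/ (comment/guestbook spam) and invisible iframes that
pull in a foreign page (the osbasedreceiva.pl type).
Added example, not code from the original page; SAMPLE and the keyword
list are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SPAM_HOST_SUFFIX = ".webs.com"
SPAM_PATH_PREFIX = "/apps/blog/"
SPAM_WORDS = ("preteen", "lolita", "underage")   # keywords from the dork above


def _tiny(value):
    """True for a width/height of 1px or less (the classic hidden 1x1 iframe)."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class InjectionScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []          # (kind, url, detail)
        self._href = None           # href of the <a> we are inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and "href" in a:
            self._href, self._text = a["href"], []
        elif tag == "iframe":
            self._check_iframe(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_anchor(self._href, " ".join(self._text).strip().lower())
            self._href = None

    def _check_anchor(self, href, text):
        href = href.strip()                     # spammers pad hrefs with spaces
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if host.endswith(SPAM_HOST_SUFFIX) and url.path.startswith(SPAM_PATH_PREFIX):
            self.findings.append(("spam_link", href, text))
        elif any(word in text for word in SPAM_WORDS):
            self.findings.append(("spam_keyword", href, text))

    def _check_iframe(self, a):
        src = a.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.own_host:
            reasons.append("offsite src")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append(("iframe", src, ", ".join(reasons)))


def scan_html(html, own_host):
    """Return a list of (kind, url, detail) findings for one page."""
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the search-result snippets above.
SAMPLE = """
<p>Why would you do this? <a href=" http://yaunany.webs.com/apps/blog/ ">Preteen Bbs List </a>
Gotta Have That in my Life.</p>
<p>Nice site, see <a href="http://www.example.be/over-ons">about us</a>.</p>
<p><a href=" https://github.com/jyypuuqe ">small preteen lolita masha</a> ....</p>
<iframe src="http://osbasedreceiva.pl/img3/count.htm" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.example.be/kaart.html" width="600" height="400"></iframe>
"""

if __name__ == "__main__":
    for kind, url, detail in scan_html(SAMPLE, "www.example.be"):
        print(f"{kind:13} {url}  [{detail}]")
```

    Run it over a saved copy of each page (or a crawl of your own site) and treat any iframe finding with an offsite src as a compromise until proven otherwise. The keyword check also catches the petitmallblog.jp and github.com style links from the snippets above, as long as the anchor text carries one of the words.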

  • why it still makes sense to block .ru if you don't need full .ru access in your network

    These are the 20 biggest malicious redirectors for this month. Look at the domain extensions and think how much infected traffic you would have stopped even if the infection had bypassed the security software.

    (count not captured)  http://lpistw.4pu.com/
    26 redirections  http://xudyhbes.ru/count6.php
    19 redirections  http://penetrateperil.ru/restyle?8
    18 redirections  http://desk-airline.ru/ais/ditante.php
    16 redirections  http://rugbycurrent.ru/newsroom?8
    11 redirections  http://miamiheattickets.com/http.php
    1 redirection    http://dubstep.dumb1.com/
    10 redirections  http://xudyhbes.ru/count6.php
    9 redirections   http://24medi.ru/timetose?19
    7 redirections   http://pastro.ru/example/status.php
    7 redirections   http://24-verygoods.ru/in.cgi?9
    6 redirections   http://rebuildingirk.com/Supplier?8
    6 redirections   http://froling.bee.pl/
    5 redirections   http://wayoseswindows.ru/Tech?8
    5 redirections   http://trashycoach.ru/newsroom?8
    5 redirections   http://theinter.ru/in.cgi?12
    5 redirections   http://rugbycurrent.ru/newsroom?8
    5 redirections   http://rec-creations.com/adv.php
    5 redirections   http://placeholderpadstyle.ru/Cuisine?8
    5 redirections   http://capitalizingwere.ru/pavilion?8
    http://labs.sucuri.net

    Yes, 14 of the 20 entries (12 distinct .ru hosts; two of them appear twice) would have been stopped before reaching them.

    You could whitelist only the most important .ru sites, with care.
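    To make that count reproducible, here is the .ru egress rule applied to the list above, as an added example (not the page's or Sucuri's code). The allowlist entry yandex.ru is a hypothetical "site you still need"; the rest is the 20 URLs exactly as listed, duplicates included.

```python
"""Apply a 'block .ru unless explicitly allowed' egress policy to the
Sucuri redirector list above. Added example, not the page's own code;
the ALLOWLIST entry is a hypothetical host you might still need."""
from urllib.parse import urlparse

BLOCKED_TLDS = {"ru"}
ALLOWLIST = {"yandex.ru"}          # hypothetical: a .ru site you still need

# The 20 redirector URLs from the Sucuri list above (duplicates kept, as listed).
REDIRECTORS = [
    "http://lpistw.4pu.com/",
    "http://xudyhbes.ru/count6.php",
    "http://penetrateperil.ru/restyle?8",
    "http://desk-airline.ru/ais/ditante.php",
    "http://rugbycurrent.ru/newsroom?8",
    "http://miamiheattickets.com/http.php",
    "http://dubstep.dumb1.com/",
    "http://xudyhbes.ru/count6.php",
    "http://24medi.ru/timetose?19",
    "http://pastro.ru/example/status.php",
    "http://24-verygoods.ru/in.cgi?9",
    "http://rebuildingirk.com/Supplier?8",
    "http://froling.bee.pl/",
    "http://wayoseswindows.ru/Tech?8",
    "http://trashycoach.ru/newsroom?8",
    "http://theinter.ru/in.cgi?12",
    "http://rugbycurrent.ru/newsroom?8",
    "http://rec-creations.com/adv.php",
    "http://placeholderpadstyle.ru/Cuisine?8",
    "http://capitalizingwere.ru/pavilion?8",
]


def host_of(url):
    """Host part of a URL: lowercase, no port, no trailing dot."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_allowed(host, allow=ALLOWLIST):
    """Exact allowlisted host or any subdomain of one."""
    return host in allow or any(host.endswith("." + a) for a in allow)


def blocked_by_tld(url, blocked=BLOCKED_TLDS, allow=ALLOWLIST):
    """True if the egress policy would refuse this URL.

    Only the real last label counts: 'evil.ru.example.com' is .com, and an
    IP-literal host has no TLD at all, so a TLD block never catches it."""
    host = host_of(url)
    if not host or "." not in host or host.replace(".", "").isdigit():
        return False
    if is_allowed(host, allow):
        return False
    return host.rsplit(".", 1)[1] in blocked


def evaluate(urls, blocked=BLOCKED_TLDS, allow=ALLOWLIST):
    """Summarise how much of a redirector list the policy would have stopped."""
    hits = [u for u in urls if blocked_by_tld(u, blocked, allow)]
    return {
        "entries": len(urls),
        "blocked_entries": len(hits),
        "blocked_hosts": sorted({host_of(u) for u in hits}),
        "passed": [u for u in urls if u not in hits],
    }


if __name__ == "__main__":
    summary = evaluate(REDIRECTORS)
    print(f"{summary['blocked_entries']} of {summary['entries']} entries blocked")
    for u in summary["passed"]:
        print("  not covered by the .ru rule:", u)
```

    The same blocked_by_tld decision is what a proxy ACL or DNS policy implements. Note what it does not cover: IP-literal hosts and the .com and .pl redirectors in the list, which is why the rule sits next to the security software rather than replacing it.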

  • what is a Traffic Distribution System or TDS?

    As with the ZeroAccess botnet (see below), the primary goal of the malware writers is to make money, lots of money.

    So they will try to drive traffic to sites that pay money for clicks or views, and they will collect that money instead of the sites that send the traffic or the owners of the infected computers (imagine getting a cheque for 100 dollars because your computer is infected).

    The site they send that traffic to is a Traffic Distribution System. It pays them for the traffic, serves it popups, pop-unders and every other kind of screen spam, and makes most of its money from installing fake antivirus or "PC health" software (your computer is running slow, that kind of thing).

    They can even install such a system on hacked servers or sites; mostly you notice it because there is a /tds/in.cgi path that wasn't there before (the in.cgi URLs in the redirector list above fit that pattern).

  • the new search trick for vulnerable Apache websites

    Some people really think that administrator or network information should be open to anybody (even knowledgeable hackers or would-bes).

    Have a look at http://server118.jnet.be/server-status and write down everything you now know without even having access to the server (Belgian cybercrime law, you know).

    site:be inurl:server-status apache

    There aren't that many of them, but if you drop the restriction to the .be domain extension the pick is much bigger.
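    For the owner of such a server the fix is an access rule on the status handler. The two fragments below are an added example in Apache 2.4 syntax (not configuration taken from the page or from the server linked above); 192.0.2.10 stands in for your monitoring host.

```apache
# Added example, not configuration from the page. Two alternative fragments.

# Exposed: mod_status is on and the location carries no access control,
# so anyone can read the scoreboard (and with ExtendedStatus On, every
# client IP and requested URL as well). This is what the dork finds.
<Location "/server-status">
    SetHandler server-status
</Location>

# Hardened: only loopback and the monitoring host (192.0.2.10 is a
# placeholder) may read it, and per-request detail is switched off.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 192.0.2.10
</Location>
```

    On Apache 2.2 the equivalent inside the Location block is "Order deny,allow", "Deny from all" and "Allow from 127.0.0.1 192.0.2.10". Check from outside with curl -s -o /dev/null -w '%{http_code}\n' http://yourhost/server-status, which should print 403 (or 404 if the handler is not enabled at all).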

  • why it makes economic sense for ISPs to clean ZeroAccess infections out of their networks

    The malware then makes a connection to another computer on TCP port 12758 and sends it a copy of the data retrieved from the exchange above. This second system responds with additional data (50K), similarly encoded. This appears to be the instructions (URLs probably) for the ad-click scheme. The infected computer then proceeds to visit hundreds of web sites during the next minute clicking on links. It then stops abruptly, waits for 5 minutes and then repeats the process from the start.

    The browsing only consumes about 0.1 MBits/second when averaged over a long period. However for an individual user this adds up to 32 GigaBytes per month, which can have a significant impact for users with a bandwidth cap. To put it in perspective, it is the equivalent of downloading 45 full length movies. For the service provider, the impact on their network depends on the infection rate. The observed infection rate in mid June was about 0.8%. This means that at any instant this bot alone is consuming 800Mbits/sec of bandwidth for every 1M users in the network.

    http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-New_CC_protocol_ZeroAccess-final2.pdf

    ZeroAccess is a botnet infection that sends the computer, in the background, to click on different ads that bring money to the operators.

    Imagine what it could cost you in crime traffic if your network got infected with this botnet. It also uses a specific port (TCP 12758), which makes it easier to block or monitor.
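    What "easier to monitor" looks like in practice, as an added example that is not code from the page or from the Kindsight report: flag hosts that contact TCP/12758 and then fan out to hundreds of web hosts within a minute, and put the report's bandwidth arithmetic in a function so you can plug in your own user count and infection rate. The connection records are constructed (format: ts,src,dst,dport,proto), and the 60-second window and 100-host threshold are my reading of the excerpt, not values from the report.

```python
"""Flag hosts showing the ZeroAccess pattern from the Kindsight excerpt:
a TCP/12758 exchange followed by connections to hundreds of different
web hosts within a minute. Added example; records are constructed and
the thresholds are assumptions, not values from the report."""
import collections
from typing import NamedTuple

ZEROACCESS_PORT = 12758   # C&C port named in the report
CLICK_WINDOW_S = 60       # "hundreds of web sites during the next minute"
CLICK_THRESHOLD = 100     # distinct web hosts in that window to call it click fraud


class Conn(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """One constructed record: ts,src,dst,dport,proto."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return Conn(float(ts), src, dst, int(dport), proto)


def detect(lines):
    """Return {src_ip: verdict} for every host that touched TCP/12758."""
    by_src = collections.defaultdict(list)
    for conn in map(parse_line, lines):
        by_src[conn.src].append(conn)
    verdicts = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c.ts)
        cnc = [c.ts for c in conns if c.proto == "tcp" and c.dport == ZEROACCESS_PORT]
        if not cnc:
            continue
        # Widest fan-out to web hosts in the minute after any C&C contact
        fanout = max(
            len({c.dst for c in conns
                 if c.dport in (80, 443) and t0 <= c.ts <= t0 + CLICK_WINDOW_S})
            for t0 in cnc)
        verdicts[src] = {
            "cnc_connections": len(cnc),
            "web_hosts_in_window": fanout,
            "click_fraud_pattern": fanout >= CLICK_THRESHOLD,
        }
    return verdicts


def isp_cost(users, infection_rate, per_bot_bps=0.1e6, days=30):
    """(aggregate Mbit/s, GB per bot per month) at the report's 0.1 Mbit/s average."""
    aggregate_mbps = users * infection_rate * per_bot_bps / 1e6
    gb_per_bot = per_bot_bps * 86400 * days / 8 / 1e9
    return aggregate_mbps, gb_per_bot


def sample_log():
    """Constructed connection records, not a real capture."""
    t0 = 1351600000.0
    lines = []
    # 10.0.0.5: two cycles of C&C contact then 150 web hosts in 45 s, 5 minutes apart
    for cycle in range(2):
        base = t0 + cycle * 360
        lines.append(f"{base:.1f},10.0.0.5,198.51.100.7,{ZEROACCESS_PORT},tcp")
        for i in range(150):
            lines.append(f"{base + 1 + i * 0.3:.1f},10.0.0.5,203.0.113.{i + 1},80,tcp")
    # 10.0.0.7: ordinary browsing, never touches 12758
    for i in range(5):
        lines.append(f"{t0 + 10 * i:.1f},10.0.0.7,192.0.2.{i + 1},80,tcp")
    # 10.0.0.9: one hit on 12758 but no click burst: worth a look, not proof
    lines.append(f"{t0 + 20:.1f},10.0.0.9,198.51.100.7,{ZEROACCESS_PORT},tcp")
    lines.append(f"{t0 + 21:.1f},10.0.0.9,192.0.2.1,80,tcp")
    return lines


if __name__ == "__main__":
    for src, verdict in detect(sample_log()).items():
        print(src, verdict)
    mbps, gb = isp_cost(1_000_000, 0.008)
    print(f"per 1M users at 0.8%: {mbps:.0f} Mbit/s aggregate, {gb:.1f} GB per bot per month")
```

    The port hit alone is a lead, not a verdict (10.0.0.9 above), which is why the fan-out check is the condition that raises the alert; feed it flow or proxy logs converted to the same five fields.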

  • worse than publishing a whole management mailbox: sending emails from that mailbox

    The email, obtained by the Herald, was sent on August 22, purportedly to address staff concerns that the manager had hired his son in a newly created position despite budget cutbacks and the fact that the son had "no formal skills or qualifications". The email says "there is no corruption" because the manager had the discretionary power to create the position.

    "The staff have also said that because the director and my [son] have the same sex preference they have a special relationship and this is why the position was approved," the email reads. "This is not true and is very offensive and is against the TAFE code of conduct and must stop."
    http://www.smh.com.au/it-pro/government-it/more-emails-hacked-as-revenge-for-education-cuts-20121030-28hkn.html

    This was revenge for the severe budget cuts at that institution, and it has already happened twice. There are only two ways it could have happened: either someone has the password, or someone has access to the passwords he uses (even if he changes them).

    Now everybody has read a staff rumour about the sexual orientation of the director and the manager's son, even though the email itself denies it.

    But imagine this at a financial institution, a minister, a police officer and so on. Coming from the mailbox itself, it would need an immediate and massive response to get the damage under control.

    This is why two-factor authentication instead of simple passwords is so important.

  • if you do something stupid (like smashing up a bus), be sure you are not on camera, knucklehead

    During the World Series some fans just like to stir up trouble, like every year (it is as if they live up to it), and then, with the beer and the victory in their heads, they do things they would never dream of doing in their own street, watched by their neighbours and friends.

    In fact you are being watched by your neighbors and friends ..... online

    http://blog.sfgate.com/crime/files/2012/10/tony.jpg

    A Chronicle photo of the man smashing the front window of the bus during post-World Series celebrations was widely circulated online, and police say tips led to the arrest of Gregory Tyler Graniss, 22, of San Francisco. Graniss was booked Tuesday night on charges of felony vandalism and injuring or destroying a passenger transit vehicle. The latter charge is also a felony.
    http://blog.sfgate.com/crime/2012/10/30/police-arrest-man-in-muni-bus-vandalism/

    The other thing is: what are those bystanders laughing about, and why are they taking pictures? Do they never need to take a bus?

  • a good educational story about sexting and sex-taping the first time, by teenagers

    So two American teenagers, in love for two years, decided at sixteen to have legal and consensual sex during a school trip to Morocco. They could have been sent home for this under the rules of conduct, but instead they were suspended, and several lawsuits are now under way, with their names and reputations publicly damaged.

    For the older ones among us: we did such things too, but luckily there wasn't easy recording technology around us all the time, so nobody could have done the same thing to us, nobody would know, and it wouldn't have stayed on the internet for all to see for as long as the internet keeps it.

    So a friend decided to film the act with his phone,

    and this friend sent the film to others, and they to others.

    So the boy involved goes to the school management asking for help with this, but they decide to suspend him (lawsuit one, against this suspension, because he is the victim and because naming him invaded his privacy), the girl, and the student who filmed it (who is being sued by the boy).

    And at the end of it all, the boy and the girl are no longer dating.

    So much for the first time you will never forget.

    http://www.sfgate.com/news/article/Pa-student-sues-over-sex-tape-suspension-3970627.php

  • this teacher stays suspended for as long as Google remembers her erotic pictures

    Lincoln Unified counters that Kaeslin, 36, engaged in unprofessional and immoral conduct. The district accuses Kaeslin of keeping thousands of pornographic and erotic images on her school-issued laptop, then lying about her activities when administrators questioned her. The district was subject to embarrassment when the story hit the Internet, the district has maintained.

    "If you were to Google her name today, you would find there are still over 10,000 live hits," attorney Marlene Sacks said, adding that Kaeslin "set an appalling example for a teacher" and that her character is "so fundamentally flawed" she cannot return to the classroom.
    http://www.sfgate.com/news/us/article/Calif-teacher-fired-for-porn-site-wants-job-back-3974873.php

    And getting that out of Google would cost you an enormous amount of money and would in fact not even be possible, because the more you try to get it removed, the hotter it becomes to have it and distribute it.

  • if your kid does stupid things on Facebook, this is one way to punish them

    Publish loads of silly pics of her parents on her wall just to ridicule her, like these parents did.

    http://blog.sfgate.com/sfmoms/2012/10/24/parents-punish-daughter-by-posting-this-photo-her-facebook-wall/

    But whether this is serious enough for a journalist to spend time on is another matter.

  • in the US the mailboxes of public officials are ... nearly public

    Look at a case like this:

    "People who've e-mailed Oakland Police Chief Howard Jordan over the past year about Occupy Oakland probably didn't get much of a response.

    That's because he used a spam filter to dismiss messages sent to him with "Occupy Oakland" in the subject line, according to a federal court filing Monday. Same goes for the phrases "stop the excessive police force," "respect the press pass" or "police brutality." Instead of landing in his in-box, those messages went straight into his junk mail folder, which he apparently never looked at.

    Because of those filters, Jordan missed e-mails from other city officials and a federal court monitor, who oversees the department's compliance with court-ordered reforms stemming from a police abuse scandal.
    http://www.sfgate.com/crime/article/Oakland-chief-filtered-out-Occupy-e-mail-3991835.php

    But this means that people, via the courts, can get access to mailboxes and to the way emails are handled, just as was the case with paperwork before (and in the financial sector this has been extended to nearly every form of communication, including chats).

    Imagine that in Belgium.