01/31/2013

hack of the day : webshopawards website (as an example)

so we give the award in 2013 to sejal


the difference between open data and dataleakage in Ghent

open data is data that is open for everybody and where all the people who are mentioned in that open data know and agree (or have to agree) to the specific data that is being made available

dataleakage is when data has been made public for which you don't have that permission or when you release a file that may be public one by one but that is dangerous if you use it for other reasons like spamming and ID theft or harassment

an example is

http://data.appsforghent.be/kotatgent/data.xml

so yes, tell me do you have the permission of each of them to have them in one file available to everyone or do you have the permission to show their individual data individually

this also means that if you make such data available you shouldn't just drop it on the internet as if it was some garbage but protect it and be sure that you know who will use it for what purpose (especially if there are personal GSM and email addresses in it)

think before you run and you will go far ....


more about cma.be the online medical defaced dataservice

you can get your medical results here

https://online.cma.be   (but that is also running IIS 6)

and what is the use of installing ssl encryption if you do it the wrong way 

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.cma.be%2Fonline%2FDefault.aspx

so whatever one says here there is no security blablablabalbal

Security of your Personal Information
Centrum voor Medische Analyse secures your personal information from unauthorized access, use or disclosure. Centrum voor Medische Analyse secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. When personal information (such as a credit card number) is transmitted to other Web sites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.
http://www.cma.be/Home/tabid/36/ctl/Privacy/Default.aspx

and it does not conform to the latest technologies as stated here

After a complete facelift and a complete recoding of the software, the new website for the online results is available! The website fully conforms to the latest developments in software and was built on the .net framework 3.5, microsoft visual studio 2008, XML and CSS technology
http://www.cma.be/Arts/iLabOnlineHelp/tabid/268/Default.a...

because just as this documentation shows their website dates from 2008

see this documentation  http://www.cma.be/Portals/0/downloads/online.pdf

and Microsoft visual studio is already in version 2012 and IIS in 7.5 (so not the LATEST)

if this is e-health, then we can expect some things and we shouldn't be surprised to have found Excel tables from a bloodbank online


another defacement in jobsindehandel.be (forem-vdab) and what forem does a little better

this is one

 

but the french speaking forem does something right that the VDAB does totally wrong: when you click on french and you click on information or to insert information, then you go to the site of Forem.be, you don't stay on this site with a shitty security

but this doesn't say that the forem encrypts its information (or your information)

http://www.leforem.be/particuliers/chercher/CV/creer-un-CV-simplifie.html

but it is already under its own domain making an xss attack or injection more difficult


see belsec blog through Google without going to belsec blog or bypass filters

https://www.google.be/search?q=site%3Abelsec.skynetblogs.be&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#q=site:belsec.skynetblogs.be&hl=nl&newwindow=1&safe=off&client=firefox-a&hs=qGI&tbo=d&rls=org.mozilla:en-US:official&source=lnt&tbs=qdr:w&sa=X&psj=1&ei=LZAKUcD3EOaR0QXl-IGgDA&ved=0CB0QpwUoAw&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&bvm=bv.41642243,d.d2k&fp=b204c6e8007e1374&biw=1235&bih=791   (should give all the articles of the last week)

https://www.google.be/search?q=site%3Abelsec.skynetblogs.be&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#q=site:belsec.skynetblogs.be&hl=nl&newwindow=1&safe=off&client=firefox-a&hs=Gwc&tbo=d&rls=org.mozilla:en-US:official&source=lnt&tbs=qdr:d&sa=X&psj=1&ei=NJAKUZO9JOOm0AWuzYGIAw&ved=0CBwQpwUoAg&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&bvm=bv.41642243,d.d2k&fp=b204c6e8007e1374&biw=1235&bih=791 (should give all the articles of the last day)

then you take the most recent one and you read it in the cache

and you look at the date of the last posting

then you go back to your google results and you get a posting for the day before that and so on

this way you leave less traces - if that is your goal

or it seems that I am blocked in some enterprises and administrations - but with Googlecache you can sometimes bypass them (translate is sometimes another way to do that)

this is easier if you have a Google account


another belgian online creditcompany defaced and insecure

this is the hack- sending out the warning to everybody that they are vulnerable

this is them

and they also have an insecure webform in which personal and financial data is in CLEARTEXT

and they are running NO HTTPS and still on ...... yeah   not IIS 7.5 but

Server: Microsoft-IIS/7.0
Set-Cookie: .ASPXANONYMOUS=BVI6kFo2zgEkAAAAMjAwYjMxMmQtYjY1OS00MGUyLTgwNjctYzI5MGU5ODBjYjgy0; expires=Thu, 11-Apr-2013 02:16:23 GMT; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
http://www.web-sniffer.net   (better but not perfect enough to secure a website with that kind of data)


yahoo spamfilter too stupid to stop phishing for yahoo logins

first never use those messages

hover with your cursor over the link and you will see that it is not the yahoo.com domain so it is false

but what is most astonishing

is that Yahoo's spamfilters are normally very good

and the fact that they are so good makes people begin to think that yahoo messages that arrive in their inbox are real messages from Yahoo because they see so little spam (and so much in their spambox) that they think that as it has passed the very good antispamfilters it is real

yes, really that is the biggest danger of nearly efficient spamfilters - that people think that the 1% that gets through is genuine

what should yahoo do

first you should educate the people with a banner or warning above the mailbox stating that yahoo or any other service will never ask for your logins by email or to change them by email

secondly you could make a servicewarning - together with other big operators - in a banner or servicepage in which you could place warnings (not about an email but that people have to relog to for example this website to change their credentials)

third you could make a special button in the mail in which you could send all emails asking for your yahoo logins that comes in the mailbox of a 24H team that will immediately put them into the filters for the future ones (and set up the procedure to kill the phishing page online)

fourth you should augment your spamfilters with everything that is yahoo service or login message or in which the link that message has doesn't belong to the yahoo domain (even if the link is in text)

fifth you should make spamfilters refilter the last 100 messages or so to empty the box from spam that has only been identified as such afterwards

sixth never trust emails instantly, take your time, nobody is going to kill you if you have waited a day, to see it disappear into the spambox
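
The hover check and the fourth point above as filter logic: in a message that talks about the service, every link (clickable or only written as text) must lead to the service's own domain. This is an added example, not code from this blog or from Yahoo; the `TRUSTED` list and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "yahoo"
TRUSTED = ("yahoo.com",)   # assumption: domains the real service links to
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_is_trusted(host):
    """True only for a trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def suspicious_links(subject, html_body):
    """Links in a brand-themed message that do not lead to the brand's domain."""
    text = re.sub(r"<[^>]+>", " ", html_body)            # visible text only
    if BRAND not in (subject + " " + text).lower():
        return []                                        # not about the brand
    collector = LinkCollector()
    collector.feed(html_body)
    candidates = collector.hrefs + URL_RE.findall(text)  # clickable + written out
    flagged = []
    for url in candidates:
        try:
            parts = urlsplit(url)
        except ValueError:                               # malformed: treat as bad
            flagged.append(url)
            continue
        is_web = parts.scheme.lower() in ("http", "https")
        if is_web and not host_is_trusted(parts.hostname) and url not in flagged:
            flagged.append(url)
    return flagged

# Constructed sample: the visible text shows the real login URL, the href does not.
PHISH_SUBJECT = "Yahoo account: verify your login"
PHISH_BODY = (
    '<p>Dear user, your mailbox is over quota.</p>'
    '<p><a href="http://login.yahoo.com.account-check.example/signin">'
    'https://login.yahoo.com/</a></p>'
    '<p>or copy http://yahoo-verify.example/reset into your browser</p>'
)

if __name__ == "__main__":
    for url in suspicious_links(PHISH_SUBJECT, PHISH_BODY):
        print("not a yahoo.com link:", url)
```

The comparison is on the full host name with a leading dot, so a host that merely starts with or contains "yahoo.com" is still flagged.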


hacked medical labo website asks belgians a lot of medical information (close it down)

so when a website is defaced it doesn't mean that it is penetrated and hacked but it means that automated vulnerability scanners have found a way to inject information but this doesn't necessarily mean they have rooted the server and have access to the database

but it does mean that there are a few problems with the server and that if the defacement is old enough that nobody is watching over the security of the server and so it indicates that those servers are like houses without strong frontdoors or which have windows open on the groundlevel when everybody leaves for holiday (which doesn't mean that they will find the jewels)

but that on the same server there is an UNENCRYPTED LOGIN and an UNENCRYPTED FORM that asks all that information in CLEARTEXT is just enormous

imagine all that information being in a database and that database being leaked on the internet

but that information can be hackable because it is running a very old server version against which we are campaigning (like Microsoft itself) as being totally undefendable (meteokust.be uses it)

oh and this is the hack

and Google cache says this dates from "This is a snapshot of how the page looked on 31 Dec 2012 19:01:20 GMT"  exactly one month old

and even more there is a second page - they also didn't see

http://www.cma.be/Portals/0/ulow.txt

this is the reason why

Connection: close
Date: Thu, 31 Jan 2013 14:52:32 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
http://www.web-sniffer.net

CLOSE THIS DOWN AND UPGRADE
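
What an administrator can read from the response headers quoted in these posts, as a small audit: which headers announce the software and its version, whether IIS is below a baseline, and whether cookies lack the Secure or HttpOnly flag. This is an added example, not code from this blog; the `min_iis` baseline of 7.5 follows the version the posts name as current, and the cookie value is a constructed placeholder.

```python
import re

# Headers that exist only to tell a visitor which software is running.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                  "microsoftofficewebserver")
VERSION_RE = re.compile(r"\d+(\.\d+)+")
IIS_RE = re.compile(r"Microsoft-IIS/(\d+)\.(\d+)")

def parse_headers(raw):
    """Turn 'Name: value' lines into (lowercase name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw, min_iis=(7, 5)):
    """Return (finding, header, value) tuples; min_iis is an assumed baseline."""
    findings = []
    for name, value in parse_headers(raw):
        if name in BANNER_HEADERS:
            kind = ("version-disclosed" if VERSION_RE.search(value)
                    else "product-disclosed")
            findings.append((kind, name, value))
        iis = IIS_RE.match(value) if name == "server" else None
        if iis and (int(iis.group(1)), int(iis.group(2))) < min_iis:
            findings.append(("outdated-iis", name, value))
        if name == "set-cookie":
            attrs = [part.strip().lower() for part in value.split(";")[1:]]
            cookie = value.split("=", 1)[0]
            if "secure" not in attrs:       # cookie will travel over plain HTTP
                findings.append(("cookie-no-secure", name, cookie))
            if "httponly" not in attrs:     # cookie readable from page script
                findings.append(("cookie-no-httponly", name, cookie))
    return findings

# Header values as quoted in the posts; the cookie value is a placeholder.
CMA = """Connection: close
Date: Thu, 31 Jan 2013 14:52:32 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727"""

CREDIT = """Server: Microsoft-IIS/7.0
Set-Cookie: .ASPXANONYMOUS=PLACEHOLDER; expires=Thu, 11-Apr-2013 02:16:23 GMT; path=/; HttpOnly
X-AspNet-Version: 2.0.50727"""

if __name__ == "__main__":
    for label, raw in (("cma", CMA), ("credit", CREDIT)):
        for finding in audit(raw):
            print(label, *finding)
```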


the real danger of the site jobsindehandel.be (VDAB and FOREM) National ID asked

we have seen that the site has been defaced, this means that it is possible to inject new information or trojans or redirects or downloads (presented as a needed plugin or update to be able to view all information)

but there is something more

you will see that the site uses forms and has NO SSL encryption

ok, let's search for a job

let's suppose that you have found a job and you want to give the employer your CV

for that you have to log-in to the systems of the VDAB or FOREM if you already have your personal login there (so you are normally at vdab.be), normally you should have been sent there by a pop-up page sending you to that domain and staying on that domain

this is not the case, you are without any encryption or protection (the marketing boys have made it easy but have forgotten to speak to the security and riskguys or have just overshouted them with terms like usability and everybody does it)

and look  NO HTTPS  and they ask for your National ID

but if you thought that this was the end of it ?  no there is much better to come

you can send your personal details online immediately without any protection - non encrypted

and so they will be somewhere on the server in cleartext for people like Rex Mundi to hack

and how many people are stupid enough to fill in in this unsafe environment their real telephone or emailaddress

remember these people are looking desperately for a job, so they are willing to give any information if that gives them more possibilities to have a job

so how many emailaddresses are there on that site ? 10.000 ?  100.000 ? and for how long are they kept ? and how are they protected ? 

no blablablabalblablablablablablablablablablablablabla  do something and shut up
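
A check a site owner can run over their own pages for exactly this problem: forms that collect logins or personal data while the page or the submit target is plain HTTP. This is an added example, not code from this blog or from the sites discussed; the keyword list, the field names and the `jobs.example` URLs are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: substrings of field names that suggest personal or login data.
SENSITIVE = ("pass", "login", "mail", "phone", "tel", "gsm",
             "national", "iban", "card")

class FormCollector(HTMLParser):
    """Collects each form's action and its (type, name) fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            self._cur["fields"].append(((a.get("type") or "text").lower(),
                                        (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def cleartext_forms(page_url, html):
    """Return (submit URL, sensitive fields) for forms exposed to plain HTTP."""
    collector = FormCollector()
    collector.feed(html)
    # A page served over HTTP can be altered in transit, so even an HTTPS
    # action does not protect what is typed into it.
    page_plain = urlsplit(page_url).scheme == "http"
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])
        sensitive = [name for ftype, name in form["fields"]
                     if ftype == "password" or any(k in name for k in SENSITIVE)]
        if sensitive and (page_plain or urlsplit(target).scheme == "http"):
            findings.append((target, sensitive))
    return findings

# Constructed sample form, modelled on the kind of data the post describes.
JOB_FORM = (
    '<form action="/apply.aspx" method="post">'
    '<input name="name"><input name="national_id">'
    '<input type="email" name="email"><input name="gsm">'
    '<input type="submit" value="send"></form>'
)

if __name__ == "__main__":
    for target, fields in cleartext_forms("http://jobs.example/vacancy/1", JOB_FORM):
        print("cleartext submit to", target, "fields:", ", ".join(fields))
```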


database jobsindehandel.be from Forem and VDAB defaced

The public employment services receive around 30 000 vacancies for the retail trade each year. That is why Comeos, Forem and VDAB work together to let you discover this wide daily offer of vacancies.

and they can be happy that it is only a defacement and that no hacker decides to try a sql injection into their database so he gets around 30.000 emailaddresses or other info from employers he could send spam or phishing links or banking trojans to because if there is one section of our population where they use online payment tools it is with those people who have too much work and too little time

oh yes and the server is not monitored because according to Google Cache they didn't see a thing since 21 jan 2013 11:58:07 GMT and it is called index.htm (not seeing that they have added an index.htm page or defaced it is just mindblasting)

todo  tests with sql injection and security

ok they run IIS 7.5 (but has it been closed down ?)  web-sniffer.net


beta, test and development website should not be on the public internet

except if you want others to play in it


if you were defaced, don't clean up with this technical message

just redirect to the homepage - period

never give technical information to the visitor, the administrator should receive the technical information about the incident in his email


how to f.... up your reputation with a stupid defacement

for example

but imagine you are a hoster, a pc company, a software company, a webshop, a webdesigner,......


catho.be hacked (it is possible to add pages - maybe one about gays and marriage ?)

this is the portal

 

and this is the added page - oh it is not because it is in the error and forbidden section that you can't see it

Google sees it and in a browser you see it, so you can link to your new page from wherever

this is the case since months and hasn't changed since (they say they are running apache and ubuntu so you don't have to scan this, they tell this all by themselves on their server, which is quite nice, no ?)

maybe some people will want to propose some malware from the devil ?


why turkish hackers will continue to hack belgian servers until pkk and the turkish gov sign a peace treaty

we found this on infometeo.be  (where else ?)

it is also the meteo of the security of the belgian internet where you see the campaigns that will arrive (first victim)

and those that are underway (don't forget this one, they never upgrade their server)


if you want us to trust you, you should invest in security

or make yourself a big joke, even beginning with your domain name


luckily defacers are stupid lame kidz because if they were smart

now have a look at this

yes you read it right, it is personalloan.be and it is the homepage

instead of just placing hacked by

what if they made a phishing page

yes, not a phishing page added somewhere to a site where every malware scanner would see that it is a phishing page and has nothing to do with the product they are talking about

no a real phishing page on a real domain in which it would look like you could ask for a creditcard or a personal loan and that would collect real information that would be sent to another server

okay it would only be online a few hours or days but your victims would in no way know what hit them

the security of online loan, gamble and creditcompanies is a mess for most of them (even the basics are wrong)


meteokust.be still hacked - yeah we are doing something about it yeah yeah

blablablabbla

please go on and forget about us

this is why it is still on the most hacked server of belgium - ever (IIS 6 - non defendable server)

|LEGEND| Hacked BY POEM

www.meteokust.be/Poem.htm -

SITE HAS BEEN HACKED BY POEM. Special Thank To : DRAGON FORCE MALAYSIA | RILEKS CREW | NEWBIL3VILCO6ES | HEXOR CREW | SECRET

my poem :)

on the internet it is stormy weather

hackers coming by and throwing exploits

but I am on the beach seeing nothing

sleeping in the sun, drinking a cold beer

forgetting about the stormy weather


KVS.be hacked with injection

imagine now that you would change the data for artists, change artists or why not numbers of bankaccounts

inject once inject more inject everywhere something

just for lulz

or inject a link to a bank trojan in case you would afterwards go to the online banking or creditcardcompany to pay online for some tickets


http://mega-search.me the copyrighted files search machine on mega for pirates and cops and mega

In fact if you look at the site and you go through the files you will see that most of the files are gone before the day is over

which means that

or mega is indexing the files that appear on this searchmachine and is checking automatically if there is a high probability that they are copyrighted or not (for example a file with the name of a film uploaded on a folder that is not owned by the producer of the film is for 99% copyrighted)

or mega has already its own search machine in place (like scribd.com has for books for example) and eliminates automatically these files

or the copyright cops are watching this search machine or others indexes and are sending complaints through a more or less automated process that is being followed up more or less automatically and executed very fast

which means that the complaint in the US against mega for some copyrighted files on her systems is a non-issue (and in the worst case is legal harassment and nothing else) because all hosters work on this system (even youtube eliminates hundreds of videos each week this way) because the proof is here for all to see that these complaints are being followed up actively

the copyrightholders should also thank mega because each file that is more or less the same (not based upon name but based upon the bits and dots of a file) has the same ID which means that if you get a complaint against one copy, all other copies will also disappear. I imagine that their lawyers won't be too happy but the cost of applying their copyrights is much easier. In fact you have to look for all copies of your file (for example the hobbit) that have the same number of bits and file one complaint for each of them

this means that for copyrightbreakers or pirates changing the name of the file is not sufficient to make your file survive, you should also change the number of bits of a file (for example by encrypting, hashing or zipping it or by adding other files or cutting parts of it). You can expect software to be developed quite soon (take one file of xbytes and get 5 files with a totally different number of bytes)

the best thing to do is not to use mega for public P2P but to do what people have always done throughout history, exchange personal copies for personal use knowing that in nearly all the countries of the world they will break some law with that (you should better go to the library or the secondhand shop if you can't buy the shopversion)
