If anybody had said until a few months ago that the Belgian Privacycommission would handle an official complaint against a data leak and would say that the originator of the leak will be fined, we would have laughed and said 'yeah, in your dreams'
this privacycommission? no way
well, they have done it with the NMBS data leak and they have also said that the NMBS will probably be fined (and the guys of Storify may also have a problem)
the reason is of course that the NMBS did everything wrong they could have done wrong, before, during and after the incident
let this be a second warning for the Belgian internet industry: clean up your mess and do the right thing (meaning do things the right way)
this doesn't mean that the Privacycommission will do this for every leak, and most of the Belgoleaks are for the moment not of that order - except for the secret one, of which the name has been communicated to the Privacycommission (maybe it will put enough pressure on them (and the others in their sector) to invest the necessary resources to protect their networks and data better from now on)
lists of users
open configuration settings
cert and privacycommission (not every time) have been informed
the first set is gone
next week we will start publishing some of them
others will be archived in the leaks or insecure belgium lists
there are also fundamental questions that we have asked
we will not send masses of mails to the cert and the privacycommission
we will send a few mails in which several problems or findings are taken together
but the small daily belgoleaks in which you will find
* old published emails and logins from Belgians (for example on pastebin)
* listings of email addresses that are published
* information that is available in txt format while normally you would have to copy it one by one
* interfaces that we shouldn't see
* addresses and other information that people seem to have given themselves
* websites that are hacked
* non-strategic websites with no SSL protection or one that is badly configured
* websites that do not fall under Belgian jurisdiction even if many Belgians use them
* data leaks with only a few Belgians
and so on
will be published here
We will not publish here
* access to passwords
* recently published pastebin and other publications of logins
* non-strategic data leaks which may nevertheless have a commercial impact
these will be published on Friday or Wednesday, when the CERT has had enough time to contact them to correct the situation - or close the site down (for maintenance)
Ransomhacker Rex Mundi had access to half a million data records about Belgians in September 2012 (if you type Rex Mundi in the search form you will find all the information about that and other incidents)
He wanted to publish the data on a Friday, but as we found that a bad idea we were able to convince him to say who the victim was (so they could take immediate action before somebody did something else), to get into contact with the official handlers of the case and to not publish the information of the (innocent) victims.
At that moment we were totally alone and we tried to do the right thing, but we weren't covered by any handler, contract as 'cybervolunteer' or 'law'. We took an enormous risk in doing this, but the possibility of having information about thousands of Belgians on the web on a Friday was too big a risk (even if some said that that would have been better to advance security - which may be right, but can you look all those innocent victims in the eye afterwards?)
We never divulged the name of the victim on this blog nor to the press - even if they were very curious. We didn't want to start a panic nor to bring it down.
We have now informed the privacycommission of the name of the victim of the breach so it can invite the victim to hear whether it has taken enough measures, has implemented enough procedures and now has enough resources to make sure that this doesn't happen again, and that if something happens they may be able to respond better and to do what is in the new guidelines from the privacycommission
and don't ask, we promised not to divulge the name; we hope that on the other side they will be better than the NMBS and won't have the same problem again this or next year
ok, half a million records is not the same as 1.4 million (although there were many duplicates in it) with the NMBS, but we know that a part of that data is really in the hands of probably Russian hackers, and the victims were not informed, and we are not even sure that enough is done to make sure that this doesn't happen again (this is why we inform the privacycommission now)
because if you are hacked, you will be attacked again until you are hacked again
We have sent the privacycommission as an answer to their letter a new list of services that use the RRN as a login
These are mainly public services from cities (like libraries and recreation services) that are sometimes delivered by service providers and which, for libraries for example, are based upon WOPAC.
The problem with the RRN is that if we want to keep that weak UID a bit safe we have to limit its distribution on the internet and through unsecured systems
we haven't sent a list of all the services that ask in a form for the RRN without proper protection, because that list would be too long and it would be more productive to publish security norms for anyone who wants to ask for the RRN for something (and in my book it is better to ask for such specific information behind a secured wall and not on the public part of a website - another advantage is that you can send and back up this information in separate environments that are protected by different security tools according to the degree of protection that is needed)
we know that the ball is now rolling and we will be patient :)
maybe it would be a good idea to work with the organisations that group together all of the cities so they could inform their members of the new standards and controls
yix seems to have the problem so many services have - they launch the service, they don't invest in security services and they don't do any security monitoring, and so they can be abused by virus-ridden websites to redirect users via them to their sites while circumventing the security-checking products that should stop the user
the great danger for yix.be is that after this test they will become the tool of preference for phishers and malware distributors all over the world and will be blocked as such - and not just specific links
the accounts are inactive at the moment, but it still seems the other way round: it shouldn't have been possible in the first place, as different other redirect services have made sure of after being the victim of such attacks
Most of the users didn't notice a great difference when using the site during that short period, but some login attempts and API calls failed, and the sysadmins chose to disable some site features.
"The pattern of the attack clearly indicated that this was a malicious attempt aimed at taking the site down. For example, thousands of separate IP addresses all hammering illegitimate requests, and all of them simultaneously changing whenever we would move to counter," wrote Harvey.
"At peak the attack was resulting in 400,000 requests per second at our CDN layer; 2200% over our previous record peak of 18,000 requests per second. Even when serving 400k requests a second, a large amount of the attack wasn't getting responded to at all due to various layers of congestion. This suggests that the attacker's capability was higher than what we were even capable of monitoring."
He pointed out that the attack was coming from thousands of IPs around the world, which means a botnet was used.
First, most of the users didn't notice anything, but they had a CDN failover infrastructure; without it they would have been dead. (do you have a CDN layer?)
Secondly, they decided to deactivate certain functions of the website to make it quicker to respond. (do you have a fallback policy in which you know what you will deactivate immediately when such attacks or too heavy a load are seen?)
Third, they had technicians who were REAL LIFE trying to respond to the ever changing attacks, which has an influence because the attackers will have to change their targets and formats all the time, which makes it easier for them to leave some forensic indications.
if you answer no to any of these three, you are just a sitting duck
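The three points above (a CDN layer, a pre-agreed fallback policy, and people watching the traffic live) can be turned into a small piece of detection logic. The following is an added example, not code from the original post or from the site that was attacked: it walks through constructed access-log lines, flags the seconds where the request rate is both far above normal and spread over many source addresses (the pattern a per-IP rate limit would not catch), and picks how many fallback levels to apply. The log format, the thresholds and the feature names in the fallback policy are all assumptions for the illustration.

```python
"""Added example: flag a distributed request flood in access-log lines and
pick the pre-agreed fallback (feature degradation) level.

The log format, thresholds and feature names below are assumptions for this
illustration, not anything taken from the site discussed in the post."""
from collections import defaultdict


def _constructed_log():
    """Constructed log lines: '<ISO-8601 second> <client IP> <method> <path> <status>'."""
    lines = []
    # Normal traffic: 5 clients, one request each per second, for 3 seconds.
    for sec in range(3):
        for i in range(5):
            lines.append(f"2013-04-01T10:00:0{sec} 203.0.113.{i} GET /index.html 200")
    # Flood in second 3: 300 distinct sources, 2 requests each, hitting the search endpoint.
    for i in range(300):
        ip = f"198.51.100.{i}" if i < 256 else f"198.51.101.{i - 256}"
        for _ in range(2):
            lines.append(f"2013-04-01T10:00:03 {ip} GET /search?q=x 503")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one log line into (timestamp-second, client IP, path)."""
    ts, ip, _method, path, _status = line.split()
    return ts, ip, path


def per_second_stats(lines):
    """Request count and number of distinct source IPs for each one-second bucket."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        ts, ip, _ = parse_line(line)
        counts[ts] += 1
        sources[ts].add(ip)
    return {ts: (counts[ts], len(sources[ts])) for ts in counts}


def detect_flood(lines, rate_threshold=100, min_sources=50):
    """Seconds where the rate exceeds the threshold AND the load is spread over
    many sources: the 'thousands of IPs' pattern from the quoted incident.
    Returns a sorted list of (second, requests, distinct_sources)."""
    flagged = []
    for ts, (count, distinct) in sorted(per_second_stats(lines).items()):
        if count >= rate_threshold and distinct >= min_sources:
            flagged.append((ts, count, distinct))
    return flagged


# Assumed fallback policy (constructed): features ordered by how much load they
# cost versus how much users would miss them. Decide this list before the attack.
FALLBACK_LEVELS = [
    ("light", ["live search suggestions", "analytics beacons"]),
    ("medium", ["full-text search", "API write endpoints"]),
    ("severe", ["user login", "comment posting"]),
]


def fallback_plan(peak_rate, normal_rate):
    """Choose how many fallback levels to apply from the peak/normal rate ratio
    and return the list of features to switch off."""
    ratio = peak_rate / max(normal_rate, 1)
    if ratio < 5:
        levels = 0
    elif ratio < 20:
        levels = 1
    elif ratio < 100:
        levels = 2
    else:
        levels = 3
    disabled = []
    for _name, features in FALLBACK_LEVELS[:levels]:
        disabled.extend(features)
    return disabled


if __name__ == "__main__":
    for second, requests, sources in detect_flood(SAMPLE_LOG):
        print(f"{second}: {requests} req/s from {sources} sources")
        print("  disable:", fallback_plan(requests, normal_rate=5))
```

The point of the two thresholds in `detect_flood` is that a flood spread over hundreds of addresses never trips a per-IP limit; you have to look at the aggregate rate and the number of sources together. The `fallback_plan` ratio tiers stand in for the written policy the post asks about: the decision of what to switch off should already exist on paper before the first peak arrives.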
In the last post we mentioned that the Privacycommission has intervened in a few specific cases in which your RRN was used as the identifier for your LOGON to a website or webservice.
They have stopped this kind of practice, which means that you may not use this anymore.
If you are confronted with this kind of practice, please contact us so that we can collect this information, verify it and forward it to the privacycommission so that further action can be undertaken (and eventually formalised and generalised)
#belgoleaks is also your business because it is there to prevent the leakage of your data
#belgoleaks is the sole name of the different anti-leak and no-security operations (the old OPS) that were held before
one of these operations was #OPRRN, about the use of the RRN as unique identifier and single sign-on. The RRN is a unique identifier of each person, like the SSN in the US, but the number has so many known identifiers in it that only 4 digits are unknown (and even that)
the privacycommission is responsible for the use, the rules and the security of the RRN by administrations and private firms, and even if there was a debate in which several persons thought that the number should be public, the majority thought that the risks of letting everybody use this number for everything were too great, because the number is too weak as an identifier (it is too easy to find it) and also because the front- and back offices much too often do not have enough security and encryption to safeguard them
but meanwhile organisations were using the RRN numbers more and more, or asking for it in unsecured forms (even without logon and without SSL)
some even went further and used the RRN number as the sole identifier (libraries and sport clubs do this)
Today I have received an official answer from the Privacycommission which says that in the specific cases that I have mentioned concrete actions were taken, but maybe it is time for the Privacycommission to state clearly itself that you can NEVER use the RRN in a login, that the RRN cannot be asked for on a public form, that if the organisation wants to have the RRN this has to be done after authentication and in a secure environment, and that these data - like other identifiable and important data - have to be encrypted, and so on....
For the dutch speaking people
above we could change the password
here we can change the date of birth - we didn't
we could see and change anything we wanted
it is now only visible in Google cache
and as the administrators say that there was and is no problem, we have proof from the Google cache of the 25th of March showing what we could do but didn't actually do
but if you have seen the links and the information, then you know that there is much more to it and much more that could be found out
the cert was informed last week but tried to discredit me with some journalist who luckily knows that I am not playing around. More dangerous is that the CERT was saying that they didn't check the information that I sent to them because otherwise they would be breaking the law, which is implying that I am breaking the law, which I am not because I change nothing, I log in to nothing and I only use Google to find the information
this means, privacycommission, that these are all public data leakages
a big article about a hacker who has attacked .belgium.be and is now facing trial. He is just a kid who wanted to do something Anonymous and installed the LOIC tool and tested it on two sites
a local website of a scouts group (that stayed up)
.belgium.be, the national and international portal of the whole country of Belgium, which is also the national gateway to a whole bunch of online e-services (like taxonweb.be, which uses very confusing web addressing throughout the logon process) and that went down
reread this please (which one went down again?)
so one person with only the LOIC tool brought down the web portal of the country of Belgium. Cyberwar, cyberterrorism and so on
he says he couldn't imagine that he could have brought down the Belgian portal - and the effects were even seen in the back office of this very important national service
I can understand that
to defend this the Belgian government is going to spend 20 million euros (instead of the hundreds that were originally asked for)
I am really impressed by this sense of urgency
cyberwar is coming and we are preparing ourselves ..... with words
there are MD5-hashed passwords for the logins
and these are a part of the members whose accounts are compromised - the email addresses have been altered
THIS HAPPENED WITH ONE OF MY FRIEND'S FRIENDS SO PLS B CAREFUL MY DEAR FRIENDS....
Please read the whole post
The ordeal ended at 4pm today. It all started with a mail on 20th Jan 2013 while I was in Gujarat on work. It came from email@example.com threatening to upload NUDE pics of my wife & a few female fb friends if I failed to pay Rs 1 lakh within 3 days. He also threatened to mail those pics to all contacts on my mail. The pics were lifted from porn sites & morphed with the faces of my wife & fb friends. I was dumbstruck for a few minutes when I first saw it on my mobile and immediately called my wife and told her about the mail. Next I called and alerted my younger daughter to be on the lookout if anybody tagged me and posted obscene pics. Then I called a close friend who is a senior IPS officer and told him about the mail. He just said try to engage him and buy time. Then I replied to that fellow stating that I didn't have that much money and would pay some immediately and pay the balance in Feb. That night I didn't sleep and removed all pics of women from my fb account and requested a few female fb friends to remove pics in which I was tagged. I returned to hyd on the 21st night and lodged a complaint with both the Task Force & Cyber crime units on the 22nd morning. The cops immediately started action as my IPS friend talked to them. It took 2 weeks to nab the bastard as he had been sending mails from different internet kiosks every time. I even paid 20000 bucks into the account provided by him on 30th Jan and that clinched the final evidence, though that account doesn't belong to the creep. Cyber crime cops with their own methodology captured the bastard today.
The name : Baddigam Nagi Reddy.
I had to write this to warn all of you not to post pics of yours and your loved ones on fb even with utmost security. And if this kind of situation comes keep calm and approach police.
step 1: look up in Google, for example site:facebook.com hotmail.be (or any other email address domain)
TD Objektiv | Facebook
3 dagen geleden - Email or Phone, Password. Keep me logged in. Forgot your password? .... firstname.lastname@example.org. Photo: Model: Iris Geuens Locatie: Fotostudio MUA: TD ...
then you click to see an example of the site
you will see this appear next to it
then you scroll down and you see the rest of the postings
and maybe they have set this to public and this is their way of making publicity, but maybe not everybody knows that their Facebook postings are set to OPEN for Google and the rest of the world
but you can add whatever search terms you like to find specific public profiles, postings, friends or links without logging in to anything and leaving no trail whatsoever, because the Google cache is your proxy (and if you use a proxy yourself they can't even do anything with the Google logs)
Following a considerable number of "high-profile" data leaks, which were also reported on extensively on this site, the Privacycommission has published a new set of recommendations on information security for anyone who carries out data processing and works with computer files in doing so.
In the accompanying article on the Privacycommission's site, it stresses that concrete security measures must be assessed and implemented specifically for each organisation in a so-called information security policy. There is however a common basis that applies to every organisation that processes personal data, and which the Privacycommission wants to highlight once more with this new recommendation: the privacy law, more specifically the articles dealing with information security and the responsibilities that come with it.
The recommendation builds on the already existing reference measures and guidelines as well as the ISO 27002 standard, and gives clear starting points for setting up an effective information security management system and information security policy.
Whereas the Privacycommission has until now had a purely advisory role in the protection of privacy, more and more voices are calling for the Privacycommission to be given a less non-committal role. This follows the example of, for instance, the ICO (Information Commissioner's Office, the British Data Protection Authority (DPA)), which regularly makes the news with fines for hospitals, police services and municipalities following leaks of personal data.
A more forceful Privacycommission may moreover become reality sooner than expected: the upcoming European regulation on the protection of personal data is steadily rumbling through the European legislative mill towards an expected ratification before the European elections in June 2014. One of the aspects this regulation enshrines is the possibility for DPAs to impose fines.
Overview of the publications by the Privacycommission concerning information security:
- reference measures for the security of every processing of personal data
- guidelines on information security
- recommendation on its own initiative concerning the security measures to be observed to prevent data leaks
tip: if you receive such mails and you click on reply, you will most of the time see the real email address that they have hacked instead of the email@example.com that you see when you hover over the email address
if you have replied to such an email you should contact Yahoo to change your password and so on
it is really stupid of Yahoo that it lets those spam mails pass through its systems even though they have all the characteristics of spam and phishing emails
From: Base Des Données <firstname.lastname@example.org>
Sent: Wednesday, April 17, 2013 4:59 PM
Subject: AVIS DE DÉSACTIVATION DE VOTRE COMPTE YAHOO !!!
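The tip above (click reply and look at where the answer would actually go) is the same check a mail filter can do on the headers alone. The following is an added example, not code from the original post: it parses a constructed message with the standard-library email parser, reports the address shown in From next to the address a reply would really be sent to, and lists a few header-only indicators. The message, the addresses and the indicator names are all constructed placeholders, not the real headers quoted above.

```python
"""Added example: surface the Reply-To / From mismatch the tip above describes,
using only the standard-library email parser. The message below is constructed
and the addresses in it are placeholders, not the real headers from the post."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed phishing-style message: the visible From claims to be a
# "database" notice, but replies are routed to a different mailbox and the
# bounce address belongs to yet another domain.
CONSTRUCTED_MAIL = """\
From: Base Des Donnees <notice@example.com>
Reply-To: collector@example.net
Return-Path: <bounce@example.org>
Subject: AVIS DE DESACTIVATION DE VOTRE COMPTE !!!
Date: Wed, 17 Apr 2013 16:59:00 +0200

Your account will be deactivated. Reply with your password to keep it.
"""

# Constructed benign message for comparison: no Reply-To, consistent domains.
BENIGN_MAIL = """\
From: Alice <alice@example.com>
Return-Path: <alice@example.com>
Subject: lunch?
Date: Wed, 17 Apr 2013 12:00:00 +0200

Lunch at noon?
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_routing(raw):
    """Return (from_addr, reply_addr): the address the reader sees and the
    address a reply would actually go to (Reply-To if present, else From)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", from_addr))[1]
    return from_addr, reply_addr


def phishing_indicators(raw):
    """Cheap header-and-body checks; each hit is one reason to distrust the mail."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_addr, reply_addr = reply_routing(raw)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    hits = []
    if _domain(reply_addr) != _domain(from_addr):
        hits.append("reply-to-domain-differs-from-from")
    if return_path and _domain(return_path) != _domain(from_addr):
        hits.append("return-path-domain-differs-from-from")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    # The "your account will be closed unless you send your password" pattern.
    if "password" in text and "deactivat" in text:
        hits.append("asks-for-password-under-deactivation-threat")
    return hits


if __name__ == "__main__":
    shown, real = reply_routing(CONSTRUCTED_MAIL)
    print(f"From shows {shown}, a reply would go to {real}")
    print("indicators:", phishing_indicators(CONSTRUCTED_MAIL))
    print("benign mail indicators:", phishing_indicators(BENIGN_MAIL))
```

`reply_routing` is exactly what the mail client does when you press reply, so it shows the same mismatch the tip describes without sending anything. The domain comparison is deliberately coarse: a mismatch between From, Reply-To and Return-Path is not proof of phishing (mailing lists do it legitimately), but combined with a password request under a deactivation threat it is a strong enough signal to quarantine.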
they were hacked last year in the antisec storm and now someone has hacked them again - they never alerted anyone and they just did nothing, nada
as the privacycommission says that it will now investigate public leaks and dumps we will publish them here instead of sending them to cert and others - just to see what will happen now
we didn't hack this ourselves - we never do anything more than Googling and using online free webservices
if we publish it is because it is already public
http://pastebin.com/PqRqLMUr - it was already downloaded 146 times since the 5th of March and has more than 600 Belgian logins
it was after studying the passwords, while deleting them from this list, that it became clear that probably not all the accounts mentioned here are real, because the passwords that were used over and over again were the same except for a few, and the login names are also very strange except for a few
so at the least muziekcentrum.be will have to research what happened and will have to upgrade its defenses, security and monitoring, because it is clear that as they were already attacked several times, they will be attacked again and again and again
also this website is sponsored with public money, so the least that should be asked is that they set up secure websites that safeguard the security of their users
http://pastebin.com/u0RWmuVE 17th of march
when we go to the site it still says Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group (6 years old, that is)
but the number of users that are mentioned on the site "Totaal aantal berichten 255 • Totaal aantal onderwerpen 108 • Totaal aantal leden 40 • Ons nieuwste lid is Lien"
while the hacker says that he has 1286 logins (and there are some Lien in that list)
either the site had an archive list of all the old members and in 13 years they had 1286 logins in total
or there is dummy data and other data mixed in between these, because the hacker knows that the other hackers will test all the logins in the list no matter where they come from (some are also duplicates)
so maybe the privacycommission should ask them to research this and confirm this or not