• why numericable and nmbs are the same kind of leakers

    even if the numbers are not similar at all

    they both wanted to silence the critics

    they both tried to fool the press

    they both disregarded personal information in marketing files

    they both had outdated and not secured parts of their network

     

    it is maybe time for the privacycommission to say that even personal information in marketing data is still personal data for which you are responsable and should be investigated

    whatever the PR crap you are trying to make us swallow

  • belsec skynetblogs and censorship

    for the second time belsec has been taken offline without warning by skynetblogs just telling that in a certain posting there was illegal information

    it was this time about the numericable hack

    the complaint  which I have never seen and i do not know from who it came

    was about some data that was published by rex mundi

    but that you could find in many other places

    I do not like the way complaints are treated

    there is no transparancy about how complaints are treated

    and there are no real usable guidelines about what is illegal

    except that if that post is illegal many things may be deemed illegal

    hard for me to change the hosters as the biggest majority of readers comes through rss

    and if skynetblogs would start bringing down all those illegal medical and counterfeit blogs

    that would be a better start

  • the numericable leak is online (or part of it)

    first fact they have increased their price or ransom, before they asked 5000 Euro now it is 22.000 euro that was asked, still very low compared to other ransoms but if you increase the price too much you increase the pressure and attention too much

    for the rest it is a very long list of addresses and names but the most confidential information has not been informed willingly or unwillingly - that is for the investigation to decide (if there will be one)

  • who has bought the data from breached buyway ?

    this is the tweet

    3m

    A third-party bought the leak from us. Not BuyWay.

  • the strange declaration from numericable and why it doesn't matter for our privacy

    the problem is in the details of this carefully crafted PR statement that probably had to pass some judicial review to prevent it from outright lying

    "the hackers had no access to actual customers"

    ok let's go back to the structure of the server with the databases that was accessed

    there are test databases and a few others that may be old

    it wouldn't be the first time that Rex Mundi finds information on a server and tries to blackmail the firm who afterwards only declares that it is old data and that they were losers because they didn't have the newer data (which they always say is protected and safe

    in fact this is the problem with many systems, they don't destroy fast enough older data and when they keep it (for reasons which I don't understand) they keep it most of the time on the same systems or on systems they don't sufficiently protect (because that costs some money)

    but this doesn't mean that this isn't personal information and this doesn't mean that it doesn't have to be protected just as any other personal data from me or you  DATA IS DATA (even if 10 or 50% of it is not correct or relevant anymore, the other information is still relevant and should have been protected as if it was new personal data and by the way how will you know if that 'old personal data' is old without checking it and by doing so making it active again ?)

    if the data is not relevant anymore, why don't you just destroy it (and put that in your standards). Imagaine how much saver the world would be if all the yahoos and googles and microsofts destroyed all our old data after a few months or years of non-action or if we could say to facebook (destroy all my data that is older than for example a year)

    it also means that the privacycommission will still have to start an independent investigation if only to find out what the leaked or breached data is about and happened. This is why the privacycommission should receive the right in these cases to send independent investigators at the cost of the 'victim'. The other advantage is that the 'public interest' they represent is assured that the incident is handled with respect to all the norms and standards that should have been implemented and with the independent appraisal from independent investigators whose only business value is that they tell the truth as it is 'in the public interest' (and I have no business interests in this proposal it is just logical sense and a copy from the Vincoitte controls before you can connect your own renewed electricity network to the public one)

    LESS DATA iS MORE SECURITY AND LESS RESPONSABILITY AND LESS COSTS

    secondly it is strange to read in the same declaration that the hackers didn't breach any information or that they didn't access any systems that were important but that they will take all necessary measures to prevent this from happening again

    if you are used to (and bored by) marketing and PR stuff than you see that this doesn't make any sense

    or the systems were not breached and the information is fake and nothing happened because your security is in order or it isn't. You can't have it both ways

    this is not the kind of declaration that will inspire confidence and it is not on that kind of declaration that the privacycommission should decide what it will do. It should base its opinion only and solely on the facts and the facts are that some data has been leaked and that in the words of the numericable itself it is some kind of their data but not actual userdata.

    just as when a fire investigators after the fire comes around to investigate

    even if this sample of data seems on the first sight to be dummy data created to test or make a database, the test server was on the same server as the production databases and so the problem stays and if this data is from the test database they should have said so from the beginning and (depending on the data that seem to be released in a few hours (except if they or someone else for them pays (and doesn't forget to ask for a non-disclosure as part of the agreement by which you pay in two parts, one now and one much later except if the data was published something byway forgot to ask)

    nobody is going to shoot you down because you gave a detailed and explicit account of what happened it is what should have been done from in the beginning but nobody is going to believe you (anymore) witht such stupid declarations (especially if the forthcoming dataleak will proof otherwise)

    the PR people are a problem in incident management because they think they have to hide things and they think that by hiding or fuzzing things it will look better. No, on the contratry, it makes it look much worse.

    And this is another reason why during such incidents you call in the independent investigators and you communicate that independent investigators are on the scene and that you wil communicate more details as "they come out and are proven to be exact (and not a possibility)" It doesn't mean that you have to publish technical information that will make it easier to attack your network but the impactanalysis has to be 100% correct and not fuzzed up by marketing and PR people.

    this is what we expect from professionals who have to protect our data

  • belgian and dutch dns webservers under attack

    the 9th of july both the webserver of the belgian .be and the dutch .nl operators were attacked, without any certainty (at least publicly) that the two attacks were linked

    at first sight the defacement of the webserver of the belgian dns.be (which is responsable for the operation of the .be extension) seems to be just a defacement and dns said that they had taken all the necessary steps which is by one resetting the clean code that was kept elsewhere but the main problem is that the securityproblem (they were using PHP and because of the problem one can suppose there was a mistake or non-patched securityhole somewhere - even in a library. Changing the code only makes sure that there are no other backdoors or code that has been changed somewhere, but one needs always to find the securityproblem and retake a clean code before the hacker revisits the site and re-uses the securityhole even if there is no defacement

    the dutch operator of .NL was less luckily because the hackers could even go a lot further and place malware on the server and steal enough authentifications to oblige them to change the passwords of all the users resellers

    but they should remember - just as the resellers of ssl certificates - that any mistake in their code or webservices will be used against them without much hesitation and may have serious reputation and security repercussions - this means in fact that less is better (because less complex and less code to control) and a separation between marketing and operational websites should be strictly seperated

    they could start with putting a vulnerability watcher application and a WAF to stop the attacks

    they could also test their sites with metasploit and let a real penetration tester do some real tests

    before somebody with even more experience and tools than the defacer takes his time and experience and uses the same neglicence to go slowly from part ot part of the network untill they get the business jewels

    oh they will say, that will never happen,  no but the first signal was sent out, that you could be hacked and maybe penetrated, hackers don't need to know more

  • what to do if you are one of the innocent victims of the rex mundi hacks

    first it all depends on how much information is published and how secret that information is for you

    * adresse, telephone number

    If this information is not secret for one reason or another than there is no urgency, but you could ask the firm to pay for the change of your telephone number if you don't want it to be known (and didn't publish it online either)

    * emailaddress

    this is more difficult because if you have used the emailaddress of your employer it is possible that the securityguys won't like it and that you will have to change that address (and get some good advice for the further, never use you official workemail for private business online)

    if you emailaddress is private and you are bombarded with a lot of spam and you need to change and your business is being hurt by this, than you can complain I suppose

    * passwords

    if you use the same password anywhere else on the web, than you should change this as fast as possible

    for some services with telephone authentification it would be possible to steal your passwords with VOIP or infected SMS when it could be linked to an account (facebook, google)

    * personal information

    this is a breach and you could complain to commission@privacycommission.be

    * business information

    this is a breach and you could complain to the fccu.be especially if business insider information has been leaked and that information could be useful for your competitors

  • the three groups of targets of Rex Mundi

    after observing rex mundi for the last 2 years you can distinguish three groups of targets

     

    the first group are the ISP's

    the second group are the online lending companies

    the third groups are the online recruitment companies

     

    if you are one of these companies

    * they will not go away

    * you still have to implement strict security and privacy with permanent monitoring and logging and patching

    * you need an incidentplan and to look at the new reglementation of the privacycommission.be

    maandag, 21 januari, 2013

    especially if you belong to one of these targets
  • Rex Mundi hacks places the privacycommission before its first big test

    the two new hacks by Rex Mundi places the new Privacycommission and their new reglementation about databreach notification (january 2013) before their first big test

    the biggest incident since the new reglementation has been handled behind the scenes because it was a leak and not a breach

    this is different

    if Rex Mundi blufs and that information is not on their servers and has been faked or copied than even in that case the servers in question have to be inspected by real forensic inspectors to verify that this information was not on their servers and never was - this is the only way those two firms can make me believe that there was no compromise (only believing what you are seeing)

    if Rex Mundi is right that there are three questions for the firms (I won't call them victims because the real victims are the innocent bystanders)

    * did they inform the privacycommission and started an information campaign to the victims and the necessary investments to answer calls from people and if they didn't why ? The only reason that they shouldn't inform the privacycommission should be if they have the 100% proof that this leaked information from a socalled breach was never on their servers and they can proof that. All the rest is hearsay.

    * did they inform the victims in time so that - even if they wouldn't pay - these victims could change the passwords (and eventually the telephone numbers if it was a private one) and they would pay for any costs that that would bring with them

    * did they take all the necessary actions to close the securityholes, look out for new backdoors and change the internal passwords and start encrypting that data ?  In fact do anything so that this doesn't happen again.

    so the first big test for the privacycommission is to show that its new reglementation from january 2013 has some meaning and that it will be enforced and implemented

    if not, the cynics are proven right again

    another question is if the personal victims based upon this breach can now step to the court and ask for compensation as not only they weren't protected as it should, but the instances were informed and the procedures weren't followed (48h after the breach the victims should be notified)

    my last remark is that in California, the mother of the breach notification law, they have now said after their evaluation of the law that they will go now heavily after firms that don't encrypt their data because that seems to be the biggest problem and loophole

  • Rex Mundi hacks another Belgian recruiter, habeas.be

    I wanted to keep this off the record but as numericable has been so stupid sending out a press release and the infosecuritycommunity is now reading the rex mundi tweets again, there is no sense in not publishing this news and other interesting comments and thoughs around it

    so this is another interesting one who thinks that nothing happened and that they can neglect such a warning or even don't research in their logs what has happened and if something is true

    secondly they don't have a seperate login which is fine but as they are running older PHP scripts it is possible that one of the bugs and security vulnerabilities that has been fixed in the more recent versions (it is not because it is free that you don't have to work on it) was the gaping hole inviting hackers, not rabbits

    so now they have a problem

    if Rex Mundi is right, than they have lost their database with the profile and personal data of the people who were placed with them (it is an outplacement firm - so their 'candidates' aren't the happiest ones because they are forced to take another job somewhere else and the outplacement is supposed to make life easier for them)

  • rex mundi, twitter and PRISM

    among all the hysteria about the online spying activities of spy agencies, people (aside from watching the film brasil) should remember that all is not perfect that socalled perfect cooperation on paper between police and intelligence agencies and the webservices (even American ones)

    * Rex mundi has kept his twitter account, while the lulzsec and Anonymous accounts on twitter has been suspended or destroyed systematically

    but maybe the police services want that account to stay active because it seems to be the only way to communicate and even with the worst enemies and criminals you have to keep some 'line of communicaiton' open

    this will maybe explain why on pastebin he has lost quite a lot of posts but the account was not suspended either, while other hackers have seen their full account blocked at pastebin

    * Rex Mundi hasn't been arrested yet

    as Rex Mundi has been hacking in Switserland, USA, Canada, France, Belgium and so on ..... there are a lots of police investigators looking for them but why don't they find them

    there may be two explanations

    first there may be a lack of cooperation. Rex mundi is not a threat for the system because it doesn't hack police and governmental databases and doesn't publish them with pamflets about revolt and so on. THere is in other words no political urgency to liberate all the necessary resources to get them.

    secondly even if the hacks of Rex Mundi are not nothing, they aren't the big ones (and when they got a very big one it was handled behind the screens without the impact that it could have had), the numbers are small (in comparaison with lulzsec, the ransom is small (in comparasaison with the ransom asked from online casino's) and the public relations effect is relatively small (you're not on CNN)

    so before becoming paranoid one should remember that 

    * in this international interconnected world it is still possible to blur your tracks enough to not be found by one or more police forces who are NOT working together

    * that it all depends on the priorities of the police force and that those are political and that for this reason it is not the live monitoring that is the biggest problem but the fact that the NSA wants to keep the data for always (imagine Hitler getting his hands on such a database - even if he wanted to create one with the help from IBM)

  • Rex mundi hacks numericable.be and they say it ain't true

    Rex Mundi publishes a warning that they will publish tomorrow a lot of information about 6000 clients from Numericable.be and other business information that will make them sorrow that they said that

    "Belgian cable operator Numericable said none of his customer data or business information was comprised in a recent hacking attack on its systems. The statement follows a claim from the hackers collective Rex Mundi, which claimed to have details on 6,000 of the operator's customers. Numericable said it has filed a complaint with the Computer Crime Unit.
    http://www.telecompaper.com/news/numericable-says-data-safe-after-hacking-attack--955289

    the sample is here censuur  for the moment

    and have a look at this

    DB users:
    -sa
    -website
     
    if this is true, how long it is already known that the default sa user in a database has to be desactivated before you do anything with it ? As far as I remember
     
    the second user is the website with its own credentials which means that if you have taken over the website, you have also access to the database as a user (and if your rights weren't limited because why make things always difficult as those securitypeople always ask ?) than you own also the database
     
    the server has the following databases  (numericable has to proof that this isn't the case not to say that as far as they know their personal or businessinfo wasn't compromised) and here are some interesting things to see (and you ask yourself if the architecture guy talked to the securityguy at any moment during the installation because a real securityguy would never have accepted this, among other things)
     
    censuur
     
    and than there are the users, the innocent bystanders
     
    a very interesting one working for a bank (phishing and ATP coming your way baby)
     
    censuur
     
    and some Belgians
     
    censuur
     
    If Rex Mundi reads, do not publish tomorrow social securitynumbers and passportnumbers, in fact even the phonenumbers are not necessary to be complete (if they are in excell you can scramble with a mathematical formulae) and than you export them again in a csv file - just for the innocent bystanders
     
    Numericable isn't the only ISP that hasn't taken Rex Mundi seriously. I have been warning that this group won't give up and has been going on for nearly 2 years now without ever being found out.
  • why Snowden won't get real political asylm but will be treated and protected as a spy

    Glenn Greenwald, a columnist with The Guardian newspaper who closely communicates with Snowden and first reported on his intelligence leaks, told The Associated Press that the former NSA systems analyst has "literally thousands of documents" that constitute "basically the instruction manual for how the NSA is built.
    http://www.syracuse.com/news/index.ssf/2013/07/edward_snowden_has_documents_on_how_to_evade_nsa_surveillance_journalist_says.html

    someone going over with that kind of data is always a spy - period

    but that proofs that he will be protected on the reciprocal protection of ex-spies by the different countries

    and this is also why Russia (or another friendly country) is so interested

    * they have their own full interception system since years and would like to make it more perfect (those keywords alone are very interesting)

    * they have to learn their allies and spies how to circumvent the system and stay under the radar

    even if you would hack the network of the nsa you would never find so much data in one place (it has been collected during a year - without any one seeing that an employee of an outside contractor was copying all that kind of data)

    there are Data protection and data access systems available that would have prevented this (as they would have prevented wikileaks and stopped Mannings)

    Maybe some-one should sue the NSA for negligence and endangering the national security by incompetence :) because the technologies are there and they have more manpower than they can recruit (which is why they are using so many contractors with all the securityrisks)

  • metadata : how to bypass the NSA prism (or make it them difficult)

    1. don't take an emailaddress with your name in it

    2. use temperorary emailaddresses if needed

    3. don't use words in your title that reflect your content

    4. steganography is a great tool

    5. place passwords on encrypted files

    6. use a professional proxy or tor to access the internet

    7. use a local dialect

    8. write it down, scan it, encrypt it and set a password on it

    9. use some totally different pseudo identities on the net that have no connection whatever with each other

    10. use different computers or telephone accounts or tablets to communicate

    and all this shows how relative this interception may be

    in fact this means that how much the NSA may invest in infrastructure, the human intelligence will still make the difference because you can make the interception of communications so difficult that it will take too much time and if the supervisors is not  convinced that that message or converstation needs the necessary recources it will be too late for them (9-11)

    the advantage of the system is off course that you can get the amateurs and the stupid and that you can find them easily (and as in most of the cases infiltrate the new cell to arrest them all the moment they want to effectively do something instead of just talking about it)

    but technologicalobsessed securitythinkers will do everything to proof that they don't need that 'too old spy' tool of Human Intelligence anymore, they say that it is costs too much is ineffective and so on

    it is, unless it uses the intelligence that the technological interceptions can collect and this has been the case for the last century

  • metadata : the wrong discussion about the wrong metadata

    Metadata are the data about the content

    in my job I can use three kinds of metadata

    1. the global anonymous metadata

    this means that I will only see for example how much videotraffic there is, how much to which country for example and so on. I have no idea to locate the source of the data. This is important to know if you will need to upgrade your infrastructure or limit certain access rights and so on.

    2. the specified anonymous metadata

    this is important for securityresearchers and securityguardians at the ports of the securityinstallation - a global interdiction of the use of all metadata with very stringent implications would make it very difficult for the securitypeople to do their jobs in time

    this means that I don't know who is behind the IP address but I only see the IP address and I even don't want to know who is behind it, I only can use to eliminate botnet, virus and spamtraffic and to get the computer out of the network and than it is up for the local IT people to go and repair the computer, the helpdesk only receives an IP address and the mention that it is probably infected (which is most of the times is)

    in the case of spam or the proxy we don't see the IP address or the receiver but only the title or the website when we type in certain words like porn, hack and so on. This just to see if there are mails passing the controls and to adjust the controls. The content of the communication is not seen. The person self is not contacted and the filters are adjusted. He or she will see that his bypass won't work anymore or that the spam is not coming through anymore.

    in most systems you can now select the metadata you want to see and so you can chose only those things you effectively need and eliminate all others and you always you have to remember that you don't have to look at all the traffic all the time, you can use filters and searchstrings that give you only those traffic streams that need more research (for example blocking all traffic to Russia and China on your firewall if you don't have any business there)

    3. the individualised metadata

    in this case (as is the case with the NSA - echelon system) you have everything except the content - but in fact you have everything because most people use words in their subject that reflect the content, you can say that it is in fact a bridge too far.

    PRISM

    I suppose the NSA systems uses in first instance the second system with around 38.000 triggers and keeps those in their database and than decides or gets the approval to follow some of those with the third system of metadataspying to get more proof. If they have enough proof I think they just get everything.

  • public folder with documents about Bitcoin

    you can download it from here

    bitcoin has been built as an answer to the financial blockade of Wikileaks, the activist community needed a currency that was decentralised and anonymous and safe

    the last part is always the hardest and there has been some hacking scandals, it is after all money so it is worth something to somebody

    bitcoin will not replace our normal money but it will be an important channel to a certain segment

  • public folder with documents about Anonymous, Lulzsec, hacktivism and antisec

    download from here

    you will not find any password and other leaks here

    it is not complete either, there is still a lot of stuff to come

  • Summertime : french classical literature (zola, jules verne) to download

    You can download this from here

    this folder will be updated from time to time

  • summer reading : download some interesting english public domain books

    more to come (all more or less public domain)

    not throwing everything online, only books that you should have read

    this is just a small sample

    access to the folder

  • 21th of July : download Henri Perinne L'histoire de la Belgique

    This is according to Archive.org in the public domain

    it is one of the most extra-ordinary works of the Belgian History

    even if other historians find that it was very Belgistic and found traces of Belgium where others saw none (still do)

    but here you can download it without spending a lot of money and with the possibility of searching through the text and finding all the references (it is in cut in 7 pieces)

    download here