• belgoleaks a direct line to the technical info of webline.be

    this is the frontend

    this is the backend with all necessary info

  • belgoleaks hackable php site KUL

    cert notified wednesday

  • Belgoleaks museum Magritte has a surreal vision about helping hackers

    not only are they on a very old and dangerous server

    but they are publishing - instead of a 404 without any technical information

    a full description of every technical detail except for the passwords but that is no problem for a real hacker

    cert was informed 5 days ago

  • belgoleaks internal pages intranet inami.fgov.be

    cert was informed 36h ago

    inami is part of e-health

    in reality you could find the names of the servers and where they are placed in the infrastructure

    this makes it much easier to prepare a penetration attack

    running on an older IIS server is asking for problems

  • Belgoleaks flanders innovatiefaanbesteden.be publishes all its technical server details

    this is a governmental website from Flanders

    http://prod.innovatiefaanbesteden.be/project/test2/documents

    the security of it is a bit innovative, aside from probably being on an older server

    but publishing all your technical internal information is not a good idea - even if you are creative

    and the most interesting technical info we didn't publish

    the cert was warned wednesday

    this is the reason why test and production servers aren't on the same platform or network

    and why the test platforms are best NOT public but hidden

  • belgoleaks : if you want to provide internet solutions you should not be part of the problem

    first we found their administrative password by Googling

    then we found this

    and we didn't check whether the password we found was the one that we needed here

    but it all seems old and time to clean up especially if you find passwords by Googling

  • belgoleaks full technical fiche and passwords for tmabevents.be

    this is the website

    this is the detailed information to enter the website

    cert informed

  • are all the snowden internal NSA documents being reviewed for global release ?

    Many press reports talk about the Snowden leaks or Snowden documents, but they aren't documents from Snowden; they are OFFICIAL INTERNAL SECRET NSA documents for which Snowden was employed to control who was doing what with them (which means that somebody forgot three principles of intelligence security: separate containers, so very few people have a global view; the need to know, so you only see what you need to know, and in the case of Snowden that was the user logs and not the data itself; and a good implementation of the 4 eyes principle for very critical functions, so somebody controls the controller or administrator if he has specific access rights)

    you have to see them as OFFICIAL INTERNAL SECRET NSA documents which were stolen from an official internal server

    secondly as Greenwald is having a new job soon he is considering throwing all the documents online in one batch because for him personally there is no need and no time anymore to milk them one by one. He is speaking with the Washington Post and The Guardian and experts which kind of information and documents could be liberated in one 'batch' and which should be reviewed and which could in no case be published without putting the lives of agents and people in danger.

    thirdly Greenwald and the owners of the publications will also want some advice to know if they could be prosecuted if these documents were published in full - instead of a very small number of incomplete documents.

    there is a momentum building and there is the feeling that with one big batch of documents drastic changes could be inevitable for the NSA and the intelligence gathering by the USA because the economic, diplomatic and political relationships with a list of countries could be endangered for some time to come if some operations and interceptions aren't stopped now or are to be transferred to something that has more oversight and is built upon cooperation and exchange of information.

    we are talking about 20.000 to 30.000 documents

    it will not be possible to go over them one by one so if there is to be a publication it will be a whole bunch of them with several mistakes

    for the security of the 'innocent bystanders' the USA should at least have a prewarning of a few days before you liberate all those documents (even if the US is already doing so - which means that the talks between Greenwald and the others are very real)

  • belgoleaks volksgezondheid is running on a very old Oracle application server

    this is the result

    it means that the server in the states would not be FIPS ready, it would not be acceptable as a platform for a volksgezondheid platform

    Federal Information Processing Standards (FIPS) are publicly announced standardizations developed by the United States federal government for use in computer systems[1] by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract. Many FIPS pronouncements are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO). The purpose of FIPS is to ensure that all federal government and agencies adhere to the same guidelines regarding security and communication.
    http://en.wikipedia.org/wiki/Federal_Information_Processing_Standards

    the reason is that if we type the version of the server in the exploit database there are two pages with exploits that are possible, which means that there is an enormous lot of work keeping the server secure, money that should be invested in upgrading and keeping current

    http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-707/version_id-26592/Oracle-Application-Server-10.1.2.0.2.html

    and more recent ones can be found here http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-707/cvssscoremin-5/cvssscoremax-5.99/Oracle-Application-Server.html

    and even if you don't upgrade to Oracle 11 even then there seems - I could be wrong - to be a new version

  • belgoleaks how to get a password for our volksgezondheid

    the most stupid trick because one of the most stupid methods for very important sites

    one billion stolen passwords were collected in the last two years, many of them for email addresses

    in the last few days we have sent new lists with logins to cert.be

    the idea we got from a document online  http://www.health.belgium.be/internet2Prd/groups/public/@public/@dg4/@foodsafety/documents/ie2divers/19083635_en.pdf

  • belgoleaks do you want to see a test or dev version of volksgezondheid

    this is the site

     

    this is the version in the Oracle Content server for developers

  • belgoleaks did google bypass the logon for the administration of volksgezondheid

    this is the logon page

    look at the link

    and now look at this link

    8. Additional specific mandatory particulars in accordance with ...

    www.health.belgium.be/internet2Prd/idcplg?IdcService...
    The labelling provisions for feed materials and compound feeds are set out in Articles 11 to 23 of Regulation (EC) No 767/2009 (.PDF).

    not that there seems to be patient or other personal information
    but it shouldn't be messy like that
  • belgoleaks patient-partners.be publishes its own administrative passwords online

    this is the SQL dump they have published on their own site, with the hashed administrator passwords further down

    http://www.patient-partners.be/ppp.sql

  • belgoleaks : volksgezondheid certificate still supports broken RC4

    we shouldn't use it, full stop

    Start warning our users about RC4 weaknesses. RC4 is demonstrably broken and unsafe to use in TLS as currently implemented. The difficulty is that, for public web sites that need to support a wide user base, there is practically nothing 100% secure they can use to replace RC4. We now have no choice but to accept that, no matter what settings we use, some segment of the user base will be at risk.
    https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

    the rest of the certificate is an example for many other Belgian sites, but they should take the minimal risk and deactivate it

    ssllabs.com

  • belgoleaks : play security administrator at the site of volksgezondheid

    we have no idea what it is but we have to stay in the strict interpretation of the law and even if we would click next we could be doing something illegal or that could be interpreted like that in some harassment complaint just to make me shut up

    so we didn't click on anything

    but it looks scary and stupid... for ehealth

    and it will attract attention from people who don't care about our law and ehealth

    but we continued with the fun and googled some tricks

    and then we arrived at googledork site:http://www.health.belgium.be/internet2Prd/groups/ -filetype:pdf  admin

    and that gave us the following link

    http://www.health.belgium.be/internet2Prd/groups/public/@public/documents/ie2templates/180014~35.hcsp

    now it looks chinese to me but there is a lot of code and information in it even if this picture is only part

    and you can ask yourself what else can be found that shouldn't be there

    the less technical information you are giving away, the better

  • belgoleaks instead of hacking publish yourself the info about your administrators

    why don't you publish all the details about the administrators of your site online

    just to make it easy

    http://77.241.93.48/webroot/dichtbijhuisgidsen/sources/Administrators.sql
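
A defender-side check for the two cases above where a site served its own `.sql` export (`ppp.sql` and `Administrators.sql`). This is an added example, not code from the original blog: it walks a local copy of a webroot and flags database dumps, marking those that define admin or user tables together with password fields. The suffix list, regexes, function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list: file types that are database exports/backups, never web content.
RISKY_SUFFIXES = {".sql", ".dump", ".bak"}
# Statements that create or fill a table whose name suggests accounts.
TABLE_RE = re.compile(
    r"(?:CREATE TABLE|INSERT INTO)\s+[`\"]?(\w*(?:admin|user|account)\w*)", re.I)
# A password-like column name, or a value shaped like a hex digest.
SECRET_RE = re.compile(r"passw(?:or)?d|pwd|\b[0-9a-f]{32,64}\b", re.I)


def audit_webroot(root):
    """Return [(relative_path, severity, account_tables)] for dumps under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in RISKY_SUFFIXES:
            continue
        with path.open(errors="replace") as handle:
            text = handle.read(1_000_000)  # the first MB is enough to classify
        tables = sorted({name.lower() for name in TABLE_RE.findall(text)})
        # "credentials": account table plus secrets; "dump": should still go.
        severity = "credentials" if tables and SECRET_RE.search(text) else "dump"
        findings.append((path.relative_to(root).as_posix(), severity, tables))
    return findings


def build_sample_webroot(root):
    """Constructed sample tree: a page, a credential dump and a plain dump."""
    root = Path(root)
    (root / "sources").mkdir(parents=True)
    (root / "index.html").write_text("<h1>home</h1>")
    (root / "sources" / "admins_export.sql").write_text(
        "CREATE TABLE `administrators` (`login` varchar(50), `password` char(32));\n"
        "INSERT INTO `administrators` VALUES ('demo', '" + "0" * 32 + "');\n")
    (root / "catalog.sql").write_text("CREATE TABLE `products` (`name` text);\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_webroot(build_sample_webroot(tmp)):
            print(finding)
```

Any file it reports belongs outside the document root; for a "credentials" hit, the accounts in the dump should also get new passwords, since the hashes have been public.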