• BND wants to keep security holes in SSL to itself to spy on you

    "Confidential plans seen by the SZ and broadcasters WDR and NDR show that the BND said it would spend €4.5 million to help it find security holes in the Secure Sockets Layer (SSL) protocol used by millions of web services to protect personal information. There is a lively grey market online among hackers and security researchers for "zero day" exploits, so called because they are undiscovered and internet users have had no time to prepare for them.


    But rather than fixing the security problems, the spies want to use them for surveillance. The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol, which is the standard for many banks, online shops, webmail providers and social networks.


    “Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security," said Jim Killock of London-based digital rights NGO Open Rights Group. "There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects."

  • how the German intelligence agency BND can spy on its own citizens

    "Dr Stefan Burbaum, who worked at the BND from 2000 to 2005, said that some Germans were targeted as “office holders”, a legal loophole the spies used to circumvent the law that protects German citizens from being spied on by their own intelligence agency.


    Normally, the intelligence agencies must overcome high legal hurdles laid out in the so-called “G10 law” to spy on German citizens, including when they live abroad. Otherwise, information regarding German citizens has to be filtered out from any foreign communications intercepted by the BND.


    But the German spies argue that a citizen working for a foreign company abroad is only protected in his private life, not in his professional communications, Burbaum told the Bundestag inquiry committee into National Security Agency (NSA) mass spying. "The office holder is the legal person," Burbaum said. "It's a small exception. But a German citizen can function as an office holder in a foreign organization. The decisive thing is whether he's communicating as a citizen or as an office holder."

    just get a bit legally creative

  • this is why the Five Eyes intelligence cooperation is so important (US-UK-NZ-Australia-Canada)

    if you are one of the Five Eyes you are in on so much more than any other partner


  • International Atomic Agency in Vienna a target of #Regin

    this is typical for a spy operation: throughout history spies have always tried to get the positions and information of the other parties to the negotiators at the table. It was always seen as strategic information

    google translate of http://derstandard.at/2000008742912/Spionagesoftware-Regin-nahmAtomenergiebehoerde-in-Wien-ins-Visier

  • the Dutroux documentary (VTM) and the Dutroux files and the unprotected judicial files

    When you are watching the Dutroux documentary on VTM you will see from time to time pictures that come from the judicial files that were used during the trial.

    first, it is strange that pieces of a trial are used, because I am not sure whether those files are public

    but secondly there is a reason for this, and I know very well why there is a reason for it

    those pictures probably come from the DVD-ROMs that the journalists received during the trial to make it easier for them to follow the trial and to do their reporting

    only there was no protection on those DVD-ROMs: no access control (password) and no protection on the files themselves (encryption, possibly with a time bomb)

    in other words the files of this trial were easily copied and distributed, and if you knew how to strip away the source of the files then you could do that without any danger

    I have always found that enormously dangerous, and even though there seems to be some law that makes it a crime to distribute these files, they could be found at a newspaper, with any interested person or on the internet (part of it on WikiLeaks)

    and it is not that the parliament doesn't know, because they have a copy of these DVD-ROMs to show how dangerous it is that these kinds of documents are distributed freely without any protection (especially since it isn't that hard or expensive to impose those protections).



  • #regin two important things we are looking into now - while everybody is feeling secure

    this is based on analysis of the NSA documents and of information that was leaked during the Belgacom investigation

    * we are not sure that there is no more recent version of Regin than the one of 2008 - 2011, and we still have to establish whether the 2013 version was installed before or after discovery and what the differences between them are

    * we are not sure either that there is only a Windows Regin and that there is no version or no files for other OSes - as you remember, the NSA was talking in its slides about a virtual component that was placed on the hard disk BEFORE the OS, whatever the OS, and that Unix machines were also attacked

    there is no clear proof of either, but we are searching

    so don't feel too safe now

    because that may have been the intention

    remember it is a spy operation by spies for spies

  • #regin the MD5 hashes of the files according to the phase of the attack and infection

    "Stage 1 files, 32 bit:

    Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

    Stage 1, 64-bit system infection:

    Stage 2, 32 bit:

    Stage 2, 64 bit:

    Stage 3, 32 bit:

    Stage 4, 32 bit:

    Stage 4, 64 bit:

    Note: Stages 2, 3, and 4 do not appear on infected machines


  • #regin the samples are coming online but attention

    This is one of the places where samples are being uploaded (I know several people (not me) have a sample of the BGC infection)



    Just to be sure that you understand what you are getting into if you download this

    * there is no clear definition of what a Regin package is; there are several different packages with different plugins and different timestamps, so many antivirus products don't see it

      this means that if you download it, your security defenses may not detect it or some of the new or additional code and functions. You should therefore only place it in a sandbox and handle it on a non-connected computer (don't use USB, use a CD-ROM and throw it away afterwards, or store it somewhere else (absolutely not safe))

    * it is not because it is called Regin that it is Regin

    * some of the samples have personal information about their victims and their employees in the log files (if you are a legal expert you will have to destroy these files or inform the local police that you seem to have proof of an infection).

    * as detection of the latest samples is quite low, antivirus firms will have to go hunting for real and imaginary Regin samples

    * if you don't have the knowledge and tools to handle this atom bomb of code, stay far away - you will have seen nothing like this

    In my view it is urgent for the big antivirus/security firms to set up a working group to collect all the different samples and information, to get the whole picture and to be sure that all companies and networks have sufficient protection independent of their antivirus/security tool.

  • #regin was also targeted at mobile telephone infrastructure

    this is much cheaper than installing rogue GSM receivers together with jammers that block the official GSM receivers

    source Kaspersky

  • the list of telecommunication cables that are intercepted by GCHQ


  • #leak police website Brabant Wallon Est is dumped

    not that there is much information

    it was part of an international operation against local police websites

    but the attackers seem to be amateurs


  • suzuki.be hacked by Syrian opposition

  • #Regin Kaspersky publishes the command and control servers and one is Belgian

    https://securelist.com/files/201 ... in_platform_eng.pdf

    important: the Snort rules against Regin are Snort Rules 32621-32624

    and the command and control servers were .......

    C&C IPs:

    * Taiwan, Province Of China - Taichung - Chwbn

    * India - Chetput, Chennai - Network Operations (team-m.co)

    * India - Thane - Internet Service Provider

    * Belgium - Brussels - Perceval S.a.

    because that won't be found suspicious; traffic going out of Belgacom to India or Taiwan could have been found suspicious

    remember this is a spy operation, so all the classical techniques and reflexes of spies are used - even covering up your tracks .....

  • #regin half of the antivirus engines don't find the 64-bit Belgacom variant today

    this is the list: 24/55 don't find the 64-bit Belgacom Regin infection (engine name, VirusTotal signature date)

    AegisLab (20141125), Agnitum (20141124), Antiy-AVL (20141125), Avast (20141125), Avira (20141125), Baidu-International (20141125), Bkav (20141120), ByteHero (20141125), CMC (20141124), ClamAV (20141125), Cyren (20141125), DrWeb (20141125), ESET-NOD32 (20141125), F-Prot (20141125), Fortinet (20141125), Jiangmin (20141124), Kingsoft (20141125), Malwarebytes (20141125), McAfee-GW-Edition (20141125), NANO-Antivirus (20141125), Panda (20141125), Qihoo-360 (20141125), Rising (20141124), SUPERAntiSpyware (20141125), Tencent (20141125), TheHacker (20141124), TotalDefense (20141125), VBA32 (20141125), ViRobot (20141125), Zillya (20141124), Zoner (20141125)

    this is also why 64-bit viruses are interesting: many antivirus engines can't cope with them yet

    so even if an upgrade to 64-bit kills millions of 32-bit viruses and secures access to your machine, it makes it an absolute necessity to lock your machine down, harden it and buy a really professional antivirus that works natively in a 64-bit environment

  • #regin if you don't have any money for specialists look at FREEno ex Windows defender

    especially if you have found the following three or one of them 

    and don't forget the servers 

    and don't forget to go back into time

  • #regin everybody is uploading packages to VirusTotal and some aren't detected

    interesting, so you can now see how Regin is detected by your antivirus (or not, if you use ClamAV for example), so you can start looking through the virus alerts to see whether you were impacted or not

    https://www.virustotal.com/en/file/f9cfae78e6a79b2136d966bdd58795cecdf0b72cca4065b322109b29ac661d77/analysis/   37/55

    https://www.virustotal.com/en/file/9051b74568aae847739ccca5b48b9f8315df647535cdddcae13b264897812363/analysis/  5/55

    https://www.virustotal.com/en/file/87a5329f85e675de4f8c4c7eeb916d92b33dc6b730ddd432baa448eeb30e1243/analysis/  3/55

    and you will find others here 
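    The three VirusTotal reports above pair a SHA-256 with a detection ratio. As an added example (not the blog's own code), here is a small Python sweep that pulls the hashes and ratios out of such lines, hashes every file under a directory and reports matches, and lists the hashes with the lowest engine coverage, the ones a single antivirus is most likely to miss. The directory it scans and the files in it are constructed in a temporary folder, and the one extra indicator added for the demo run is constructed as well.

```python
"""Added example (not from the blog post): sweep a directory for files whose
SHA-256 matches indicators taken from VirusTotal report URLs.

The three URLs are the ones quoted in the post; the ratios ("37/55") are parsed
from the same lines.  The files hashed in demo() are constructed in a temporary
directory so the script runs offline."""
import hashlib
import os
import re
import tempfile

# Lines as they appear in the post: a VirusTotal URL followed by "detections/engines".
VT_LINES = [
    "https://www.virustotal.com/en/file/f9cfae78e6a79b2136d966bdd58795cecdf0b72cca4065b322109b29ac661d77/analysis/   37/55",
    "https://www.virustotal.com/en/file/9051b74568aae847739ccca5b48b9f8315df647535cdddcae13b264897812363/analysis/  5/55",
    "https://www.virustotal.com/en/file/87a5329f85e675de4f8c4c7eeb916d92b33dc6b730ddd432baa448eeb30e1243/analysis/  3/55",
]

VT_RE = re.compile(r"virustotal\.com/en/file/([0-9a-fA-F]{64})/analysis/\s*(\d+)/(\d+)")


def parse_vt_lines(lines):
    """Return {sha256: (detected, total)} for every well-formed line."""
    out = {}
    for line in lines:
        m = VT_RE.search(line)
        if m:
            out[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return out


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk root; return [(path, sha256, (detected, total))] for files whose hash is an indicator."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            digest = sha256_file(p)
            if digest in iocs:
                hits.append((p, digest, iocs[digest]))
    return hits


def low_coverage(iocs, threshold=0.5):
    """Hashes flagged by fewer than `threshold` of the engines, sorted for stable output."""
    return sorted(h for h, (d, t) in iocs.items() if t and d / t < threshold)


def demo():
    """Constructed run: one benign file and one file whose hash is added as an indicator."""
    iocs = parse_vt_lines(VT_LINES)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here")
        # The file name is taken from the Belgacom write-up; the content is constructed.
        marker = os.path.join(root, "svcsstat.exe")
        with open(marker, "wb") as f:
            f.write(b"constructed stand-in for a sample")
        iocs[sha256_file(marker)] = (0, 55)  # constructed indicator, not a VirusTotal ratio
        hits = sweep(root, iocs)
    for path, digest, (d, t) in hits:
        print("%s  %s  %d/%d" % (path, digest[:16], d, t))
    return len(hits)


if __name__ == "__main__":
    print("low coverage:", low_coverage(parse_vt_lines(VT_LINES)))
    demo()
```

    Point `sweep()` at a file share or a mounted image and feed it the hash list of the day; low_coverage() tells you which of those hashes your own engine is least likely to have flagged, which is where a manual check pays off first.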


  • #regin everybody knew it now - some even as far back as 2003

    this is the race to backtrack the files and to claim the discovery

    probably the package is based on all the older knowledge and all the new things that were tested out at the time or added over time, so it is possible that you will find files or code dating a long time back and others that are newer or seem more complex

    "The date of origin of Regin seems to be a point of contention in the industry. Symantec claims the malware originated in 2008, Kaspersky Labs’ global research and analysis team reckons early traces of the virus became known in 2003, and a Telecoms.com source from the infosec industry told us that it was around even before then.


    Finnish security vendor F-Secure says it came across the virus in 2009, and claims it’s a purely cyber-espionage toolkit used for intelligence gathering. “It’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe,” the firm says on its website.


    The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of ‘pciclass.sys’ seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.”


  • #Regin the samples that were found at Belgacom

    1. From previously identified Regin samples, The Intercept developed unique signatures which could identify this toolkit. A zip archive with a sample identified as Regin/Prax was found in VirusTotal, a free, online website which allows people to submit files to be scanned by several anti-virus products. The zip archive was submitted on 2013-06-21 07:58:37 UTC from Belgium, the date identified by Clément. Sources familiar with the Belgacom intrusion told The Intercept that this sample was uploaded by a systems administrator at the company, who discovered the malware and uploaded it in an attempt to research what type of malware it was.

    2. Along with other files The Intercept found the output of a forensic tool, GetThis, which is being run on target systems looking for malware. From the content of the GetThis.log file, we can see that a sample called “svcsstat.exe” and located in C:\Windows\System32 was collected and a copy of it was stored.

    The malware in question is “0001000000000C1C_svcsstat.exe_sample ”. This is a 64bit variant of the first stage Regin loader aforementioned.

    The archive also contains the output of ProcMon, “Process Monitor”, a system monitoring tool distributed by Microsoft and commonly used in forensics and intrusion analysis.

    This file identifies the infected system and provides a variety of interesting information about the network. For instance:

    The following environment variable shows that the system was provided with a Microsoft SQL server and a Microsoft Exchange server, indicating that it might be one of the compromised corporate mail servers Fabrice Clément mentioned to Mondiaal News:

    Path=C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files\Microsoft Network Monitor 3;C:\Program Files\System Center Operations Manager 2007;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn;D:\Program Files\Microsoft\Exchange Server\bin

    3. Below is a list of hashes for the files The Intercept is making available for download. Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.
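    As an added example (not The Intercept's or the blog's code), the same reasoning about the Path variable and the collected file names, in Python: split the quoted Path into entries, map entries to the server products they reveal, and flag names from a collection listing against the file names this page associates with Regin (svcsstat.exe from the Belgacom write-up, pciclass.sys from F-Secure). The product mapping and the file listing are constructed for the example.

```python
"""Added example (not The Intercept's or the blog's own code): read the Windows
Path value quoted from the ProcMon output as a list of directories and infer
which server products ran on the host, then flag file names from a
GetThis-style collection listing.  PRODUCT_MARKERS and COLLECTED_FILES are
constructed for this example."""
import ntpath

# The Path variable as quoted in the article (backslashes restored).
PATH_VALUE = (
    r"C:\Program Files\Legato\nsr\bin;C:\Windows\system32;C:\Windows;"
    r"C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;"
    r"C:\Program Files\Microsoft Network Monitor 3;"
    r"C:\Program Files\System Center Operations Manager 2007;"
    r"c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn;"
    r"D:\Program Files\Microsoft\Exchange Server\bin"
)

# Constructed mapping: lower-case substring of a Path entry -> role it suggests.
PRODUCT_MARKERS = {
    "legato": "backup client (Legato NetWorker)",
    "network monitor": "packet capture tool (Network Monitor)",
    "system center operations manager": "monitoring agent (SCOM)",
    "microsoft sql server": "database server (SQL Server)",
    "exchange server": "mail server (Exchange)",
}


def split_path(value):
    """Split a Windows Path value on ';', dropping empty entries."""
    return [e.strip() for e in value.split(";") if e.strip()]


def infer_roles(value):
    """Roles implied by the Path entries, in Path order, without duplicates."""
    roles = []
    for entry in split_path(value):
        low = entry.lower()
        for marker, role in PRODUCT_MARKERS.items():
            if marker in low and role not in roles:
                roles.append(role)
    return roles


# Constructed listing in the spirit of a GetThis collection; only the names matter here.
COLLECTED_FILES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\svcsstat.exe",
    r"C:\Windows\System32\drivers\pciclass.sys",
]

# File names this page associates with Regin: the Belgacom loader and the F-Secure driver.
NAMES_OF_INTEREST = {"svcsstat.exe", "pciclass.sys"}


def flag_names(paths, names):
    """Paths whose base name (compared case-insensitively, Windows style) is in `names`."""
    wanted = {n.lower() for n in names}
    return [p for p in paths if ntpath.basename(p).lower() in wanted]


if __name__ == "__main__":
    print("roles:", infer_roles(PATH_VALUE))
    print("flagged:", flag_names(COLLECTED_FILES, NAMES_OF_INTEREST))
```

    A name match is only a starting point: svchost.exe-lookalikes are common, so a hit from flag_names() should go on to the hash sweep and to a check of who signed the file.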


    the same article gives more information about the loaders and why they think it was this virus that attacked Belgacom. It also seems that some sources in Belgacom are leaking again and have forgotten about their NDA, unless it is a hidden policy.

    the second thing is that it seems as if people during the discovery phase used online tools, which leave traces, to identify the problem. For a critical environment like Belgacom during an espionage attack this is like hanging a banner outside: we have found you.

    De Standaard will be publishing more information, it seems, in the coming weeks. Well, now I understand something......

    We always said it was an intelligence operation and we always said that there were problems with the certificates of some files. We only have to wait to be proven right. And for that we didn't have contact with leakers.

    Now that all that information is out in the open it is time for BIPT to make a real technical file.

    That The Intercept thinks that all the files have been replaced is wishful thinking, unless they gave the intelligence services a head start by informing someone that this information would be published on a certain date so they could go into overdrive. But even then there may be security and network management tools that will have a trace of the file names and other events on the network or on the servers.

  • Mensura files a complaint with skynetblogs against belsec but.....

    they wanted certain postings removed and in fact wanted the whole blog taken down

    they said that including screenshots and links to the data dumps is illegal

    the references and screenshots concerned in the postings mentioned have therefore been removed, and it has been noted that this was done because of a complaint to skynetblogs

    these complaints are, by the way, always followed up

    but don't fool yourself

    this data is only a tiny fraction of the data online

    and there is nobody in Belgium who follows up these data leaks in a systematic way, and the CERT that should do it is so understaffed and overloaded that it can't even handle these datasets

    by the way, it doesn't take much effort to find them (I use a couple of sites and a few Google dorks), and it is not about thousands of .be mail addresses but in the worst case a few dozen in a week (unless Rex Mundi is at it again)

    It would cost only a few thousand euros to monitor this efficiently, plus a small application to notify the victims immediately after their automatic discovery. But there is money for big studies into what has already been studied.

    by the way, what is Mensura doing about the more than 400 downloads of the data that have already taken place

    I would say, nice try Mensura, but there are more important things to keep you busy

    e.g. how do you explain that your certificate is still broken, that your form for sickness checks is still not behind a protected login page, that it still asks for the national register number (Rijksregisternummer) of the person to be checked (who therefore does NOT know this and has NOT given consent for it), and that the 'more info' section (where all those scandalous indelible comments were) is also still there

    even though you have known since the leak, which you NEVER announced on your blog (except as maintenance works on a Sunday, without specifying), that there are three big problems with that form

    * it is not protected by a login screen

    * it contains personal information for which the owner of that information has not given permission (national register number)

    * it is not only on the internet but it has weak encryption, and it had a SQL injection (which was not tested despite the fact that it is in the OWASP Top 10)
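    As an added example (not Mensura's or the blog's code), here is what the third point, a form with a SQL injection, looks like in code next to the parameterised query and the input check that close it; the table, rows and the reference format are constructed in an in-memory SQLite database, and no real personal data is involved.

```python
"""Added example, not Mensura's or the blog's code: a lookup that builds its SQL
from user input, beside a parameterised version and a hardened version that also
validates the reference format.  Table, rows and the REF-nnn format are constructed."""
import re
import sqlite3

REFERENCE_RE = re.compile(r"^REF-\d{3}$")  # constructed format for this example


def make_db():
    """In-memory table standing in for the sickness-check form's backend (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sick_checks (reference TEXT, employee TEXT, national_id TEXT)")
    con.executemany(
        "INSERT INTO sick_checks VALUES (?, ?, ?)",
        [
            ("REF-001", "employee A (constructed)", "00.00.00-000.00"),
            ("REF-002", "employee B (constructed)", "00.00.00-000.01"),
            ("REF-003", "employee C (constructed)", "00.00.00-000.02"),
        ],
    )
    return con


def lookup_vulnerable(con, reference):
    """The reference is pasted into the SQL text, so it can rewrite the query's logic."""
    sql = "SELECT reference, employee FROM sick_checks WHERE reference = '%s'" % reference
    return con.execute(sql).fetchall()


def lookup_parameterised(con, reference):
    """The reference is bound as a value: whatever it contains is compared as data, never parsed as SQL."""
    return con.execute(
        "SELECT reference, employee FROM sick_checks WHERE reference = ?", (reference,)
    ).fetchall()


def lookup_hardened(con, reference):
    """Defence in depth: reject anything that is not a well-formed reference before touching the database."""
    if not REFERENCE_RE.match(reference):
        raise ValueError("malformed reference")
    return lookup_parameterised(con, reference)


def row_counts(user_input):
    """Rows returned by each version for the same input; None where the hardened check rejects it."""
    con = make_db()
    vulnerable = len(lookup_vulnerable(con, user_input))
    parameterised = len(lookup_parameterised(con, user_input))
    try:
        hardened = len(lookup_hardened(con, user_input))
    except ValueError:
        hardened = None
    return vulnerable, parameterised, hardened


if __name__ == "__main__":
    print("normal input:", row_counts("REF-002"))
    print("tampered input:", row_counts("' OR '1'='1"))
```

    For a well-formed reference all three return one row. For the classic tampered value the concatenated query returns every row in the table, the parameterised one returns none, and the hardened one never reaches the database; the page's point that this sits in the OWASP Top 10 is exactly why the test belongs in the form's acceptance checks, next to the login requirement.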

    and if that is the fault of your service providers, then you'd better look for another one and file a complaint against them

    btw there are numerous blogs, forums and Twitter streams that do nothing but report and link to new data dumps on the internet - it is through such a Twitter stream that I found on Saturday the information you were trying to hide.

    By the way, if lawyers are preparing a complaint, they will have had this information for a long time already.

  • #NSA stop hacking our telecom infrastructure and get a global surveillance permission for REAL terrorists

    If the NSA hacks telecom infrastructure worldwide it is because it wants to get the information without having to go through court to get it, and because it thinks this is more effective and faster. The latter is more evident than the first, because you won't be able to present this information in court (although many of the presumed terrorists are now killed by drones before they ever get to see a real court).

    But this poses some big problems and can also create diplomatic and other difficulties, even if the different intelligence agencies need information from the NSA to be able to react fast enough to dangers yet unknown to them. So they are like two scorpions in a bottle who will only get out if they help each other out.

    This is only possible if there is a European agreement that a number of people or organisations can be tracked and monitored throughout the European Union without having to present an individual court order in each of these countries. We already have Europol that can coordinate this, and it needs the necessary supervision.

    The only problem here is mission creep, and the only way to stop mission creep is that the list may, for example, never be bigger than 100. This means that there is no way this system can be turned into a global surveillance tool, but that it is fast and general only for the most important terrorist suspects or contacts that need to be followed anywhere. The terror watchlist of nearly half a million people is a perfect example of this.

    It is by going after the real leaders and organizers one by one that one can limit the operational possibilities of a terrorist organisation, because they can't be replaced as easily as another disgruntled fighter taking up the gun or bomb of his fallen comrade in arms. And to do that you need the top 100 tracklist throughout the US, Europe and the partners.

    Nobody seriously has a problem with tracking the most dangerous terrorists but many people have a problem with the fact that some want to watch everybody all the time as if they all can turn into a terrorist one day. 

    And if the intelligence agencies have an instrument by which they can concentrate their resources on immediate dangers and the biggest organizers they can submit court orders for all the rest if they still need it.