
  • DDOS a DNS server of an ISP : easy and efficient

    and we continue the orange day

    " MANY OF Eircom’s 500,000 internet subscribers have been left offline or experienced delays in web browsing at times this week because of a suspected attack by hackers.

    Some customers who tried to connect to popular sites such as RTÉ, Facebook or Bebo were redirected to incorrect websites, often displaying images of advertising or scantily clad women.

    The company blamed the problems on “an unusual and irregular volume of internet traffic” directed at its website, which affected the systems and servers that provide access to the internet for its customers.

    Internet discussion groups speculated that the problems were caused by a hacker accessing Eircom’s domain name server (DNS) system through a denial-of-service attack."

    They should be behind different routers in different parts of the network, with load balancing and failover procedures. If they are concentrated they are vulnerable. It is easier to DDoS an ISP's DNS servers with half a million zombies than to attack some website. For the attacker the advantage is that you can either disrupt the traffic (stop it) or, with certain attacks, redirect it (to a porn site, for example). In the latter case the investigators should follow the money.

  • DDOS attacks by zombie network against South Korea and US sites


    If your network or sites have regular connections to those sites in a way that is not normal, then you have infected zombies on your network.

    [Attack site list]
    Cheong Wa Dae, the Ministry of National Defense, Foreign Affairs and Trade, Republic of Korea National Assembly, U.S. forces in Korea, Naver blog, Naver mail, bank, internet banking, internet banking, Shinhan Bank, Korea Exchange Bank, internet banking, the Grand National Party, the Chosun Ilbo, the auction

    Banking.nonghyup.com (bank, internet banking)
    Blog.naver.com (Naver blog)
    Ebank.keb.co.kr (Korea Exchange Bank Internet Banking)
    Ezbank.shinhan.com (Shinhan Bank, Internet Banking)
    Mail.naver.com (Naver Mail)
    Www.assembly.go.kr (Republic of Korea National Assembly)
    Www.auction.co.kr (auction)
    Www.chosun.com (Chosun Ilbo)
    Www.hannara.or.kr (GNP)
    Www.mnd.go.kr (Defense)
    Www.mofat.go.kr (Foreign Minister)
    Www.president.go.kr (Blue House)
    Www.usfk.mil (USFK)

    (Transformation may vary depending on the attack website)
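    To turn the list above into a check for your own network, here is an added example (not code from the Belsec post) that reads a constructed proxy/DNS log in `<epoch> <source ip> <hostname>` form and flags internal hosts that hit the listed sites repeatedly, or hit several of them within a short window; the thresholds are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict

# Hostnames from the attack site list quoted above, lower-cased.
TARGETS = {
    "banking.nonghyup.com", "blog.naver.com", "ebank.keb.co.kr",
    "ezbank.shinhan.com", "mail.naver.com", "www.assembly.go.kr",
    "www.auction.co.kr", "www.chosun.com", "www.hannara.or.kr",
    "www.mnd.go.kr", "www.mofat.go.kr", "www.president.go.kr",
    "www.usfk.mil",
}


def parse_line(line):
    """Constructed log format: '<epoch seconds> <source ip> <hostname>'."""
    ts, src, host = line.split()
    return int(ts), src, host.lower().rstrip(".")


def is_target(host):
    """Exact match or a subdomain of a listed host."""
    return host in TARGETS or any(host.endswith("." + t) for t in TARGETS)


def find_zombies(lines, min_hits=20, min_distinct=3, window=60):
    """Return {source ip: (hits, distinct targets)} for every source that, within
    any `window` seconds, either contacts listed hosts `min_hits` times or
    contacts `min_distinct` different listed hosts.  Thresholds are assumptions:
    a browsing user rarely touches three Korean bank/government sites in a minute."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, host = parse_line(line)
        if is_target(host):
            per_src[src].append((ts, host))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it covers at most `window` s.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            distinct = {h for _, h in span}
            if len(span) >= min_hits or len(distinct) >= min_distinct:
                flagged[src] = (len(span), len(distinct))
                break  # one flagged window is enough for the report
    return flagged


# Constructed sample: 10.0.0.5 hammers the Blue House site, 10.0.0.9 touches
# three listed hosts in 10 seconds, 10.0.0.7 is a user reading a Naver blog.
SAMPLE_LOG = (
    [f"{1246939200 + i} 10.0.0.5 www.president.go.kr" for i in range(25)]
    + [
        "1246939210 10.0.0.9 www.usfk.mil",
        "1246939215 10.0.0.9 www.mnd.go.kr",
        "1246939220 10.0.0.9 ezbank.shinhan.com",
        "1246939230 10.0.0.7 blog.naver.com",
        "1246939231 10.0.0.7 www.example.org",
    ]
)

if __name__ == "__main__":
    for src, (hits, distinct) in sorted(find_zombies(SAMPLE_LOG).items()):
        print(f"{src}: {hits} hits on {distinct} listed host(s) inside 60 s")
```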



    Yep, we stay at orange. You will have to take care if you want to continue with the same insecure and unmonitored situation. Too many things are possible and too many things are happening at the same time.

  • Meanwhile you should also update your OpenSSH

    There has been a wave of OpenSSH attacks and scanning - even in Belgium - and nobody seems to know what or why. There are some rumors and there is some discussion over at the Internet Storm Center, but it is not all clear yet. The rumor is that a zero-day has been discovered for OLDER versions of OpenSSH. This means there is no patch, but you can upgrade, which will solve the issue.

    I know it is a lot of work, but it is work that you have to do; otherwise there will be much more work to do when you become the stupid victim of an announced attack.

    Do the right thing. Upgrade to the latest versions.

    PS: what is strange about the OpenSSH scans is that they are scanning a whole set of ports, not only the traditional one. Probably to find the servers that were moved to another port so as not to be found by scans. That means these guys are smart.

    Rumor tells us that Black Hat US may be the place where more information about this attack will be released. That is promising. It looks like this Black Hat conference will become a hell of a show (anyone interested in sponsoring my trip :) )
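    The upgrade advice above only works if you know which of your own servers still run an old OpenSSH. The following is an added example (not code from the Belsec post) that parses the SSH identification banner each server sends, and reports every host below a minimum version; the sample inventory is constructed, and the default minimum of 5.2 is my assumption for the current release at the time of the post.

```python
import re
import socket

# OpenSSH identification string, e.g. "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
)


def parse_openssh_banner(banner):
    """Return (major, minor, portable) for an OpenSSH banner, or None when the
    server is something else (dropbear, a commercial SSH) and needs its own check."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")), int(m.group("portable") or 0))


def fetch_banner(host, port=22, timeout=3.0):
    """Read the identification line a server sends first, to build the inventory
    of the hosts you administer.  Network call, not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256).decode("ascii", "replace")
    return (data.splitlines() or [""])[0]


def outdated(inventory, minimum=(5, 2)):
    """inventory: {host: banner}.  Return {host: parsed version or None} for every
    host running OpenSSH older than `minimum` (major, minor), and for every host
    whose banner is not OpenSSH at all, so nothing is silently skipped."""
    result = {}
    for host, banner in inventory.items():
        version = parse_openssh_banner(banner)
        if version is None or version[:2] < tuple(minimum):
            result[host] = version
    return result


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = {
    "web1": "SSH-2.0-OpenSSH_5.2",
    "db1": "SSH-2.0-OpenSSH_4.3p2",
    "mail": "SSH-1.99-OpenSSH_3.9p1",
    "switch": "SSH-2.0-dropbear_0.52",
}

if __name__ == "__main__":
    for host, version in sorted(outdated(SAMPLE_INVENTORY).items()):
        label = "not OpenSSH" if version is None else "OpenSSH %d.%dp%d" % version
        print(f"{host}: {label}")
```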


  • We are orange for now

    This is to show that this is important, very important, and that you should treat it with the utmost urgency and do the necessary things now and not later.

    You have only a very limited timeframe.

    Once the professionals step in it is too late.

    and fridays are always very popular days for malware campaigns

  • and maybe keep away from the Chinese web

    It is for the moment the main starting point of these infections, and the redirects in other software go to Chinese sites (you can, for example, block everything in .cn with the exception of those sites that you surely need).

    The Chinese web is by all means one of the most infected and dangerous around, even more than Russia ever was. So going from blacklisting some .cn sites to whitelisting only the good .cn sites is a normal thing to do until they clean up their act.

    This doesn't mean that these drive-by attacks won't soon pop up elsewhere.

    It is just something you can do now and that will enhance your security afterwards also.

  • more news on this new big vulnerability

    It is used as a drive-by install/infection when you visit compromised sites (and as so many sites have such lousy security and don't care a bit, there are enough normal and trusted sites that could be compromised to install this or to redirect their visitors to download sites).

    There are already different versions and attacks underway

    "Samples seen thus far are being detected as Exp/VidCtl-A and Mal/JSShell-D. Several new variants of the exploit scripts are being proactively detected with these names"

    After the infection they try to download other malware, some of which may be detected. The goal is not to infect your machine with this exploit itself; it is to make your machine ready to receive a whole lot of other malware. It is like smashing a window to let the real thieves in.

    Some sites are already hosting examples of how it works

    "Metasploit has a module ready for it (can't link while at work).
    POC exploit that pops up calc.exe
    another POC

    A couple bits of yoinked code. I don't recommend running these as they are both taken from live sites hosting bad stuff (the links here are just fine though!):
    http://www.terminal23.net/2009/07/links_and_info_about_directsho.html source

    and the solution is easy - just kill it because

    "During the investigation, we identified that none of the ActiveX Control Objects hosted by msvidctl.dll are meant to be used in IE," Microsoft's Chengyun Chi wrote on the company's Security Research & Defense blog. "Therefore we recommend to kill-bit all of these controls."

    But hey, shouldn't we then do a real cleanup of all other dead code, and of code that only a small percentage of people use? Those people could activate it themselves, while for everyone else it stays deactivated.

    Be very careful with clicking on links while you are using IE.

    For the moment the malware that is served is old stuff, so for the moment it is amateurs who are doing these attacks. But when the professionals have their work ready and have figured out how to do it massively, without being detected, and how to make a lot of cash out of it, then it is a whole other ballgame.

    Meanwhile you have a very small timeframe to get your network or computer protected. Kill the code. NOW
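    The kill-bit workaround is a registry change, so here is an added example (not code from the post or from Microsoft) that builds the .reg fragment for a list of CLSIDs and checks a registry export to confirm the bit actually landed. The CLSIDs are placeholders; the real identifiers for the msvidctl.dll controls come from Microsoft's advisory. The key path and the 0x400 flag value follow Microsoft's documented kill-bit mechanism.

```python
import re

# Windows honours the kill bit for a control when this flag is set in
# "Compatibility Flags" under the ActiveX Compatibility key (KB240797).
KILL_BIT = 0x00000400
KEY_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
            r"\ActiveX Compatibility")


def normalize(clsid):
    return clsid.strip().strip("{}").upper()


def kill_bit_reg(clsids):
    """Build a .reg fragment that kill-bits each CLSID (merge it with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{KEY_ROOT}\\{{{normalize(clsid)}}}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\n".join(lines)


_KEY_RE = re.compile(
    r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\\{([0-9A-F-]{36})\}\]$", re.IGNORECASE)
_FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.IGNORECASE)


def unkilled(reg_export, clsids):
    """Given a `reg export` of the ActiveX Compatibility key, return the CLSIDs
    from `clsids` whose kill bit is absent or cleared.  Use it to verify that
    the workaround is really in place on every machine."""
    flags, current = {}, None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)
            continue
        flag = _FLAG_RE.match(line)
        if flag and current:
            flags[current] = int(flag.group(1), 16)
    return [c for c in clsids if not flags.get(normalize(c), 0) & KILL_BIT]


# Placeholder CLSIDs: the real identifiers are in Microsoft's advisory and are
# not reproduced here.
PLACEHOLDER_CLSIDS = [
    "{00000000-0000-0000-0000-000000000001}",
    "{00000000-0000-0000-0000-000000000002}",
    "{00000000-0000-0000-0000-000000000003}",
]

# Constructed export: first control kill-bitted, second present but cleared,
# third never written at all.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    print(kill_bit_reg(PLACEHOLDER_CLSIDS))
    print("still live:", unkilled(SAMPLE_EXPORT, PLACEHOLDER_CLSIDS))
```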



  • Your antivirus will NOT protect you against this attack for the moment

    Antivirus         | Version        | Last Update | Result
    a-squared         |                | 2009.07.05  | -
    AhnLab-V3         |                | 2009.07.05  | -
    AntiVir           |                | 2009.07.03  | HTML/Shellcode.Gen
    Antiy-AVL         |                | 2009.07.03  | -
    Authentium        |                | 2009.07.04  | -
    Avast             | 4.8.1335.0     | 2009.07.04  | -
    AVG               |                | 2009.07.05  | -
    BitDefender       | 7.2            | 2009.07.05  | -
    CAT-QuickHeal     | 10.00          | 2009.07.03  | -
    ClamAV            | 0.94.1         | 2009.07.03  | -
    Comodo            | 1538           | 2009.07.02  | -
    DrWeb             |                | 2009.07.05  | -
    eSafe             |                | 2009.07.02  | -
    eTrust-Vet        | 31.6.6596      | 2009.07.03  | -
    F-Prot            |                | 2009.07.04  | -
    F-Secure          | 8.0.14470.0    | 2009.07.05  | -
    Fortinet          |                | 2009.07.03  | -
    GData             | 19             | 2009.07.05  | -
    Ikarus            | T3.            | 2009.07.05  | -
    Jiangmin          | 11.0.706       | 2009.07.05  | -
    K7AntiVirus       | 7.10.783       | 2009.07.03  | -
    Kaspersky         |                | 2009.07.05  | -
    McAfee            | 5666           | 2009.07.04  | -
    McAfee+Artemis    | 5666           | 2009.07.04  | -
    McAfee-GW-Edition | 6.8.5          | 2009.07.05  | Heuristic.BehavesLike.JS.BufferOverflow.A
    Microsoft         | 1.4803         | 2009.07.05  | Exploit:JS/ShellCode.gen
    NOD32             | 4217           | 2009.07.04  | -
    Norman            | 6.01.09        | 2009.07.04  | -
    nProtect          | 2009.1.8.0     | 2009.07.05  | -
    Panda             |                | 2009.07.04  | -
    PCTools           |                | 2009.07.03  | -
    Prevx             | 3.0            | 2009.07.05  | -
    Rising            |                | 2009.07.05  | -
    Sophos            | 4.43.0         | 2009.07.05  | -
    Sunbelt           | 3.2.1858.2     | 2009.07.05  | -
    Symantec          |                | 2009.07.05  | -
    TheHacker         |                | 2009.07.04  | -
    TrendMicro        | 8.950.0.1094   | 2009.07.04  | -
    VBA32             |                | 2009.07.05  | -
    ViRobot           | 2009.7.3.1818  | 2009.07.03  | -
    VirusBuster       |                | 2009.07.04  | JS.BOFExploit.Gen

    You should update your antivirus and set its update interval as short as possible, so that signatures for all versions of this attack are picked up and distributed as soon as they are released.

  • urgent: remove ActiveX support in Internet Explorer - keep an eye on Windows Update

    There are attacks underway that use a real zero-day - that is to say, there is NO patch, only this workaround. The attacks are real, they will be increasing, and it will take some time before Microsoft has a patch ready that will satisfy all the different users (no criticism: other firms with less complex environments and products sometimes take much longer even to acknowledge that there is a problem).

    Microsoft has promised that an update will be underway soon but if you have critical machines (or use Firefox for the moment if you have both on your machine - I also switch between the two all the time depending on the issues and sites).

    The systems affected are 

    • Microsoft Windows Server 2003 Service Pack 2, when used with:
      • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
      • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
      • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
      • Microsoft Windows Server 2003, Web Edition
      • Microsoft Windows Server 2003, Datacenter x64 Edition
      • Microsoft Windows Server 2003, Enterprise x64 Edition
      • Microsoft Windows Server 2003, Standard x64 Edition
      • Microsoft Windows XP Professional x64 Edition
      • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
      • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows XP Service Pack 2, when used with:
      • Microsoft Windows XP Home Edition
      • Microsoft Windows XP Professional
    • Microsoft Windows XP Service Pack 3, when used with:
      • Microsoft Windows XP Home Edition
      • Microsoft Windows XP Professional

    But also read this, and you will see that it concerns nearly all machines:

    "Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure."

    For those, Microsoft has published a page with an online tool that applies the fix automatically, or the steps to follow if you want to do it yourself. A very nice idea, by the way; it should become common practice for all software security emergency workarounds.

    A reminder: in Windows 2003 and the newest Internet Explorer and Outlook, most websites are opened in a restricted zone, which mitigates the vulnerability. But as nobody is really sure what the attack does, how it works, and whether it behaves the same on all the different machines and infection paths, you can't be sure for the moment.

    It is never a good idea to use a critical machine to do websurfing. Surely not now.

    Everybody is raising the alert level. I know it is a holiday, but please do what the security people are advising. If they take the time to put out such an alert, then this is really dangerous stuff that could develop into a very dangerous situation.

    We will keep on reporting on Belsec - as this situation is serious and needs frontpage attention (if infection goes massive the lists and other indicators will go to security alerts).

    You can also read this: http://www.iss.net/threats/329.html. It says that attacks have been going on since the 11th of June, but I presume they have now become so massive that it is time to raise the alert and go beyond the normal patch routine.

    Prepare yourself for an immediate distribution of the patch on all your machines from the moment it is delivered. Organize your services, prepare the patching for your servers (maybe restart is necessary) and your laptops. This is a very good exercise.




  • KBC gets a Belgian politician in big trouble

    Schouppe, a secretary of state for Transport in the Belgian federal government, thought he was a smart guy when he ordered his local bank to sell his stock in KBC in May, just a few days before it became publicly known that the bank had to be rescued once again (and its stock crashed, of course).

    But he forgot that Belgian banks are obliged by law to inform the authorities when they think that transactions may be fraudulent. Banks can lose their license if they don't (and it is found out). No bank has ever lost its license, but I am not sure that means every bank informs the justice department directly when it thinks it sees a fraudulent transaction.

    So he was really surprised they actually did so.

    As a politician he should be proud they do the things they should do by law and didn't take the risk of being investigated for 'covering up'.

  • online holiday fraud : easier to stop than thought

    Some articles are appearing about Dutch sites that are being used as a vehicle to rent out apartments and houses in holiday countries that they don't have. So when the departure dates arrive, the sites disappear and the money is gone (in the case of morairaway.com the fraud is about 3.2 million euro).

    In Belgium holiday operators have to be licensed. Licensed holiday operators also have insurance, and there is a special commission if you have complaints.

    So you better stay with big operators or those linked with big travel operators (like railways and airlines) or those that have also an offline certified existence.

    But it shouldn't be too difficult to put up a certification procedure for online .be holiday operators. You still would have to include some privacy and security provisions but for the rest it would be more or less identical to the offline certification.

    They are doing it for the pharmaceutical sector.

    So why wait for Europe if you can do it yourself

  • grenz-echo.be the newspaper was hacked

    yeah they have forgotten to mention it but they were

    and they will be re-attacked and hacked again if they only changed a page


  • new Belgian phishtank watch service from Belsec

    After some work - and being convinced now that Belgian hosters are also so crazy as to host .cn and other such names, or are infected with zombies under that name - I have started collecting a list of all the ASN addresses that could be of use or that appear in attack lists. So I have made a collective watchlist on RSSmix.com.

    If you think that others should be included just leave a comment here and I will follow it up.

    You can find it here http://www.rssmix.com/u/252289/

    the link and postings about the findings will be posted at http://insecure.skynetblogs.be

    It already shows for the last days a versatel client that is heavily infected and used and another few sites that were hacked for phishing the last few days.

    Meanwhile the link database at diigo.com has passed the 20.000 mark

    In preparation for the coming weeks is also a list of a few thousand links to books at scribd.com, and a place where you can leave links and so on.

    There is even at http://proxy.skynetblogs.be our own hiding online webmail

    If some people want to help a few hours a week or month, contact me. Enough things to do or test.

  • Did major economic espionage at Goldman disturb trading for weeks ?

    It is a story that is bubbling underneath, just waiting to burst open. For more info you should read the original post. These are the main arguments and facts.

    "In the 5 days immediately preceding his departure from "Financial Institution" (potentially GS), Sergey allegedly downloaded 32 megs of ultra top-secret quant trading proprietary code, that, according to Special Agent McSwain's affidavit, he then proceeded to encrypt and upload to a website in Germany, with a UK owner. One can only imagine the value of this "code" not only to Goldman but to the highest bidder. After all, from the affidavit: "certain features of the [code], such as speed and efficiency by which it obtains and processes market data, gives the Financial Institution a competitive advantage among other firms that also engage in high-volume automated trading. The Financial Institution further believes that, if competing firms were to obtain the [code] and use its features, the Financial Institution's ability to profit from the [code]'s speed and efficiency would be significantly diminished." Needless to say, many others are now also likely hot on the trail of the code....

    Now the real question here is, does [GS?] feel lucky? Because the code has supposedly been in the hands of an outsider for over a month, one might suspect that anyone who wanted to has had ample opportunity - if the holder(s) wished to sell... Would that have anything to do with the even weirder than usual market action over the past 2-3 weeks: after all it is the very Goldman Sachs (which may or may not be the target of this program trading industrial espionage) which is the primary SLP on the world's biggest stock exchange.

    just a few remarks

    * the person was informed of his departure and still had access to the network and such information? And the access codes and encryption weren't changed when it became clear that someone was going to leave the firm.

    * ultra secret code that can be uploaded and decoded is not ultra secret. For ultra secret you need three things: where (in the office), who (your biometrics) and what (your smartcard). Otherwise it is just secret or confidential, but not ultra secret. It may be ultra secret, but it was not treated as such. Ultra secret stuff never leaves the office. That is why it is ultra secret.

  • new rights in the US for creditcard holders (how are yours ?)

    Here is a summary:

    • No more retroactive rate increases on existing balances for "any time, any reason" or "universal default" (rate increases when you miss a payment on another, different credit card)
    • Severely restricts retroactive rate increases due to late payment.
    • Contract terms must be clearly spelled out and stable for the entirety of the first year.  Promotional rates must be clearly disclosed and last at least 6 months.
    • Consumers get at least 21 calendar days from time of mailing to pay their monthly bill.
    • Prohibits late fee traps such as weekend deadlines, due dates that change each month, and deadlines that fall in the middle of the day (now it's always 5pm on due date).
    • Credit card companies required to apply excess payments to the highest interest balance first
    • Ends the confusing and unfair practice by which issuers use the balance in a previous month to calculate interest charges on the current month, so called "double-cycle" billing.
    • Card issuers must obtain a consumer’s permission to process transactions that would place the account over the limit.
    • Fees on subprime, low-limit credit cards will be substantially restricted.
    • Requires disclosure on fees for gift and stored value cards
    • Restricts inactivity fees unless a gift card has been inactive for at least 12 months.
    • Gift cards cannot expire in less than 5 years.
    • Creditors will give consumers clear disclosures of account terms before consumers open an account, and clear statements of the activity on consumers’ accounts afterwards.
    • Card issuers must display on periodic statements how long it would take to pay off the existing balance and the total interest cost if the consumer paid only the minimum due.
    • Card issuers must display payment amount and total interest cost to pay off the existing balance in 36 months.
    • Card issuers must make contracts available on the Internet.
    • Higher penalties if card issuers violate the law.

    I haven't read the entire law. There are a couple interesting things tacked on. One has to do with the right for licensed gun owners to carry a gun in a national park. The other is Section 603 which appears to allow the FDIC and NCUA to borrow more funds, from $30 billion to $100 billion; not sure what that's about but I assume it has to do with allowing them to save more failing financial institutions.

    Read up on the bill (S.414 and H.R. 627) at the Library of Congress.


  • twitter network and services face a month of bugs


    A month of Twitter bugs is organized on this blog and the worms are coming out of the can, but there are already two very interesting things to say:

    * the importance of XSS bugs should not be underestimated, and it is a pity the applications, and the communications between the applications, were not tested for these bugs beforehand. There are already enough tools to do that. It should become mandatory in every web deployment.

    * the ease with which access to the Twitter network is given to other applications that do not necessarily abide by the same, or any, security rule is a big risk for such an important network. Some certification and communication guidelines should be developed if the network is going to survive.

    It is also remarkable that so many bugs can be fixed in less than 24h. It makes you wonder why they didn't do this before launching their web service.

    Web2.0 : there are worms and holes and something rotten but they are hidden under a new look and feel.

    By the way, I like the idea of the month of bugs because it mobilizes attention, new tests and attack possibilities. It was a year ago, during the month of eID, that we discovered not only that all the propaganda was crap, but that the security concepts were crap and that the hardware infrastructure for the users was not certified and sometimes not even safe. Since then not much has changed.....

  • ehealth is just another (insecure) network service

    and the same things that happen with any other network or data happen with ehealth

    "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job."

    the only question is in how far you are ready to protect it as if it was your own gold

    or should we 'just trust' and shut up

  • What to do to prepare for the flu

    A. Do you have a VPN at your network ?

    Yes. Start to make it work for most of the people. Already insert their rights, upgrade your license, inform them how it works.

    No. Buy one now and do all the things described here above.

    Check your security (firewall, IDS, antivirus) and make sure that all the information that is needed is on the servers and accessible to anyone who needs to work with it (rights on the folder or document). If you have Windows Server 2003 or higher, activate SharePoint.

    B. Do you have telework arrangements ?

    Yes. Generalize them and make them less specific and less stringent. People will call in to say they are feeling a bit sick and are awaiting the doctor, and maybe the results of the test a few days later. If these tests are positive, all the persons who were in contact with that person will have to be sent home.

    No. Do not start writing detailed rules. Just use these three.

    1. When feeling sick, stay or go home and await the test. If capable, work from home. Come back only if the test is negative or the cure is finished.

    2. When sent home, stay home until further notice or until you receive a negative test. If capable, work from home.

    3. When you have to stay home because members of the family are infected, or public transport is unreliable or has just stopped, work from home if capable.

    You will have to organise for about 10 days of isolation for each sick person. It would be good to have some material in reserve (faxes, laptops and mobiles, printers and scanners).

    If you have paid your workers for their ADSL connection at home you are in a very good situation; if you haven't, you can only hope they have one and are willing to use it.

    Be flexible as long as someone seems to be doing everything to do his work, whether from home or on the job.

    C. Re-organize yourself

    Reduce the number of meetings and isolate important personnel from all others inside your infrastructure. The less contact they have with others while the epidemic is in full swing, the better (use the phone, the webcam, the mail, the net, the fax). They should even be housed in expensive hotels so that they don't have to go home.

    Invest in hygiene in the office and teach people to wash their hands several times a day. Distribute real protective mouth masks (the clinical ones, not the others) if infections are spreading in your region or among your staff.

    Re-organise so that essential services can always continue or be outsourced.

    Do not underestimate the impact if this really gets into full swing.

    And if nothing happens. There are three reasons you should be happy you have done this

    * you have heightened productivity by diminishing the out of office or in a meeting situations

    * you have externalised your office

    * you have indexed the critical information and functions and workflows in your environment and put processes in place to keep them functioning.

  • testing for swine flu in Belgium seems to be expensive

    This is the situation

    The vaccine itself will be free for some categories of people (the elderly, children, ....)

    The normal flu test is free in many institutions and enterprises. But for the others it is being paid back for the greatest part.

    The swine flu test is expensive and according to medical sources NOT being paid back for the most part.

    So how do you want people (one third of our population) to take such tests ? Especially if you say in public as the big chief doctor that for the most of the infected people they will only be a bit more sick ? And by doing so how do you want to monitor the development of the epidemic across the population and country and be able to take specific actions ?

    Call in the army. Get them back from around the world to set up vaccination centers around the country. Millions of people need to be vaccinated before 3 million infected people start to walk around. Get the UN in here. This is disaster country. :):)

    seriously. This is a sick joke.

  • the swine flu panic is spreading in some heads

    So we had the fabulous remarks by our scientist-superdoctor-crisis manager Van Riest who, after months of losing time in press meetings (wasn't I good?), decided it was time for a wake-up call in case we would have in September not hundreds but thousands of people infected, and it would become clear that the preparation process is just virtual in comparison with the number of 3 million infected people in Belgium.

    I don't believe this number. This number is based on nothing, and it is a scandal that someone launches numbers like that without having any scientific basis to refer to. It is panic mongering, and even worse because the person himself was responsible for the non-communication before and the non-preparation situation we find ourselves in.

    So with the full holiday season in swing, what will happen ?

    * will all essential personnel in the army, police, doctors and administration see their holidays suspended until further notice?

    * will no politician or important person leave the country to lower the risk that important or necessary persons become infected ?

    * will everybody rush to the pharmacies to buy whatever there is against the flu just to be sure to have anything. Will people begin stockpiling food and water because with 3 MILLION People infected the whole distribution process will break down.

    * will people rush to the bank to get their money because in september with 3 million people infected around here most of the banks will be closed and everything will have to be done online

    * will all holidays and conferences (European capital) be suspended because Belgium would be the most swine-flu-infected country in the world? And I propose to change the name from Mexican flu to Belgian flu in that case.

    Come on, this is totally ridiculous. I propose to hire a professional crisis communication manager to take over the communication process and its handling, and to let the doctor do what he does best: medical analysis for policy makers.

    You will find more documents in the links about the flu at your right and in http://ebooks.skynetblogs.be. The US documents and WHO documents are rather impressive if you compare it with ours....

    Lots to worry about .

    The schools got no instructions yet. The kindergartens got no instructions yet. The doctors just got some, but it is the communes that will have to organise it (they never had any real training for something of such an impact over such a long period of time). The administrations didn't get a letter with instructions so that they would have to act. The hospitals have plans some laugh about.... especially with one in three infected around here. And so on and so on.

    If you were reading this blog, you were warned months ago that this would spill out of control. But we never said one in three.... There is NO basis for this.

    Just to add: a scientific US article said that for their country they arrive at 1 million infections. So how could our country have 3 million infections (out of 10 million inhabitants)? How could our country have a much higher infection rate than Mexico or any other country?

    Close the borders. Close the airports. Stop the trains. Get out your guns :):):)

  • which cities are actively preparing their own domain extension

    A number of them can be found here, where they propose a step-by-step implementation of this new framework.

    The biggest fear is that there is so much to do and to decide that if one waits until everything has been decided, nothing will come of it.

    That aside, one should at the very least have all the security, piracy and responsibility issues totally worked out and cleared. We already had malicious ISPs, hosters and domains. We don't need malicious TLDs as well.

    Flanders is for the moment still studying the issue. But as the Belgian .be domain has been securing its operations and is responding quite fast to some infractions, any new extension will have to be at least as secure as the .be domain space. This will require an investment that will have to be accounted for.