- Page 2

  • Aerospace firm eurair.be infected with JS/iFrame.bzw.51 and googleblocked

    BMT Aerospace - Aerospace Gears and Gearbox assemblies
    www.bmtaerospace.com/ - Vertaal deze pagina
    Deze site kan schade toebrengen aan uw computer.
    ... subsidiaries which are located in Romania (BMT AEROSPACE Romania), Belgium (BMT Aerospace - EURAIR) and the United States (BMT Aerospace USA).
    Operator oppervlaktebehandeling - BMT Aerospace
    Bestandsformaat: PDF/Adobe Acrobat
    Deze site kan schade toebrengen aan uw computer.
    ... naar: hr@bmtaerospace.com t.a.v. Mevr. Karine Tas. BMT Aerospace International NV – Kampveldstraat 51 – 8020 Oostkamp http://www.bmtaerospace.com.
    Deze site kan schade toebrengen aan uw computer.
    Deze site kan schade toebrengen aan uw computer.
    BMT Aerospace – Romania Division. Bulevardul Chimiei 6 660 Iasi Romania.

  • if you read this description of a backdoored infection of a macintosh, would you feel safe without protection ?

    this threat likely starts with an exploit to get it past Gatekeeper. Once on a system, it sets up a reverse shell. That is to say, rather than announcing to the controller that the machine is infected (because the machine has been targeted and they already know where it is), the controller periodically contacts the infected machine to perform commands. Initiating the contact from outside the affected machine potentially helps it get past firewalls. This part of the threat is comprised of clear text Perl scripts, which means it’s fairly easy to spot if someone knows what to look for.


    So that’s where the second part of this threat comes in. The binary component uses a modified version of existing tools (namely OpenSSH 6.0p1) for creating a secure connection to encrypt the traffic so that it is much better hidden. The tool is further hidden by placing the file in a directory that is usually used for printing, so that if anyone sees a list of processes contacting the network, it will appear as if the affected machine is simply printing from a networked printer. This version of the tool also has been modified so that it will not save a log of its command histories.


    The threat encrypts traffic with the command and control channel by use of an RSA key.

    so it install a reverse shell on a machine - and no securitytool reacts to that

    the machine is contacted from external websources - and that is not blocked by the firewall

    it sends encrypted SSH traffic outside - through the firewall

    it accepts perl commands in clear text - through the firewall

    and RSA has given them an RSA key to hide even better

    you will have to block corp-aapl.com (but which has been overtaken by securityservices and is blackholed)

  • cyberwar is not only over at the other side of the ocean, also EADS attacked

    Deutsche Konzerne verzeichnen nach Erkenntnissen der Bundesregierung immer mehr Angriffe chinesischer Hacker. Vor einigen Monaten habe es "eine bemerkenswerte" Attacke auf die Rechner des Luft- und Raumfahrtkonzerns EADS gegeben, bestätigten Unternehmenskreise dem SPIEGEL. Offiziell spricht EADS von einem "Standardangriff" und schweigt zu einem möglichen Schaden. Der Vorgang war aber so gravierend, dass EADS ihn der Bundesregierung gemeldet hat.

    there are also Belgian firms part of that consortium

  • Ogone inspires Mastercard to build global mobile payment platform

    Ogone is a service provider for websites who make it possible for them to take payments whatever the person is using as traditional payment system, making it for the webshop owner easier to handle and let it focus on the customer experience, content and marketing instead

    Mastercard will have thought that the total chaos in standards and solutions in the mobile payment field will have as an only effect that ti won't be used and that it is better to build a big protected castle than to have tens of different solutions who may over time pose problems with privacy, security and upgrading or integrating.


  • the blackberry breach by Indian gov could become a total breach

    they want all of it

    and how to know if that information is not shared with agencies that normally have no access to blackberry traffic

    "In late 2012, back when it was still officially known as Research in Motion, the company behind BlackBerry handsets worked with the Indian government to enable surveillance of Blackberry Messenger and Blackberry Internet Service emails. But now India’s authorities are complaining that they can only spy on communications sent between the estimated 1 million BlackBerry users in India—and they want a list of all BlackBerry handsets across the globe.



    Each BlackBerry handset is allocated a unique PIN that can be used to send messages for free to other BlackBerry users. The service has caused security concerns because these messages, sent encrypted over special servers, can be difficult to intercept and therefore used by criminals to evade surveillance. However, though India’s government says its spooks have now been provided with a list of all Indian BlackBerry users’ PIN codes—meaning monitoring communications of these users is now feasible—the authorities don’t have PIN codes of foreign users. That makes it difficult for them to identify and eavesdrop on messages sent between India and people in other countries. And that’s what they want to change.

    blackberry had a local problem that is now expanding to a global problem because India has nothing to do with a Belgian Blackberry if it is has no traffic with an Indian one and is not under monitoring for some normal reason (drugs, terrorism, .....)

  • lacking itsecurity on oilplatforms make it a haven for malware

    Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment, cybersecurity professionals told the Houston Chronicle.


    The worst-case scenario could be catastrophic: A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives, experts said.




    Some of the infected files - from online sources featuring pornography or music piracy, for example - have been downloaded directly through satellite connections. But other malware was brought aboard on laptops and USB drives that were infected on land.

    it is just waiting for the first real accident on those platforms

  • upgrading your television with a kit ..... example samsung smart tv

    Samsung's Evolution Kit, which was introduced at CES 2012, is a plugin that can transform Samsung Smart TVs from its 2012 range into models with the latest features from this year's line. The firm says that each kit can be plugged into the back of an older television, and includes hardware enhancements including improvements to CPU and GPU which will give users faster speeds when surfing the web or using apps.

    The Evolution Kit will also bring improvements to the Smart Interaction features, including voice control and motion control.


    maybe now they will think about a blackbox that would monitor what we are doing online or with our tv or send messages to us by tv (changing the news for example) or am I watching too much big brother

  • will Samsung Knox knock Blackberry out of the workplace ? I doubt it

    To achieve a similar end as BlackBerry's balance system, Knox allows IT admins to keep employees' personal and work data completely separate by operating at the application layer level. Samsung said keeping the information separate helped mitigate the threat of data leakage, viruses and malware attacks.


    The system, which incorporates an enhanced security version of Android developed by the National Security Agency (NSA), also supports integrity management services on a hardware and Android OS level. It will also play nicely with existing MDM, VPN and directory services, Samsung added.


    "Easily accessible via an icon on the home screen, the Knox container offers a variety of enterprise applications in a secure environment, including email, browser, contacts, calendars, file sharing, collaboration, CRM and business intelligence applications," Samsung said in a statement.

    it aludes on Fort Knox

    first I don't think international organisations will install an OS that has been developed by the NSA if they have even a low level of paranoia

    secondly it has to be proven to be secure, not described as secure and so it will have to be testen before

    thirdly the advantage of blackberry is twofold. First that it has its own network - while Samsung uses that of the official service providers who have legal obligations to their respective politicial regimes (except for India where Blackberry has lost that advantage) and that it is unbreakable if it was not connected to a pc and has only very controlled updates from the internet (and has checked the function that are three wrong logins it will swipe all the information on the blackberry)

    that is real hard security, all the rest is securing a product which is good but that is not the same as a secure product (if you understand the difference)

    which is why in many workplaces people have a blackberry for sensitive communications and a samsung or ipad to play with and so they probably change their old samsungs for a new one but will they leave their blackberry ? I doubt it because the cost of losing sensitive information is not something you can calculate and the cost of a blackberry is peanuts compared to even the first hour of incident managment

  • FTC in the US after the HTC case now organizing major forum on mobile threats

    FTC to Host Public Forum on Threats to Mobile Devices on June 4


    Forum Will Address Threats to Smartphones and Other Devices from Viruses, Malware


    The Federal Trade Commission will host a one-day public forum on June 4, 2013 addressing malware, viruses and similar threats facing users of smartphones and other mobile technologies.


    As the use of mobile technology increases at a rapid rate and consumers take advantage of the technology’s benefits in large numbers, it is important to address potential threats that exist today, as well as those that may emerge in the future. The forum will bring together stakeholders such as technology researchers, industry members and academics to explore these issues.


    The forum will focus on the security of existing and developing mobile technologies and the roles various members of the mobile ecosystem can play in protecting consumers from these types of security threats. The forum will serve to inform the Commission about the current mobile security environment and facilitate an exploration of potential challenges that may arise as consumer use of mobile technology continues to grow.


    The Commission invites technology researchers and other interested parties to recommend topics for discussion and to submit requests to serve as panelists on a wide variety of topics affecting U.S. consumers. These could include emerging mobile security threats and trends, security challenges in the mobile environment and infrastructure, potential solutions to mobile threats, password and authentication strategies for lost or stolen devices, industry best practices for preventing or reducing risks associated with mobile devices and next generation products and services. 


    Recommendations for topics for discussion and requests to serve as panelists should be submitted electronically to mobilethreats@ftc.gov by March 28, 2013, and should include information about the parties’ expertise on the issues they propose to address, and complete contact information. The Commission will select panelists based on expertise and the need to represent a range of views about the issues. Panelists selected to participate will be notified by April 23, 2013.  For questions, contact Emily Cope Burton at 202-326-2728 or Colleen Robbins at 202-326-2548. The FTC also invites those interested to submit written comments to mobilethreats@ftc.gov on any of the topics mentioned above.

  • android has the same problem as Joomla, too many developers "hacking" it

    The Federal Trade Commission announced Friday that it had settled charges that HTC America had inadequately secured its smartphones and tablets, leaving sensitive user information vulnerable to malicious programs.

    Regulators said that HTC had modified the operating systems on its mobile devices, adding features that left customers vulnerable to applications that can secretly collect information such as call logs and location data. The case highlights growing concerns that the fractured nature of popular smartphone platforms, in which manufacturers customize Google’s and Microsoft’s operating systems, can leave an opening for hackers.

    the problem with android is that you have no simple secure root - a clean android version that hasn't been tweaked, adapted, changed for the 'good ideas' of some marketing people without checking with any security process afterwards.....

    and if you read what HTC has to do now, it is just good practices

    if HTC would have been carmakers, they would been sued out of business

    "The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices. In addition, the settlement requires HTC America to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years.

  • android wins the wireless OS race but will it lose the security race

    For the moment Android has won the installation race

    but that is only part of the story

    as mobiles are used more and more for payment and authentification people and businesses (for their workers) will become more and more securitysensitive and will start asking the hard question

    do I want to use that environment with my personal or professional information on ? Or having connections to it ?

    and than just as Gates did Google will have to call the security-army in and just as Oracle for Java will have to get a whole new security-infrastructure, marketing and testing and development infrastructure and campaign on off the ground

    it is good getting all that money in and spending it on servers and your shareholders but if you don't invest in security, you are not investing it in your future and so your success can melt away very fast

    and blackberry may come back in the picture .... if it stays as secure

  • ALERT for high security and sensitive networks : New Zeroday for Java that could be exploitable bypass ?

    The firm that publishes its announcement said that it has sent two new zerodays in the last version of Java (and probably they will have to turn around the box inside out because I presume there will be a lot of others to be found because the fact that they are coming at this pace means that they were riddled with bugs that nobody found important because nobody was using them and they considered that hackers had other things to do)


    - Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 54 and 55).
    - Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
    - Oracle provides a monthly status report for the reported issues. The company informs that Issue 51 is under investigation / being fixed in main codeline. The report does not mention Issues 54 and 55 yet.http://www.security-explorations.com/en/SE-2012-01-status.html

    what does this mean

    * that Oracle is now being attacked because of its enormous javapromotion campaign telling that it is totally cross and is the only one that works on all systems and on all browsers (except IOS where you have to install it) and what kind of an attackplatform does an attacker need ? that one .....

    * that firms and networks with highly critical information will have to block java on all their machines Java untill more information has been given because those zerodays have been used by hackers to penetrate systems like Facebook, Microsoft (Macintosh platform division) and a whole series of implied but not disclosed others. THe hackers may find soon the same mistakes once they have understood which tools and techniques those researchers use (and frequently publish about probably)

    * that Oracle if it is going to invest in Java as a secure product and platfrom will have to change from responsive security (responding to attacks and information) to offensive security (attacking yourselfs the problems and taking a very aggressive stand in getting the securityupdates out, the programmers and securitypeople informed and building an internal security 'army' that will set up a whole securityprocess from communication, development of protection tools to rechecking every line of code and bug and attack possibility)

    we should also remind our readers that on scumware.org you will see that java is one of the most popular tools nowaday to infect websites with so they can infect their visitors who haven't updated their java yet

  • US ISP's introduce punishment system for individual copyright breaches

    What happens after the first Alert?
    If the alleged behavior stops, no additional Alerts will be sent. If the activity continues, you will receive additional Alerts. Those Alerts will be more prominent and will inform you how to address the activity that is causing the Alerts. If you fail to stop the infringing activity, the Alerts will ultimately result in a “Mitigation MeasureActions that an ISP may take if allegations of copyright infringement persist. May include: a temporary reduction in Internet speed; a temporary step-down in Internet service tier; redirection to a landing page for a period or until the subscriber contacts their ISP or completes an online copyright education program. ” – an even more prominent notification and educational activity intended to further deter the behavior.


    How long will I continue to receive Copyright Alerts?
    Once the alleged behavior stops, no additional Alerts will be sent. If the behavior continues, you may receive up to six Alerts culminating with a Mitigation Measure.


    What is a “Mitigation Measure”?
    Mitigation Measures are intended to further emphasize the need to cease infringing activity over your Internet connection. The measures differ for each Internet Service Provider (“ISP”) but may, for example, take one of the following forms:


    • A temporary reduction of Internet speed;
    • Redirection to a landing page until the primary account holder of your account contacts your ISP;
    • Redirection to a landing page where the primary account holder must review and respond to educational information.


    While the ISPs can modify the Mitigation Measures in a manner consistent with their own policies, ISPs will not use account termination as a Mitigation Measure

    well this will be interesting because it will open a whole can of beans especially in the US with al their jurisdiction

    it is mostly a method to scare the newbies away from filesharing and to oblige them to learn how to do it as a pro and it will also make it totally notdone to open your accounts on youtube and others with identifiable accounts if you were using it untill now as a place for your files

    private sharing like mega.co.nz and others propose will be much more en vogue now and windows8 is in fact making it even more easy for the newbie .....

    it will be much more copy-and-run actions (you get on your mask - you grab what you can - and you lay down and do as if nothing happened)

  • this is also happening in Belgium - hacking emailaccounts to ask money from their friends

    this was with a defence correspondent for an English newspaper

    "Last week, I was in Limassol in Cyprus - allegedly - and had my passport, wallet and other essentials stolen.


    I say allegedly because I was at my office in London. However, hundreds of contacts were being told of my distress via my Gmail account, suggesting they should pony up to help me get back to Britain.


    Within minutes, the hackers were into a Yahoo! e-mail account - which I used to back up the Gmail account - and turned my identity inside out.


    They not only changed my password but all my security details, so I can’t get into the account and I can’t close it. Those who replied to the distress call were told to e-mail via the Yahoo! account and asked to pay €500 into a bank account in Limassol. One person - a senior member of the Armed Forces - did, a man very knowledgeable about cyber-espionage.

    and the man so knowledgable about cyber-espionage didn't call the man first before answering the email and transferring the money - even if it says that the mobile has been stolen - it doesn't mean that is actually the case

    it is by effectively calling all the numbers we had of our friends "in need' that we discovered that they were not on holiday and were at home trying to keep their friends (hundreds of them online) from paying

    as they didn't have any access to the Yahoo account, they did their best but as these people weren't the same as their facebook contacts it was very difficult (and you have to pay to be able to download your mails and contacts)

    they couldn't get their yahoo account back so they just have set up a new one - and resecured their total digital environment

    Yahoo and others should take notice that a phone number is just one number and that there should be some offiical - through police complaints - way of recuperating or just blocking an emailaccount (awaiting further investigation) - just asking for a mobile number (Google) is giving a false impression of security

  • BOYD in a time of intensive commercial espionage ? Be pwned and sorry....

    The folks at security tools company Pwnie Express have built a tablet that can bash the heck out of corporate networks. Called the Pwn Pad, it’s a full-fledged hacking toolkit built atop Google’s Android operating system.


    Pwnie Express will be selling the cool-looking hack machines — based on Google’s Nexus 7 tablets — for $795. They’ll be introduced at the RSA security conference in San Francisco next week, but Pwnie Express is also releasing the Pwn Pad source code, meaning that hackers can download the software and get it up and running on other types of Android phones and tablets.


    Some important hacking tools have already been ported to Android, but Pwnie Express says that they’ve added some new ones. Most importantly, this is the first time that they’ve been able to get popular wireless hacking tools like Aircrack-ng and Kismet to work on an Android device.

    mini hacking tools with major made available on the open market

    they call it a service for pentesters because the hackers already know it

    why not ask for registration ? even if it is free....

  • thinkmedia.be and other .be sites infected with trojans that infect their visitors

     URLMD5IP Threat 
    2013-02-24 14:58:42 http://www.eurair.be/EN/35/0/belgium.aspx 4DFCDEF6296750D10FCBC103D933DC35 BE JS/iFrame.bzw.51
    2013-02-24 14:46:43 http://www.zandstraalshop.be/Verlichting-N_grp_8_15-1.htm
    984E2A8A96FE408677E77AF972CAAB4E NL JS/iFrame.bzw.56
    2013-02-24 14:04:29 http://www.shaw.be/Files/31e.html ABAB0212080B20F4D949083A5F58CC3D BE Trojan-Downloader.JS.Agent.gvn
    2013-02-24 14:02:42 http://nieuwsbrief.thinkmedia.be/che/123/ A9FEF50B844A171CEEA97E771339E517 MT Troj/Iframe-JG
    2013-02-24 13:49:57 http://www.sjbbasis.be/mainFrame.htm 2078A1B0B90C6874804278EA6E37AAD1 BE Troj/Iframe-JG
    2013-02-24 13:43:15 http://users.skynet.be/fc077696/pages_htm/cen.htm 7BF1873D78300AF387A5738C428FC5E6 BE Troj/Iframe-JG
    2013-02-24 12:36:38 http://www.maesenzoon.be/ - BE Trojan.Iframe.BMY
    2013-02-24 10:28:25 http://makeyourvideoviral.blogspot.be/2013/01/2k-vids.htm
    852B2ECCF680DCEC61E7678CE7671C7F US JS:Trojan.JS.Iframe.CU
    2013-02-24 09:45:17 http://www.pixx.be/calender/calendar.php D5683CDDC80D030E1C3C76F2BB3B733F DE Trojan.Script.KD
    2013-02-24 08:23:52 http://druk-rypens.be/ 84C069804853101DC397C2C5ABD82418 BE Trojan.Iframe.BMY
    2013-02-24 08:10:52 http://www.dansstage.be/components/com_rsform/assets/js/s
    21D81EA90AD706ACBACBC9C0133B8298 FR Troj/JSRedir-JU
    2013-02-24 07:59:26 http://users.telenet.be/on3pgo 114E6607F04B5FBDB66291BAB1E399F0 BE JS/Kryptik.CB trojan
    2013-02-24 06:44:52 http://www.faculte-islamique.be/js/maxheight.js BABDBF9B7D2DB00CC803BC78F9D8A8ED FR Trojan.Iframe.BZW
    2013-02-24 06:23:24 http://www.boxspringshop.be/promotie-de-voordeligste.html 4A553D0BB5D2B62CBDC803BBDBCA3C3C NL Trojan.Iframe.BMY
    2013-02-24 06:18:34 http://www.coursgestiondebase.be/ 677DFCFE040C744EB690EDE6A3C5A5E7 FR Trojan.Iframe.BMY
    2013-02-23 23:34:59 http://aqua-sport.be/ 9224ED0BB86C88BA10C56EFE77AE5F57 BE JS/iFrame.bzw.48
    2013-02-23 20:16:06 http://www.multituin.be/ 7DC601670E03C7FD731DD01BDBDF80C8 BE Trojan.Iframe.BMY
    2013-02-23 18:14:31 http://www.superplastic.be/uploaded/carte_livraison.gif 96B1FA773D13F28F2A2B6DE8BABDAAF1 BE PHP/PhpSpy.A trojan

    source scumware.org

    thinkmedia.be is on the stockmarket :)

    there are userpages from Belgacom and telenet which shows that they will have to protect and inspect better their userwebsites

    there are online shops included

  • some infected and dangerous belgian sites to clean up (telenet and others)

    from scumware.org

     URLMD5IP Threat 
    2013-02-22 21:40:46 http://www.shaw.be/Files/16.html D3DFB1F168395BFEC8770C49428F66E8 BE Trojan-Downloader.JS.Agent.gvn
    2013-02-22 21:06:29 http://www.eurair.be/EN/33/0/jobs.aspx E9F1A4946F45D7DE851249C63547877B BE Troj/Iframe-JG
    2013-02-22 21:01:19 http://www.shaw.be/Files/38c.html 7DC94A57BA0696AF61427EB1D4C58662 BE Trojan-Downloader.JS.Agent.gvn
    2013-02-22 20:53:27 http://www.shaw.be/Files/41.html 942F4B45A2D88FF32AE3BB34DD8F4930 BE Trojan-Downloader.JS.Agent.gvn
    2013-02-22 20:08:16 http://www.shaw.be/Files/33b.html 0A79F4260AC68240FD05DD5D953FBCB0 BE Trojan-Downloader.JS.Agent.gvn
    2013-02-22 19:00:34 http://www.tan-tra.be/fr-links.htm 75BCBCACF12FFF356F8BC988C86B97C8 BE Troj/Iframe-JG
    2013-02-22 18:34:42 http://www.shaw.be/Files/35d.html 5B6738A82C397A43E73998D20231F3FD BE Trojan-Downloader.JS.Agent.gvn
    2013-02-22 18:29:22 http://www.holidayrent.be/main.html 439F7014F950F74BB3BC7CBC2BC81585 BE Troj/Iframe-JG
    2013-02-22 18:27:53 http://www.shaw.be/Files/37d.html AE5947EE82AD41957DFE1CFED4542E35 BE Trojan-Downloader.JS.Agent.gvn
    2013-02-22 18:24:19 http://www.shaw.be/Files/55.html D2DA217DA6C90515888E8EBA4B7F7BE8 BE Trojan-Downloader.JS.Agent.gvn
    2013-02-22 13:47:18 http://vgv.be/foto/20081122/album/index.html BCCE35AD12F2FF8E88DDD241533BEA0D BE JS/TrojanDownloader.Pegel.AA trojan
    2013-02-22 12:28:05 http://media.130kg.com/it/pdv/grosse/index.html?id=20792r C223B696913E3A3C632104FC43E5DC0E BE HTML/Infected.WebPage.Gen2
    2013-02-22 12:28:04 http://media.130kg.com/it/pdv/grosse/index.html?id=51514 C223B696913E3A3C632104FC43E5DC0E BE HTML/Infected.WebPage.Gen2
    2013-02-22 12:28:04 http://media.130kg.com/it/pdv/grosse/index.html?idq514 C223B696913E3A3C632104FC43E5DC0E BE HTML/Infected.WebPage.Gen2
    2013-02-22 12:26:16 http://media.130kg.com/it/pdv/grosse/index.html?id=19036 C223B696913E3A3C632104FC43E5DC0E BE HTML/Infected.WebPage.Gen2
    2013-02-22 08:18:58 http://users.telenet.be/dna19 7902A459E63CB589A585C0619EB61626 BE Trojan-Downloader.JS.Gumblar.af
    2013-02-22 01:31:22 http://prochile.be/js_slideshow/index1.html 93A65127DC8D41D4B24E98278EC0F7D1 BE JS/TrojanDownloader.Pegel.BH trojan
    2013-02-22 01:31:22 http://prochile.be/js_slideshow/js/behaviour.js 4DDCBCB1B4ED20674859AA840D125B83 BE JS/TrojanDownloader.Pegel.BO trojan
    2013-02-22 01:31:22 http://prochile.be/js_slideshow/index3.html 96DEEF63634E334FC1AD2CD8BFA99CC7 BE JS/TrojanDownloader.Pegel.BH trojan
    2013-02-22 01:30:49 http://prochile.be/js_slideshow/js/slideshow1.js B60BC640778327E992056536E4A45939 BE JS.Redirector.based.2

    infections at Telenet

    Safe Browsing

    Diagnostische pagina voor AS6848 (Telenet Operaties N.V.)

    Wat gebeurde er toen Google sites bezocht die in dit netwerk werden gehost?

    Van de 3437 site(s) die we in de afgelopen 90 dagen in dit netwerk hebben getest, leverde(n) 291 site(s), waaronder bijvoorbeeld pia.be/, users.telenet.be/meeussenjohan/, groupverbaet.be/, inhoud die resulteerde in het downloaden en installeren van schadelijke software zonder toestemming van de gebruiker.

    Google heeft het laatst een site in dit netwerk getest op 2013-02-22 en verdachte inhoud is het laatst aangetroffen op 2013-02-22.

    Heeft dit netwerk sites gehost die functioneren als tussenstadium voor verdere distributie van malware?

    In de afgelopen 90 dagen hebben we in dit netwerk 27 site(s) aangetroffen, waaronder bijvoorbeeld retoucheatelier.be/, cresens.be/, life-plan.be/, die leken te functioneren als tussenstadium voor het infecteren van 25 andere site(s), waaronder bijvoorbeeld search-belgium.com/, dirkhofman.be/, zeilen.nl/.

    Heeft dit netwerk sites gehost die malware hebben gedistribueerd?

    Ja, dit netwerk heeft in de afgelopen 90 dagen sites gehost die schadelijke software hebben gedistribueerd. We hebben 41 site(s) aangetroffen, waaronder bijvoorbeeld retoucheatelier.be/, cresens.be/, users.telenet.be/janoyens/, die 43 andere site(s) hebben geïnfecteerd, waaronder bijvoorbeeld search-belgium.com/, users.pandora.be/janoyens/, zoekeensop.be/.

    and Belgacom

    Wat gebeurde er toen Google sites bezocht die in dit netwerk werden gehost?

    Van de 3834 site(s) die we in de afgelopen 90 dagen in dit netwerk hebben getest, leverde(n) 238 site(s), waaronder bijvoorbeeld users.skynet.be/bs600635/, schoonbroodt.com/, users.skynet.be/esperanzapatrofriends/, inhoud die resulteerde in het downloaden en installeren van schadelijke software zonder toestemming van de gebruiker.

    Google heeft het laatst een site in dit netwerk getest op 2013-02-22 en verdachte inhoud is het laatst aangetroffen op 2013-02-21.

    Heeft dit netwerk sites gehost die functioneren als tussenstadium voor verdere distributie van malware?

    In de afgelopen 90 dagen hebben we in dit netwerk 27 site(s) aangetroffen, waaronder bijvoorbeeld users.skynet.be/fb919329/, users.skynet.be/sb131406/, users.skynet.be/marctapage/, die leken te functioneren als tussenstadium voor het infecteren van 48 andere site(s), waaronder bijvoorbeeld mediawatchers.be/, zangtalent.be/, firstmusic.be/.

    Heeft dit netwerk sites gehost die malware hebben gedistribueerd?

    Ja, dit netwerk heeft in de afgelopen 90 dagen sites gehost die schadelijke software hebben gedistribueerd. We hebben 54 site(s) aangetroffen, waaronder bijvoorbeeld users.skynet.be/bs600635/, users.skynet.be/sb131406/, users.skynet.be/marctapage/, die 74 andere site(s) hebben geïnfecteerd, waaronder bijvoorbeeld beweeg.info/, circodans.be/, campings-international.com/.

  • the story behind the hacking of the agency responsable for checking the security of our nucleair powerstations


    Bel V, is a subsidiary of the FANC (Federal Agency for Nuclear Control) and has since April 14th  2008 taken over the regulatory controls in nuclear installations formerly carried out by the Authorized Inspection Organization AVN. The FANC is the competent authority in the field of nuclear applications. It relies on the technical expertise of its subsidiary Bel V for carrying out inspections in nuclear power plants and other nuclear installations in Belgium (hospitals, universities, radiological installations,…).
    Bel V :
    • acts as expert for the safety assessments of nuclear projects
    • participates actively in meetings and working groups that are organized in the framework of international organizations (EC – OECD – IAEA)
    • exchanges information and experience feedback with Belgian and foreign colleagues
    • contributes to the emergency plans called in for nuclear accidents.

    they have a website that was built in 2008 with a php version that dated from 2007

    Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8h mod_autoindex_color PHP/5.2.6

    and just as any other website that has such vulnerable website they were defaced on thursday

    http://welcome.belv.be/x.txt  (disappeared now it seems)

    with a login pop-up which gave all the technical details of the server if you clicked on cancel

    it was discovered by zone-h.org http://www.zone-h.org/mirror/id/18824116 (but the server is having problems right now)

    and than began a very long process of trying to warn to those people to get them to respond to this situation and to do the necessary thing

    we phoned and mailed the cert thursday and friday who said that they had alerted them and asked them to do the necessary but profound securisation but friday it became clear during friday that

    * the page with the hack stayed online

    * the only update at 15h was to a php version that was as vulnerable as the first on
    02/22/13 15:40:32
    Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.8

    so than we got really angry and contacted the federal minister responsable and the federal crisis center and mailed them all the information that was necessary to get something changed before the weekend because everybody knows that weekends are the most dangerous periods - as most people are on holiday not watching over websites and networks

    but now we see at this evening some first necessary things have been done

    Server:Apache/1.3.34 (Ubuntu) mod_vhost_online/1.2 mod_fastcgi/2.4.2 mod_log_online/0.1X-Powered-By:PHP/4.4.9-1.standardSet-Cookie:44b92d8f8b40c0de7e6fc0afde54fbe9=-; path=/Set-Cookie:lang=deleted; expires=Thursday, 23-Feb-12 20:55:31 GMT; path=/

    and that the hacked page has disappeared

    but as a conclusion

    in times of indirect cyberspionage and informationtargeting sites as these should understand that the whole of their webinfrastructure should be secure because unsecure websites like these could be used to intercept information (from unsecured webforms) to infect undercover visitors and administrators or to install backdoors and sleeping accounts that can be activated at any moment

    am I paranoid

    maybe, but it is still the controlagency for the nucleair industry

    it also seems that the vulnerable part of the website with the login has been taken down

    I hope that they will now recognize that they are very interesting targets and shouldn't be so vulnerable

    so with this I can end my day :)

  • when high security environments need to protect their printers and voipphones



    security should be incorporated into the firmware, in fact the firmware should have been built in a more secure way from the start - but untill that happens, there is this solution

  • new securityframeworks is for people who want to talk, not to change things

    IF businesses were serious about critical infrastructure protection, then they would already be making sweeping changes. Unfortunately, it seems clear that either IT risk isn’t being adequately factored into operational risk analyses, OR… maybe the asserted risk levels really aren’t there. In either case, what is clear is that these businesses have not been properly incentivized to make necessary changes (likely due to a fundamental human resistance to change – humans only change if they want to or they’re forced to do so due to trauma).


    Whatever the reasons, what’s clear here is that a) a meaningful framework will almost certainly take a year or more to write and enact, and b) it’s impact will be negligible at best unless there are major legal penalties for failing to change. If the US Government really wanted to get the ball moving here, then they would put in massive penalties (monetary and criminal) and give businesses 90 days to show a plan AND progress. Failing that, pull the trigger to demonstrate the seriousness of the situation. The alternative is waiting for a traumatic event to naturally occur, which is something we likely can’t afford to wait on. Instead, it seems far preferable to inflict a bit of trauma to shock the recalcitrant out of their staid ways.

    there is already enough written about frameworks

    implement them, work and shut up

    this is also for those Belgian security-experts who want to write best practices and frameworks again. Sorry guys but they are already all written or are being written (NIST , OWASP, ....) and maybe you could just translate them and change contact addresses and so on, but no we don't need more paperwork