05/14/2014

ALERT: STILL ON XP? REPLACE Internet Explorer with Firefox NOW (not later)

As we have seen in Microsoft's announcement of the May security patches, there are

NO SECURITY PATCHES FOR XP (they meant it when they said they would leave several million PCs without security patches; maybe someone should sue them for that)

There are of course several things you can do yourself.

First of all, ditch Internet Explorer and use Firefox (we don't like Chrome for several reasons, and Apple's Safari is a total disaster security-wise).

With Firefox you activate the automatic updates, and you can install a whole series of add-ons to block adware and scripts, protect your privacy and so on (everyone has their favourites):

https://support.mozilla.org/en-US/products/firefox/privac...

https://support.mozilla.org/en-US/products/firefox/custom...

And if you have a proxy on your network or a firewall on your PC, then never let Internet Explorer on XP reach the internet again (in the free zonealarm.com firewall this is done with the application control).

5 rules to keep your XP safer

1. Always install the latest versions of Adobe products, Flash and all other software updates that are still available (use the free secunia.com tool for that).

2. Never let Internet Explorer or Office 2003 on the internet.

3. Install a firewall (ZoneAlarm), a free antivirus (for example AVG or Avast) and the Spybot Search & Destroy security tool (safer-networking.org).

4. Do not surf to porn sites and don't use IRC or P2P on your XP machine, as you will be too vulnerable in those dangerous environments.

5. Do not click without thinking (for example, keep your email online instead of downloading it) and be very careful with downloads (for example, download into a folder on which you have set a password, or zip the files afterwards with a password, so they can't start doing things on their own).
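Rule 2 is the one a proxy can enforce for the whole network rather than per PC. The following is an added example (not code from the original post) of the decision a proxy would make from the HTTP User-Agent header: refuse Internet Explorer on Windows XP, let Firefox on the same XP machine through, and leave IE on newer Windows alone. The sample User-Agent strings are constructed for illustration; the only assumption is that the proxy can see the header.

```python
"""Added example (not from the original post): deciding, from the HTTP
User-Agent header, whether a request comes from Internet Explorer on
Windows XP, which is what rule 2 above asks a proxy to refuse.

Assumption (not stated on the page): the proxy exposes the User-Agent
string. The sample strings below are constructed for illustration."""
import re

# Windows XP reports itself as "Windows NT 5.1"; XP x64 reports "Windows NT 5.2"
# (a token it shares with Windows Server 2003, so 5.2 is over-inclusive).
_XP_TOKEN = re.compile(r"Windows NT 5\.[12]")
# Classic IE (IE 6, 7 and 8 are the only IE versions that run on XP) says "MSIE x.y".
_MSIE_TOKEN = re.compile(r"MSIE (\d+)\.")


def is_ie_on_xp(user_agent: str) -> bool:
    """True when the UA claims Internet Explorer on XP (or Server 2003 x64)."""
    if not _XP_TOKEN.search(user_agent):
        return False
    return _MSIE_TOKEN.search(user_agent) is not None


def proxy_decision(user_agent: str) -> str:
    """Mirror of a proxy ACL: 'deny' for IE on XP, 'allow' for everything else.

    The User-Agent is client-supplied, so this enforces policy for honest
    browsers; it is not a boundary against malware that spoofs the header."""
    return "deny" if is_ie_on_xp(user_agent) else "allow"


# Constructed sample requests (illustrative strings, not captured traffic).
SAMPLE_USER_AGENTS = {
    "ie8_xp": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "ie6_xp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "firefox_xp": "Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0",
    "ie11_win7": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "ie10_win8": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
}


def decide_all(samples=SAMPLE_USER_AGENTS) -> dict:
    """Apply the policy to every sample; returns name -> 'allow'/'deny'."""
    return {name: proxy_decision(ua) for name, ua in samples.items()}


if __name__ == "__main__":
    for name, verdict in decide_all().items():
        print(f"{verdict:5s} {name}: {SAMPLE_USER_AGENTS[name]}")
```

The same two patterns can be put into the proxy's own User-Agent ACL (in Squid that is a `browser` regex ACL); on a PC without a proxy, the per-application firewall rule mentioned above does the equivalent job.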

In any case, if you are thinking about what you would like for Christmas, think about a new PC or laptop (forget the tablets: they are as expensive as a good laptop, and a tablet is so minimal that you will get bored with it after a while).

Permalink | |  Print |  Facebook | | | | Pin it! |

This is why the CIA could inform Belgium that its Ministry of Foreign Affairs was breached again

According to some reports, it sounds as if the CIA informed our country that there was a serious problem.

There are a few reasons why the US saw it before we found out ourselves:

* they have had attacks and infections with Snake versions for a few years and know the tool all too well by now

* the CIA could have gotten the information from the NSA, with which it works closely

* the CIA is on the ground in Ukraine, where an attack with the same tool infected a whole series of government networks

So the problem is not that the CIA and NSA are spying on or monitoring the networks; it is that they are doing this on the wrong basis, which is not acceptable. As we are nearing Cold War 2.0, it becomes urgent to correct this before we are in warlike mindsets and some people want to start spying on everything for fear of the great Russian invasion or a fifth column.

They should limit it to their goals and to our security, not to knowing what each of us is doing online at any given time.


In general, new viruses are very seldom detected immediately.

So waiting some time instead of immediately downloading that new file is not as stupid as it sounds.

Or put it in a folder on your desktop with a password on it, so that it can't install itself on the disk without your knowledge.

This is an example of the detection of a new virus file by a specialist site (which checks with virustotal.com):

http://malwaredb.malekal.com/


Sometimes very few antiviruses protect against Snake, Uroburos etc. files

virustotal.com

Some of the infection packages are now quite well detected, like this one:

hash: https://www.virustotal.com/en/file/bf1cfc65b78f5222d35dc3bd2f0a87c9798bce5a48348649dd271ce395656341/analysis/

but when the file was launched 3 years ago, nearly no AV detected it as a virus/trojan.

source of the picture above: http://blog.cylance.com/infinity-vs-the-real-world-uroburos

This is the driver's signature (which is NOT checked, because that check is bypassed through a vulnerability).

But then we take another package in which the same file was found:

https://www.virustotal.com/en/file/897e301665cc4749c905be38e1f10653a6d29653a639e49f01543d83c23bbb2f/analysis/

and another one, even worse:

https://www.virustotal.com/en/file/aaeb9d2903047fdacf7102b2084711b725d1b497273b6ab7dfc7c3e2b1bc4ce9/analysis/

and the same for another infection package, in a zip:

https://www.virustotal.com/en/file/c8a468ea53d46829aed0c4852923a6f33e12cfbb4b813183fcac6afce1add2d8/analysis/

and

https://www.virustotal.com/en/file/e2709a57d4feaa999ede964a7295d7c9a76a1f711026f2ef988c42e6661943c5/analysis/

It means that nearly two weeks ago, when those packages were launched (during the Ukrainian crisis, by the way), they were not detected by most of the antiviruses and computers could be infected (given the other necessary circumstances).

This does not mean that those antiviruses have not since added this infection to their signature databases.

But before you start thinking that F-Prot and Fortinet are going to protect you against all the variants of Snake, you will have to look at the following file as it was when it was discovered in the wild:

https://www.virustotal.com/en/file/33460a8f849550267910b7893f0867afe55a5a24452d538f796d9674e629acc4/analysis/

Other samples:

https://www.virustotal.com/en/file/6adf258bda09f0863eb6f1bea73c9b419add7cac7ed1149edaa08a65b2d5564f/analysis/ 45/50

And the signature of the file (not checked) is interesting.

Maybe it is time for Microsoft to update its signature policy so that file signatures have to date from, say, at least 2012 or something like that.

By updating the signature requirements, one could declare that everything older is buggy and not to be trusted.

https://www.virustotal.com/en/file/ecfed4163f7058856e1d253a29d06d808c069670e4a06cad66f42e71cbc83a2e/analysis/ 44/51, Microsoft signature

And so there are hundreds of these files running around.
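The two posts above ("waiting some time instead of downloading immediately" and the 45/50 and 44/51 detection ratios) come down to one check a practitioner would script: hash the downloaded file the way VirusTotal identifies it, read the detection ratio, and treat a low ratio on a fresh or unknown sample as "wait", not as "clean". The following is an added example, not code from the original posts. It assumes a report in the layout of the public VirusTotal v2 JSON (fields "response_code", "positives", "total", "scan_date"); the reports below are constructed, with only the ratios and SHA-256 values taken from the posts above and the scan dates made up, and it does no network lookup itself.

```python
"""Added example (not from the original posts): hashing a file the way
VirusTotal keys its reports, reading the detection ratio from a
VirusTotal-style report and turning it into a wait/block/allow decision.

Assumptions (not on the page): the v2 JSON field names below; the REPORTS
table is constructed, only the ratios 45/50 and 44/51 and the two SHA-256
values come from the posts above, the scan dates are made up."""
import hashlib
from datetime import date, datetime

# Constructed file content standing in for a downloaded executable.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample, not real malware"

# Constructed v2-style reports keyed by SHA-256 (response_code 0 = unknown to VT).
REPORTS = {
    "6adf258bda09f0863eb6f1bea73c9b419add7cac7ed1149edaa08a65b2d5564f":
        {"response_code": 1, "positives": 45, "total": 50, "scan_date": "2014-05-14 09:00:00"},
    "ecfed4163f7058856e1d253a29d06d808c069670e4a06cad66f42e71cbc83a2e":
        {"response_code": 1, "positives": 44, "total": 51, "scan_date": "2014-05-14 09:00:00"},
    # a hypothetical sample seen today by only one engine (made-up hash)
    "00" * 32:
        {"response_code": 1, "positives": 1, "total": 50, "scan_date": "2014-05-14 09:00:00"},
    # a hypothetical sample with zero hits, but last scanned six weeks ago (made-up hash)
    "11" * 32:
        {"response_code": 1, "positives": 0, "total": 50, "scan_date": "2014-04-01 00:00:00"},
}


def sha256_hex(data: bytes) -> str:
    """VirusTotal identifies files by SHA-256 (the long hex in the URLs above)."""
    return hashlib.sha256(data).hexdigest()


def detection_ratio(report: dict):
    """(positives, total) from a v2-style report; (0, 0) when VT never saw the file."""
    if report.get("response_code", 1) == 0:
        return 0, 0
    return int(report.get("positives", 0)), int(report.get("total", 0))


def verdict(report: dict, today: date, min_engines: int = 3, max_age_days: int = 14) -> str:
    """'block' if several engines flag it; 'wait' if VT never saw it or only a
    few engines flag it (the fresh-sample case made above); 'rescan' if the
    only clean report is older than max_age_days; otherwise 'clean-so-far'."""
    positives, total = detection_ratio(report)
    if total == 0:
        return "wait"            # unknown to VT: no information, not a clean bill
    if positives >= min_engines:
        return "block"
    if positives > 0:
        return "wait"            # one or two hits on a young sample: engines are catching up
    scanned = datetime.strptime(report["scan_date"], "%Y-%m-%d %H:%M:%S").date()
    if (today - scanned).days > max_age_days:
        return "rescan"          # a stale 0/50 says nothing about current signatures
    return "clean-so-far"


def triage(sha256: str, today: date, reports=REPORTS) -> str:
    """Look the hash up in the (constructed) report table and decide."""
    return verdict(reports.get(sha256, {"response_code": 0}), today)


if __name__ == "__main__":
    today = date(2014, 5, 14)
    for digest in list(REPORTS) + [sha256_hex(SAMPLE_BYTES)]:
        print(triage(digest, today), digest[:16], detection_ratio(REPORTS.get(digest, {"response_code": 0})))
```

Note that "clean-so-far" is the strongest positive statement the tool makes: a ratio is a snapshot of what the engines knew at scan_date, which is exactly why the packages above scored near zero when they were first launched.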


Updated: Snake espionage tool, 4 more important documents to read

Uroburos: Highly complex espionage software with Russian ...
https://public.gdatasoftware.com/.../GData_Uroburos_RedPaper_EN_v1....
"the malware's code and following an ancient symbol depicting a serpent or ... malware and the supposed spying techniques used by it, we assume that this ..."

Operation "Ke3chang": Targeted Attacks Against ... - FireEye
www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf
Sep 18, 2013 - "The worldwide deployment of espionage-focused malware has made this .... seems to make sense, because it relates to 360 Chinese anti-virus software. ... In 2011 a campaign, labeled 'snake' by the attackers, started using the theme of nude ..." (NOTE: this uses more or less the same techniques and strategies)

20140312 Kaspersky Lab press release: How Turla and ...
newsroom.kaspersky.eu/.../20140312Kaspersky_Lab_Press-release_How...
Mar 12, 2014 - "espionage operation codenamed Turla (also referred to as Snake or Uroburos). ... Kaspersky Lab first became aware of the Turla cyber espionage campaign in ..."

The abuse of free DNS services by the Snake espionage tool

These free DNS services give you the possibility to host different domains on a server or PC and to use their DNS service or redirect service.

And if you want to block the service no-ip.com, then you have to block the following domains

(len is my test name, so len.ddns.me should become *.ddns.me)

Of course most of the domains that used no-ip.com are gone or blocked, but they will need more proactive monitoring and automatic checks against URL blocklists, so that they automatically receive reports about those abusing their services.

Otherwise other snakes will bite them.

The other ones they have used are these:


It makes it easy to get the domains off the web, if those services have permanent and fast security teams, but it makes it a cat-and-mouse game.

In the versions discussed here it seems that some of the subdomains are hardcoded, which is silly (and stupid) as the domains are gone, but which means that putting those domains in a list and running it through your internet-connection logs to find any trace may be an interesting indicator (but not an absolute one).

We can presume that in future they will be able to change that.
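What "putting those domains in a list and running it through your logs" looks like in practice, as an added example (not code from the original post): two kinds of indicator, the exact hardcoded hostnames (the post's test name len.ddns.me stands in for them) and whole dynamic-DNS zones so that len.ddns.me becomes *.ddns.me, matched on label boundaries against the host of every proxy log line. The log lines are constructed Squid-style access.log entries; ddns.me comes from the post, and the other two zones are assumptions standing in for the provider's own list, which you should take from no-ip.com itself.

```python
"""Added example (not from the original post): hunting proxy logs for
hardcoded dynamic-DNS names, both as exact hostnames and as whole zones.

Assumptions (not on the page): Squid native access.log layout for the
constructed sample lines; no-ip.org and hopto.org are assumed further no-ip
zones, ddns.me is the one named in the post."""
from urllib.parse import urlsplit

DYNDNS_ZONES = {"ddns.me", "no-ip.org", "hopto.org"}   # match as *.zone
KNOWN_C2_HOSTS = {"len.ddns.me"}                        # exact hardcoded names

# Constructed Squid access.log lines (not real traffic):
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_LOG = """\
1399990001.123     45 10.0.0.5 TCP_MISS/200 512 GET http://len.ddns.me/update.php - DIRECT/203.0.113.7 text/html
1399990002.456    120 10.0.0.8 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1399990003.789     30 10.0.0.9 TCP_MISS/200 300 GET http://backup.hopto.org:8080/c - DIRECT/198.51.100.4 text/plain
1399990004.000     31 10.0.0.5 TCP_MISS/200 300 GET http://notddns.me/page - DIRECT/198.51.100.9 text/html
1399990005.000   5000 10.0.0.7 TCP_TUNNEL/200 9000 CONNECT evil.no-ip.org:443 - DIRECT/198.51.100.10 -
"""


def hostname_of(url_field: str) -> str:
    """Host part of the log's URL column; CONNECT lines carry 'host:port' only."""
    if "://" in url_field:
        host = urlsplit(url_field).hostname
    else:
        host = url_field.rsplit(":", 1)[0]
    return (host or "").lower().rstrip(".")


def in_zone(host: str, zone: str) -> bool:
    """Label-boundary suffix match: notddns.me must not match ddns.me."""
    return host == zone or host.endswith("." + zone)


def classify(host: str, zones=DYNDNS_ZONES, c2_hosts=KNOWN_C2_HOSTS):
    """'known-c2' for an exact indicator, 'dyndns:<zone>' for a zone hit, else None."""
    if host in c2_hosts:
        return "known-c2"
    for zone in zones:
        if in_zone(host, zone):
            return "dyndns:" + zone
    return None


def hunt(log_text: str, zones=DYNDNS_ZONES, c2_hosts=KNOWN_C2_HOSTS):
    """Return (timestamp, client, host, reason) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                      # malformed or truncated line
        ts, client, url = fields[0], fields[2], fields[6]
        reason = classify(hostname_of(url), zones, c2_hosts)
        if reason:
            hits.append((ts, client, hostname_of(url), reason))
    return hits


if __name__ == "__main__":
    for ts, client, host, reason in hunt(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}  [{reason}]")
```

A "known-c2" hit is worth an immediate look at that client; a "dyndns:" hit is the weaker indicator the post describes, since legitimate users also run home servers on these zones, so it needs triage rather than an automatic block.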

But it also means that the firms in question should not just block the domain and make it available again after a few weeks, months or years, because we have seen with other botnet infections at dns.be that even when the domains were released for sale three years later, they were immediately re-bought by the operators (to the astonishment of DNS.be). To me that was logical: as they had hardcoded the domain name in the botnet, they would, at the low price of a domain name and some hosting, recover maybe some computers that were never cleaned (don't be surprised, because this is still very much the case in many networks).

You could of course decide to ask your web filter company to include a category for such free hosting and free DNS services, so that you can block them and limit the risks.

Some free DNS and redirection services have lately closed their doors or changed course into professional services for companies, because the workload from all the criminal activity was becoming too big to bear.


The new Microsoft security updates are a MUST to install (attacks likely)

In the columns below, "Latest Software Release" refers to the subject software, and "Older Software Releases" refers to all older, supported releases of the subject software, as listed in the "Affected Software" and "Non-Affected Software" tables in the bulletin.

Bulletin ID | Vulnerability Title | CVE ID | Exploitability, latest software release | Exploitability, older software releases | Denial of service exploitability
MS14-021 (released out-of-band on May 1, 2014) | Internet Explorer Memory Corruption Vulnerability | CVE-2014-1776 | 1 - Exploit code likely | 1 - Exploit code likely | Not applicable
MS14-022 | SharePoint Page Content Vulnerability | CVE-2014-0251 | 1 - Exploit code likely | 1 - Exploit code likely | Not applicable
MS14-022 | SharePoint XSS Vulnerability | CVE-2014-1754 | 1 - Exploit code likely | Not affected | Not applicable
MS14-022 | Web Applications Page Content Vulnerability | CVE-2014-1813 | Not affected | 3 - Exploit code unlikely | Temporary
MS14-023 | Microsoft Office Chinese Grammar Checking Vulnerability | CVE-2014-1756 | 1 - Exploit code likely | 1 - Exploit code likely | Not applicable
MS14-023 | Token Reuse Vulnerability | CVE-2014-1808 | 3 - Exploit code unlikely | 3 - Exploit code unlikely | Not applicable
MS14-024 | MSCOMCTL ASLR Vulnerability | CVE-2014-1809 | Not applicable | Not applicable | Not applicable
MS14-025 | Group Policy Preferences Password Elevation of Privilege Vulnerability | CVE-2014-1812 | 1 - Exploit code likely | 1 - Exploit code likely | Not applicable
MS14-026 | TypeFilterLevel Vulnerability | CVE-2014-1806 | 1 - Exploit code likely | 1 - Exploit code likely | Not applicable
MS14-027 | Windows Shell File Association Vulnerability | CVE-2014-1807 | 1 - Exploit code likely | 1 - Exploit code likely | Not applicable
MS14-028 | iSCSI Target Remote Denial of Service Vulnerability | CVE-2014-0255 | 3 - Exploit code unlikely | 3 - Exploit code unlikely | Temporary
MS14-028 | iSCSI Target Remote Denial of Service Vulnerability | CVE-2014-0256 | 3 - Exploit code unlikely | 3 - Exploit code unlikely | Temporary
MS14-029 | Internet Explorer Memory Corruption Vulnerability | CVE-2014-0310 | 1 - Exploit code likely | 1 - Exploit code likely | Not applicable
MS14-029 | Internet Explorer Memory Corruption Vulnerability | CVE-2014-1815 | 1 - Exploit code likely | 1 - Exploit code likely |

Source:
https://technet.microsoft.com/library/security/ms14-may


Ex-Belgian porn producer fires back through Twitter with his backstage information

https://twitter.com/dennisburkas

He is now in prison, but his press attaché (does this man know that for some of these tweets there is a possibility that people can go to court for slander and lies and things like that? The fact that they haven't seems to imply some kind of guilt)

Just a few:

A major news editor of one of the two major TV news programmes took, during an earlier documentary (TV makers and press agencies were wildly enthusiastic to follow or report on this 'Belgian porn producer' of a 'new kind'), a lot of private pictures of an anal 'event' on stage.

How do you explain that? Deny... pfff... where there's smoke, there's fire.

This TV producer exchanged TV work for sex in the office.

You get the picture (and there are some pictures :)), although I think he is not putting the most important ones online (maybe in case he needs some money).

He is now in prison for four years for assaulting a 15-year-old minor.

How to get that offline and out of the digital memory is a totally different, much more complicated matter...


The Russian virus attack on the network of the Belgian Ministry of Foreign Affairs is an atom bomb

The big problem is that on the same network there are several other very secret services, or very important information that is highly classified.

For the moment it is the Ministry of Foreign Affairs that distributes the security clearances that were vetted by our internal intelligence service (why don't they keep that data on their own network? It would be safer).

In fact, as the virus is a P2P worm that spreads itself across the network, one has to assume that all secret information could be compromised unless you can prove 100% otherwise.

So unless one can prove 100% otherwise, all people with security clearances will need new ones or will need to be replaced.

This, and other kinds of information, shouldn't be on a network that has been hacked twice.

This is the atom bomb.

Imagine that all Belgians lose their security clearance, if it is with an international firm or organisation, because the organisation now considers the information or person compromised regardless of what the Belgian administration says (based on which forensic evidence? If there is any forensic evidence that can be accepted without doubt at all).

The one thing that is clear is that this information can no longer be on that network, for the security of everyone who needs a security clearance.


#NSA has a good collection of the info on Facebook

And they are quite proud of it.


#NSA picture of the modification of a not-yet-delivered computer

Well, your firm or organisation has bought a computer or several and is awaiting their delivery. The shipment is, without your knowledge (and that of the vendor in question), intercepted at the border and diverted to a special office where they place espionage tools in the computer so that you won't find them.

This is a picture of the installation:


#NSA closely following investments in and the state of international SCADA infrastructure

If it were partners' infrastructure, one could say that it was to warn them of certain dangers and to help secure their critical networks, but if this isn't the explicit goal there is a problem.

Targeting the electricity and gas networks of countries will hurt the civilian population and should for that reason be prohibited.


#NSA has Belgium and other countries as economic targets

This is against all international rules and against all the declarations made by officials in the last months that espionage shouldn't be used for purely economic advantage.

The reason the US gives for its economic spying is, first, to be sure that there is no corruption in international trade deals and, second, to be sure that there won't be a new international financial crisis about which they weren't informed long in advance (and so could take all the necessary precautions).


#NSA this is all the metadata your telephone gives away

Belgium will now buy unhackable telephones, whatever that is.


05/13/2014

#NSA Belgium has a focused cooperation with the NSA (privileged)

Look at the table.

First you have the five historical allies of the Second World War, who afterwards put together the Echelon cooperation, also called the Five Eyes (or ears), working very closely together.

Then you have a few countries in the second group with which there is a 'focused cooperation', whatever that means, but which is clearly not something that has been established with many countries.

But in the list of approved SIGINT partners, which is longer, Belgium is also mentioned.


#NSA has a backdoor in the encrypted Outlook.com webchat

An intelligence backdoor in encrypted services? What is more scary than that...

This definitely needs some follow-up...


#NSA now also collects stored communications from Skype

Logical.


#NSA now also collects data from SkyDrive with PRISM

What did you expect?


NSA has a partnership with 80 major IT and telecom firms

The file is top secret, so the cooperation is also top secret, so it is possible that very few people in the firm know about this partnership.

The same is for example the case in France, where people linked to the intelligence service work in telecommunication firms and have nearly no contact with their co-workers, nor fall under anyone's authority there.

And this will be the case all over the world, and management will say that they don't want to know (or someone working for them has made sure that they weren't officially informed, so they can pretend that they didn't know).


New NSA documents: global surveillance reached 1 trillion metadata records intercepted

http://glenngreenwald.net/pdf/NoPlaceToHide-Documents-Compressed.pdf

And they produced about 35 million tips, staggering numbers, because how do you handle 35 million tips? How do you analyse them, organise them, turn them into usable intelligence? 35 million tips (in fact filters to search for, so it becomes a self-feeding machine growing out of control).
