except for heartbleed that is, but that is so fundamental that you could close down the whole shit if it wasn't in order
but for the rest ?
the situation last year looked as if there was still some work to do after the Rex Mundi break in http://belsec.skynetblogs.be/archive/2013/01/25/rex-mundi...
and there still is if we do the same test with ssllabs.com today
but maybe they don't make enough money (except for their own salaries that is) or employ security or IT people who really don't know what they are talking about
and you know what is the most incredible thing
NO ONE IN BELGIUM IS RESPONSIBLE FOR ONLINE CREDIT AND FINANCE FIRMS
yes, you read it right
After this hack (and several others of similar firms) I went to the National Bank, which can control the IT security of banks, and they said that these firms were EXEMPTED from their controls and that the Minister of Economy was responsible
So I went to the Minister of Economy and had several meetings with members of his administration and they didn't find any legal ground - except if they were willing to interpret consumer protection in a very broad sense, but they thought they would be taking on responsibilities of the Privacy Commission for which they didn't have a mandate - and the Privacy Commission themselves
well I went to a meeting with the Privacy Commission and they get information from me from time to time and they are willing but they say they have neither the power nor the resources to do the controls they should do
so at the end
nobody is responsible for making sure that all those online credit and finance firms that are handling millions of euros and the financial information of an enormous number of people and small businesses have the appropriate security so that this data and their money flows can't be stolen or hijacked
even if some of them are linked to real banks and even if some have become so big that they can have an impact on the sense of security of the general population and markets, or through which a financial institution can be brought down by a hack of their financial resources or data.
ps by the way, upgrading the security of your ssl certificate takes a day maximum
it can be that some consumers will have to upgrade their old browser but that is a good thing because that way you oblige them to secure themselves better
letting customers with totally outdated operating systems or without any security or with virus traffic coming out of their PCs at the same time as their connection with your financial services is for me like being an accomplice to the electronic theft that is bound to happen
and as there is nobody responsible for checking you there is also nobody that can and will say that you are doing a bad thing if you are securing your transactions and protecting your customers this way
this is from a website for the registration of Nepalese domain names
just a defacement but if you can deface a site there are probably other security problems that are just as important
The CEO of Domino Pizza said in a letter that they had encrypted and secured the passwords and that there was no way that Rex Mundi could have discovered them
in the two examples that were sent it was proven that the passwords were real (and too short) and that they could have been recovered
so what happened
well, they simply used MD5 to hash their passwords, but MD5 has been broken for years and shouldn't be used for anything other than giving a unique ID to a file (and even that is useless if high security is needed for the identification of files that are passing from one point to another)
it is a fake make-believe solution that would never have survived a real IT security review by a real IT security professional
it is of course possible that he could only reverse some of the MD5 hashed passwords and only used those (the ones with simple passwords - passwords should have at least 12 characters now) - but this still proves that an ever increasing number of MD5 passwords can be broken (online you will find sets of thousands of broken and still to be broken MD5 passwords)
it is high time for the CNIL and the Belgian Privacy Commission to make it illegal to use MD5 hashing for passwords and other personal or financial information because it is no protection at all (just like cars have to be inspected and some models can't go back on the road again)
well, the normal thing with Rex Mundi is that if there is no publication of data, then someone will have paid some money - possibly not the sum asked but something they agreed upon
It may even be that Pizza Domino is officially not aware that someone or some firm has paid and it may be that you will find nowhere in the accounts that they have paid but somewhere some bills will have increased by a certain sum over a certain period
the only proof that they have been paid - or that negotiations are in process by someone that some payment will be made - is that the data has not been published yet
officially Pizza Domino may say whatever it says and it may not even be a lie because it can be that nobody in Pizza Domino knows that an agreement has been found
there are even grey ITsec operators and firms who do this kind of shadowy job without contracts or trace for firms (which can also be illegal undercover jobs)
the reason they have probably paid - or are in the process of paying - is very simple
type Rex Mundi Domino Pizza hack into Google and you will find a long list of articles, and yesterday it hit Yahoo Finance and the article is now having a second life around the world, being translated by online news sites all over the world
for Domino Pizza it will now have a global impact and all its websites all over the world will be under heavy attack, so they have no choice but to close them down or to be 100% sure that there is absolutely no possibility that anyone can get the data (do not believe the word of a developer or hoster but only that of a real professional penetration tester)
if there is an invasion it will be this night or tomorrow morning
but they may also await the Ukrainian offensive tomorrow and decide to intervene at some point
and this will bring the whole crisis to a totally new level of increasing tensions
they have been training and planning this for months so they can in fact go in immediately
if Putin wants to save the militias he has no choice but to go in because the Ukr is said to have received the full orders and support to crush the last cities they hold - if he waits too long there will be nothing left to defend and no reason to intervene at any moment because there will be no army, no local 'democratic republics' or agitated demonstrations
he also needs to invade now if he wants to invade at all, that is before the Ukr army has more people trained and has new weapons, tanks and parts
what is different is that this time there are also engineering teams with the troops - like those necessary to lay bridges
this is from one of the persons who are actually a victim of his hack and have sworn to get to the bottom of this
well this is stupid if you put an email address as the main way in which you can contact them if you have any question
it is time for the CNIL and the Belgian Privacy Commission to investigate because the victims are now left out in the cold waiting for an answer
this doesn't surprise me a bit
it all sounded too simple
it is based upon one forged message that was used as propaganda
some just retweet the messages
others use the same picture but change the message
some just make sure it is retweeted to twitter accounts with high impact
that's pretty careless because they could have expected all those attacks
columns of Russian tanks are moving again to the border
Ukr troops and National Guard are moving to the last cities held by the Russian militias
Nato declared Russia an enemy today
the US has sent two stealth bombers to Eastern Europe for the first time since the fall of the Berlin Wall
tomorrow is also the day that Russia says it would cut the gas to Ukraine
this comment says it all
In fact this says that the goal was to grab the provinces or make them semi-independent (look at the Sudeten crisis in 1938; Ukrainians should study this crisis in every possible detail to understand what is happening and not make the same mistakes during federalisation) so Ukraine could be undermined and destabilised forever (and that is where the support of the local crime syndicates and industrialists comes from)
but the longer the battle seems to endure, the more support the militias lose amongst their 'own' population and the more unpopular Russia (and its culture and language and everything Russian) becomes; the more federalisation looks like surrender which won't solve the question in the long term, because it looks more and more like something artificial at best and not like real independence or autonomy, and the more the population as a whole is becoming ever more united
Putin has not only done more for NATO and for defenders of an even closer relationship with the US - rather than looking east to Russia - than anyone could imagine. He is also the real father now of Ukrainian nationalism - even more than a football championship.
the longer this endures, the more Russia will be facing a unified Ukrainian society that is not only unified in a newly discovered and cherished culture and history but also in its hatred of Russia and all those that are failing to condemn it, help or support it and failed to help them when it was needed
they are all more or less on their own, so this battle makes them even more proud because they are now accomplishing the impossible, something that no consultant or diplomat thought was possible several months ago. There is still one Ukraine, the military grabbing has stopped, the Russian troops are not crossing the border, a moderate president has been elected
Monday an offensive will start and the Ukr government has asked all civilians to leave the areas that are still occupied by the militias. The Europeans are in fact asking the government not to, but the Ukr government has no choice, and how would each of those governments react if in their own country a military plane were shot down with military material from a neighbouring country
after the penetration of three Russian tanks with separatists protected by a Russian helicopter above them (together with missile launching pads)
after the downing of a Ukrainian plane with 49 soldiers who were killed
after the decision by the Ukr government that all civilians have to leave now within 36 hours the cities still occupied by the separatist militias
after the claim by Putin that Ukrainian troops have penetrated into Russian territory
we are back where we came from but now with an elected president - who now doesn't seem to be afraid to take decisions - while the rest of the world says that they are 'concerned'
what will happen if the embassy is attacked, burned ......
you can follow the demonstrations here https://www.youtube.com/watch?v=l4HeKFy2U8k
so we are back into the tension game again - only that meanwhile the militias have lost a lot of their credit of their popular support and didn't accomplish most of their military and political goals while the Ukr haven't used all their military power at their disposal to finish the occupation while the rest of the world is watching football
follow my twitter stream for more news
and to follow my resources, follow my twitter list about Ukraine
this is the letter that was sent
and the second part
so they were hacked on the 9th of June
they say that they have resolved the problem
and all the rest is blablablabla - maybe the Privacy Commission or the CNIL should investigate
if they are still using the same technology everywhere, then all the other Domino Pizza websites may also be hackable
it doesn't show a culture of security
First they have confirmed now that they have been breached and although they say that they had secured the data of the users, they said that the protection has been broken (well if it was protection they surely didn't protect it sufficiently)
Secondly they have a really stupid security policy for protecting their passwords, because this was sent to me by a user
"After I realized I couldn't even order my damn pizza the way I wanted to, I wasn't able to delete my account...
Therefore, I changed my password to the most basic thing. Luckily I don't use this password anywhere else. I hope they don't have the old password stored somewhere else."
which proves that their passwords were stored in CLEARTEXT
thirdly we are talking about PROFILES with real names, real addresses and so on, so this is in fact much more dangerous
and if it is so that the firm won't pay, will they pay for all the costs to change email addresses, phone numbers and possibly the addresses - imagine that there are addresses of judges, policemen and other people in it who have a protected address which shouldn't be published anywhere without their consent (this was the case in the 1 million SNCB data leak)
they have sent an email to all their clients but have they shut down their services
and they didn't mention anything about that on their site
I don't think they can have resecured their site that fast, or they must have made such a stupid mistake that it was possible to correct it immediately, and if that was the case, then they were negligent
we knew it before and tried to contact the different responsible services in Belgium
they wanted money before today
but Rex Mundi will probably have remembered that you never get anything done on a Friday with that kind of possible impact - except if you have a kind of cyber emergency management service that can coordinate those kinds of operations
this is the information that he has
Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones. That's over six hundred thousand records, which include the customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).
We immediately sent various emails to both Domino's Pizza France and Belgium. We also used the contact forms on their websites to let them know of this vulnerability and to offer them not to release this data in exchange for 30,000 Euros.
So far, Domino's Pizza has not replied to our demands. We would also like to point out that both of their websites are still up and vulnerable.
Domino's Pizza has until Monday at 8PM CET to pay us. If they do not do so, we will post the entirety of the data in our possession on the Internet.
published somewhere online
Sample data from the French website:
First name/Last name/Address/City/Telephone Nr/Email address/Password
Sample data from the Belgian site:
First name/Last name/Address/City/Telephone Nr/Email address/Password
we can confirm that those data are correct but we have decided to retire the data because the people are being harassed by press and jokers, so this promises for Monday............
Three important things
* this is the beginning of a perfect profile with which you can collect a lot more information online, with which you can do a lot of things because all security questions will be bypassed (and with VOIP even your phone number)
if it is combined with other information then it can become even better
* too many people use the same passwords all over the web (and for really important services passwords are in fact dead because only two-factor authentication can prove that you are the person you say you are)
* it proves once again that websites
* should not ask for information they don't need (date of birth for example)
* shouldn't keep information longer than they need to and should destroy inactive data every x days, weeks or months
* should ask people every x months to change their passwords and block those who don't after x days or weeks
* it proves for people that
* they should never fill in correct data that they don't need to do business with you (my date of birth is different for every website that asks me)
* they should never use the same passwords for important services and should use garbage passwords for other services
* you should never expect that things on the internet are safe, most of the time they are not (the technique he is using is not that complicated and it says more about the insecurity of the sites than about his skills, and yes it is quite easy and standard to protect your websites and databases against those attacks and leaks)
and yes Rex Mundi is being traced and tracked and hunted down by police services of all the countries where he did some hacking and everybody is waiting for him to make his first mistake
it will be interesting to know how the Privacy Commission will react, given its new guidelines which oblige the operators of websites that have been compromised to inform their victims within 24 hours
Microsoft, one of the world’s largest e-mail providers, is resisting a government search warrant to compel the firm to turn over customer data held in a server located overseas.
In what could be a landmark case, the Redmond, Wash., company is arguing that such a warrant is not justified by law or the Constitution. Microsoft and other tech firms also fear that if the government prevails and can reach across borders, foreign individuals and businesses will flee to their non-U.S. competitors.
The materials sought by the government are e-mails held in a Microsoft data center in Ireland and connected to a drug-trafficking investigation.
it isn't the best case to win because nobody will have much sympathy for a drugs case; if one wants to have the big principled fight about principles it is better to choose a better fight
even if they win the case, they will lose some sympathy
so let's finish off with three things that we have been accepting as the undisputed truth for too long
* that merely because a product is open source it is more secure, because they suppose without any proof that many people are really working on and looking at the code to make it safer (in most cases they are just adding code and functions without even thinking about security, with the end result that masses of new vulnerabilities are added to the core code, as in Joomla and WordPress)
there is no proof for that, so that dogma should now be sent to the dustbin
code is secure because it has been tested by different means and doesn't have any bugs or exploitable vulnerabilities after all the tests have been tried
* that merely because many people use an open source product it is more secure, because they suppose that all those people are testing the code or are reporting bugs and problems - in most cases they don't and they just piggyback on the product being free without ever giving something back
* that because of those two reasons open source products don't need security officials, security communication procedures and websites and best practices. They don't need penetration testing and they don't need certification of secure installations and permanent, quick, nearly automatic patching channels.
this makes them even more insecure because, as with OpenSSL, if there is a big security issue - which also gets other attackers interested in searching for other exploitable bugs, because if there is one there will be more of them - they are not prepared to inform their communities quickly of the problem and organize a quick response and follow up on the consequences and possible mistakes in these patches
I like open source but when I install open source I also recruit an open source platform manager who will be responsible for keeping the platform secure and patched and who makes sure that all the different applications are installed following the best practices, documentation and inspection of the code