10/26/2014

the Fort Knox phone by Samsung can be broken, says security researcher

Samsung launched Knox, a "Fort Knox" hypersecure phone platform approved by the NSA, but according to security researchers its security is still lacking some fundamental features (full encryption) and makes some other mistakes. Some may think this is unfortunate, while others may suppose it is deliberate.

"Samsung really tried to hide the functionality to generate the key, following the security-by-obscurity rule. In the end it just uses the Android ID together with a hardcoded string and mixes them into the encryption key. I would have expected a different approach from a product called Knox:

  • The fact that they are persisting the key just for the password hint functionality compromises the security of that product completely. For such a product the password should never be stored on the device. There is no need for it, except if you forget your password. But then your data should be lost; otherwise it is not safe if there is some kind of recovery option.
Recommendation:
Instead of Samsung Knox, use the built-in Android encryption function and encrypt the whole device. Android uses a PBKDF2 function on the encryption password you choose and never persists it on the device. Obviously you can never access the data if you forget your password, but that's the point of good encryption."

http://mobilesecurityares.blogspot.co.uk/2014/10/why-sams...
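The difference the researcher points at, as an added example (not Samsung's or Android's code): a key derived only from data present on the device beside a key derived from the user's password with PBKDF2. The post says only that Knox mixes the Android ID with a hardcoded string; weak_key() uses SHA-256 over the concatenation as an illustrative stand-in, and HARDCODED_STRING and the Android ID value are made up.

```python
"""Key derivation: device-ID-plus-constant (the Knox scheme as described) vs PBKDF2.

Added example, not Samsung's or Android's code. The exact mixing Knox uses is
not given in the post, so weak_key() is an illustrative stand-in (SHA-256 over
the concatenation); HARDCODED_STRING and the Android ID below are invented.
"""
import hashlib
import hmac
import os

# Assumed constant (not the real Knox value); an attacker pulls it out of the APK.
HARDCODED_STRING = b"knox-example-constant"


def weak_key(android_id: str) -> bytes:
    """Derive the key only from data that is present on the device.

    The Android ID is readable by any app, the constant is in the code, so
    anyone with the device (or a backup of it) recomputes this key without
    knowing any password.
    """
    return hashlib.sha256(android_id.encode() + HARDCODED_STRING).digest()


def attacker_recovers_weak_key(android_id: str) -> bytes:
    """What an attacker does: read the Android ID, reuse the constant, done."""
    return weak_key(android_id)


def pbkdf2_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Password-based derivation: the key exists only while the user types it.

    A random per-device salt stops precomputation, the iteration count makes
    each guess expensive, and nothing that reproduces the key is persisted.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def demo() -> dict:
    """Run both schemes on constructed input and report what an attacker gets."""
    android_id = "9774d56d682e549c"          # constructed sample Android ID
    k_device = weak_key(android_id)
    salt = os.urandom(16)                    # stored next to the ciphertext; public
    k_user = pbkdf2_key("correct horse battery", salt)
    return {
        "weak_key_recovered_without_password": attacker_recovers_weak_key(android_id) == k_device,
        "wrong_password_yields_key": hmac.compare_digest(pbkdf2_key("wrong guess", salt), k_user),
        "salt_len": len(salt),
    }
```

The salt may be stored in the clear: it only exists so that two users with the same password get different keys and so that precomputed tables are useless. What must never be stored is the password or anything, like the Knox key above, that can be recomputed from stored material alone.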


Yahoo and Facebook propose a new email header that makes it possible to clean up member bases

source http://threatpost.com/facebook-yahoo-curb-identity-theft-with-new-email-ownership-header/109009

Until now nobody really wanted to clean up their member base and kill accounts that had been inactive for at least a year. The result is that an enormous number of email and other services carry an enormous number of accounts, sometimes with very attractive names, that are just dead ducks. The biggest obstacle to taking any action is the danger that if you release those accounts, whoever picks up an old address can get access to other services that authenticate through that email account (password resets, for instance).

This new header changes that. The sending service (a bank, a social network) puts in the header the date since which it has known the address to belong to its member, and the receiving mail provider compares that date with the date the mailbox was last (re)assigned: if the address changed hands after the sender's date, the message is not delivered to the new owner. It is not totally watertight, but it is a start.

It also gives numerous services a way to destroy accounts that have no business staying on their servers, and it limits the damage if they have a breach.
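The receiving side of that check, as an added example (not Facebook's or Yahoo's code). The post does not name the header; the example assumes the Require-Recipient-Valid-Since format the two companies published (address, semicolon, RFC 5322 date), and the mailbox ownership table is constructed sample data.

```python
"""Receiving-side check for a 'recipient valid since' header.

Added example; not Facebook's or Yahoo's code. The header name and format are
assumed (Require-Recipient-Valid-Since: <address>; <RFC 5322 date>), and the
ownership table is constructed sample data.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed sample: when the current owner of each mailbox took it over.
# A mailbox that never changed hands maps to the date it was created.
OWNER_SINCE = {
    "alice@example.net": datetime(2009, 3, 1, tzinfo=timezone.utc),
    "recycled@example.net": datetime(2014, 9, 15, tzinfo=timezone.utc),  # reassigned
}


def parse_rrvs(value: str) -> tuple:
    """Split '<addr>; <date>' into (addr, aware datetime); reject malformed values."""
    addr, sep, date_str = value.partition(";")
    if not sep or not addr.strip() or not date_str.strip():
        raise ValueError(f"malformed {HEADER} value: {value!r}")
    when = parsedate_to_datetime(date_str.strip())
    if when.tzinfo is None:                      # RFC 5322 '-0000' style
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def decide(value: str, owners=OWNER_SINCE) -> str:
    """Return 'deliver' or 'reject' for one message carrying the header.

    The sender says "I last confirmed this address with my member on <date>".
    If the mailbox was (re)assigned after that date, the person reading it now
    is not the member the sender knows, so a password reset or similar must
    not be delivered.  An unknown mailbox is rejected too (fail closed).
    """
    addr, confirmed_at = parse_rrvs(value)
    owner_since = owners.get(addr)
    if owner_since is None:
        return "reject"
    return "reject" if owner_since > confirmed_at else "deliver"
```

A sender that does not add the header gets today's behaviour; one that does gets protection only for the dates it is honest about, which is why the article calls it a start rather than a fix.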


ransomware spreading by SMS on Android phones

"Koler is a piece of malware that blackmails users of infected phones by blocking the screen with an intimidating fake law enforcement notification page and scares the victim into paying a “fine” to unlock their phone. This type of malware was first spotted in May this year blackmailing victims on Android devices. In July new reports suggested a new version that can also target PCs.

This time, though, we have detected a new strategy to spread the infection. In this new variant of Koler (Worm.Koler) we found that it is now capable of self-replication via SMS messages, containing a bit.ly URL, which are sent to contacts in the address book of an infected device. This appears to be an attempt by the malware writer to improve the infection rate over earlier versions, which relied on hiding the malware in porn sites.

The attack starts with the victim receiving an SMS message from the phone number of someone they know that states:

someone made a profile named -Luca Pelliciari- and he uploaded some of your photos! is that you? http://bit.ly/xxxxxx"
http://www.adaptivemobile.com/blog/koler-police-ransomwar...

Clicking on links in SMS messages, even from friends, is always stupid.

Surfing porn sites without all your protection on (antivirus, that is) is always stupid.


thetorproject.org is a fake Tor website, not the official one. Why?

Always go only to torproject.org, and only that website, for your downloads of the Tor Browser and so on.

This is the fake one; too obvious.
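The same look-alike trips up software that checks download hosts: a plain suffix test accepts thetorproject.org because it ends in torproject.org. Added example (not the Tor Project's code) with the naive check beside the correct one; torproject.org is the only allowed domain, as the post says, and the other URLs are constructed.

```python
"""Host allow-listing: the suffix-match bug vs. a label-boundary check.

Added example, not the Tor Project's code. ALLOWED is the domain the post
names; the sample URLs are constructed.
"""
from urllib.parse import urlsplit

ALLOWED = "torproject.org"


def host_of(url: str) -> str:
    """Return the lower-cased host of an http(s) URL (userinfo is dropped,
    so 'https://torproject.org@evil.example/' yields 'evil.example')."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname.lower().rstrip(".")


def naive_is_official(url: str) -> bool:
    """The common bug: a plain suffix test.  'thetorproject.org' ends with
    'torproject.org', so the look-alike passes."""
    return host_of(url).endswith(ALLOWED)


def is_official(url: str) -> bool:
    """Exact match on the allowed domain, or a dot (label boundary) before it."""
    host = host_of(url)
    return host == ALLOWED or host.endswith("." + ALLOWED)


def classify(urls) -> dict:
    """Map each URL to (naive verdict, correct verdict) to show where they differ."""
    return {u: (naive_is_official(u), is_official(u)) for u in urls}
```

The only safe comparison is on whole labels: either the registrable domain itself or a subdomain separated from it by a dot. Anything that compares string suffixes, or that parses the host out of the URL by hand instead of with the URL parser, will eventually accept a host the author never meant.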


10/25/2014

all vendors to financial services will have to have a totally secured IT environment in the US

"Nonetheless, the Treasury Department now plans to beef up oversight when it comes to outside vendors for financial institutions, including law firms, accounting and marketing firms and “even janitorial companies,” the Times said.

Another source said that New York State’s top financial regulator, Benjamin M. Lawsky, is mulling a new rule requiring banks to “obtain representations and warranties” from vendors about the adequacy of their cyber-security profiles. The Times said that Lawsky has already sent a letter on Tuesday to dozens of banks requesting that the firms provide “any policies and procedures governing relationships with third-party service providers.”

“It is abundantly clear that, in many respects,” Lawsky said in the letter, “a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.”
http://www.infosecurity-magazine.com/news/jpmorgan-hacker...

when the going gets tough, the tough get going

So when the hackers get past the tough defenses installed by the financial firms by hacking into the systems of the financial, IT and other firms that are connected to these financial services, the tough regulators get tough with every firm that wants to deliver services to the financial sector and connect to its network.

no more low-hanging fruit


GNU Binutils on Linux has a nine-year-old security problem that is finally getting some attention

"It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd. Other well-known utilities in that suite include objdump and readelf.

Perhaps simply by virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and "optimize" the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can hardly be described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking, say:

$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
...
$ strings strings-bfd-badptr2
Segmentation fault
...
strings[24479]: segfault at 4141416d ip 0807a4e7 sp bf80ca60 error 4 in strings[8048000+9a000]
...
      while (--n_elt != 0)
        if ((++idx)->shdr->bfd_section)                                ← Read from an attacker-controlled pointer
          elf_sec_group (idx->shdr->bfd_section) = shdr->bfd_section;  ← Write to an attacker-controlled pointer
...
(gdb) p idx->shdr
$1 = (Elf_Internal_Shdr *) 0x41414141

The 0x41414141 pointer being read and written by the code comes directly from that proof-of-concept file and can be freely modified by the attacker to try overwriting program control structures. Many Linux distributions ship strings without ASLR, making potential attacks easier and more reliable - a situation reminiscent of one of the recent bugs in bash. Interestingly, the problems with the utility aren't exactly new; Tavis spotted the first signs of trouble some nine years ago."
http://lcamtuf.blogspot.nl/2014/10/psa-dont-run-strings-o...

It looks like when you really start looking under the hood of Linux, there are problems hidden in the engine that nobody found serious enough to fix. Until a patched binutils reaches your distribution, run strings with -a (--all), which scans the raw bytes and never hands the file to libbfd, and treat any tool that parses untrusted executables through libbfd (objdump among them) as attack surface.

Meanwhile the propaganda that open source is more secure because the source is available and many people use it is just propaganda: it is not important how many people have looked at it or use it, it is important how many security people had how many resources and how much time to investigate the code, correct it and retest it.
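What the quoted loop is missing is a range check on an index read from the file before it is used to address the section table. Added example (not binutils or libbfd code): a bounds-checked walk of an ELF64 section header table, including the member indices of an SHT_GROUP section, run over an ELF image constructed in the block. The image is hand-built and is not the strings-bfd-badptr2 file from the post.

```python
"""Bounds-checked ELF64 section-header walk, including SHT_GROUP member indices.

Added example, not binutils/libbfd code. It shows the check the quoted loop
lacks: every section index read from the file (here, the members of a group
section) is validated against e_shnum before being used as an index. The ELF
image is constructed by build_image() and is not the file from the post.
"""
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 header, little-endian (64 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header (64 bytes)
SHT_GROUP = 17


class BadElf(ValueError):
    """Raised for anything that would otherwise become an out-of-bounds access."""


def section_headers(data: bytes) -> list:
    """Parse the section header table after range-checking it against the file."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise BadElf("not an ELF file")
    (ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(data)
    if ident[4] != 2 or ident[5] != 1:
        raise BadElf("only ELF64 little-endian is handled here")
    if e_shentsize != SHDR.size:
        raise BadElf("unexpected e_shentsize")
    if e_shoff < EHDR.size or e_shoff + e_shnum * e_shentsize > len(data):
        raise BadElf("section header table lies outside the file")
    return [SHDR.unpack_from(data, e_shoff + i * SHDR.size) for i in range(e_shnum)]


def group_members(data: bytes) -> dict:
    """Map each SHT_GROUP section index to its validated member indices."""
    shdrs = section_headers(data)
    groups = {}
    for idx, sh in enumerate(shdrs):
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_GROUP:
            continue
        if sh_offset + sh_size > len(data) or sh_size % 4:
            raise BadElf(f"group section {idx}: contents lie outside the file")
        words = struct.unpack_from(f"<{sh_size // 4}I", data, sh_offset)
        members = words[1:]                       # words[0] is the GRP_* flags word
        for m in members:
            if m == 0 or m >= len(shdrs):         # the check the quoted loop lacks
                raise BadElf(f"group section {idx}: member index {m:#x} out of range")
        groups[idx] = list(members)
    return groups


def check(data: bytes) -> str:
    """Convenience wrapper: 'ok: ...' or 'rejected: <reason>'."""
    try:
        return f"ok: {group_members(data)}"
    except BadElf as e:
        return f"rejected: {e}"


def build_image(member_index: int) -> bytes:
    """Constructed ELF64: sections [0] NULL, [1] PROGBITS, [2] GROUP with one member."""
    group_body = struct.pack("<II", 1, member_index)       # GRP_COMDAT, member
    body_off = EHDR.size
    sh_off = body_off + len(group_body)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, sh_off, 0, EHDR.size, 0, 0, SHDR.size, 3, 0)
    null = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text = SHDR.pack(1, 1, 6, 0, 0, 0, 0, 0, 16, 0)
    grp = SHDR.pack(2, SHT_GROUP, 0, 0, body_off, len(group_body), 0, 0, 4, 4)
    return ehdr + group_body + null + text + grp
```

build_image(1) is a well-formed file; build_image(0x41414141) carries the same kind of attacker-chosen index the post's gdb session shows, and is refused before it is ever used as an index. The same discipline applies to every offset or count read from the file: check it against the file size (or the table size) first, then dereference.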


this is the #hongkong camping for the long battle

this will not be over in a week or two

The students will not storm the buildings and invite the Chinese army to come and crush them, and the Chinese army will only come if they think they will otherwise lose Hong Kong and hand other cities and regions a terrible example of how to get out from under the centralist dictatorship.

The leadership in Hong Kong and China will not storm the camps because they have seen that even when they started to use some limited violence it only inflated enormously the number of protesters and the intensity of the protests, and unlike other protests, these can't be crushed while the whole world is watching.

Both are planning and playing for the long term.

During the day the camps of the protesters are mostly empty, and most people join the permanent watchers after they have worked, taken a shower and eaten something (there is nothing more interesting on TV than going out to discuss with your peers and stand together for democracy and freedom, while you still have that freedom).

And so every so many days we will see initiatives, proposals and actions from one side or the other, while we will never be sure whether this is now the endgame.

and this is the same quarter by night, after working hours


10/24/2014

Tripwire freeware SecureCheq checks for vulnerabilities in Windows desktops and servers

"WEAK WINDOWS CONFIGURATIONS

Free tests for typical and often dangerous Windows configuration errors. Microsoft is the backbone of many enterprise networks. Find out if you have weak configuration parameters exposing you to security threats.

REMEDIATION GUIDANCE

Tripwire® SecureCheq™ delivers twenty checks for different security configuration errors and includes detailed remediation guidance on findings.

HARDEN CONFIGURATIONS

Tripwire SecureCheq demonstrates how your systems need to be continually hardened against configuration errors related to OS hardening, data protection, user account activity and audit logging."

http://www.tripwire.com/securecheq/


Vega: free software to find SQL injection and XSS vulnerabilities in websites and apps

source https://subgraph.com/vega/index.en.html

"Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript."


this is how mobile networks can upgrade to make surveillance more difficult

"Wireless carrier T-Mobile US has been quietly upgrading its network in a way that makes it harder for surveillance equipment to eavesdrop on calls and monitor texts, even on the company’s legacy system.

The upgrade involves switching to a new encryption standard, called A5/3, that is harder to crack than older forms of encryption. Testing by The Washington Post has found T-Mobile networks using A5/3 in New York, Washington and Boulder, Colorado, instead of the older A5/1 that long has been standard for second-generation (2G) GSM networks in the United States. More advanced technologies, such as 3G and 4G, already use stronger encryption."
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10...


#ISIS went to the hill to be closer to god and the US helped a bit with that


10/23/2014

why they will never find who was the commander of the Bende van Nijvel

* Nobody can speak in Belgium without getting convicted; you can't make a deal here, and even if you could, Belgium would need partner countries where you could start a new life, because Belgium is too small for people to live a totally new life without being discovered at some point.

* As was clear during the RTBF documentary and said time and time again, it is too dangerous to speak because you will be killed; this is what the participants said. If this was the message the gangsters were sending to the world and to the people who knew them with their bloodbath, it was really efficient.

* There are at least a million files, of which not all are digitised (some say about a third), which means that you can't use computers and programs to analyse everything in the files, to look at the 'big data' and pull anomalies or contradictions out of them.

* As was said during the documentary, the evidence has been reopened and reused so many times that it is no longer secure enough to stand up in a court of law.

* As was clear in the documentary, different factions within the judiciary and within the police departments have different opinions about which way the investigation should go, which makes it difficult to make your case in court.

* Many people have died or have lost their memory, and it is not clear what is correct and what has been distorted, maybe by reading too many articles and books.

* WNP was initiated by something, but nobody had any idea what it was, and there seem to be enough layers between the decision-makers and the operatives. So no operative knows enough to have any idea who he may be. Maybe they should look at it as a spy operation.

http://www.rtbf.be/video/detail_devoir-d-enquete?id=1965459


Azerbaijan embassy in Belgium hacked by Armenian hackers

There is again a kind of war, or nearly a war, between those two countries.


site of Anderlecht (in France) hacked by Syrian opposition

Cleaned up now.

Several embassies were also victims of this attack.


seniorennet defaced.... next time a virus?

Something with a link injection that redirects people from the front page to a page with an advertisement to win a trip to Spain (for the hackers who then get all the passwords in your browser or on your machine).

If you can do this, you can do anything.

A problem with your Apache and administrator rights.


websites of flemish schools can easily be hacked (on tv) because they are not secured

On VTM there was a documentary on how youths were hacking servers of their schools to change their results and other records. The teachers themselves were overwhelmed: they have hardly any dedicated IT staff and cannot keep up with the necessary IT security budgets and tasks. The minister was talking about awareness and blablablablabla.

The advantage of this documentary is that the hacker was better protected than on the VRT, where you could see his face clearly. As he is protected he is a source, and as a source the police will find it very difficult to get his name, unless he left a trace to his own IP address somewhere (which is why it should have been done through an IP address of a computer of the media firm).

Secondly, VTM said several times during the documentary that this was illegal, that students could go to jail for a few years if they do it again after a first conviction, and that it was in fact very dangerous. But at the same time it presented hacking as something very easy: you only had to download some programs and then you attack the site of your school. It looks easy, but if you want to erase all your traces so as not to get caught if somebody files a complaint, it takes a lot of time and preparation.

Schools do not at present have safe platforms, shared by a number of schools and managed by professionals. Only such platforms have the scale and the resources to keep the individual sites from being hacked. A CERT with a few people for all the schools wouldn't be bad either: it could notify a school when its site is hacked, or send out practical information when a patch is necessary, and so on.

Secondly, schools need to know which information shouldn't be on the web or the network at all if it isn't worth the risk and they don't have the money to protect it. This is a very healthy, cheap principle. It is maybe not as easy, but it is safe and secure, and that is what is important.

Third, two-factor authentication is the future; the time of passwords is over. There are a billion passwords to download on the internet, so a password alone no longer provides any security.


if you are paranoid enough, this is how to hide from the NSA

"Strong, non-NSA backed crypto primitives. I’m a big fan of NaCl because it’s fast, constant-time, secure crypto that doesn’t rely on anything backed by the NSA. To make it easier to use, it’s made portable (and extended) in libsodium. I won’t promote anti-NIST FUD, but some things should be questioned, such as the NIST ECC curves.

  • Minimal metadata. The amount of information that can be extracted from messages should be at a minimum. Anything that’s exposed (username, user ID, public keys, etc.) can be used when collected en masse to begin mapping relationships and undoing the veil of anonymity.
  • Encrypt everything in transit. As with metadata, anything in the clear going over the network can be captured, stored, analyzed - and in targeted cases, altered in various ways. Using TLS is a great start to this, as it removes the option for simple passive monitoring, though it shouldn’t be assumed to be enough. Active attackers can man-in-the-middle the server, passing a forged/stolen certificate. Certificate pinning, and additional layers of encryption help protect against these attacks.
  • Server knows as little as possible. The more the server knows, the more the provider(s) can divulge - either by court order, or by more clandestine means. Even the simplest HTTP server logs can provide valuable information to such an attacker, especially when combined with other data sources.
  • Encrypt everything in storage. When at rest, everything should be encrypted - if a device is compromised, it should reveal as little as possible. By encrypting everything based on the user’s password, only the user is able to access the data (though maybe by force).
  • Hide everything. The CIA at least once used a weather application to hide a communication system; it was only available when looking up weather for a certain city. Such techniques make it harder to spot the use of secure communication tools. This may seem a bit extreme, but there are good reasons to do it."
https://adamcaudill.com/2014/10/19/on-nsa-proof-security/


this is how small and simple a fake cell tower that intercepts your phone can be

You can place it anywhere, in fact, as long as you have power.

http://www.newsobserver.com/2014/10/18/4245744_charlotte-police-investigators.html?rh=1

It is used in the US by several police departments, and it explains why researchers in some states have found rogue cell towers that ask your phone to connect to them as if they were real cell towers.

So next time, why would they have to hack Belgacom to trace some cellphones? Why bother?

The Belgian privacy commission has been informed by Belsec that, according to international reports, several of these installations are in Belgium, which is illegal under Belgian law if they have not been certified for that.


the oldest hacking method brings in enormous cash because everybody forgot about their phones

"Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives. It would have taken 34 years for the firm to run up those charges legitimately, based on its typical phone bill, according to a complaint it filed with the Federal Communications Commission.

The firm, in Norcross, Ga., was the victim of an age-old fraud that has found new life now that most corporate phone lines run over the Internet.

The swindle, which on the web is easier to pull off and more profitable, affects mostly small businesses and cost victims $4.73 billion globally last year. That is up nearly $1 billion from 2011, according to the Communications Fraud Control Association, an industry group financed by carriers and law-enforcement agencies to tackle communications fraud."
http://www.nytimes.com/2014/10/20/technology/dial-and-red...

These attacks on your PBX also happen in Belgium, and there is very little you can do about it after the fact if you did not put a firewall or some very specific infrastructure in front of it, with strict controls and real-time alerts. The cheap measures are on the PBX itself: block premium-rate and unneeded international destinations, disable call-through features (DISA, voicemail outdial) you do not use, change the default voicemail PINs, and watch the call records for after-hours international traffic.

We always forget about our telephone infrastructure, but it can also be used to penetrate networks and to reroute communications (sometimes in a circle, so that investigators will never find who the real victim or target is), and telecom operators do not pay you back and you are not insured for this either, so all that money is lost.
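The "real-time alerts" part, as an added example (not from the article or any vendor): three simple rules run over call detail records. The CDR format (timestamp, extension, dialled number, seconds) and every record are constructed; the watched prefixes are the country codes of the three destinations the article names (Gambia +220, Somalia +252, Maldives +960) and are an assumed policy, as are the business hours and the per-hour threshold.

```python
"""Toll-fraud detection over constructed CDR (call detail record) lines.

Added example, not from the NYT article or any vendor product. The CDR
format and every record are constructed; WATCH_PREFIXES, BUSINESS_HOURS and
MAX_INTL_CALLS_PER_HOUR are an assumed policy for a small US business.
"""
from collections import Counter, defaultdict
from datetime import datetime

WATCH_PREFIXES = ("+220", "+252", "+960")   # Gambia, Somalia, Maldives (from the article)
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local; nobody dials abroad at 3am
MAX_INTL_CALLS_PER_HOUR = 3                # per extension; the fraud pattern is a burst

# Constructed sample: one normal day, then the PBX starts dialling Africa at night.
CDR_SAMPLE = """\
2014-10-18 14:02:11,ext201,+12125551212,183
2014-10-18 23:41:05,ext114,+2207000001,1795
2014-10-18 23:42:09,ext114,+2207000002,1790
2014-10-19 00:10:45,ext114,+2527000003,1800
2014-10-19 00:12:01,ext114,+9607000004,1801
2014-10-19 00:13:00,ext114,+9607000005,1799
2014-10-19 00:14:30,ext114,+9607000006,1803
2014-10-19 09:15:00,ext201,+14045550199,60
"""


def parse_cdr(text: str):
    """Yield (timestamp, extension, number, seconds) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, secs = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ext.strip(), number.strip(), int(secs)


def alerts(text: str) -> list:
    """Return (rule, extension, detail) tuples; the velocity rule fires once per hour."""
    found = []
    per_hour = defaultdict(int)
    fired = set()
    for ts, ext, number, secs in parse_cdr(text):
        intl = number.startswith("+") and not number.startswith("+1")   # +1 = NANP, domestic
        if number.startswith(WATCH_PREFIXES):
            found.append(("watched-destination", ext, f"{number} {secs}s"))
        if intl and ts.hour not in BUSINESS_HOURS:
            found.append(("after-hours-intl", ext, f"{ts:%Y-%m-%d %H:%M} {number}"))
        if intl:
            key = (ext, ts.strftime("%Y-%m-%d %H"))
            per_hour[key] += 1
            if per_hour[key] > MAX_INTL_CALLS_PER_HOUR and key not in fired:
                fired.add(key)
                found.append(("intl-velocity", ext, key[1]))
    return found


def summary(text: str) -> dict:
    """Count alerts per rule; an empty dict means a quiet day."""
    return dict(Counter(rule for rule, _, _ in alerts(text)))
```

The velocity rule is the one that catches fraud to destinations you have not listed yet; the watched-destination rule is for the countries the carriers already know about; the after-hours rule is cheap and catches the common case that the dialling starts on a Friday night and runs until Monday. Feed it the PBX's CDR export on a timer and page someone on the first alert, because every minute of a 30-minute premium call is money you will not get back.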


#Ukraine denies Der Spiegel disinformation about BUK missiles and #MH17

We have published here, time and time again, all the information that specialists have been publishing for a long time now that the BUK came in from Russia, and there is all the photographic evidence to prove it.

But the propaganda and intox campaign of the masters of the Kremlin is as good as ever, even when it comes to the Western press, who just copy-paste without verifying or critically researching information before republishing it.

And this strategy was foreseen from the beginning, directly after the disaster.

“We have clearly stated that all our missile systems, including their personnel, were not present in the area of the tragedy,” Ukraine’s Ministry of Foreign Affairs spokesman Yevhen Perebyinis told DW on Monday, October 20.  “Statements that  militants had seized Ukrainian missile complexes do not conform to reality since all these systems had actually been moved in advance. We find it strange to hear conclusions that the militants had used Ukrainian missiles,” he said.


Similarly, Ukraine’s Ministry of Defense in an official statement posted on its website, October 20, has categorically denied claims that terrorists had seized the BUK-M1 (NATO code: SA-11 Gadfly) anti-aircraft missile system from a Ukrainian military unit.


“Certain media citing the German magazine Der Spiegel have been disseminating information that the Malaysian passenger plane, flight MH17 , flying over the Donetsk Oblast had been downed by a BUK anti-aircraft missile system seized by pro-Russian separatists from one of the Ukrainian military units. The Command of the Air Force of the Armed Forces of Ukraine officially states that information on the seizure by terrorists of the BUK-M1 anti-aircraft missile system from a military unit of the Air Force of Ukraine is not true,” the Ministry’s statement said.


http://euromaidanpress.com/2014/10/22/ukraine-asks-german...
