this is one example
but there are thousands of them
now the number of results doesn't really differ so it is not clear what was removed
so either you go to Bing or to Google.com or google.ca, but when you are doing some serious research you can't use Google with a European domain extension because you will miss something out
maybe there is a tool to compare all the results of the two searches to find the differences
the differences between the two search terms would be very interesting (and it would make the decision to have a right to forget only in Europe look as stupid as it is) - even if for 70% of the searches in Europe it works, because Google automatically tries to send you to its national portal and not its international one (you have to set Google.com as default to be sure that you aren't redirected).
The next move from the defenders of the right to forget is that anyone with a European IP address will automatically always see only the results of the European versions of the search engine
that will be the day we can leave Google behind and go to Bing or any other search engine that doesn't want to comply and still indexes the web - or a specialised search engine that only looks for the things that are deleted from Google. If you count the right to forget together with the millions of links to copyrighted files, you have millions of links and so a very attractive database for a very large public (because those copyrighted files are still there, and that is the only reason why they are retired from Google: for the firms it is the fastest way to limit access to these files)
yep, this is what this guy found out (and he is looking for a job as modem or code analyzer - so if you are looking for someone, read this and be convinced you should talk to him). He was also on TV but he has an agreement with Telenet, who is working on a responsible disclosure policy.
* there is an external telnet shell on the wan0 port which makes it possible to get into the modem from outside and listen to the traffic (sniffer, tcpdump), record the telephone conversations and see the passwords that don't pass over encrypted connections
* there is the possibility to install a permanent backdoor that even survives the firmware upgrades
* one could install whatever code on the modem (so for example a forwarder of the telephone and internet logs so you wouldn't have to look at your sniffer all the time)
* he installed wireshark on the modem, which can listen to all kinds of traffic and keep it logged
* he has found the certificates so he could clone the code and make it look legit - even if it has changed ....
* he could change the rules in the firewall
* he could downgrade the firmware of the modem so that security updates would be retired afterwards
* he could read the wifi keys that were used - and if the modem is also usable by others (hey, now it becomes interesting) you could read the wifi keys, traffic and passwords of others ..... WOW, this is the perfect rogue router that will look like the real Telenet router for all the Telenet clients in the environment (place this in an airport or business center....)
some questions (here I go again)
* it is very strange to see that the people at Telenet don't know the firmware of their home routers inside out and haven't discovered or known that before. What does this mean for the testing and introduction of new modems? Or will they now introduce a full code review of all the code in their modems and adapt their modems so that certain dangerous functions or code are retired from the code - if they can, because it is open software and sometimes the license doesn't give you the right to change the code without giving it back to the community or having the permission of the core developers to do so (a discussion that is also going on in the Belgacom community about the way the Belgacom boxes are configured)
* another question is how they are going to upgrade all these boxes, because if I see all those functions and code that pose a potential problem then this won't be a simple update: it will go into the core or kernel of the code and I am not so sure that this is an easy operation - even if it is now important that it is done as fast as possible
* if a box is already owned by someone (take in this case not the intelligence agencies) then how can you assure that this upgrade will be enforced on the modem, because the code analyzer clearly states that he could downgrade the firmware updates, flash it or even put in a backdoor that wouldn't be detected by the upgrade
and what are you going to do in that case - if the upgrade doesn't work, or if by an SNMP or other indexing control one sees that these modems still don't have the perfect and full version of the upgrade and it seems after a telephone conversation with the owner that he or she has nothing to do with the manipulation of the box? Exchange the box for a new one with all the new firmware? And maybe better protected, as there is a possibility that this box has been used? And will Telenet file a complaint with the FCCU if it finds that a higher or specifically targeted number of its boxes has been hacked by external parties?
If you are a high security target working for sensitive services and you are a client of Telenet then this article will interest you (and your infosecurity department, who will pass by the next day to control your home router just in case and make changes in it to defend it, because now everybody will know). Oh and yes, when you connect to the internet and you are posting online and so on it is clearly visible that you are from Telenet (take for example the IRC channels)
If you discover Telenet boxes that not only have been abused but were also used by other Telenet users as a hotspot, and you find that the data has been sent to another source or data dump, will Telenet then have to file a complaint and if possible inform its users, and if it knows who the users are, at the least give those people new WIFI keys?
* now if this was a backdoor for our security people and the IT people have not been informed by the people in the firm who are in contact with the intelligence services (which is normal anyway) then there is another problem. How will someone know if he is being spied upon? Well, by seeing that there is no upgrade of his box, or he will break his box and ask for a new one with the new secured firmware, or he will stop his subscription and get it in somebody else's name who isn't on the watchlist and so on ......
and if we have closed the backdoor and so on, where will the security services go for their information? To the central servers (but everybody knows that the closer you are to the source the better the information is).
and I want just also to repeat that Telenet has proven to do the good thing by listening to this guy and by taking him seriously and by giving him enough legal protection so he could pursue his passion (and curiosity... that kills the cat). If somebody is looking for modem hackers or modem specialists, here is someone who has proven his case.
this is not only about the data of the 100K one-time members that is important - the unencrypted and badly protected data
no, the real question is the following - and this is VERY important for Belgium
What are the responsibilities of the hoster, what are those of the owner of the site, and what are those between the owner and the programmer or maintainer of the site?
If a site is hacked because there is no application firewall, or there is one and nobody looks at it, and the hack could have been prevented if there had been an application firewall that was well manned and maintained, then is there shared responsibility or not?
if the hoster has really set everything in place to prevent attacks and hacking and data extraction and has given the site holders all the tools to protect and monitor their site and to encrypt and separate their data and so on, and the site still gets hacked because the site is so badly configured, then is the badly configured site responsible for all the damages, including the risk to the other sites on that host?
or should the hoster automatically control the state of security of the hosts on its servers to be sure that some insecure servers don't do damage to other sites or the whole infrastructure, and warn them that they are so insecure that they could be a risk and that the legal and financial consequences if they got hacked could be quite great?
And if the hoster doesn't do that, is he or she then irresponsible because he lets some very dangerous site put the security of the data of the other sites on the same host or network in danger too?
and if the programmer does his job but asks for upgrades and support and some paid tools to better secure the data and the application and it is refused, and he informs the owner of the site or the hoster of the possible consequences if these things aren't done and they still refuse, is he responsible if finally the site gets hacked and data is lost (in the best case)?
these are the questions surrounding the 9lives case and this makes it for the privacy commission such an interesting case - one that only comes by from time to time - and for that reason it is an opportunity
but it wouldn't surprise me if Telenet would do everything to put it away, asking everybody to protect their brand name and the credibility of the business and its security
but maybe the organisation of hosting firms in Belgium can take the initiative themselves and sit together and set up different levels of security they could deliver at what price, checked and certified by authentic external partners (bronze, silver, gold). If someone with very important data or much data would still decide to pay for only bronze, even if he doesn't have the resources to compensate himself and even if the legal department of the hoster informs him that he should take the gold contract because legally his responsibilities and risks are too high given the kind of data or the volume of data he has online ...... then there is a risk he takes and an insurance he should take (but he wouldn't, because it is too expensive and much more expensive than just securing your site and data as you should)
* you can contact the CERT at cert.be
you send them the information and you get a number for your case. If it is really important they will contact you, but they are understaffed and there is much more work than they can handle and every day they have to prioritize.
* if your information is really high level and really important and you think that nobody will listen, you can always contact me. I will use different contacts with contacts to get in contact, so that there are enough levels of trust between the information (from you) and the person who has received the information.
belsec has done this kind of operation in the past - several times (the EID leak for example) and recently
Not all information is published, some is never published, and for the moment we are working on a case like this in which it is highly probable that if it gets resolved it will never be published - or the name will not be mentioned (and as always it is just a case of stupidity)
We adapt our strategy to the information we get - some goes public immediately, some never - and it always follows different ways - as long as it gets solved (for now)
but I myself never hack - let that be clear
and in some cases it may not be me who will be downloading the information you are sending, because I am a Belgian and the Belgian computer crime law is too strict
I only handle Belgian things and I prefer things that are also hosted in Belgium or under the .be domain extension, because in that case there is no question that it will fall under Belgian law
but just remember that these things can take time, especially if you want to keep out of the press, the courts, the police and you want to keep from being identified yourself
why the journalist did not do his job when he 'abused' a young hacker to penetrate a server at the KUL
okay, this is an important discussion, because this discussion has to be held: the last ten years I have been confronted with the same kind of demands by journalists, or the same kind of attitude
first, we are talking about the server hacker - not the modem hacker (about whom I am going to write in a minute, but who is an astonishing guy (and he is looking for a job for his passion))
and server hacker is maybe a big word, because they didn't show how he did it and it is not clear if he only used some standard methods or really had to prepare a whole strategy and mix different kinds of attacks to finally arrive at his goal (the data)
if you do a penetration test always define a goal that is worthwhile, and that is always to get the data from the machine, because it is the only thing for which you can be condemned, it is the only thing that really matters and the only thing that afterwards makes budgets and programmers move. Getting in or getting control over the server is bad but is not a CODE RED. Being able to extract important or personal data is always a CODE RED. So if you do a penetration test, tell them to get a certain dataset that is important to you.
but I was saying that the journalist did not do his job, and this for the following reasons (and this must give you out there some thoughts if you are talking with or working with journalists)
* if you are a source and you want to have a life afterwards, you better keep out of the picture if you have to do or say things that could be illegal or that could get you in deep trouble. Never underestimate the immediate power of the media (it will blow over and after a while you will be forgotten (in jail, maybe)), so while some journalists will be pushing to the limits of sensationalism you will have to keep in mind that you have to live your life and keep your credibility afterwards. You could make enormous headlines for one day all over the news, but the next day you will be taken down by your opponents (and the press will also just report that, even if they are talking total nonsense).
NO picture NO video NO name
* if you are going to be used to do illegal things (under our very strict computer crime law) then you should ask them in writing how far you are going to be protected as a source. Because if you are a source of the journalist (and you are not in the picture and your name is not mentioned) then you fall under certain legal protection, because the sources of journalists are legally protected (except if you penetrate a nuclear installation or an army base and set off a situation that falls under exceptional national security and so on).
He is not mentioned as a source, the reporter plays the game of reporting things, this is slightly different.
* if there is going to be a trial and you will need legal defense, who is going to pay for that? Because you did those things as a source for this media, they should foresee some participation in the financial costs of that trial (and if you go to appeal against your probable first conviction then it will cost even more).
* You should get your own lawyer to assist you when this is all put into motion (and then they will probably go and start looking for somebody else because you are too difficult, and then you know that their intentions were not clear: they just wanted some sensational shots from a marginal lone hacker in his bedroom to use, and then forget all about the consequences for the guy they are leaving behind afterwards).
I speak from experience and I had to help friends during these ten years to stay out of trouble, and I can assure you that this was not funny, and we - and my friends - stayed out of trouble because we were sure we had everything covered before we went PUBLIC.
If the young hacker is to be interrogated by the FCCU he should absolutely bring a lawyer with him to assist him.
It is time for the organisation of journalists to set up guidelines to stop this kind of behaviour, which is totally irresponsible in this case. The direction of the VRT is very proud that they are not explicitly mentioned in the case, but they are definitely totally linked to the case, because if their journalist had done his job as he should have done (protecting the anonymity of his source-hacker by saying only that he 'received those files during his investigation') then the hacker should have been safe, and he would have been safe, and the police would have no case to do a search, and if everybody had kept quiet - which would have been in the interest of everyone - then everybody would forget about this other case of hacking in Belgium, of which many are to follow in the months and years to come (because of our security situation).
okay, we have found the server based upon the information that was leaked and published somewhere else (not very responsible of the journalists to do so, because if the journalist in question kept the target to himself then that is because there is a good reason to do so)
one being that any other hacker may now directly go and try to hack the server himself, and because of this he may or may not be faced with someone who has a lot more knowledge and can do a lot more harm - especially if the network is interconnected and the rest of the university network may be compromised (it can also be some half drunk students doing it from inside the network because they will suppose they will have a lot more privileges like that)
now we have found the server, we have tried some things that we always do
we go to Google - because that is the only thing that we can do if we want to stay inside the law - and did some typical tests to find data - and with which we have found lots of data already
there was none
this shows that to get the data you have only two ways
* SQL injection into a logon form (there are several - which is quite confusing and not a good security policy, because you could centralize this and reinforce strict security from there for all the logons for your server)
* an attack against the root of the server or the application, which means that there are vulnerabilities
he could also use some stolen logons but that would take much more time (you will have to look for the names of everybody who works there and has access to the data (they are published online so that is no problem) and then you will have to infect them to get their password or you try to buy their logons on the black market)
but I doubt this
so it was hacking, he couldn't have downloaded the information from the public web
so it is an infraction
so it is a crime
we have contacted the CERT and the university to tell them that we have found the server and to warn them that more attacks may be on their way, as the name of the server is easy to find (thank you Google)
The University Hospital of Leuven filed a complaint against the hacker for penetrating a server on their network (there is some discussion about the impact of the stolen data), based upon the law against computer crime.
We would like to warn any computer or security expert to refuse any request from any journalist to test or penetrate into any network or server in Belgium without having the written consent of the legal owner of that network or server. In that contract it has to be mentioned what could and what shouldn't be done, what the channels of communication would be and the different tests that will be executed.
I had this question several times and I always refused. Journalists always thought that when they had me on camera they could ask me to do things that were illegal but looked exciting.
But you don't have to hack to prove that there are many vulnerable networks in Belgium, even with medical data. (but in fact it was not medical data from real patients but from a medical department of the university where files from a test group in an experiment were not secured enough (encryption, anybody?))
http://ssllabs.com has upgraded its tests and included a test to look if the Man In The Middle (MITM) attacks that can intercept all your authentication and transaction details are possible with the POODLE attack.
There are other scanners like poodlescan.net but these are not that complete and the information they give is confusing. They only indicate what a hacker will see when he does a global scan (that is, scanning if something is possible) before starting his real attacks. So if you have left the port open for SSLv3 but have mitigated the use of it (when did you leave the port open?) then you will have all that scanning and attack traffic afterwards.
an example of this is
belgium.be : not vulnerable but didn't deactivate protocol SSLv3 https://www.ssllabs.com/ssltest/analyze.html?d=belgium.be they have
vlaanderen.be : not vulnerable but SSL configuration needs some work (how they are configuring OpenSSL is openly documented on the web for everybody to read - and the freedom they leave to the local developers - https://mft-ti.vlaanderen.be/doc/en/MOVEitDMZ_SystemConfiguration_SSLAndSSH_SSL_SSLConfiguration.htm) https://www.ssllabs.com/ssltest/analyze.html?d=vlaa... (this is stupid because it indicates there may be other infrastructure that has used this freedom to downgrade and may be vulnerable). Well, such technical documentation should never be published on the web for all to see, there is no reason for that.
taxonweb.be : vulnerable. They have a very badly configured certificate (for several years already) https://www.ssllabs.com/ssltest/analyze.html?d=taxonweb.be and they have a bad SSL configuration which makes several man in the middle attacks possible https://www.ssllabs.com/ssltest/analyze.html?d=ccff02.min...
oh yes, and they will say there is double authentication with your EID and so on, but what they forget to tell you is that the information on your EID and the login comes over a tunnel that is encrypted. Well, if the information in that tunnel is only encrypted in SSLv3 then the malware in the computer can intercept it and decrypt it or interfere with the transaction during the transaction. It will probably have to interrupt the connection to oblige the user to restart and make sure that at that time the restart of the encryption is done in the vulnerable SSL protocol, so that any information that goes through the tunnel (transaction between the EID reader and the portal) will be intercepted
in 2008 a proof of concept was developed that did just that (intercepting all the information that was on the EID that was read by an EID reader) by only changing something in the registry of the computer. It took 6 months of discussions to get it accepted as a security bug and to get a patch out.
inami.be : vulnerable https://www.ssllabs.com/ssltest/analyze.html?d=inami.be the central station of ehealth
University hospital of Antwerp : VERY VULNERABLE https://www.ssllabs.com/ssltest/analyze.html?d=uantwerpen.be (they probably will have to go offline for maintenance)
securemyethias.ethias.be : vulnerable https://www.ssllabs.com/ssltest/analyze.html?d=securemyethias.ethias.be
homebanking.santander.be : vulnerable and very very BAD SSL configuration https://www.ssllabs.com/ssltest/analyze.html?d=homebanking.santander.be+
this means that
* if clients are infected with banking trojans that are capable of doing a MITM attack, they can interfere with the SSL protocol and downgrade it to SSLv3 so they can break it and get the authentication and all other information necessary
* if the servers are compromised they can oblige the clients which haven't upgraded their browsers or blocked SSLv3 to reset their encryption to SSLv3 and transfer the authentication data to the data dump where it can be re-used or sold to somebody else
For the servers it is important that the keep-alive function is also activated and possible, because the attacker will need this to make his attack work (with the knowledge at the present time). It proves once more that keep-alive in authentication services is something that will be on its way out..... (and in fact it is so insecure, if you think about it, that you wonder why it was introduced in the first place, except for the only reason any insecure method or protocol was introduced, and that is because of the client people who think that serviceability is more important than security (while in fact it is the other way round and people will respect that))
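As an added example (not code from the original post, and not a tool of ssllabs or poodlescan.net), here is a small Python probe for the "port still open for SSLv3" case above: it sends a raw SSL 3.0 ClientHello and reports whether the server still agrees to SSLv3 at all, which is the precondition for any POODLE-style downgrade. The cipher-suite list, the alert names and the host used in the `__main__` block are my assumptions, not anything from the page.

```python
"""SSLv3 probe: does a server still negotiate SSL 3.0?  (added example)

The network part is separated from the parsing so the classifier can be
exercised on constructed byte strings without any server.
"""
import os
import socket
import struct
import sys
from typing import Optional

SSLV3 = b"\x03\x00"                 # version bytes for SSL 3.0
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# Assumed set of SSLv3-era RSA cipher suites; enough for a server that still
# allows SSLv3 to answer with a ServerHello.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

# Assumed subset of TLS alert descriptions (RFC 5246 numbering).
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure",
               47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(random_bytes: Optional[bytes] = None) -> bytes:
    """Return one SSL 3.0 record carrying a ClientHello without extensions."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    if len(rnd) != 32:
        raise ValueError("client random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + rnd
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # compression: null only
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake))
    return record + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sends back to an SSLv3 ClientHello.

    Record layout: type(1) version(2) length(2); a handshake body then starts
    with type(1) length(3) and, for ServerHello, the negotiated version(2).
    An alert body is level(1) description(1).
    """
    if not data:
        return "refused (connection closed)"
    if len(data) < 5:
        return "unknown (truncated record)"
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        desc = data[6] if len(data) >= 7 else None
        return f"refused (alert {ALERT_NAMES.get(desc, desc)})"
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 \
            and data[5] == HANDSHAKE_SERVER_HELLO:
        negotiated = data[9:11]
        if negotiated == SSLV3:
            return "sslv3 accepted"
        return f"unexpected handshake version {negotiated.hex()}"
    return "unknown"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            return classify_response(sock.recv(4096))
    except OSError as exc:               # reset, timeout, refused connection
        return f"refused ({exc.__class__.__name__})"


if __name__ == "__main__":
    # Hypothetical usage: python probe.py example.com 443
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {probe_sslv3(target, target_port)}")
```

"sslv3 accepted" is the result you want to see disappear from your own servers; a server that has SSLv3 disabled answers with an alert or drops the connection.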
First, the Belgian computer crime law is pretty clear: if someone has not the permission to attack your computer or your network then it is illegal. Even for security researchers and reporters like me it is extremely difficult to do much more than to google or use external sources and copy them. The moment we would test the real possibilities to get at the data, it is possible for the subject of our article to attack us. The fact that they wouldn't hesitate for one moment to do so makes it extremely difficult and has resulted in the last ten years in sometimes very difficult and extremely stressful situations for me and some other security bloggers. In the end we could prevent the complaints and investigations, but the very vague terms of the Belgian computer crime law make it the most efficient censor after all. I know that some security tests in Brussels against public wifi installations were abandoned because - contrary to the situation in other European countries - the legal hurdles were so great that it wasn't worth it. Because in the end it all depends on the judge's interpretation of your intent, and there is no way that you can foresee how any judge would react, even if you think that on paper you have done everything possible to prove that all your intentions were good.
This is also the reason why we need to have a 'responsible disclosure policy', for which normally the CERT would have to be responsible, but for the moment I don't think they are doing anything. It would change a lot of things and it would for example make it easier to disclose to the people responsible for security the things they have to fix, and if they don't answer or take much too long then you have the right to disclose it to the public - putting the pressure on the security people to respond and act on the problems. We don't even want any money for it (for now) - just the possibility to give this kind of information and to be sure that it would be treated would already be a great improvement.
So the hacker on TV was illegal and the journalist was illegal because he was an accomplice, and the fact that it was on TV shouldn't make it legal. Every time a journalist decides to get a hacker and tries to hack something, that would make it legal and all right? This is not journalism. A journalist can't try to rob a bank just to see if it is possible. He would be arrested and prosecuted. Well, this is the same. Maybe it is time for the Organisation of Journalists to have guidelines about this, because this isn't the first and won't be the last incident.
But any one of the 26.000 victims whose personal information was downloaded, the hospital and its IT firms or any other victim can go to the FCCU and file a complaint, because someone who wasn't authorized entered the IT system and got access to his files and received them on a computer that wasn't authorized to have them.
And maybe someone ought to do this; this will make it mandatory for the big news organisations and for the organisations of journalists to have guidelines, and for the hospitals and those responsible for IT security to get their act together.
The action of the TV programmers was also stupid stupid stupid
Stupid because how can you really guarantee that by this hacking or penetration nothing was changed so that the installation at the hospital or the other installations became more vulnerable, that the hacker didn't create other backdoors, that there isn't a copy somewhere of the data and that all data has been destroyed? The only way to be sure is that the hacking is done on a special computer and that the transport of the data is under full control. The other thing is that if you do a penetration test (because this is in fact what it is), you don't really download 26.000 datasets over the network to prove your case: the moment you can show that you have the data, and that from the whole database you can download one test set with dummy data that has the same rights as the other data, that is proof enough of success. It is also for this reason that penetration tests are always done in the presence of security and network people of the infrastructure that will be tested, because you are never sure that something that isn't foreseen will happen or will have unforeseen consequences. In this case the people at the other end who are watching the network and the security installation (and see the penetration happen but won't intervene) will be able to contact the penetration tester and the security people if there are such problems or when it is interfering with other situations. It also makes it possible to intervene if one sees that at the same time another hacker is penetrating or trying to penetrate the network with the same methods (that weren't monitored before). In this case the test can be called off and the operation changes into a discovery and cleanup operation, because you have a real incident and possibly a hacking. When the re-securing has been done afterwards, you can do a new test - even if this one should be harder.
So no, I don't think that those conditions were met and so I think there are multiple risks with this operation.
Another question I have in my mind is whether the security people at the VRT were informed and whether they have been consulted for advice, because if this test is not following the standards and the VRT is responsible and brought before the courts then this is another of the questions that will be asked. As a good journalist and as a good housefather, have you taken advice from different people with different perspectives to be sure that enough care and time has been given to the different operational aspects of this investigation?
And if the security people of the VRT didn't give the advice as described above when they were contacted then the VRT has a problem .....
but it shows once more that IT security in Belgium is built upon the fear of a very vague law and a very powerful and competent FCCU, and investigations that make a headline only to disappear totally afterwards. Everybody thinks that our medical data and ehealth networks are safe because we suppose that this is the case, and we suppose that this is the case because we suppose that there is enough money, enough IT security people, enough external controls and enough guidelines and laws to make it secure.
it is another proof that this is NOT the case (and now I will hear all the ehealth defenders and business interests say that this is the new world, that this makes it more efficient, that they are doing everything that is possible, that I am paranoid and so on.... (hurting Belgian industry interests and jobs is another one))
but I know three things
* medical data is for the moment the most valuable data on the black market (and a real business in the US where certain firms buy or consult them without leaving any fingerprints in the official explanations (for example why you don't get an insurance))
* medical installations are as buggy and full of security leaks as any other new technology or hardware, because nobody worries in the beginning about security, that always comes much later
* I only believe what I see, and the e-health process is not transparent and there are not enough external controls and audits (and if there were, they surely didn't go to this place)
we already mentioned to the privacy commission that there are websites with a logon for doctors and pharmacies that were hacked or hackable, and we have found some Belgian medical information online and transferred that to the CERT and the FCCU (this was a file from a blood transfusion center)
because of the law on computer crime we didn't test anything and didn't go any further, and wouldn't advise you to do so either (because you aren't protected by a camera) - even if this leaves our medical data and infrastructure vulnerable because there are not enough mandatory independent audits and tests.
and there is even worse on the second image
but if you thought that it couldn't be worse, there is also a page online from the same agency that lets people make their online profile to apply for certain jobs in our new European army
only it is made for IE6 and has a certificate that is self-signed, which is totally unacceptable
probably this is an old forgotten server or a test server, but this shows that the security officers over there have no control over the infrastructure, which is worrying, because if they didn't see this, what else is there that they don't know about (just a reminder: in Belgium we also found a badly protected, in fact unprotected, gateway for the Human Resources department)
we didn't go further than this, but we think that it is time that they pull some things down and pull some defenses up and control some logs and adapt some levels of security
and meanwhile stop talking about cyberwar, because if there is a cyberwar this infrastructure will just be blown away
would you bet that you would get attacked over it? How much?
snooping, anyone?
and they are working with very very big accounts
this is not very secure
this is the same used for a whole lot of 'secure' online services .......
as they are still using or accepting older SSL standards and protocols which are in fact totally unsafe (but you know those guys from marketing and the helpdesk)
then you first get a first downgrade
later this year, if you don't change anything, you will be going to B and so on
SSL configuration is work that needs rethinking after every so many problems and attacks
more than 90000 posts
more than 1.2 million visitors
and no commercial crap
the only source in town about things nobody wants to talk about in Belgium
twice in Parliament
working with dns.be, cert, fccu and now the Privacycommission to keep data safer in Belgium
with EKZ.SKYNETBLOGS.BE before that, which started in 2004, we will have 10 years (together more than 2 million visitors, thousands more posts,.......)
and there were naturally the blogs that don't exist anymore but had some sense and use at the time, like virus.skynetblogs.be, spam.skynetblogs.be and so on, or blogs that aren't maintained anymore like insecure.skynetblogs.be (insecure infrastructure in Belgium), scams.skynetblogs.be (what arrived in my mailbox) and be-hacked.skynetblogs.be of course
if anyone has any ideas let them come (but don't start hacking, it is illegal :))