- Page 7

  • Update your Microsoft IE and Powerpoint IMMEDIATELY NOW (especially if you have confidential info)

    we didn't publish this list from the Internet Storm Center since long but this has to be seen as a critical update because the attacks based on these vulnerabilities have been going on for 5 years now and the zeroday (or should be say zeroyear ?) leaks have had a good newscycle yesterday with the securityfirm trying to make a name for itself ahead of the release of the protections to announce to the (black Under) world that this is how you can compromise a computer easily. They couldn't wait another week of two so that all the critical posts were patched meanwhile.

    If you are on a critical network or have critical information that you should do more security research in your logs based upon the articles that were published yesterday (but were very vague to say the least)

    Overview of the October 2014 Microsoft patches and their status.


    #AffectedContra Indications - KBKnown ExploitsMicrosoft rating(**)ISC rating(*)
    MS14-056 Cumulative Security Update for Internet Explorer (replaces MS14-052)
    Microsoft Windows, Internet Explorer
    CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4141, CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4140, CVE-2014-4141
    KB 2987107

    CVE-2014-4123 has been exploited.

    Exploitability: 1
    Critical Important
    MS14-057 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (replaces MS12-016)
    Microsoft Windows, Microsoft .NET Framework

    KB 3000414 No. Severity:Critical
    Exploitability: 2
    Critical Critical
    MS14-058 Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (replaces MS14-015)
    Microsoft Windows

    KB 3000061 Yes. Used in Limited Attacks Severity:Critical
    Exploitability: 0
    Critical Critical
    MS14-059 Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass 
    Microsoft Developer Tools

    KB 2990942

    Publicly disclosed,not

    Exploitability: 3
    Less Important Important
    MS14-060 Vulnerability in Windows OLE Could Allow Remote Code Execution  (replaces MS12-005)
    Microsoft Windows

    KB 3000869 yes. against powerpoint. See iSight disclosure. Severity:Important
    Exploitability: 0
    Critical Important
    MS14-061 Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (MS14-034, MS14-017)
    Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps

    KB 3000434 No. Severity:Important
    Exploitability: 1
    Critical Important
    MS14-062 Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (MS09-040)
    Microsoft Windows

    KB 2993254 publicly disclosed but not exploited. Severity:Important
    Exploitability: 1
    Important Important
    MS14-063 Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege 
    Microsoft Windows

    KB 2998579 No. Severity:Important
    Exploitability: 1
    Important Important


    We will update issues on this page for about a week or so as they evolve.
    We appreciate updates


  • Update 13 last update about Noodle attacks and what you should know for now

    official reference http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 here all the necessary official updates will be collected and published, this is the official reference for all technical information or the links to them for more information. For the moment there is NO information but normally that should change in the following hours (showing another effect of the going-alone attitude of Google in this)

    this is an older version of ssl but when a browser can't connect to the newer versions he falls back on this one which is already 15 years old and if you remember how malware and exploitcode writing has developed over the last 15 years than you will understand that such old code will be prone to all kinds of vulnerabilities

    so as long as browsers make it impossible to be (forced to) use this older and totally insecure protocol than we have now other solution than to patch and patch and patch

    when will the IT industry learn that someday we will have to throw definitely some code away and oblige people to upgrade or just say that it doesn't work anymore point final.

    well this is what Google has decided to do today - but I am not so sure that they have coordinated enough with the rest of the industry who doesn't seem so ready as in past discoveries which needed a vertical upgrade across the board of software and hardware.

    For the technical people, this is the issue (in normal terms : the encryption is too weak so it can be broken and if the encryption can be broken everything can be read and that includes authentification like passwords)

    "With block ciphers, we have a second problem: What if the block to be encrypted is too short? In this case, padding is used to make up for the missing data. Since the padding isn't really considered part of the message, it is not covered by the MAC (message authorization code) that verified message integrity.  So what does this mean in real live? The impact is similar to the BEAST attack. An attacker may either play MitM, or may be able to decrypt parts of a message if the attacker is able to inject data into the connection just like in the BEAST attack. The attack allows one to decrypt one byte at a time, if the attacker is able to inject messages right after that byte that include only padding https://isc.sans.edu

    "Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
    Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly
    http://googleonlinesecurity.blogspot.be/2014/10/this-poodle-bites-exploiting-ssl-30.html  (see more information later in this post)

    "Security experts said that hackers could steal browser "cookies" in "Poodle" attacks, potentially taking control of email, banking and social networking accounts

    In fact it is easier to do than the Beast attack and is in fact the practical realisation of some other theoretical attacks against the oldest versions of SSL which seem to take too many resources in the newer versions of SSL

    "This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie data. Unlike the BEAST attack, it doesn't require such extensive control of the format of the plaintext and thus is more practical.

    Fundamentally, the design flaw in SSL/TLS that allows this is the same as with Lucky13 and Vaudenay's two attacks: SSL got encryption and authentication the wrong way around – it authenticates before encrypting.


    " This code sends several requests to a target HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition in order to exploit this vulnerability. The attacker could then intercept this HTTPS traffic, and by exploiting a weakness in the CBC block cypher in SSL 3.0, could decrypt portions of the encrypted traffic (e.g. authentication cookies).

    So this means that when one authentificaties in for example Facebook and keeps it 'ALIVE' and then surfs to a vulnerable server that attacks the PC and than gets back to Facebook than the attack can start. So by NOT implementing KEEP ALIVE cookies. For this to work the attacker needs to send hundreds of transactions of handshakes but that the user won't see, things will maybe slow down but he will think that there are some problems on the server (even with a fake error message on his screen)

    they can do this with a middle in the man attack on the network or on the PC (while you connect to the internet or the PC)

    "Jeff Moss, a cyber adviser to the U.S. Department of Homeland Security, said attackers would need to launch a "man-in-the-middle" attack, placing themselves between victims and websites using approaches such as creating rogue WiFi "hotspots" in Internet cafes.

    Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, to be released on Nov. 25. (http://mzl.la/1DaxOwY).

    "SSL version 3.0 is no longer secure," Mozilla said on its blog. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."

    Microsoft Corp issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.

    Representatives with Apple Inc could not be reached. An Oracle Corp spokeswoman had no immediate comment.

    and how widespread can these attacks become ?

    "a non-trivial number of SSLv3 servers still exist and workarounds for the bugs mean that an attacker can convince a browser to use SSLv3 even when both the browser and server support a more recent version. Thus, this attack is widely applicable.

    will this update also give a solution to all the different attacks against online (Financial) service that make use of the fallback mechanism in which the browser (without even informing the users) is forced back to an unsecure older version of a 'secure' protocol so that the attacker can use proven code and methods to get the authentification détails before they are encrypted ?  It says it does (it has to pass the hackers and securityresearchers test although)

    "fallback behaviour is bad news. In fact, Bodo and I have a draft out for a mechanism to add a second, less bug-rusted mechanism to prevent it called TLS_FALLBACK_SCSV. Chrome and Google have implemented it since February this year and so connections from Chrome to Google are already protected. We are urging server operators and other browsers to implement it too. It doesn't just protect against this specific attack, it solves the fallback problem in general. For example, it stops attackers from downgrading TLS 1.2 to 1.1 and 1.0 and thus removing modern, AEAD ciphers from a connection. (Remember, everything less than TLS 1.2 with an AEAD mode is cryptographically broken.) There should soon be an updated OpenSSL version that supports it.

    this oversight for now

    Microsoft : publishes information how to stop ssl fallback behaviour

       In Internet Explorer you have to disable sslv3 support manually (or with a networkscript) even in version 11

       Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer

    You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Advanced Security settings in Internet Explorer.

    To change the default protocol version to be used for HTTPS requests, perform the following steps:

    1. On the Internet Explorer Tools menu, click Internet Options.
    2. In the Internet Options dialog box, click the Advanced tab.
    3. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
    4. Click OK.
    5. Exit and restart Internet Explorer.

    but  Internet Explorer 6 is broken but why the hell are you still using a version that is so buggy it can be hacked in over a minute

    Microsoft users should also connect reguarly to those two resources to secure their computer or to download free securitytools and upgrade their Windows (even if they are pirated they will get security updates)

    • Protect your PC

      We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

    • Keep Microsoft Software Updated

      Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

    Apple : No news

    Oracle : No news

    Google : only Chrome to Google services are secured, don't use another server, the rest will take MONTHS. ".
    In the coming months, we hope to remove support for SSL 3.0 completely from our client products" (see Googleblog)

    Servers on Opensll : No fallback patch yet

    Firefox : you have to wait untill the update of the 25th of NOVEMBER  (yeah)

    For the moment the Internet Storm center has tested the following

    You can test if your browser is vulnerable on this site https://www.poodletest.com/

    Unofficial patches to install

    For Chrome

    "I've just landed a patch on Chrome trunk that disables fallback to SSLv3 for all servers. This change will break things and so we don't feel that we can jump it straight to Chrome's stable channel. But we do hope to get it there within weeks and so buggy servers that currently function only because of SSLv3 fallback will need to be updated.

    Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)

    For firefox

    In Firefox you can go into about:config and set security.tls.version.min to 1. I expect that other browser vendors will publish similar instructions over the coming days.

    For server owners  (you won't have any IE 6.0 traffic anymore)

    As a server operator, it is possible to stop this attack by disabling SSLv3, or by disabling CBC-mode ciphers in SSLv3. However, the compatibility impact of this is unclear

    You can publish a message if you see that they are coming to your site with that very old browser in which you publish a link to upgrade their browser or to change their browser to Firefox or Chrome.

    You can test if your server is vulnerable here http://www.ssllabs.com (test a server)

    another test you can do with an openssl client 

    using the openssl client: (if it connects, it supports SSLv3)  penssl s_client -ssl3 -connect [your web server]:443 

    For Microsoft network managers

    Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Group Policy

    You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Turn Off Encryption Support Group Policy Object.

    1. Open Group Policy Management.
    2. Select the group policy object to modify, right click and select Edit.
    3. In the Group Policy Management Editor, browse to the following setting:

      Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> Advanced Page -> Turn Off Encryption Support

    4. Double-click the Turn off Encryption Support setting to edit the setting.
    5. Click Enabled.
    6. In the Options window, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2".
    7. Click OK.



    servers who want to pass to RC4 will find themselves the victims of other attacks so this is NOT a solution, you should finally start implementing a real stable secure encryption environment and configure it as such with security in mind and not the least secure visitor you can have to your site who would jeopardize the security of your users in the same way EBOLA does with humans

    Maybe it is time to give servers a certificate for the (in)security of their encryption and the way it is configured. Maybe it is time for proxy servers in networks to block access to totally insecure servers that we shouldn't let our users visit anymore for their own protection and that of our resources. That will make an impact on the server owners who will see much of their 'business traffic' fall and so become less interesting for advertisers (who could use the blocklists to see if that site is accessable to people with money (and that are people who work).

  • the up yours barricades in #hongkong

  • funrave.com hacked and data leaked online

    on pastebin

  • the definite guide about the complaints with the privacycommission against the hacking of 9lives.be

    First the FCCU has opened an investigation. This is a crminal investigation against the hacker. The only thing he can do is hide and run or try to negotiate some deal (but only with lower sentence) when he returns the data. Blackhat hackers are seldom hired in the industry and only when they have so many different compétences that they are very valuable. 
    They will collect all the possible data even the most small détails because it are the détails that gets hackers busted.

    Secondly the privacycommission has opened an investigation. This is normal because it has been in the press. In this investigation it will ask itself the following questions ?
    * which kind of data is lost and how was it lost ?  (this is not clear yet)
    * were all the victims informed of this ? (some say no on this forum)
    * was the data sufficiently protected ?  (according to the hacker the seeding of the data was not very strong and it was not encrypted)
    * was the application sufficiently secured and tested ? (well look at the versions and decide for yourself. If you are responsable for the data of 100.000 members than I am not sure you have been acting as a good housefather by not buying the paid licence that was updated)
    * did anybody send information about possible securityproblems and how were they handled by the network administrators, by the hosters and by the securitypeople of the network
    * was the server sufficiently secured ? (it is not sure that they came in by the application, they could also have used vulnerabilities on the server of the application
    * was the network secured enough ? this means is everything done to stop these kinds of attacks against my applications before they attack them (application firewall for example)
    *¨was there logging and monitoring and why didn't any alarms go off with the securitycenter that should be monitoring what is happening on the servers and the network ?
    * was the incident response sufficient when it became known or when the alarms started going off ?

    so if you see this will be a very interesting case and not only because of 9lives but because this touches a very fundamental question - especially in Belgium where everybody acts as if nobody is responsable for anything when shit happens - which part of the security should be taken care off by the hoster and which part by the applicationadmin and how should they work and interact together.

    Yoiu can file a complaint with the privacycommission by sending an email to commission@privacycommission.be and you mention that are or were a member of the 9lives community and that you want them to investigate what happened and who is responsable and what to do to make sure that this doesn't happen again

    You will get no money as long as your creditinformation or your EID information is not involved because the sums that would receive are there to compensate for all the administrative changes that you have to ask or to do

    But just as with the NMBS case it will force the major hosters in Belgium to take notice and to invest more in security for us and everybody else and that makes it a good thing even if it is only a small mail.

    This will probably not be an investigation or complaint against somebody and surely not against a volunteer (because in this case the commercial owner of the forum would be responsable to be irresponsable to use only unpaid volunteers to keep a forum with 30.000 daily visitors)

  • all critical windows stations should install the security updates as fast as NOW

    the reason is that there are several very critical zerodays that are or can be exploited by known or not yet known viruses. One is by the energybear or sandstorm worm that has received much press today because the firm had to keep quiet untill today

    "After the exploit was shared with Microsoft in early September, it was determined that the vulnerability is located in the Object Linking and Embedding (OLE) package manager and that it affects all versions of the Windows operating system from Vista Service Pack 2 to Windows 8.1, as well as Windows Server 2008 and 2012.

    "The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files," the iSight researchers said. "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources."

    Attackers can leverage this vulnerability to execute arbitrary code, but will need to trick users to open a specifically crafted file first by using social engineering techniques, something that was observed in this campaign.

  • the sandworm attack collects your certificates to become a trusted hacker in your network

    "Although iSight only has a small view of the number of victims targeted in the campaign, the victims include among others, the North Atlantic Treaty Organization, Ukrainian and European Union governments, energy and telecommunications firms, defense companies, as well as at least one academic in the US who was singled out for his focus on Ukrainian issues. The attackers also targeted attendees of this year’s GlobSec conference, a high-level national security gathering that attracts foreign ministers and other top leaders from Europe and elsewhere each year.


    It appears Sandworm is focused on nabbing documents and emails containing intelligence and diplomatic information about Ukraine, Russia and other topics of importance in the region. But it also attempts to steal SSL keys and code-signing certificates, which iSight says the attackers probably use to further their campaign and breach other systems.

    and we are not talking about some spammers or scriptkiddies these are targeted attacks against high value targets so you can not suppose that they are not going to do this, why wouldn't they if this was their main purpose of the attack, having access to the confidential and secret information that they were after in the first place

    with or without a certificate

    it makes it also much easier to infect other systems because your malware code is authentificated with a stolen certificate (and code seldom is signed by external institutions and it is seldom that you can see somewhere where it is installed and used)

    some other interesting information

    * the virus-attacker is known since 2008

    * it uses some process in powerpoint, so this is the entree point for the virus (some powerpoint files extremely popular with decisionmakers)

    * it wouldn't surprise me if the targeted western european government that is mentioned vaguely is Belgium because the European Union and NATO are also targeted so why shouldn't you attack also the government that is on the same networks ?

    * it is also interesting to note that they are talking about several European telecommunication firms ....


  • 7 million logins to dropbox hacked already a few thousand published (we have a list)

    the list is from the portions that are published on pastebin

    This is the accumulated list so far (6 postings) http://belsec.skynetblogs.be/hacked-dropbox-accounts-the-list-of-known-hacked-accounts.html they have already been downloaded more than 50.000 times so you can expect a lot of attacks against those addresses

    the hackers are publishing portions of the database from time to time depending if someone gives them a bitcoin or not (this is the first time that the crimecommunity can finance a dataleakage)


    As more BTC is donated , More pastebin pastes will appear
    To find them, simply search for "DROPBOX HACKED" and you
    will see any additional pastes as they are published.
    FIRST TEASER - [1] DROPBOX ACCOUNT Just to get things going...
    SEND BTC DONATIONS TO [redacted]
    there are rumours that downloaded data from those dropboxes are being sold or distributed but this is just rumour
    some other scriptkiddie is changing the passwords of the accounts that are published (using the password mentioned) but this will block the main user also out of the account
    "I am running a script to ``unhack'' dropbox accounts.

    I figure being locked out of your account is better than script kiddies snooping through your files.

    Don't donate to the script kiddy's bitcoin address, as the passwords leaked will not be valid for long.

     Password changed: benitaokagbue@hotmail.co

    Password changed: Benitesleo@hotmail.com

    Password changed: paulina@gmail.com

    Password changed: Benitez_ja@hotmail.com

    Password changed: Benitez11@hotmail.com
    Password changed: Benitez7288@hotmail.com
    Password changed: Beniteznadia@yahoo.com

    Dropbox says that third applications are responsable which is the same issue we had with snapchat. You are as secure as the connected services are ......

    They also said that they are asking those users to change their password ? So 7 million users have to change their password all of a sudden ?

  • ITAF.EU has no reponsability in the 9lives.be hacking debacle

    This is their official answer and it closes any issue one may have with them

    this leaves two to tango (hostbasket and the domain owners)

    the domain owner got the same questions

    so we are looking forward to his answers

  • privacycommission starts an investigation into the databreach of 9lives.be (and how to complain)

    It is confirmed that the Belgian privacycommission has opened an investigation into the databreach of 9lives.be

    hardly impossible not to do this

    and the second thing is

    it is confirmed that if you want to file a complaint (and we would say that this may have some impact as it will convince the Privacycommission that more action is needed and that this kind of thing may not happen again in this way if we are talking about such important social gateways on the web)

    you simply have to send an email to the privacycommission  commission@privacycommission.be 

    with the subject 


    Klacht hacking 9lives.be

    met je contactgegevens en dat je lid was van en dat je wilt dat de privacycommissie onderzoekt waarom je persoons- gegevens en het forum niet beter waren beveiligd


    each drop is important because together we can make waves....

  • who is responsable for 9lives.be (we are talking about the data of thousands of people)

    well who is hosting it (because the hoster has to install the necessary security - like a good housefather so it becomes more difficult to attack and hack the sites that are hosted on its servers that itself it secures permanently)

    and who owns the domainname 9lives.be ?

    well it is a firm so they have insurance if they get sued ..... should have ......

    but who is itaf.eu, let's look at the propaganda

    okay so there are two more firms who could be held responsable - the owner of the domainname and the firm that was held responsable

    we have posed them some questions and we are looking forward to their responses .... if any

    because some-one will be held responsable


  • hacked 9lives.be if this a sensible breach notification, than this is a makebelieve operation

    from the new forum http://naajn.be/forum/viewtopic.php?f=1&t=2&start=150

    well there were 100.000 members according to some resources but some say that they never got any notification

    if this would have been a serious hacker, the dataset would have been already sold and the data would already been in use, or added to some other datasets to make profiles of people (future victims)

    but according to this post the notification was only sent to the people who were subscribed to their mailing list, not everybody who was impacted and for which they had an emailaddress

    if this is so, than there may be problem with the breach notification because the breach notification according to the Belgian Privacycommission has to be done to everybody that is impacted within 48 hours (that is 100.000 people if the rumours are right)

    if it was only sent to the people subscribed to the mailinglist (and in the absence of much other information from the serviceprovider) one can doubt that they have done exactly what had to be done

  • Dutch cert informs Dutch sites that are in the listing of 42.000 hacked sites of Holdon security

    This is the declaration from the dutch cert

    "Gezamenlijk met de responsepartners van het NCSC worden betrokken partijen geïnformeerd over de mogelijk kwetsbare websites. Zo informeert partner SIDN, Stichting Internet Domeinregistratie Nederland, via de .nl-registrars de houders van de kwetsbare .nl-websites. Gelijktijdig informeert de Informatiebeveiligingsdienst voor gemeenten (IBD) betrokken gemeenten, SURFnet de aangesloten onderwijs- en onderzoeksinstellingen en het ministerie van Defensie de aan hen gelieerde organisaties.

    So the Dutch cert will inform together with the organisation responable for the .nl domain if they are on the list of the vulnerable and hacked (or just lost datasets) of Holdonsecurity (out of 42.000). Probably this was a number of sql injections

    It also informs the securityofficers of the schools, the cities and the organisations of Defense about its websites that were vulnerable (because this is in fact what they are saying, that websites of the Dutch defense were vulnerable and if they were vulnerable lost some datasets)

    Now the question is what the Belgian CERT will do for the .be domains ?

  • 1 million .nl passwords and emails were sold on the darkweb ? Check yours (and what is the Belgian CERT doing for the .be emails)

    Dit is de verklaring van de Nederlandse CERT

    Het Nationaal Cyber Security Centrum (NCSC) heeft van Hold Security de beschikking gekregen over de domeinnamen en e-mailadressen met een .nl-extensie. Hold Security gaf eerder via mediaberichten aan een dataset met 1,2 miljard inloggegevens wereldwijd verkregen te hebben, afkomstig van 420.000 kwetsbare websites. Vanuit haar coördinerende rol en CERT-taak heeft het NCSC direct na ontvangst van de gegevens actie ondernomen en licht samen met partners getroffen partijen in

    So out of a database of 1.2 billion data from hold on Security a million had an .nl emailaddress which made it clear that you have some connection to Holland

    you can check if yours is here https://emailcheck.xs4all.nl/

    this is why it is important that emailproviders like Yahoo and Google nationalise their domains so that instead of hundreds of millions generic .com emailaddresses it would be easier to identify those that belong to a certain country (and so a certain CERT). 

    It is not clear what the other CERTS are doing and it is not clear if the 42.000 hacked domains have been notified and if the generic domains are participating also (Google.com and Yahoo.com for example among many others)

    as we have said before when he made this press declaration, the firm doesn't have the right to keep that data, that data should have been transferred to the dataprotectors (the CERT and the other institution to set up a coordinated action to notify the victims and to block their accounts if necessary to limit the damages)

    they even set up an online form in which you could check if your personal logindetails were sold online or not (even if this may be very late as the information was made public in august and the 42.000 emptied

    but there are other questions

    * Holdon security said it was finding every week new datasets they were adding to their database, does this mean that the Dutch cert will receive new .nl logins if they find them ?

    * what happens with the data about the .nl people that Holdon security has - and that now has been officially recognized that they have ? Because they are holding on to illegal information they have from citizens who didn't give them the right to keep that data for themselves. If I interpret the privacy régulations that I didn't give them any right to collect and surely not to keep this information.

    And what is even more incredible is that they are asking money for it to check for me if my emailaddress is in the old and new datasets they are colleding

    Reminder : if we take all the datasets together that have been stolen the last 2 to 3 years than yes we arrive at nearly a billion (what is more I even know there are several older Datadumps online on TOR). But we should also mention some quality information with the information. If it is an old leak from 2011 than there is little you can do, if the leak is from last week, than there is a big problem and you can still do some things.

    at the other side, Holdon security has been the biggest lowhanging fruit on the internet, collecting all that data. I hope that their security is so strict and monitored that they can keep that information.

  • the hack of 9lives.be shows how important datadestruction is

    this is something that firms don't want to do ever

    destroy the data from people who didn't log in the last year

    or destroy the data from people that just ask for it because they prefer you do that

    or to publish what to do if you are family of the person and the person is dead and you want to keep a copy, mention that he or she is dead or destroy the data because it has no sense anymore

    destroying data over time will make many databreaches much smaller and less important

    at the other side it will make the job of the identifythieves easier because the dead wood is no longer in the database but these professional datathieves have enough other tools to clean their datasets - if it was only because those datasets are only worth some real money if they are cleaned wihich makes the datacleaning worthwhile

    DESTROY that data

    No logins for a year and just block the account or just destroy it

    and imagine how much less data you would have to backup, keep running on your servers, protect and transfer

    after the right to forget the duty to forget

  • what should people do who used 9lives.be and lost their data now ?

    First nor Telenet nor the FCCU has your data, it is still in the hands of the hacker and I am not sure that Telenet and the hacker will find an agreement and that he will be able to show the necessary forensic proof that he didn't copy or forward the data (and if he is a hacker how can he give sufficient proof that would be trustworthy)

    Secondly there is enough information of neglect on basis of which you could go to the Privacycommission and file an complaint so that there will be an investigation and at Telenet they will have the visit of some-one of the privacycommission who will go through every other private information they have and the security of the other databases they keep. This will probably oblige them to do the necessary investments and personnel changes.

    A complaint with Telenet for negligence with the privacycommission will also give the privacycommission the means to go to court for damages.

    Third you should change all your passwords that are the same or that sound like the one you have lost. Your emailaddress may be attacked also with spam and viruses.

  • hacker of 9lives.be is the most stupid hacker ever (in my view) and Telenet has the wrong priorities

    from De Morgen today

    he doesn't know that the Belgian computercrime law is very though and that the FCCU has very wide powers and that he can be convicted to many years because he can't show that his original intent was to show that he only wanted to show that there were securityproblems and he never intended to get any money from this hack

    Telenet and the FCCU should also put their priorities right because the first priority should be to get the data and if you have to negotiate with the hacker for that - than you should negotiate some deal to get the data back before he thinks that it all stinks and just dumps it or gets a deal he can't refuse.

    I remember the rex mundi negotations I did for half a million belgians who lost their data from VOO and the first interest was getting the data safe and not online, all the rest was at that time secondary. After that it is up for the FCCU to decide what to do but you can't compare this hacker to Rex Mundi who has really launched campaign against our country and was a real bounty-hacker.

  • 100.000 members of 9lives.be for sale with poorly protected passwords and website

    this tells it all

    the question is not if it is encrypted but how it is encrypted

    the Telenet website was running version Vbulletin 4.2 because they didn't want to pay for version 5

    and the site was updated the 1st of October but was in fact not ready for production because according to the users there were still an enormous number of bugs and even securityproblems

    op tweakers verchijnt de volgende commentaar op het bericht van de hack

    en in De Morgen staat volgend commentaar van Telenet

    and so what is this

  • it seems as if #snowden is desperate for attention while he should better shut up

    Now with a new film coming you shouldn't be surprised that superhero Snowden the symbol for his followers will be releasing new documents through his proxies (which we will examine as always) and will be making appearances from his safehome in superdemocracy Russia where the intelligence services are fully democratic and transparant and the democracy and libertyloving people are not fleeing to the West (or getting a second passport if they have the money for it so they can get out in time).

    so today he declared that the English intelligence services have no transparent overview or whatever of democratic control (by the way they never had also because of their primordial role in the second world war which gave them an auro that the CIA or NSA never had and because of their close cooperation (or even integration) with the US intelligence services since the second world war (when they asked for US help because of the deep (and later proven) infiltration of their services even at the highest level by the KGB at the time of the coming of age of the Cold war and the dissolution of the antiNazi alliance shortly after the second world war).  It was this postwar intelligence crisis in the UK, Canada and Australia which became the basis of the Echelon cooperation which in fact is the basis of the worldwide intelligence operations by the NSA and their Echelon partners which became public in 2000 (because of an investigation in 2000 by the European Parliament which ended without any results after the attacks of 9-11-2001) but are now put on public stage by Snowden.

    I would just like to say that less is more and that talking all the time about everything will let you say things that make no sense.

    If you would like to lose all public influence like Wikileaks have done over the last 2 years, you just continue like that from your Putin Safehaven.

    Even if your intelligence services have very few oversight (and they should have more to say the least) than they are not acting like the Russian and Chinese intelligence services which are an active part of the nearly total surveillance and suppression aparatus of the whole Spectrum of democratic opposition (supported by laws that could never be accepted here and were even at the height of 9-11 not even proposed in the US).

    as much as I do not agree with some of the operations by our national intelligence operations and as much as I would like them to be more transparant and self-critical (to be able to escape from a tunnelvision in which operations and technical possibilities become more important than the democratic values and the oversight one should place first) - I do not accept this criticism coming from some-one hiding in the autocratic surveillance state of Putin

    and as much as you may be right - by saying so from Putin country - you are making it harder for the democratic opposition in our countries (of which too many are still blindly following you waiting for every word you speak) to say exactly the same things

    and what you also don't understand from your cocoon is that just as 9/11 killed the enchelon invasion, the enormous Financial and military-terroristic capabilities from ISIS and the Russian military exponentialism and slavic ideology is changing the Framework of this discussion totally

    because if the western democracies (yep, up to some point) don't have access to enough intelligence about the terrorist threats and the military capabilities and intentions of the Russians, how are we going to defend ourselves or being sure that we have enough and the right kind of forces to do so ? And where will we get this kind of information and how can we be sure that his information is correct if it isn't checked with information from a number of other sources ?

    in case, you didn't notice, nobody sensible in Europe is asking anymore for breaking the cooperation with the intelligence services in the US and Echelon (by extension), the points of debate here are more the following (and this is not bad)

    * better protecting our own infrastructure, data and leaders against foreign surveillance whoever it may be

    * a better oversight of our own intelligence agencies and how they cooperate with other services without putting these in danger if the cooperation is essential for our national security

    * having a new and more transparant Framework in which intelligence agencies set up operations in each other countries or against targets of each other countries

    The advantage of these three action points is that they are crisis-resistant so that if a new major terrorist attack happens or more military incidents at Europe's eastern border with Russia occur we can still have a democratic and somewhat transparant Framework in which the intelligence agencies can continue to function (even in extra-ordinary times) and work together

    by the way, Snowden between all your words the last week you didn't explain one minute where are all the missing very important operational documents that also went missing

  • the twofold attacks on your personal information and pics have begun

    these are the two kinds of attacks that are beginning to gather interest as they seem to give good results

    source http://cyberwarzone.com/fappening-snappening-teached-us/

    so in the first case they create their own third service for example snapchat telling that they are giving a service the service itself doesn't provide for or making managing it more easily or integrating it with other online webservices

    but nobody really checks who are those hundres or thousands of external parties willing to connect to the service and use the API to acc