#regin, Belgacom and the #nsa and what we should know

It is always the same song in Belgium. Once there is an attack or hack, they file a complaint with the FCCU, as they should, and then they can't say anything more. The justice department, the FCCU and the CERT will need to set up some technical information exchange to make sure that technical information about (identified) hacks is distributed in time to other possible victims, if only to warn them that it can happen.

For the moment there isn't even a Federal Cybercrime or Cybersecurity Center under the prime minister that could organize that and take responsibility.

The Belgacom virus or #regin files (and the fact that some of the files are the same does not mean that the whole set is the same) were rumoured to be NATO secret level 3 and were afterwards said to have been handed over with other information to the BIPT. Some people in Belgium who should have known tell me they didn't, and were surprised to read in the newspaper that all critical infrastructure had been informed about the technical details of the attack and what to look out for in their firewalls and security appliances.

Belgacom repeats the same thing today.

So this leaves two questions. 

Either they are the same files and Belgacom has found them, cleaned them up and is sure that they didn't come back (even in their 2013 version). Then everything is fine for Belgacom and they just have to keep up the same vigilance and determination. But if Belgacom says that they are exactly the same files, then it has to say so clearly, so that there is no doubt whatsoever. They will probably say that they can't say this because it would 'interfere' with the investigation, which is stupid because we learn a lot more technical details about any other criminal investigation before the trial starts (if there is ever going to be a trial here).

SO BELGACOM, IS IT OR ISN'T IT? If it isn't, you know you will have to go rechecking, although as good security practice you would restart your checking anyway.

When are we going to get that information? I know a lot of people who are responsible for enormous networks and enormous sets of data who have no idea what the BIPT is talking about when it says that everybody has received the necessary information. Does this mean that all the banks, all the international organisations in Belgium, all the energy networks, all the governmental agencies that handle secret or important information were informed? All the ISPs and telecom operators?

SO BIPT, as more and more information is in the open and some of the files are now being found online and will be assembled in the near future, now that a whole community of people has started a hunt for them (they are certainly already on VirusTotal), when are you going to release more information? Or are there diplomatic or other reasons why that information can't be published? By not publishing it you confirm this.


#Regin and Belgacom what we know and what we don't

Some of the functions and protocols are explained in this earlier presentation at Hack.lu. It is also important here to read how one gets information from an internet-blocked computer (probably holding high-level information) to an internet-connected computer in a network. The extraction methods are also interesting because at Belgacom the extracted information was encrypted and for that reason went undetected, as encrypted traffic was perhaps trusted, just like in many networks, especially if it comes from inside the network.

We know that the Regin files described by Symantec are not complete and that they only have part of the full set of files.

Inside the Snowden files you find documentation about a bootkit that also works on Linux because it attacks the hardware and not the software on the machine. (This is why it is important to encrypt all the free space on your hard disk, so that nothing new can normally be installed on the machine, or not without alerting the security staff if you have installed those event loggers.)

So it is not clear at the moment whether there are Linux files somewhere. We know by now that it is not hard to take total control over the root and boot of a Linux server, and several viruses doing exactly that (and through USB on Apple machines) have done the rounds in the last couple of months.

We know that the Microsoft Regin files had several urgent updates (2008 - 2011), and we know that there were rumours about problems and infections, and uncertainty about the date of infection, well before the official date on which Microsoft officially said it was an infection, when they finally came to examine the troubled mail server. We know that the Regin files had a 32-bit version and a 64-bit version, and that from 2011 onwards many organisations and industries were moving to 64-bit only (to kill all the 32-bit viruses in one upgrade). This change also has an impact on access to the root and may explain the problems. The Snowden files mention 2008 as the date of penetration (which is also the date of the first set of files).

We know that the Regin files carried falsified Microsoft certificates or signatures on some files, and that where that wasn't possible they posed as a help file of an official Microsoft file in the kernel root and got access to the root through this help file, which had access to the kernel-root file. We know that at Belgacom they were talking about Microsoft-signed files. This in fact poses huge problems for Microsoft and the way in which it wants to certify the files that are written by Microsoft and certified by Microsoft.

We know that the Belgacom operation was an intelligence operation and that only very limited information was actually transferred, as the data files were small (which was astonishing). It could be that they had larger files at the start of the operation (to get a list of all the employees or of the infrastructure), but as nobody is sure about the date of the first infection there is no way to be sure. As the GRX routers for the GSM traffic throughout the BICS-Belgacom network were the target, we presume it was the metadata for certain high-profile GSM numbers that were on the terrorist target list. So it is no wonder that the software used in such an operation is built by spies for spies to be able to.... spy.



#regin if you are looking for the files to analyze

Well, there is a site that collects viruses and has some of the files.


This one: b269894f434657db2b15949641a67532



#regin some companies have a problem now with their name

Couldn't they do a Google search before choosing a name for the espionageware?


#regin it took 3 years to discover first versions (2008 - 2011)


It was re-analyzed yesterday as the news came out, but the creation date is March 2008.

Now look at this:

This is probably because there were problems with some files during a migration to windows7 or server windows8 (launched in 2009, but companies mostly wait 2 years before introducing a new system, and this shows why that is in fact a security problem).

And this is probably why it had to be replaced urgently by a newer version, as Symantec writes in its report: it is a DOS executable, and in Windows 7 access to the kernel was rewritten and limited, so all those files that before had unchecked access to the kernel (like in Linux :)) lost it..... and were sometimes analyzed. And this is also the reason that Belgacom started investigating its mail server, which was behaving strangely after an upgrade.


#regin Sophos saw some versions already in 2011

but not all the files

and on VirusTotal only 44 engines find them, and some (even big ones) don't


I think that for such important espionageware, antivirus companies that have some of the information but not all of it should work together. The whole is more than the sum of its parts.


year-old story of massive tapping and filtering of the internet by GCHQ comes back with Cable and Wireless

First, it is said that this series of articles is based upon new documents. It would be interesting to know what kind of documents. Do they come from Snowden, or from a part of his archive that is probably now in the hands of many more people than we can imagine? Or is there another source in the UK?

Secondly, it builds upon something that we already know. The 'Mastering the Internet' program and the role of GCHQ were already researched and written about a year ago.


This is one of the best articles if you want an overview; be sure to take your time reading it, because it is all legal according to British law, and the new British laws on intelligence will broaden these capabilities even further.

Now it seems that Cable and Wireless is one of the companies that worked closely with GCHQ to give it every possible means to filter and intercept as much information as possible. We are talking about petabytes of information.

Now Vodafone looks to have inherited the program when it bought Cable and Wireless, and it is not clear whether they are fully informed about the top-secret programs. In such big companies, such arrangements can also be made between people without the full knowledge of the hierarchy, which sometimes just doesn't want to know.

And as this is probably the case, everything you read in the article is a logical consequence of it. It is the same process when US firms work together with the NSA, or other telecom companies with their respective intelligence agencies.

The fear of missing something, and the absolute trust placed in technology to give you that (false) assurance, are sometimes much bigger than common sense and good intelligence strategies.


war of words in France about VUPEN

For the moment there are two strategies confronting each other in the debate about VUPEN (in France), the freewheeling seller of zero-day attack tools (which aren't yet covered by antivirus companies).

The military say that VUPEN has crossed the red line and that the 'problem' should be resolved soon, meaning that the French state with all its power will come crashing down on them. VUPEN understands that power and has announced that it will move its offices to Luxembourg and the US (probably because many of its biggest clients, like the NSA, are over there).

On the other side of the table are the spies and the cyber attackers/defenders, who say that in a war of shadows like this you can't let this kind of knowledge and these kinds of tools go to nations that could be your attackers some day (or are already attacking you).

This article in French is a really good read (use Google Translate): http://lexpansion.lexpress.fr/high-tech/les-mercenaires-de-la-cyberguerre


#ukraine the #maidan revolution by those who survived it

They were wise enough to organize elections and to have a real democracy a year later.

Meanwhile, many of these #maidan defense units have since been fighting and dying in the Donbass against the Russian invaders.

But Ukraine has found its unity, its history and its future again.

Not all the people in the documentary are as 'nice' and democratic as we would like them to be, but in the face of death and violence you don't ask the political opinions of the person fighting next to you; that is for afterwards (and the elections have reduced the influence of the right-wing radicals to minimal proportions).

Even if Putin wanted it otherwise and hoped they would win by a bigger margin or gain a majority because of his incursions and permanent bombardments.


the most beautiful attack-art of digital attacks against the US (you couldn't make it up)


and another one


more mediawar than war during first day of protests in Belgium

First, the riots during the first big demonstration in Brussels were the result of two unforeseen factors:

* The riots broke out at the beginning of the demonstration and not at the end of it, as every playbook says and as has always been the case in Belgium. This made it extremely hard for the police to intervene 'en force'.

* As there had been no big riots in Belgium for the last 20 years, neither the police nor the organizers had planned for this, because the probability of such riots was minimal. What both didn't really understand (like the media) is how angry people are over here, and that some people want to show this in some particular (but unacceptable) way..... For the last three weeks we have been bombarded daily with bad news for people who earn their wages from working.

This was also the reason that there was no real internal 'service d'ordre' that could isolate such elements, coordinate with the police, try to push back onlookers and keep a distance between the demonstration and the riots.

So since then the governmental parties and the media have kept up the pressure, making it sound as if we are heading for some kind of civil war, with rumours without any substance about hooligans from Holland coming over and other hardened groups coming to Antwerp. The NVA mayor has mobilized all possible police forces and is anxiously awaiting the first incident 'to intervene', as he has declared in the press.

And the media went along with it, with some so-called political analysts playing megaphone.

And comments in other papers along the lines of: everything is calm, but for how long, when will the street battles begin?

How sad they will be that the whole of the big industrialised Port of Antwerp and other industrial zones are going almost totally down, blocked where they should be blocked (at the entrance), and that there will be no riots (if everything goes to plan), unless De Wever sends his troops to clear the streets and break the strike.

He has set a trap for the unions in Antwerp (demonstrate and I will intervene with all my forces after the first stone) but there is now a trap for him (you have all those forces and we are blocking everything that is economically important in Antwerp, so come and show that you want to break a strike).

At the end of the day we will know who won, or whether it is just a 'remise' (a draw, as in chess).

We will have another 4 days of strikes before the holidays.

The media and the public officials should tone down their war talk. There is no war; there is a show of force and determination. War is in Ukraine. That is war. Every day for a year now.



this is why financial and governmental institutions need a protected range of phone numbers

"Pindrop Security today warned financial institutions and their customers about a telephone scam they've dubbed the "misdial trap."


Fraudsters buy phone numbers similar to legitimate businesses, and pose as that business's customer service line when customers misdial -- not unlike how some fraudsters buy domain names similar to legitimate online businesses and create sites that mimic them, according to Pindrop.


The numbers fraudsters typically choose will have the same first six digits as the legitimate business, with only the final digit changed, or they will have the same seven-digit number but a different area code -- a toll-free number area code, for example. When they hook a customer, they pretend they are customer service for the company in question and request sensitive data from customers -- sometimes offering a free gift card in exchange.


Some 103 of the 600 financial institutions examined by Pindrop Security were affected by the misdial trap."

Just as domain names should be forbidden from including the household names of banks and other financial services if they aren't operated by them (like Mastercard, Dexia, etc....).

Otherwise the problem of vishing (phishing by phone) will only increase.

But don't forget that with VoIP it is possible to hijack or impersonate numbers, because the only thing it takes is a server online (which will disappear once the money is taken).
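As an added example (not code from the original post or from Pindrop), the script below turns the two misdial patterns the Pindrop article describes into something a bank's fraud team can act on: it enumerates the "misdial neighbourhood" of the numbers the institution really operates (same first six digits with the last digit changed, or the same seven digits under a toll-free area code), so those numbers can be registered or watched, and it classifies an observed number as legitimate, a near-miss or unrelated. The 10-digit number format, the list of toll-free area codes and the sample bank numbers are assumptions of the example; the sample numbers are constructed.

```python
import re

# Assumed toll-free area codes for the "different area code" variant.
TOLL_FREE_AREA_CODES = ("800", "833", "844", "855", "866", "877", "888")

# Constructed sample: the numbers a (fictional) bank actually operates.
SAMPLE_PROTECTED = ["+1 (212) 555-0100", "800-555-0199"]


def normalize(number):
    """Strip punctuation and an optional leading country code 1; expect 10 digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("not a 10-digit number: %r" % number)
    return digits


def last_digit_variants(number):
    """Pattern 1: same area code and first six subscriber digits, last digit changed."""
    n = normalize(number)
    return {n[:-1] + d for d in "0123456789" if d != n[-1]}


def area_code_variants(number, area_codes=TOLL_FREE_AREA_CODES):
    """Pattern 2: same seven-digit subscriber number under another (toll-free) area code."""
    n = normalize(number)
    return {ac + n[3:] for ac in area_codes if ac != n[:3]}


def misdial_neighbourhood(protected):
    """Every number one misdial away from any protected number (excluding the real ones)."""
    neighbourhood = set()
    for p in protected:
        neighbourhood |= last_digit_variants(p)
        neighbourhood |= area_code_variants(p)
    return neighbourhood - {normalize(p) for p in protected}


def classify(observed, protected):
    """Label an observed number relative to the institution's real numbers."""
    n = normalize(observed)
    legit = {normalize(p) for p in protected}
    if n in legit:
        return "legitimate"
    for p in legit:
        if n[:9] == p[:9]:
            return "near-miss: last digit"
        if n[3:] == p[3:]:
            return "near-miss: area code"
    return "unrelated"


if __name__ == "__main__":
    watch = misdial_neighbourhood(SAMPLE_PROTECTED)
    print("%d numbers to register or monitor" % len(watch))
    for candidate in ("212-555-0101", "888-555-0100", "212-555-0100", "312-555-9999"):
        print(candidate, "->", classify(candidate, SAMPLE_PROTECTED))
```

The neighbourhood is small (nine last-digit variants plus one per alternative area code, per protected number), which is why registering those numbers yourself, as the post argues for a protected range, is cheap compared with cleaning up after a vishing campaign.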


#regin where does it come from and did it target Belgacom ?

First, look at the countries that are NOT in this table.

Then, which countries are NOT in that list?

And which countries are enormously interested in what passes through mobile towers and phone companies?

Belgacom and some other telephone companies may have some scanning to do, just to be sure that they aren't affected. Belgacom is very interesting for a spy because it has so many telephone firms and alliances in so many countries, a few of which are very interesting for any espionage agency that follows presumed or real terrorists and their networks and supporters.



#regin is a perfect example of why espionageware attacks are 'OPERATIONS'

They are not the one-in-and-out attack.

They are deliberate operations consisting of different stages, whose only goal is to get information on a long-term basis with all the necessary rights, and in which it is paramount not to be discovered too fast and to have enough backdoors to get the information out without being discovered.

It is just like an espionage operation, nothing more, nothing less.

1. You drop a file on the computer and wait to see whether it passes the defenses and virus analyses, and whether the user has enough rights to install it (that is why installing files should be the exception for users, not the rule).

2. Then you unpack the files that are in the dropper and start loading them at the next startup, after which it drops its files in the kernel so that they won't be seen by the antivirus (or only very rarely).

3. You start looking at the user's files, passwords, connections and routines, and you start working.

The definition of the process by Symantec is a perfect description of an espionage operation:

"As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage.  Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages.  Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat."


This is why I personally think that security people in highly confidential and strategic networks should read and learn more about espionage and espionage operations.

This is no different.

Probably it was even made by an espionage agency, by people who are programmers but who are trained as spies, think like spies and have the same goals, strategies and reflexes as spies.

And so my last quote just proves my case: it is espionageware written by spies for spies.

"What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.

“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. Lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.”

http://fortune.com/2014/11/23/regin-malware-surveillance/...

This is nothing other than an operation: an intelligence operation.


#regin these are the md5 files and the discovery rates of Virustotal (and some thoughts)

And this explains why some of them still went undetected on the 52 security tools that analyzed them 3 hours ago.

* https://www.virustotal.com/nl/file/7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926/analysis/ : 30 detections

* https://www.virustotal.com/nl/file/40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b/analysis/ : 37 detections

* https://www.virustotal.com/nl/file/a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe/analysis/ : 28/43 detections, 3 years 4 months ago (2011)

* https://www.virustotal.com/nl/file/f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e/analysis/ : 4/42 detections, 2 years ago

* https://www.virustotal.com/nl/file/9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f/analysis/ : 23/48 detections, 1 year ago

And there are more of them, but we can conclude the following:

Because the antivirus and security industry doesn't work together, gives different names to the same viruses and doesn't exchange technical information, it takes years to get the full picture. So even if some of the files of the virus were found to be malicious, not all the files were found to be malicious, and certainly not by all the security programs at the same time.

It also means that we have to change the general perception of an antivirus. People just install an antivirus and then look whether it finds viruses (normally it does), and then sometimes make some general report about it, but don't analyse what it is, what the consequences are of the file or virus having been found on a server or a PC, and whether there are other files, traffic or behaviour on that machine that have to be investigated and integrated into the report.

It is intelligent analysis that will make the difference in high-value environments, not just putting machine after machine after machine in place and hoping that will do the trick.
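The post's point is that per-file, per-engine verdicts only become useful once you look at the whole set of files together: vendors name the same family differently, and an engine that flags one file of the family may report another one clean. The script below is an added example (not code from the original post, VirusTotal or any vendor) of that campaign-level view: it normalises vendor verdict strings to a family token, computes each file's detection ratio, lists the files that fall below a coverage threshold, and points out which engines already "know" the family yet missed a given file. The engine names, verdict strings and clean/detected results are constructed for the example; only the three file hashes are the SHA256 values listed in the post, and the verdicts attached to them here are invented, not their real scan results.

```python
import re
from collections import Counter

# Tokens that describe a type or platform rather than a family name.
GENERIC_TOKENS = {
    "trojan", "backdoor", "win32", "w32", "win64", "gen", "generic", "variant",
    "malware", "agent", "heur", "suspicious", "tr", "pak",
}

# Constructed sample scans: engine names are placeholders and the verdict strings
# are made up to mimic vendor naming differences; None means "reported clean".
# Hashes are the SHA256 values from the post; the verdicts are NOT their real results.
SAMPLE_SCANS = {
    "7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926": {
        "EngineA": "Backdoor.Regin",
        "EngineB": "Trojan.Win32.Regin.a",
        "EngineC": "Gen:Variant.Regin.3",
        "EngineD": None,
    },
    "f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e": {
        "EngineA": None,
        "EngineB": "Trojan.Win32.Regin.b",
        "EngineC": None,
        "EngineD": None,
    },
    "9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f": {
        "EngineA": "Backdoor.Regin",
        "EngineB": None,
        "EngineC": "W32/Regin.B!tr",
        "EngineD": "Heur.Suspicious",
    },
}


def family_of(verdict):
    """Best-effort family token from a vendor verdict string; None if only generic words."""
    if not verdict:
        return None
    for tok in re.split(r"[^A-Za-z0-9]+", verdict):
        t = tok.lower()
        if len(t) < 3 or t.isdigit() or t in GENERIC_TOKENS:
            continue
        return t
    return None


def summarize_file(scan):
    """Detection ratio and the family most engines agree on for one file."""
    hits = {e: v for e, v in scan.items() if v}
    families = Counter(f for f in map(family_of, hits.values()) if f)
    consensus = families.most_common(1)[0][0] if families else None
    return {"detected": len(hits), "engines": len(scan),
            "ratio": "%d/%d" % (len(hits), len(scan)), "family": consensus}


def campaign_view(scans, min_ratio=0.5):
    """Look at all files of a campaign together instead of one scan at a time."""
    per_file = {h: summarize_file(s) for h, s in scans.items()}
    families = {s["family"] for s in per_file.values() if s["family"]}
    under = [h for h, s in per_file.items() if s["detected"] / s["engines"] < min_ratio]
    # Engines that named the family on at least one file but reported another file clean:
    # these are the gaps the post describes, where the vendor has part of the picture.
    inconsistent = {}
    for fam in families:
        knows = {e for s in scans.values() for e, v in s.items() if family_of(v) == fam}
        for h, s in scans.items():
            missed = sorted(e for e in knows if not s.get(e))
            if missed:
                inconsistent[h] = missed
    return {"files": per_file, "families": sorted(families),
            "under_detected": under, "inconsistent_engines": inconsistent}


if __name__ == "__main__":
    view = campaign_view(SAMPLE_SCANS)
    for h, s in view["files"].items():
        print(h[:12], s["ratio"], s["family"])
    print("families seen:", view["families"])
    print("under-detected files:", [h[:12] for h in view["under_detected"]])
    for h, engines in view["inconsistent_engines"].items():
        print(h[:12], "missed by engines that know the family:", engines)
```

Run against the constructed sample, the second file is flagged as under-detected (1/4) even though two other engines in the same set already identify the family on sibling files, which is exactly the situation the post complains about: a single per-file report would show "one detection, probably noise", while the campaign view says "known family, this file is part of it, go look at the machine".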


federal legislation of the past year may be unconstitutional

""The Belgian constitution does not provide for a sitting king to abdicate the throne, and thus for a successor to take over while the king in office is still alive", constitutional specialist Ghysels explains. According to him, King Filip is therefore sitting on the throne unconstitutionally. That naturally also brings a lot of consequences with it, the jurist warns. "Strictly speaking, all decrees signed by King Filip, who did not become king constitutionally, are invalid."

This means that the federal security centre cannot be established and that its directors cannot be appointed, but there are 1500 other legal decrees like that at the federal level (the king no longer signs the regional decrees).

It is therefore extremely urgent that clarity be created on this before it comes before a court and some judge or other finds it necessary to go along with this, even partially, and forgets that the law is based not only on formalistic rules but on extremely important principles such as ensuring public service.


why the new TOR drugmarket Evolution is even more advanced than Silk Road

"Evolution doesn’t just offer an escrow, but also takes advantage of a more advanced feature built into bitcoin known as multi-signature transactions. That feature is designed to prevent both scams and seizure of escrow funds by law enforcement. It requires two out of three parties—the buyer, the user, and the site itself—to sign off on a deal before the escrowed bitcoins can be transferred. Evolution has also had much faster pageload times than competitors, most of whom run painfully slowly thanks to Tor’s process of routing web traffic among randomly chosen computers around the world. (Just how Evolution managed those speeds despite running on Tor itself isn’t clear.) And it has been online far more reliably: The website Darknet Stats counts Evolution as online 97 percent of the time, compared with 83 percent for Agora and 93.5 percent for Silk Road 2 at last check in September.

I think the Achilles heel of Evolution is how they arrive at these speeds, because it may be that not all traffic is as Tor-protected as it should be, or they have invested enormous money in SSL accelerators and other hardware on their servers.

The protection given to the bitcoins shows that not all bitcoins are equal and that some are not even that anonymous; it all depends on how they configure it, and that is something the receiver of bitcoins doesn't always have any control over.
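The quoted article says the escrow needs two of three parties (buyer, the user, which here presumably means the vendor, and the site) to sign before the coins move, and that this is what protects the escrow against both scams and a seizure of the site's key. The block below is an added example (not code from the original post or from Wired, and not Bitcoin script) that models that 2-of-3 release policy so the property can be checked: every party signs the same transaction description with its own key, and release is allowed only when at least two distinct parties' signatures verify. Signatures are a toy HMAC-SHA256 construction with shared keys, standing in for the ECDSA signatures a real multi-signature transaction uses; the party names, the transaction text and the scenarios are constructed for the example.

```python
import hashlib
import hmac
import secrets

# The three escrow keyholders; the article's "user" is taken to be the vendor.
PARTIES = ("buyer", "vendor", "market")
THRESHOLD = 2  # 2-of-3


def make_keys():
    """One fresh 256-bit key per party (toy stand-in for a real keypair)."""
    return {p: secrets.token_bytes(32) for p in PARTIES}


def sign(key, message):
    """Toy signature: HMAC-SHA256 over the exact transaction bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, signature):
    return hmac.compare_digest(sign(key, message), signature)


def release_allowed(message, signatures, keys, threshold=THRESHOLD):
    """Apply the m-of-n policy: count distinct parties whose signature verifies.

    signatures: {party_name: signature_bytes} as presented by whoever wants the
    coins released. A signature under the wrong party label, a forged
    signature, or a signature over a different transaction does not count.
    """
    valid = sorted(
        p for p, s in signatures.items()
        if p in keys and verify(keys[p], message, s)
    )
    return len(valid) >= threshold, valid


def run_scenarios():
    """Constructed scenarios showing who can and cannot move the escrowed coins."""
    keys = make_keys()
    tx = b"release 1.5 BTC from escrow to vendor for order CONSTRUCTED-42"
    sigs = {p: sign(k, tx) for p, k in keys.items()}
    return {
        # normal completed sale: buyer and vendor agree
        "buyer+vendor": release_allowed(tx, {"buyer": sigs["buyer"], "vendor": sigs["vendor"]}, keys)[0],
        # dispute resolved by the site in the buyer's favour
        "buyer+market": release_allowed(tx, {"buyer": sigs["buyer"], "market": sigs["market"]}, keys)[0],
        # whoever holds only the site's key (site itself, or a seizure) cannot move funds
        "market alone": release_allowed(tx, {"market": sigs["market"]}, keys)[0],
        # vendor presents its own signature under the buyer's name: counts once, not twice
        "vendor relabelled as buyer": release_allowed(tx, {"vendor": sigs["vendor"], "buyer": sigs["vendor"]}, keys)[0],
        # vendor tries to forge the buyer's signature with its own key
        "vendor forges buyer": release_allowed(tx, {"vendor": sigs["vendor"], "buyer": sign(keys["vendor"], tx)}, keys)[0],
        # two valid signatures replayed against a different transaction
        "replayed on other tx": release_allowed(b"release 1.5 BTC to vendor for order OTHER", {"buyer": sigs["buyer"], "vendor": sigs["vendor"]}, keys)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print("%-28s %s" % (name, "RELEASE" if allowed else "denied"))
```

The scenario that matters for the article's claim is "market alone": the site's key on its own, whether used by the operators or by whoever seized the server, is not enough, which is the whole reason such escrows are harder to scam or confiscate than a single-key wallet held by the market.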


openbank.ru hacked and leaked?

Find the link on my Twitter account.

Some hacktivists are hacking and leaking gigabytes of information every month, but without all the press attention that others got.


new anonymous posting or blogging forum

Here: http://www.thethoughtcrate.com/


the first lesson Belgian insurance companies should learn is IT security and not getting hacked

This is their blablablablabla:

And on the same site, this is the real reality of Belgian insurance companies and websites online (and no one is really responsible for checking their security for the moment).
