11/22/2014

the Russian hacker showing thousands of unprotected webcams is looking for a job

he is in all the IT blogs and news magazines all over the world

thousands or millions of people are visiting his site

regretting they didn't change the default password of their camera and didn't encrypt the stream when it leaves the house (imagine a smart TV with a camera facing the room)

but hey, does he get your attention? He is just looking for a job


a very honest 404 error page


11/21/2014

happy birthday to #Euromaidan while the Ukrainian Mad Max are still fighting the invading Russians

it looks like a Mad Max car if you ask me; they made it themselves in the factory based on battlefield experience

meanwhile at Euromaidan people are now remembering the fallen hundred and the people they lost there

 

We have hundreds of postings about Kiev, Maidan and Ukraine; they are all here in chronological order

and this is when it all began for us: we started to take notice, and from that moment on we were hooked and chose our side, that of the people, for the people and by the people (in all there are about 800 postings about Ukraine since then). Several times our front page was even changed to show the importance of the burning tyres resisting the attacks every night or the invading Russian tanks that have been coming without end the last months.

we also have a tweet list about Ukraine, and in our main tweet feed Ukraine is always on our mind (and in our eye). We always keep a close watch on what is happening on this new front for democracy.

and this was one of the first barricades to appear in Kiev

and this is how it ended: when even snipers couldn't end the protest after killing a hundred people and wounding several hundred, they fled and the regime with them

and for a year now they have had military battles with defeats and successes, two elections and a lot of support but not enough of it, and yet after one year Putin only occupies 5% of the territory and hasn't accomplished his strategic goal.... or not yet

but if anybody had told us that one year ago, nobody would have believed it was possible


After the DDoS on game networks, here are the stolen passwords (Belgians among them)

First there were the big DDoS attacks, but these were only the diversion. The real goal was to penetrate and steal passwords and other things while all the staff were busy trying to keep the network up and the security tools were being overwhelmed, downgraded or simply put on hold to make sure the traffic passed fast enough

this is nothing new

it has been done before by hackers and is in fact a very old military tactic

now there are thousands of logins (and some are from Belgians)

Dear Internet, the following is a very small portion of Lord Gaben and the rest of his crew's glorious raids across the high seas of the Internet.

Portions of our raids include:
  • 2K Gaming studio user credentials
  • Windows Live Email user credentials
  • PlayStation Network user credentials

These usernames are bestowed upon you in the humble name of Derp.

@DerpTrolling - @GabenTheLord - @UGLegion

Let this be a warning to all.

Nothing is safe from Derp

http://pastebin.com/WVzviPyp


9lives - an answer from the Privacy Commission (and a few thoughts)

This is the letter I received from the Privacy Commission: 9lilves1.PNG

9lives2.PNG

a few remarkable things

First, these are all the postings we did about 9lives

1. Telenet can NOT say beyond doubt which data were copied, which indicates that the logging of its database is limited, while much more professional software exists that lets you know which data from which columns of the database were stolen (and in fact even makes that impossible). Of course, if you want to work as cheaply as possible without spending money, you cannot expect to have much information.

2. Not everyone was informed, because the hacker probably did not only copy the data, as Telenet did, but also destroyed it. How else is it possible that Telenet says in the same letter that it could not warn people personally because it no longer had a backup? You only need a backup if you no longer have the original. It also raises the question of what else the hacker may have destroyed, logs for example? This also explains why the 48-hour breach notification rules were not respected towards a number of people.

3. We stand by our position that the software used did have vulnerabilities, because it was NOT the paid, maintained software but the free version, which had not been maintained for quite some time and for which exploits could be found with a simple search on the internet. And we are talking here about only 400 dollars; all this misery is simply not worth that. I too am in favour of open-source software, but we almost always take paid or supported versions when important data are involved.

The Privacy Commission only notes that Telenet denies this. I don't understand this. It is so obvious.

By the way, what is this? "Because of the investigation Telenet could not access the site's servers for a week, but has meanwhile found a solution. The leak reportedly was in software from an external supplier, but Telenet solved the problem itself." http://www.demorgen.be/technologie/telenet-zet-gehackte-g... So there was a leak or a vulnerability after all; where it comes from does not matter, you remain just as responsible for your platform.

4. The Privacy Commission did not continue its investigation so as not to hinder the judicial investigation, but these are in fact two totally different matters, and perhaps the FCCU and the Privacy Commission should make some arrangements about this. The FCCU can perfectly well work on the basis of a copy while the Privacy Commission continues its 'analysis of the facts'. The goal of the FCCU is to find the perpetrator when only the company has filed a complaint. If users or their representatives were to file a complaint against Telenet and 9lives, then it must also investigate whether all necessary measures were taken. In the future it should perhaps be assisted in this by specialists who ask the right questions and can also evaluate the answers technically. The software may be secure but

And to conclude, we can simply note that this oh-so-secure 9lives server, after its secure restart, used such insecure encryption and certificates that the number of attack possibilities was still large enough.

Another reason why it is so important for the Privacy Commission to take up the 9lives investigation again is to point out to the hosting sector that they too have certain responsibilities and must provide more security for their servers, hosting platforms, networks and firewalls, regardless of the responsibilities of the owners of the websites themselves.


11/20/2014

detect espionageware on your computer with this new tool

espionageware is not ordinary spyware: it is used to follow your political information and your political friends, while spyware just wants to make some bucks regardless of your political views

'Detekt is a very useful tool that can uncover the presence of some commonly used spyware on a computer, however it cannot detect all surveillance software. In addition, companies that develop the spyware will probably react fast to update their products to ensure they avoid detection.

This is why we are encouraging security researchers in the open-source community to help the organizations behind this project to identify additional spyware or new versions to help Detekt keep up to date. Contact information is available here.

It is important to underline that if Detekt does not find trace of spyware on a computer, it does not necessarily mean that none is present. Rather than provide a conclusive guarantee to activists that their computer is infected, our hope is that Detekt will help raise awareness of the use of such spyware by governments and will make activists more vigilant to this threat.
http://www.amnesty.org/en/news/detekt-new-tool-against-go...

you can find the tool here : https://resistsurveillance.org/


Mensura leak: ACV asks the government and the social partners to take action immediately

it is the first time after so many leaks that a trade union openly commits itself to the privacy rights of employees and makes room for it in the social dialogue

For the first time a major labour union in Belgium has understood that the privacy rights of its members have a place in the social negotiations they hold at the national level. In ten years of security activism this is really the first time, and a major change.

-----------------------------------------------------------------------------------------------------------------------------------

Privacy of hundreds of Belgian employees seriously harmed by the Mensura leaks
ACV asks for the immediate creation of a task force

Hackers gained access to part of the data of Mensura's medical check-up service. They thus obtained the identity data of hundreds of employees, including their national register number. The remarks the employer concerned had passed on to Mensura about the employee were also taken: indications about their state of health, but sometimes also about their behaviour in the company, remarks about their family, pregnancies, number of sick days, incidents in the company, evaluation interviews, activities on social media, ...

After a failed blackmail attempt against Mensura, the hackers put part of these files online. As a result these files are freely available on the internet and have meanwhile been downloaded hundreds of times. The privacy rights of the employees concerned are thereby seriously harmed. These data threaten to follow them on the internet forever.

Contrary to the code of conduct, Mensura only disclosed this incident after it was reported on an IT blog. So far Mensura has only notified the employers concerned of this leak, not the employees concerned. These are often still unaware. Yet Mensura has the precise address details of the employees concerned and all the personal data about these employees that were leaked. Mensura asked the employers to inform the victims, the employees, in their turn. It is very much the question whether all employers will inform the employees concerned, and also pass on the information the employer provided to Mensura. The nature of those comments puts some employers in a rather embarrassing position.

We ask that Mensura inform all employees concerned without delay about which information was stolen. This is the application of the rules of the Privacy Commission. So far the hackers have published only part of the stolen information. Employees have the right to know which personal information about themselves has ended up in the hands of criminals.

ACV asks Minister of Justice Geens, Minister of Work Peeters and the Secretary of State responsible for Privacy, Tommelein, to immediately set up a task force with the social partners and the Federal Computer Crime Unit to tackle this crisis situation and to undo the consequences for all employees concerned as quickly as possible. This task force must also hold a thorough debate on the way sensitive information is stored and exchanged. In the context of the introduction of the medical ankle bracelet (medische enkelband), the importance of clear and good arrangements cannot be underestimated.

The regulations should also be adapted so that employees get access to the data about them that is provided to third parties in application of labour law. The rights of employees to their personal information when they become victims of incidents must be written into legislation and made enforceable.


answer from the Privacy Commission about my complaint against Mensura (please sit down)

otherwise you will have to sit down anyway, because this really beats everything

it was a complaint because Mensura also holds my data

and of course the Commission has already contacted Mensura

so what

what has it done with that

what happens to my complaint

do I now really have to go to court to file a complaint for irresponsible behaviour and non-compliance with the Privacy Commission's own guidelines on data protection of January 2013?

the people at Mensura must be laughing

no fine, no reprimand, a bit of press but that will pass (as long as none of their big clients goes to court, and even then it takes a few years) and meanwhile we just carry on, and next time (then we will just pay, then we are rid of all the hassle we have had now, and we can tell everyone who was against paying that they had better have paid, because we have never had this much hassle and it has cost us a lot more money)

privacycommissie-mensura.PNG


Update 2: re-leak by Rex Mundi (pizza domino.fr)

Rex Mundi said he was looking at some new targets yesterday

so we published an alert for the financial, HRM and ISP sectors

today he is publishing a file claiming to come from pizzadomino.be/fr ----- NO, they retract: it is their old file

they say that they have also hacked the NL database. Maybe the database is shared with France, or Domino's Pizza's back office is one big mess, but so what....

I need confirmation or more proof to announce the Belgian dominopizza.be as officially hacked and leaked

now pizzadomino.fr was hacked (with a file of half a million people, now disappeared again)

but there is something strange with that file: there are French addresses in it (out of 3000 addresses in total) among Belgian addresses, and the biggest bunch can't be localised

the passwords are hashed and salted, so I don't see the big security problem in this one for the moment, except that you have some mobile numbers and some email addresses together, which make a fine combination for a combined attack

it also shows why big data is a big risk and why you should never keep data that is old

tweets

@mailforlen Just 2 b clear, this data is from our old hack. On the same server, Domino's had 3 DBs: FR, Be-FR and Be-NL

@mailforlen Yes, as we said, this one is from the French-speaking version of the Belgian website of Domino's. We also have NL version.


security marketeers are abusing the Easypay and Mensura database... phishers may follow

Do not

* click on links sent in mails about your data in the Easypay and Mensura database (especially if you are not in the public database of 1100 out of the 32,000)

* respond to these emails without thinking twice. It is a very lousy marketing practice that doesn't show a clear sense of ethics. Either they are desperate (and any security firm that is desperate nowadays is doing something terribly wrong, because it is a booming business) or they are just money grabbers out for an opportunity

* I am not sure of it, but I think the use of stolen data, even published data, for marketing purposes may be something the Privacy Commission doesn't like (because the purpose is to get that data OFF the internet and not into as many databases and email lists as possible.....)

I hope that everybody keeps calm, does the things you know you should be doing (and that don't cost any money, like changing passwords), and goes to real professionals with clear business and professional ethics for solutions to the problems you seem to have discovered only now (two-factor authentication being one of them, centralised logging another, a WAF and security checks another, encryption and so on)

if you receive such an email

commission@privacycommission.com is where you can also file a complaint about the way things are going

you also have the right to file a complaint, if you are a bigger customer, at the local court (maybe some of the bigger ones should do this, to send a clear message to all their other outsourced service providers that they had better take data security seriously)

there is already enough evidence on this blog of all the reasons why the best principles weren't followed before, during and after the incident

I filed a complaint against mensura for these reasons with the privacycommission. 


ALERT (and evidence from a victim in France): if you were a client of Easypay, CHANGE ALL PASSWORDS NOW if your email address has the same password

I changed the warning just to be sure

because all your passwords and the way to change passwords in other services go through your principal email address

this is why you should have at least a unique password for your principal email address (and not one that has the same logic or the same words in another order as your compromised password)

you can also activate, in some online mail services, two-factor authentication with your mobile phone (although your mobile phone is about as secure as a computer was 10 years ago, so I am not sure that this is a really future-proof solution)

these are two tweets that got my attention (maybe they want to show that the email addresses and passwords really work and give access to more than Easypay, which has changed its passwords lately)

In the press it is mentioned that Belgocontrol (air traffic control) wasn't compromised by this leak. We never said it was. But if your authentication is based ONLY on passwords for login, then you are now faced with a big problem securing your access.

some points

* smart hackers won't get paid in bitcoin because it is not totally anonymous, so don't take the fact that nothing shows up in the bitcoin indexes as proof that the data hasn't been sold yet

* I hope that Easypay also gave all of its clients the very strongly worded advice to change their passwords now, especially those of their email and social media, and to contact the security cell of their firm, bank or network if they use the password to access files or applications

* security people at many networks, banks and organisations will now have to block a limited number of people (if they received a list of their members who were Easypay clients and are on the 32,000 list). They can't rely on the assumption that those people, even when warned, will all do the right thing in time; they should block their access to the extranet, files or applications for the time being, do some research (going back 2 weeks) and then issue a new password
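What that blocking step looks like in practice, as an added example that is not from the original post: a script that parses a leaked email:password dump (a constructed sample, not the real Rex Mundi file), counts how many addresses per mail domain are in it, matches it against the organisation's own account directory (also constructed; a real one would be exported from AD/LDAP) and lists the accounts to block and reset, extranet users first. The domain names, account data and password strings are assumptions made for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of a leaked dump in the email:password form that
# extortion groups typically paste online. None of these are real accounts.
LEAKED_DUMP = """\
an.peeters@example-bank.be:Zomer2014!
jan.janssens@example-bank.be:welkom123
pierre.dupont@example.fr:azerty
somebody@skynet.be:password1
garbage line without a separator
k.devos@example-bank.be:Zomer2014!
"""

# Constructed directory of the organisation's own accounts (what the
# security cell would export from AD/LDAP). Keys are lower-case emails.
DIRECTORY = {
    "an.peeters@example-bank.be": {"uid": "apeeters", "extranet": True},
    "jan.janssens@example-bank.be": {"uid": "jjanssens", "extranet": False},
    "k.devos@example-bank.be": {"uid": "kdevos", "extranet": True},
    "m.martens@example-bank.be": {"uid": "mmartens", "extranet": True},
}

# email, a separator (colon, semicolon, comma or tab), then the password
LINE_RE = re.compile(r"^\s*([^\s:@]+@[^\s:]+)\s*[:;,\t]\s*(.*?)\s*$")


def parse_dump(text):
    """Return {email: password} for every parsable line; skip the rest."""
    creds = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        email, password = m.group(1).lower(), m.group(2)
        creds[email] = password
    return creds


def tally_by_domain(creds):
    """Count leaked addresses per mail domain (the @skynet.be / @telenet.be check)."""
    return Counter(email.rsplit("@", 1)[1] for email in creds)


def accounts_to_block(creds, directory):
    """Our own accounts that appear in the dump, extranet users first."""
    hits = []
    for email, info in directory.items():
        if email in creds:
            hits.append({"email": email, "uid": info["uid"],
                         "extranet": info["extranet"],
                         "leaked_password": creds[email]})
    hits.sort(key=lambda h: (not h["extranet"], h["email"]))
    return hits


def reused_passwords(creds):
    """Passwords that occur more than once in the dump: cheap to spray elsewhere."""
    counts = Counter(creds.values())
    return {pw for pw, n in counts.items() if n > 1}


if __name__ == "__main__":
    creds = parse_dump(LEAKED_DUMP)
    print("parsed", len(creds), "credentials")
    print("by domain:", dict(tally_by_domain(creds)))
    for hit in accounts_to_block(creds, DIRECTORY):
        print("BLOCK/RESET", hit["uid"], "(extranet)" if hit["extranet"] else "")
    print("reused passwords:", reused_passwords(creds))
```

The two-week look-back the post asks for is not in the script: it only produces the block list; the research on what those accounts did is done in your own logs.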

there are also French people involved, so I hope that the CERT and Easypay have contacted the French clients, the French privacy commission and the French CERT to enable them to take all the measures described above

otherwise even more complaints may be coming their way, and the French privacy commission has the possibility to impose an administrative fine (something our new secretary of state for privacy DOES NOT WANT to do, which is nonsense because Europe will enforce this in two years).

r.marissal in France thus has more possibilities of receiving financial compensation than any Belgian victim

Rex Mundi said that as a test they have accessed at least 2 mailboxes and one CMS of a firm's website (so all firms should check the CMS of their websites if one of their users is on the list). You could be in for a lot of trouble if someone else infects it, uses it to attack another site or just downloads all the data on it

some security people in Belgium and France will have a lot of work these days.... but if they follow best practices they should be able to tell their CIOs that today or tomorrow everything is checked and changed or blocked, awaiting the results of the analysis.

if you didn't receive the client list for your network, then you should complain to Easypay or cert.be


ISIS grabs a city in.... Libya, 200 miles from the EU coast

source http://www.ibtimes.co.uk/black-flag-isis-raised-over-libyas-derna-just-200-miles-eu-coast-1475600


the Privacy Commission was in 2013 already against the use of the national register number (rijksregisternummer) as online identification

a few cases were mentioned and they were resolved, but as we saw yesterday this is still the case with several Flemish websites, for example


the Privacy Commission wanted in 2013 that national register numbers be secured online

further in the letter they say that I give people bad ideas, but it is the amateurs setting up websites without security that should be weeded out or brought into line

we are now more than one year later and the same situation just goes on, without any regard for the problems that arise if they lose a database with your national register number


11/19/2014

maybe nobody has bought the Belgian database from Rex Mundi yet (with bitcoins, that is)

you can follow that publicly (and with more private tools :)

those who think that bitcoins are private and anonymous don't understand bitcoins and all the very interesting metadata that goes with them

there are also sometimes major security problems and information leaks with the exchanges, with the protocol and with the bitcoins themselves

even the IP address of every transaction (so you need a proxy and/or VPN before you go onto a Tor relay (only one with lots of traffic, with everything else closed down and updated, and an updated Tor browser)

if he wants to sell and earn some money he will have to do it differently, but then you may have the same thing happen as to the many amateur darkweb sellers who are getting caught (you never know who is in front of you)

your fast underground buck may not necessarily bring you luck and may get stuck (hihi)

 

rexmunidbitcoin.PNG


how to detect SQL injection mistakes on your websites and databases and keep Rex Mundi away

It is illegal to do this against any other site in Belgium without the approval of the victim and under the control of the victim. Even as a white-hat hacker, because that doesn't exist, even if you are on TV :). The victim or his lawyers can come after you at any time and you won't know what hit you (or your parents, like the hacker on VRT).

this is for the programmers and the owners.

But this is just the beginning and not the finish. You really need to:

* limit online access to forms (put them behind a proxy on a server separate from your content server)

* limit the data behind the database (destroy old data and don't let people download whole data sets: only downloads from the user, no big uploads to the user)

* hash passwords and encrypt sensitive data sufficiently (not md5, even if it is salted)

* run a vulnerability checker (to keep all the different things you are running up to date) and put a patch policy in place

* install a WAF or a filtering policy (make it easy for yourself: only accept normal requests and block all the rest)

* activate an alarm procedure to get a warning when an SQL injection has some success and is downloading data sets, or when too many attacks are happening (even if they don't succeed)

* have a takedown procedure at hand so you can take down the site, or only the data sets, if this doesn't help (attacks mostly happen with automated tools like metasploit)
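To make the programmer's side concrete, here is an added example that is not code from the original post, using Python's built-in sqlite3 on a constructed customer table: the same lookup written with string concatenation and with a bound parameter, and the "handmade test" that sends a few injection payloads to both and flags the version that returns rows it should not. The table, the rows and the payload list are assumptions for the demonstration; run this only against your own database, as the warning above says.

```python
import sqlite3


def setup_db():
    """Constructed in-memory customer table standing in for a real back office."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, "
                "email TEXT, phone TEXT, pw_hash TEXT)")
    con.executemany(
        "INSERT INTO customers (email, phone, pw_hash) VALUES (?, ?, ?)",
        [("an@example.be", "+32470000001", "hash-a"),
         ("jan@example.be", "+32470000002", "hash-b"),
         ("marie@example.fr", "+33600000003", "hash-c")])
    return con


def lookup_vulnerable(con, email):
    """The mistake: user input concatenated into the query text."""
    sql = "SELECT email, phone FROM customers WHERE email = '%s'" % email
    return con.execute(sql).fetchall()


def lookup_safe(con, email):
    """The fix: a bound parameter; the input can never change the query structure."""
    return con.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)).fetchall()


# A handful of classic probes. The UNION one is the 'download the whole
# data set' case: it pulls a column (the hashes) the form never exposes.
PAYLOADS = [
    "x' OR '1'='1",
    "x' UNION SELECT email, pw_hash FROM customers --",
    "x' OR 1=1 LIMIT 1 OFFSET 1 --",
]


def probe(lookup, con):
    """The handmade test: a lookup for a non-existent address must return
    nothing. Any payload that makes it return rows (or crash) is a finding."""
    baseline = lookup(con, "nobody@example.be")
    findings = []
    for payload in PAYLOADS:
        try:
            rows = lookup(con, payload)
        except sqlite3.Error as exc:
            # error-based hint: the input reached the SQL parser
            findings.append((payload, "error: %s" % exc))
            continue
        if rows and rows != baseline:
            findings.append((payload, "%d rows" % len(rows)))
    return findings


if __name__ == "__main__":
    con = setup_db()
    print("vulnerable:", probe(lookup_vulnerable, con))
    print("safe:      ", probe(lookup_safe, con))
```

The parameterised version never errors and never returns a row for any payload, because the driver sends the payload as a value, not as SQL.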

and have this tested yearly by a penetration tester, but with a clearly defined goal: get the information out of that database whatever the way (while he is doing these tests, someone from security and from the network team should sit next to him so that he has a contact if something goes wrong, or to take immediate action if needed (finding a hard-coded password, for example))

LESS data is MORE security (and fewer costs, responsibilities and fines), so if people want to add more data or combine data you should ask yourself if it is WORTH all that

and the best way is to write into every contract that the code has to comply with the OWASP Top 10 (or OWASP 20) and that the programmers have to show the results of their tests certifying that they don't have those mistakes in their code (enfin, your code)

Testing for SQL Injection (OTG-INPVAL-005) - OWASP

How to Detect SQL Injection Attacks - The Hacker News

How do I check if my website has an SQL Injection?

Practical Identification of SQL Injection

sqlmap: automatic SQL injection and database takeover tool

Basic Tests for SQL-Injection Vulnerabilities 

Understanding SQL Injection - Cisco Systems

Automated SQL Injection Detection – Arne  (many good links) 

and so on 


some introductory links about SQL injection attacks (Rex Mundi likes this :))

1. SQL Injection Prevention Cheat Sheet - OWASP

2. Prevent SQL Injection: Tutorial, Cheat Sheet

3. SQL Injection - W3Schools

4. How To: Protect From SQL Injection in ASP.NET

5. Preventing SQL Injection Attacks 

6. PHP: SQL Injection

7. MySQL - SQL Injection Prevention - Tizag Tutorials

8. bobby-tables.com: A guide to preventing SQL injection

9. What is SQL Injection and How to Fix It 

10. Prevent SQL Injection Attacks 

11. Preventing SQL Injection Oracle 

12. SQL Injection Prevention - ProgrammerInterview.com


what we learn from the data Rex Mundi placed online

it has been uploaded twice

the first one was uploaded to pastebin and downloaded more than 300 times

it was taken down, but not well enough, because with a search you could still find some data (from the internal cache, I suppose); that is how we saw that there was data about Belgians

we just search pastebin for @skynet.be and separately for @telenet.be and whatever other address. Software could do that, but everybody I proposed this to found it 'not interesting', even though I got around 50,000 Belgian records during the Lulzsec campaign by only doing this

then it was uploaded to another paste site but it didn't stay online very long, though it was downloaded again several times

then it was uploaded again to another paste site and after 24h it is offline again (but not from the Google cache; they forgot that)

at first view the data is not being uploaded elsewhere

this protects the individual victims but not the file that has already been downloaded (count 400 times)

it means that once the data has been stolen, the mails demanding payment have been sent and the cat-and-mouse game starts, you will have to have a legal team ready with the necessary forms to block the content (although it will be much more difficult with some hosters)

in fact the EC should subsidise a centre like that, which the hosters can trust is not used for censorship but just to keep illegal leaks of personal data off the internet (even if one can ask why pastebin can't do this from the beginning and be more proactive)

now, for the networks that have members on that list, this doesn't mean that the risk is gone. The list with passwords and email addresses is still in his hands and you never know what they will do with it.


if Rex Mundi finds his next target, what will happen?

first he will look for the most vulnerable and download the data

then he will send you an email asking for payment (as we hear it, now between 30K and 50K depending on the data)

he will give a date or period in which you can respond

then he will send another mail threatening to publish some data on some date

he will announce the release of a new dataset on Twitter without mentioning who the victim is

if he receives neither payment nor any feedback, he will publish some data

then the real shit starts

* most firms didn't even upgrade their security during that period; you should do that from the moment you receive that mail (it also means that you will have to bring in security consultants, new security appliances, forensic advisers,......)

* most firms didn't start contacting the authorities and the Privacy Commission during that period; you should, within 24 hours from the moment you were informed that you had been breached (this doesn't mean that they publish that information)

you can probably start looking for a firm specialised in crisis communication

if it is heavy like Easypay and Mensura then you can start looking for a lawyer, in case you get complaints from victims with the Privacy Commission or the courts (and the longer you wait with doing the things above, the longer the list of complaints will be and the more guilty you will at least look)

* the number of attacks against your network and data will increase because Rex Mundi is not the only one in the digital universe knowing how to push the button: examine and extract if vulnerable (as that is all one has to do with modern SQL injection software; I didn't use it, I just looked at it)

So if there are new targets being attacked in the next days, then we will know in 2 to 3 weeks, in time for him to buy his Christmas presents

Even if you decide to pay you still have to go through a total password reset and a total re-securing of your internet connections, data and web services

meanwhile, if you have some budget for next year, there are two essential things: stop SQL injection (WAF and handmade tests) and use strong encryption, and if you have enough money separate access to your back office totally from your news portal (separate server with separate IP, separate access rules and firewall protections and other data flow rules (no downloads of data, for example, only uploads)).
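The alarm procedure the SQL injection post asks for, as an added example that is not part of the original post: a small detector over constructed access-log lines (example hosts only, no real traffic) that URL-decodes each request, counts injection-looking requests per source IP, alerts when a source passes a threshold even if nothing succeeded, and separately alerts when such a request came back with a 200 and a large body, which is what a successful data dump looks like in the log. The patterns, the threshold and the byte limit are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache/nginx-style access log (documentation addresses only).
# 203.0.113.9 hammers the login form with injection payloads and finally
# gets a 6 MB response back; 198.51.100.4 is an ordinary visitor.
LOG = """\
198.51.100.4 - - [19/Nov/2014:10:01:02 +0100] "GET /news?id=42 HTTP/1.1" 200 5120
203.0.113.9 - - [19/Nov/2014:10:02:10 +0100] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4090
203.0.113.9 - - [19/Nov/2014:10:02:11 +0100] "GET /login?user=admin%27%20UNION%20SELECT%20null--%20 HTTP/1.1" 500 612
203.0.113.9 - - [19/Nov/2014:10:02:12 +0100] "GET /login?user=admin%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 4090
203.0.113.9 - - [19/Nov/2014:10:02:13 +0100] "GET /export?id=1%20UNION%20SELECT%20email,pw%20FROM%20users--%20 HTTP/1.1" 200 6291456
198.51.100.4 - - [19/Nov/2014:10:03:00 +0100] "GET /news?id=43 HTTP/1.1" 200 5100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$')

# Matched against the URL-decoded request. Kept deliberately narrow so a
# normal query string does not trip it; extend it from your own WAF logs.
SQLI_RE = re.compile(
    r"(\bUNION\b\s+(ALL\s+)?SELECT\b"      # union-based extraction
    r"|'\s*(OR|AND)\s+\S+\s*=\s*\S+"       # quote-breaking tautology
    r"|--\s*$"                             # trailing SQL comment
    r"|\bSLEEP\s*\(|\bBENCHMARK\s*\()",    # time-based blind probes
    re.IGNORECASE)


def parse(line):
    """One log line -> dict with ip, status, bytes and the decoded request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def analyse(log_text, attempt_threshold=3, exfil_bytes=1_000_000):
    """Return alerts: ('exfil', ip, request, bytes) for every injection-looking
    request that got a large 200 response, and ('attempts', ip, count) for
    every source IP at or above the threshold, successful or not."""
    attempts = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if SQLI_RE.search(rec["decoded"]):
            attempts[rec["ip"]] += 1
            if rec["status"] == 200 and rec["bytes"] >= exfil_bytes:
                alerts.append(("exfil", rec["ip"], rec["decoded"], rec["bytes"]))
    for ip, n in attempts.items():
        if n >= attempt_threshold:
            alerts.append(("attempts", ip, n))
    return alerts


if __name__ == "__main__":
    for alert in analyse(LOG):
        print(*alert)
```

Feed it the live log through a tail and wire the output into whatever pages the on-call person; the point of the second alert type is that a 6 MB answer to a login form is a data dump whether or not the pattern list recognised the payload that caused it.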


a wordlist of 240 million possible passwords in the world for 13 dollars

You can use this to crack passwords that don't have a lockout (like iCloud before the Fappening) or to find passwords that look like those that were used once or follow the same logic (to limit the number of tries)

the beauty of it is that it is based on the biggest leaks since 2011 (about 1 billion accounts, so out of these a unique list of 241 million is constructed, leaving out 3 out of 4 because they are duplicates or because they are so unique that they don't matter much)

ps I didn't test it and I don't earn a cent with this, but you should know that this is now available out there

or to crack a folder or a laptop that is off-site

UNIQPASS Specifications

Version 14 released on September 30, 2013 with 241,584,732 entries
1. For use with JtR wordlist mode with --rules set
2. All passwords are unique and listed in sorted order according to their native byte values using UNIX sort command
3. 192,916 of the passwords (UNIQPASS v1) came from English dictionary
4. The remaining passwords were collected from leaked databases from various websites (including major sites e.g. Sony Pictures, Gawker)
5. Max. password length is 30 characters long
6. Password may consist of a-z, 0-9, spaces and special characters ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] | : ; " ' < , > . ? /
7. UNIX end-of-line character is used as the newline character
8. Trailing spaces, trailing tabs and NULL bytes have been removed from all passwords
9. List compressed size is 428.0 MB, i.e. the downloadable size
10. The total entries, 241,584,732, is based on UNIX wc -l output


http://www.dazzlepod.com/uniqpass/
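Why the SQL injection post above says "not md5, even if it is salted", as an added example that is not from the original post: a wordlist attack in the style of the JtR wordlist mode the specification mentions, run against a salted MD5 and against PBKDF2-HMAC-SHA256 with 100,000 iterations, using a constructed seven-word list instead of the 241-million-entry one. The salt does not stop the attack in either case, because the attacker hashes each candidate with the victim's salt; the iteration count only makes every guess cost more, and that is the whole point of a slow hash. The stored record format and the iteration count are assumptions, not from the page.

```python
import hashlib
import hmac
import os
import time

# Constructed mini wordlist standing in for the 241-million-entry list.
WORDLIST = ["123456", "password", "welkom", "Zomer2014", "azerty", "letmein", "qwerty"]


def md5_salted(password, salt):
    """The scheme the post warns against: one fast hash per guess, salt or not."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2(password, salt, iterations=100_000):
    """Slow, salted, iterated hash: the same dictionary still works, but each
    guess costs ~100k HMAC-SHA-256 calls instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_pbkdf2(password, iterations=100_000):
    """What to keep in the database: algorithm, iterations, salt and digest
    (assumed record layout, Django-like)."""
    salt = os.urandom(16)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), pbkdf2(password, salt, iterations))


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, digest = stored.split("$")
    calc = pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc, digest)


def dictionary_attack(target_digest, salt, hash_fn, wordlist=WORDLIST):
    """Wordlist mode without rules: hash each candidate with the victim's salt
    and compare. Returns (password or None, guesses made, seconds spent)."""
    start = time.perf_counter()
    for n, candidate in enumerate(wordlist, 1):
        if hash_fn(candidate, salt) == target_digest:
            return candidate, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)
    for name, fn in (("salted md5", md5_salted), ("pbkdf2 100k", pbkdf2)):
        found, guesses, secs = dictionary_attack(fn("Zomer2014", salt), salt, fn)
        print("%-12s cracked=%s after %d guesses in %.4fs (%.1f us/guess)"
              % (name, found, guesses, secs, 1e6 * secs / guesses))
```

Both runs recover the password on the fourth guess; the difference is only the time per guess, which is what decides whether a 241-million-entry list is a few minutes of work or a few years.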
