11/19/2014

Microsoft's Schannel and Kerberos urgently patched again, and when are you upgrading your servers?

The most important patch in this month's regular batch was in the TLS/SSL library (Schannel, bulletin MS14-066), although it was not clearly identified as such. Microsoft seems to have gone through the code, the logic and the certificate-chain handling of that library line by line, and found a bug that has reportedly been there for some 19 years.

The mistake patched out of band this week is a different one, in Kerberos (MS14-068): the Kerberos KDC does not properly validate the signature on the privilege attribute certificate (PAC) inside a service ticket, so an ordinary domain user can forge a ticket that claims domain-admin group membership. Kerberos is not a cheap alternative to certificates; it is the authentication protocol of every Active Directory domain, so this reaches practically every enterprise. That it gets fixed fast, and out of band, as soon as there are reports of targeted attacks (without any attack code being public at the time) is the point here.

On one side you can say that this is worrying; on the other side it is comforting that they put so many resources into it (which is logical once you realise that Microsoft's stack is in practice the only alternative to the OpenSSL debacle). Compare that with the one, two or three people who go through all the code of OpenSSL and you see that Microsoft has a competitive advantage, even if some believed that all the intelligent users of open-source software would check it for mistakes (as if they had nothing else to do). That dogma has been proven wrong and calls for some fundamental rethinking.

"A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos."

http://ma.ttias.be/yet-another-microsoft-cve-local-privil...
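As an added example, not from the post or from Microsoft: the patch is the fix, but while it is rolling out you can look for the trace the publicly known exploitation left behind. A forged PAC changes the identity the KDC vouches for, and the public tooling did this sloppily, so a logon event (4624, or 4672 for special privileges) on a domain controller or member server shows a Security ID that does not belong to the Account Name in the same event. The script below parses a few constructed 4624/4672-style records and compares each Security ID with a constructed directory export (the domain SID, accounts and events are placeholders, not real data). A careful attacker can forge a consistent PAC, so a clean result proves nothing; a mismatch is worth an incident.

```python
import re

# Constructed directory export (sAMAccountName -> objectSid) for a hypothetical
# domain. In practice this comes from your own AD (e.g. a CSV exported with
# Get-ADUser) and is the ground truth every event is checked against.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DIRECTORY = {
    "administrator": DOMAIN_SID + "-500",
    "jdoe": DOMAIN_SID + "-1105",
    "svc_backup": DOMAIN_SID + "-1210",
}

# Constructed records in the flat "Field: value" shape of a Security-log text
# export; not real log data. The second record is the suspicious one: the name
# is the low-privileged user but the SID the KDC vouched for is RID 500.
SAMPLE_EVENTS = """\
EventID: 4624
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105
Account Name: jdoe
Logon Type: 3

EventID: 4624
Security ID: S-1-5-21-1111111111-2222222222-3333333333-500
Account Name: jdoe
Logon Type: 3

EventID: 4624
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1210
Account Name: svc_backup
Logon Type: 3

EventID: 4672
Security ID: S-1-5-21-1111111111-2222222222-3333333333-500
Account Name: administrator
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*?)\s*$")


def parse_events(text):
    """Split a 'Field: value' export into one dict per blank-line-separated record."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    if current:
        events.append(current)
    return events


def find_sid_name_mismatches(events, directory):
    """Flag logon events whose Security ID is not the SID the directory holds
    for the Account Name. Accounts unknown to the directory are skipped rather
    than flagged, so machine accounts and trusts do not drown the output."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in {"4624", "4672"}:
            continue
        name = ev.get("Account Name", "").lower()
        seen_sid = ev.get("Security ID", "")
        expected_sid = directory.get(name)
        if expected_sid is None or seen_sid == expected_sid:
            continue
        findings.append({
            "event_id": ev["EventID"],
            "account": name,
            "seen_sid": seen_sid,
            "expected_sid": expected_sid,
            # A mismatch that lands on RID 500/512/519 is the classic forged-PAC sign
            "privileged_rid": seen_sid.rsplit("-", 1)[-1] in {"500", "512", "519"},
        })
    return findings


if __name__ == "__main__":
    for finding in find_sid_name_mismatches(parse_events(SAMPLE_EVENTS), DIRECTORY):
        print(finding)
```

Run it against an export from the domain controllers first: that is where the forged ticket is presented, and where a patched KDC will stop accepting it.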


more things we can do with the rijksregisternumber

when we have the e-mail address of the person

then, with his rijksregisternumber, we can change the PUC access code of his eID

that simple


and why not wreck someone's unemployment file with his rijksregisternumber

we already have a thousand of them, and there are probably more around


the Vlaamse Examencommissie still uses the rijksregisternumber to recover a password

so when we know, for example from social media, that someone is taking the central exams

then we only need his rijksregisternumber to wreck it for him


the site with our rijksregisternumbers can be attacked because of a bad certificate


this is what comes up when someone types in a rijksregisternumber from the leaked mensura.be file

horrifying

this one is neutral, but some records carry comments or medical information


you can buy 32,000 Belgian passwords from easypay for 40 euro

that is the price Rex Mundi asks for his list of 32,000 Belgian passwords and e-mail addresses that he stole from easypay.be

in fact it is payable in bitcoin

and this is not new: more and more stolen datasets are being sold for small sums in bitcoin

it would surprise me if he got the 50,000 euro he wanted from the firm, and if he wants that kind of money from buyers he needs a lot of downloads, which he will only get if he can prove that the passwords still work

now, easypay has changed the passwords: some people say they received a new password today (about two weeks late), but it is not clear whether they were also advised (two weeks late) to change their password on every other service where they used the same password or something that looks like it

and it is not clear whether any security agency in Belgium has bought the list or got it from easypay, so that the owners of large networks could be warned to block a few accounts instead of going through a total password reset for everybody

and even if that is the case, if you are a client of easypay you had better change your passwords now wherever they are the same or look the same


11/18/2014

and the same thing for the Flemish side: bad certificate on the RRN site

because they serve the certificate of the French subdomain on the Flemish subdomain, so the name in the certificate does not match the host name the browser asked for
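What the bad certificate means in practice: a certificate vouches for host names, and the certificate served on the Flemish host names only the French one, so a user who clicks through that warning will just as readily accept anybody else's certificate for anybody else's name. The check is mechanical. Below is an added example, not code from the post or from the RRN site, of RFC 6125 style host-name matching against the DNS names in a certificate in the dict shape Python's ssl.getpeercert() returns; the certificate contents and host names are constructed placeholders.

```python
from ipaddress import ip_address


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def dns_names_from_cert(cert):
    """Return the DNS names a certificate is valid for, from a dict shaped like
    ssl.getpeercert(): subjectAltName DNS entries win; the subject CN is used
    only when the certificate has no DNS SAN at all (legacy behaviour)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def _pattern_matches(pattern, host):
    """RFC 6125 style: exact match, or a single '*' as the whole left-most label
    covering exactly one label (so *.example.be covers www.example.be but not
    example.be, a.b.example.be, and a bare *.be is never accepted)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, host):
    """True if the host name the client asked for is one the certificate names."""
    if _is_ip(host):
        return False  # an IP belongs in an IP-Address SAN, never matched against DNS names
    return any(_pattern_matches(name, host) for name in dns_names_from_cert(cert))


# Constructed certificate record (the shape ssl.getpeercert() returns) for a
# hypothetical French-language host; not the real RRN certificate.
FRENCH_SITE_CERT = {
    "subject": ((("commonName", "www.example-fr.invalid"),),),
    "subjectAltName": (("DNS", "www.example-fr.invalid"), ("DNS", "example-fr.invalid")),
}

if __name__ == "__main__":
    for host in ("www.example-fr.invalid", "www.example-nl.invalid"):
        print(host, "->", "ok" if hostname_matches(FRENCH_SITE_CERT, host) else "NAME MISMATCH")
```

Python's ssl module performs this check itself when you connect with server_hostname set, and `openssl s_client -connect host:443 -servername host` shows the names a server actually presents; the code above only makes the rule explicit.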


easypay.be also falls under Belgian law because it is hosted here

easypaywhere.PNG


update: mensura.be is hosted in Spain

I forgot to double-check with ip-geolocation tools, which disagree: it is not Belgium; the hosting company is Belgian, but the hosting itself is in Spain

this makes everything much more difficult

it is a .be domain name, but it is hosted in Spain, which makes forensic research there much harder, and I am not sure what this means for the legal side: which law applies under which circumstances, and which law is better for the firm or for the victims

if you want to keep it simple: in future make sure that your data, or that of your clients or users, is in Belgium if you are a Belgian firm or work primarily with Belgians. That makes it much easier to work with Belgian justice, police and lawyers.


IP Address 46.34.93.67
Host www.mensura.be
Location ES ES, Spain
City Madrid, 29 -
Organization Terremark
ISP NAP de Las Americas-Madrid, S.A.
AS Number AS23148 Terremark
Latitude 40°40'86" North
Longitude 3°69'22" West
Distance 2252.09 km (1399.38 miles)


mensura.be was not designed by a small firm

so they made a mistake and ignored everything they should have known and that their developers should have done, because as a big agency they have the money and the resources to do the necessary tests to be sure that there are no classic OWASP Top 10 mistakes (like SQL injection) in their online forms

this is one of the biggest agencies around here

which other websites did they forget to check for security mistakes?

so you can ask yourself what else was forgotten on mensura.be?

I can't know, because in Belgium you can only get prosecuted for checking that ....... If some of the complainants want an independent security check by real professionals whom I trust for my own work, and have the money for it during the investigation, I can put you in contact (also if you need forensic experts to look for evidence of their mistakes that they are now trying to destroy)

use my LinkedIn, please

mensurawhois.PNG


these organisations have to reset all their passwords because of easypay.be

please ask all your people who have logged in there to change their passwords elsewhere

* if it is the same

* if it has the same letters, structure or logic

take a totally different password from anything else for your principal e-mail address

you will always need your principal e-mail address to contact services when things are compromised or have to be verified

all those firms and organisations also have to block the accounts of their members who logged in to easypay, to be sure they don't use the same password. You can't wait until easypay says so or does so: you have the obligation, as a good housefather and as a security person, to protect your network and data, and now that you know their passwords are on sale online you have to limit the risk by whatever means you have (and that means resetting all the passwords of those people on your extranet or external protected services, and in critical infrastructure like Belgocontrol and Isabel even their internal passwords, because I suppose you don't have the cheap but effective two-factor authentication methods)

you can't know when the data will be sold, or to whom

the cost of doing so you can eventually try to recover from easypay by filing a claim in court (there is enough evidence to do so), because they were really negligent

oh, and if you are a bank or you handle personal private data, then NOT blocking all those passwords makes you NEGLIGENT, and if something happens YOU ARE IN COURT

some say I am paranoid.

I prefer to be a bit paranoid and not end up in court.

@belgocontrol

@isabel 

@abvv

@fgtb

@socmut

@acv-csc

@familiezorg

@libmotov

@multipharma

@continentalfoods

@maredsous

@home-market

@ocmwsintmertenslatem

@generali-international

@fedasil.be 

and so and so on 

1000 of the 32.000 are here 

http://paste4btc.com/wVtizDaG


my personal complaint with the Privacy Commission against mensura.be

they will have my data somewhere in their database

so I filed a personal complaint

in my postings you or your lawyer will find enough information that Mensura did not inform us, didn't protect our data as it should have, and lied about the data it lost (there is medical information in some of the files)

I am not sure that my data is lost, but that doesn't matter: they had my data and they don't do enough to secure it

as an organisation representing people (a union) or as an organisation or firm that is a client of mensura.be or easypay.be, you can file a complaint with a simple e-mail to commission@privacycommission.be

you have to mention three things

* why you file it and what your interest is, or whom you legally represent

* which leaked data we are talking about and what the effect is (in some cases medical privacy, in some clearly reputational damage, in all cases the loss of your rijksregisternumber)

* the rules and recommendations of the Privacy Commission's Recommendation of January 2013 that were and ARE not respected: about security before the leak, about breach notification, and about taking the necessary measures AFTER the leak

remember: if we hadn't published this information, you wouldn't even have known

mensura still asks for the rijksregisternumber and (bad) comments

easypay still has its UNPROTECTED login pages online

don't just be angry: use the system, wake up the system, send an e-mail, that is enough

what has to happen before the politicians, the administrative controls and the employers' organisations DO something? (and it is in the interest of business that only those who really invest in security and service are 'certified', and not whatever cowboy with a cheap programmer and a cheap server who tries to undercut your price in exchange for no security and in fact no service)

mensura2.PNG


easypay.be doesn't pay, so Rex Mundi puts 32,000 passwords up for sale online

there are no passwords in this file

these are just some of the e-mail addresses linked to the passwords

http://paste4btc.com/wVtizDaG

so 32,000 people will have to be alerted TODAY that if they have an account there they should change

* the same passwords

* passwords that look the same or have the same structure

on any web service that can be directly or indirectly linked to them, even if it seems innocent at first

skynetblogs has asked me to remove the image with the proof

if you are a lawyer and you need this information for your court case against easypay, you can contact me.


mensura.be data is online again

and so you can see that there is medical data in it, whatever mensura says

it will be deleted fast, though

https://dpaste.de/VXuB

and so the cat-and-mouse game will go on and on

and the number of people with access to that data will keep increasing

with the rijksregisternumber in it, and why your employer didn't trust you, and here and there which illness you claimed to have

Skynetblogs has asked me to remove this image.

If you need this information as a lawyer to prove your case, you can contact me; please state why you need it.


easypay.be is lucky it only has to reset all passwords that use an e-mail address as login

the dataset Rex Mundi found on easypay's website, which has some secure and some older, very insecure parts (without even encrypted logins), consists of passwords paired with e-mail addresses as logins

so this is one possibility, especially because there is NO ENCRYPTION on that login (how is this still possible...), and there are other login pages and forms like it on the site without any encryption

http://easyweb.easypay-group.com/xhtml/router.jsp

we didn't test for SQL injection on any site, as that would be illegal under Belgian law and we don't do anything illegal (so many people hate us that they would love to prosecute us and silence us, to be able to keep working as if nothing had happened and you would never know)

the biggest question is whether all users have been informed that their logins and passwords are compromised and should be reset, and that they should change the password anywhere else they use it with the same e-mail address

they are lucky; it could have been much worse, but I have also always thought that Rex Mundi is in it for a quick hit and has not shown that he goes for big, complicated, long-term operations using different entry points on websites or chaining vulnerabilities and mistakes (at least that is my impression until now, but he can try to convince me of the contrary). Then again, why would you run such operations and take the risk of leaving so many traces behind, when there are so many websites so badly written and maintained that in a few minutes you just get the data?

It is like walking into a casino with rows of cash machines: sometimes you are lucky and sometimes you are not. We don't know how many websites have paid, and we will probably never know, because no data is published about them. We only hear about the hacked or breached sites because they don't want to pay, or not immediately. On the other hand, his price has gone up so enormously that paying has become much more difficult for some companies. When he was asking only a few thousand dollars, most companies could keep it away from the board of directors and hide it in a consultancy or other contract. With today's stringent financial controls that is much harder when the demand is 30,000 euro or more. But it also shows that some companies have paid that much without much resistance, and that has raised the price for everyone else.

As a reminder: I have nothing to do with this group or person and only know them through Twitter.


paymail.PNG


mensura.be: rumours about parties preparing official complaints

it seems that some union organisations are beginning to move and are talking to lawyers to prepare official complaints

Belsec is available for help and advice

the Recommendation of January 2013 by the Privacy Commission is very important


11/17/2014

easypay.be, a payroll company, was the next victim of Rex Mundi, and there are at least 10 databases that are not protected

from other tweets we know they have said they had the logins, which weren't well encrypted, and we have already published that the certificate behind the https protection is not worth a cent

developing story - follow us

and their page that calculated your pay has been taken offline

interesting links (with the same bad encryption)

https://payrolling.easypay-group.com/  remote desktop connection

http://hosting.easypay-group.com/

http://easyweb.easypay-group.com/xhtml/router.jsp (login page without encryption)

http://eunomia.easypay-group.com/xhtml/com/easypaygroup/standard/view/authentication/authentication.xhtml (login page without encryption)

and the same site has a registration page asking for all kinds of personal data, without encryption

http://eunomia.easypay-group.com/xhtml/com/easypaygroup/standard/view/registration/registration.xhtml?lang=nl

http://194.78.71.164/dimona2/   login

it gets even better

http://www.easypay-group.com/fr_BE/guichet_d_entreprises/formulaire/  (no encryption :)
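For the login and registration pages listed here, and the router.jsp login in the post above, the problem is not weak encryption but none at all: a form on an http:// page sends the credentials, and the rijksregisternumber on the registration page, in clear, and an attacker on the path can also rewrite the page before the user types anything. This is easy to check across a whole estate. The code below is an added example (not from the post or from easypay) that collects the forms in a page, resolves each action against the page URL, and gives a verdict per form that carries a password or personal field; the page URLs and HTML are constructed placeholders, not easypay's pages.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_TYPES = {"password"}
# Field-name fragments that mark a form as carrying personal or secret data;
# "rijksregister" is there because of the registration page in this post.
SENSITIVE_NAME_PARTS = ("password", "passwd", "pwd", "rijksregister", "iban")


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action, method and sensitive inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {
                "action": urljoin(self.page_url, a.get("action", "")),  # "" = post to self
                "method": a.get("method", "get").lower(),
                "sensitive": [],
            }
        elif tag == "input" and self._form is not None:
            itype, name = a.get("type", "text").lower(), a.get("name", "").lower()
            if itype in SENSITIVE_TYPES or any(p in name for p in SENSITIVE_NAME_PARTS):
                self._form["sensitive"].append(name or itype)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_forms(page_url, html):
    """One finding per form that carries a sensitive field, with a verdict."""
    parser = FormCollector(page_url)
    parser.feed(html)
    parser.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        action_is_https = urlsplit(form["action"]).scheme == "https"
        if not page_is_https:
            verdict = "page served over http: form and its action can be rewritten in transit"
        elif not action_is_https:
            verdict = "action over http: credentials leave the browser in clear"
        elif form["method"] != "post":
            verdict = "GET form: secrets end up in URLs, logs and referers"
        else:
            verdict = "ok"
        findings.append({"action": form["action"], "fields": form["sensitive"], "verdict": verdict})
    return findings


# Constructed pages; the host names are placeholders, not easypay's.
LOGIN_PAGE_URL = "http://login.example.invalid/xhtml/router.jsp"
LOGIN_PAGE_HTML = """
<form action="router.jsp" method="post">
  <input type="text" name="username"> <input type="password" name="password">
</form>"""

MIXED_PAGE_URL = "https://portal.example.invalid/register"
MIXED_PAGE_HTML = """
<form action="http://portal.example.invalid/register/save" method="post">
  <input name="rijksregisternummer"> <input type="password" name="pwd">
</form>
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post"><input type="password" name="passwd"></form>"""

if __name__ == "__main__":
    for url, html in ((LOGIN_PAGE_URL, LOGIN_PAGE_HTML), (MIXED_PAGE_URL, MIXED_PAGE_HTML)):
        for finding in audit_forms(url, html):
            print(url, finding)
```

Feed it the HTML you fetched yourself (after following redirects, since an http URL that immediately redirects to https is a different, lesser finding), and treat "page served over http" as the worst verdict even when the action is https: the attacker never has to break TLS if he can edit the form first.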


low-traffic Tor entry and exit relays can be used to correlate and deanonymise traffic

this is how it is done, in one picture

but read this: https://blog.torproject.org/blog/traffic-correlation-usin...

the more people use Tor, and the more relays there are, the better our protection
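The attack in the linked Tor blog post is statistical, not cryptographic: an observer who sees both ends never decrypts anything, because the volume-over-time pattern of a connection survives the encrypted hops largely intact. Below is an added toy example, not the Tor project's code, of the core of it: three constructed client flows with different burst schedules as seen at an entry relay, the same flows delayed and jittered as seen at an exit, and a lagged correlation of per-second byte counts that pairs each exit flow with its client. The flows are constructed; a real attack has thousands of concurrent flows and coarser NetFlow bins, which is exactly why more users and more relays raise the attacker's false-match rate.

```python
import random


def binned_bytes(packets, bin_seconds, n_bins):
    """Sum bytes per time bin from (timestamp, size) pairs: the only view an
    observer with flow records has of an encrypted circuit."""
    bins = [0.0] * n_bins
    for t, size in packets:
        i = int(t // bin_seconds)
        if 0 <= i < n_bins:
            bins[i] += size
    return bins


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def match_flows(entry_flows, exit_flows, duration=60, bin_seconds=1.0, max_lag_bins=3):
    """For each exit-side flow, find the entry-side flow (and lag) whose volume
    pattern correlates best. Returns {exit_name: (r, entry_name, lag_bins)}."""
    n = int(duration / bin_seconds)
    entry_bins = {k: binned_bytes(v, bin_seconds, n) for k, v in entry_flows.items()}
    exit_bins = {k: binned_bytes(v, bin_seconds, n) for k, v in exit_flows.items()}
    result = {}
    for xname, xb in exit_bins.items():
        best = (-2.0, None, 0)
        for ename, eb in entry_bins.items():
            for lag in range(max_lag_bins + 1):
                r = pearson(eb[: n - lag], xb[lag:])  # exit is delayed by `lag` bins
                if r > best[0]:
                    best = (r, ename, lag)
        result[xname] = best
    return result


# --- constructed data: three clients with different burst schedules ---
def _bursts(starts, packets_per_burst, size):
    return [(s + 0.05 * i, size) for s in starts for i in range(packets_per_burst)]


ENTRY_FLOWS = {
    "client_A": _bursts([k + 0.3 for k in range(2, 60, 7)], 5, 1400),
    "client_B": _bursts([k + 0.3 for k in range(4, 60, 11)], 12, 600),
    "client_C": _bursts([k + 0.3 for k in range(1, 60, 5)], 3, 1400),
}


def _through_tor(packets, rng, delay=1.0, jitter=0.1):
    """Same packets as seen at the exit: delayed, jittered, sizes roughly preserved."""
    return [(t + delay + rng.uniform(-jitter, jitter), size + rng.randint(-40, 40))
            for t, size in packets]


_rng = random.Random(7)
EXIT_FLOWS = {  # labels deliberately carry no hint of which client they belong to
    "exit_1": _through_tor(ENTRY_FLOWS["client_B"], _rng),
    "exit_2": _through_tor(ENTRY_FLOWS["client_C"], _rng),
    "exit_3": _through_tor(ENTRY_FLOWS["client_A"], _rng),
}

if __name__ == "__main__":
    for name, (r, client, lag) in match_flows(ENTRY_FLOWS, EXIT_FLOWS).items():
        print(f"{name} <- {client} (r={r:.3f}, lag={lag} bins)")
```

Padding or a constant-rate cover stream would be the countermeasure; Tor does not do that today, which is why the Tor blog's advice, and this post's last line, is about growing the crowd rather than changing the crypto.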


mensura still asks for the rijksregisternumber online - they didn't learn a thing

and it is a mandatory field
