The most important patch in the normal package of patches this month was in the SSL library, although it wasn't clearly identified as such. It seems that Microsoft has decided to go through the code, processes, logic and chains of its SSL library line by line (and discovered the 9 year old mistake).
Now the mistake they have discovered is in the Kerberos chain and makes it possible to forge a certificate. Kerberos is used by many enterprises as a cheap alternative to real certificates. But the good thing is that it gets fixed fast, and out of band if there are reports that targeted attacks are being launched (without any attack code being publicly available for it).
On one side you can say that it is worrying, and on the other side it is extremely comforting that they are putting so many resources into that (which is normal if you understand that Microsoft is in fact the only alternative to the openssl debacle). If you compare that to the one, two or three persons that will be going through all the code of openssl, you understand that Microsoft has a competitive advantage, even if some believed that all intelligent users of open source software would check it for mistakes (as if they have nothing else to do). This dogma has been proven totally wrong and calls for some fundamental rethinking.
"A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos."
http://ma.ttias.be/yet-another-microsoft-cve-local-privil...
when we have an email address of the person
then we can, with his rijksregisternumber, change the PUC access code of his EID
we already have a thousand of them, there are probably more of them around
so when we know, for example from social media, that someone does the central exams
then we only need his rijksregisternumber to fuck it up for him
this one is neutral, but there are some comments or some medical information
this is the price Rex Mundi asks for his list of 32.000 Belgian passwords and email addresses that he stole from easypay.be
in fact it is in bitcoins
and this is not new, but more and more stolen datasets are being sold for small sums in bitcoins
well, it would surprise me if he got the 50.000 euro he wanted from the firm, and if he wants that kind of money he needs a lot of downloads, which he will only get if he can prove that the passwords still work
now, easypay has changed the passwords - well, some people have said that they received a new password today (about two weeks late), but it is not clear if they have been advised (two weeks late) to also change their passwords for all other services where they have used the same password or something that looks like it
and it is not clear if some security agency in Belgium has bought the list or got the list from easypay to warn all the owners of big networks that they have to block some people - instead of going through a total password reset for everybody
and even if that is the case, if you are a client of easypay then you had better change your passwords now if they are the same or look the same
because they use the certificate for the French subdomain for the Flemish subdomain
forgot to double check with ipgeo tools, which seem to differ: it is not Belgium, the hosting company is in Belgium but the hosting is in Spain
this makes everything much more difficult
it is a .be domain name but it is hosted in Spain, which makes it much more difficult to do forensic research there, and I am not sure what will happen now with the legality of it all, which law will be applicable under which circumstance and which law is better for the firm or for the victims
if you want to keep it simple, in future be sure that your data or that of your clients or users is in Belgium if you are a Belgian firm or work primarily with Belgians. This makes it much easier to work with Belgian justice and Belgian police and lawyers.
City: Madrid, 29 -
ISP: NAP de Las Americas-Madrid, S.A.
AS Number: AS23148 Terremark
Distance: 2252.09 km (1399.38 miles)
so they made a mistake and disregarded everything that they should have known and that their developers should have done, because as a big agency they have the money and the resources to do the necessary tests to be sure that there are no traditional OWASP Top 10 mistakes in their online forms for example (like sql injection)
this is one of the biggest agencies around here
which other websites did they forget to check for security mistakes?
so you can ask yourself what else was forgotten on mensura.be ?
I can't know, because in Belgium you can only be prosecuted for that ....... If some of the complainants want an independent security check by real professionals I trust for my work, and have the money for it during the course of the investigation, I can put you in contact (also if you need forensic experts to look for proof of their fuckups that they are now trying to destroy)
use my linkedin please
please ask all your people who have logged in there to change their passwords elsewhere
* if it is the same
* if it has the same letters, structure, logic
take a totally different password from anything else for your principal email address
you will always need your principal email address to contact services if things are compromised or have to be verified
all those firms and organisations also have to block all the accounts of their members who have logged in to easypay, to be sure that they don't use the same password. You can't wait until they say so or did so: you have the obligation, as a good housefather and as a security person, to protect your network and data, and as you now know that their passwords are on sale online, you have to limit the risk by whatever means you have (and that means resetting all the passwords of those people using your extranet or external protected services, and in some critical infrastructure like belgocontrol and isabel even their internal passwords, because I suppose that you don't have the cheap but effective two-factor authentication methods)
you can't know when the data will be sold and to whom
the costs of doing so you can eventually try to recover from easypay by filing a claim in court - there is enough evidence to do so - because they were really negligent
oh, and if you are a bank or you use personal private data and so on - then not blocking all those passwords - makes you NEGLIGENT - and if something happens - YOU ARE IN COURT
some say I am paranoid.
I prefer to be a bit paranoid and not end up in court.
and so and so on
1000 of the 32.000 are here
they will have my data somewhere in their database
so I filed a personal complaint
in my postings you or your lawyer will find enough information that Mensura did not inform us, didn't protect our data as it should have, and was lying about the data that it lost (there is medical information in some of the files)
I am not sure that my data is lost, but that doesn't matter: they had my data and they don't do enough to secure it
you can as an organisation representing people (syndicat) or as an organisation or firm that is a client with mensura.be or easypay.be file a complaint with a simple email to firstname.lastname@example.org
you have to mention three things
* why you do it and what your interest is, or whom you legally represent
* about which data we are talking that is leaked and what the effect is (some medical privacy, some clearly reputational damage, in all cases loss of your Rijksregisternumber)
* the rules and recommendations of the Recommendation of the Privacy Commission of January 2013 that were and ARE not respected: about security before the leak, about breach notification and about taking the necessary measures AFTER the leak
remember if we didn't publish this information, you wouldn't even have known
mensura still asks for the rijksregisternumber and (bad) comments
easypay still has its UNPROTECTED login pages online
don't just be angry, use the system, wake up the system, send an email - this is enough
what has to happen next before the politicians, the administrative controls and the employers' organisations DO something? (and it is in the interest of the business that only those who really invest in security and service are 'certified', and not whatever cowboy with a cheap programmer and a cheap server who tries to undercut your price in exchange for no security and in fact no service)
there are no passwords in this file
these are just some of the email addresses linked to the passwords
so 32.000 people will have to be alerted TODAY that, if they have an account there, they should change
* the same passwords
* passwords that look the same or have the same structure
for any service on the web that can be directly or indirectly linked to you even if they seem innocent at first
skynetblogs has asked me to suppress the image with the proof
If you are a lawyer and you need this information for your courtcase against easypay, you can contact me.
and so you can see that there is medical data in it, whatever mensura is saying
although it will be deleted fast
and so the cat and mouse game will go on and on and on
and the number of people having access to that data will increase increase increase
with the rijksregisternumber in it, and why your employer didn't trust you, and here and there which sickness you claim to have
Skynetblogs has asked me to suppress this image.
If you need this information as a lawyer to prove your case, you can contact me, and please identify why you need it.
the dataset that rex mundi has found on the website of easypay, which has some secure and some older very insecure parts (without even encrypted logins), consists of passwords combined with email addresses as login
so this is one possibility, especially because there is NO ENCRYPTION on that login (how is this still possible...) and there are other login pages and forms like that on this site without any encryption
we didn't test for any sql injection on any site as this would be illegal under Belgian law and we don't do anything illegal - because so many people hate us that they would love to prosecute us and silence us (to be able to keep on doing their work as if nothing happened and you would never know)
the biggest question is if all the users have been informed that their logins and passwords are compromised and should be reset and that they should change their password if they use it anywhere else with the same emailaddress
they are lucky, it could have been much worse, but I have also thought that Rex Mundi was always in for a quickie and has not proven that he is up for big complicated long-term operations using different entry points on websites or combining vulnerabilities and mistakes (at least this is not the impression I have until now, but he can also try to convince me of the contrary). On the other side, why would you do such operations and take such risks of leaving so many traces behind in such an operation if there are so many websites that are so badly written and maintained that in a few minutes you just get the data.
It is like walking into a casino with rows of cash machines: sometimes you are lucky and sometimes you are not. We don't know how many websites have paid and we will probably never know, because no data has been published about them. We only know of the hacked or breached sites because they don't want to pay, or not immediately. But on the other side his price has gone up so enormously that paying has become much more difficult for some companies. When he was asking only a few thousand dollars, most companies could keep it away from the board of directors and hide it in a consultancy or other contract. This is much more difficult under the stringent financial rules if you are asking 30.000 Euro or much more. But it also shows that some companies have paid that much without much resistance, and that has increased the price for all the others as well.
As a reminder I have nothing to do with this group or guy and only know them through twitter.
it seems that some syndical organisations are beginning to move and are talking to lawyers to prepare official complaints
Belsec is available for help and advice
the recommendation of january 2013 by the privacycommission is very important
easypay.be, a payroll company, was the next victim of Rex Mundi, and there are at least 10 databases that are not protected
from other tweets we know they have said that they had the logins, which weren't well encrypted, and we have already published that the certificate of the https protection is not worth one cent
developing story - follow us
and their page that calculated your loan has been retired
interesting links (with the same bad encryption)
https://payrolling.easypay-group.com/ remote desktop connection
http://easyweb.easypay-group.com/xhtml/router.jsp (login page without encryption)
http://eunomia.easypay-group.com/xhtml/com/easypaygroup/standard/view/authentication/authentication.xhtml (login page without encryption)
and the same site has a registrationpage with all kinds of personal data without encryption
it gets even better
http://www.easypay-group.com/fr_BE/guichet_d_entreprises/formulaire/ (no encryption :)
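the two defects in the link list above (login and registration forms served over plain http, and the https host that uses the certificate of another subdomain) can be checked offline with a small script. This is an added example, not code from belsec or from easypay; the hostnames, the page list and the certificate name list are constructed stand-ins.

```python
"""Flag login pages served without TLS and https hosts whose certificate
does not cover the hostname. Added example; all names are constructed."""
from urllib.parse import urlparse

# Constructed: the names a certificate claims to cover (Subject Alt Names).
CERT_SANS = ["fr.example.be", "www.example.be"]

# Constructed list of pages to review, mirroring the post's link list.
PAGES = [
    "http://app.example.be/xhtml/router.jsp",   # login form, no TLS at all
    "https://nl.example.be/login",              # TLS, but cert is for fr.
    "https://fr.example.be/login",              # TLS with a matching cert
]


def hostname_matches(sans, host):
    """RFC 6125-style check: an exact match, or a leftmost '*' that covers
    exactly one label (so *.example.be covers nl.example.be but not
    a.nl.example.be and not example.be itself)."""
    host = host.lower().rstrip(".")
    for name in sans:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                        # ".example.be"
            prefix = host[:-len(suffix)]
            if host.endswith(suffix) and prefix and "." not in prefix:
                return True
    return False


def audit(pages, sans):
    """Return {url: finding} for every page that fails one of the checks."""
    findings = {}
    for url in pages:
        p = urlparse(url)
        if p.scheme == "http":
            findings[url] = "credentials or personal data sent in clear text"
        elif p.scheme == "https" and not hostname_matches(sans, p.hostname):
            findings[url] = "certificate not valid for %s" % p.hostname
    return findings


if __name__ == "__main__":
    for url, why in audit(PAGES, CERT_SANS).items():
        print(url, "->", why)
```

A browser shows the second case as a certificate warning, which trains users to click through it; the first case shows nothing at all, which is why the post calls it the worse one.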
this is how it is done in one pic
the bigger the use of TOR or the TOR relays the better our protection
and it is obligatory