- Page 5

  • Microsoft's SSL libraries urgently patched again (and now Kerberos too): when are you upgrading your servers?

    The most important patch in this month's regular batch was in the SSL/TLS library (Schannel), although it wasn't clearly identified as such. It seems that Microsoft has decided to go through the code, processes, logic and chains of its SSL library line by line (and discovered the nine-year-old mistake).

    The mistake they have now found, however, is not in SSL at all but in the Kerberos KDC: the KDC fails to properly validate the signature on the privilege data (the PAC) carried inside a Kerberos ticket, so an ordinary domain user can forge a ticket that claims domain-administrator group membership. Kerberos is the authentication protocol behind every Active Directory domain, so practically every enterprise is affected. What is notable is that it got fixed fast, and out of band, on the strength of reports that targeted attacks were being launched (without any attack code being publicly available at that point).

    On one side you can say that it is worrying; on the other side it is extremely comforting that they are putting so many resources into this (which is normal if you understand that Microsoft is in fact the only alternative to the OpenSSL debacle). If you compare that to the one, two or three people who will be going through all the code of OpenSSL, you understand that Microsoft has a competitive advantage, even if some believed that all intelligent users of open-source software would check it for mistakes (as if they had nothing else to do). That dogma has been proven totally wrong and will require some fundamental rethinking.

    Microsoft's own description of the bug, from the security bulletin (MS14-068) discussed at the link below:

    "A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos."

    http://ma.ttias.be/yet-another-microsoft-cve-local-privilege-escalation-ms14-068/
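    As an added illustration (not Microsoft's code, and not taken from the bulletin or from any exploit), here is a simplified model of the signature check the bulletin describes. The publicly analysed root cause of MS14-068 was that the KDC accepted a PAC whose signature had been made with an unkeyed checksum algorithm (plain MD5), which any client can compute without the krbtgt key. The PAC layout, checksum names and key below are constructed stand-ins, not the real Kerberos wire format.

```python
"""Simplified model of the MS14-068 PAC signature check (added example).

A Kerberos ticket carries a PAC (Privilege Attribute Certificate) listing the
user's group memberships. The KDC signs the PAC with a keyed checksum over its
body using the krbtgt key. The disclosed flaw: the pre-patch KDC honoured
whatever checksum type the ticket named, including unkeyed ones that anyone
can compute, so a client could rewrite the group list and re-sign it.
Constants, layout and key are illustrative, not the real wire format."""
import hashlib
import hmac
import json

KRBTGT_KEY = b"constructed-krbtgt-key"   # constructed; only the KDC knows this

# Illustrative checksum registry (stand-ins for Kerberos checksum types).
UNKEYED_MD5 = "md5"          # anyone can compute this
KEYED_HMAC_MD5 = "hmac-md5"  # needs the key


def checksum(ctype, key, data):
    if ctype == UNKEYED_MD5:
        return hashlib.md5(data).digest()
    if ctype == KEYED_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError("unknown checksum type")


def encode_pac(body):
    return json.dumps(body, sort_keys=True).encode()


def kdc_issue_pac(user, groups):
    """KDC builds a PAC and signs it with the keyed checksum."""
    body = {"user": user, "groups": list(groups)}
    return {"body": body, "ctype": KEYED_HMAC_MD5,
            "sig": checksum(KEYED_HMAC_MD5, KRBTGT_KEY, encode_pac(body))}


def kdc_validate_vulnerable(pac):
    """Pre-patch behaviour: trusts the checksum type named in the ticket."""
    expected = checksum(pac["ctype"], KRBTGT_KEY, encode_pac(pac["body"]))
    return hmac.compare_digest(expected, pac["sig"])


def kdc_validate_fixed(pac):
    """Post-patch behaviour: only the keyed checksum is acceptable."""
    if pac["ctype"] != KEYED_HMAC_MD5:
        return False
    expected = checksum(KEYED_HMAC_MD5, KRBTGT_KEY, encode_pac(pac["body"]))
    return hmac.compare_digest(expected, pac["sig"])


def attacker_forge(pac, extra_groups):
    """A domain user rewrites the group list and 're-signs' with unkeyed MD5."""
    body = dict(pac["body"])
    body["groups"] = body["groups"] + list(extra_groups)
    return {"body": body, "ctype": UNKEYED_MD5,
            "sig": checksum(UNKEYED_MD5, b"", encode_pac(body))}


def demo():
    legit = kdc_issue_pac("alice", ["Domain Users"])
    forged = attacker_forge(legit, ["Domain Admins"])
    return {
        "legit_vulnerable": kdc_validate_vulnerable(legit),
        "legit_fixed": kdc_validate_fixed(legit),
        "forged_vulnerable": kdc_validate_vulnerable(forged),   # True: the bug
        "forged_fixed": kdc_validate_fixed(forged),             # False: patched
    }


if __name__ == "__main__":
    print(demo())
```

    The point the model makes is the one the bulletin states in one line: a signature check is only as strong as the weakest algorithm the verifier is willing to accept, so the fix is to refuse unkeyed checksum types rather than to add another one.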

  • more shit we can do with the rijksregisternumber (the Belgian national register number)

    When we have the email address of a person,

    then with his rijksregisternumber we can change the PUK access code of his eID.

    That simple.

  • and why don't we fuck up someone's unemployment file with his rijksregisternumber

    We already have a thousand of them, and there are probably more of them around.

  • the Vlaamse Examencommissie still uses the rijksregisternumber to recover a password

    So when we know, for example from social media, that someone is taking the central exams,

    then we only need his rijksregisternumber to fuck it up for him.

  • this is what happens if someone types in a rijksregisternumber from the leaked mensura.be file

    Horrifying.

    This one is neutral, but some records contain comments or medical information.

  • you can buy 32,000 Belgian passwords from easypay for 40 euro

    This is the price Rex Mundi asks for his list of 32,000 Belgian passwords and email addresses that he stole from easypay.be.

    In fact the price is in bitcoin.

    This is not new, but more and more stolen datasets are being sold for small sums in bitcoin.

    Well, it would surprise me if he got the 50,000 euro he wanted from the firm, and if he wants that kind of money he needs a lot of downloads, which he will only get if he can prove that the credentials still work.

    Now, easypay has changed the passwords. Well, some people have said that they received a new password today (about two weeks late), but it is not clear whether they were also advised (two weeks late) to change their passwords for all the other services where they used the same password or something that looks like it.

    And it is not clear whether some security agency in Belgium has bought the list, or got it from easypay, in order to warn the owners of big networks that they have to block some accounts, instead of going through a total password reset for everybody.

    Even if that is the case: if you are a client of easypay, you had better change your passwords now if they are the same or look the same.

  • and for the Flemish the same thing: bad certificate on RRN

    because they use the certificate of the French subdomain for the Flemish subdomain, so the name on the certificate does not match the hostname the browser asked for and every visitor gets a certificate warning.
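    The check that fails in a case like this is the hostname match a browser performs before trusting a certificate. The following is an added example, not code from the site in question: it implements that match over a certificate in the dict layout Python's `ssl.getpeercert()` returns. The certificates and the hostnames (`fr.example.be`, `nl.example.be`) are constructed placeholders, not the real RRN domains.

```python
"""Hostname verification against a certificate's subjectAltName (added example).

A certificate issued for the French-language host is not valid for the
Flemish host, however correct its chain is: the dNSName entries must cover
the hostname the client connected to. Certificates below are constructed in
the dict layout returned by ssl.getpeercert(); hostnames are placeholders."""

# Constructed: a certificate issued only for the French-language host.
CERT_FRENCH_ONLY = {
    "subject": ((("commonName", "fr.example.be"),),),
    "subjectAltName": (("DNS", "fr.example.be"), ("DNS", "www.fr.example.be")),
}

# Constructed: what a correctly issued certificate for both hosts carries.
CERT_BOTH = {
    "subject": ((("commonName", "example.be"),),),
    "subjectAltName": (("DNS", "fr.example.be"), ("DNS", "nl.example.be")),
}


def _dns_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; one wildcard allowed, only as
    the whole leftmost label ('*.example.be' matches 'nl.example.be' but not
    'a.b.example.be', not 'example.be', and '*.be' is never accepted)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False  # partial wildcards and wildcard-on-TLD are rejected
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_matches_host(cert, hostname):
    """True if a subjectAltName dNSName covers hostname. The CN is only
    consulted when the certificate has no SAN at all, as browsers do."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_matches(p, hostname) for p in names)


if __name__ == "__main__":
    for cert_name, cert in (("french-only", CERT_FRENCH_ONLY), ("both", CERT_BOTH)):
        for host in ("fr.example.be", "nl.example.be"):
            print(cert_name, host, cert_matches_host(cert, host))
```

    A real TLS client does the same thing after validating the chain, which is why a perfectly good certificate deployed on the wrong virtual host still produces a warning; the fix is a certificate whose SAN lists every hostname served, or a wildcard for the parent domain.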

  • updated: mensura.be is hosted in Spain

    I forgot to double-check with IP geolocation tools, which seem to differ: it is not Belgium. The hosting company is in Belgium, but the hosting itself is in Spain.

    This makes everything much more difficult.

    It is a .be domain name, but it is hosted in Spain, which makes it much more difficult to do forensic research there, and I am not sure what will happen now with the legality of it all: which law will be applicable under which circumstances, and which law is better for the firm or for the victims.

    If you want to keep it simple: in future, be sure that your data, or that of your clients or users, is in Belgium if you are a Belgian firm or work primarily with Belgians. This makes it much easier to work with Belgian justice, Belgian police and Belgian lawyers.

     

    IP Address 46.34.93.67
    Host www.mensura.be
    Location ES ES, Spain
    City Madrid, 29 -
    Organization Terremark
    ISP NAP de Las Americas-Madrid, S.A.
    AS Number AS23148 Terremark
    Latitude 40°40'86" North
    Longitude 3°69'22" West
    Distance 2252.09 km (1399.38 miles)

      

     

  • mensura.be was not designed by a small firm

    So they made a mistake and disregarded everything that they should have known and that their developers should have done, because as a big agency they have the money and the resources to do the necessary tests to be sure that there are no classic OWASP Top 10 mistakes in their online forms, for example (like SQL injection).

    This is one of the biggest agencies around here.

    Which other websites did they forget to check for security mistakes?

    So you can ask yourself: what else was forgotten on mensura.be?

    I can't know, because in Belgium you can only be prosecuted for that ....... If some of the complainants want an independent security check by real professionals I trust for my work, and have the money for it during the course of the investigation, I can put you in contact (also if you need forensic experts to look for the proof of their fuck-ups that they are now trying to destroy).

    Use my LinkedIn, please.


  • these organisations have to reset all their passwords because of easypay.be

    Please ask all your people who have logged in there to change their passwords elsewhere

    * if it is the same password

    * if it has the same letters, structure or logic

    Take a totally different password, unrelated to anything else, for your principal email address.

    You will always need your principal email address to contact services if things are compromised or have to be verified.

    All those firms and organisations also have to block the accounts of their members who have logged in to easypay, to be sure that they don't use the same password. You can't wait until easypay says so or does so: as a good housefather and as a security person you have the obligation to protect your network and data, and now that you know that their passwords are on sale online, you have to limit the risk by whatever means you have. That means resetting the passwords of all those people using your extranet or external protected services, and in critical infrastructure like Belgocontrol and Isabel even their internal passwords (because I suppose you don't have the cheap but effective two-factor authentication methods in place).

    You can't know when the data will be sold, or to whom.

    The costs of doing so you can eventually try to recover from easypay by filing a claim in court (there is enough evidence to do so), because they were really negligent.

    Oh, and if you are a bank, or you process personal private data and so on, then not resetting all those passwords makes you NEGLIGENT, and if something happens, YOU ARE IN COURT.

    some say I am paranoid.

    I prefer to be a bit paranoid and not end up in court. 

    @belgocontrol

    @isabel 

    @abvv

    @fgtb

    @socmut

    @acv-csc

    @familiezorg

    @libmotov

    @multipharma

    @continentalfoods

    @maredsous

    @home-market

    @ocmwsintmertenslatem

    @generali-international

    @fedasil.be 

    and so on and so on

    1,000 of the 32,000 are here:

    http://paste4btc.com/wVtizDaG
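    What the advice above comes down to operationally is a cross-check: take the leaked address list, normalise it, match it against your own user directory (primary and alternate addresses), and force a reset for every hit, and if the number of hits in your own domains is large, reset everyone. The script below is an added example of that procedure, not a tool from this post; both datasets in it are constructed and the real paste is not reproduced.

```python
"""Cross-check a leaked credential dump against a user directory to decide
whose accounts to reset (added example). Both inputs are constructed."""
import csv
import io

# Constructed stand-in for the leaked list: one address per line, no passwords
# (the public paste discussed in the post carries email addresses only).
LEAKED_DUMP = """\
Jan.Peeters@example-org.be
marie.dupont@example.com
mdupont@example-org.be
someone@elsewhere.example
"""

# Constructed stand-in for an organisation's user directory export.
DIRECTORY_CSV = """\
username,email,alt_email,last_login
jpeeters,jan.peeters@example-org.be,,2014-11-20
mdupont,marie.dupont@example-org.be,marie.dupont@example.com,2014-11-19
kvandamme,karel.vandamme@example-org.be,,2014-11-01
"""


def normalise(addr):
    """Lower-case, strip whitespace, drop a '+tag' in the local part so
    aliases of one mailbox compare equal. Returns None for non-addresses."""
    addr = addr.strip().lower()
    if "@" not in addr:
        return None
    local, _, domain = addr.partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def load_leaked(text):
    return {a for a in (normalise(line) for line in text.splitlines()) if a}


def accounts_to_reset(directory_csv, leaked):
    """Map username -> matching leaked address for every directory entry whose
    primary or alternate address appears in the leak (the address is kept so
    the helpdesk can tell the user why they are being reset)."""
    hits = {}
    for row in csv.DictReader(io.StringIO(directory_csv)):
        for field in ("email", "alt_email"):
            addr = normalise(row.get(field) or "")
            if addr and addr in leaked:
                hits[row["username"]] = addr
                break
    return hits


def own_domains_in_leak(leaked, domains):
    """Count leaked addresses per domain you own. A large count is the
    argument for a blanket reset instead of per-user matching: addresses
    that are not in the directory export (old aliases, shared mailboxes)
    would otherwise slip through."""
    counts = {d: 0 for d in domains}
    for addr in leaked:
        domain = addr.rsplit("@", 1)[1]
        if domain in counts:
            counts[domain] += 1
    return counts


if __name__ == "__main__":
    leaked = load_leaked(LEAKED_DUMP)
    print(accounts_to_reset(DIRECTORY_CSV, leaked))
    print(own_domains_in_leak(leaked, ["example-org.be"]))
```

    Note the third leaked address in the sample, `mdupont@example-org.be`: it is in your domain but not in the directory export, so per-user matching misses it while the per-domain count catches it. That gap is exactly why the post argues for resetting everyone who used the service rather than waiting for an exact list.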

     

     

  • my personal complaint with the Privacy Commission against mensura.be

    They will have my data somewhere in their database,

    so I filed a personal complaint.

    In my postings you or your lawyer will find enough information that Mensura did not inform us, didn't protect our data as it should have, and was lying about the data that it lost (there is medical information in some of the files).

    I am not sure that my data has leaked, but that doesn't matter: they had my data and they don't do enough to secure it.

    As an organisation representing people (a trade union), or as an organisation or firm that is a client of mensura.be or easypay.be, you can file a complaint with a simple email to commission@privacycommission.be

    You have to mention three things:

    * why you are doing it and what your interest is, or whom you legally represent

    * which leaked data we are talking about and what the effect is (in some cases medical privacy, in some cases clear reputational damage, in all cases the loss of your rijksregisternumber)

    * the rules of the Recommendation of the Privacy Commission of January 2013 that were and ARE not respected: about security before the leak, about breach notification, and about taking the necessary measures AFTER the leak

    Remember: if we hadn't published this information, you wouldn't even have known.

    Mensura still asks for the rijksregisternumber and (bad) comments.

    easypay still has its UNPROTECTED login pages online.

    Don't just be angry: use the system, wake up the system, send an email. That is enough.

    What has to happen next for the politicians, the administrative controls and the employers' organisations to DO something? (It is in the interest of business that only those who really invest in security and service are 'certified', and not whatever cowboy with a cheap programmer and a cheap server who tries to undercut your price in exchange for no security and in fact no service.)


  • easypay.be doesn't pay, so Rex Mundi puts 32,000 passwords up for online sale

    There are no passwords in this file.

    These are just some of the email addresses linked to the passwords:

    http://paste4btc.com/wVtizDaG

    So 32,000 people have to be alerted TODAY that if they have an account there, they should change

    * the same passwords

    * passwords that look the same or have the same structure

    for any service on the web that can be directly or indirectly linked to them, even if it seems innocent at first.

    Skynetblogs has asked me to suppress the image with the proof.

    If you are a lawyer and you need this information for your court case against easypay, you can contact me.

  • mensura.be data is online again

    And so you can see that there is medical data in it, whatever Mensura is saying.

    It will probably be deleted fast, though:

    https://dpaste.de/VXuB

    And so the cat-and-mouse game will go on and on and on,

    and the number of people having access to that data will increase, increase, increase:

    with the rijksregisternumber in it, and why your employer didn't trust you, and here and there which sickness you claimed to have.

    Skynetblogs has asked me to suppress this image.

    If you need this information as a lawyer to prove your case, you can contact me; please identify why you need it.

  • easypay.be is lucky it only has to reset the passwords that use an email address as login

    The dataset that Rex Mundi found on the website of easypay (which has some secure and some older, very insecure parts, without even encrypted logins) consists of passwords combined with email addresses as login.

    So this is one possibility, especially because there is NO ENCRYPTION on that login (how is this still possible...), and there are other login pages and forms like that on this site without any encryption:

    http://easyweb.easypay-group.com/xhtml/router.jsp

    We didn't test for any SQL injection on any site, as this would be illegal under Belgian law and we don't do anything illegal (because so many people hate us that they would love to prosecute us and silence us, to be able to keep on doing their work as if nothing happened and you would never know).

    The biggest question is whether all the users have been informed that their logins and passwords are compromised and should be reset, and that they should change their password if they use it anywhere else with the same email address.

    They are lucky; it could have been much worse. But I have also thought that Rex Mundi was always in for a quickie and has not proven that he is up for big, complicated, long-term operations using different entries on websites or combining vulnerabilities and mistakes (at least this is not the impression I have until now, but he can also try to convince me of the contrary). On the other side, why would you do such operations and take such risks of leaving so many traces behind, if there are so many websites that are so badly written and maintained that in a few minutes you just get the data?

    It is like walking into a casino with rows of cash machines: sometimes you are lucky and sometimes you are not. We don't know how many websites have paid, and we will probably never know, because no data has been published about them. We only know of the hacked or breached sites because they don't want to pay, or not immediately. On the other side, his price has gone up so enormously that paying has become much more difficult for some companies. When he was asking only a few thousand dollars, most companies could keep it away from the board of directors and hide it in a consultancy or other contract. With stringent financial rules this is much more difficult if you are asking 30,000 euro or much more. But it also shows that some companies have paid that much without much resistance, and that has increased the price for all the others as well.

    As a reminder: I have nothing to do with this group or guy, and only know them through Twitter.

     

     


  • mensura.be: rumours about parties preparing official complaints

    It seems that some trade union organisations are beginning to move and are talking to lawyers to prepare official complaints.

    Belsec is available for help and advice.

    The Recommendation of January 2013 by the Privacy Commission is very important.

  • easypay.be, a payroll company, was the next victim of Rex Mundi, and there are at least 10 databases that are not protected

    From other tweets we know they have said that they had the logins, which weren't well encrypted, and we have already published that the certificate of the https protection is not worth one cent.

    Developing story: follow us.

    And their page that calculated your loan has been retired.

    Interesting links (with the same bad encryption):

    https://payrolling.easypay-group.com/  remote desktop connection

    http://hosting.easypay-group.com/

    http://easyweb.easypay-group.com/xhtml/router.jsp (login page without encryption)

    http://eunomia.easypay-group.com/xhtml/com/easypaygroup/standard/view/authentication/authentication.xhtml (login page without encryption)

    and the same site has a registration page with all kinds of personal data, without encryption:

    http://eunomia.easypay-group.com/xhtml/com/easypaygroup/standard/view/registration/registration.xhtml?lang=nl

    http://194.78.71.164/dimona2/   login

    it gets even better:

    http://www.easypay-group.com/fr_BE/guichet_d_entreprises/formulaire/  (no encryption :)
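    The "login page without encryption" finding in this post and the one above is mechanical to check: the page must be served over https (otherwise the form itself can be rewritten in transit) and every form that carries a password field, or posts personal data, must submit to an https action. The scanner below is an added example of that check, not a scan of the sites named here; the HTML it parses is constructed and the URLs are placeholders.

```python
"""Flag login/registration forms that submit credentials or personal data in
the clear (added example). Pages and URLs below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every <form> on a page with its resolved action and inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # dicts: action, method, fields
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """One finding per form that has a password field or posts data without
    TLS on both the page and the form action."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        has_password = any(t == "password" for t, _ in form["fields"])
        if not (has_password or form["method"] == "post"):
            continue
        problems = []
        if not page_https:
            problems.append("page served over http (form can be rewritten in transit)")
        if urlsplit(form["action"]).scheme != "https":
            problems.append("form action is http (submitted data travels in clear)")
        if problems:
            findings.append({"action": form["action"],
                             "password_field": has_password,
                             "problems": problems})
    return findings


# Constructed: a login page served over plain http with a relative action.
LOGIN_PAGE_URL = "http://login.example.be/xhtml/router.jsp"
LOGIN_PAGE_HTML = """<html><body>
<form action="router.jsp" method="post">
  <input type="text" name="user"><input type="password" name="pwd">
</form></body></html>"""

# Constructed: an https page whose registration form still posts to http.
MIXED_PAGE_URL = "https://portal.example.be/register"
MIXED_PAGE_HTML = """<form method="post" action="http://portal.example.be/save">
  <input name="rrn"><input name="address"></form>"""

# Constructed: page and action both on https, which is what you want to see.
GOOD_PAGE_URL = "https://portal.example.be/login"
GOOD_PAGE_HTML = """<form method="post" action="/auth">
  <input type="password" name="pwd"></form>"""

if __name__ == "__main__":
    for url, html in ((LOGIN_PAGE_URL, LOGIN_PAGE_HTML),
                      (MIXED_PAGE_URL, MIXED_PAGE_HTML),
                      (GOOD_PAGE_URL, GOOD_PAGE_HTML)):
        print(url, insecure_forms(url, html))
```

    The second constructed page is the case that is easy to miss in a visual check: the address bar shows a padlock, but the form's action still points at an http URL, so the personal data is posted in the clear anyway. A real check would fetch each page and feed its body to `insecure_forms`; doing that against a site you do not own is exactly what the post says it deliberately did not do.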

     

  • low-traffic Tor entry and exit relays can be used to correlate traffic and de-anonymise users

    This is how it is done, in one picture.

    But read this: https://blog.torproject.org/blog/traffic-correlation-using-netflows

    The more Tor is used, and the more Tor relays there are, the better our protection.
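    What the linked Tor post describes is a statistical attack, not an interception: an adversary who only sees coarse flow records (bytes per flow over time, as a NetFlow export provides) at a client's entry relay and at an exit relay bins both sides into fixed intervals and correlates the series; the entry/exit pair that correlates best reveals which client was talking to which server. The following toy model is an added example, not code from the post or from the Tor project; all flow records in it are constructed, and the 1.1x scaling standing in for Tor cell overhead is an assumption.

```python
"""Toy model of NetFlow-based traffic correlation against Tor (added example).
Flow records are (timestamp_seconds, byte_count) tuples, all constructed."""
import math

INTERVAL = 5      # seconds per bin, the granularity a flow export might give
N_BINS = 24       # observation window: 24 bins = two minutes


def pearson(a, b):
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0


def bin_flow(records, interval=INTERVAL, n_bins=N_BINS):
    """Byte volume per interval; records outside the window are dropped."""
    bins = [0] * n_bins
    for t, nbytes in records:
        i = int(t // interval)
        if 0 <= i < n_bins:
            bins[i] += nbytes
    return bins


def correlate(entry_flows, exit_flows):
    """For each entry-side flow, the exit-side flow with the highest
    correlation and its score."""
    exit_series = {name: bin_flow(f) for name, f in exit_flows.items()}
    matches = {}
    for name, f in entry_flows.items():
        e = bin_flow(f)
        scored = {xname: pearson(e, xs) for xname, xs in exit_series.items()}
        best = max(scored, key=scored.get)
        matches[name] = (best, round(scored[best], 3))
    return matches


# Constructed traffic shapes (bytes per bin): a bursty download early in the
# window, a bursty download late in the window, and a steady low-rate chat.
PATTERNS = {
    "client-A": [40000, 9000, 0, 0, 1500, 0, 0, 0, 40000, 9000, 0, 0,
                 0, 0, 0, 0, 1500, 0, 0, 0, 0, 0, 0, 0],
    "client-B": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                 1500, 9000, 40000, 40000, 9000, 0, 0, 0, 0, 0, 1500, 0],
    "client-C": [1500, 0] * 12,
}


def to_records(pattern, phase, scale=1.0):
    """Turn a shape into flow records. `phase` jitters each timestamp inside
    its bin (timing is never identical on both sides); `scale` models the
    exit side being slightly larger than the entry side (assumed 1.1x)."""
    return [(t * INTERVAL + (t * phase) % INTERVAL, int(b * scale))
            for t, b in enumerate(pattern) if b]


def demo():
    entry = {name: to_records(p, phase=7) for name, p in PATTERNS.items()}
    exit_ = {name.replace("client", "server"): to_records(p, phase=3, scale=1.1)
             for name, p in PATTERNS.items()}
    return correlate(entry, exit_)


if __name__ == "__main__":
    for client, (server, r) in demo().items():
        print(f"{client} -> {server}  r={r}")
```

    The model also shows why the post's closing line is right: the attack is a nearest-neighbour search over every candidate exit flow in the window, so the more concurrent flows with similar shapes the observer has to sort through (and the more relays that traffic is spread over, so no single low-traffic relay sees a clean, isolated series), the more false matches the correlation produces.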