
  • we are going on strike - see you on tuesday

    what did you expect

    I am an activist

    and my fight for privacy and security is independent from my political views - always has been - because it is the only way to make coalitions that can change things

    but for now

    I am on strike

  • according to the privacy commission the victims are responsible for all the costs of their data loss

    this is what currently has to be in the notification to the affected persons

    • name of the data controller,
    • contact details of a contact point where additional information can be obtained,
    • summary of the incident that affected the personal data,
    • presumed date of the incident,
    • nature and extent of the personal data concerned,
    • conceivable consequences of the data leak for the persons concerned,
    • circumstances under which the data leak took place,
    • the measures the controller has taken to remedy this data leak,
    • the measures the controller recommends to the persons concerned to limit the possible damage.
    http://www.privacycommission.be/nl/melding-gegevenslekken-algemeen

    so the costs and the inconvenience of changing the bank account or the mobile phone are solely for the victim; in fact this is called double victimisation, as with rape

    because if the data are abused afterwards, it is suddenly the fault of the victim, who didn't do everything he should have done according to the cause of the leak (the insecure data collector)

    no, in my opinion it is the cause of the data leak, the insecure data collector, who has to inform the banks if there are bank account numbers in it, the mobile phone companies if there are mobile numbers in it, and so on

    this is how it is in the US and maybe we should adopt that example

    then suddenly many more companies will start paying more attention and asking for far less data that they could also obtain via a safer route

  • microsoft is fucking up its once so fantastic automatic update service

    do they understand how important this is for the security of the machines

    if people stop downloading security updates automatically then we are creating a situation in which we are going back to 2004

    we should be able to trust Microsoft to have put every needed resource in this process so that we can continue to trust it

    and interfering with updates and drivers from hardware that are generally so well known shows that there is something going totally wrong in the quality control

    source http://www.forbes.com/sites/jasonevangelho/2014/12/13/new-windows-7-patch-is-effectively-malware-disables-graphics-driver-updates-and-windows-defender/

  • #rexmundi why does he work in Belgium?

    it is quite simple

    it is simple

    the minister for privacy doesn't want the privacy commission to have more powers and more resources, and the privacy commission itself told me last week that they were not responsible for the security of the internet and that they don't have the resources - maybe once the European directive on data protection comes into force

    so who is responsible for the security of the internet

    the prime minister? well, the new federal centre for cybersecurity has been announced for years, but after a lot of talk about who should be the general and the colonels they finally may be deciding to set it up, yet they don't seem to make this a priority and announce it for somewhere in 2015 while not being sure they have any funding for it

    the cert? the cert is not responsible for the security of the internet, they try to handle the incidents that they receive, not the incidents they want to prevent from happening (which is why you can't call them the firemen of the internet over here, because they don't have those powers or resources)

    the national bank and the financial sector have some rules and controls (although at the national bank the cell that is responsible for the IT security controls of the banks - even though this is becoming internationally a big responsibility - are few and have very few powers and resources, and best of all, the online companies for credit and loans are explicitly excluded from these controls without naming who is responsible)

    maybe the sector could do it? yep, the sector could do it, and there are some initiatives, but you see that they don't work, and if the same kind of controls were put into place in other fields of our economy or real life then it would be a quite bloody mess around here

    so this is worse than the titanic

    there is even a captain on board and the crew is underpaid, understaffed and doesn't really know what it is supposed to do

    so if you were rexmundi why should you make your life difficult ?

    you do some google searches and find the forms, you do some quick checks and you see if the form has an sql injection or not and once you see that there is one, you download and send an email and a number of cases you get paid and in another you get publicity

    should we keep quiet about Rex Mundi

    well no because if we give publicity or not, the data are there online and the data are data from our citizens who don't know that their data are leaked or are informed but that is it - they don't do anything more (not paying for another mobile number, the cost of changing your emailaddress and all your passwords, bankaccounts and so on)

    the people have the right to know that this is a mess and nobody is telling them, and the people who should clean it up are too few and have too few resources and too few rights to intervene to prevent accidents from happening

    it is all very well for ministers and parliamentarians to say how bad it is

    DO SOMETHING ABOUT IT NOW

  • rs-krediet.be asks for all your personal details but there is no encryption when you fill the data in

    in fact this means there is no real certificate

    there is some encryption on the server itself but it is not clear if there is encryption when you transfer information

    part of their forms

  • ls-krediet.be wants all your personal data but doesn't protect it with real encryption

    another certificate that doesn't work

    and that certificate is expired and weak

    but they want all these personal data from you online without a login

  • finalys.be asks Belgians for personal details for a loan on badly encrypted French servers

    they have a strange ssl certificate

    and this certificate is not strong

  • #rexmundi analyzing the Xtra-Interim.be leak WITH 1000 NATIONAL REGISTRY NUMBERS

    It is about 1000 persons

    they used sql injections (several), which means that the programmers have set up a database and a form without any security checks, making mistakes that should have been corrected if one had followed whatever professional book (if you are a professional programmer)

    it also means that the hosting of the site has no good application defence, which means that it doesn't have a good firewall, because otherwise even with these vulnerabilities it would have been more difficult to execute those attacks

    If I had a site with that site, I would check my forms and databases because this is the third one
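    As an added illustration (not code from the post, the site or its developer), here is the mistake the post describes, a form handler pasting the submitted value straight into the query text, next to the parameterized version, run against a constructed in-memory table that borrows a few column names from the leaked field list; every row is invented sample data.

```python
import sqlite3

def build_db():
    """Constructed in-memory table using a subset of the leaked column names
    (all rows are invented sample data, nothing from the actual leak)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE kandidaten (id INTEGER PRIMARY KEY, naam TEXT, email TEXT, "
        "paswoord TEXT, rekeningnr TEXT, rijksregisternummer TEXT)"
    )
    con.executemany(
        "INSERT INTO kandidaten (naam, email, paswoord, rekeningnr, rijksregisternummer) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            ("Jan Demo", "jan@example.invalid", "hunter2", "BE00 0000 0000 0000", "00.00.00-000.00"),
            ("An Demo", "an@example.invalid", "secret", "BE00 0000 0000 0001", "00.00.00-000.01"),
        ],
    )
    return con

def lookup_vulnerable(con, email):
    # The mistake the post describes: the form value is pasted into the SQL text,
    # so a quote character in the input changes the shape of the query itself.
    sql = "SELECT naam, email FROM kandidaten WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con, email):
    # Bound parameter: the value travels to the engine separately from the query
    # text, so whatever the input contains it is only ever compared as a string.
    return con.execute(
        "SELECT naam, email FROM kandidaten WHERE email = ?", (email,)
    ).fetchall()

if __name__ == "__main__":
    con = build_db()
    # A normal lookup behaves the same in both versions.
    print(lookup_vulnerable(con, "jan@example.invalid"))
    # A quote in the input makes the concatenated query return every row ...
    print(lookup_vulnerable(con, "x' OR '1'='1"))
    # ... while the parameterized query simply finds no candidate with that address.
    print(lookup_parameterized(con, "x' OR '1'='1"))
```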

    id,langID,hiant_id,cv,tel,naam,email,busnr,huisnr,straat,postcode,voornaam,gemeente,paswoord,opmerking,rekeningnr,creationdate,nationaliteit,geboortedatum,geboorteplaats,preferred_jobs,burgerlijke_stand,rijksregisternummer

    not everybody filled in all these fields in the form, and I would continue to say that there is no obligation to fill in personal information or correct information (the only thing that is needed is your email address)

    there are about 100 bank account numbers (for the banks: the files with the list are with the FCCU and CERT.be if you need to contact the people)

    there is no guarantee that these files will not be downloaded, combined with or sold to other (criminal) networks

    rex mundi didn't keep the promise not to publish the national registry numbers, which means that about 1000 of them are leaked online (and to the underworld)

  • #rexmundi publishes the dataset from Xtra-Interim.be

    no links due to lawyers, but if you know how to search Google you will find it

    "Dear friends and foes,

    Here is the full data leak from Xtra-Interim.be, another Novation.be project with numerous SQL injection vulnerabilities. Our advice to Xtra-Interim: ask Novation for a full refund. And damages, if possible.

    Just a quick note: a little bird told us that the Belgian police's new stance is to advise victims not to pay, in the hope that we would eventually quit hacking Belgian websites if there was no money to be made out of it.

    In truth, we won't stop regardless of whether we get paid or not.

    It is just too damn fun.

    Rex Mundi


    id,langID,hiant_id,cv,tel,naam,email,busnr,huisnr,straat,postcode,voornaam,gemeente,paswoord,opmerking,rekeningnr,creationdate,nationaliteit,geboortedatum,geboorteplaats,preferred_jobs,burgerlijke_stand,rijksregisternummer

  • #belgacomhack this is why Belgacom was hacked in one pic

    hack Belgacom and have access to communications all over the world

    why hack hundreds of mobile companies if you need only one that has a passe-partout (masterkey)


    the only thing that was missing was the comprehension at BICS Belgacom that they were the keepers of the kingdom, the centre of the communication networks, and have to have security that confirms the trust of all their international partners in their capability of securing a castle that is being stormed, attacked and penetrated every second

    (image: bicsnetwork.PNG)

  • Microsoft update is under repair (and things mess up) or needs some repair

    because there are some instances and incidents that are strange, and they increase the pressure on Microsoft to re-secure it (seeing updates before they are launched is not really secure, because you could analyse the code if you didn't have good intentions) and to make it as robust as it once was

    http://blog.norsecorp.com/2014/12/12/microsoft-issues-patch-to-fix-buggy-windows-root-certificate-patch/

  • #ukraine this is an example of the present tension in the Baltic-Nordic airspace

    trying to prevent collisions between civil aircraft and unidentified Russian military aircraft flying without transponders (the signals that let others know what they are doing, switched off just as the 9-11 terrorists did) and not responding to any demand for identification or information from the air traffic controllers

    madness

    one day there will be a collision and what will happen then

  • #belgacomhack userpages of Belgacom users still infectable

    it means that there is no good antivirus running on these servers, so these servers can become infected

    source scumware.org

    ps telenet also has a page infected like this

    but no, we shouldn't worry they don't need security-audits, they are safe, we should trust them without any independent oversight

  • #belgacomhack is belgacom still infected or not

    this is the wrong question

    it should reshape its security culture as if it can be infected again every day, and every day when they discover attacks they should be sure that they get to the bottom of it

    they shouldn't take things for granted and should be

    * changing people from time to time so that they don't get used to the number of attacks

    * not falling into the red traffic trap: it is also the green traffic that has to be looked at, because it is not because it leaves the enterprise through accepted rules that it should have left the firm

    * getting external people in from time to time to question everything

    * getting other security tools from time to time to re-analyse the traffic or a copy of it, so you are sure that nothing has passed your normal controls

    * getting some paranoia as a basic part of your security culture: you will be attacked permanently and you will be infected, penetrated and maybe owned all the time, over and over again - if they don't have that border guard mentality they shouldn't be guarding the borders

    security is not about having people with CVs, it is not about huge budgets for enormously expensive tools that show very impressive graphical security metrics

    security is finding that one connection of that PC that looks normal to everybody except to the second auditor, just going through the traffic for the 20th time with specific filters based on new information about infections and dangerous connections
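    An added example, not the blog's own code, of the kind of second pass over accepted ("green") traffic this post argues for: constructed firewall ACCEPT lines are re-filtered against a new indicator list and checked for connections that repeat at a fixed interval; every address, timestamp and indicator below is invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log of ACCEPTED outbound connections (the "green traffic");
# every address and timestamp is invented for this example.
ACCEPT_LOG = """\
2014-12-13T08:00:00 ACCEPT 10.1.2.15 -> 203.0.113.7:443
2014-12-13T08:00:01 ACCEPT 10.1.2.20 -> 198.51.100.4:80
2014-12-13T08:10:00 ACCEPT 10.1.2.15 -> 203.0.113.7:443
2014-12-13T08:12:37 ACCEPT 10.1.2.20 -> 198.51.100.9:443
2014-12-13T08:20:00 ACCEPT 10.1.2.15 -> 203.0.113.7:443
2014-12-13T08:30:00 ACCEPT 10.1.2.15 -> 203.0.113.7:443
2014-12-13T08:41:15 ACCEPT 10.1.2.31 -> 192.0.2.55:443
"""
# The "new information about dangerous connections" the post mentions:
# a constructed indicator list, the filter the second auditor applies.
NEW_INDICATORS = {"192.0.2.55"}

def parse_log(text):
    """Return (timestamp, src, dst_ip, dst_port) for each accepted connection."""
    events = []
    for line in text.splitlines():
        stamp, _action, src, _arrow, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(stamp), src, ip, int(port)))
    return events

def match_indicators(events, indicators):
    """Accepted connections whose destination is on the new indicator list."""
    return [(src, ip) for _, src, ip, _ in events if ip in indicators]

def find_beacons(events, min_count=4, jitter_s=5):
    """Flag src->dst pairs that connect at a near-constant interval: traffic that
    passed every rule but looks machine-driven rather than human."""
    stamps = defaultdict(list)
    for ts, src, ip, port in events:
        stamps[(src, ip, port)].append(ts)
    found = []
    for key, times in stamps.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            found.append((key, gaps[0]))
    return found
```

    Feeding parse_log(ACCEPT_LOG) to the two filters flags the single connection to the listed indicator and the one host pair that talks to the same destination every 600 seconds.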