12/13/2014

#belgacomhack the source of the problem: the Belgacom mail server was already known as a problem

"In the summer 2012, system administrators detected errors within Belgacom’s systems. At the company’s offices on Lebeau Street in Brussels, a short walk from the European Parliament’s Belgian offices, employees of Belgacom’s BICS subsidiary complained about problems receiving emails. The email server had malfunctioned, but Belgacom’s technical team couldn’t work out why.


The glitch was left unresolved until June 2013, when there was a sudden flare-up. After a Windows software update was sent to Belgacom’s email exchange server, the problems returned, worse than before. The administrators contacted Microsoft for help, questioning whether the new Windows update could be the reason for the fault. But Microsoft, too, struggled to identify exactly what was going wrong. There was still no solution to be found. (Microsoft declined to comment for this story.)
https://firstlook.org/theintercept/2014/12/13/belgacom-ha...

we found that the mail server was an open relay, which made it possible for anybody to send mail to anybody with any domain without being the owner of it (and that could probably have been used by the hackers inside the network to send internal mails)

and Belgacom found that normal ..... in march 2013

http://belsec.skynetblogs.be/archive/2013/03/19/belgacom-be-has-a-totally-open-mailrelayserver-and-finds-tha.html

the external mail server had already been blacklisted several times as a spammer or been infected between 2008 and 2013, which naturally makes it a logical victim for attacks, as it seems that the security of the machine was not necessarily up to date (rightly or wrongly)
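What "open relay" means in terms of the decision a mail server takes at RCPT TO time, as an added illustration that is not code from the post, from Belgacom or from any MTA vendor: the open-relay misconfiguration sits next to a hardened policy, and a triage helper lists the transactions each policy would forward for a stranger. LOCAL_DOMAINS, TRUSTED_NETWORKS and the SAMPLE transactions are constructed.

```python
"""Relay policy at SMTP RCPT TO time, as an MTA applies it.

Added illustration; not code from the post, Belgacom or any MTA vendor.
LOCAL_DOMAINS, TRUSTED_NETWORKS and the SAMPLE transactions are constructed.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.be", "mail.example.be"}        # constructed: domains we deliver for
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed: our own LAN


@dataclass
class Transaction:
    client_ip: str       # address of the SMTP client
    authenticated: bool  # SMTP AUTH succeeded
    mail_from: str       # envelope sender
    rcpt_to: str         # envelope recipient


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_trusted_client(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)


def open_relay_policy(tx: Transaction) -> str:
    """The misconfiguration: any sender may reach any recipient, so the
    server forwards mail for strangers and lets them use any domain."""
    return "accept"


def relay_policy(tx: Transaction) -> str:
    """Hardened policy: relay only for authenticated or trusted clients,
    and do not let outsiders claim one of our own domains as sender."""
    insider = tx.authenticated or is_trusted_client(tx.client_ip)
    if _domain(tx.mail_from) in LOCAL_DOMAINS and not insider:
        return "reject: sender domain spoofed"
    if _domain(tx.rcpt_to) in LOCAL_DOMAINS:
        return "accept"            # inbound mail to our own users
    if insider:
        return "accept"            # our own users sending out
    return "reject: relay access denied"


def relayed_by(policy, transactions):
    """Transactions the given policy forwards to a foreign domain on behalf of
    an untrusted, unauthenticated client: the open-relay abuse cases."""
    return [tx for tx in transactions
            if policy(tx) == "accept"
            and _domain(tx.rcpt_to) not in LOCAL_DOMAINS
            and not (tx.authenticated or is_trusted_client(tx.client_ip))]


# Constructed sample transactions (RFC 5737 documentation addresses).
SAMPLE = [
    Transaction("203.0.113.5", False, "spammer@example.net", "victim@example.org"),  # stranger relaying
    Transaction("203.0.113.5", False, "ceo@example.be", "staff@example.be"),          # outsider posing as insider
    Transaction("10.1.2.3", False, "alice@example.be", "bob@example.org"),            # LAN user sending out
    Transaction("203.0.113.9", True, "alice@example.be", "bob@example.org"),          # roaming user, SMTP AUTH
    Transaction("198.51.100.7", False, "someone@example.net", "alice@example.be"),    # normal inbound mail
    Transaction("203.0.113.5", False, "x@example.net", "y@example.com"),              # stranger relaying
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(f"{tx.client_ip:>13} {tx.mail_from:>20} -> {tx.rcpt_to:<20} "
              f"open relay: {open_relay_policy(tx):<6} hardened: {relay_policy(tx)}")
    print("abused by open relay:", len(relayed_by(open_relay_policy, SAMPLE)))
```

The second sample transaction is the case the post worries about: an outsider sending "internal" mail. A relay policy alone never catches it, because the recipient is local and the server must accept inbound mail; it is the sender-domain check (or SPF/DKIM on the receiving side) that stops it, which is why an open relay that also skips sender checks is so useful to an intruder.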

so we were as surprised that this was maybe the digital beachhead of the penetration as we were when we were told that the NMBS, a year later, used the same insecure platform to place the data of one million clients, a platform on which it had hosted internal data a year before (and didn't bring it down afterwards)


#belgacomhack the security question for Cisco to answer

"The most serious discovery was that the large routers that form the very core of Belgacom’s international carrier networks, made by the American company Cisco, were also found to have been compromised and infected. The routers are one of the most closely guarded parts of the company’s infrastructure, because they handle large flows of sensitive private communications transiting through its networks.


"Earlier Snowden leaks have shown how the NSA can compromise routers, such as those operated by Cisco; the agency can remotely hack them, or physically intercept and bug them before they are installed at a company. In the Belgacom case, it is not clear exactly which method was used by GCHQ—or whether there was any direct NSA assistance. (The NSA declined to comment for this story.)


"Either way, the malware investigators at Belgacom never got a chance to study the routers. After the infection of the Cisco routers was found, the company issued an order that no one could tamper with them. Belgacom bosses insisted that only employees from Cisco could handle the routers, which caused unease among some of the investigators
https://firstlook.org/theintercept/2014/12/13/belgacom-ha...

so Cisco, you can now explain what you have done lately to make it impossible to carry out the same attacks again, because if you don't, then we can't be sure that any Cisco router won't fall victim to the same attacks, and then we have only two choices

* install very strict security rules and controls

* change the routers to another firm that can guarantee this security and is not from China


#belgacomhack this is the most important disastrous fact for Microsoft

"Before long, Fox-IT discovered strange files on Belgacom’s email server that appeared to be disguised as legitimate Microsoft software. The suspicious files had been enabling a highly sophisticated hacker to circumvent automatic Microsoft software updates of Belgacom’s systems in order to continue infiltrating the company’s systems.
https://firstlook.org/theintercept/2014/12/13/belgacom-ha...

this has been one of the most discussed possible attacks in the security world for years, and at the time it gave the biggest scares at the thought that this would be possible

imagine that you would be able to circumvent this update process or inject it with malware; the possibilities are enormous, because this is the most trusted update channel ever, having access to all systems everywhere in the world on whatever network, even the most secret

the fact that they were able to do this and also falsify the Microsoft certificates poses enormous problems for Microsoft

the question is not whether they knew this or whether they wanted to help the NSA through this backdoor (or someone in their organisation without telling anybody else)

the only question is what they are going to do to make it impossible that their update process, which is of vital importance for the security of millions of computers and is the most efficient one in the world, is compromised again, even by an operation by the NSA

trust is total or there is no trust; there is no partial trust, you trust something or not, and if you can't trust the update process of Microsoft totally then you can't trust it, and then you will have to put security controls in place, and they will at one time or another interfere with the update process (false positives)

so Microsoft ?


#belgacomhack and De Standaard the good and the bad

First we should honour the courage and persistence of De Standaard for several reasons

* to give its journalists the possibility to research, read and understand what has happened

* to contact the keepers of the Snowden cache of documents to get more documents about this operation

* to publish a story on 4 pages about this particular hacking

we are also very impressed that

* they have understood that this is NOT a hacking operation but an espionage operation, and it is important to understand this because it needs another framework of interpretation and analysis

* they seem to have read a lot from this blog and have understood some of the points that we were and are making

but

* they seem to have misunderstood that, with this Regin that was found at Belgacom, the question of the certificates was also resolved. They were fake Microsoft certificates that signed the code as if it was from Microsoft. This also makes it necessary for Microsoft and others to think about some way to check those certificates beyond any doubt

* the Belgacom people said at their security event that they were surprised that so little data effectively left the company. They were very small text packages. This is understandable if you understand that both operations were, according to the Canadians and the British, official operations (which means that permission will have been given to look for certain specific information and nothing more, and that everything should have been programmed like that). We also know that it was not Belgacom but the mobile network of BICS that was targeted, and more particularly certain networks that were used by certain telephone numbers (nowadays one would install the IMSI-catcher spy devices that were discovered in Norway today). This means that only certain metadata was extracted. The possible repercussions for all the other instances and organisations are maybe limited, but we also don't know what some services or representatives have been telling all those people since then. The fact that so few of their important customers are protesting is maybe a sign that they have been briefed or informed that this operation was linked to the tracking of terrorists and some other people.

So to say that they have hacked NATO and the European Union is jumping to conclusions a bit. As a legal spy operation it could also have gone rogue this way and made some big problems for those involved and those who gave the permission.

and as we have said, we have moved on from Snowden; the real question is not Snowden but how we can incorporate the European intelligence services in the Five Eyes operations, as we have to prepare for the new cold war (which may become hotter during some local wars in Eastern Europe and the Baltics)

we don't have to wait too long to start those negotiations and to build a new extended framework for the democratic intelligence services to exchange information faster and more effectively, with the necessary democratic oversight and a strict definition of the rights and duties of those agencies.

this important question should also have been asked


#belgacomhack the 5 eyes are one and not so easy to separate

source http://www.theguardian.com/uk-news/2013/aug/01/nsa-paid-gchq-spying-edward-snowden

there is no question that the attacks on Belgacom and others came from the UK, and more precisely from the GCHQ bases

but these bases, although on UK territory, are not necessarily totally under the control of the UK government, because they are also paid for and led by the NSA, while people from the other partners are also working on these bases

so the question is more complicated than at first sight

the 5 allies after the second world war formed an intelligence alliance because they had also discovered that the British and other intelligence agencies were deeply penetrated by Russian spies during the second world war (while they were concentrating on the Nazis and saw the Russians as allies) and needed the intelligence from the USA to help them keep their secrets secret from the Russians, who weren't allies anymore but became the new enemies because they were occupying Eastern Europe and installing a strange form of people's democracy

so the real question is whether the new Europe can have a place in a new 6 eyes intelligence coalition

In De Standaard they refer to the story about the spying on Merkel and the diplomatic row that followed, but it now seems that the story is crap and that there are doubts about these specific documents, so you can say that Di Rupo was only cautious, because in Germany they are now embarrassed that they made such a row with so little real evidence


#ukraine the best joke about the russian present stalinist propaganda world


#rexmundi announces third Belgian leak soon

they won't pay even if the sum is stupidly low

they won't pay because the police advise them not to pay

but there will be a reason why Rex Mundi keeps on hacking here and elsewhere

because there are those who pay, and about those we will never know

oh and about novation.be


12/12/2014

from one #rexmundi to many .....

or it is just a mindgame to make understanding it all much more difficult

or they are different groups who are only using the same methods (and that doesn't need so much practice and knowledge)

but it is not up to me to say what is wrong and who is right

by the way these hackers are only the result of a situation, they are not the cause of the problem

the problem is that cybersecurity has been too lax in Belgium and as long as that is possible you will always have such attacks

by a rex mundi or by somebody else

for money or for espionage or for politics or just LOL


#ukraine Russian Santa Claus also hurrying to Mariupol to be in time for Christmas

joke of the day in a place where there is hardly any time to joke because there is nothing to joke about


piratebay may be gone or having troubles, but its archive of links is already online again

source http://oldpiratebay.org/


#rexmundi hack we confirm Tobasco.be has lost bank account numbers (2000 or 100)

It wasn't on z-staffing.org but on the form of tobasco.be that there was the possibility to fill in your bank account number

they have lost about 2800 accounts

but the export of the data seems to be problematic: in the table it is shown as x.xxxxxE+13, where x stands for a digit of an account number that we have changed, so without the 13 other digits we aren't sure what the number will be, and it is not clear whether he has been able to download the account numbers in full and this is just a bad export to a table that could be posted on dpaste, or whether this is the form in which he has some bank accounts

if he has all the bank account numbers in full, then he has about 2000 bank accounts with all the personal details of the people involved

if he has the bank account numbers in the short form, then there are only about 100 bank account numbers in full that were short enough to be downloaded or published in full
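The x.xxxxxE+13 ambiguity worked through, as an added example that is not part of the original post: ACCOUNT is a constructed 14-digit number (hence E+13), not a real account, and the functions mimic a spreadsheet "General" cell to show how many digits such a rendering keeps, how many candidate numbers match the rendered string, and that the underlying float still holds the full number, so a different export of the same data would leak it in full.

```python
"""Why a leaked account number shown as x.xxxxxE+13 is ambiguous.

Added illustration, not code from the post. ACCOUNT is a constructed
14-digit number (hence E+13), not a real account.
"""
ACCOUNT = 12345678901234  # constructed


def render_general(value: int, significant: int = 6) -> str:
    """Mimic a spreadsheet 'General' cell for a wide number: the value is kept
    as a float and shown in scientific notation with few significant digits."""
    return f"{float(value):.{significant - 1}E}"


def digits_shown(rendered: str) -> int:
    """Significant digits that survive in the rendered string."""
    mantissa = rendered.split("E")[0]
    return len(mantissa.replace(".", "").lstrip("-"))


def digits_lost(rendered: str) -> int:
    """Digits of the original integer that the rendering threw away."""
    exponent = int(rendered.split("E")[1])   # "+13" parses as 13
    total_digits = exponent + 1              # d.ddddE+13 is a 14-digit integer
    return total_digits - digits_shown(rendered)


def candidate_count(rendered: str) -> int:
    """How many distinct integers would render to this same string: the
    uncertainty behind 'without the other digits we aren't sure'."""
    return 10 ** digits_lost(rendered)


def float_holds_exactly(value: int) -> bool:
    """A float64 represents every integer up to 2**53 exactly, so a 14-digit
    number survives the conversion; only the display truncates it."""
    return int(float(value)) == value


def full_precision_export(value: int) -> str:
    """The same float, exported as a plain integer string: nothing is lost.
    This is what a CSV export with full precision would have leaked."""
    return f"{float(value):.0f}"


if __name__ == "__main__":
    shown = render_general(ACCOUNT)
    print(shown, "shows", digits_shown(shown), "digits, hides", digits_lost(shown))
    print("candidates matching that string:", candidate_count(shown))
    print("float intact:", float_holds_exactly(ACCOUNT), full_precision_export(ACCOUNT))
```

The point for the victims is the last two functions: the rendered string on a paste site tells you nothing about whether the exporter's own copy is intact, and since a float holds a 14-digit integer exactly, it almost certainly is.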

now, don't start crying victory because it would be a false victory

we don't know anything, and because we don't know anything and live only on suppositions, we should suppose only that all that data has been compromised, and as it is compromised we shouldn't use it and we should change it

period

and even if he doesn't publish the bank account numbers in full, he can sell them or just upload the full dataset to a real file server

anyway, the Belgian banks should urgently start organizing some methodology to respond to cases like this - informing the victims is not enough - you should help the victims and you should give them compensation for having to change a lot of administrative things


#rexmundi hacked another online interim firm, no data leak yet but real reputation damage

so what is this

well the site seems to have gone offline - the best thing to do under the circumstances

but it will go into the digital history for some time as being hacked and leaked

because if you look for xtra-interim in Google then you get their website, but just under it the news that they were hacked


#rex mundi is not from Belgium, but he came to Belgium ..... to hack

In this article in De Morgen Eddy Willems thinks that he or the group is from Belgium because he has been attacking Belgian targets lately. He thinks they are French-speaking.

Rex Mundi discovered Belgium. He was hacking in France, the Netherlands and some other countries when by chance he discovered that the state of internet security was so bad here that it was a piece of cake to hack websites of some specific sectors that have no oversight at all, where everybody can do on the web whatever he does, well or badly, and nearly nobody cares a bit about their responsibilities and the consequences, because there is nobody who has the power, or wants to effectively use his authority voluntarily, to impose norms, audits and punishments.

I could be wrong because Rex Mundi seems to have learned a lot from the mistakes the Lulzsec people made and the fact that he is still out there hacking and changing the way he is operating seems to confirm this. Rex Mundi is a ghost.

Rex Mundi will never be caught if there is no dedicated international team that hunts him down like all other big or important hackers and cybercrime groups have been hunted down. This was never done by one country or one operation but by a coordinated international team with all the necessary resources, judicial powers and evidence.

Otherwise they will never find Rex Mundi

I am not Rex Mundi and even not part of it. Never was.

But I don't understand what all that grandstanding about the digital Interpol is about, while here is one example of an experienced hacker ransacking Belgium for the moment but ready to go back to whatever countries he tried out first.


#leak boitajeux.fr published, with many Belgians among the victims

no link due to lawyers

passwords seem encrypted, but we can't even try to decrypt them


#snowden the NSA document showing the phone of Merkel was tapped seems in doubt

"Harald Range launched an official investigation in June, believing there was enough preliminary evidence to show unknown U.S. intelligence officers had tapped the phone, although there was not enough clarity on the issue to bring charges.


On Wednesday he said however, "the document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.


"There is no proof at the moment which could lead to charges that Chancellor Merkel's phone connection data was collected or her calls tapped."


Range said neither a reporter for German news magazine Spiegel who presented the document, nor Germany's BND foreign intelligence agency, nor Snowden had provided further details to his office. The investigation continues, however. http://mobile.reuters.com/article/idUSKBN0JP1QG20141211?i...

if that document is in doubt, then there can also be some doubt about other documents, even more so now that there seem to be several caches or selections of documents that are being used by different people in different places

the effect of course will be that the real journalists will now ask for more guarantees from the NSA junkies to prove that their documents are really coming from a real Snowden cache and are really from the NSA


#ukraine Russian troops are on the move.... to Mariupol

this is what they are writing on their tanks

this is what they are saying on their social media

this is one of the several columns rumored to be heading to Mariupol

or somebody thought that Putin didn't want to take Mariupol and gave up on the idea ?

what will the rest of the world do if he starts attacking Mariupol ?


#rexmundi decides not to publish the national registry numbers but what about the bank account numbers

thanks for that

they are in any case compromised

and together with the bank account numbers this would have been mortal

the other question remains what will now happen with the people who have their personal contact details, some personal and financial information and their bank accounts published

in the US the firm or service responsible for the protection of the data has to pay for a year of monitoring or the costs of changing the bank accounts and other details


#rexmundi leaks what we see and what we don't

  • first, we don't see the national registry numbers, which is good if that was the intention - we say that you should never fill that in online, or any other personal or financial information, if you don't have all the necessary security settings (like https, like being protected behind another login screen, etc.)
  • secondly, we see that some people have not filled in all the information, which shows that people sometimes begin to think like we do - if you don't need it, you shouldn't get it
  • third, the passwords are protected somewhat

but we see

id langID hiant_id cv tel naam email busnr office huisnr straat diploma postcode voornaam gemeente
paswoord opmerking creationdate nationaliteit geboortedatum geboorteplaats burgerlijke_stand

we have emails and if somebody is still married and the address and so on

and we see

id eid hiant_id video_id arbeidsstelsel cv tel naam type email active straat
statuut bedrijf postcode paswoord
voornaam gemeente opmerking loginnaam fiscale_code creation_date nationaliteit
geboortedatum rekeningnummer geboorteplaats burgerlijke_stand fiscale_code_temp

not everybody filled in their NR (national registry number) or their bank account (wise), but some did, and they may have to get some special protections and maybe change their account number, given the number of personal details that are published, which makes fraud and phishing easier
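A triage of these column names by data category, as an added example that is not code from the post or from the agencies involved: the two column lists are the ones shown above (Dutch field names), the keyword-to-category map and the exposure rule are my own assumptions, and the result shows which of the two tables warrants the special protections mentioned.

```python
"""Triage of leaked column names by data category.

Added illustration, not code from the post or from the agencies involved.
TABLE_A and TABLE_B are the column lists shown in the post (Dutch names);
CATEGORIES and the exposure rule are my own assumptions.
"""
TABLE_A = ("id langID hiant_id cv tel naam email busnr office huisnr straat diploma "
           "postcode voornaam gemeente paswoord opmerking creationdate nationaliteit "
           "geboortedatum geboorteplaats burgerlijke_stand").split()
TABLE_B = ("id eid hiant_id video_id arbeidsstelsel cv tel naam type email active straat "
           "statuut bedrijf postcode paswoord voornaam gemeente opmerking loginnaam "
           "fiscale_code creation_date nationaliteit geboortedatum rekeningnummer "
           "geboorteplaats burgerlijke_stand fiscale_code_temp").split()

# Assumed keyword map; a column matches a category when its name starts with a
# keyword. "rijksregister" (national registry number) is listed so the check is
# complete, though neither table above has such a column.
CATEGORIES = {
    "credential": ("paswoord", "loginnaam"),
    "financial": ("rekeningnummer", "fiscale_code"),
    "identity": ("eid", "rijksregister", "geboortedatum", "geboorteplaats",
                 "nationaliteit", "burgerlijke_stand"),
    "employment": ("cv", "diploma", "arbeidsstelsel", "statuut", "bedrijf"),
    "contact": ("naam", "voornaam", "email", "tel", "straat", "huisnr", "busnr",
                "postcode", "gemeente"),
}


def classify(column: str) -> str:
    """Category of one column name; first matching category in dict order wins."""
    name = column.lower()
    for category, keywords in CATEGORIES.items():
        if any(name.startswith(k) for k in keywords):
            return category
    return "other"


def triage(columns):
    """Map every category (plus 'other') to the sorted list of matching columns."""
    result = {category: [] for category in list(CATEGORIES) + ["other"]}
    for column in columns:
        result[classify(column)].append(column)
    return {category: sorted(cols) for category, cols in result.items()}


def exposure_level(columns) -> str:
    """Assumed rule: identity plus payment data in one record enables fraud and
    phishing directly ('high'); credentials or identity alone still warrant
    notification ('medium'); anything else is 'low'."""
    present = {classify(c) for c in columns}
    if "financial" in present and "identity" in present:
        return "high"
    if "credential" in present or "identity" in present:
        return "medium"
    return "low"


if __name__ == "__main__":
    for label, table in (("table A", TABLE_A), ("table B", TABLE_B)):
        print(label, "exposure:", exposure_level(table))
        for category, cols in triage(table).items():
            if cols:
                print(f"  {category:<11} {' '.join(cols)}")
```

Run on the two tables, table A rates "medium" (credentials and identity fields, no account numbers) and table B rates "high" because rekeningnummer and the fiscale_code fields sit next to birth date, birthplace and nationality in the same record.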



microsoft accepts bitcoin but will it also teach it how to secure itself ?

It is Gates who inspired the decision

https://smallbusiness.yahoo.com/advisor/microsoft-now-largest-company-world-accept-bitcoin-165400324.html

but Microsoft should go further than that and teach the Bitcoin community, which is now awash with managers and investors, how to (re)secure the bad code, the bad libraries and the bad practices in development which make it today too vulnerable to be a good platform that will survive hacks and other attacks


#rexmundi leaks thousands of personal contact details of the hacked temp job agencies

due to legal reasons no direct links


and Z-staffing.org
