
  • #rexmundi their SSL certificate is soooo strange

    first we have this response from ssllabs.com

    to make a long story short: NO SSL protection, no encryption, everything in cleartext, including your passwords and logins

    and then we get this

  • #rexmundi z-staffing.org hacked and leaked, but claims security is its trademark - HAHAHA

    really

    they have to follow a course in cybersecurity, because without cybersecurity you don't have security at all (just as cybersecurity without physical security is just as insecure)

  • #rexmundi the data leak at tobasco.be came from here - so STUPID STUPID STUPID

    when you have to create an online account with tobasco to be able to apply for a job, you have to fill in a form without any SSL protection, as we have seen in the previous post

    well, it gets even better, and that is because it is STUPID STUPID STUPID

    instead of just asking for your email address and one other identifier, you have to fill in all your personal details ONLINE without any SSL protection, instead of completing your profile once you have logged in

    and instead of emptying the database each time somebody has created an account, so that the data goes behind the 'closed extranet', it stays public and online (it is good practice to empty the public, internet-facing database regularly and migrate the data every x hours to a private, protected database, so that the impact of a breach stays minimal: an attacker on the public tier only gets what was submitted since the last migration)

    and this is only part of the data in the form
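    The sweep recommended above (move submitted data off the public-facing database every x hours), as an added example that is not code from the original post or from tobasco.be. It assumes one `registrations` table on both sides; two in-memory SQLite databases stand in for the public web database and the protected internal one, and the three rows are constructed.

```python
"""Added example: sweep freshly submitted registrations off the internet-facing
database into a private store, so a breach of the public tier exposes only
the last sweep interval's worth of data.

Not code from the original post. Two in-memory SQLite databases stand in for
the public web database and the protected internal one; the rows are
constructed for the example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS registrations (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    full_name TEXT,
    submitted_at TEXT NOT NULL
)
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def sweep(public, private, older_than):
    """Move every row submitted at or before `older_than` from public to private.

    The copy is committed on the private side before the delete is committed
    on the public side, so a crash between the two leaves a duplicate (harmless,
    the id is preserved and INSERT OR IGNORE skips it next time) rather than a
    lost registration.
    """
    rows = public.execute(
        "SELECT id, email, full_name, submitted_at FROM registrations "
        "WHERE submitted_at <= ?", (older_than,)
    ).fetchall()
    if not rows:
        return 0
    with private:
        private.executemany(
            "INSERT OR IGNORE INTO registrations VALUES (?, ?, ?, ?)", rows
        )
    with public:
        public.executemany("DELETE FROM registrations WHERE id = ?",
                           [(r[0],) for r in rows])
    return len(rows)


def count(conn):
    return conn.execute("SELECT COUNT(*) FROM registrations").fetchone()[0]


def demo():
    """Run one sweep over constructed rows; returns (moved, left public, in private)."""
    public, private = open_db(), open_db()
    with public:
        public.executemany(
            "INSERT INTO registrations VALUES (?, ?, ?, ?)",
            [
                (1, "a@example.org", "A", "2014-12-10T08:00:00"),
                (2, "b@example.org", "B", "2014-12-10T09:30:00"),
                (3, "c@example.org", "C", "2014-12-10T11:55:00"),
            ],
        )
    # A sweep run at 11:00 takes everything submitted up to then; row 3 stays
    # on the public tier until the next run, which bounds the exposure window.
    moved = sweep(public, private, "2014-12-10T11:00:00")
    return moved, count(public), count(private)


if __name__ == "__main__":
    print("moved %d rows; public now holds %d, private holds %d" % demo())
```

    In production the private side is a database the web tier cannot reach at all (separate host, separate credentials, only the sweep job writes to it); the point of the pattern is that the public tier never accumulates more than one interval of submissions.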

  • spicy Belgian online temp agency tobasco.be hacked and leaked by #Rex Mundi

    well, it is spicy all right

    First they have a login to a 'secure' space, but it has NO ENCRYPTION (SSL) at all, so every login and password travels over the network in CLEARTEXT (anyone on the path can simply capture it)

    https://www.ssllabs.com/ssltest/analyze.html?d=tobasco.be&s=193.104.8.210

    and this is another public form (with everything in cleartext)

    http://www.tobasco.be/content.php?id=875

    some forms or documents seem to have disappeared in the meantime

    but the best is yet to come ........
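    A check for the problem both tobasco posts describe, as an added example (not code from the original posts or from the site): parse the HTML of a page and flag every form with a password field that would submit over plain HTTP, or that is itself served over plain HTTP so its action could be rewritten in transit. The sample HTML and the URLs in it are constructed; nothing is fetched from tobasco.be.

```python
"""Added example: flag HTML forms that would submit credentials in cleartext.

Not code from the original post. It checks the property the post complains
about: a form with a password field that posts to an http:// action, or that
is served from an http:// page (a relative or empty action inherits the page's
scheme, and an https:// action on an http:// page can be rewritten by anyone
on the path). The HTML below is constructed and is not taken from tobasco.be.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_credential_forms(page_url, html):
    """Return (resolved action URL, reason) for every password form at risk.

    page_url is the URL the HTML was fetched from; urljoin resolves relative
    and empty actions against it, so a login form without an action attribute
    on an http:// page is flagged as well.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append((target, "form posts over plain HTTP"))
        elif not page_is_https:
            findings.append((target, "form served over plain HTTP: action can be rewritten in transit"))
    return findings


# Constructed sample: a login form with no action (inherits the page scheme),
# a form that explicitly posts to https://, and a search form with no secrets.
SAMPLE_HTML = """
<html><body>
<form method="post">
  <input name="login" type="text"><input name="pwd" type="password">
</form>
<form method="post" action="https://secure.example.net/login">
  <input name="user"><input name="pass" type="PASSWORD">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    page = "http://www.example.net/content.php?id=1"
    for url, why in cleartext_credential_forms(page, SAMPLE_HTML):
        print(url, "-", why)
```

    Run it against the HTML of the page you are auditing, with the URL you fetched it from, and remember that an empty finding list only says the form is not obviously broken; it says nothing about what the server does with the password afterwards.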

     

  • Refuse to fill in any national registry number in Belgian web services, period

    if they want all that information, they should

    * protect it behind locked-down web services, hidden behind logins with two-factor authentication

    if they can't give you that security

    you should refuse to fill it in, or fill in a number that is only partly correct (the parts that are known anyway are your birthday and whether you are a boy or a girl; all the rest you can fake)

    just refuse it or fake it - that will teach them

    and in fact institutions and organisations that ask for information online should ask for as little as strictly necessary if they can't give you a secured environment behind a locked-down extranet with two-factor or strong registration (and without publishing the full explanation of how to do that online, like the army did with its extranet for Human Resources)

    it is within your power to refuse, because they have no legal or other basis to ask you for that number, none, and certainly not if they can't secure it

  • we would ask one thing from #Rex Mundi - one thing only - don't publish the national registry numbers

    do not publish the national registry numbers, please; they are the UID of every Belgian

    and the only victims of publishing them are the victims, who will be victimized again, not because you have published emails and telephone numbers and so on, but because you will also have published the unique number they can't change and that will be their UID for the rest of their lives

    and this is the only GOOD thing you can do - it is nearly Christmas, right?

    it is only one column and won't make a difference to the leak, but it will make a world of difference to all the people involved - the ordinary people, that is

    nobody else in Belgium cares if you publish these numbers - the privacy commission doesn't want to ask the online web services to stop asking for them, and the online web services themselves are only thinking of amassing all the information they can without any additional security controls

    I could ask you not to publish the information at all, but that is impossible to ask - not publishing the national registry number column of the database is something you can do, and

    something that you have already done before - not publishing the national registry numbers because we asked you

    if nobody in Belgium cares about the use and security of that number, except me harassing the privacy commission and some online web services about it for years without much effect, I would say - then we could do just one thing right

    that is not to say that I agree with your methods or your criminal enterprise - but you knew that already
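    What the national registry number gives away, and why it is the lifelong UID the two posts above describe, as an added example that is not code from the original posts. The layout used is the public one: YYMMDD birth date, a three-digit serial that is odd for men and even for women, and two check digits equal to 97 minus the first nine digits modulo 97, with a leading 2 prepended for people born in 2000 or later. It is also the caveat to the "fake the rest" advice above: web services validate the check digits, so a number with a made-up serial only passes if the check digits are recomputed to match. The numbers built here are constructed and belong to nobody.

```python
"""Added example: what a Belgian national registry number (rijksregisternummer)
reveals, and why it cannot be treated as a secret or ever rotated.

Not code from the original posts. Layout (public): YYMMDD birth date, a
three-digit serial (odd = male, even = female) and two check digits equal to
97 - (first nine digits mod 97); for people born in 2000 or later a "2" is
prepended to the nine digits before taking the modulus. The numbers produced
here are constructed and belong to nobody.
"""
from datetime import date


def check_digits(first_nine, born_2000_or_later):
    base = int(("2" if born_2000_or_later else "") + first_nine)
    return 97 - (base % 97)


def make_number(birth, serial):
    """Build a syntactically valid number for a constructed example."""
    first_nine = "%02d%02d%02d%03d" % (birth.year % 100, birth.month, birth.day, serial)
    return first_nine + "%02d" % check_digits(first_nine, birth.year >= 2000)


def decode(number):
    """Return (birth date, sex) encoded in the number, or None if it fails the check.

    The check digits also select the century: the 1900 and 2000 variants differ
    by a fixed offset, so exactly one can match. A fabricated number that keeps
    the real birth date still has to carry matching check digits to pass
    server-side validation.
    """
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) != 11:
        return None
    first_nine, given = digits[:9], int(digits[9:])
    if check_digits(first_nine, False) == given:
        century = 1900
    elif check_digits(first_nine, True) == given:
        century = 2000
    else:
        return None
    yy, mm, dd = int(digits[:2]), int(digits[2:4]), int(digits[4:6])
    serial = int(digits[6:9])
    try:
        # bis-numbers (month field offset by 20 or 40) are not decoded here
        birth = date(century + yy, mm, dd)
    except ValueError:
        return None
    if not 1 <= serial <= 997:
        return None
    return birth, "male" if serial % 2 else "female"


if __name__ == "__main__":
    n = make_number(date(1975, 6, 21), 342)  # constructed, nobody's number
    print(n, "->", decode(n))
```

    Every field decodes from the number itself; there is no secret part, which is why a leak of that one column is permanent in a way a leaked password or email address is not.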

  • #Rex Mundi hacks two Belgian online temporary work agencies, with 6000 files to come online

    due to legal threats we can't give the source of the information - if you are smart you will find it yourself

    the sum they now ask is 5000 euro - so neither the enormous bitcoin ransom nor the 'let the curious pay a few bitcoin cents' model seems to have worked

    this is back to the beginning for Rex Mundi

    we were already sending alerts through different channels, but to no avail - everyone thinks that they won't be next - so if your security is so lax that you leave SQL injections and other security mistakes in place, why in the hell do you think that you won't be next? do you have a guardian angel or something?

    you are just a URL in a database and an application that will test your defenses

    there is nothing more to it

    for all those not understanding this blog and jumping to conclusions

    * I am not Rex Mundi and I have no links to Rex Mundi

    * I do not hack, nor do I do anything that is not strictly within the law

    * and if I didn't try to make people aware of the dangers with this blog and by setting up an open intelligence network, it would be even much worse
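    What "an application that will test your defenses" looks like in a web server log, as an added example that is not code from the original post: detection of common SQL-injection probe payloads in constructed Apache/nginx combined-format log lines, grouped per client so a scanner walking every parameter stands out from a single odd request. The IP addresses, paths and payloads are constructed; the patterns are a starting point and will need tuning on real traffic (a search box that accepts the words "union select" will trip them).

```python
"""Added example: spot automated SQL-injection probing in web server access logs.

Not code from the original post. The log lines below are constructed in
combined log format; a scanner working through a list of sites typically hits
many parameters with the same canned payloads, so the report groups findings
per client IP and lists the distinct paths probed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the URL-decoded request target, query string included.
SQLI_RE = re.compile(
    r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+)"           # ' or 1=1, ' or 'a'='a
    r"|(\bunion\b\s+(all\s+)?select\b)"               # union-based probes
    r"|(\b(sleep|benchmark|pg_sleep|waitfor)\s*\()"   # time-based probes
    r"|(\b(information_schema|sysobjects)\b)"         # schema enumeration
    r"|(--\s*$)|(/\*.*\*/)",                          # comment-terminated payloads
    re.IGNORECASE,
)


def is_sqli_probe(target):
    """True if the decoded request target carries a common SQL-injection payload."""
    decoded = unquote_plus(unquote_plus(target))  # scanners often double-encode
    return SQLI_RE.search(decoded) is not None


def probe_report(lines):
    """Map each client IP to the sorted list of distinct paths it probed."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_sqli_probe(m.group("target")):
            path = m.group("target").split("?", 1)[0]
            hits[m.group("ip")].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}


# Constructed sample log: one scanner (203.0.113.7) and one legitimate user.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2014:09:12:01 +0100] "GET /content.php?id=875%27%20OR%201%3D1-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Dec/2014:09:12:02 +0100] "GET /content.php?id=875+UNION+SELECT+1,2,3 HTTP/1.1" 500 312',
    '203.0.113.7 - - [10/Dec/2014:09:12:03 +0100] "GET /jobs.php?ref=12%2527%2520AND%2520SLEEP(5)%23 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Dec/2014:09:13:45 +0100] "GET /content.php?id=875 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Dec/2014:09:14:10 +0100] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, paths in probe_report(SAMPLE_LOG).items():
        print(ip, "probed", len(paths), "paths:", ", ".join(paths))
```

    The 500 on the UNION request is the line to worry about: an error response to an injected query is what tells the scanner the parameter is worth a closer look, and it is exactly the signal a site that was "never going to be next" hands out for free.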

  • #ukraine the Baltic states start re-arming themselves for what is to come

    and they have understood what Putin has said from the beginning

    it is about (anti-)tanks - not airplanes or long-distance missiles - but tanks and troops

    so what do you buy to defend against such an enemy?

    All US tanks left the European continent in 2013, although there are plans to send some back soon, or to lease them to the frontier states in the east

    in this tweet you see how many Russian troops there are in Kaliningrad, next to Lithuania - also re-arming - and the US starting to send some troops and planes

    the situation in the Baltic region has become more nervous over the last week, as NATO has seen various Russian troop movements in Kaliningrad and along the Baltic states, increasing the tension

  • is this the future of global mobile internet access?

    source http://www.cnbc.com/id/102231121

    it is still a plan and a project, but it shows what mobile routers will look like in the future

  • #sonyhack should you set up your own corporate DDoS attack army online?

    because this is what Sony is doing - some call it offensive security

    http://recode.net/2014/12/10/sony-pictures-tries-to-disrupt-downloads-of-its-stolen-files/

  • For those who still think that Gorbachev is a democrat and a pacifist.....

    "The former Soviet Union president further said Russia had experienced difficult times after the Soviet Union's collapse and the U.S. had taken advantage of it. Gorbachev said but today was different because Russia is well-armed. He mentioned that it was good to see Russian President Vladimir Putin taking care of security, strengthening the military and developing weapons. He has no doubt that if anything happens, Russia can "hit back."  http://au.ibtimes.com/articles/574603/20141202/russia-gorbachev-ussr-cold-war.htm

    not much different from what Putin is saying

    maybe he is afraid for his status and his pension in this virtual democracy in Russia (it seems to be there, but it isn't, just like with a virtual environment: you only have to pull the cable out to end it all)

  • #Sonyhack this is why mailboxes should be encrypted and protected if they are business-critical

    "The hackers said the email boxes belong to Steve Mosko, president of Sony Pictures Television, and Amy Pascal, co-chairman of Sony Pictures Entertainment.

    The Microsoft Outlook mailbox files run to several gigabytes and apparently contain thousands of messages sent to and by both executives over several months.

    A handful of the emails, seen by IDG News Service, appear to include discussions between company executives, lists of phone messages that include contact details for executives at other companies, business information, and personal messages to family members http://www.computerworld.com/article/2857272/legal/hackers-contacted-top-sony-executives-before-attack.html

    There is nothing as critical as the mailbox of an engineer or of business management

    but they hardly ever get two-factor authentication, password or encryption protection, or, say, automatic archiving to another protected environment when a mail is put in, for example, a folder 'secure archive'

    this is what I personally think: if one puts a mail in a folder 'secure archive', the Exchange server takes those mails once a day and puts them in an archived but secured mailbox that the owner can only access online and only if he uses specific procedures (possibly a password, specific hardware or a decryption key, and so on....)

    so no more old mails that are lost during a hack or leak

    and for today's mails, one should use the same protection as for important files. Sometimes files are secret on the server and hard to reach, but are sent around in mailboxes as if they were candy

     

  • windows10 will be the perfect platform for security management of networks

    "The new Windows will also offer a unified user experience across all devices, from PCs to tablets to phones. Microsoft drew closer to that with Windows 8, but Windows 10 will complete the vision. The new OS will also offer a universal platform for developers to deploy apps. That's something even Apple lacks, as its Macs, iPhones, and iPads all operate on different -- albeit similar, in the case of the phones and tablets -- operating systems.

     

    Offering a universal experience in which a phone app closely resembles its tablet and PC counterparts should provide a seamless experience for Windows users as they switch between devices. This will actually expand beyond phones, tablets, and PCs: Nadella said he expects Windows 10 to power even "the smallest Internet of Things devices," offering the same experience across the board. http://www.fool.com/investing/general/2014/12/09/microsoft-wants-shareholders-to-know-these-2-thing.aspx

    now read this from a security point of view

    you can have the same patching, logging, antivirus and other controls in your network for whatever device the person is using (desktop, server, laptop, tablet, phone), as long as it is Windows 10

    imagine that: collecting your logs from all the different devices and putting them in one database, being able to follow the attack on a PC, the compromise of his phone and the extraction of his address book, and then the attack on someone else in the office or on a server ....

    imagine having one antivirus, one patch management, one application or software management for all your devices

    it is not only developers and programmers who may be able to re-use more or less the same code for apps on tablets that become software on desktops or server-based applications on servers; in the first place it makes it possible for the security industry to build a real platform for the platform, one that gives network and security administrators the possibility to cover their whole network, whatever the device or the location, with the same security solution, as long as it works on Windows 10

    this change is as big as the famous memo by Bill Gates about security, because it changes security in networks fundamentally, from a fragmented, always-too-late solution to a global solution that, after the migration and the knowledge management, can start to think more preventively and keep attacks from taking place instead of trying to stop or correct them

    of course, there will be new holes, new strategies and new mistakes, but that won't offset this revolution, which is now only theoretical but, if the security industry has any vision left beyond its immediate sales targets, will also be practical. If they don't, then I think Microsoft will develop and integrate its own solutions for its platform, and then you will have all those short-sighted, risk-averse players crying to the European Union and the US administration about a new monopoly and so on. If they want to be ready for this revolution, and help make our digital world much safer than it will ever be possible to make it today, they should start today

    just as the Mozilla browser crashed when Microsoft put all of its intelligence and power behind IE - now much less attractive than it was at the time - and the Linux desktop that was going to replace Windows crashed when Windows 7 came, it may be a time of adapt or crash for the too-fragmented security industry

    the future lies in an overview of everything digital in your network or enterprise, and that overview platform is in the making, and it is not the totally fragmented Unix market, or the confusing Apple market, or the even more individualized Android market

    imagine: whatever phone, tablet or desktop you take, you have the same stringent security, which can be updated anywhere, anytime, anyhow

    this is also a new security service opportunity for ISPs and other operators

  • #tor buy stolen bitcoin wallets

    they are being stolen

    not sure if this is a scam or not, but it is being advertised

  • the only reference to Belgium in the US Senate torture study

    it has been known for a long time that torture only very rarely produces real information

    just reading a book about the Great Purges under Stalin (nothing great about them)

    but sometimes people just don't want to listen to real specialists, who will tell you that it won't work on people who are really convinced of their cause and willing to die for it, and that other people will just invent things only to make you stop

  • new #luxleaks from new sources about Skype, the Koch brothers and Disney

    you can read more here http://www.icij.org/project/luxembourg-leaks/new-leak-reveals-luxembourg-tax-deals-disney-koch-brothers-empire

  • #sonyhack Sony's digital signatures used on malware

    source https://securelist.com/blog/security-policies/68073/destover-malware-now-digitally-signed-by-sony-certificates/

    the same malware that was used earlier by North Koreans against South Korea

    it means that all certificates from Sony will have to be revoked and replaced - as we said earlier