the air traffic over the Baltic, where tensions are increasing daily now http://www.flightradar24.com/RYR75LM/500f160
Following the Mensura incident, I had proposed to meet the case handler to discuss the various elements and my discovery. This request was discussed in the board of directors but rejected for procedural and legal reasons.
In the email, the chairman of the privacy commission - who gives me the right to quote from it - also sets out a number of elements of how the Belgian privacy commission sees its role.
We can do nothing but wait for the European framework that turns this 'poodle' (if no amicable settlement is reached we can do nothing, and we have no administrative sanctioning power whatsoever) into a bulldog whose mere appearance makes network and website managers automatically install better security, just so they don't get a visit.
This is expected in 2015-2017, or if the state secretary for privacy finally starts to understand what privacy is and how important it is, and with a few small changes to the law suddenly gives the Privacy Commission the necessary administrative powers to at least issue warnings and, if these are not followed up, to pull the plug. Just as we close restaurants that are not hygienic, keep cars that are not safe off the road and do not connect electrical installations to the general grid because they are simply badly laid or have logical faults.
We will keep sending new cases to the privacy commission every time we deem it necessary. This is our role. Next year, by the way, we take aim at another body - not to criticize it, but to try to push it to use the full extent of its possible powers.
Legal formalism is not something that will stop our voluntarism. If it were, we would have stopped 10 years ago.
it turns out that some institutions and organizations refused to use Mensura's online forms for requesting medical check-ups
These institutions and organizations are therefore NOT affected by the data leak, because they only used email or the safer fax
Your institution or company is also free NOT to use online forms or procedures that seem insecure or dangerous to you (test the site, for example, at https://www.ssllabs.com) or that ask for too much information that is in fact not needed or is better not put online
Several other institutions have NO online form for requesting an additional medical check-up.
You are the customer; you can refuse to fill in such an online form. Your union representative can demand in your company or organization that such online forms are not used (certainly not when your national register number, personal information and medical information are collected online)
The only exception would be when the application for entering the data is completely separated from the public website and sits behind a VPN with a strong login.
“It wouldn’t be the least bit surprising to see the best bits of Bitcoin be grafted into new products and services (like facilitating international transfers),” said David Yermack, professor of finance at New York University Stern School of Business, to CNN.
“A lot of the breakthrough products tend to get taken over pretty quickly by improved versions and I think that’s likely going to be the fate of Bitcoin. It’s certainly played a role in raising issues and opening possibilities that people were only dimly aware of before. But if I owned Bitcoins, I would be a seller at the current market price as I think a year from now they may be all but worthless.”
first, they seem to forget that some parts of bitcoin - even essential ones, like for example the encryption - seem to have some fundamental logical mistakes which make it insecure in itself. So incorporating parts of bitcoin into new digital currencies that are part of the normal financial systems can introduce some grave mistakes into the normal financial system.
secondly, the biggest advantage of Bitcoin is that it is anonymous, but governments all over the world are trying to limit the anonymity of money transfers because they want to receive the right amount of taxes due. So this fundamental part of bitcoin won't ever be incorporated without a backdoor for tax and law enforcement agencies. It will also be much easier to follow digital currencies through their CHAIN if there is such a backdoor than with our present ways of paying.
and last but not least
bitcoin has shown what the internet has shown in so many other industries: that if there is unfair interference by businesses in a normal process, it can and will be replaced by an internet-based direct system. It costs far too much to transfer money around the world - and even across accounts. But I don't see bitcoin replacing the dollar as an international currency. It will be much easier to have a 'digital dollar' with the possibilities of a digital bitcoin than a bitcoin with the financial trust of the dollar.
there will always be anonymous digital currencies because there is a reason for them to exist, and if you use them for that reason (to give anonymously in support of causes, for example), you can do so whatever the value of the bitcoin at that moment. But it will never become a real investment product (except as pure speculation, with the risk of losing nearly everything) because it is insecure, prosecuted by law enforcement agencies and not supported by any financial institution.
if you use bitcoin, use it to do something with the same value you bought it for
"According to the security firm, the flaws can be exploited by attackers to achieve a complete Java VM security sandbox escape, as well as to execute arbitrary code. The researchers estimate that the number of issues is '30+ in total.'"
it is a bit cloudy, with heavy storms expected in some programming and security departments, while it will be icy in the management departments of Google App Engine
sunshine is expected later this week when the security researchers and Google exchange their results and start working on solutions
I never liked Java because I think it is too open and too insecure, and maybe I will like it when they one day change course the way Microsoft did and become more closed, better monitored, with a huge security infrastructure, a set of clear procedures and frequent updates
"Prins, the researcher whose company was hired to investigate the Belgacom hack, has no doubts. Based on Snowden documents leaked last year and the analysis that his company has done of the Regin malware, Prins said he is fully convinced that the NSA and the GCHQ are behind Regin.
Both UNITEDRAKE and STRAIGHTBIZARRE are part of the Regin framework. You can find them in the ANT catalog. https://t.co/TFsdlI8JOW
— Ronald Prins (@cryptoron) November 24, 2014
UNITEDRAKE and STRAIGHTBIZARRE are codenames of NSA programs, according to leaked documents. While those codenames are not mentioned in the malware, Prins explained that their description in the Snowden documents matches with "the functionality of parts of the Regin framework."
Kaspersky researchers, however, did find codenames of a somewhat similar style inside parts of the Regin malware.
#Regin internal module codenames: LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH.
— Costin Raiu (@craiu) November 24, 2014
unless this is done to fool everybody and it is the Russians installing it to follow the mobile phones of NSA agents in the Middle East
it seems logical, but it is not because something seems logical that in the spy world it is the right answer - it is a normal and a fast answer, but not necessarily the only possible answer
except that in this case the infections at Belgacom coincide with the Snowden files that come from the intranet of the NSA - so there are two independent sources
"This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.
So why did these companies all keep Regin a secret for so long? And why did they leave us vulnerable for all this time? To get an answer, we have to disentangle two things. Near as we can tell, all the companies had added signatures for Regin to their detection database long before last month. The VirusTotal website has a signature for Regin as of 2011. Both Microsoft security and F-Secure started detecting and removing it that year as well. Symantec has protected its users against Regin since 2013, although it certainly added the VirusTotal signature in 2011.
Entirely separately and seemingly independently, all of these companies decided not to publicly discuss Regin’s existence until after Symantec and the Intercept did so. Reasons given vary. Mikko Hypponen of F-Secure said that specific customers asked him not to discuss the malware that had been found on their networks. Fox IT, which was hired to remove Regin from the Belgian phone company Belgacom’s website, didn’t say anything about what it discovered because it “didn’t want to interfere with NSA/GCHQ operations.”
My guess is that none of the companies wanted to go public with an incomplete picture. Unlike criminal malware, government-grade malware can be hard to figure out. It’s much more elusive and complicated. It is constantly updated. Regin is made up of multiple modules—Fox IT called it “a full framework of a lot of species of malware”—making it even harder to figure out what’s going on. Regin has also been used sparingly, against only a select few targets, making it hard to get samples. When you make a press splash by identifying a piece of malware, you want to have the whole story. Apparently, no one felt they had that with Regin.
we have information that there are newer versions of Regin and that there would also be a Regin version for Linux and Unix machines - but as you should have understood from the article above, our sources are not allowed to talk, nor to give us such versions
but fox-it also said so because it calls Regin something that is made up of modules, a platform of which nobody has all the different parts
this is why a Regin working group would have to be formed between the biggest security companies
the sensationalistic stories from the AV companies that have come out with some information pose more questions than they give answers, and should make us feel safe because they discover some files, some destinations or some functions of the virus
at the same time some antivirus software seems to be much stricter about the processes of normal software and, in a complicated network with an enormous list of different old and diverse software, is causing big problems because it is starting to block processes and files it didn't even look at before
this means that whitelisting and program management functionality is a necessary part of any security package that you would install nowadays in your business-critical environment
first, they used open and vulnerable networks of universities and hotels to attack, extract and publish
"An Internet Protocol address the malware used to communicate with the hackers was also located at a university in Thailand, this person said. Hackers often take advantage of open university networks in initiating attacks. Katie Roberts, a spokeswoman for Starwood Hotels & Resorts Worldwide Inc. (HOT), which owns the St. Regis Bangkok, didn’t respond to emails seeking comment.
If the hackers were indeed at the St. Regis Hotel in Bangkok, they were essentially hiding in plain sight by using a busy wireless network available to hundreds of guests.
this also says something about the security of the networks they are offering their clients, if hackers can get in and out and abuse them at will
secondly, after they had penetrated the network and extracted the information (just look at the dates of the different packages they are leaking), they decided to destroy as much as possible, and they launched that attack very fast
"Kurt Baumgartner, principal security researcher at Kaspersky Lab in Denver, Colorado, also found similarities. As in South Korea, the destructive programs were compiled less than 48 hours before the attack, he said. In both instances, the hackers also defaced websites with skeleton images and vaguely political messages
this means that your incident response team should have the resources, the instruments and the authority to intervene immediately on the whole network if such a 'wiper attack' is happening, and should not have to wait for other people to begin to understand what is happening while they hold on to some authority and the whole network is disappearing at an ever-increasing rate
get a Snort into your network
let's hope that this will force Putin to come back to his senses
" After the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.we...), I've made the next update of the software. On 23rd of October DAVOSET v.1.2.1 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I Also yesterday I opened a repository for DAVOSET: https://github.com/MustLive/DAVOSET Download DAVOSET v.1.2.1: http://websecurity.com.ua/uploads/2014/DAVOSET_v.1.2.1.rar In the new version, support of attacks via WordPress was added, based on the XML support present since v.1.1.2 (released on 31.07.2013). After the vulnerability in the XML-RPC PingBack API in WordPress was found last year, I added support for XML in DAVOSET (to use with XXE vulnerabilities, but it can also be used with this vulnerability). After that people asked me many times to add this support, but nobody wanted to do it themselves, so I added it. Also new services were added to both lists of zombies and non-working services were removed from the lists of zombies. In total there are 175 zombie-services in the list. I added 3 and removed 18 zombie-services. I removed a lot of vulnerable sites from the lists, because admins began fixing holes at their web sites in summer - after a significant increase in use of my tool.
which means that if your site or web service is vulnerable, it can now not only be hacked but also be abused to attack other sites with a DDoS, eating up your traffic allowance (if you don't have an unlimited account) or simply getting your blog or site taken off the web because it is being abused in such an attack
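What the abuse described above looks like from the zombie site's side is a burst of POST requests to its XML-RPC endpoint, one per pingback the attacker makes it send. The detector below is an added example (not code from the original post and not part of DAVOSET) that scans web-server access-log lines for that pattern. The log lines are constructed in Apache 'combined' format with documentation-range IP addresses, and the window and threshold values are assumptions to be tuned for a real site.

```python
"""Detector for a site being used as an XML-RPC pingback 'zombie'.

Added example, not code from the original post or from DAVOSET. It scans
web-server access-log lines for bursts of POST requests to /xmlrpc.php, the
pattern a WordPress site shows when an attacker drives its PingBack API to
fire requests at a third-party victim. Log lines are constructed here in
Apache 'combined' format with documentation-range IP addresses; the window
and threshold values are assumptions to tune for a real site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def _line(ip, when, method, path):
    """Build one constructed log line (helper for the sample data only)."""
    stamp = when.strftime('%d/%b/%Y:%H:%M:%S %z')
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'

_base = datetime(2014, 10, 23, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # normal traffic from one visitor (constructed)
    [_line('198.51.100.7', _base + timedelta(seconds=i * 7), 'GET', '/index.php') for i in range(5)]
    # one legitimate-looking pingback from another blog (constructed)
    + [_line('192.0.2.9', _base + timedelta(seconds=3), 'POST', '/xmlrpc.php')]
    # 25 pingback calls in 25 seconds from a single source: the zombie pattern (constructed)
    + [_line('203.0.113.5', _base + timedelta(seconds=i), 'POST', '/xmlrpc.php') for i in range(25)]
)

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec

def detect_xmlrpc_abuse(lines, window_seconds=60, threshold=20):
    """Return {source_ip: peak_count} for every source whose POSTs to
    /xmlrpc.php reach `threshold` within any `window_seconds` sliding window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec['method'] == 'POST' and rec['path'].split('?')[0] == '/xmlrpc.php':
            hits[rec['ip']].append(rec['ts'])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until it is within window_seconds of t
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == '__main__':
    for ip, count in detect_xmlrpc_abuse(SAMPLE_LOG).items():
        print(f'{ip}: {count} POST /xmlrpc.php requests within 60 s -> possible pingback abuse')
```

Run against the constructed sample, only 203.0.113.5 is flagged; the single pingback from 192.0.2.9 stays below the threshold. If the site does not need pingbacks at all, the cleaner fix is to remove the method on the WordPress side (the `xmlrpc_methods` filter lets a plugin drop `pingback.ping`), so that the requests this detector counts have nothing to trigger.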
this only makes sense if somebody who knows the Russian language makes sense of it all and translates it into English
just like anybody else in the intelligence business, I think
more can be found here https://www.youtube.com/channel/UCAXdfFRi-lhKqlKV1JLSCsQ
somebody is raising the stakes, looking how far he can go
"Earlier this month a new paper by Naomi Benger, Joop van de Pol, Nigel Smart, and Yuval Yarom hit the news. The paper explains how to recover secret keys from OpenSSL's implementation of ECDSA-secp256k1 using timing information from "as little as 200 signatures"; ECDSA-secp256k1 is the signature system used by Bitcoin. The timing information is collected by an attack process running on the same machine, but the process doesn't need any privileges; I don't see any obstacle to running the attack process in a separate virtual machine. Earlier papers by Yarom and Katrina Falkner and Yarom and Benger had explained how to carry out similarly efficient attacks against various implementations of RSA and binary-field ECDSA.
These attacks are what I call "cache-timing attacks": they exploit data flow
- from secrets to load/store addresses and
- from load/store addresses to attacker-visible differences in timing between different addresses.
For comparison, conventional timing attacks exploit data flow
- from secrets to the program counter (i.e., the instruction address as a function of time) and
- from the program counter to attacker-visible differences in timing between different instruction addresses.
In both cases the second part of the data flow is built into chips, but the first part is built into the software.
Did the software designers have to allow data flow from secrets to addresses? "Obviously not!" say the theoreticians. "Everybody knows that any computation using branches and random access to data can be efficiently simulated by a computation that accesses only a predefined public sequence of instructions and a predefined public sequence of memory locations. Didn't you take a course in computational complexity theory? If the software designers had done a better job then this attack would never have worked."
I have a different view. I blame this attack on the ECDSA designers. Every natural implementation of ECDSA makes heavy use of secret branches and secret array indices. Eliminating these secrets makes the code much more complicated and much slower. (The theoreticians are blind to these problems: their notion of "efficient" uses an oversimplified cost metric.) The ECDSA designers are practically begging the implementors to create variable-time software, so it's not a surprise that the implementors oblige.
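The first half of the data flow the quoted text describes, from a secret to the load/store addresses a routine touches, can be made visible without any timing measurement at all. The script below is an added example (not code from the paper, from OpenSSL or from the original post): it wraps a small constructed table so that every read is recorded, then compares a direct secret-indexed lookup (the "secret array index" of the passage) with a masked scan that reads every entry in a fixed order. The table values are made up; think of them as the precomputed multiples a windowed scalar multiplication indexes with secret digits of the ECDSA nonce. Python's own execution time is not constant, so what the example demonstrates is the address trace, not a timing guarantee.

```python
"""Model of the two data flows in the passage above: from a secret to the
load/store addresses a routine touches, and (what the attacker sees) from
those addresses to timing. Added example, not code from the paper, from
OpenSSL or from the original post. TraceMemory records which entries are
read, standing in for the cache lines a cache-timing attacker can observe;
it is not a cache model and makes no timing measurement."""

# Constructed table of 'precomputed values' (assumption for illustration);
# think of the per-window multiples of the base point that an ECDSA scalar
# multiplication indexes with secret digits of the nonce.
TABLE = [0x1F, 0x3C, 0x5A, 0x72, 0x9B, 0xB4, 0xC8, 0xE1]

class TraceMemory:
    """A list that records the index of every read it serves."""
    def __init__(self, data):
        self._data = list(data)
        self.trace = []
    def __len__(self):
        return len(self._data)
    def __getitem__(self, i):
        self.trace.append(i)
        return self._data[i]

def lookup_naive(mem, secret_index):
    """Direct indexing: the address read is a function of the secret."""
    return mem[secret_index]

def lookup_constant_trace(mem, secret_index):
    """Read every entry in a fixed order and keep the wanted one with an
    arithmetic mask, so the address sequence is independent of the secret.
    The mask ((i ^ s) - 1) >> 63 is all-ones only when i == s; it replaces
    the comparison a compiler might otherwise turn into a secret branch."""
    result = 0
    for i in range(len(mem)):
        mask = ((i ^ secret_index) - 1) >> 63   # -1 if i == secret_index else 0
        result |= mem[i] & mask
    return result

def address_trace(lookup, secret_index):
    """The sequence of table indices `lookup` reads for a given secret."""
    mem = TraceMemory(TABLE)
    lookup(mem, secret_index)
    return tuple(mem.trace)

def leaks_secret_via_addresses(lookup):
    """True if different secrets produce different address traces, i.e. the
    routine has the first half of the data flow a cache-timing attack needs."""
    traces = {address_trace(lookup, s) for s in range(len(TABLE))}
    return len(traces) > 1

if __name__ == "__main__":
    for name, fn in (("direct index", lookup_naive), ("masked scan", lookup_constant_trace)):
        print(f"{name:13}: trace for secret 3 = {address_trace(fn, 3)}, "
              f"leaks secret via addresses: {leaks_secret_via_addresses(fn)}")
```

Both routines return the same table value for every secret; only the masked scan produces the same trace for all of them. The scan is also the slower and more awkward code the passage talks about: eight reads instead of one, and in a real implementation the same care has to be taken with branches (the program counter) as with array indices.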
if the design is insecure, everything that follows and uses it will be insecure, and you only have to wait until it is discovered, manipulated and made so easy that it can be automated
user ID, password and email address
and meanwhile at the front, where there is daily fighting