12/07/2014

e-Estonia, the worldwide showcase of e-government, has lost contact

monitoring?


the paedophile contact site family4love.com has some features that are interesting for law enforcement

The site came into the news after an article in the British press reporting that it links paedophiles with families willing to hand their children over to them.

First, the site was free, but in 2013 it moved to paid access, like so many such services, because this is (big) business (follow the money, I would say; it is the simplest method of investigation).

Second, read this search snippet (from the Google search site:family4love.com):

F4L - Terms of Service

family4love.com/help/terms

"All IP addresses are recorded for security reasons, and will be given to the correct authorized if requested. All photos uploaded should be owned to yourself and"

So the site itself holds a full log of member IP addresses; you would not even have to ask the hoster or the ISP for them.

Third, much of the site is still in the Google cache, because the server is not being upgraded (if it ever comes back up again):

https://www.google.be/search?q=site%3AFamily4Love.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:nl:official&client=firefox-a&channel=sb&gfe_rd=cr&ei=9HuEVKeSA4fFVIuGgJAE

If you add a country name to the query, France for example, you will find the discussions between members from that country (in the cached copy behind each result).

So happy hunting, because it seems there are children who will need to be rescued from couples and swaps arranged through this site, within or between countries.

Fourth, I would also look at this information (the referrals, for one). The web server is in the US, so it should not be that difficult to seize the server and everything on it. The same machine also runs a mail server, which you would want to get hold of as well.

And I would certainly take an even closer look at this site, which seems to be a kind of index of incest and paedophile services online.


12/04/2014

#sonyhack: the filenames of the malware are known to the FBI but not online or on VirusTotal

“The FBI is providing the following information with HIGH confidence,” the note reads, according to one person who received it and described it to WIRED. “Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”

The FBI memo lists the names of the malware’s payload files—usbdrv3_32bit.sys and usbdrv3_64bit.sys.

It’s unclear if these files were found on Sony systems. So far there have been no news reports indicating that data on the Sony machines was destroyed or that master boot records were overwritten. A Sony spokeswoman only indicated to Reuters that the company has “restored a number of important services.” http://www.wired.com/2014/12/sony-hack-what-we-know/

It is also intriguing to see the name usbdrv: either a hint that USB drivers or USB-related exploits were part of the attack, or simply a legitimate-looking name chosen to blend in.

The fact that there is a 64-bit build shows that a 32-bit-only payload can no longer count on making an impact; a 32-bit kernel driver will not load on a 64-bit Windows kernel at all, so a 64-bit version is a necessity nowadays.

The fact that these are .sys files means kernel-mode drivers: the malware was not just touching program files and system files, it was running in the kernel, the core of the system. The name mimics something that other software uses, to hide in plain sight. Where driver files are unsigned, or the signatures are never checked, this is easy to do (note that 64-bit Windows does enforce kernel-mode driver signing, so the 64-bit build would have needed a valid signature or a way around that check).
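Whether a .sys file even carries a signature can be read from the PE headers: the Certificate Table (data directory entry 4) holds the file offset of the Authenticode blob. The following Python is an added example, not part of this post or of the FBI flash; it walks the headers of a constructed, headers-only PE32+ image (no real driver is embedded) and reports whether a blob is present. Presence is not validity: a real check still verifies the PKCS#7 signature and its chain (signtool or Get-AuthenticodeSignature on Windows), which this code deliberately does not attempt.

```python
import struct

# Index of the Certificate Table (Authenticode) entry in the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_blob(pe: bytes):
    """Locate the embedded Authenticode blob of a PE image.

    Returns (file_offset, length, certificate_type) of the WIN_CERTIFICATE
    structure, or None when the image carries no signature at all. Finding a
    blob is NOT validity: the PKCS#7 signature still has to be verified and
    chained to a trusted root, which this helper does not do.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    if opt + size_of_optional > len(pe):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                         # PE32 (32-bit)
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                       # PE32+ (64-bit)
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    number_of_dirs = struct.unpack_from("<I", pe, nrva_off)[0]
    if number_of_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike the other data directories, the security entry holds a raw file
    # offset rather than an RVA: the certificate is never mapped into memory.
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return None
    if size < 8 or offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return offset, length, cert_type


def build_pe32plus(with_signature: bool) -> bytes:
    """Constructed, headers-only PE32+ image used as sample input (not a real driver)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    number_of_dirs = 16
    opt_size = 112 + 8 * number_of_dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, number_of_dirs)           # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if with_signature:
        # WIN_CERTIFICATE with a placeholder body (constructed, not a real PKCS#7).
        body = b"\x30\x82\x00\x00" + b"\0" * 28
        cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def describe(pe: bytes) -> str:
    """Human-readable verdict for a driver file."""
    blob = authenticode_blob(pe)
    if blob is None:
        return "no Authenticode signature present"
    offset, length, cert_type = blob
    kind = "PKCS#7" if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA else "type %#x" % cert_type
    return "signature blob present (%s, %d bytes at offset %d); verify it before trusting it" % (
        kind, length, offset)


if __name__ == "__main__":
    for name, sample in (("unsigned.sys", build_pe32plus(False)),
                         ("signed.sys", build_pe32plus(True))):
        print(name, "->", describe(sample))
```

An unsigned driver is an immediate red flag on a 64-bit host; a signed one still needs the chain checked, because a valid signature made with a stolen certificate looks exactly like a legitimate one at this level.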

The operation itself was probably carried out the way the #Belgacomhack was: through the accounts of the network administrators (again). Only here the goal was not to get specific information from specific installations but to leak and destroy everything, or as much as possible, over a roughly six-month period (which, in operational scenarios for total network compromise, is a typical period for taking over, "owning", a whole network).


#sonyhack #belgacomhack #foreignaffairshack are probably intelligence operations

Intelligence operations have goals. If you want to understand an operation you have to understand its goals; otherwise you will not know what happens next, and you have no idea how to secure the data they were after.

They are also operations, which means they were prepared some time in advance, executed in phases, and followed up, evaluated and adjusted to ensure maximum effect with the least chance of discovery. Exfiltration and the destruction of evidence are as important in such an operation as getting the information.

The Belgacomhack was probably a US intelligence operation to get information from some mobile-phone installations on the BICS network. At that time (just a supposition) the US administration was going after Bin Laden and had only ONE lead: the couriers between Bin Laden and the rest of the organisation. Those people used their mobile phones from time to time, but under strict rules of operational security (for example, only a few hundred metres after leaving the building, and when not calling they removed the battery). Those couriers sometimes also took calls from other countries. I am not sure there is a link, but I can imagine (maybe it is just imagination) that somebody said: whatever the effort, you have to get that data, and if going through the courts or the local operators is too risky for discovery, just go through the operators yourselves and get it; I won't ask how. And some people went out to get it. But as I said, that is just speculation (they may also have needed information about other networks, cells or important people on the wanted list).

The Foreignaffairshack was probably a Russian intelligence operation looking for information on how the European Commission and NATO were reacting to the continuing infiltration of Russian soldiers and tanks into Ukraine. In this high-level power game Putin, just like Stalin during and after the Second World War, wanted spies or an intelligence operation so he would know the current mindset of his friends and opponents, how they would react, and what they said behind closed doors but not to him at the negotiating table. He had to know the real red lines beforehand. And where do you find information about both the European Commission and NATO in one place? In the country where both have their headquarters. And which administration handles all the documents between the host country and the international organisations it belongs to? The Ministry of Foreign Affairs. There are also people who think they were after another database.

The Sonyhack was probably a North Korean intelligence operation in response to a film they did not like about the great dictator, who prefers to see himself as a father to his country. Well, he got mad as hell, and among the options (dropping an atomic bomb on Hollywood, protesting diplomatically, ...) destroying the company with a digital nuclear time bomb seemed the best one. This is exactly what is happening. The operation probably started in June or somewhat earlier and ended with the publication of the first dataset and the timed destruction of the internal computers and servers. Now every company in the world knows that if it angers the North Korean dictator he will destroy it digitally, so you had better be prepared. If that was the goal, the message has been received and understood.

So if these presumptions are right, every intelligence service in the world worthy of the name is setting up intelligence operations in the digital world with political and intelligence goals, while respecting all the normal operational security rules of an intelligence operation (which makes them hard to attribute).

This is also why I think that in critical environments the security officer should not only have the medals of all his so-called exams and certificates but also a healthy dose of paranoia, and should be able to play mind games: to think through how an intelligence operation against his network would be set up, where the weakest links would be, and at which moments the operators could still be discovered or might not have cleaned up their tracks.

It is only when you start reading books about information operations and intelligence that you really begin to understand the Snowden files. For malware and IT analysts these are just processes, files, connections and incidents. For an intelligence operative they are phases in an operation that leads to a specific goal and was prepared long beforehand. (By the way, some of the scanning traffic against our infrastructure is also done by other intelligence agencies, to feed their databases, so that when they want to set up an operation they already have all the practically important information.)


12/03/2014

#sonyhack: Sony has in fact lost all of its passwords, for everything

Yep, they have lost it all.

And this is only a very small part of the password files leaked today.

And this data package was made in ... October.


#sonyhack: Sony will have to change all its certificates

They are all in the wild (together with their private keys, presumably, since a certificate without its key is of no use to an attacker) and will be used and abused in malware, spam and phishing.

And there are a few more folders with certificates.

It also shows that the attackers had access to the network administrators' servers and to the root of those servers, unless the certificates were stored centrally and only that one server was compromised.

Another question is what the browser vendors and the certificate authorities will now do. If they are consistent with previous actions, the leaked certificates will be revoked, and Sony will in fact have to take down all the logins and services protected by them until it has replaced every certificate with a new one, if it can convince the certificate provider that it again has full control over its servers and network.

If the hackers really want to create havoc, they will steal the new certificates as well, just to prove that they are masters of the Sony network and that even the best cyber defences could not stop them from taking that information without getting caught, unless it is a honeypot or a trap, of course.


#sonyhack: this was a digital Waterloo for network defence; these files show that everything was taken

This is an example of the PCs that were taken over.

This is part of a list of some 1,600 Linux, Unix and VMware servers of all kinds.

We said all along that some backup servers were probably also affected.

Well, here it is.

And this is from the list of Windows servers found on the network (of the 800).

You will see that there are even Windows 2000 machines still on the network and a lot of 2003 servers; this is really OLD (Windows 2000 left extended support in July 2010).

You also see an SMTP server.

What is also interesting is that the Excel file for the computers is dated JULY 2014, while those for the servers seem to have been made only yesterday.

This can mean that the operation started somewhere in July or earlier and that between those dates it was built up one step at a time: patiently working through each server, each file store and each connection, preparing the next step and hiding the tracks.

So the wiper attack may have been the explosion of thousands of time bombs planted to go off now, coinciding with the film, which supports the possibility that it was the North Koreans, as they mostly want their cyber attacks or hacks (becoming public) on specific dates or linked to specific events.

You will have to go through my other open-intelligence sources to find the links; sorry guys, I have the lawyers from Mensura breathing down my neck seeking revenge.

It also means there is no longer any secret about Sony's internal network, and it shows that this internal network was enormously outdated, which makes Sony partly responsible for what happened. If you have no bunkers inside your network to isolate and protect your valuable data, you might as well put it online for everybody to download, because the moment your network is penetrated (or your staff is infiltrated) it is all exposed.


NATO defense expenditures for 2013 and what will surely change soon

Some countries bordering Russia, or not that far from it, will have to increase their budgets, and some are already announcing new investments, new military strategies and cooperation agreements.

If you look at the table you will also better understand some of Putin's diplomatic efforts, from the beginning and lately.

The biggest question is whether NATO will stay united throughout this difficult period. Whenever a coalition of countries has faced a persistent and overwhelming adversary who does not have to agree with anyone or comply with anything, different strategies have been defended, rightly or wrongly, by different groups, which gives the dictator on the other side the opportunity to buy time and, at first, to achieve his goals without a real war: just small wars and destabilisation with the right dose of diplomacy.

[embedded image: table of NATO defence expenditures for 2013, not reproduced]


The world of corruption in one picture


#sonyhack: hackers use Sony PlayStation servers to distribute 27GB of leaks

http://www.theregister.co.uk/2014/12/03/strange_things_afoot_with_great_sony_pictures_torrent_data_leak/

It means they do have the keys to the castle and, for the moment, can walk in and out at will.

That is because there is no two-factor authentication, only passwords.

Passwords are not security.


US law enforcement is using an 18th-century law to force Apple and Google to decrypt your data

"Now court documents have emerged showing just how far the Feds are willing to go to decrypt citizens' data.

The paperwork has shown two cases where federal prosecutors have cited the All Writs Act – which was enacted in 1789 as part of the Judiciary Act – to force companies to decrypt information on gadgets.

The Act, which was signed into law by none other than George Washington and later revised in the 20th century, gives the courts the right to...

issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

That's a pretty broad remit, but the Feds think it's just the thing to force Apple and others to break down privacy protections." http://www.theregister.co.uk/2014/12/01/feds_turn_to_1789...


#sonyhack: 30,000 salaries of unnamed Deloitte consultants (2005) published

If you take 11 terabytes of files from one of the biggest companies, and you probably have a copy not only of the intranet and some mailboxes but also of a backup server, then this is the kind of thing that will happen.

http://fusion.net/story/31227/sony-pictures-hack-spreads-to-deloitte-thousands-of-audit-firms-salaries-are-leaked/

Expect future attacks to go after backup servers more often (whether or not this came from a backup server: that is where you find the biggest collection of unencrypted files with the least protection).


#sonyhack: it is nearly official: North Korea hacked Sony in the US into destruction

Yes, he has won against 'The Interview', a film that should never have been made and, even once made, should never have been released. I salute you, hackers; you have shown what a small country like ours can do with so few cyber resources. It is the best example yet of the power of asymmetric warfare.

Putin must be wondering whether he should not pull his tanks back from Ukraine and just start a permanent cyber war. It costs less and it is very difficult to point the finger at him.

https://recode.net/2014/12/03/sony-to-officially-name-north-korea-as-source-of-hack-attack/

But do not underestimate them:

https://recode.net/2014/12/01/heres-what-we-know-about-north-koreas-cyberwar-army/

And also read this report:

http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on...


update 2: the wallonie.be portal has some serious security leaks (defaced page)

You can say that if you can add an image, you can add code (malware), spyware, a redirect or a pop-up.

This is not enormous, but it is a signal that something is wrong.

And what is more, it was not even noticed, which is even more alarming, because it means you can do these things without being noticed.

It was not noticed by the CERT or any security service either (undermanned and underpaid).

Oh, and it is not the first time that parts of the wallonie.be portal have been defaced, which shows that there are too many parts to manage and too few people and resources to do so securely.

Click on the link for more information: http://www.zone-h.org/mirror/id/23337578

Oh, and just a reminder: zone-h.org has a free alerting service for your domain, and a service covering all .be domains costs about 600 euro, but nobody ever found the money for that (they prefer spending thousands of euro on papers and studies).

[screenshot: wallonie.PNG]

We have found the reason why: it is an old server and nobody looks at it.

But they made a very stupid mistake.

If a site no longer exists, you redirect it in your DNS, and you take down everything on that server that is old and no longer maintained, so you do not get defacements and other attacks.

Because even if this subdomain is old, I am not sure it is not connected to the new servers, since it sits in the same parent domain, wallonie.be, and a forgotten host under the same parent domain inherits the trust users (and domain-scoped cookies) place in the live sites.
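The clean-up described above (redirect or delete what is no longer maintained) presupposes that you know which records still point at old servers. The following Python is an added example, not from this post; it parses a constructed zone for a hypothetical example.be (RFC 5737 addresses), follows CNAME chains inside the zone, reports every name that ends up at a host missing from the maintained inventory or at a name that no longer exists, and produces the redirect line to put in its place.

```python
"""Find DNS records that still point at decommissioned or unmaintained hosts."""

# Constructed sample zone for a hypothetical example.be; names and addresses
# (RFC 5737 documentation ranges) are invented for this example.
SAMPLE_ZONE = """\
$ORIGIN example.be.
; live portal
www        IN A     192.0.2.20
spw        IN A     192.0.2.20
; forgotten server nobody looks at any more
oldportal  IN A     192.0.2.10
legacy     IN CNAME oldportal.example.be.
archives   IN CNAME legacy
intranet   IN CNAME gone.example.be.
extranet   IN A     198.51.100.7
"""

# Hosts still patched and monitored, from the asset inventory (constructed).
MAINTAINED_HOSTS = {"192.0.2.20", "198.51.100.7"}


def qualify(name, origin):
    """Turn a relative label into a fully qualified, dot-terminated name."""
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return {fqdn: (rtype, rdata)} for the A and CNAME records of a zone."""
    origin, records = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN" or parts[2] not in ("A", "CNAME"):
            continue                                  # other classes/types ignored here
        name, rtype, rdata = qualify(parts[0], origin), parts[2], parts[3]
        records[name] = (rtype, qualify(rdata, origin) if rtype == "CNAME" else rdata)
    return records


def resolve(fqdn, records, max_hops=8):
    """Follow CNAMEs inside the zone.

    Returns ('A', ip), ('DANGLING', name) when the chain reaches a name the
    zone no longer defines, or ('LOOP', name) for a CNAME cycle.
    """
    seen, current = set(), fqdn
    for _ in range(max_hops):
        if current in seen:
            return "LOOP", current
        seen.add(current)
        rec = records.get(current)
        if rec is None:
            return "DANGLING", current
        rtype, rdata = rec
        if rtype == "A":
            return "A", rdata
        current = rdata
    return "LOOP", current


def audit(zone_text, maintained):
    """List (fqdn, reason) for every name that should be redirected or removed."""
    records = parse_zone(zone_text)
    findings = []
    for fqdn in sorted(records):
        status, target = resolve(fqdn, records)
        if status == "A" and target not in maintained:
            findings.append((fqdn, "resolves to unmaintained host " + target))
        elif status == "DANGLING":
            findings.append((fqdn, "CNAME chain ends at undefined name " + target))
        elif status == "LOOP":
            findings.append((fqdn, "CNAME loop"))
    return findings


def redirect_lines(findings, target="www.example.be."):
    """Replacement records: point each stale name at the live portal (or delete it)."""
    return ["%s IN CNAME %s" % (fqdn, target) for fqdn, _ in findings]


if __name__ == "__main__":
    for fqdn, reason in audit(SAMPLE_ZONE, MAINTAINED_HOSTS):
        print("%-25s %s" % (fqdn, reason))
```

Run against a real zone export, the findings are exactly the names to redirect to the maintained portal or to delete, and the inventory check is what turns "old server nobody looks at" into a finding instead of a surprise on zone-h.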

[screenshot: spw wallonie.PNG]

But that domain is not that old.

spw.wallonie.be itself has hundreds of other subdomains like xyzw.spw.wallonie.be, with logins and so on...

site:http://spw.wallonie.be/

So this is a very strange page to deface.

And the hack becomes important again, because the upload was on the main page: the front page of the subdomain spw of wallonie.be, which itself has hundreds of subdomains.

It looks like the chain broke somewhere, and somebody will have to fix it, FAST.

One question, for example, is why so many different login systems are needed when they are all under the wallonie.be domain. I have the impression this is beginning to look like an impressionist painting, but one in which you see no figures.


As SCADA developers refuse to sign their files, some think this is an alternative

"A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.

The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.

“While participating in a few incident response engagements, I realized it’s fairly difficult to know what is a ‘legitimate’ ICS/SCADA file and what is not. Given the overwhelming majority of ICS/SCADA vendors refuse to sign their software, we’re stuck with determining whether files like ‘FTShell.dll’ or ‘WFCU.exe’ (both legitimate files btw) are really supposed to be there. With this problem in mind, I started a database of all the files I’ve seen on ICS/SCADA systems, so that others can compare notes,” Rios wrote in the FAQ for the site." https://threatpost.com/researcher-releases-database-of-kn...

Well, governments will need to oblige the developers to sign their code and to make it possible to verify those signatures.

Otherwise this makes no sense.

What if this database gets hacked, penetrated or impersonated?

This is an enormous honeypot.

And even without hacking it, you could compromise the server, or any routing equipment in front of it, just to collect the network addresses and other details of the people responsible for those highly critical networks.
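The objection above (what if the database is tampered with or impersonated?) is the weak point of any known-good list: the list is only worth as much as its own integrity. The following Python is an added example, not WhiteScope's code or API; it uses a constructed manifest with invented digests (the real FTShell.dll and WFCU.exe hashes are not known here), refuses to load it unless it matches a digest pinned out of band, and then triages a constructed set of files into known-good, unknown, and known-good content under an unexpected name.

```python
"""Known-good file allowlist with an integrity check on the list itself."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vendor binaries. The real FTShell.dll / WFCU.exe
# digests are not known to this example, so these bytes and hashes are invented.
VENDOR_FTSHELL = b"MZ\x90\x00constructed FTShell.dll body"
VENDOR_WFCU = b"MZ\x90\x00constructed WFCU.exe body"

KNOWN_GOOD_MANIFEST = json.dumps([
    {"name": "FTShell.dll", "sha256": sha256_hex(VENDOR_FTSHELL)},
    {"name": "WFCU.exe", "sha256": sha256_hex(VENDOR_WFCU)},
], sort_keys=True).encode()

# The manifest's own digest, obtained out of band (published over HTTPS by the
# maintainer, or delivered signed) and pinned locally before any lookup. Here it
# is computed from the constructed manifest so the example runs offline.
PINNED_MANIFEST_SHA256 = sha256_hex(KNOWN_GOOD_MANIFEST)


class KnownGoodDB:
    """Hash allowlist that refuses to load a manifest failing its pin."""

    def __init__(self, manifest: bytes, pinned_sha256: str):
        # A tampered or impersonated copy of the database would otherwise
        # whitelist whatever the attacker put into it.
        if sha256_hex(manifest) != pinned_sha256:
            raise ValueError("known-good manifest failed integrity check")
        self.by_hash = {e["sha256"]: e["name"] for e in json.loads(manifest)}

    def classify(self, filename: str, data: bytes) -> str:
        known_name = self.by_hash.get(sha256_hex(data))
        if known_name is None:
            return "unknown"                      # candidate for deeper analysis
        if known_name.lower() != filename.lower():
            return "known-good content under unexpected name " + known_name
        return "known-good"


def triage(db: KnownGoodDB, files: dict) -> dict:
    """Map each (filename -> bytes) found on a host to its verdict."""
    return {name: db.classify(name, data) for name, data in files.items()}


# Constructed directory listing from an incident: one genuine file, one file
# reusing a legitimate name with different content, one genuine file renamed.
SAMPLE_FILES = {
    "FTShell.dll": VENDOR_FTSHELL,
    "WFCU.exe": b"MZ\x90\x00something else entirely",
    "svchost_helper.dll": VENDOR_WFCU,
}

if __name__ == "__main__":
    db = KnownGoodDB(KNOWN_GOOD_MANIFEST, PINNED_MANIFEST_SHA256)
    for name, verdict in triage(db, SAMPLE_FILES).items():
        print("%-20s %s" % (name, verdict))
```

The point of the "unknown" verdict is that a file named WFCU.exe whose hash is not in the list is exactly the case Rios describes: the name proves nothing, only the digest does, and the digest list proves nothing unless you can trust where it came from.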


General points of attention from the Iranian #Cleaver cyber campaign

"The report also contains more than 150 indicators of compromise. In most cases, once Operation Cleaver has infiltrated an organization, it has deep access via Active Directory domain controllers and credentials and compromised VPN credentials. In most cases, they’re exploiting vulnerabilities in Windows, Adobe products, Apache, and Cisco VPNs, switches and routers. Its most successful campaigns via these avenues, Cylance said, have been against South Korean transportation networks, including airports and airlines. To date no zero day exploits have been found, Cylance said.

"Cylance’s report also cautions that Operation Cleaver could have a special interest in airline and SCADA networks present in most critical industries. Overall, the campaign could be retaliation for Stuxnet, Duqu and Flame, Cylance said.

“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run,” Cylance said in its report. “This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.”

https://threatpost.com/report-connects-iran-to-critical-i...

First, there is still some hesitation to really attack the critical infrastructure of other countries.

Second, the importance of Active Directory and its security is shown once again.

Third, without two-factor authentication you have no really secure authentication.

Read the 80-page report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf


#sonyhack: DDoS attack against PC clients hosting Sony data on torrents

"Multiple sources are reporting that the links to the torrents for the stolen Sony internal data were posted on Pastebin late Monday morning. Less than an hour after that post went live, the individual hosts that were sharing copies of the Sony data came under sustained denial-of-service attacks apparently aimed at keeping the files from being shared with other torrent users." http://krebsonsecurity.com/2014/12/sony-breach-may-have-e...

If you know how P2P or BitTorrent works, you know that if you do not remove the torrent from your client after downloading it, you keep seeding it to the whole world. You become a publisher, a website in fact.

In this case that makes it enormously difficult for Sony to get the data off the web, but it seems that some operatives (hardly Sony itself, because this is illegal in some countries, even if the seeders cannot file a complaint because they are hosting stolen files) are using the DDoS weapon to slow down the computers sharing the files and so limit the spread.

This is an interesting development in the torrent world, because it can inspire others, and because it will also affect routers and other equipment not only at ISPs but at their customers. You can start a DDoS, but because of the nature of the internet you will never control all the fallout of a DDoS attack.


#sonyhack: this is the only sure thing that detects the wiper beacon (Snort)

The advantage of having Snort on your network (or, if the network is too big, on its most important part) is that it can detect botnets and malware before your antivirus signatures have been updated and distributed.

For the moment there is no VirusTotal entry for the file, so there is no easy way of knowing whether your network was hit with it.

“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.

Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:

alert tcp any any -> [88.53.215.64,217.96.33.164,203.131.222.102] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)

http://krebsonsecurity.com/2014/12/sony-breach-may-have-e...

But understand this correctly:

If that kind of traffic shows up, you have to take the machine off the network immediately, because the beacon means the wiping of the data on that disk has already started, and you cannot be sure you will be able to recover it; there is absolutely no guarantee.

And this is as important for your servers as for your desktops and laptops.
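To see what the quoted rule does and does not match, here is the same logic re-implemented over captured flows. It is an added Python example, not from Krebs or the FBI flash; the C2 addresses, ports, payload length and marker come from the rule quoted above, while the flow records are constructed. It also shows the operational consequence drawn above: a hit names a host to pull off the network, not a host to keep watching.

```python
"""Re-implementation of the quoted wiper_callout Snort rule over sample flows."""

# Constants taken from the rule quoted above (FBI flash via Krebs on Security).
WIPER_C2 = {"88.53.215.64", "217.96.33.164", "203.131.222.102"}
WIPER_PORTS = {8080, 8000}
MARKER = b"\xff\xff\xff\xff"
MARKER_OFFSET = 26      # offset:26; depth:4 -> only bytes 26..29 are inspected
PAYLOAD_SIZE = 42       # dsize:42 is an exact payload-length match


def matches_wiper_callout(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """True when a TCP payload satisfies every condition of the rule."""
    if dst_ip not in WIPER_C2 or dst_port not in WIPER_PORTS:
        return False
    if len(payload) != PAYLOAD_SIZE:
        return False
    return payload[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


def hosts_to_isolate(flows):
    """Source hosts whose flows match the rule.

    By the time the beacon is seen the wiping has started, so these hosts
    have to be pulled off the network, not merely watched.
    """
    return sorted({src for src, dst, dport, payload in flows
                   if matches_wiper_callout(dst, dport, payload)})


def beacon_payload() -> bytes:
    """Constructed 42-byte payload shaped like the rule's content match."""
    tail = PAYLOAD_SIZE - MARKER_OFFSET - len(MARKER)
    return bytes(MARKER_OFFSET) + MARKER + bytes(tail)


# Constructed flow records (src, dst, dst_port, tcp_payload), as pulled from a pcap.
SAMPLE_FLOWS = [
    ("10.0.0.5", "88.53.215.64", 8080, beacon_payload()),            # hit
    ("10.0.0.9", "203.131.222.102", 8000, beacon_payload()),         # hit
    ("10.0.0.7", "88.53.215.64", 443, beacon_payload()),             # wrong port
    ("10.0.0.8", "198.51.100.1", 8080, beacon_payload()),            # not a listed C2
    ("10.0.0.6", "217.96.33.164", 8080, beacon_payload() + b"\0"),   # 43 bytes, dsize fails
    ("10.0.0.4", "217.96.33.164", 8080, MARKER + bytes(38)),         # marker at wrong offset
]

if __name__ == "__main__":
    for host in hosts_to_isolate(SAMPLE_FLOWS):
        print("isolate", host)
```

Note how narrow the rule is: a single extra byte, a different port, or the marker four bytes earlier and nothing fires, so the absence of an alert proves nothing. Its value is as a tripwire that tells you which machines to unplug first.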


#sonyhack: a multi-strategy attack plan combining the best of everything

There was a massive DDoS attack, but nobody is sure where it came from.

There were infections through e-mail attachments.

There seems to have been some physical penetration.

There seem to have been employees who helped the hackers.

BUT

Before reading the quote, remember the following before jumping to conclusions.

If this comes from North Korea, then it is an intelligence operation.

If it is an intelligence operation, then the operational methods of intelligence operations have to be taken into account.

One of the most important aspects in this is to hide your sources, your methods and your identity.

Second, if by planting false information you can make an organisation totally paranoid, so that it starts investigating every possibility and loses sight of the real sources and methods and of you, because it is investigating tens or hundreds of employees looking for the mole, then you have hit the organisation a second time, and this time big time, because it will descend into purges and paranoia and even total disintegration (like MI5 when it was hunting for the fifth Russian spy, who was never found, if there ever was one).

So this is the quote, but it may be just a diversion.

I hope some of the people helping Sony have an intelligence background and are capable of playing the mind games the hackers seem to be playing.

Nevertheless, physical security has to be integrated into the overall security plan of your organisation, and people should not be able to wander freely around the building or offices (as is the case in some military headquarters...).

"In a statement to The Verge, 'Lena' referenced the need for equality once again, adding that Sony didn't want such a thing, and that it was "an upward battle."

"Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in. Im sorry I can't say more, safety for our team is important [sic]," 'Lena' told The Verge.

"If the claims are true, and the GOP had help from the inside in order to accomplish their aims, this is a disaster for Sony. It's one thing for an attacker to gain access from the outside; it's another when they can physically touch the environment. http://www.csoonline.com/article/2851649/physical-security/hackers-suggest-they-had-physical-access-during-attack-on-sony-pictures.html

In the article the claim is that some disgruntled people at Sony helped the hackers because 'Lena' wanted more equality, which would mean that some female employees were really fed up and were manipulated by the hackers (intelligence operatives) into lending them information (without really knowing what the impact would be, and probably thinking it would be another LulzSec-style stunt). That is, if this is not a diversion.

If you put one and one together, you arrive at disgruntled female employees with high privileges, who can bring outsiders into the building without being double-checked and who have access to the backups.

If that is the case, someone has taken a server, or a number of terabytes across several hard disks, and copied it directly (at the speed of the internal network and not through the firewall, which explains why nobody saw it). If that is the case (I repeat, to be sure).

In such environments you have to work with the information you have and make assumptions about the possible scenarios; some you can eliminate immediately, while others remain working scenarios for which you look for evidence to either close them down as dead ends or keep them as plausible.

If we assume a multi-strategy attack plan, it is even possible that the malware infections are separate from the copying of the backups and the intranet, even if they seem to have been done by the same group.


#sonyhack: medical and financial information of personnel leaked on Tor

"another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data."
http://krebsonsecurity.com/2014/12/sony-breach-may-have-e...

Leaking over Tor and torrents makes it very hard to destroy the data online, because it ends up hosted on hundreds or thousands of computers.

It is possible to contact the people in several Western countries and have them destroy that data, because of the legal issues of publicly sharing such data, but that cannot be done for computers in other countries.

You can also easily repackage the data in another file, or make a private torrent that you share only on certain networks, which makes cleaning up very difficult.

This means there is nothing to do but consider the data definitively lost, and that the people concerned will need new numbers, new accounts and so on, at Sony's expense.

It is clear that the hackers intend to hurt and eventually destroy Sony, which can do little to stop the leaks and their disastrous effects.

As so much information has been copied, Sony will have to consider all internal information compromised and take these measures for every employee who had any kind of information on the affected networks and systems.

This distinction was not made by the Belgian Privacy Commission in its January 2013 guidelines on data leaks, and I am not sure the European directive makes it either.
