privacy - Page 3

  • the new complete Man-in-the-Middle attack: DoubleDirect (and they get it all)

    "DoubleDirect uses ICMP Redirect packets (type 5) to modify routing tables of a host. This is legitimately used by routers to notify the hosts on the network that a better route is available for a particular destination[2]. However, an attacker can also use ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP. As a result, the attacker can launch a MITM attack, redirecting the victim’s traffic to his device. Once redirected, the attacker can compromise the mobile device by chaining the attack with additional Client Side vulnerability (e.g: browser vulnerability), and in turn, provide an attacker with access to the corporate network.


    With the detection of DoubleDirect in the wild we understood that the attackers are using a previously unknown implementation to achieve full-duplex MITMs using ICMP Redirect. Traditional ICMP Redirect attacks have limitations and are known to be half-duplex MITM. Zimperium Mobile Security Labs researched the threats and determined that the attackers are able to predict the IPs being accessed by the victim. We have investigated the attacks and also created a POC tool to prove that it is possible to perform full-duplex ICMP Redirect attacks. ICMP Redirect attacks are not easy to emulate because the attacker must know beforehand which IP address the victim has accessed. (There isn’t a systematic way to forward all the traffic from the victim through the attacker.)
    http://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild/

    so if they get all the traffic from and to your machine, because it goes through their servers, then there is not a lot you can do to protect yourself, and if you aren't fully encrypted from end to end then you just lose everything.
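    What such a redirect looks like on the wire, and how a host or network sensor can spot one that does not come from a router it trusts, as an added example (this is not Zimperium's code or tool; the packets, addresses and the "trusted routers" set are constructed for the demonstration). The check is defender-side: it parses the IPv4 and ICMP headers, pulls out the advertised gateway and the destination that the redirect claims to be about, and flags any redirect whose sender or gateway is not a router the host already knows.

```python
"""Added example: recognise ICMP Redirect (type 5) messages in raw IPv4 packets.

Not Zimperium's code. The packet builders exist only so the example runs
offline; a real sensor would feed parse_redirect() frames from a pcap or
a raw socket. The addresses used are constructed sample values.
"""
import ipaddress
import struct
from typing import Optional, Set

ICMP_PROTO = 1
ICMP_REDIRECT = 5          # RFC 792 "Redirect Message"


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def build_redirect(src: str, dst: str, gateway: str, victim_src: str, victim_dst: str) -> bytes:
    """Constructed ICMP Redirect-for-host (type 5, code 1): after the gateway
    field comes the IP header + 8 bytes of the datagram that 'triggered' it,
    which is how the receiver knows WHICH destination to reroute."""
    triggering = build_ipv4(victim_src, victim_dst, 6, b"\x00" * 8)[:28]
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.IPv4Address(gateway).packed) + triggering
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, ICMP_PROTO, icmp)


def parse_redirect(packet: bytes) -> Optional[dict]:
    """Return the redirect's sender, advertised gateway and the destination it
    applies to, or None if the packet is not an ICMP Redirect."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    inner = icmp[8:]                     # header of the triggering datagram
    target = str(ipaddress.IPv4Address(inner[16:20])) if len(inner) >= 20 else None
    return {
        "from": str(ipaddress.IPv4Address(packet[12:16])),
        "to": str(ipaddress.IPv4Address(packet[16:20])),
        "code": icmp[1],
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "target": target,
    }


def assess(packet: bytes, trusted_routers: Set[str]) -> Optional[str]:
    """Defender-side policy: a redirect is plausible only if it is sent by a
    router we already use AND points at another router we already know.
    Anything else is what a DoubleDirect-style host would send."""
    info = parse_redirect(packet)
    if info is None:
        return None
    if info["from"] in trusted_routers and info["gateway"] in trusted_routers:
        return "ok"
    return "suspicious"


if __name__ == "__main__":
    trusted = {"192.168.1.1", "192.168.1.2"}          # constructed sample routers
    rogue = build_redirect("192.168.1.1", "192.168.1.50", "192.168.1.66",
                           "192.168.1.50", "93.184.216.34")
    print(parse_redirect(rogue), assess(rogue, trusted))
```

The simplest mitigation is not to honour redirects at all on hosts that are not routers; on Linux that is `net.ipv4.conf.all.accept_redirects = 0` (and the `default` variant) in sysctl, and the sensor logic above is what you keep for the devices, such as phones, where you cannot change that setting.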

  • why should malware only take one password if it could copy all your passwords

    "IBM Trusteer researchers found a new configuration of Citadel that is being used to compromise password management and authentication solutions. It instructs the malware to start keylogging (capturing user keystrokes) when some processes are running.


    The relevant part of the configuration is shown below (in IBM Trusteer’s proprietary format):


    Snippet from the Citadel configuration file (in IBM Trusteer
    http://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/#.VG8L2YuUeT0

    so in fact this means that today it is password management software, but later it could be whatever identification file or system on your computer that gets intercepted or copied

    that is why in the safe portable (Sophos) the identification files are not in the root, kernel or system of Windows but on a pre-boot encrypted, separate system (and this is why it doesn't work with the Belgian eID but only with a token from SafeNet)

  • Snowden and Greenwald are politically dead in the US

    "Now it looks very much like Greenwald is becoming a voice in the blogging wilderness again, and Snowden is watching from Moscow, once again isolated, as his explosive revelations fizzle out politically. On Tuesday, led by Republicans voting en masse, the U.S. Senate defeated a motion to vote on the USA Freedom Act, which would have curbed the NSA's bulk collection of Americans' phone records. The new, harder-line Republican Congress coming in January doesn’t seem likely to pass the bill either
    http://www.politico.com/magazine/story/2014/11/edward-snowden-nsa-reform-113073_full.html

    Now those two are lambasting the system and the judicial system and the stupid public and whatever they can think of (the media for example) but they seem to forget - as we said here months ago - that Putin has changed the perception of the discussion as much as 9/11 did when we were discussing Echelon in 2001.

    Putin has brought us to the brink of the cold war again and his permanent madness of sending bombers and submarines to our coasts - sometimes nuclear-capable - with all the risks of military incidents or collisions with civilian airliners is just too mad to understand. It brought the possibility of military incidents right to our border instead of somewhere in some far part of Ukraine where there is shooting every day but nothing that could really be called a real big war.

    ISIS has helped too, of course.

    And it just doesn't seem the right time to dismantle the NSA now. You never know what they may miss because of the reorganisation, the limited resources or capabilities. They missed a 9/11 once because they didn't have enough translators and analysts.

    as long as there is more oversight - for the moment not enough people care enough

  • Fake leaks, fake hacks but real leaks and possible leaks

    There are some fake leaks around and as an alert blog you will get caught by them. The reason that we can get caught by them is that we have no authority whatsoever to test them. If we tested them then we would be breaking the law, and then every stupid lawyer or just some of the decision makers over here who would rather see me go could land me in court so I could lose my job and so on. Because whatever you do or say, the fact that you end up in court means that you lose and there is no way that you can correct this. People will always think that there is still something to it and that suspicion will always stay - even if you are looking for another or better job.

    So for ten years I have never been in court and I tend to keep it this way even though I have been reporting, researching and discovering all kinds of leaks and breaches.

    So we never test those leaks because the only test would be that I would try to use the published credentials to get access and that is illegal whatever you say about it.

    It is up for the people who own these credentials or the services they use to do the tests and to take immediate measures of protection if that should be needed.

    There are also sometimes hacks that aren't hacks because as in the case of some forum the forum wasn't hacked but the old admin had copied all the information of the members and placed it online. It is maybe not a hack but it is a leak and as such it stays a big problem.

    So the information we publish here is about possible leaks. Something some services need to check out, and if it isn't a leak then it was still worth testing, because if it were a real leak there would be a lot of trouble and work.

  • the Russian hacker showing thousands of unprotected webcams is looking for a job

    he is in all the itblogs and newsmagazines all over the world

    thousands or millions of people are visiting his site

    regretting they didn't change the standard password of their videocam and didn't encrypt the stream if it goes outside (imagine a smart TV with a reverse videocam)

    but hey, does he get your attention ? He is just looking for a job

  • After the DDOS on gamenetworks, here are the stolen passwords (also belgians)

    First there were the big DDOS attacks, but these were only the diversion; the real goal was to penetrate and to steal passwords and other stuff while all the staff was busy trying to keep the network up and the security tools were being overwhelmed, downgraded or just put on hold to be sure that the traffic passed fast enough 

    this is nothing new

    it has been done before by hackers and is in fact a very old military tactic 

    now there are thousands of logins (and some are from Belgians) 

    "Dear Internet, the following is a very small portion of Lord Gaben and the rest of his crew's glorious raids across the high seas of the Internet.

    Portions of our raids include:
    • 2K Gaming studio user credentials
    • Windows Live Email user credentials
    • PlayStation Network user credentials

    These usernames are bestowed upon you in the humble name of Derp.

    @DerpTrolling - @GabenTheLord - @UGLegion

    Let this be a warning to all.

    Nothing is safe from Derp

    http://pastebin.com/WVzviPyp

  • Detekt espionageware on your computer with this new tool

    espionageware is not spyware, because it is used to follow your political information and your political friends, while spyware just wants to make some bucks independently of your political views

    'Detekt is a very useful tool that can uncover the presence of some commonly used spyware on a computer, however it cannot detect all surveillance software. In addition, companies that develop the spyware will probably react fast to update their products to ensure they avoid detection.

    This is why we are encouraging security researchers in the open-source community to help the organizations behind this project to identify additional spyware or new versions to help Detekt keep up to date. Contact information is available here.

    It is important to underline that if Detekt does not find trace of spyware on a computer, it does not necessarily mean that none is present. Rather than provide a conclusive guarantee to activists that their computer is infected, our hope is that Detekt will help raise awareness of the use of such spyware by governments and will make activists more vigilant to this threat.
    http://www.amnesty.org/en/news/detekt-new-tool-against-government-surveillance-questions-and-answers-2014-11-20

    you can find the tool here : https://resistsurveillance.org/

  • Mensura leak: ACV asks government and social partners to take immediate action

    it is the first time, after so many leaks, that a trade union organisation openly stands up for the privacy rights of employees and makes room for it in the social dialogue 

    For the first time a major labor union in Belgium has understood that the privacy rights of its members have a place in the social negotiations that they have on a national level. In ten years of security-activism, this is really the first time and a major change.

    -----------------------------------------------------------------------------------------------------------------------------------

    Privacy of hundreds of Belgian employees seriously harmed by Mensura leaks
    ACV asks for the immediate creation of a task force

    Hackers gained access to part of the data of Mensura's medical control service. In doing so the hackers obtained the identity data of hundreds of employees, including their national register number (rijksregisternummer). The remarks that the employer concerned passed on to Mensura about the employee concerned were also taken: indications about their health, but sometimes also about their behaviour in the company, remarks about their family, pregnancies, number of sick days, incidents in the company, evaluation interviews, activities on social media, …

    After a failed blackmail attempt against Mensura, the hackers put part of these files online. As a result these files are freely available on the internet and have meanwhile been downloaded hundreds of times. The privacy rights of the employees concerned are thereby seriously harmed. These data threaten to haunt them on the internet forever.

    Contrary to the code of conduct, Mensura only disclosed this incident after it was reported on an IT blog. So far Mensura has notified only the employers concerned of this leak, not the employees concerned. These are often still not aware. Yet Mensura has the precise address details of the employees concerned and all the personal data about these employees that were leaked. Mensura asked the employers to inform the victims, the employees, in turn. It is very much the question whether all employers will inform the employees concerned, and whether they will also pass on the information that the employer supplied to Mensura. The nature of those comments puts some employers in a rather embarrassing situation. 

    We ask that Mensura inform all employees concerned without delay about which information was stolen. This is the application of the rules of the Privacy Commission. So far the hackers have published only part of the stolen information. Employees have the right to know which personal information about themselves has ended up in the hands of criminals.

    The ACV asks Minister of Justice Geens, Minister of Work Peeters and the Secretary of State responsible for Privacy Tommelein to immediately set up a task force with the social partners and the Federal Computer Crime Unit to tackle this crisis situation and to undo the consequences for all employees concerned as quickly as possible. This Task Force must also hold a fundamental debate on the way sensitive information is stored and exchanged. In the context of the introduction of the medical ankle monitor (medische enkelband), the importance of clear and sound agreements cannot be underestimated.

    The regulations should also be adapted so that employees get access to the data about them that is passed on to third parties in application of labour law. The rights of employees to their personal information when they become victims of incidents must be written into legislation and made enforceable. 

  • answer from the Privacy Commission about my complaint against Mensura (please sit down)

    otherwise you will have to sit down anyway, because this really beats everything 

    it was a complaint because Mensura also holds my data 

    and of course the Commission has already contacted Mensura 

    so what

    what has it done with it

    what happens with my complaint

    do I really have to go to court now to file a complaint for irresponsible behaviour and non-compliance with the Privacy Commission's own January 2013 guidelines on data protection? 

    the people at Mensura must be laughing, surely

    no fine, no reprimand, a bit of press but that will blow over (as long as none of their big clients goes to court, and even then it takes a couple of years) and meanwhile we just carry on, and next time (then we'll just pay, then we're rid of all the hassle we've had now and we can tell everyone who was against paying that they'd better have paid, because we've never had this much hassle and it cost us a lot more money) 

    privacycommissie-mensura.PNG

  • ALERT (and evidence from a victim in France): if you were a client of easypay, CHANGE ALL PASSWORDS NOW if your email address has the same password

    I changed the warning just to be sure 

    because all your passwords, and the way to change passwords in other services, go through your principal email address

    this is why you should have at least a unique password for your principal email address (and not one that has the same logic or the same words in another order as your compromised password)

    you can also activate in some online mail services two-factor authentication with your mobile phone (although your mobile phone is about as secure as a computer was 10 years ago, so I am not sure that this is a really future-proof solution) 

    these are two tweets that got my attention (maybe they want to show that the email addresses and passwords really work and give access to more than easypay, which has changed its passwords lately) 

    In the press it is mentioned that Belgocontrol (air traffic control) wasn't compromised by this leak. We never said they were. But if your authentication is ONLY based upon passwords for login then you are now faced with a big problem to secure your access. 

    some points 

    * smart hackers won't pay with bitcoin because it is not totally anonymous so don't trust the fact that it isn't sold yet according to the bitcoin indexes

    * I hope that easypay also gave all of its clients the very strongly worded advice to change their passwords now, especially those of their email and social media accounts, and to contact the security cell of their firm, bank or network if they use the password to access files or applications 

    * security people from many networks, banks and organisations will now have to block a limited number of people (if they received a list of their members who were a client of easypay and are on the 32,000 list). They can't depend on the supposition that those people - even warned - will all do the right thing in time, and should block their access to the extranet, files or applications for the time being, do some research (going back 2 weeks) and decide to give a new password  

    there are also French people involved, so I hope that the CERT and easypay have contacted the French clients, the French privacy commission and CERT to enable them to take all the measures described above 

    otherwise even more complaints may be coming their way, and the French privacy commission has the possibility to impose an administrative fine (something our new secretary of state for privacy DOES NOT WANT to do - which is nonsense because Europe will enforce this in two years).

    r.marissal in France so has more possibilities of receiving financial compensation than any Belgian victim

    Rex Mundi said that as a test they have accessed at least 2 mailboxes and one CMS of a firm's website (so all firms should look at the CMS of their websites if one of their users is on the list). You could be in for a lot of trouble if someone else infects it, uses it to attack another site or just downloads all the data on it

    some security people in Belgium and France will have a lot of work these days .... but if they follow the best practices they should be able to tell their CIOs that today or tomorrow everything is checked and changed or blocked awaiting results of the analysis.

    if you haven't received the client list for your network then you should complain to easypay or cert.be 
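    The advice above, that the replacement password must not share "the same logic or the same words in another order" with the compromised one, is something a password-change form can enforce instead of hoping users do it. The following is an added example of such a check (my code, not easypay's or anyone's product; the sample passwords are constructed). It strips the case, the digits and symbols tacked onto the ends and the usual leetspeak, and then rejects candidates that are the old password reordered, extended, or within a small edit distance of it.

```python
"""Added example: reject a new password that is only a trivial variant of a
compromised one. Constructed sample data; not code from the original post."""
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Common substitutions users make to "change" a password without changing it.
LEET = str.maketrans("@$013!57", "asoieist")


def core(password: str) -> str:
    """Reduce a password to its letter skeleton: drop the digits/symbols people
    tack onto the ends, undo leetspeak, lower-case. 'P@ssw0rd2014!' -> 'password'."""
    trimmed = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", trimmed.lower().translate(LEET))


def variant_reason(new: str, old: str) -> Optional[str]:
    """Explain why `new` is too close to the compromised `old`, or None if it is fine."""
    nc, oc = core(new), core(old)
    if new.lower() == old.lower():
        return "identical apart from letter case"
    if nc and nc == oc:
        return "same letters, only digits/symbols/case changed"
    if nc and sorted(nc) == sorted(oc):
        return "same letters in another order"
    if len(oc) >= 4 and (oc in nc or nc in oc):
        return "one password contains the other"
    # Catch single-character edits (easypay -> easypax) that the rules above miss.
    if SequenceMatcher(None, new.lower(), old.lower()).ratio() >= 0.75:
        return "too similar to the old password"
    return None


def screen(new: str, compromised: List[str]) -> List[str]:
    """Return one message per compromised password that `new` is a variant of.
    An empty list means the candidate may be accepted."""
    problems = []
    for old in compromised:
        reason = variant_reason(new, old)
        if reason:
            problems.append("%r: %s" % (old, reason))
    return problems


if __name__ == "__main__":
    # Constructed example: the password leaked at one service, and what the
    # user proposes for the mailbox that receives all the password resets.
    leaked = ["Summer2014!", "easypay"]
    for candidate in ["summer2015", "payeasy", "correct horse battery"]:
        print(candidate, "->", screen(candidate, leaked) or "accepted")
```

A real deployment would run this at password-change time against the passwords known to be exposed for that account (and against the old password itself); the distance threshold is a tuning knob, and a short old password makes the containment rule noisy, which is why it only applies from four letters up.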

  • privacycommission was in 2013 against the use of rijksregisternumber as online identification

    a few cases were mentioned and they were resolved, but as we saw yesterday it is still the case with several Flemish websites, for example

  • privacycommission wanted in 2013 that rijksregisternumbers are secured online

    further in the letter they say that I give people bad ideas, but it is the amateurs setting up websites without security that should be weeded out or brought in line

    we are now more than one year later and the same situation just goes on, without any regard for the problems that arise if they lose a database with your rijksregisternumber

  • a wordlist of 240 million possible passwords in the world for 13 dollars

    You can use this to crack passwords that don't have a timeout (like icloud before the fanning) or to find passwords that look like those that were used once or have the same logic (to limit the number of tries) 

    the beauty of it is that it is based on the biggest leaks since 2011 (this makes about 1 billion accounts, so this means that out of these a unique list of 241 million is constructed, leaving out 3 out of 4 because they are duplicates or because they are so unique that they don't matter much) 

    ps I didn't test it and I don't earn a cent with this but you should know that this is now available out there 

    or to crack a folder or a laptop that is offsite 

    UNIQPASS Specifications

    Version 14 released on September 30, 2013 with 241,584,732 entries
    1. For use with JtR wordlist mode with --rules set
    2. All passwords are unique and listed in sorted order according to their native byte values using UNIX sort command
    3. 192,916 of the passwords (UNIQPASS v1) came from English dictionary
    4. The remaining passwords were collected from leaked databases from various websites (including major sites e.g. Sony Pictures, Gawker)
    5. Max. password length is 30 characters long
    6. Password may consist of a-z, 0-9, spaces and special characters ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] | : ; " ' < , > . ? /
    7. UNIX end-of-line character is used as the newline character
    8. Trailing spaces, trailing tabs and NULL bytes have been removed from all passwords
    9. List compressed size is 428.0 MB, i.e. the downloadable size
    10. The total entries, 241,584,732, is based on UNIX wc -l output


    http://www.dazzlepod.com/uniqpass/
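    The defensive use of a list like this is to refuse any password that appears in it, at registration or password-change time, and the specification above tells you how to do that without loading 428 MB into memory: the entries are unique, one per line, and sorted by native byte value, so a binary search over the file's byte offsets works. Below is an added example of that lookup (my code, not dazzlepod's or UNIQPASS itself; the eight-word sample list is constructed and written to a temporary file). The sort order matters: it must be the byte order of `LC_ALL=C sort`, which puts every upper-case letter before every lower-case one, and the search compares `bytes`, not locale-aware strings, for the same reason.

```python
"""Added example: O(log n) membership test against a sorted breach wordlist on
disk. Sample words are constructed; this is not code from UNIQPASS/dazzlepod."""
import os
import tempfile
from typing import Iterable

# Constructed sample entries (deliberately unsorted and with a duplicate).
SAMPLE_WORDS = ["password", "123456", "Zimperium1", "letmein",
                "qwerty", "password", "easypay", "Password1"]


def write_sorted_wordlist(words: Iterable[str], path: str) -> int:
    """Write unique entries in byte order (what `LC_ALL=C sort -u` produces),
    one per line with a UNIX newline, like the UNIQPASS spec describes."""
    uniq = sorted(set(w.encode("utf-8") for w in words))
    with open(path, "wb") as f:
        for w in uniq:
            f.write(w + b"\n")
    return len(uniq)


def in_sorted_wordlist(path: str, candidate: bytes) -> bool:
    """Binary search by file offset: seek to the middle, back up to the start of
    that line, compare, and narrow the window. Never reads the whole file."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        lo, hi = 0, f.tell()            # candidate, if present, starts in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            while mid > 0:              # walk back to the start of this line
                f.seek(mid - 1)
                if f.read(1) == b"\n":
                    break
                mid -= 1
            f.seek(mid)
            line = f.readline()
            word = line.rstrip(b"\n")
            if word == candidate:
                return True
            if word < candidate:        # bytes comparison == native byte order
                lo = mid + len(line)
            else:
                hi = mid
        return False


def build_sample_list() -> str:
    """Write the constructed sample list to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "uniqpass-sample.txt")
    write_sorted_wordlist(SAMPLE_WORDS, path)
    return path


def screen_password(path: str, candidate: str) -> str:
    """Policy decision for a registration or password-change form."""
    if in_sorted_wordlist(path, candidate.encode("utf-8")):
        return "rejected: appears in breach wordlist"
    return "ok"


if __name__ == "__main__":
    wl = build_sample_list()
    for pw in ["password", "Zimperium1", "zimperium1", "correct horse battery"]:
        print(pw, "->", screen_password(wl, pw))
```

Note that an exact-match check catches only the list itself; the "rules" the spec refers to (JtR's mangling rules) are exactly the variants an attacker would try next, so the screen should be paired with a variant check of the candidate against its own lower-cased and digit-stripped forms.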

  • more shit we can do with the rijksregisternumber

    when we have an email address of the person

    then we can with his rijksregisternumber change the PUC access code to his EID

    that simple

  • and why don't we fuck up the unemployment file of someone with his rijksregisternumber

    we already have a thousand of them, there are probably more of them around

  • vlaamse examencommissie still uses the rijksregisternumber to recover a password

    so when we know - for example from social media - that someone does the central exams

    then we only need his rijksregisternumber to fuck it up for him

  • this happens if someone types in a rijksregisternumber of the leaked mensura.be file

    horrifying

    this one is neutral, but there are some comments or some medical information

  • mensura.be was not designed by a small firm

    so they made a mistake and disregarded everything that they should have known and that their developers should have done, because as a big agency they have the money and the resources to do the necessary tests to be sure that there are no traditional OWASP Top 10 mistakes in their online forms, for example (like SQL injection)
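    To make the "traditional OWASP Top 10 mistake in an online form" concrete, here is an added example (my code, not Mensura's; the table and the national-register-number values in it are constructed placeholders) of a lookup form that builds its query by string concatenation next to the same lookup done with a parameterised query and a format check on the input. The first returns every employee record for an input that is not a number at all; the second returns nothing.

```python
"""Added example: SQL injection in a lookup form, and the two fixes that
stop it (parameterised query, input validation). SQLite in memory; the
rows are constructed placeholders, not real data."""
import re
import sqlite3
from typing import List, Tuple

RRN_FORMAT = re.compile(r"\d{11}")      # a rijksregisternummer is 11 digits


def setup_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a medical-control database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, rrn TEXT, remark TEXT)")
    conn.executemany(
        "INSERT INTO employees (rrn, remark) VALUES (?, ?)",
        [("00000000001", "placeholder remark A"),
         ("00000000002", "placeholder remark B"),
         ("00000000003", "placeholder remark C")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, rrn: str) -> List[Tuple[int, str]]:
    """The mistake: the form field is pasted into the SQL text, so the input
    can change the WHERE clause instead of being compared by it."""
    sql = "SELECT id, remark FROM employees WHERE rrn = '" + rrn + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, rrn: str) -> List[Tuple[int, str]]:
    """The fix: a bound parameter is always data, never SQL."""
    return conn.execute(
        "SELECT id, remark FROM employees WHERE rrn = ?", (rrn,)
    ).fetchall()


def valid_rrn_format(rrn: str) -> bool:
    """Defence in depth: refuse anything that is not 11 digits before it
    reaches the database at all."""
    return RRN_FORMAT.fullmatch(rrn) is not None


def handle_form(conn: sqlite3.Connection, rrn: str) -> List[Tuple[int, str]]:
    """What the form handler should do: validate, then query with a parameter."""
    if not valid_rrn_format(rrn):
        return []
    return lookup_safe(conn, rrn)


if __name__ == "__main__":
    db = setup_db()
    hostile = "' OR '1'='1"              # classic injection test string
    print("vulnerable:", lookup_vulnerable(db, hostile))   # every row
    print("safe:      ", lookup_safe(db, hostile))         # nothing
    print("handler:   ", handle_form(db, "00000000002"))   # one row
```

The parameterised form is the real fix; the format check is there because the page's whole point is that this particular field is a sensitive identifier, and a field that only ever accepts eleven digits also gives you a clean place to log and alert on everything else that gets typed into it.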

    this is one of the biggest agencies around here 

    which other websites did they forget to check for security mistakes? 

    so you can ask yourself what else was forgotten on mensura.be ? 

    I can't know, because in Belgium you can only be prosecuted for that ....... If some of the complainants want an independent security check by real professionals I trust for my work, and have money for it during the course of the investigation, I can put you in contact (also if you need forensic experts to look for the proof of their fuckups that they are now trying to destroy) 

    use my linkedin please 

    mensurawhois.PNG

  • my personal complaint with the privacycommission against mensura.be

    they will have my data somewhere in their database 

    so I filed a personal complaint

    in my postings you or your lawyer will find enough information showing that Mensura did not inform us, didn't protect our data as it should have and was lying about the data that it lost (there is medical information in some of the files) 

    I am not sure that my data is lost but that doesn't matter, they had my data and they don't do enough to secure it

    you can, as an organisation representing people (trade union) or as an organisation or firm that is a client of mensura.be or easypay.be, file a complaint with a simple email to commission@privacycommission.be  

    you have to mention three things 

    * why you do it and what your interest is, or who you legally represent 

    * which leaked data we are talking about and what the effect is (in some cases medical privacy, in some clearly reputational damage, in all cases loss of your Rijksregisternumber)

    * the rules and recommendations of the Recommendation of the Privacy Commission of January 2013 that were and ARE not respected: about security before the leak, about breach notification and about taking the necessary measures AFTER the leak 

    remember if we didn't publish this information, you wouldn't even have known

    mensura still asks for the rijksregisternumber and (bad) comments 

    easypay still has its UNPROTECTED login pages online 

    don't just be angry, use the system, wake up the system, send an email - this is enough

    what has to happen next for the politicians, the administrative controls and the employers' organisations to DO something (and it is in the interest of business that only those who really invest in security and service are 'certified', and not whatever cowboy with a cheap programmer and a cheap server who tries to undercut your price in exchange for no security and in fact no service)

    mensura2.PNG