and so you can see that there is medical data in it, whatever Mensura is saying
it will be deleted fast, though
and so the cat and mouse game will go on and on and on
and the number of people having access to that data will increase and increase and increase
with the rijksregisternumber in it, why your employer didn't trust you and, here and there, which sickness you claim to have
Skynetblogs has asked me to suppress this image.
If you need this information as a lawyer to prove your case, you can contact me, and please explain why you need it.
The dataset that Rex Mundi found on the website of easypay (which has some secure parts and some older, very insecure parts, without even encrypted logins) consists of passwords combined with email addresses used as logins.
so this is one possibility, especially because there is NO ENCRYPTION on that login (how is this still possible...) and there are other login pages and forms like that on this site without any encryption
we didn't test for any SQL injection on any site, as this would be illegal under Belgian law and we don't do anything illegal - because so many people hate us that they would love to prosecute us and silence us (to be able to keep on doing their work as if nothing happened and you would never know)
the biggest question is whether all the users have been informed that their logins and passwords are compromised and should be reset, and that they should change their password if they use it anywhere else with the same email address
they are lucky, it could have been much worse, but I have also thought that Rex Mundi was always in for a quickie and has not proven that he is up for big, complicated, long-term operations using different entry points on websites or combining vulnerabilities and mistakes (at least this is not the impression I have until now, but he can also try to convince me of the contrary). On the other hand, why would you do such operations and take such risks of leaving so many traces behind if there are so many websites that are so badly written and maintained that in a few minutes you just get the data.
It is like walking into a casino with rows of cash machines: sometimes you are lucky and sometimes you are not. We don't know how many websites have paid and we will probably never know, because no data has been published about them. We only know of the hacked or breached sites because they don't want to pay, or not immediately. On the other hand, his price has gone up so enormously that paying has become much more difficult for some companies. When he was asking only a few thousand dollars, most companies could keep it away from the board of directors and hide it in a consultancy or other contract. With the stringent financial rules this is much more difficult if you are asking 30.000 Euro or much more. But it also shows that some companies have paid so much without much resistance, and that has increased the price for all the others as well.
As a reminder I have nothing to do with this group or guy and only know them through twitter.
it seems that some trade union organisations are beginning to move and are talking to lawyers to prepare official complaints
Belsec is available for help and advice
the recommendation of January 2013 by the Privacy Commission is very important
easypay.be, a payroll company, was the next victim of Rex Mundi, and there are at least 10 databases that are not protected
from other tweets we know they have said that they had the logins, which weren't well encrypted, and we have already published that the certificate of the https protection is not worth one cent
developing story - follow us
and their page that calculated your loan has been retired
interesting links (with the same bad encryption)
https://payrolling.easypay-group.com/ remote desktop connection
http://easyweb.easypay-group.com/xhtml/router.jsp (login page without encryption)
http://eunomia.easypay-group.com/xhtml/com/easypaygroup/standard/view/authentication/authentication.xhtml (login page without encryption)
and the same site has a registration page with all kinds of personal data without encryption
it gets even better
http://www.easypay-group.com/fr_BE/guichet_d_entreprises/formulaire/ (no encryption :)
this is how it is done in one pic
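The kind of check behind the list above (does a form submit over plain HTTP, and does it carry a password or a national register number?) can be automated against a saved copy of a page. The following is an added example, not Belsec's tooling or anything from the sites named here; the hostnames and HTML are constructed (`.invalid` domains never resolve), and the list of sensitive field names is an assumption you would extend for your own forms.

```python
"""Audit the forms on a saved HTML page: does each form submit over TLS, and does it
collect a password or a national register number? Constructed example, not Belsec's
own tooling; the hostnames and HTML below are made up."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that should never travel over plaintext HTTP (assumed list; extend as needed)
SENSITIVE_NAME_PARTS = ("password", "passwd", "pwd", "rijksregister", "rrn", "insz", "niss")


class _FormCollector(HTMLParser):
    """Collects every <form> with its action attribute and its <input> names/types."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name", ""), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: the resolved submit URL, whether it is plaintext,
    and which fields look sensitive."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative action inherits the page's scheme; an absolute one may downgrade it.
        target = urljoin(page_url, form["action"])
        plaintext = urlsplit(target).scheme.lower() != "https"
        sensitive = [
            name for name, ftype in form["fields"]
            if ftype == "password" or any(p in name.lower() for p in SENSITIVE_NAME_PARTS)
        ]
        findings.append({"action": target, "plaintext": plaintext, "sensitive_fields": sensitive})
    return findings


# Constructed sample pages (hostnames under .invalid are reserved and never resolve).
LOGIN_PAGE_URL = "http://login.payroll.example.invalid/router.jsp"
LOGIN_PAGE_HTML = """
<form method="post" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>
"""

REGISTRATION_PAGE_URL = "https://www.payroll.example.invalid/register"
REGISTRATION_PAGE_HTML = """
<form method="post" action="http://forms.payroll.example.invalid/submit">
  <input type="text" name="email">
  <input type="text" name="rijksregisternummer">
</form>
<form method="post" action="/contact">
  <input type="text" name="message">
</form>
"""

if __name__ == "__main__":
    for url, html in ((LOGIN_PAGE_URL, LOGIN_PAGE_HTML), (REGISTRATION_PAGE_URL, REGISTRATION_PAGE_HTML)):
        for f in audit_forms(url, html):
            flag = "PLAINTEXT" if f["plaintext"] else "tls"
            print(f"{flag:9} {f['action']}  sensitive={f['sensitive_fields']}")
```

The second sample page shows the case that is easy to miss: the page itself is served over https, but the registration form posts to an http URL, so the national register number still crosses the wire in the clear. Whether the https endpoint's certificate is actually valid is a separate, live check that this offline script does not make.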
the more Tor and the Tor relays are used, the better our protection
and it is obligatory
only a few like Silk Road really matter, all the rest are scam sites or criminal clones
but that is understandable, as the operation didn't really take down Tor sites, it took down servers in Bulgaria hosting Tor sites (9 in total were mentioned somewhere)
- Out of a total of 276 seized onion addresses found, we identified 153 of the addresses as belonging to either clone, scam or phishing sites.
- Of the 153 clone or scam sites, 133 were clones and 20 were scam or phishing sites.
- In a number of cases the FBI has seized the clone or scam version of a site while leaving up the real site.
- In May of 2014 a bot known as the “Onion Cloner” was discovered and became known to Tor hidden service operators. This bot would find Tor hidden sites and clone them on its own address in an effort to steal passwords or intercept Bitcoin transactions. Of the 133 clone sites that the FBI seized, a large number of them were clone sites produced by the Onion Cloner that were mistaken for the real copy.
- Of the 32 onion addresses mentioned in the DOJ seizure notice filed in US court, 3 are scam sites and 9 are clone websites.
- Of the 8 websites mentioned in the FBI press release, 2 are clones and 1 is a scam site.
- As far as our survey has revealed and based on prior data about the Onion Cloner, every single Onion Cloner clone site has been seized.
- Pink Meth, a revenge porn site and one of the most popular Tor hidden services was seized and not mentioned in any seizure notice.
- There are almost 200 sites that have been seized that are not mentioned in any seizure notice or press release.
- A number of websites were taken down with little or no legal justification, including personal websites and community forums.
- Scam or phishing versions of Silk Road 2.0, Agora, Real Cards Team, Evolution and many other sites were seized.
- For some of the onion addresses, being mentioned in the FBI press release or the seizure notice is the first and only ever public web mention of the address.
- The seized website “GreenPaper Counterfeiters”, cited in the seizure notice as “Super Notes”, is a scam website.
- The website “Executive Outcomes”, which the FBI claims in seizure notices and press releases was a retailer of firearms, was a well known scam site – it never shipped any weapons but took users' funds.
- The website “Fake ID” is mentioned in the FBI seizure notice and press release as a shop that sold high quality passports and identifications. The FBI seized a clone copy of this website, not the real website.
if you aren't stupid you know how to find it
so if they get hacked you lose it, and if you lose it together with the number of your EID then you are really busted
all the forms which have NO HTTPS have no certificate and no encryption at all, and if they get attacked by an SQL injection because they didn't check their code as they should have done, then all your data is gone, including the data that you will never be able to change again
you cannot be prosecuted for giving fake RRN numbers or EID numbers as long as the rest of the info is correct
http://belsec.skynetblogs.be/apps/search/?s=rijksregisternummer our previous actions
Privacy Commission, where are you?
if you belong to these organisations you can ask them to change it in a form
https://www.mechelen.be/loket_files/605/contactformulier-vrijwilligers.html (bad certificate)
https://informatie.santander.be/BE_CONS_OFT_WEB/pages/nl/form2.jsp?sid=c0b19acb0fa71b511c0b18ae10c4886d (bad certificate)
1. Mensura was not hacked; they had an SQL injection in a form, which is a vulnerability that has been known since the year 2000 and which could have been found if they had checked the code or done a security check before they launched the site or the form
but they didn't
2. The biggest problem is that there are thousands of rijksregisternumbers linked to a name and linked to indications about the health situation of the people or the reason the employer wants a check of their medical leave
these unique identifiers can't be changed, and the fact that these numbers were obligatory in the form just showed how little they were interested in privacy, because if you are privacy-conscious you only ask for the information you really need and nothing more, and you absolutely never ask for unique identifiers like the rijksregisternumber, because they are used throughout your life (like the social security number in the US)
we should take those rijksregisternumbers off the internet - or stop using them as unique identifiers - but you can't have it both ways
3. the victims themselves were not contacted, only the firms or organisations for which they worked, but I am not sure that any of these firms informed their members that there was medical information or some very negative comments about them online
and it is not the information of the companies that is compromised, it is the information of the persons: it is their rijksregisternumber, it is their reputation, it is their sickness which is in that file for some
4. Mensura is not very clear about what was stolen. We have access to a file with about 1100 lines, but the numbers of the lines go up to 10.000 and more, and in its first reaction in De Tijd Mensura itself talked about thousands of files, and Rex Mundi says that they have MORE
5. Mensura has not communicated about the leak and the breach and there was no mention of it on the website, and I reckon that if I hadn't mentioned it, written about it and sent this information to the press, nobody would have talked about it and everybody would have forgotten about it - like all the other cases
There are those guidelines from January 2013 (nearly two years old but a bit hidden on the website and happily forgotten by most of the industry and services) http://www.privacycommission.be/sites/privacycommis...
and in French (they aren't translated): Recommandation d'initiative relative aux mesures de sécurité à respecter afin de prévenir les fuites de données (own-initiative recommendation on the security measures to be observed in order to prevent data leaks)
based on this, any victim can go to court or file a formal complaint with the Privacy Commission (just send an email to email@example.com)
and in those guidelines we also read the following
about the notification
"More specifically, in the case of a public incident the competent authorities (Privacy Commission) must be informed within 48 hours about the causes and the damage.
27. A public information campaign will be started 24 to 48 hours after notification to the authorities."
there was no public information campaign, there was nothing on the website about the hack - the news about the hack did the rounds because I published it and NOT because the firm published it (the firm has been in negotiation with the hacker for some time)
about filing a complaint (about time that a message is sent to the market)
"Moreover, in the event of non-compliance the Commission commits itself to using all legally available means whereby the liability of the controller is engaged and the controller runs the risk of being prosecuted. After all, unless the law provides otherwise, the Commission reports the offences of which it has knowledge to the public prosecutor (art. 32, §2 WVP).
35. This set of rules thus constitutes the rules of the art that every controller must observe in order to ensure optimal information security and consequently to guarantee the protection of the personal data of the data subjects.
36. The present recommendation will allow the judicial authorities, when complaints are brought before them or they take them up on their own initiative, to assess any fact that constitutes a breach of the WVP and to evaluate its seriousness.
37. Finally, the Commission recalls that the controller is liable for the damage resulting from an act that is contrary to the provisions laid down by or pursuant to the WVP. He is released from this liability if he proves that the fact that caused the damage cannot be attributed to him (art. 15bis of the WVP). "
SQL injection has been known since... 2000 and can be tested for and prevented by any means
keeping all that data online even if you don't need it online (when you could transfer it back to a secured server behind the firewall with unidirectional traffic (everything in, nothing out), full encryption, limitations on data use and so on)... these are all normal, standard things to do when you have to protect data, which have been written about and advocated for years and don't cost a lot of effort or money.
so guilty as charged... I rest my case
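The defect behind points 1 and 5 above, and the one-line fix that has been standard since the early 2000s, side by side. This is an added example with a constructed in-memory SQLite table shaped like an absence-control request form; it is not Mensura's code, and the rows and addresses are fictional.

```python
"""Why a web form that glues user input into its SQL leaks the whole table, and the
one-line fix. Added example with a constructed in-memory database; not Mensura's code."""
import sqlite3

# Constructed sample rows in the shape of an absence-control request table (fictional data).
SAMPLE_ROWS = [
    ("anna@example.invalid", "employer doubts the sick note"),
    ("bram@example.invalid", "frequently absent on Mondays"),
    ("o'brien@example.invalid", "no remark"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE requests (id INTEGER PRIMARY KEY, employee_email TEXT, note TEXT)")
    conn.executemany("INSERT INTO requests (employee_email, note) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """The classic defect: the request parameter becomes part of the SQL text."""
    sql = "SELECT employee_email, note FROM requests WHERE employee_email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    sql = "SELECT employee_email, note FROM requests WHERE employee_email = ?"
    return conn.execute(sql, (email,)).fetchall()


def row_counts(email):
    """Rows returned by each version for the same input ('error' when the query breaks)."""
    conn = build_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, email))
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, len(lookup_safe(conn, email))


if __name__ == "__main__":
    for email in ("anna@example.invalid", "o'brien@example.invalid", "x' OR '1'='1"):
        counts = row_counts(email)
        print(f"{email!r:32} vulnerable={counts[0]!r:8} safe={counts[1]}")
```

The apostrophe case is the one a code review or a basic functional test would have caught without any attacker involved: a perfectly legitimate surname breaks the concatenated query, which is the same symptom that tells an outsider the input reaches the SQL engine unescaped. The bound-parameter version returns exactly the one matching row in every case.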
of his next victim, of which we know the name, but for the moment it is only shared with FCCU.be and CERT.be and there is no confirmation yet
we know the following
Rex Mundi said that the encryption of the login was very bad, it was cleartext (or nearly)
but they have https, so they have encryption, and they have a certificate, so they are safe - aren't they?
these should be deleted from all forms and should never be asked for
don't trust them when they say it is safe, because you have no idea if it is safe and they probably don't either
the risk of losing your unique ID linked to your email address and other information about you is just too great and it ain't worth it
the Privacy Commission is even totally against using the rijksregisternumber online for identification or as data - that is what they said
Belsec has even launched actions together with the Privacy Commission to get that number out of some registration services
So if you find forms or identification processes that use the rijksregisternumber, complain to the Privacy Commission, mail the site owner, refuse to fill it in or fill in bogus information
NEVER fill in your own real rijksregisternumber online
as long as there are no standards in Belgium for security, you don't know shit about the security of your information in Belgium
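The first step for any organisation that wants to follow the Privacy Commission's line and stop using the rijksregisternummer as an identifier is finding out where it is already stored: in which forms, which tables, which free-text remark fields. The scanner below does that for a set of records, keeping only checksum-valid numbers so that phone numbers and other eleven-digit runs stay out of the report. It is an added example, not Belsec's or the Privacy Commission's code; the records are constructed and the numbers in them are made up (but checksum-valid, which is why a validator can recognise them). The check-digit rule it implements is the published one: 97 minus the first nine digits modulo 97, with a leading 2 prepended for people born in 2000 or later; 'bis' numbers (month field plus 20 or 40) are a simplification it does not handle.

```python
"""Find national register numbers (rijksregisternummer) in your own records so the field
can be dropped. Added example, not Belsec's or the Privacy Commission's code; the records
are constructed and the numbers in them are made up but checksum-valid."""
import re
from dataclasses import dataclass

# YY MM DD - NNN . CC with the usual separators (or none); not preceded/followed by a digit.
RRN_RE = re.compile(r"(?<!\d)(\d{2})[.\s]?(\d{2})[.\s]?(\d{2})[-.\s]?(\d{3})[.\s]?(\d{2})(?!\d)")


def rrn_checksum_valid(digits):
    """digits: the 11 digits YYMMDDNNNCC. The check is 97 minus (first nine digits mod 97);
    for people born in 2000 or later a leading 2 is prepended before the modulo."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    body, check = int(digits[:9]), int(digits[9:])
    return check in (97 - body % 97, 97 - (2_000_000_000 + body) % 97)


@dataclass
class RrnHit:
    record_id: str
    field: str
    masked: str  # birth date kept, serial and check digits masked


def find_rrn(records):
    """Scan every text field of every record; return the checksum-valid hits only,
    which keeps phone numbers and other 11-digit runs out of the report."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            for m in RRN_RE.finditer(str(value)):
                digits = "".join(m.groups())
                month, day = int(digits[2:4]), int(digits[4:6])
                # Simplification: 'bis' numbers add 20 or 40 to the month and are not handled here.
                if not (1 <= month <= 12 and 1 <= day <= 31):
                    continue
                if rrn_checksum_valid(digits):
                    hits.append(RrnHit(rec.get("id", "?"), field, digits[:6] + "-***.**"))
    return hits


# Constructed records; 85.07.30-033.28 and 05021412390 are checksum-valid made-up numbers,
# 85.07.30-033.29 is not, and the phone number must not be reported.
SAMPLE_RECORDS = [
    {"id": "r1", "email": "anna@example.invalid", "note": "rrn 85.07.30-033.28, employer doubts sick note"},
    {"id": "r2", "email": "bram@example.invalid", "note": "call 0485 12 34 56, id 85.07.30-033.29"},
    {"id": "r3", "email": "cas@example.invalid", "identifier": "05021412390"},
]

if __name__ == "__main__":
    for hit in find_rrn(SAMPLE_RECORDS):
        print(f"{hit.record_id}: field '{hit.field}' contains a national register number {hit.masked}")
```

Run against a database export or a directory of form definitions, the report tells you which fields to remove and which free-text fields need cleaning before the data is moved to the secured server described above; the masked output is deliberate, so that the audit report itself does not become another copy of the numbers.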
First, we now know that when Rex Mundi says they have more data from Mensura, it is maybe only from that form (which we thought in the beginning), but that apart from the thousand lines that we have there are THOUSANDS more (so now I will have to inform my employer)
Secondly, they have informed all their clients, they said. But hey, those are NOT the victims. The victims are WE - because our email address, our employment, the suspicions of our employer, our sick leave or sickness may be in these files, and they are coupled with our UNIQUE IDENTIFIER (NATIONAAL RIJKSREGISTERNUMMER)
Third - this doesn't give an answer to the most direct question
what is happening now?
Everybody says that they shouldn't pay the blackmailer - I don't like blackmailers either and I have no link whatsoever to this guy or group
BUT HE HAS THIS KIND OF INFORMATION ABOUT US WITH OUR NATIONAAL RIJKSREGISTERNUMMER AND THAT CAN'T BE CHANGED LIKE THAT
IF HE PUBLISHES THIS ON SERVERS THAT WON'T TAKE DOWN THE INFORMATION OR HE REPUBLISHES IT LATER ON - THOUSANDS OF PEOPLE ARE PUBLIC ON THE INTERNET WITH ALL THAT INFORMATION
AND NOBODY WILL LOOK AFTER US - LIKE MICHAEL JACKSON SAID, THEY DON'T CARE ABOUT US
tonight he will be releasing more information, they claim, of another online human resources firm (we know the name and will be contacting the different agencies)
We know that logins at least are totally compromised for this firm
they also claim that they have much more information from Thomas Cook and Mensura, but we haven't seen it yet - but if we go by our experience with this group, they do have information if they say they have (sometimes it is only much older, but that doesn't make it less damaging)
sorry, we have back-office work to do now :)
by the way, mail the Privacy Commission, call your political representatives; the only way to stop this is to get real responsibilities for these firms
if they want to use our data online, they have to secure our data online
even if there are no hackers online sending threats, having breached them or having published information
For Thomas Cook: it seems that all the contact and administrative information for all of your partners and travel companies has been leaked, and some of it may be used (if sold online) to make fake payments or to breach your networks with that kind of administrative and contact information
changing the name of your email domain wouldn't be a bad idea, for example :) nor would upgrading your defenses with anti-APT, upgrading your antispam and stopping downloads of attachments
we have about 64 pages of information that was leaked (about 1100 people), so this information is from a totally different page than the one we have extracted the email addresses from
"the person concerned no longer wants to come to work and has announced that they will go on sickness benefit. "
"Very often sick at home. Works part-time with the adviser's permission."
"has been ill for 2 weeks and wants to get fired (with compensation"
"The person concerned has been ill several times over the past period:"
"Employee has high blood pressure"
"Works nights and went home at 1 o'clock tonight"
"We have doubts about the absences"
there are many others that are just neutral
but remember, this information is forever linked with their UNIQUE NUMBER (rijksregisternumber) somewhere in 300 places (and wherever it may be backed up or distributed)
mensura.be lost the recent medical absence control complaints for these companies (for example - not exhaustive)
based upon the file that we have in our hands, delivered to us by another activist anti-breach portal
there are 1100 recent complaints with names, email addresses, rijksregisternumbers and medical information, and a complaint if the person is faking or abusing it
these have been downloaded more than 300 times before it was taken offline (this information may be in some 'dark' databases that nobody knows exist but that are used by some 'headhunters' or 'insurance companies'; rumours that those are collecting that kind of data have been online)
this is just a small sample - just to give an idea
and there is lots, lots more...
first we can confirm that the published data from Mensura has to do with its online form with which their tens of thousands of clients could ask the doctors of Mensura to check if someone is really sick
about a thousand names with email address, medical information and their NATIONAAL RIJKSREGISTER number were published
the biggest problem is that if this recent data is published, a 1000 persons will exist on the internet as if they had tried to defraud their employer with fake sick leave, or medical information is published that shouldn't be on the internet anyway
imagine that a message like this is published on the internet
employer name and email asks to check on you, with your email address and your national rijksregister number and with a mention that they think you have taken a fake sick day or that you have some sickness or accident
and that has been downloaded 300 times at least
we have a copy of the pastebin of Rex Mundi with the samples of the data that has been published and has now been destroyed
THIS HAS BEEN DOWNLOADED AT LEAST 300 times according to our information
there were effectively 2000 Netflix accounts leaked, some of them Belgian, but Belgacom has asked me to suppress the image.
I don't think anybody else is trying to inform you that Netflix accounts are being published on pastebin (you know how to search for that in the search box, don't you?)
oh and the leaking goes on...