privacy - Page 45

  • facebook does not test its code sufficiently and has leaks as a consequence

    Facebook blamed the data leaks, which began in 2012, on a technical glitch in its massive archive of contact information collected from its 1.1 billion users worldwide. As a result of the glitch, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have.
    http://mobilebeta.reuters.com/facebook-admits-year-long-data-breach-exposed-6

    So if you read this, you think: how is it possible that they didn't see this while testing their code and their functionality? If those tests had been done as they should have been, they would have seen it and there wouldn't have been a bug.

    And secondly, how do they know how many numbers and addresses were inappropriately downloaded, and how can they put a specific number on it, unless they can see who downloads how much contact data and from whom (a scary thought for privacy people, but Facebook is scary).

  • privacy movie: Enemy of the State

    The guy is a bit paranoid, but the main rule he lives by is to use nothing of the digital or other infrastructure, so that no traces are left.

    google search site:youtube.com enemy of the state full film

    one example

  • Turkey wants to forbid fake accounts on facebook and twitter

    Deputy Prime Minister Bekir Bozdağ said many fake accounts had been set up and that this should be prevented. “If someone is opening up an account, everybody should know the person who opened the account. When we look into the recent incidents, there are many fake accounts opened for someone else. They don’t know this. Tweets are being sent from those accounts. Provocations are being done against people. To avoid all these things, there are some regulations being made to make this place used correctly. Regulations will be shared with the public when the time comes. There will be investigations about what kind of preventive measures are taken into consideration both in Turkey and internationally,” he said.

    http://www.hurriyetdailynews.com/fake-social-media-accounts-to-be-prevented-turkish-deputy-pm.aspx?PageID=238&NID=49189&NewsCatID=338

    This is like China and Iran: real examples of virtual or real democracy, worthy of a country that wants to become a member of the European Union.

    Use a proxy and log in to your social accounts from another country, so that when the providers are obliged to apply those laws (or are threatened with closure) they cannot enforce these rules on you, because you appear to be logging in from somewhere else (put another country in your profile, and another city and language).

    You are a virtual exile, in fact.

  • Turkish government wants to ban Twitter

    “Twitter doesn’t have a legal basis in Turkey. They take ads but they do not pay tax in Turkey. It should establish a company compliant with the Turkish Commercial Code, like Facebook and YouTube,” the ministry officials told daily Hürriyet. Protestors are being held in custody for “inciting riots and conducting propaganda” on Twitter, and these custodies have been criticized as being contrary to the law. Amid these disputes, the ministry has indicated it is likely to examine Twitter’s activities in Turkey more closely.
    http://www.hurriyetdailynews.com/twitter-to-be-adjusted-amid-gezi-park-probe.aspx?pageID=238&nID=48750&NewsCatID=345

    If you can't beat them the legal way, then you can try to beat them where it hurts most: in their business.

    So the Turkish government is blackmailing Twitter, because Twitter was not only used to coordinate the protests but was the main communication channel during them, and the government isn't getting the identities of even the people who were arrested.

    Remember that this country wants to become a member of the European Union and should therefore respect the European Convention on Human Rights.

  • China can see any encrypted connection or file on its infrastructure according to stratfor

    Stratfor, which lost all of its member files and mailboxes to AntiSec/LulzSec in their latest enormous hack (although it was steered through the FBI informer Sabu), was and is the biggest private CIA-like operation on a worldwide scale (although most of its contacts don't necessarily know they are involved in such an operation, because it looks like business intelligence/consultancy, except for those who are paid for their information or invited to conferences around the world).

    INSIGHT – CHINA – Cloud Computing – CN64

    Date 2011-02-15 20:51:29
    From michael.wilson@stratfor.com
    To analysts@stratfor.com
    Others Listname: mailto:analysts@stratfor.com
    MessageId:
    InReplyTo: 4D5ACE22.2000406@stratfor.com

    Text
    **In response to what we just wrote on the CSM

    SOURCE: CN64
    ATTRIBUTION: Professional hacker
    SOURCE DESCRIPTION: Owns his own internet security company that consults
    with companies globally including China
    PUBLICATION: Yes
    SOURCE RELIABILITY: A
    ITEM CREDIBILITY: 1
    DISTRIBUTION: Analysts
    SPECIAL HANDLING: None
    SOURCE HANDLER: Jen

    In concept this article is factually correct that it is possible (although
    the word “clouds” is probably not ideal – “cloud network” is better).
    Some might say things like “Well we only use SSL/TLS connections to the
    machines, and we have XYZ security in place to prevent direct tampering.”
    The problem is if the site is located within China, the Chinese
    governments can still intercept and see SSL/TLS encrypted traffic because
    they have root certificates in the browser. Once something is in the
    physical hands of the enemy there is virtually nothing that the end
    company can do. That is especially true if they manage the infrastructure
    and don’t just provide hosting. Overall I think it’s a bad idea for
    everyone but China. But I’m sure they’d say the same regarding the NSA’s
    spying activities, https://www.eff.org/nsa/hepting So it’s a bit like the
    pot calling the kettle black.


    Jennifer Richmond
    China Director
    Director of International Projects
    richmond@stratfor.com
    (512) 744-4324
    http://www.stratfor.com

    Related Links:

    http://wikileaks.org/gifiles/docs/1126742_insight-china-cloud-computing-cn64-.html
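    The interception the source describes works because a CA the browser already trusts issues a certificate for the site, so ordinary certificate validation passes. The client-side countermeasure is to pin the server's public key (the SubjectPublicKeyInfo, as HPKP did), so that a certificate for the same name from any other issuer is rejected even when it chains to a trusted root. The following is an added example, not code from Stratfor or from this blog: a minimal DER walker that pulls the SPKI out of a certificate, computes the pin, and checks a presented chain against a pinned set. The two certificates are constructed inside the block (valid structure, made-up keys, no real signature); in practice you would feed it the leaf DER from ssl.SSLSocket.getpeercert(binary_form=True) or the certificates a browser shows you.

```python
import base64
import hashlib

# ---- minimal DER walker (enough for an X.509 certificate's outer structure) ----

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(seq_value):
    """Split the body of a SEQUENCE into its member TLVs as (tag, value, raw_tlv)."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, end = read_tlv(seq_value, pos)
        out.append((tag, value, seq_value[pos:end]))
        pos = end
    return out

def subject_public_key_info(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded certificate."""
    _, cert_body, _ = read_tlv(cert_der)    # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs_body, _ = read_tlv(cert_body)    # tbsCertificate ::= SEQUENCE { ... }
    fields = children(tbs_body)
    # tbsCertificate order: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    skip = 1 if fields[0][0] == 0xA0 else 0
    return fields[skip + 5][2]

def spki_pin(cert_der):
    """Public-key pin in the HPKP form: base64(SHA-256(SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(subject_public_key_info(cert_der)).digest()
    return base64.b64encode(digest).decode()

def chain_matches_pins(chain_der, pins):
    """Accept the connection only if some certificate in the presented chain carries a
    pinned key. A certificate for the same name issued by another CA fails here even
    when that CA sits in the browser's trust store."""
    return any(spki_pin(cert) in pins for cert in chain_der)

# ---- constructed demo certificates: valid DER structure, made-up keys, fake signature ----

def der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(subject_cn, pubkey_bytes):
    """Return (certificate DER, SPKI DER) for a demo certificate carrying the given key bytes."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    rsa_enc = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))

    def name(cn):                           # Name ::= SEQUENCE OF SET OF { CN = cn }
        return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))

    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"140101000000Z"))
    spki = der(0x30, rsa_enc + der(0x03, b"\x00" + pubkey_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name("Demo CA") + validity + name(subject_cn) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + b"\xaa" * 32)), spki

LEGIT_CERT, LEGIT_SPKI = fake_cert("shop.example", b"\x01" * 64)
ROGUE_CERT, _ = fake_cert("shop.example", b"\x02" * 64)    # same name, key from an interceptor
PINS = {spki_pin(LEGIT_CERT)}
```

    Pinning only helps if the pin set is distributed out of band (built into the client, not fetched over the same connection) and if the client actually fails closed on a mismatch; it does nothing against an operator who controls the server itself, which is the other half of the source's point.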

  • the 200-internet-cable interception Echelon spy network and P2P traffic

    Every few days we hear that P2P download traffic is more than half of web traffic, that cables and services are breaking down because of it, and so on.

    Well, the first really objective numbers are now available, because there has never been a filtering and interception operation on such a scale before (and it wouldn't even be legal to do it, except by extra-legal services under the umbrella of anti-terrorism).

    The processing centres apply a series of sophisticated computer programmes in order to filter the material through what is known as MVR – massive volume reduction. The first filter immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads, which reduces the volume by about 30%.
    http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa?CMP=twt_gu

    For administrators of big networks this also shows that you can reduce your traffic by at least 30% if you block this kind of traffic (which means no upgrades of proxies, firewalls, monitors, routers, antivirus, backup, ...). The 30% is GCHQ's figure for the backbone cables it taps; a network with a different traffic mix will see a different share, so measure before you count on it.

  • #belgoleaks first set sent

    passwords

    open servers

    lists of users

    open configuration settings

    The CERT and the Privacy Commission (not every time) have been informed.

    the first set is gone

    next week we will start publishing some of them

    others will be archived in the leaks or insecure belgium lists

    there are also fundamental questions that we have asked

  • follow the small #belgoleaks

    we will not send masses of mails to the cert and the privacycommission

    we will send a few mails in which several problems or findings are taken together

    but the small daily belgoleaks in which you will find

    * old published emails and logins from Belgians (for example on pastebin)

    * listings of email addresses that are published

    * information that is available in txt format while normally you should have to copy it one by one

    * interfaces that we shouldn't see

    * addresses and other information that people seem to have given themselves

    * websites that are hacked

    * non-strategic websites with no SSL protection, or with SSL that is badly configured

    * websites that do not fall under Belgian jurisdiction even if many Belgians use them

    * data leaks involving only a few Belgians

    and so on

    will be published here

    https://www.diigo.com/list/mailforlen/insecure-belgiumweb?order_by=0

    https://www.diigo.com/list/mailforlen/leaks?order_by=0

    We will not publish here

    * access to passwords

    * recently published pastebin and other publications of logins

    * non-strategic data leaks that may nevertheless have a commercial impact

    These will be published on Friday or Wednesday, when the CERT has had enough time to contact them so they can correct the situation or take the site down (for maintenance).

  • #belgoleaks privacycommission receives identity of biggest dataleak ever in Belgium

    Ransom hacker Rex Mundi had access to half a million records about Belgians in September 2012 (if you type Rex Mundi in the search form you will find all the information about that and other incidents).

    He wanted to publish the data on a Friday, but as we found that a bad idea, we were able to convince him to say who the victim was (so they could take immediate action before somebody else did something), to get in contact with the official handlers of the case and not to publish the information of the (innocent) victims.

    At that moment we were totally alone and we tried to do the right thing, but we weren't covered by any handler, by a contract as 'cyber volunteer' or by 'law'. We took an enormous risk in doing this, but the possibility of having information about thousands of Belgians on the web on a Friday was too big a risk (even if some said that would have been better to advance security, which may be right, but can you look all those innocent victims in the eye afterwards?).

    We never divulged the name of the victim on this blog nor to the press, even if they were very curious. We didn't want to start a panic, nor to bring it down.

    We have now informed the Privacy Commission of the name of the victim of the breach, so it can invite the victim to hear whether it has taken enough measures, has implemented enough procedures and now has enough resources to make sure that this doesn't happen again, and that if something does happen it may be able to respond better and to do what is in the new guidelines from the Privacy Commission.

    And don't ask: we promised not to divulge the name. We hope that on the other side they will be better than the NMBS and won't have the same problem again this year or next.

    OK, half a million records is not the same as the 1.4 million (although there were many duplicates in it) with the NMBS, but we know that a part of that data is really in the hands of probably Russian hackers, the victims were not informed, and we are not even sure that enough is being done to make sure this doesn't happen again (this is why we inform the Privacy Commission now).

    Because if you are hacked, you will be attacked again until you are hacked again.

  • #belgoleaks privacycommission receives new list of users (libraries for example) of RRN as login

    We have sent the Privacy Commission, in answer to their letter, a new list of services that use the RRN as a login.

    These are mainly public services of cities (like libraries and recreation services), sometimes delivered by service providers; for libraries, for example, they are based on WOPAC.

    The problem with the RRN is that if we want to keep that weak UID a bit safe, we have to limit its distribution on the internet and through unsecured systems.

    We haven't sent a list of all the services that ask for the RRN in a form without proper protection, because that list would be too long, and it would be more productive to publish security norms for anyone who wants to ask for the RRN for something (and in my book it is better to ask for such specific information behind a secured wall and not on the public part of a website; another advantage is that you can then send and back up this information in separate environments, protected by different security tools according to the degree of protection that is needed).

    We know that the ball is now rolling and we will be patient :)

    Maybe it would be a good idea to work with the organisations that group all the cities, so they could inform their members of the new standards and controls.

  • #belgoleaks if some belgian webservice asks for your RRN as a login, let us know

    In the last post we mentioned that the Privacy Commission has intervened in a few specific cases in which your RRN was used as the identifier for your logon to a website or web service.

    They have stopped this kind of practice, which means that it may not be used anymore.

    If you are confronted with this kind of practice, please contact us so that we can collect this information, verify it and forward it to the Privacy Commission so that further action can be taken (and eventually formalised and generalised).

    #belgoleaks is also your business, because it is there to prevent the leakage of your data.

  • #belgoleaks Privacycommission intervenes to stop use of RRN as single sign on

    #belgoleaks is now the single name for the different anti-leak and no-security operations (the old OPs) that were held before.

    One of these operations was #OPRRN, about the use of the RRN as unique identifier and single sign-on. The RRN is the unique identifier of each person, like the SSN in the US, but it is built from known data: the first six digits are the date of birth, the next three are a sequence number whose parity gives the sex, and the last two are a checksum over the first nine. For anyone whose date of birth and sex are known, only the sequence number is really unknown (and even that is a few hundred possibilities).

    The Privacy Commission is responsible for the rules on the use and security of the RRN by administrations and private firms. Even though there was a debate in which several people thought the number should be public, the majority thought that the risks of letting everybody use this number for everything were too great, because the number is too weak as an identifier (it is too easy to find) and also because the front and back offices much too often don't have enough security and encryption to safeguard it.

    But meanwhile organisations were using the RRN more and more, or asking for it in insecure forms (even without logon and without SSL).

    Some even went further and used the RRN as the sole identifier (libraries and sports clubs do this).

    Today I received an official answer from the Privacy Commission which says that in the specific cases I mentioned concrete actions were taken, but maybe it is time for the Privacy Commission itself to state clearly that you can NEVER use the RRN in a login, that the RRN cannot be asked for on a public form, that if an organisation wants to have the RRN this has to be done after authentication and in a secure environment, and that this data, like other identifiable and important data, has to be encrypted, and so on...
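    The two RRN posts above say the number is too easy to find. The arithmetic behind that, as an added example and not code from the Privacy Commission or from this blog: the number is YYMMDD, a three-digit sequence number (odd for men, even for women) and a two-digit checksum equal to 97 minus the first nine digits modulo 97, with a 2 prepended before the division for people born from 2000 on. So anyone who knows a birth date and sex can enumerate every valid number in under five hundred guesses, and a leaked number hands those two facts straight back. The sample numbers are made up (they just satisfy the checksum); bis numbers for foreigners and numbers with an unknown birth month or day are not handled.

```python
from datetime import date

def rrn_check(yymmdd_seq: int, born_2000_or_later: bool) -> int:
    """Checksum of a Belgian RRN: 97 minus (first nine digits mod 97).
    For people born in or after 2000 a leading 2 is prepended first."""
    n = yymmdd_seq + (2_000_000_000 if born_2000_or_later else 0)
    return 97 - (n % 97)

def make_rrn(birth: date, seq: int) -> str:
    """Assemble YYMMDD + 3-digit sequence number + 2-digit checksum (11 digits)."""
    body = int(birth.strftime("%y%m%d") + f"{seq:03d}")
    return f"{body:09d}{rrn_check(body, birth.year >= 2000):02d}"

def is_valid_rrn(rrn: str) -> bool:
    """Checksum validation as a web form would do it. The century is not encoded,
    so both the pre-2000 and the post-2000 variant are accepted."""
    digits = "".join(ch for ch in rrn if ch.isdigit())
    if len(digits) != 11:
        return False
    body, check = int(digits[:9]), int(digits[9:])
    return check in (rrn_check(body, False), rrn_check(body, True))

def candidate_rrns(birth: date, male: bool) -> list:
    """Every RRN a person with this birth date and sex could have:
    odd sequence numbers 001-997 for men, even 002-998 for women (499 each)."""
    first = 1 if male else 2
    return [make_rrn(birth, s) for s in range(first, 999, 2)]

def profile_from_rrn(rrn: str):
    """What a leaked RRN gives away: (birth date, sex). Which checksum variant
    matches tells you the century. Returns None if the checksum is wrong."""
    digits = "".join(ch for ch in rrn if ch.isdigit())
    if len(digits) != 11:
        return None
    body, check = int(digits[:9]), int(digits[9:])
    if check == rrn_check(body, True):
        century = 2000
    elif check == rrn_check(body, False):
        century = 1900
    else:
        return None
    yy, mm, dd, seq = int(digits[0:2]), int(digits[2:4]), int(digits[4:6]), int(digits[6:9])
    return date(century + yy, mm, dd), ("male" if seq % 2 else "female")
```

    This is why the RRN can serve as an identifier but never as a credential: a library that accepts it as the whole login is protected by at most 499 guesses per member, and a page that asks for it over plain HTTP publishes the member's birth date and sex to whoever is on the path.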

    For the dutch speaking people

  • #belgoleaks 1: the open internal admin systems of tesamen.org

    Above we could change the password.

    Here we can change the date of birth (we didn't).

    We could see and change anything we wanted.

    It is now only visible in the Google cache.

    And as the administrators say that there was and is no problem, we have proof in the Google cache of the 25th of March showing what we could do but didn't actually do.

    But if you have seen the links and the information, you know that there is much more to it and much more that could be found out.

    The CERT was informed last week but tried to discredit me with some journalist, who luckily knows that I am not playing around. More dangerous is that the CERT was saying that they didn't check the information I sent them, because otherwise they would be breaking the law, which implies that I am breaking the law, which I am not, because I change nothing, I log in to nothing and I only use Google to find the information.

    This means, Privacy Commission, that these are all public data leakages.

  • hacked and dumped http://www.europeanspermbank.com

    http://pastebin.com/2peZTrSx

    info@europeanspermbank.com      0b2699059648ed3bdfd61687e0a6fb8c
    d.eigenbrodt@arcor.de   9091d30ec0bb749382558d7066bafff4
    kerrogn@hotmail.com     ce0b40140c9b35e51dd5df2cf94a7bb9
    janne@europeanspermbank.com     c9bdcfc820a71413f7b2e9337379dbf8
    +49 302946494   c76fd392edf11a053d3cb385cf3f75a1
    rosellinis@yahoo.com    fabe6af2d5624e6a98c2ba363f49107c
    dedeunddani@arcor.de    865ab997c73e3595347880b591fa6ead
    abigail007@live.fr      f80c211bf2b7e7441c73c22f46d7f4cb
    lydia.klikovac@yahoo.fr         75ede9ac4137be7e537a40267d64205b
    heikos39@arcor.de       cd91b3acd65ffd61d794ffa156470e04
    berglindbaldurs@hotmail.com     f167b08778e525d231a693656abf2794
    lottebuc@hotmail.com    722f96d992476169f96a9d79ac1fc6dc
    roz.firth@hotmail.co.uk         d08a6a194942f0955f4227edcbc1cc99
    sis2008@web.de  0b58fe1eeaed86825b2b520944a25f40
    Feli.Schurian@gmx.de    efd3bdd023e0238b7f7a58e00781fcce
    s.sjong@online.no       48e0790e206efbaa2c0be02067f770ed
    anj_cowan22@hotmail.com         f20bd6531bb5975c29f700de4af7fa26

    In Flemish we would call this 'een druiper' (a 'dripper', slang for the clap).

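    The second column of the dump above is unsalted MD5. That is the worst case for the victims: one MD5 of each candidate word can be compared against every account at once, and two users with the same password show the same hash. As an added example, not code from this blog or from whoever posted the dump, the block below runs a small dictionary attack over a constructed dump in the same email-and-hash layout (made-up addresses, hashes computed in the block), then shows the storage that defeats this attack: a random per-user salt and a slow key derivation, compared in constant time.

```python
import hashlib
import hmac
import os

# Constructed sample dump in the "email<tab>md5hex" layout of the pastebin.
# Addresses and passwords are made up; the hashes are computed right here.
SAMPLE_DUMP = "\n".join(
    f"{email}\t{hashlib.md5(pw.encode()).hexdigest()}"
    for email, pw in [
        ("alice@example.test", "password"),
        ("bob@example.test", "123456"),
        ("carol@example.test", "password"),    # same password as alice -> identical hash
        ("dave@example.test", "Tr0ub4dor&3"),  # not in the wordlist, survives this attack
    ]
)

WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome"]

def parse_dump(text):
    """Group accounts by hash: with unsalted MD5, equal passwords give equal hashes,
    so password reuse between users is visible before anything is cracked."""
    by_hash = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        email, digest = parts
        by_hash.setdefault(digest.lower(), []).append(email)
    return by_hash

def crack_md5(by_hash, wordlist):
    """Dictionary attack: one MD5 per candidate word, looked up against every account at once."""
    cracked = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for email in by_hash.get(digest, []):
            cracked[email] = word
    return cracked

def hash_password(password, iterations=200_000):
    """Hardened storage: random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256).
    Each guess now costs `iterations` HMACs and must be repeated per user, and equal
    passwords no longer produce equal records. Raise the iteration count in production."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and parameters; constant-time comparison."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

    Run against a real dump the wordlist would be a few million entries rather than five, which is exactly why the cost per guess, not the secrecy of the algorithm, is what protects a leaked table.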
  • belgian public leak 3 http://www.hardwareshop.eu hacked and dumped

    http://pastebin.com/4DxypkGm
     
    http://www.hardwareshop.eu/nl/zoek.php?id="><script>alert("ESCOBAR.BLACKER")</script>
    Host IP: 188.93.83.2

    There are MD5 password hashes for the logins.

    And these are some of the members whose accounts are compromised (the email addresses have been altered).

    Address         City    Zipcode         Email
    Brugstraat 93   Aalter  9880    kurt.v@t
    Wiedauwkaai 6   GENT    9000    dirk.dekeys dv-cons
    Frans Van Ryhovelaan 325/327    Gent    9000    jurgen
    ST.-Elooistraat 81      Merelbeke       9820    info@g
    Herlegemstraat 89       St. Amandsberg  9040    alain.m
    St Elooistraat 81       Merelbeke       9820    info
    Begijnhoflaan 452       Gent    9000    els.bracke
    Zandstappenstraat 63    Schoten         2900    emanue
    Ruiseleedsestraat 3b    Aalter  9880    peter.van
    President Kennedypark 30        Kortrijk        8500    Tree
    Victor Oudart Street, No7       Brussels        1030    s
    Knokstraat 19   RUISELEDE       8755    nico.dep
    Vossekotstraat 46       MEULEBEKE       B -8760         annic
    Kortrijksestraat 398    WAARDAMME       B -8020         koee
    Hille 18B       ZWEVEZELE       B -8750         filiptech.be
    Hoge Wei 1      ZAVENTEM        B -1930         dirk.van.hooyd
    Leopoldlaan 202-204     MIDDELKERKE     B -8430         tania
    Frans Van Ryhovelaan 325        Gent    9000    norepl
    Sint-Godelievedreef 20 - 1ste verdieping        Brugge  8310    coordin
    Schoolstraat 54         ZWEVEZELE       B -8750         stockpla
    Bedelfstraat 11         WINGENE         B -8750         info@van
    Industrielaan 4         MALDEGEM        B -9990         info@alu
    Rijselseweg 162         Voormezele      8902    servic
    Marialoopsesteenweg 2H  TIELT   B -8700         diet
    Beernemsesteenweg 61    WINGENE         B -8750         kri
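
    The zoek.php line above is a reflected cross-site scripting proof of concept: the id parameter is echoed into the page unencoded, so a value that starts with "> closes the attribute and the tag, and what follows is parsed as a new script element. As an added example (Python, not the shop's PHP and not code from this blog), here is the vulnerable pattern next to the fix, with a small HTML-parser check that shows which elements each version actually produces; the payload is the one from the pastebin.

```python
import html
from html.parser import HTMLParser

PAYLOAD = '"><script>alert("ESCOBAR.BLACKER")</script>'   # the string from the pastebin PoC

def render_search_vulnerable(query):
    """Echoes the search term into an attribute without encoding: the pattern that lets
    the PoC close the attribute and the tag and inject a <script> element."""
    return f'<input type="text" name="id" value="{query}">'

def render_search_hardened(query):
    """Same template, but html.escape(quote=True) encodes & < > " and ' so the
    value stays inside the attribute whatever it contains."""
    return f'<input type="text" name="id" value="{html.escape(query, quote=True)}">'

class _Tags(HTMLParser):
    """Collects the start tags a browser-like parser sees."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)

def element_names(markup):
    """Which elements the rendered markup actually contains, as a parser sees it."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.names
```

    Attribute-context encoding is the fix for this particular sink; a value written into a script block or an event handler needs JavaScript-string encoding instead, and a URL attribute additionally needs a scheme check, so the rule is to encode for the context the value lands in, not just to "escape HTML".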
  • read facebook profiles and postings without logging in thanks to Google cache

    Step 1: search in Google for, for example, site:facebook.com hotmail.be (or any other email domain)

    TD Objektiv | Facebook
    www.facebook.com/TDobjektiv
    3 dagen geleden - Email or Phone, Password. Keep me logged in. Forgot your password? .... tdobjektiv@hotmail.be. Photo: Model: Iris Geuens Locatie: Fotostudio MUA: TD ...

    Then you click to see a preview of the page, and you will see this appear next to it:

    TD Objektiv | Facebook

    www.facebook.com/TDobjektiv - In cache

    Then you click on 'In cache'

    and you see this:

    Then you scroll down and you see the rest of the postings.

    Maybe they have set this to public and this is their way of getting publicity, but maybe not everybody knows that their Facebook postings are set to OPEN for Google and the rest of the world.

    But you can add whatever search terms you like to find specific public profiles, postings, friends or links without logging in to anything and without leaving any trail, because the Google cache is your proxy (and if you use a proxy yourself, they can't even do anything with the Google logs).

  • (sponsored) Privacy Commission publishes new recommendations

    Following a substantial number of "high-profile" data leaks, which were also extensively reported on this site, the Privacy Commission has published a new set of recommendations on information security for everyone who processes data and works with computer files in doing so.

    In the accompanying article on the Privacy Commission's site, it stresses that concrete security measures must be assessed and implemented specifically for each organisation, in a so-called information security policy. There is, however, a common basis that applies to every organisation that processes personal data and that the Privacy Commission wants to emphasise once more with this new recommendation: the privacy law, more specifically the articles that deal with information security and the responsibilities that come with it.

    The recommendation builds on the existing reference measures and guidelines as well as the ISO 27002 standard, and gives clear starting points for setting up an effective information security management system and information security policy.

    Whereas the Privacy Commission has so far had a purely advisory role in the protection of privacy, more and more voices are calling for it to be given a less non-committal role, following the example of the ICO (Information Commissioner's Office, the British Data Protection Authority (DPA)), which regularly makes the news with fines for hospitals, police services and municipalities as a result of personal data leaks.

    A more forceful Privacy Commission may moreover become reality sooner than expected: the upcoming European regulation on the protection of personal data is steadily grinding through the European legislative mill towards an expected ratification before the European elections in June 2014. One of the aspects this regulation confirms is the ability of DPAs to impose fines.

    Overview of the publications by the Privacy Commission on information security:


    http://www.dp-institute.eu/privacycommissie-publiceert-nieuwe-aanbevelingen-rond-informatiebeveiliging/

  • public belgian leak 1 ? Hacked & Leaked Data jcpapillon.be By GrenXPaRTa

    http://pastebin.com/u0RWmuVE  17th of march

    When we go to the site it still says "Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group" (six years old, that is).

    But the number of users mentioned on the site is "Totaal aantal berichten 255 • Totaal aantal onderwerpen 108 • Totaal aantal leden 40 • Ons nieuwste lid is Lien" (255 posts, 108 topics, 40 members, newest member Lien),

    while the hacker says he has 1286 logins (and there are several 'Lien' in that list).

    Either the site kept an archive of all the old members and in 13 years had 1286 logins in total,

    or there is dummy data and data from elsewhere mixed in, because the hacker knows that other hackers will test all the logins in the list no matter where they come from (some are also duplicates).

    So maybe the Privacy Commission should ask them to investigate this and confirm it or not.

  • your cookies will not die if you don't delete them yourself

    It means that the cookie/session ID for an authenticated session is available even after the session has been terminated. There are examples where cookies can be accessible to hijack authenticated sessions. And these cookies are days (sometimes months) old. As a result, someone can successfully access accounts that belong to individuals from different global locations. Even if they would have logged in/logged out many a time, their cookie would still be valid.

     

    Though the cookie expiry date is mentioned still the cookies are valid post log-out. Why do the websites keep the cookie active even if the user has "logged out" and closed the session? Worse, when the same has been done a hundred times! Why do they keep ‘all the sessions maintained’ even when the log-out page has been accessed? I can’t think of a valid justification, and thus it makes a vulnerability. Now, let us go through some famous websites that are vulnerable –
    https://www.wtfuzz.com/blogs/old-cookies-die-hard/

    So you will have to delete your cookies yourself daily if you don't want to run the risk that some virus or online script scrapes your cookies and uses them for real logins to your real accounts.
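    The cookies the quoted post complains about keep working after logout because the site treats the cookie itself as proof of login and keeps no server-side record it could revoke, or never deletes that record. As an added example, not code from wtfuzz or from this blog, the following contrasts the two designs: a self-contained signed cookie that outlives logout, and a server-side session table whose entry is deleted on logout, so a copied cookie is worthless afterwards. The key, user name and lifetimes are made-up demo values.

```python
import hashlib
import hmac
import secrets
import time

KEY = b"constructed-demo-signing-key"   # in practice loaded from a secrets store

class SignedCookieSessions:
    """The weak pattern: the cookie is the session (user + expiry, HMAC-signed).
    Nothing is kept on the server, so logout changes nothing and a copy of the
    cookie keeps authenticating until its expiry date, weeks later."""

    def login(self, user, ttl=30 * 86400):
        exp = int(time.time()) + ttl
        payload = f"{user}|{exp}"
        sig = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{sig}"

    def logout(self, cookie):
        pass   # a stateless design can only ask the browser to drop the cookie

    def user_for(self, cookie):
        try:
            user, exp, sig = cookie.rsplit("|", 2)
        except ValueError:
            return None
        expected = hmac.new(KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected) or int(exp) < time.time():
            return None
        return user

class ServerSideSessions:
    """The fix: the cookie is only a random handle, the session state lives on the
    server and logout deletes it, so a stolen cookie is dead the moment the victim logs out."""

    def __init__(self):
        self._store = {}   # session id -> (user, expiry)

    def login(self, user, ttl=30 * 86400):
        sid = secrets.token_urlsafe(32)
        self._store[sid] = (user, time.time() + ttl)
        return sid

    def logout(self, cookie):
        self._store.pop(cookie, None)

    def user_for(self, cookie):
        entry = self._store.get(cookie)
        if entry is None or entry[1] < time.time():
            self._store.pop(cookie, None)
            return None
        return entry[0]

def replay_after_logout(sessions):
    """The scenario from the post: the cookie is copied, the victim logs out, the copy is
    replayed. Returns the user the replayed cookie still authenticates as, or None."""
    cookie = sessions.login("victim@example.test")
    stolen = cookie                     # taken from disk, a backup or a shared browser profile
    sessions.logout(cookie)
    return sessions.user_for(stolen)
```

    The server-side table also gives you what the stateless design cannot: a list of a user's live sessions, a "log out everywhere" button, and the ability to kill sessions when a password is changed. Deleting cookies on the client, as the post advises, only helps against copies that have not yet been taken.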

  • dns.be wins a battle, but nothing more than that

    As the champagne flows in the offices of dns.be now that it has become clear that the proposals of minister Vande Lanotte have been effectively blocked by their partners in the government, the reformers have not retreated or given up; they will simply wait for the first big incidents and point to this short-sighted, conservative, defensive attack on their proposals as the reason those incidents could happen.

    Which incidents are we talking about?

    * cybersquatting: anyone in the world can buy any domain name under .be without any verification (except, once in a while, of the email address, which may be a generic one and not necessarily one linked to the ISP or to a firm). Some porn or malware distributor can buy the name of any business that has gone broke or has forgotten to pay for its domain names in time.

    * botnet hosting: botnets need real domains that pass enough filters to keep collecting information from the infected hosts, update their malware and give them new instructions. One way to do that is to have websites under the domain extension of a low-risk country (like Belgium) or under trusted domains like .edu. Even if dns.be says it is monitoring the number of .be domains in the listings of security services, that monitoring is far from complete.

    * spam hosting: what is important for botnets is also important for spammers, who also need 'trusted' domain extensions to host the spam for their fake products, pharmacies and so on. These are clearly illegal services, but dns.be doesn't clearly apply the local Belgian laws (for example when selling domains for pharmacies or gambling services), which gives these crooks a window of opportunity.

    Which problems are we talking about?

    * identity trust: it is important that visitors to a website can be sure that the website is owned and operated by a known firm, organisation or person, and that they are authorised to operate such a website under such a name. With web services it would be easy to put some filters and controls in place already, without going back to the days of declarations and other paperwork that dns.be likes to refer to (playing foul with the facts, in fact).

    * real price: the goal should not be to sell more and more domains at ever lower prices (for the resellers) but to have a high-quality domain zone with trusted domains that are monitored and defended by tools and security installations. Dns.be's own statistics show that the price of its domains (for the resellers, that is) is far too low, which means that the possible and necessary investments in resources and equipment are not easily made available.

    * no community input or oversight: dns.be is in the hands of a small group of organisations like BELTUG (the fathers of the .be domain, in fact) and of the resellers, who are its main area of interest. I don't think they discuss much about the societal and economic impact of their choices. I don't think they have a naysayer who looks at an issue from every possible angle, even if it doesn't please the stakeholders. There is no real internet-community, political or other oversight of dns.be and the choices it is making.

    And why is this so important?

    Your domain name is your digital identity, and your digital identity should only be available to you. Just as nobody can take my real name, nobody should be able to take my digital name, and the same goes for a school, a firm, a business, a trademark. Full stop.

    Because if this is not the case, it ends in blackmail and extortion. If you don't buy your name under an ever increasing number of domain extensions, you run the risk that anybody can buy your name and do whatever he wants with it (up to presenting himself as if he were you, which is what the visitors to his site will suppose to be the case).

    This has nothing to do with nationalisation or the other laughable, cheap ideological tricks that were played during this debate. It has everything to do with the premise that your digital identity online is available only to you, because you are the only one who can be you, in real life and in the digital world.