02/04/2013

'Le barreau de Bruxelles' if you are a lawyer you will now have to pull your info

as a lawyer you can now know that the site has been hacked

the administrator in fact has to contact you and inform you that the site was compromised and, normally, that some services have meanwhile been closed down

but this isn't the case

as a good housefather, to protect the confidentiality of your clients, you will now have to withdraw all mails, client info and other info that could do damage to people if it were leaked on the web after a real hack

you will also have to inform the site owners that you want the site to close down any part that is interactive and bring all more confidential information offline to keep it secure until the migration to a new, updated and patched server has been done, and that they are responsible if anything happens to your data if they don't do that - even if you try to pull all your data out of there

secure your data by securing your clients

the internet is no kids game and security is not for fools

and if you use other online tools and services and run online sites yourself - be sure about your security, because there is a real storm of attacks going on over the whole internet (not only .be sites)


'Le barreau de Bruxelles': stupid limited actions that are not enough

what do you think

that when you change the webpage with the defacement that all your troubles are gone

can't you read the rest

if you are hacked, you have to go into close-down: you close down the services that are vulnerable

and you look for a more secure solution

you are not doing the things that you should be doing as a good housefather and as can reasonably be expected

you are not secure on IIS 6 and you will never be secure on IIS 6 (you should be on IIS 7.5 by now, and hardened)

you are not secure when you don't use SSL to log on

you are not secure when you explain how to enter the extranet

and your administrator page is also a joke

this will be a good case for some of the lawyers who use your service to work on

this is so stupid stupid stupid and irresponsible

be ready to be hacked soon, again and again and again, until somebody angry at some lawyer decides to really hack into it and release all the files on it - even behind your stupid logins

don't say you didn't know - this can happen; count yourself lucky if it hasn't yet, but you are gambling on it


the new spam programmes or unwanted programmes: foistware

Foistware is a term used for software that’s “foisted” on you, typically without your knowledge or explicit consent. Foistware isn’t technically malware, but it can range from marginally useful, to annoying, to malicious. Most often, foistware takes the form of browser toolbars, but it can also take over your browser homepage and preferred search engines. Some foistware pops up when you visit online shopping sites, and tries to steer you to certain vendors or offers.


Foistware almost always tags along when you download a program that you do want. Through various deceptive practices, the download process may try to add extra, unwanted software to your installation package. Usually it takes the form of a checkbox that’s already selected, and if you just click NEXT or CONTINUE without reading carefully, you’ll end up with this extra software clutter.
http://techtalk.pcpitstop.com/2013/01/29/foistware-warnin...


02/03/2013

two insecure Belgian e-health services hacked (with logons without encryption)

this hacked e-health service has an extranet for e-health providers with no https

  • Mirror saved on: 2013-02-02 18:42:49
  • Notified by: Sejeal
  • Domain: http://www.welzijnszorgkempen.be/sejeal.jpg
  • IP address: 193.202.110.174
  • System: Linux
  • Web server: Apache

http://www.zone-h.org/mirror/id/19214822

and here is another e-health online service with a login and no https

  • Mirror saved on: 2013-02-02 17:27:04

http://www.zone-h.org/mirror/id/19212723


02/02/2013

oprrn: more insecure Belgian e-health services with only the rijksregisternummer

http://www.digitalewachtkamer.be/%28S%28ul41ri453gyxuo55pi3ytp55%29%29/Users/newaccount2.aspx?D_ID=467


oprrn = insecure e-health: get any medical file if you know the rijksregisternummer and some public info

http://opleiding.e-zorgplan.be/login/Directlogin.aspx?ReturnUrl=%2f


02/01/2013

no more blablabla, do something - belsec in action mode

we will not hold back anymore, waiting for this and that and just telling it to the CERT and hoping that somebody will do something about it

we will only hold back when we see that people are in danger and when we know that the service managers have done something before and are willing to do something fast

we will never access systems or log in

we will never steal files or change settings

we will never NEVER access systems with specialised PC software - Google is our friend, as are online services that anybody can use (security managers of big systems or networks can send me their contact details so I can warn them if there is something that may concern them - but on one condition and that condition only - never ask for sources and never put me under investigation, as I do nothing more than googling and watching the net)

we will not wait for the NEXT big ones (oh, there was already a big one?)

tips are always welcome - but respect the ground rules (do not log in, do not abuse the information and do not publish it before contacting me). The publication of the NMBS file online was done with good intentions but was quite badly executed and was a new data leak in itself.

Let's make these interesting times (to make it less interesting for real hackers and criminals)


OPRRN: close down the RRN login at solidariteit.be please

this is the most stupid thing I have ever seen and I still can't believe nobody has ever said to those organisations that this is the most stupid thing that they could ever do, but even then they do it (and where is their security officer, doesn't he know that it is insecure and that this is NOT a way to do such things)

will somebody wake up around here - this is asking for data leakage - there were RRNs leaked on the web before (Rex Mundi leaked some) and some others were or are published or sit in insecure databases online (in a more complex operation you would first have to hack these databases to get the numbers and make sure that there are numbers in it that you can use in another database)

stupid stupid stupid

close it down and get back with a real solution before it is too late and don't shoot the pianist

you are handling the most important files of your organisation, those of your workers, for which you are legally the most responsible, in a totally insecure way

http://personeel.solidariteit.be/ (no https, only the RRN needed to log on)

but then what is this: https://esol.solidariteit.be/secure/logon.aspx with password and certificate

you can do it differently


portal for EID authentication at vlaanderen.be uses insecure SSL


the reason is that they listen too much to marketing and not enough to security people, but the question is: how can you market a program as secure if it isn't set up as a secure service? People never like security when they first see it, until they use it and become used to it, and then they begin to feel safe because of it and afterwards never want to go back to the old insecure situation again

this is the report (time to get the specialists in, I would say)

this means that it isn't that hard

* to bring the service down

* to intercept the data (from the EID and within the PC) if the PC is infected (a banking, password or data-stealing trojan, the most popular viruses nowadays)

Secure Renegotiation: Not supported (ACTION NEEDED)
Insecure Renegotiation: Supported (INSECURE)
BEAST attack: Vulnerable (INSECURE)

with this grade they wouldn't be accepted in the US as compliant for e-gov services

Server signature: Apache
Server hostname: authentication.vlaanderen.be
PCI compliant: No
FIPS-ready: No


European Commission puts ACTA ratification on ice (we can win sometimes)


On Wednesday, the European Commission suspended efforts to ratify the new international anti-counterfeiting agreement known as ACTA. Critics claim ACTA is a draconian measure that would effectively end freedom of the Internet, and fundamentally change the Internet as we know it.
The commission’s choice to suspend efforts to ratify ACTA is seen by many as a direct result of a relentless campaign directed by Anonymous hacktivists both in the streets of Europe and on the Internet.
http://www.examiner.com/article/anonymous-victory-eu-susp...

this doesn't mean that the battle is over

it can come by another name or in another agreement or something like that


the rijksregisternummer as Unique Identifier - in some municipalities they go very far with this

this is a complaint mail from person x about city y, but this is the case at more and more services

"I am a resident of the city and regularly use this city's digital counter (digitaal loket):


I use the registration form for childcare several times a month: registering, cancelling, both for before- and after-school care and for the holiday programme. For this I use my children's rijksregisternummer. And this is where the shoe pinches for me; the number alone is enough to carry out these actions. So any person who knows my children's rr-number can perform this action. I find this very unsafe; my personal data (or that of my children) is insufficiently protected. An additional safeguard, preferably a token or eID as far as I am concerned, is necessary.


Access to the library also happens in this unsafe way. An rr-number is enough to see which books I read (which is nobody's business), to reserve books in my place, to extend the loan period, ... Here too I find an additional safeguard necessary."

if the shoe fits, wear it

it is not because the rijksregisternummer is on your EID that it is PUBLIC data that can simply be used as the ONLY IDENTIFICATION (sometimes even without the EID)

it is time the privacy commission publicly reconsiders this, because the number of forms with rijksregisternummers without the necessary protection and the use of the rijksregisternummer as a login (e.g. at the army) are slowly but surely giving it the same status as the social security number in the US, where they now have so many problems with it that they want to introduce an EID.

a number is just a number and nothing more than a number, and proves nothing other than that you know the number (because it is yours, because you found the number or because you were able to guess the number, since it is NOT A GOOD NUMBER as the only identifier: there are too few unknowns in it)

and if you use the EID, have it done and checked by specialists and not by people who found something somewhere on the net; enough insecure EID solutions have already been installed



01/31/2013

the difference between open data and data leakage in Ghent

open data is data that is open for everybody, and where all the people who are mentioned in that open data know about and agree (or have to agree) to the specific data that is being made available

data leakage is when data is made public without that permission, or when you release as one file data that may be public item by item but that is dangerous if used for other purposes like spamming, ID theft or harassment

an example is

http://data.appsforghent.be/kotatgent/data.xml

so yes, tell me: do you have the permission of each of them to put it all in one file available to everyone, or only the permission to show their individual data individually

this also means that if you make such data available you shouldn't just drop it on the internet as if it were some garbage, but protect it and be sure that you know who will use it for what purpose (especially if there are personal GSM numbers and email addresses in it)

think before you run and you will go far ....


more about cma.be, the defaced online medical data service

you can get your medical results here

https://online.cma.be (but that is also running IIS 6)

and what is the use of installing SSL encryption if you do it the wrong way?

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.cma.be%2Fonline%2FDefault.aspx

so whatever they say here, there is no security, blablabla

Security of your Personal Information
Centrum voor Medische Analyse secures your personal information from unauthorized access, use or disclosure. Centrum voor Medische Analyse secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. When personal information (such as a credit card number) is transmitted to other Web sites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.
http://www.cma.be/Home/tabid/36/ctl/Privacy/Default.aspx

and it does not conform to the latest technologies, as stated here

After a complete facelift and a complete recoding of the software, the new website for the online results is available! The website fully conforms to the latest developments in software and was built on the .net framework 3.5, Microsoft Visual Studio 2008, XML and CSS technology
http://www.cma.be/Arts/iLabOnlineHelp/tabid/268/Default.a...

because, just as this documentation shows, their website dates from 2008

see this documentation: http://www.cma.be/Portals/0/downloads/online.pdf

and Microsoft Visual Studio is already at version 2012 and IIS at 7.5 (so not the LATEST)

if this is e-health, then we can expect some things, and we shouldn't be surprised to have found Excel tables from a blood bank online


another defacement in jobsindehandel.be (forem-vdab) and what forem does a little better

this is one


but the French-speaking Forem does something right that the VDAB does totally wrong: when you click on French and then on information or to insert information, you go to the site of Forem.be; you don't stay on this site with its shitty security

but this doesn't mean that the Forem encrypts its information (or your information)

http://www.leforem.be/particuliers/chercher/CV/creer-un-CV-simplifie.html

but it is at least under its own domain, making an XSS attack or injection more difficult


see belsec blog through Google without going to belsec blog or bypass filters

https://www.google.be/search?q=site%3Abelsec.skynetblogs.be&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#q=site:belsec.skynetblogs.be&hl=nl&newwindow=1&safe=off&client=firefox-a&hs=qGI&tbo=d&rls=org.mozilla:en-US:official&source=lnt&tbs=qdr:w&sa=X&psj=1&ei=LZAKUcD3EOaR0QXl-IGgDA&ved=0CB0QpwUoAw&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&bvm=bv.41642243,d.d2k&fp=b204c6e8007e1374&biw=1235&bih=791   (should give all the articles of the last week)

https://www.google.be/search?q=site%3Abelsec.skynetblogs.be&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#q=site:belsec.skynetblogs.be&hl=nl&newwindow=1&safe=off&client=firefox-a&hs=Gwc&tbo=d&rls=org.mozilla:en-US:official&source=lnt&tbs=qdr:d&sa=X&psj=1&ei=NJAKUZO9JOOm0AWuzYGIAw&ved=0CBwQpwUoAg&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&bvm=bv.41642243,d.d2k&fp=b204c6e8007e1374&biw=1235&bih=791 (should give all the articles of the last day)

then you take the most recent one and you read it in the cache

and you look at the date of the last posting

then you go back to your Google results and you get a posting for the day before that, and so on

this way you leave less traces - if that is your goal

or: it seems that I am blocked in some enterprises and administrations - but with Google cache you can sometimes bypass them (translate is sometimes another way to do that)

this is easier if you have a Google account


another Belgian online credit company defaced and insecure

this is the hack - sending out the warning to everybody that they are vulnerable

this is them

and they also have an insecure web form in which personal and financial data is sent in CLEARTEXT

and they are running NO HTTPS and still on ...... yeah, not IIS 7.5 but

Server: Microsoft-IIS/7.0
Set-Cookie: .ASPXANONYMOUS=BVI6kFo2zgEkAAAAMjAwYjMxMmQtYjY1OS00MGUyLTgwNjctYzI5MGU5ODBjYjgy0; expires=Thu, 11-Apr-2013 02:16:23 GMT; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
http://www.web-sniffer.net (better, but not perfect enough to secure a website with that kind of data)


Yahoo spam filter too stupid to stop phishing for Yahoo logins

first, never use those messages

hover with your cursor over the link and you will see that it is not the yahoo.com domain, so it is false

but what is most astonishing

is that Yahoo's spam filters are normally very good

and because they are so good, people begin to think that 'Yahoo' messages that arrive in their inbox are real messages from Yahoo: they see so little spam (and so much in their spam box) that they think that, as it has passed the very good anti-spam filters, it must be real

yes, really, that is the biggest danger of nearly perfect spam filters - that people think that the 1% that gets through is genuine

what should Yahoo do?

first, you should educate people with a banner or warning above the mailbox stating that Yahoo or any other service will never ask for your logins by email or ask you to change them by email

secondly, you could make a service warning - together with other big operators - in a banner or service page in which you could place warnings (not about an email, but telling people that they have to log in again to, for example, this website to change their credentials)

third, you could make a special button in the mail client with which you could send all emails asking for your Yahoo logins to the mailbox of a 24H team that will immediately put them into the filters for future ones (and start the procedure to get the phishing page taken offline)

fourth, you should augment your spam filters to catch everything that looks like a Yahoo service or login message, or in which the link in the message doesn't belong to the yahoo domain (even if the link is plain text)

fifth, you should make the spam filters refilter the last 100 messages or so, to empty the box of spam that has only been identified as such afterwards

sixth, never trust emails instantly; take your time, nobody is going to kill you if you have waited a day to see it disappear into the spam box
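The fourth point above, as an added example that is not Yahoo's code and not from the original post: a filter that treats a mail as suspicious when it reads like a Yahoo account or login message and any link in it, bare text links included, resolves to a domain other than yahoo.com. The keyword list, the two-label domain reduction and the two sample mails are constructed assumptions.

```python
"""Flag mails that pose as Yahoo account or login messages but link elsewhere.
Added example, not Yahoo's code; the mails and keyword list are constructed."""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "yahoo.com"  # assumption: the only legitimate link target
# Wording that makes a mail look like an account or service message (assumption).
ACCOUNT_KEYWORDS = ("account", "verify", "password", "login", "sign in", "suspended")
# Finds http(s) URLs and bare www. hostnames, whether in an href or in plain text.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s"'<>]+""", re.IGNORECASE)

# Two constructed messages: one lookalike phish, one genuine-looking notice.
PHISH = ("Yahoo! account verification",
         "Please verify your account at http://yahoo.com.account-check.ru/login today.")
GENUINE = ("Your Yahoo password expires",
           "Sign in at https://login.yahoo.com/ to keep it.")


def registrable_domain(url: str) -> str:
    """Reduce a URL to its last two host labels (assumption: no public-suffix
    list, so co.uk-style domains are not handled). urlsplit().hostname drops
    userinfo, so 'http://yahoo.com@evil.example/' yields 'evil.example'."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_yahoo_phish(subject: str, body: str):
    """Return (flagged, foreign_links). A mail is flagged when it reads like a
    Yahoo account/login message and carries any link outside yahoo.com."""
    text = subject + "\n" + body
    lowered = text.lower()
    looks_like_yahoo_notice = "yahoo" in lowered and any(k in lowered for k in ACCOUNT_KEYWORDS)
    if not looks_like_yahoo_notice:
        return False, []
    foreign = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,);")  # drop sentence punctuation glued to the link
        if registrable_domain(url) != TRUSTED_DOMAIN:
            foreign.append(url)
    return bool(foreign), foreign


if __name__ == "__main__":
    for subject, body in (PHISH, GENUINE):
        print(subject, "->", is_yahoo_phish(subject, body))
```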


hacked medical lab website asks Belgians for a lot of medical information (close it down)

so when a website is defaced it doesn't necessarily mean that it has been penetrated and fully hacked; it means that automated vulnerability scanners have found a way to inject content, but this doesn't necessarily mean they have rooted the server and have access to the database

but it does mean that there are a few problems with the server and, if the defacement is old enough, that nobody is watching over the security of the server; so it indicates that those servers are like houses without strong front doors, or with windows open on the ground floor when everybody leaves for holiday (which doesn't mean that they will find the jewels)

but that on the same server there is an UNENCRYPTED LOGIN and an UNENCRYPTED FORM that asks for all that information in CLEARTEXT is just enormous

imagine all that information being in a database and that database being leaked on the internet

but that information may be hackable because it is running a very old server version, which we (like Microsoft itself) are campaigning against as totally undefendable (meteokust.be uses it too)

oh and this is the hack

and Google cache says this dates from "Dit is een momentopname van hoe de pagina eruitzag op 31 dec 2012 19:01:20 GMT" (this is a snapshot of how the page looked on 31 Dec 2012 19:01:20 GMT), exactly one month old

and what's more, there is a second page they also didn't see

http://www.cma.be/Portals/0/ulow.txt

this is the reason why

Connection: close
Date: Thu, 31 Jan 2013 14:52:32 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
http://www.web-sniffer.net
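The two header dumps on this page (the credit company above and cma.be here) call for the same checks, so here is one added example, not the blog's own code and not web-sniffer's, that runs them: parse a raw response-header block and flag the legacy IIS banner, the version-disclosure headers, missing cookie flags and the absence of HTTPS. The header samples are reconstructed from the posts with the cookie value replaced by a placeholder; which banners count as outdated is an assumption taken from the posts.

```python
"""Audit raw HTTP response headers for the problems the posts point at.
Added example, not code from the blog or from web-sniffer.net."""
from typing import List, Tuple

# Banners treated as outdated (assumption, following the posts: IIS 6.0 and 7.0
# should have been replaced by a hardened IIS 7.5 by 2013).
LEGACY_SERVERS = {"Microsoft-IIS/6.0", "Microsoft-IIS/7.0"}
# Headers that disclose the software stack to anyone who asks.
INFO_LEAK_HEADERS = {"x-powered-by", "x-aspnet-version", "microsoftofficewebserver"}

# Constructed from the dumps quoted in the posts (one header per line).
CMA_HEADERS = """\
Connection: close
Date: Thu, 31 Jan 2013 14:52:32 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
"""
CREDIT_HEADERS = """\
Server: Microsoft-IIS/7.0
Set-Cookie: .ASPXANONYMOUS=PLACEHOLDER; expires=Thu, 11-Apr-2013 02:16:23 GMT; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split 'Name: value' lines into (lowercased name, value) pairs.
    A list is returned because names such as Set-Cookie may repeat."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw: str, served_over_https: bool) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name == "server" and value in LEGACY_SERVERS:
            findings.append(f"outdated server banner: {value}")
        if name in INFO_LEAK_HEADERS:
            findings.append(f"version disclosure: {name}: {value}")
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            # attributes follow the first ';' (expires, path, HttpOnly, Secure, ...)
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} lacks HttpOnly")
            if served_over_https and "secure" not in attrs:
                findings.append(f"cookie {cookie_name} lacks Secure")
    if not served_over_https:
        findings.append("page served over plain HTTP: logins and form data travel in cleartext")
    elif not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("HTTPS without Strict-Transport-Security")
    return findings


if __name__ == "__main__":
    for label, raw in (("cma.be", CMA_HEADERS), ("credit company", CREDIT_HEADERS)):
        print(label)
        for finding in audit_headers(raw, served_over_https=False):
            print("  -", finding)
```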

CLOSE THIS DOWN AND UPGRADE


http://mega-search.me, the search engine for copyrighted files on mega - for pirates, for cops and for mega itself

in fact, if you look at the site and go through the files, you will see that most of the files are gone before the day is over

which means that

either mega is indexing the files that appear on this search engine and is automatically checking whether there is a high probability that they are copyrighted (for example, a file with the name of a film uploaded to a folder that is not owned by the producer of the film is 99% certain to be copyrighted)

or mega already has its own search engine in place (like scribd.com has for books, for example) and eliminates these files automatically

or the copyright cops are watching this search engine or other indexes and are sending complaints through a more or less automated process that is being followed up more or less automatically and executed very fast

which means that the complaint in the US against mega for some copyrighted files on its systems is a non-issue (and in the worst case is legal harassment and nothing else), because all hosters work on this system (even YouTube eliminates hundreds of videos each week this way) and because the proof is here for all to see that these complaints are being followed up actively

the copyright holders should also thank mega, because each file that is more or less the same (not based on the name but on the actual bits of the file) has the same ID, which means that if you get a complaint against one copy, all other copies will also disappear. I imagine that their lawyers won't be too happy, but enforcing their copyrights becomes much easier. In fact you have to look for all copies of your file (for example The Hobbit) that have the same number of bits and file one complaint for each of them

this means that for copyright breakers or pirates, changing the name of the file is not sufficient to make the file survive; the number of bits of the file would also have to change (for example by encrypting, hashing or zipping it, by adding other files or by cutting parts out of it). You can expect software to be developed quite soon (take one file of x bytes and get 5 files with a totally different number of bytes)

the best thing to do is not to use mega for public P2P but to do what people have always done throughout history: exchange personal copies for personal use, knowing that in nearly all the countries of the world they will break some law with that (you had better go to the library or the second-hand shop if you can't buy the shop version)


01/30/2013

printers connected to the internet without a good password do get hacked

an example

"A hacker infiltrated Duke’s online, campus-wide printing system Sunday, which resulted in the printers feeding out multiple copies of a cheeky message when students attempted to use select printers in Perkins Library, said Circulation Desk Assistant Kristin Brunn, a sophomore. Students swiped their DukeCards and selected their printing jobs, causing “thousands of copies of the papers” to print out, Brunn said. The message offered advice to the Duke authorities responsible for ePrint.


“Perhaps you dumb-asses should password protect a printer you directly connect to the Internet,” the message read, signed, “—Bored university student in Texas :)~.”


A postscript advised a shuffling of Duke’s information technology staff.


“P.S. Maybe you should fire your IT department,” the message concluded.


The Office of Information Technology said the hacking incident was contained, and staff members are taking measures to prevent future incidents.
http://www.dukechronicle.com/article/duke-eprint-hacked-a...

well, aside from the nuisance and all the time lost explaining everything, there are some other things a more active hacker could have done if he had wanted to be more than just a bored joker

* print a book of a thousand pages over and over again - until the toner is empty (if you have only one printer connected the loss is a few thousand pages and toner, but if you have a network of internet-connected printers the cost will be a few thousand bucks plus all the administrative and technical working hours to replace the printers, all the workers who are angry that they can't print anymore and all the working hours lost)

* change the passwords on all the printers - which will block access and make direct human administrative access necessary - costing x hours of administrative and technical work - which is not free

* take possession of documents (maybe confidential) in the cache of the printer - maybe sending them around internally (and if they are big you can resend them a hundred times so they will block mailboxes and, if you are lucky, the antivirus (blocking all mail traffic because the antivirus is overwhelmed)); imagine if it is an internal evaluation of some workers sent all over the office....

* change printer routes and settings so that documents are printed at random in different colours, at different locations, in the wrong format and so on (eventually putting a password on it so a simple user can't change it back). Before they understand what has happened, several working hours will have passed.

modern printers connected to the internet without protection? you are mad

didn't you hear about VPNs and access management?
