security - Page 2

  • #rexmundi analyzing the Xtra-Interim.be leak WITH 1000 NATIONAL REGISTRY NUMBERS

    It concerns about 1000 persons

    they used SQL injections (several), which means that the programmers set up a database and a form without any security checks, making mistakes that anyone who has followed any professional book would have avoided (if you are a professional programmer)

    it also means that the hosting of the site has no good application defense, i.e. no good (web application) firewall, because otherwise, even with these vulnerabilities, it would have been more difficult to execute those attacks

    if I had a site built like that, I would check my forms and databases, because this is the third one

    id,langID,hiant_id,cv,tel,naam,email,busnr,huisnr,straat,postcode,voornaam,gemeente,paswoord,

    opmerking,rekeningnr,creationdate,nationaliteit,geboortedatum,geboorteplaats,preferred_jobs,

    burgerlijke_stand,rijksregisternummer

    not everybody filled in all these fields in the form, and I would continue to say that there is no obligation to fill in personal information or correct information (the only thing that is needed is your email address)

    there are about 100 bank account numbers (the files with the list are with the FCCU and CERT.be, for the banks if they need to contact the people)

    there is no guarantee that these files will not be downloaded, combined with other data or sold on to other (criminal) networks

    Rex Mundi didn't keep its promise not to publish the national registry numbers, which means that about 1000 of them have now leaked online (and to the underworld)
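    As an added example (not code from this post, and not the code of the hacked site), here is the mistake the post describes beside its fix, using the column names of the leaked table. The rows, the form fields and the `kandidaten` table name are constructed for the example; the point is that with string-pasted SQL one form field is enough to log in without a password and to pull the `rijksregisternummer` column out through the login query, and that a field that is never stored cannot leak.

```python
import sqlite3

# Column names taken from the leaked table layout in the post; the rows are
# constructed for this example, they are not leaked data.
COLUMNS = ("email", "voornaam", "naam", "paswoord", "rijksregisternummer", "rekeningnr")
SAMPLE_ROWS = [
    ("an@example.be", "An", "Peeters", "geheim1", "000000-001-01", "000-0000001-01"),
    ("jo@example.be", "Jo", "Claes", "wachtwoord", "000000-002-02", "000-0000002-02"),
]

# Only these form fields are ever stored; everything else is dropped before it
# reaches the database (assumption: the site only needs an e-mail to contact you).
ALLOWED_INPUT = ("email", "voornaam", "naam", "paswoord")


def build_db():
    """In-memory copy of the candidates table, filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kandidaten (%s)" % ", ".join(COLUMNS))
    conn.executemany("INSERT INTO kandidaten VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, email, paswoord):
    """The mistake: form input is pasted straight into the SQL text."""
    sql = ("SELECT email FROM kandidaten WHERE email = '%s' AND paswoord = '%s'"
           % (email, paswoord))
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, email, paswoord):
    """The fix: the driver sends values separately, so quotes in input stay data."""
    sql = "SELECT email FROM kandidaten WHERE email = ? AND paswoord = ?"
    return [row[0] for row in conn.execute(sql, (email, paswoord))]


def minimise(form):
    """Data minimisation: refuse a form without an e-mail, discard unwanted fields."""
    if not form.get("email"):
        raise ValueError("email is the only mandatory field")
    return {k: v for k, v in form.items() if k in ALLOWED_INPUT}


# Two classic payloads typed into the e-mail field: a login bypass, and a UNION
# that pulls another column out through the same query.
BYPASS = "x' OR '1'='1' --"
DUMP = "x' UNION ALL SELECT rijksregisternummer FROM kandidaten --"

if __name__ == "__main__":
    conn = build_db()
    print(login_vulnerable(conn, BYPASS, ""))      # every account, no password needed
    print(login_vulnerable(conn, DUMP, ""))        # the registry numbers, via the e-mail column
    print(login_parameterised(conn, BYPASS, ""))   # []
    print(minimise({"email": "x@example.be", "rijksregisternummer": "000000-003-03"}))
```

    The parameterised version needs no input filtering to be safe; the allowlist in `minimise` is the second half of the lesson: a column that does not exist cannot be dumped.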

  • #belgacomhack this is why Belgacom was hacked in one pic

    hack Belgacom and you have access to communications all over the world

    why hack hundreds of mobile companies if you only need one that has a passe-partout (master key)?


    the only thing that was missing was the understanding at BICS (Belgacom) that they were the keepers of the kingdom, the centre of the communication networks, and that they had to have a security posture that confirms the trust of all their international partners in their capability to secure a castle that is being stormed, attacked and penetrated every second

    bicsnetwork.PNG

  • Microsoft Update is under repair (and things get messed up) or needs some repair

    because there are some strange instances and incidents, and they increase the pressure on Microsoft to re-secure the process (letting people see updates before they are launched is not really secure, because you could analyse the code if you didn't have good intentions) and to make it as robust as it once was

    http://blog.norsecorp.com/2014/12/12/microsoft-issues-patch-to-fix-buggy-windows-root-certificate-patch/

  • #belgacomhack user pages of Belgacom users still infectable

    it means that there is no good antivirus running on these servers, so these servers can become infected

    source: scumware.org

    PS: Telenet also has a page infected like this

    but no, we shouldn't worry, they don't need security audits, they are safe, we should trust them without any independent oversight

  • #belgacomhack is belgacom still infected or not

    this is the wrong question

    it should reshape its security culture as if it can be infected again every day, and every day when they discover attacks they should make sure that they get to the bottom of it

    they shouldn't take things for granted and should be

    * rotating people from time to time so that they don't get used to the number of attacks

    * not falling into the red-traffic trap: the green (allowed) traffic also has to be looked at, because the fact that something leaves the enterprise through accepted rules doesn't mean it should have left the firm

    * getting external people in from time to time to question everything

    * getting other security tools from time to time to re-analyse the traffic (or a copy of it), so you are sure that nothing has passed your normal controls

    * making some paranoia a basic part of your security culture: you will be attacked permanently and you will be infected, penetrated and maybe owned, over and over again - if they don't have that border-guard mentality they shouldn't be guarding the borders

    security is not having people with CVs, it is not huge budgets for enormously expensive tools that show very impressive graphical security metrics

    security is finding that connection from that PC that looks normal to everybody except to the second auditor who is going through the traffic for the 20th time with specific filters based on new information about infections and dangerous connections
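    What that "second pass over the green traffic" looks like in practice, as an added example that is not part of the original post: the same allowed-connection log is run twice, once against an indicator list that arrived after the traffic was accepted, and once looking for connections that repeat at a timer's regularity. The log format, the firewall log lines, the addresses and the indicator list are all constructed for the example; nothing here is Belgacom data.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log of *allowed* outbound connections. The line format
# is an assumption: "YYYY-MM-DD HH:MM:SS action=allow src=... dst=... dport=...".
ALLOWED_LOG = """\
2014-12-14 08:00:00 action=allow src=10.1.2.3 dst=198.51.100.20 dport=443
2014-12-14 08:01:13 action=allow src=10.1.2.5 dst=93.184.216.34 dport=443
2014-12-14 08:07:45 action=allow src=10.1.2.5 dst=93.184.216.34 dport=443
2014-12-14 08:10:00 action=allow src=10.1.2.3 dst=198.51.100.20 dport=443
2014-12-14 08:20:00 action=allow src=10.1.2.3 dst=198.51.100.20 dport=443
2014-12-14 08:22:09 action=allow src=10.1.2.9 dst=203.0.113.7 dport=80
2014-12-14 08:30:00 action=allow src=10.1.2.3 dst=198.51.100.20 dport=443
2014-12-14 08:31:02 action=allow src=10.1.2.5 dst=93.184.216.34 dport=443
2014-12-14 08:33:20 action=allow src=10.1.2.5 dst=93.184.216.34 dport=443
2014-12-14 08:40:00 action=allow src=10.1.2.3 dst=198.51.100.20 dport=443
"""

# "New information about infections": an indicator list received after the
# traffic above was already accepted (constructed).
NEW_IOCS = {"203.0.113.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_log(text):
    """Turn the log into dicts; lines that don't fit the format are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def ioc_hits(events, iocs):
    """Pass 1: re-run already accepted traffic against today's indicator list."""
    return sorted({(e["src"], e["dst"]) for e in events if e["dst"] in iocs})


def beacons(events, min_events=4, max_jitter=0.1):
    """Pass 2: flag (src, dst, port) pairs contacted at near-constant intervals.
    A coefficient of variation of the gaps at or below max_jitter is treated as a
    timer (malware calling home) rather than a person browsing."""
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "allow":
            by_pair[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = []
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((key, round(avg)))
    return found


if __name__ == "__main__":
    ev = parse_log(ALLOWED_LOG)
    print(ioc_hits(ev, NEW_IOCS))   # [('10.1.2.9', '203.0.113.7')]
    print(beacons(ev))              # [(('10.1.2.3', '198.51.100.20', 443), 600)]
```

    Neither pass needs a new sensor: the 10-minute heartbeat from 10.1.2.3 and the single hit on the new indicator were both "green" at the time, and only show up because somebody looked at the accepted traffic again with a different question.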

  • #belgacomhack the source of the problem: the Belgacom mail server was already known as a problem

    "In the summer 2012, system administrators detected errors within Belgacom’s systems. At the company’s offices on Lebeau Street in Brussels, a short walk from the European Parliament’s Belgian offices, employees of Belgacom’s BICS subsidiary complained about problems receiving emails. The email server had malfunctioned, but Belgacom’s technical team couldn’t work out why.

     

    The glitch was left unresolved until June 2013, when there was a sudden flare-up. After a Windows software update was sent to Belgacom’s email exchange server, the problems returned, worse than before. The administrators contacted Microsoft for help, questioning whether the new Windows update could be the reason for the fault. But Microsoft, too, struggled to identify exactly what was going wrong. There was still no solution to be found. (Microsoft declined to comment for this story.)
    https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/

    we found that the mail server was an open relay, which made it possible for anybody to send mail to anybody with any domain without being the owner of it (and that could probably have been used by the hackers inside the network to send internal mails)

    and Belgacom found that normal ..... in March 2013

    http://belsec.skynetblogs.be/archive/2013/03/19/belgacom-be-has-a-totally-open-mailrelayserver-and-finds-tha.html

    the external mail server had already been blacklisted several times as a spammer, or was infected, between 2008 and 2013, which naturally makes it a logical victim for attacks, as it seems that the security of the machine was not necessarily up to date (rightly or wrongly)

    so we were as surprised that this was maybe the digital beachhead of the penetration as we were when we were told that, a year later, the NMBS used the same insecure platform to place the data of one million clients where it had hosted internal data a year before (and didn't take it down afterwards)
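    To make the "open relay" finding concrete, here is the SMTP exchange behind that test, as an added example that is not part of the original post and not Belgacom's configuration. The relay decision is taken at `RCPT TO`: a correctly configured server accepts mail for its own domains from anyone, but refuses to forward mail for foreign domains unless the sender has authenticated. The local domain, the addresses and the reply strings are constructed; the server side is a policy function, not a real socket, so the exchange runs offline.

```python
LOCAL_DOMAINS = {"belgacom.be"}   # assumption: the domain this server should accept mail for


def domain(addr):
    return addr.rpartition("@")[2].lower()


class SmtpRcptPolicy:
    """The server side: decides the reply to RCPT TO, where relaying is accepted or refused."""

    def __init__(self, local_domains, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay

    def rcpt(self, mail_from, rcpt_to, authenticated=False):
        if domain(rcpt_to) in self.local_domains:
            return "250 2.1.5 OK"                 # inbound mail for our own users: always fine
        if authenticated or self.open_relay:
            return "250 2.1.5 OK"                 # forwarding to the outside world
        return "554 5.7.1 Relay access denied"    # unauthenticated relay attempt


# The probes (MAIL FROM, RCPT TO), all sent without authentication. Constructed addresses.
PROBES = [
    ("attacker@example.net", "victim@belgacom.be"),   # external -> local: must be accepted
    ("attacker@example.net", "victim@example.org"),   # external -> external: this is relaying
    ("ceo@belgacom.be", "victim@example.org"),        # spoofed local sender -> external: still relaying
    ("ceo@belgacom.be", "staff@belgacom.be"),         # spoofed local sender -> local: accepted by any
]                                                     #   server, which is sender spoofing, not relaying


def relay_probe(policy):
    """The client side: run the classic relay test, return the transcript and what was relayed."""
    transcript, relayed = [], []
    for mail_from, rcpt_to in PROBES:
        transcript.append("C: MAIL FROM:<%s>" % mail_from)
        transcript.append("S: 250 2.1.0 OK")
        transcript.append("C: RCPT TO:<%s>" % rcpt_to)
        reply = policy.rcpt(mail_from, rcpt_to)
        transcript.append("S: " + reply)
        if reply.startswith("250") and domain(rcpt_to) not in policy.local_domains:
            relayed.append((mail_from, rcpt_to))
        transcript.append("C: RSET")
        transcript.append("S: 250 2.0.0 OK")
    return transcript, relayed


def is_open_relay(policy):
    return bool(relay_probe(policy)[1])


if __name__ == "__main__":
    for name, pol in (("closed", SmtpRcptPolicy(LOCAL_DOMAINS)),
                      ("open", SmtpRcptPolicy(LOCAL_DOMAINS, open_relay=True))):
        transcript, relayed = relay_probe(pol)
        print(name, "open relay:", bool(relayed))
        print("\n".join(transcript))
```

    Note the fourth probe: even a properly closed relay accepts a message with a forged internal sender addressed to an internal recipient, because the recipient is local. Closing the relay stops the server being abused by the outside world; it does not by itself stop internal spoofing, which needs sender verification on top.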

  • #belgacomhack the security question for Cisco to answer

    "The most serious discovery was that the large routers that form the very core of Belgacom’s international carrier networks, made by the American company Cisco, were also found to have been compromised and infected. The routers are one of the most closely guarded parts of the company’s infrastructure, because they handle large flows of sensitive private communications transiting through its networks.

     

    "Earlier Snowden leaks have shown how the NSA can compromise routers, such as those operated by Cisco; the agency can remotely hack them, or physically intercept and bug them before they are installed at a company. In the Belgacom case, it is not clear exactly which method was used by GCHQ—or whether there was any direct NSA assistance. (The NSA declined to comment for this story.)

     

    "Either way, the malware investigators at Belgacom never got a chance to study the routers. After the infection of the Cisco routers was found, the company issued an order that no one could tamper with them. Belgacom bosses insisted that only employees from Cisco could handle the routers, which caused unease among some of the investigators."
    https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/

    so Cisco, you can now explain what you have done lately to make it impossible to do the same attacks again, because if you don't, then we have to assume that every Cisco router can fall victim to the same attacks, and then we have only two choices

    * install very strict security rules and controls

    * change the routers for those of another firm that can guarantee this security and is not from China

  • #belgacomhack this is the most important disastrous fact for Microsoft

    "Before long, Fox-IT discovered strange files on Belgacom’s email server that appeared to be disguised as legitimate Microsoft software. The suspicious files had been enabling a highly sophisticated hacker to circumvent automatic Microsoft software updates of Belgacom’s systems in order to continue infiltrating the company’s systems.
    https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/

    this has been one of the most discussed possible attacks in the security world for years, and at the time the thought that this would be possible gave the biggest scares

    imagine that you would be able to circumvent this update process or inject malware into it; the possibilities are enormous, because this is the most trusted update channel ever, with access to all systems everywhere in the world on whatever network - even the most secret

    the fact that they were able to do this, and also to falsify the Microsoft certificates, poses enormous problems for Microsoft

    the question is not whether they knew this, or whether they wanted to help the NSA through this backdoor (or whether someone in their organisation did so without telling anybody else)

    the only question is what they are going to do to make it impossible that their update process - which is of vital importance for the security of millions of computers and is the most efficient one in the world - is compromised again, even by an operation of the NSA

    trust is total or there is no trust; there is no partial trust, you trust something or you don't, and if you can't trust the update process of Microsoft totally, then you can't trust it, and then you will have to put security controls in place, and at one time or another they will interfere with the update process (false positives)

    so Microsoft ?

  • #rexmundi announces third Belgian leak soon

    they won't pay, even if the sum is stupidly low

    they won't pay because the police advise them not to pay

    but there must be a reason why Rex Mundi keeps on hacking here and elsewhere

    because there are those who pay, and about them we will never know

    oh, and about novation.be

  • from one #rexmundi to many .....

    or it is just a mind game to make understanding it all much more difficult

    or they are different groups who are only using the same methods (and that doesn't need so much practice and knowledge)

    but it is not up to me to say what is wrong and who is right

    by the way, these hackers are only the result of a situation, they are not the cause of the problem

    the problem is that cybersecurity has been too lax in Belgium, and as long as that is possible you will always have such attacks

    by a rex mundi or by somebody else

    for money or for espionage or for politics or just LOL

  • #rexmundi hack: we confirm Tobasco.be has lost bank account numbers (2000 or 100)

    it wasn't with z-staffing.org but with the form of tobasco.be that there was the possibility to fill in your bank account number

    they have lost about 2800 accounts

    but the export of the data seems to be problematic: in the table the account numbers are shown as x.xxxxxE+13, where x is a digit of an account number that we have changed, so without the other 13 digits we aren't sure what the number is, and it is not clear whether he was able to download the account numbers in full and this is just a bad export to a table that could be posted on dpaste, or whether this is the form in which he actually has some of the bank accounts

    if he has all the bank account numbers in full, then he has about 2000 bank accounts with all the personal details of the people involved

    if he only has the bank account numbers in the short form, then there are only about 100 bank account numbers that were short enough to be downloaded or published in full
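    To show why a cell like x.xxxxxE+13 cannot be turned back into an account number, and why that is no reason to feel safe, here is an added example (not from the original post) that works out what information such a cell still carries. It takes a scientific-notation cell as a spreadsheet displays it, computes the interval of integers that would have been shown that way, and then counts how many of those pass the check-digit rule of the old 12-digit Belgian account numbers (the last two digits equal the first ten modulo 97, or 97 when the remainder is 0). The sample cell value is constructed; the assumption that the display rounds to the visible digits is stated in the code.

```python
import re

SCI_RE = re.compile(r"^(?P<lead>\d)\.(?P<frac>\d+)E\+(?P<exp>\d+)$", re.IGNORECASE)


def candidate_range(cell):
    """Integers a spreadsheet could have displayed as `cell` (e.g. '1.23456E+11').
    Assumption: the shown mantissa is the true value rounded to the visible
    digits, so the digits beyond it are simply gone, not zero."""
    m = SCI_RE.match(cell.strip())
    if not m:
        raise ValueError("not a scientific-notation cell: %r" % cell)
    digits = int(m["lead"] + m["frac"])
    scale = int(m["exp"]) - len(m["frac"])      # power of ten of the last visible digit
    if scale <= 0:                               # every digit is visible: exact value
        value = digits // 10 ** (-scale)
        return value, value
    centre = digits * 10 ** scale
    half = 5 * 10 ** (scale - 1)
    return centre - half, centre + half - 1


def belgian_check_ok(n):
    """Check digits of the old 12-digit Belgian account number: the last two
    digits equal the first ten modulo 97 (97 when the remainder is 0)."""
    stem, check = divmod(n, 100)
    return check == (stem % 97 or 97)


def plausible_accounts(cell):
    """How many syntactically valid 12-digit Belgian account numbers hide behind
    one truncated cell. Iterates over the 10-digit stems, not over every integer."""
    lo, hi = candidate_range(cell)
    count = 0
    for stem in range(lo // 100, hi // 100 + 1):
        n = stem * 100 + (stem % 97 or 97)       # the only valid number with this stem
        if lo <= n <= hi and 10 ** 11 <= n < 10 ** 12:
            count += 1
    return lo, hi, count


if __name__ == "__main__":
    # Constructed cell in the shape the post describes, not a real account number.
    print(candidate_range("1.23456E+11"))      # (123455500000, 123456499999)
    print(plausible_accounts("1.23456E+11"))   # (123455500000, 123456499999, 10000)
```

    Six visible digits of a twelve-digit number leave a million candidates, and the check digits only cut that down to ten thousand: the published cell is useless to a fraudster on its own. That says nothing about what the hacker holds in the original export, which is exactly why the data has to be treated as compromised.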

    now, don't start crying victory, because it would be a false victory

    we don't know anything, and because we don't know anything and live only on suppositions, we should suppose that all that data has been compromised, and as it is compromised we shouldn't use it and we should change it

    period

    and even if he doesn't publish the bank account numbers in full, he can still sell them or just upload the full dataset to a real file server

    anyway, the Belgian banks should urgently start organizing some methodology to respond to cases like this: informing the victims is not enough, you should help the victims and you should compensate them for having to change a lot of administrative things

  • #rexmundi hacked another online interim firm: no data leak yet, but real reputation damage

    so what is this

    well, the site seems to have gone offline - the best thing to do under the circumstances

    but it will go into digital history for some time as having been hacked and leaked

    because if you search for xtra-interim in Google, you get their website, but just under it the news that they were hacked

  • #rexmundi is not from Belgium, but he came to Belgium ..... to hack

    In this article in De Morgen, Eddy Willems thinks that he or the group is from Belgium because he has been attacking Belgian targets lately. He thinks they are French-speaking.

    Rex Mundi discovered Belgium. He was hacking in France, the Netherlands and some other countries when by chance he discovered that the state of internet security was so bad here that it was a piece of cake to hack the websites of some specific sectors that have no oversight at all, where everybody can do on the web whatever he wants, well or badly, and nearly nobody cares a bit about their responsibilities and the consequences, because there is nobody who has the power, or wants to use his authority effectively, to impose norms, audits and punishments.

    I could be wrong, because Rex Mundi seems to have learned a lot from the mistakes the LulzSec people made, and the fact that he is still out there hacking and changing the way he operates seems to confirm this. Rex Mundi is a ghost.

    Rex Mundi will never be caught if there is no dedicated international team that hunts him down, the way all other big or important hackers and cybercrime groups have been hunted down. This was never done by one country or one operation, but by a coordinated international team with all the necessary resources, judicial powers and evidence.

    Otherwise they will never find Rex Mundi

    I am not Rex Mundi and even not part of it. Never was.

    But I don't understand what all that grandstanding about the digital Interpol is about, while here is one example of an experienced hacker ransacking Belgium for the moment but ready to go back to whatever countries he tried out first.

  • #leak boitajeux.fr, with many Belgians among the victims, published

    no link due to lawyers

    passwords seem encrypted, but we can't even try to decrypt them

  • #rexmundi leaks: what we see and what we don't

    • first, we don't see the national registry numbers, which is good if that was the intention - we say that you should never fill that in online, nor any other personal or financial information, if you don't have all the necessary security settings (like https, like being protected behind another login screen, etc....)
    • secondly, we see that some people have not filled in all the information, which shows that people sometimes begin to think like we do: if you don't need it, you shouldn't get it
    • third, the passwords are protected somewhat

    but we see

    id	langID	hiant_id	cv	tel	naam	email	busnr	office	huisnr	straat	diploma	
    postcode voornaam gemeente
    paswoord opmerking creationdate nationaliteit geboortedatum geboorteplaats burgerlijke_stand

    we have emails, whether somebody is still married, the address and so on

    and we see

    id eid hiant_id video_id arbeidsstelsel cv tel naam type email active straat
    statuut bedrijf postcode paswoord
    voornaam gemeente opmerking loginnaam fiscale_code creation_date nationaliteit
    geboortedatum rekeningnummer geboorteplaats burgerlijke_stand fiscale_code_temp

    not everybody filled in their bank account number (wise), but some did, and they may need some special protection and maybe change their account number, given the number of personal details that are published, which makes fraud and phishing easier


  • Microsoft accepts Bitcoin, but will it also learn how to secure itself?

    It is Gates who inspired the decision

    https://smallbusiness.yahoo.com/advisor/microsoft-now-largest-company-world-accept-bitcoin-165400324.html

    but Microsoft should go further than that and teach the Bitcoin community, which is now awash with managers and investors, how to (re)secure the bad code, the bad libraries and the bad development practices that make it today too vulnerable to be a good platform that will survive hacks and other attacks

  • Belgian mobile networks used for mobile attacks by the Inception espionage network

    the following Belgian mobile networks were used in these Inception attacks and had mobile malware MMS files sent over them

    this shouldn't surprise anybody as Brussels is the diplomatic capital of Europe

    we should also remember that in Belgium NOBODY is responsible for MOBILE attacks, because the CERT (already underfinanced and understaffed) is NOT responsible for the MOBILE networks; they say that the Belgian mobile operators themselves are responsible

    the Belgian mobile operators are shouting every so many months about the successes of the mobile data revolution blablabla, but there is NO MOBILE CERT, and the latest news from PROXIMUS is that the security team is responsible for FRAUD but not for malware

    this seems to be the responsibility of the mobile user, but he doesn't know that mobile data traffic is not filtered, protected and scanned as is the case with normal traffic, and that there is no security team looking at and investigating attacks in the mobile traffic

    and in any case, very few mobiles are secure in themselves; they are as secure as computers were 10 years ago (and the same goes for tablets)

    Proximus 197

    Mobistar 78

    BASE 33

    but these are targeted attacks against specific targets, so these numbers can't be high

    You should read the Inception report (see previous post), because there is so much information in it

    it is time that somebody in Belgium starts worrying about mobile attacks, while our ministers use all kinds of insecure mobiles

  • new international cyberespionage network Inception with new techniques discovered

    you will have to read the whole file if you are a specialist

    the points to remember are the following

    * they use WebDAV, so you will have to look at the WebDAV traffic coming to and leaving your network: eliminate everything you don't know

       go from free-for-all to only those you know, and look at the logs of the things that were blocked

    * they use infected files, among which RTF and doc files, so sandbox attachments or open them on dedicated servers with no connections to any workstations (scripts, installations etc...) and no links to the internet

    * they use routers they take over which haven't been hardened, which means that you will have to take the security of your routers more seriously and look at what happens to them and who has administrator access to them (they own hundreds of them)

    * nothing can protect you once you are infected, because all processes take place in memory - it is game over

    * there is also a mobile element with infected multimedia messages, but I never believed that mobiles were secure anyway

    the targets are mainly Russian for the moment, but everybody will be reading and analysing these files, and this will just become another method used by everybody with enough knowledge, or sold to anybody willing to pay for it
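    For the RTF attachments in the list above, a sandbox is the right place to open them, but a static first look costs nothing and can be done on the mail gateway. As an added example (not code from the report or from this post), here is a small triage pass that hex-decodes the payload of every `\objdata` group, reads the class name from the OLE1 object header, and flags an embedded OLE compound document and the `\objupdate` control word (which makes Word activate the object as soon as the document opens). The sample RTF is constructed, not an Inception sample; the header layout follows the OLE1 ObjectHeader structure (version, format, length-prefixed class name).

```python
import re

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # header of an OLE compound document
HEX_DIGITS = b"0123456789abcdefABCDEF"


def objdata_blobs(rtf):
    """Hex-decode the payload of every \\objdata group in an RTF file.
    Walks the group by hand: nested braces are tracked and control words are
    skipped, because their letters would otherwise be mistaken for hex digits."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x5C:                        # backslash: skip the control word/symbol
                i += 1
                while i < len(rtf) and rtf[i:i + 1].isalnum():
                    i += 1
                continue
            if c == 0x7B:                        # '{'
                depth += 1
            elif c == 0x7D:                      # '}'
                if depth == 0:
                    break                        # end of the objdata group
                depth -= 1
            elif c in HEX_DIGITS:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:
            hexchars.pop()                       # tolerate a truncated last byte
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs


def ole1_class_name(blob):
    """Class name from the OLE1 ObjectHeader: u32 version, u32 format, then a
    length-prefixed ANSI string. None if the blob is too short or malformed."""
    if len(blob) < 12:
        return None
    n = int.from_bytes(blob[8:12], "little")
    name = blob[12:12 + n]
    if n == 0 or len(name) != n:
        return None
    return name.rstrip(b"\0").decode("latin-1")


def triage(rtf):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    if not rtf.lstrip().startswith(b"{\\rtf"):
        findings.append("no {\\rtf header: malformed or obfuscated file")
    if b"\\objupdate" in rtf:
        findings.append("\\objupdate: embedded object is activated when the document opens")
    for blob in objdata_blobs(rtf):
        cls = ole1_class_name(blob)
        if cls:
            findings.append("embedded OLE1 object of class %r" % cls)
        if OLE_MAGIC in blob:
            findings.append("OLE compound document carried inside \\objdata")
    return findings


# Constructed sample: a document with an embedded, auto-updating "Package" object
# whose data starts with an OLE compound file header. Not a real malicious file.
_PAYLOAD = (bytes.fromhex("01050000" "02000000")        # OLE1 version, format = embedded
            + (8).to_bytes(4, "little") + b"Package\0"   # length-prefixed class name
            + bytes(8)                                   # empty topic and item names
            + (16).to_bytes(4, "little")                 # data length
            + OLE_MAGIC + bytes(8))                      # start of the embedded OLE file
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Package}"
              b"{\\*\\objdata " + _PAYLOAD.hex().encode() + b"}}\\par hello}")
BENIGN_RTF = b"{\\rtf1\\ansi Hello \\par world}"

if __name__ == "__main__":
    for line in triage(SAMPLE_RTF):
        print("-", line)
    print("benign:", triage(BENIGN_RTF))
```

    A hit here is a reason to route the file to the isolated machine rather than to a workstation, not a verdict: plenty of legitimate documents embed objects, and an exploit can also live in a malformed control word rather than in an object at all, which is why the sandbox stays in the picture.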

    https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088

     

  • before the #sonyhack there was the wipe attack against the Las Vegas Sands casino servers

    same methodology: http://www.businessweek.com/printer/articles/239652-now-at-the-sands-casino-an-iranian-hacker-in-every-server

    extract, and destroy the rest while the victim tries to hide the damage from the public