09/08/2011

#diginotar vasco.com never used their own CA for their certificates

ssllabs.com

they bought diginotar in January 2011

a good strong certificate - much better than diginotar was able to install for themselves

but if you don't eat the food your own gardens are producing, why should we eat it?

Common names: www.vasco.com
Alternative names: -
Prefix handling: Not valid for "vasco.com"   CONFUSING
Valid from: Wed Feb 24 00:00:00 UTC 2010
Valid until: Mon Feb 23 23:59:59 UTC 2015 (expires in 3 years and 5 months)
Key: RSA / 2048 bits
Signature algorithm: SHA1withRSA
Server Gated Cryptography: No
Weak key (Debian): No
Issuer: Thawte Server CA   TRUSTED
Chain length (size): 1 (1055 bytes)
Chain issues: None
Validation type: Domain-validated (DV)
Revocation information: CRL, OCSP
Revocation status: Good (not revoked)
Trusted: Yes
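The "Not valid for vasco.com" line above is what a browser's name check produces for a certificate whose only name is the Common Name www.vasco.com with no subjectAltName. The following is an added example (not code from the post or from SSL Labs) that implements the RFC 6125 reference-identity rules a client applies; the certificate objects are constructed stand-ins, and the "fixed" certificate is an assumption about what a correct replacement would carry.

```python
"""Hostname matching as a TLS client performs it (RFC 6125, section 6.4).

Added example, not from the original post. Rules implemented:
  * subjectAltName dNSName entries take precedence; the Common Name is only a
    fallback when the certificate carries no dNSName at all
  * comparison is case-insensitive and label-by-label
  * a wildcard is honoured only as the whole left-most label and never spans
    more than one label, so "*.vasco.com" covers www.vasco.com but not vasco.com
"""

from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """The identity-bearing fields of an X.509 server certificate (constructed stand-in)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False  # a wildcard never stands for more (or fewer) than one label
    if "*" in pattern_labels[1:]:
        return False  # wildcard is only allowed in the left-most label
    if pattern_labels[0] == "*" and len(pattern_labels) < 3:
        return False  # "*.com" would cover every domain; refuse it
    return all(p == "*" or p == h for p, h in zip(pattern_labels, host_labels))


def cert_valid_for(cert: CertNames, hostname: str) -> bool:
    """Check SANs first; fall back to the CN only when no dNSName SAN is present."""
    if cert.san_dns:
        return any(name_matches(n, hostname) for n in cert.san_dns)
    return name_matches(cert.common_name, hostname)


# Constructed stand-in for the certificate in the SSL Labs report above: CN only, no SANs.
VASCO_CERT = CertNames(common_name="www.vasco.com")

# Constructed stand-in for a replacement that lists both names (assumption, not a real cert).
FIXED_CERT = CertNames(common_name="www.vasco.com",
                       san_dns=["www.vasco.com", "vasco.com"])


def main() -> None:
    for host in ("www.vasco.com", "vasco.com", "WWW.VASCO.COM"):
        print(f"{host:14}  original: {str(cert_valid_for(VASCO_CERT, host)):5}"
              f"  fixed: {cert_valid_for(FIXED_CERT, host)}")


if __name__ == "__main__":
    main()
```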


#globalsign no compromise found until now

"Piece by piece the puzzle is being unravelled. At the moment all our systems worldwide are being examined. We are in contact with all our operations", Ronald De Temmerman, General Manager of GlobalSign Belgium, tells Webwereld. "There are still no clear indications of a compromise. But we cannot rule anything out yet. The matter is still under investigation."

http://webwereld.nl/nieuws/107866/belgi---voorbereid-op-r...

freely translated

piece after piece we are unravelling it. For the moment we are investigating all our systems over the whole world. We are in permanent contact with all our operations worldwide, says Ronald De Temmerman, General Manager of Globalsign. For the moment we have no clear proof that there has been a compromise. But for the moment we can't exclude anything. We are still fully investigating.


#globalsign and false rumors and misinterpretations

you have journalists who are jumping the gun, thinking that hackers tell the truth in everything they say (and don't lie or overstate themselves), and so presume that Globalsign is the same as the amateurs from diginotar (but knowing that many of its people come from the security business, that would surprise me, because you have reflexes and instincts that you never lose again, which is why security is a specific job)

you have journalists who are looking for the most spectacular angle but don't understand what they are writing about, and just write something about a private key to the domain being stolen (huh?)

you have other bloggers and tweeters who are adding a bit of salt to their messages, but by doing so extend what the attacker has written and so make the situation look worse than it maybe is.

 * he doesn't talk about the CA database but a database (one of the many)

 * he doesn't talk about a huge cache, but a cache

 * and for the security people: it is a linux server - in case anybody comes and tells you they should have used linux instead of windows .....

 * there is NOTHING in all of his texts on pastebin that says anything about certificates from Globalsign or about access to the central systems that make those certificates

 * globalsign is one of the companies for the Belgian EID but it seems to use better certificates for its own domains than the two others, or than the way the EID people in Belgium have implemented it themselves (follow my twitter), and surely better than diginotar (ssllabs.com)

You are maybe not used to it, but let the specialists and analysts do their work and do it professionally, and I am sure that Globalsign will respond in time with correct and controlled information that is not the kind of FUD and PR and blasé that we have seen from diginotar and their masters (who seem to have disappeared)

I think that soon we will have some news or details and that more will come after the weekend, because everybody has to be sure that everything has been controlled and double-checked and that every certificate and every business process in these complex semi-automated infrastructures of today is correct and that there is no unwanted interference somewhere.

have a bit of patience and you will have facts; let the rumors and extrapolations pass like sand in the wind, only blinding and hurting your eyes


#diginotar didn't know how to set up a secure certificate themselves

but they have sold them to Google (of all people)

and sold themselves to Vasco for 10 million Euro (ask it back :) )

With ssllabs.com their certificate for diginotar.com scores red, or 48, not because it is revoked but because the server is full of gaping security holes that nobody serious in this business leaves open anymore (not if you are responsible for root certificates)

SSL 2.0   INSECURE   Yes

Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK 56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64)   WEAK 56
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62)   WEAK 56
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK 40
SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   WEAK 40
SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080)   WEAK 40
SSL_DES_64_CBC_WITH_MD5 (0x60040)   WEAK 56

a man-in-the-middle attack is quite possible here, or breaking the SSL altogether

https://www.ssllabs.com/ssldb/analyze.html?d=diginotar.com
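To turn a listing like the one above into a pass/fail verdict, here is an added example (not from the post or from SSL Labs) that parses the protocol and cipher-suite lines of such a report and flags each suite with the reason it should not be offered by a CA's own web server. It goes slightly beyond the WEAK markers SSL Labs printed in 2011: RC4 and MD5-MAC suites are flagged too, as they would be by any reviewer today. The sample report is constructed from the diginotar.com lines quoted in the post.

```python
"""Audit the SSL 2.0 and cipher-suite lines of an SSL Labs report.

Added example, not part of the original post. Flags: SSLv2 enabled, SSLv2-only
suites (SSL_ prefix), export-grade suites, single DES, RC2, RC4, MD5 MACs and
any key under 128 bits. Only the 3DES suite in the sample survives.
"""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the diginotar.com listing quoted in the post.
SAMPLE_REPORT = """\
SSL 2.0   INSECURE                                                  Yes
Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK 56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64)   WEAK 56
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62)   WEAK 56
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK 40
SSL_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   WEAK 40
SSL_RC4_128_EXPORT40_WITH_MD5 (0x20080)   WEAK 40
SSL_DES_64_CBC_WITH_MD5 (0x60040)   WEAK 56
"""

# "NAME (0xCODE) [WEAK] BITS" as printed by the SSL Labs suite table.
SUITE_RE = re.compile(
    r"^(?P<name>[A-Z0-9_]+)\s+\((?P<code>0x[0-9a-fA-F]+)\)\s+(?P<weak>WEAK\s+)?(?P<bits>\d+)\s*$"
)
SSLV2_RE = re.compile(r"^SSL 2\.0\s+(?:INSECURE\s+)?(?P<enabled>Yes|No)\s*$")


@dataclass
class Suite:
    name: str
    code: int
    bits: int
    labs_weak: bool  # True when SSL Labs itself printed the WEAK marker

    def problems(self) -> List[str]:
        """Reasons this suite should not be offered; empty list means acceptable."""
        issues: List[str] = []
        if self.name.startswith("SSL_"):
            issues.append("SSLv2-only suite")
        if "EXPORT" in self.name:
            issues.append("export-grade key")
        if "_DES_" in self.name:  # single DES; 3DES appears as "3DES_EDE" and is not caught
            issues.append("single DES")
        if "RC2" in self.name:
            issues.append("RC2")
        if "RC4" in self.name:
            issues.append("RC4 (biased keystream, prohibited by RFC 7465)")
        if self.name.endswith("MD5"):
            issues.append("MD5 MAC")
        if self.bits < 128:
            issues.append(f"{self.bits}-bit key")
        return issues


def parse_report(text: str) -> Tuple[bool, List[Suite]]:
    """Return (sslv2_enabled, suites) from the report lines; other lines are ignored."""
    sslv2_enabled = False
    suites: List[Suite] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSLV2_RE.match(line)
        if m:
            sslv2_enabled = m.group("enabled") == "Yes"
            continue
        m = SUITE_RE.match(line)
        if m:
            suites.append(Suite(m.group("name"), int(m.group("code"), 16),
                                int(m.group("bits")), bool(m.group("weak"))))
    return sslv2_enabled, suites


def audit(text: str) -> Dict[str, object]:
    """Summarise a report: which suites are flagged and why, and whether it fails overall."""
    sslv2_enabled, suites = parse_report(text)
    flagged = {s.name: s.problems() for s in suites if s.problems()}
    acceptable = [s.name for s in suites if not s.problems()]
    return {
        "sslv2_enabled": sslv2_enabled,
        "suite_count": len(suites),
        "labs_weak_count": sum(1 for s in suites if s.labs_weak),
        "flagged": flagged,
        "acceptable": acceptable,
        "fail": sslv2_enabled or bool(flagged),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_REPORT)
    print("SSL 2.0 enabled:", result["sslv2_enabled"])
    for name, why in result["flagged"].items():
        print(f"FLAG {name}: {', '.join(why)}")
    print("acceptable:", result["acceptable"], "-> overall fail:", result["fail"])
```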


#diginotar and #globalsign and the unknown 3 are in fact a digital 9-11

the heart of the certificate business, which is the basis of a secure internet, has been hit hard by what one could call a very efficient campaign that has destabilized a whole industry that was so confident before

when you are under attack - even if you are not sure by whom - you have to take extraordinary decisions

the certificate business will have to take extraordinary measures to better secure itself as an industry and to lay the groundwork for an enormous explosion of new business as egov, ebiz and other e-things go or stay online but have ever more stringent laws and regulations to comply with

if we go back to 9-11, the following should be done

* halt all certificate business for a week, the time necessary to turn everything inside out and upside down

this should even be the case every year, for example 2 weeks in august worldwide

on 9-11 all planes were grounded to be sure that no more hijackers were somewhere

* set up a network of official exchanges of information about attacks and attackers

so that one can directly see if the same attackers or techniques are being used against your network, and so whether there is a concerted effort

after 9-11 intelligence services were obliged to share much more info

* limit the information that is published and that has no use

it is unbelievable, but if you look up online the certificates for globalsign, verisign, rsa and others you will see a full description of the openssl version, IIS and all other technical information a hacker would need to know

they have to publish that information to be compliant

this kind of public compliance is suicidal and should be abolished, or registered and sealed somewhere else (in exchange for a specific ID for that server)

after 9-11 millions of public documents became sealed or disappeared from the web (technical details about bridges for example, ....)

* all certified CAs must be compliant with a whole set of rules and norms and should be monitored and audited by an external agency; investment in security shouldn't be less than 10% of the budget and they should have at least x security people for x number of total staff.

these big central installations should become the bunkers, the castles, and as little as possible should be connected or let in from the outside (you can federate presentation servers, not production servers)

after 9-11 a whole list of buildings and agencies were rebuilt and re-concentrated (and made anonymous or secret)

* a central CERT should be set up as a central watchdog

the role of the CERT should be to collect information, to keep a watch on tendencies and information about the CA industry and its products on the internet, and to exchange information without the different companies having to talk to each other or to know where it came from

as all aspects of the IT infrastructure have to be secured, their security watch would heighten the awareness and shorten the response of the industry to those new threats and lower the possibility of compromise through those new attacks

* duty and civil service

thousands of people became active after 9-11 to secure their environment and their workplace and other things

the CA business is that important that a call to the community to stand by your certificate business is nothing extraordinary

duty and civil service should also be an important leitmotiv in the industry itself; even if you have to make money and will make a lot of money, you are still doing it to secure the internet that has become so important to so many people


#globalsign other certificate authorities try to poach big clients

while Globalsign is handling the investigation in the way that is best for the whole sector, and in this way stops the downgrade of trust in all certificates (as happened to the banks) by investigating first and bringing out reports only afterwards, stopping all rumors and possibly ending whatever access the hacker eventually had to some infrastructure somewhere, it is being confirmed by different sources that some other CAs are trying to create Fear and Uncertainty with emails and calls to their big customers.

this would only be acceptable if it were clear that Globalsign has been owned like the other known victims, but the hacker himself said that he wasn't capable of producing Globalsign certificates; he only has a cache (not huge) and some database of some linux server

you may steal a machine to print money, but if you can't print money on it, the fact that you didn't produce money means that you have failed and that - if this is the case - the damage could be minimal - and the psychological effect of the hack can become more important than the hack itself

the other 3 CAs he has penetrated now have a real model to use when they are named, without the fear of being 'closed down' or 'rumored out' only because they have done the same thing Globalsign is doing now, and which they can only do because Globalsign has done it also

First, you suspend business for a while (while the rest of the business leaves your clients alone) and investigate

secondly you take the necessary decisions

thirdly you re-open shop one step at a time, re-connecting only the systems that are found to be totally trustworthy (whatever that means, but you have to go forward)

The other CAs, in whatever identity business, should be grateful for this chance - which the banks never got - and which may be instrumental in surviving this crisis or any other

Trying to steal clients is a very low tactic

I hope that those doing it are not on the attacker's list

remember he said that he couldn't make Globalsign certificates but that he can still make some now, probably from the three others; this means they are in worse s.... than Globalsign and, according to him, they are still owned by him today.

Globalsign is in better shape than the others because they know more or less what has and has not been done - based upon his own declarations - and when everything is over, Globalsign can restart after a thorough inspection and a bill of certificate health and a clear vision for security that is up to the threat theatre of 2011

We know Comodo has been breached and owned (through a reseller), we know SecurID from RSA may have been breached, we know start.com was totally owned but luckily no certificates left the server, and we know that diginotar was breached and owned during at least a full month and that some server somewhere at Globalsign has been breached

but we don't know s.... about the others, and so the heads will turn to them afterwards? And to you. They will say everything is fine and well, but how can they prove that?


09/07/2011

android developer hacked and user accounts leaked

http://www.mappn.com/index.html

mAPPn is a high-tech company which focuses on the development of new generation Android platforms.

all accounts and passwords are leaked on pastebin


#diginotar more explanations from the comodo-hacker

first, he is Iranian and is what we call a patriotic hacker: this means pro-regime (or pro-dictatorship), and he doesn't care a bit if his actions could endanger the lives of dissidents, because to him they are only western spies

and he says he works alone but that "just I have shared some certs with some people in Iran", and that would probably be people close to the regime, to catch the spies

and this "When USA and Israel can read all emails they want in Gmail, in Yahoo, data in Facebook, Twitter, etc. How my country should control those services? I'll help my own country for it as I did and you saw it. If my country get equal right as USA in controlling emails, I may share my brilliant unbreakable encryption system for replacement of SSL"

action: if you don't need traffic from Iran - especially for administrative installations (and all proxied traffic) - block it and drop it, or whitelist it

secondly, he says he will use more ISPs in the US and Israel and so on

LMI.NET Berkley's ISP, ask about user Todd and password loc!666

tip: an administrative password today needs at least 12 characters

in fact it means that he says he is capable of poisoning the DNS servers of those ISPs and sending users of, for example, google.com to another server with a false certificate

action: check your DNS servers immediately: their versions, the strength of their passwords, and the monitoring of your DNS servers and of changes to them

thirdly he says it wasn't easy, so this is his explanation

There was netHSM with OpenBSD OS, only 1 port open, totally closed/protected with RSA SecurID and SafeSign Token management systems, they had around 8 smart card totally (a company with a lot of employees, only 8 smart card for SSL generation), you see? It's not "simple DNN bug", ok? I had remote desktop access in last RSA Certificate Manager system which had no any connection to internet, all files was coded in XUDA (there is no reference to XUDA programming language, even a single line), no one can access those server via Remote desktop, there was enough firewalls and routers which even blocked their own employee to access that network. That network had different domain controller with different users, man! There is so much thing to explain, I'll do it later,

he also says

my other skills in cryptography, cryptanalysis, binary analysis (assessment), reversing, kernel programming,

fourth about start.com CA

StartCOM (got connection to HSM, was generating for twitter, google, etc. CEO was lucky enough, but I have ALL emails, database backups, customer data which I'll publish all via cryptome in near future)

fifth about globalsign he says

GlobalSign (I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain, hahahaa)

comment: he has made no certificates; he says that somewhere he had access to a linux server and a database

that is for the moment very important: he had access to a server in a very complex infrastructure, but according to this information he wasn't capable - this is what he is saying - of making any certificates, otherwise he would have said so, as with comodo and start.com and diginotar. If he had the possibility to make certificates, he made certificates. If he says he didn't make them, then it is because he wasn't able to make them. Now it is up to Globalsign to find the server, to isolate it and throw it in the dustbin, and to do some breach control operations for the people who are in the database.

and finally he says he has the same from three more CAs

#diginotar #globalsign #comodo my four thoughts about attack techniques

when you look up some certificates and ask for an SSL quality check, you can get a lot of information

so for example for globalsign I would get this as information

Server signature Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.3

waah, the whole server infrastructure and all of the protocols - okay

the second thing I do - sorry, I don't trust things like that, it is stronger than me

I google this between " " and yes, as I thought, people are looking for exploits against this kind of infrastructure (an exploit being a security hole you could abuse)

and what does Google bring me?

people looking for exploits against exactly that kind of infrastructure

Abdurrahman

Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5

which exploit we use?? give a link

http://www.facebook.com/topic.php?uid=2336527175&topi...

and what does the hacker say on pastebin?

that no firewall and no IDS will stop him

so one possibility for the other 5 may be a zero-day exploit to come in (bypassing, as he says, all the security and identification tools and installations)

because those zero-days are possible and exist against apache, openssl, php and maybe frontpage

can somebody tell me why you have to publish all that information, for something that critical, in a certificate that everybody can read? You could indicate your server with a specific name or number that is accepted and known, without giving away what it is using to work.

secondly

there are 4 million accounts hacked - passwords and email addresses

maybe someone used the same password for his vpn or his login

nothing wrong with the logs, and it always takes a while until the procedure for sending the bills and so on is run (and if the person has lost control of his mailbox without knowing it, and the smart hacker changes only one thing so that all email from the certificate authority is treated as spam, he will not see a thing)

and sometimes you can find with a few Google dorks enough information about the responsibilities of the person who has used the same password for his work as for his email address at Yahoo (or worse, his professional email address)

third

ever heard about PBX / modem hacking? still very active (forgotten because not sexy for the press)

and very hard to trace, because if he is smart - and let's suppose he is - he has set up a ring of hacked PBX phone boxes that forward the call to each other

and oh, did you forget there were standby modem lines active on the PBX, because in some country or with some old technology they still need modem transfers (or as a backup)?

fourth

social intelligence - he has been impersonating something that does exist but that doesn't know it has been a client of several certificate authorities, and as they don't do any cross-checking they won't find out


#diginotar : your mobile may still be unsafe

If your mobile operator uses certificates from Diginotar (for example in Holland), or if you are in a country like Iran where those false certificates were used (hundreds of them), then you have the same problem as with a computer

only your problem is much bigger

Apple decided after some delay to push an update to its iphones and ipads (installed it yet?)

Google had more problems with its androids (looks like Google is messing Android up badly lately with all the malware that is around for Android) and has yet to push the update

there is no news yet from other mobile platforms, but if the online service providers change certificate to a still trusted certificate authority that won't be a big problem

the big problem in fact is that the mobile networks and operators aren't reacting as fast as the online networks, and this creates a window of opportunity that can be abused

if you start from the idea that you must be able to surf the net wherever you are with whatever appliance or phone you have in your hand or before you, then you must also take enough precautions that everybody is using the internet under the same secure conditions

only, while many parts of the internet have security anno 2011, it is as if the mobile world is still living in 2000 security-wise, while there are many lessons that have been learnt in between and could be practical to implement, and would make it much easier to go from the fixed to the always-available internet wherever you are (a virus is a virus and a data theft is a data theft wherever you are and whatever you were using).


#diginotar after the dutch, some local Belgian Notaires are hacked (since long)

In Belgium and France and Holland we have 'Notaires'. I think it is something from Bonaparte a long time ago. Their main job is to assure that documents are certified and that everybody agrees that the same things are written in the contracts and property papers. They are quite expensive and it is a quite closed profession, and in Belgium there have been several initiatives to abolish their necessity.

In Holland they were responsible for the diginotar scandal, and in Belgium they are pushing to be responsible for controlling the validity and use of digital signatures. While it is quite simple to show that in the real world there is a use for an independent certifier.

this is the cached copy of the hack


Maison du Notariat is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience.

and these people want to be responsible for digital signatures and are pushing all kinds of laws to give them the same status as paper versions?


#diginotar how to protect your mac (instructions)

These instructions are available in PDF form for printing or download (link below)

Download a package that will delete the DigiNotar Root CA certificates and will revoke the trust on the two root certificates and the four DigiNotar intermediate certificates. The package is now at version 2.1. Please use this version instead of versions 1.0 and 2.0. 

Update (7-Sep-2011 1:26 AM EDT): Installer package updated to delete the two bad root certificates and mark the two root certificates and four intermediate certificates as untrusted. Step-by-step instructions on HTML page and PDF updated. Text, info, and links updated with info on number of compromised certs. 

Update (6-Sep-2011 11:10 PM EDT): It's been a long day for me doing business-type work that pays the bills, but it turns out that you actually need to mark the DigiNotar root certificates as untrusted as well as deleting them from the SystemRootCertificates.keychain. I will be updating the instructions and package later tonight. Fortunately, the package is built so that adding the two root certificates to the list of certs to be marked as untrusted is very easy. My thanks to Ryan Sleevi for assistance and insights. 


http://ps-enable.com/articles/diginotar-revoke-trust


the stupid state of some wikileaks search-engines (more in the weekend)

they wanted the fame, the money and the content but not the effort

1. statelogs has only 7605 cables out of the total package

Statelogs helps you browse, comment, rate the 7605/251.287 diplomatic cablegate.

Statelogs is proudly designed and developed by OWNI.

2. in 14,469 of 251,257 cables - Wikileaks

this is much better

http://cablesearch.org/   all cables and user friendly

http://wikileaks.org/cablegate.html   less user friendly but closer to the source

for the moment we are closely following the pearl harbor of the certificate business in Europe, but it is true that those cables have astonishing things to tell and that hundreds of volunteers are putting them in context. We will get deeper into that during the weekend - if nothing else major happens


family phishing: using a hacked email account to defraud family members

You receive this in your mail from the address of a friend or family member

and it is from their real address, from the real yahoo servers

"Hello,

  I'm writing this with tears in my eyes,my family and I came down here to Las Palmas/Spain for a short vacation unfortunately we were robbed at the park of the hotel where we stayed,all cash,credit card and cell were all stolen from us but luckily for us we still have our passports with us

We've been to the embassy and the Police here but they're not helping issues at all and our flight leaves in few hrs from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills the amount needed now is just €2,500..I am so confused right now and thank God we weren't injured because we complied immediately.

Waiting to hear from you.

Thanks."

but hey, they would have written it in another language

just to be sure, we call and hear the name we should have heard

seems her email address was hacked and she wasn't in spain (and not asking for so much money)

like 4 million others in the last months.....

but how would you get your mail address back if, with double authentication via mobile (Google), your mobile is stolen or lost or in the hands of the fraudsters?

why do they think that by working with mobiles the problem is resolved? (it is in some cases, but not always, and what then)


#diginotar doubts about replacement firm for digi-id in Holland

the certificates from diginotar for the dutch egov installation and processes are being replaced by another firm

but on security.nl there is the following comment (probably from a specialist) saying that their application servers aren't hardened enough and that their certificate reseller application was already hacked 2 years ago, when thousands of personal certificates with all the personal information were published

Today, 00:39, by Anoniem
Is anyone actually going to CHECK whether "Getronics-Pinkroccade Nederland BV." is adequately secured, or do we just assume once again that it will be fine? See "cronyism"

Have we conveniently forgotten the not-so-pretty history and reputation of Getronics & Co already!?

To begin with, they could start by hardening their servers a bit more seriously. For example, that www.pki.getronicspinkroccade.nl looks very much like a default install. And as an ordinary reseller they still use the not-so-well-programmed Xquery.exe to query the Verisign DB; that little app was already thoroughly abused 2 years ago to plunder thousands of personal certificates, with the contact details included.

It looks very much like the same 'solution' has been chosen as for the financial crisis, namely: just carry on, but with a different little group from the same school.


http://www.security.nl/artikel/38383/1/Digid_overgestapt_...


#diginotar the dedicated lone attacker

our intelligence and security services observe

they observe organisations, forums, mails and manifestations

they select organisations, forums and people to investigate and to follow up

whether that is for hacking, terrorism or crime

this is the only possible way to prevent crime, terrorism and hacking

they can't protect us against the lone hacker - attacker

who had contact with no one, who didn't show up in forums or groups, and who is keeping his privacy as intact as possible, and for most of the people around him is just a simple normal person

the lone, very specialised and intelligent hacker - attacker is something that is worrying more and more security services (self-radicalisation it is called in terrorism terms) - sidestep - the lone terrorists who wanted to blow up a plane or who went on a killing spree in a military base had prior contacts online with muslim extremists in Yemen, so they were not so 'lone' and could have been 'discovered' as a risk at a certain level.

take for example the Unabomber

we now have our digital unabomber who claims to be Iranian and claims to be working alone - but in the virtual world everything is virtual :)

for some it is the master hacker sabu (Lulzsec), the islamist hacker coming back - and he seems to be as specialised as the Unabomber was in his field

but are we going into a police state for this, because there are some 'lone wolves' around us? watch out for the post-9/11 'we need a new paranoia' cyberwar talk from military and policy influencers with vested interests (their goal is to protect our democracies, not to take them over)

Maybe Iran can exchange him for some Uranium :)


#diginotar comodo hacker proves it was his doing

a) My LAST PROOF for being hacker of DigiNotar:
http://www.multiupload.com/EHI7YZAF4G

In case of Comodo there was also so many stupids who never beleived it, I don't have time, this time, to negotiate it.

I signed windows calculator using Google Cert, you have to have private key of cert to be able to sign calculator. It's enough reason/proof.

b) To person who sent me an anonymous email and telling me that what I do have no effect in real life and suggest me to read more, sorry as you didn't use a real email, I have to send your reply here:

"What I do have enough effect on people of Netherlands, they lost so many e-gov services, Dutch gov. already paying so much for my hack, DigiNotar deleted from entire trusted CAs list of worlds, you see? It effects entire world even your PC which you waste it by using it. You need to study more, study more about Srebrenica, study more about how Serbian soldiers was wild animal, how they was killing innocent people of Bosnia, it was 16 years ago, but nothing is changed, today see how Israel is killing Palestinian children. Yes, I can't do so much in real world against Israel, Dutch or any anti-Islam country, but I can destroy their IT infrastructure as I do, isn't it?"

BYE

You are so far from being able to talk with me"

and more

Hi

I have received around 25 interview requests, I'll give response to all requests, I'll give interviews to all.

Just to make some points which I see around in internet about me and in some interview questions:

a) I'm single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I'm not one who should explain.

b) This attack was really more sophisticated than simple Stuxnet worm. 0-days? I already have discovered similar bugs, trojan? I already wrote most sophisticated undetectable ring0 and ring3 rootkit (works together), signing certificates? huh, man! I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google's cert, I have code signing privilege! You see? I owned an entire computer network of DigiNotar with 5-6 layer inside which have no ANY connection to internet, I have so much to explain, but later... You have to wait!

c) I still have access to 4 more CAs, I just named one and I re-name it: GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification.

d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?

I'll talk about more stuff later. May I also start a web hacking course for Anonymous and Lulzsec and friends of them, Rootkit development for Stuxnet developers, 0-day vuln. assessment in Windows and Linux environment for Stuxnet developers and other hackers too. huh? What do you think?

Dutch government is paying what they did 16 years ago about Srebrenica, you don't have any more e-Government huh? You turned to age of papers and photocopy machines and hand signatures and seals? Oh, sorry! But have you ever thought about Srebrenica? 8000 for 30? Unforgivable... Never!

I heard also that Dutch government tries to gather documents and make a compliment against Iran, really? Shame on you man! Have you been in court for Srebrenica? Who should file compliment for Srebrenica? You should pay, these are consequences of Srebrenica, just know it! This is consequence of fighting with Islam and Muslims in your parliament.

WOOOOORLLLLDDD! Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!


#globalsign helped by Belgian CERT

the Comodo hacker claimed yesterday - after some poking - that he also has access to 5 other certificate businesses, among them Globalsign

the management of Globalsign - which has been in the pure certificate business since the start and knows the business (it is not just a side business) - took the enormous decision to stop the presses and to start turning everything inside out and upside down

they are being helped by external partners and by the Belgian CERT, which has dedicated staff working around the clock

the decision from Globalsign is the only one that can be taken, and we should expect that in the following hours or days the other certificate businesses will also stop production and start a total revision process - it would even be better if they had a set period like this each year in which security and certificate specialists and lawyers go through the whole bunch of certificates and processes and improve the processes and defenses (for example two weeks in August). If the whole business sector closes down at the same time for review, upgrades and business process management, nobody will lose business to anyone else.

the only thing that counts in security is

I believe what I see, not what you tell me to see (and if I am not specialised enough, then what you tell me that you see: not what is present on paper or how the process has been written, but how it is actually present and how the process has been used or abused)

If you can prove that, you have trust

"trust me" is not enough anymore, you have to earn trust

and we should give them time: there are hundreds of machines, networks and processes and thousands of certificates to control and recheck, and this has to be done calmly and systematically, leaving no stone unturned and not the slightest doubt

the real question now is: what will the others do, and do they really think that they are 100% secure in these times?
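The recheck of "thousands of certificates" described above is, at its core, a reconciliation: every certificate the CA's signing systems actually produced must match a request the registration authority approved, and anything without such a request is the first thing to revoke. The following script is an added example of that reconciliation, not code from this post, from GlobalSign, DigiNotar or the Belgian CERT; the CA name, serials, subjects and dates are all constructed sample data, and it adds the hygiene checks (key size, signature algorithm, expiry, issuer) that the ssllabs report quoted earlier in this blog lists per certificate.

```python
"""Reconcile certificates found signed by a CA against the CA's own issuance ledger.

Added example (not code from the original post or from any CA named in it):
a minimal audit of the kind a CA review would run over its certificate
inventory. Every record below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    serial: str          # hex serial as printed by the CA software
    subject: str         # common name the certificate was issued for
    issuer: str          # issuing CA name
    key_bits: int        # RSA modulus size
    sig_alg: str         # signature algorithm, ssllabs-style spelling
    not_after: datetime  # end of validity


# Constructed: what the registration authority actually approved (serial -> subject).
APPROVED_REQUESTS = {
    "0x1001": "www.example-customer.nl",
    "0x1002": "mail.example-customer.nl",
    "0x1003": "portal.example-gov.example",
}

# Constructed: certificates found signed by the CA (e.g. from the OCSP responder
# database or the signing-server log). Serial 0x1004 has no matching request,
# and 0x1002 was issued for a different name than the one approved.
ISSUED = [
    CertRecord("0x1001", "www.example-customer.nl", "Example Root CA", 2048,
               "SHA256withRSA", datetime(2013, 1, 1, tzinfo=timezone.utc)),
    CertRecord("0x1002", "*.example-customer.nl", "Example Root CA", 2048,
               "SHA1withRSA", datetime(2013, 1, 1, tzinfo=timezone.utc)),
    CertRecord("0x1003", "portal.example-gov.example", "Example Root CA", 1024,
               "SHA256withRSA", datetime(2011, 6, 1, tzinfo=timezone.utc)),
    CertRecord("0x1004", "*.example-webmail.example", "Example Root CA", 2048,
               "SHA1withRSA", datetime(2013, 1, 1, tzinfo=timezone.utc)),
]

WEAK_SIG_ALGS = {"MD5withRSA", "SHA1withRSA"}
AUDIT_DATE = datetime(2011, 9, 8, tzinfo=timezone.utc)  # date of the post


def audit(issued, approved, trusted_issuers, now, min_key_bits=2048):
    """Return {serial: [finding, ...]} for every certificate that fails a rule."""
    findings = {}
    for cert in issued:
        problems = []
        # The decisive check: a signed certificate the RA never approved.
        if cert.serial not in approved:
            problems.append("no approved request for this serial")
        elif approved[cert.serial] != cert.subject:
            problems.append(
                f"subject {cert.subject!r} differs from approved {approved[cert.serial]!r}")
        if cert.issuer not in trusted_issuers:
            problems.append(f"unexpected issuer {cert.issuer!r}")
        if cert.key_bits < min_key_bits:
            problems.append(f"weak key: {cert.key_bits} bits")
        if cert.sig_alg in WEAK_SIG_ALGS:
            problems.append(f"weak signature algorithm: {cert.sig_alg}")
        if cert.not_after <= now:
            problems.append("expired but still in inventory")
        if problems:
            findings[cert.serial] = problems
    return findings


def rogue_serials(issued, approved):
    """Serials that were signed but never approved: the ones to revoke first."""
    return sorted(c.serial for c in issued if c.serial not in approved)


if __name__ == "__main__":
    report = audit(ISSUED, APPROVED_REQUESTS, {"Example Root CA"}, AUDIT_DATE)
    for serial, problems in sorted(report.items()):
        print(serial, "->", "; ".join(problems))
    print("revoke first:", rogue_serials(ISSUED, APPROVED_REQUESTS))
```

The point of splitting `rogue_serials` from the rest of `audit` is that the two classes of finding call for different responses: a certificate with no approved request is evidence of a compromised signing path and must be revoked immediately, while a weak key or SHA1 signature is a hygiene defect to fix on the next reissue. In a real review the ISSUED list would come from every place a signature could have been produced, not only from the CA's own database, since a compromised system may not have logged what it signed.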


09/06/2011

#diginotar : dutch politicians want a breach notification law NOW

when something as major as a certificate authority has been broken into and taken over for a month and says nothing, and then when found out declares that it is just a minor problem, then you have a big problem

the penalty has been the internet death penalty (nobody wants your service or connection or trust anymore)

but meanwhile the main problem stays the same

hundreds of sites have obviously been hacked, and hundreds more that we know nothing about - even when it is a very important network

and as long as that is the case, there is no incentive to invest more in security, resources and procedures

the European Union is all for it and wants to follow the example of the US and the UK

now the Dutch want to go faster and implement this as fast as possible in Holland

in times of crisis mountains can be moved, and that is what they are doing, because there are vested interests that have no interest in such a law; if they don't do it now it will be much harder later to get even something 100 times lighter than what they have in mind through parliament

another reminder is that we are nearing the number of 4 million webmail and other accounts that have been compromised in the last months - among them a number of Dutch sites and Dutch email addresses (.nl)


#diginotar : vasco and diginotar : give it back

after the stalling

after the newspeak

it is maybe time for some creative thinking about how to do the best thing for everyone

as an enterprise diginotar is worth zero (the certificates aren't trusted by anyone for the moment)

even if Vasco paid 10 million for it a year ago (maybe it should sue someone for the false declarations that were probably made during the acquisition process about the security and stability of the internal processes)

it is worth zero euro

and it only represents 2% of Vasco's total yearly turnover

but it could and probably will cost more, because Vasco is the owner of this firm and Vasco's core business is trust, in the form of two-factor authentication tools

meanwhile some political parties in Holland are asking that the government take ownership of such an important part of their e-gov project

so why would Vasco not just give Diginotar to the Dutch government as a kind of compensation for all the trouble it is causing (probably not excluding other compensation)

it would give the Dutch government the possibility to throw all the garbage out, to isolate the trusted environments and certificates, and to set up the necessary security installations, resources and procedures to regain at least some local trust and to use it only for what it should have been used for (certificates for Dutch e-gov processes and digital signatures)

and Vasco will have done one good thing and can say that it is no longer the owner

like a bank: instead of going broke with all the consequences, you are nationalized (and maybe some time in the future you will be privatized again, but not until the mess is totally cleaned up)
