06/14/2011

Minister Crevits, the hacked website and Google accounts

So the website of one of our ministers got defaced

nothing special, just a new page saying that the security of the website had some problems and that anyone could add whatever page he or she wanted to the official website of an elected official with huge responsibilities

the website was taken down and 'corrections were made' and, surprisingly, they probably used the Google administrator account to make sure that the Google cache was also refreshed so that you wouldn't find the defaced page in the Google cache

(go to Google, create a Google account and then go to administrators and follow the indications)

do you already have a Google account and have you already placed the Google identification code on your website, so that you can ask Google to refresh your pages when you get busted in this online game, SEO warfare or defacement-bombing because something somewhere in the world makes someone somewhat unhappy?


RSA gives another token, not acceptable advice or responsible disclosure

we can't tell you more about the hacking of the RSA tokens than what has been published after the attack

most of the analysis was speculation and was never confirmed, although there was a strong possibility that this would be the case

RSA now offers to give you a new token

does this mean that the cipher/code of the old tokens has been compromised

or that too many clients have lost trust in their old tokens because there has been so little communication

or both

if you are in a high-risk environment, the message is clear

change them - except if you get access (probably under a NON DISCLOSURE AGREEMENT) to the real incident report and analysis

for communication experts it is another ideal example of how the fear of communicating can kill the reputation of a firm - especially during a crisis

about the most stupid hack ever (ACER)

they have lost data about thousands of their users

and you wanna know why?

because they published the login account for their FTP server online so people could download a patch

Yes, they didn't publish the patch on their website for download

no, they left it on their FTP server and published the login accounts in a public forum

we are talking about one of the bigger computer firms ....

ok so they played around a bit and found some stuff and some say that most of the stuff may be old

but hey, when did you last change your email address? (so yeah, for spammers it is not so old)

12/16/2010

leaking hype : much buzz no fuzz

there are the guys from the openleaks.net initiative who want to restart wikileaks as it was meant to be and not as it became. Good intentions, sharp criticism but no website yet

there are the guys from the brusselsleaks initiative who want to get material about the European institutions and shadowy agreements published. Many articles online and in the press but not one document yet.

the Bulgarians have also published one with some interesting material but you can't compare it with wikileaks.

When wikileaks started it already had a bunch of documents before it was announced.

oh, and how can they be trusted?

don't ask me if you want to risk your career, because it can be that the version of the document you have in your hands has only one letter changed somewhere and that is your unique identifier.

also be assured that there will be much less note-taking, much less paperwork and much more logging and clean-desk policies coming your way

the gawker lifehacker total hack (passwords included) - also Belgians compromised

A few days ago some hackers found it necessary to publish the entire database and source code of some of the most influential tech blogs around (like lifehacker)

they didn't only publish it online, they also decrypted a list of about 2000 user accounts with the logins and passwords that were used

all of this can be found in a torrent file that is quite popular at the moment - the http downloads are in fact advertising for paid pirate hosters (who host pirated material that you can download for a monthly fee - incredible but true that they are still online after so many months)

In that list you can also find email addresses for certain countries, but that list is only part of the global set.

Maybe you should check if you have ever subscribed to their services with one of your email addresses

use this service http://www.didigetgawkered.com/

more information can be found here http://www.diigo.com/list/mailforlen/Security

and now some comments you will probably not read in many places

* how stupid can the gawker people be to let people use passwords of one letter or combinations that have no security at all? They publish all these articles about security and then you look at the list of passwords and you think 'what is this shit'

* how many times did the gawker people clean out their list? If you ask all your subscribers at least once a year if they want to stay a member, then you may have a smaller list but an active list (in which you will have to click to stay activated)

* how will those hundreds of thousands of IT people from all over the world be informed that their account has been compromised? Some may have used the same passwords (especially the more difficult ones) in other environments (good hunting)

* the sites have lost their complete source code, up for the zero-day injections, because now you can play with all the code of the whole environment (and infect thousands of visitors in a few days)

so yeah, tech is fun and tech has been around for long but that doesn't make it secure

11/25/2010

ALERT windows exploit(s) attack even the kernel of the latest versions - no patch but workaround

The attack bypasses all security mechanisms of windows (except if you have a good, updated antivirus or intrusion detection/prevention on your network or your host that is updated to stop this kind of attack) and uses a bug in the registry to give the attacker the possibility to install any code on your machine with the privileges of the machine itself (god, in fact).

It is one of the zero-day vulnerabilities that are being used by stuxnet but that hasn't been patched (yet) by Microsoft. It wouldn't surprise me if they get an automated workaround or patch out in the coming weeks.

There is a workaround but it is unofficial and it has not been fully tested yet (sophos):

There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:

  1. As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
  2. Right-click EUDC and choose permissions
  3. Choose the user whose account you are modifying and select Advanced
  4. Select Add and then type in the user's name and click OK
  5. Click the Deny checkbox for Delete and Create Subkey
  6. Click all the OKs and Apply buttons to exit

Registry permissions for mitigation

The registry keys being changed by this mitigation should not impact a user's ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.
http://nakedsecurity.sophos.com/2010/11/25/new-windows-ze...
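The six-step procedure quoted above, scripted for every loaded user profile, as an added PowerShell example of mine (not from the page or from Sophos). It assumes an elevated session, that only profiles currently loaded under HKEY_USERS are visible, and the choice to filter on S-1-5-21 account SIDs and to let the Deny entry inherit to the EUDC subkeys is mine, not Sophos's.

```powershell
# Added example (mine, not from the page or from Sophos): apply the six-step
# EUDC registry mitigation quoted above to every loaded user profile.
# Assumptions: an elevated PowerShell session; only profiles currently loaded
# under HKEY_USERS are visible; the S-1-5-21 SID filter and applying the deny
# entry to the EUDC key and its subkeys are my choices, not Sophos's.

$denyRights = [System.Security.AccessControl.RegistryRights]::Delete -bor `
              [System.Security.AccessControl.RegistryRights]::CreateSubKey
$aclRights  = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor `
              [System.Security.AccessControl.RegistryRights]::ChangePermissions

function Add-EudcDenyRule {
    param([string]$Sid)
    # Open HKEY_USERS\<SID>\EUDC with only the rights needed to edit its ACL.
    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey("$Sid\EUDC",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $aclRights)
    if ($null -eq $key) {
        Write-Warning "No EUDC key under HKEY_USERS\$Sid (key absent or profile not loaded)"
        return $false
    }
    try {
        $acl      = $key.GetAccessControl()
        $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Steps 4-5 of the procedure: a Deny entry for this user on Delete and
        # Create Subkey; ContainerInherit extends it to existing subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, $denyRights,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
        return $true
    } finally {
        $key.Close()
    }
}

function Get-EudcDenyEntries {
    param([string]$Sid)
    # Verification: list the Deny entries now present on the user's EUDC key.
    $path = "Registry::HKEY_USERS\$Sid\EUDC"
    if (Test-Path $path) {
        (Get-Acl $path).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            Select-Object IdentityReference, RegistryRights, InheritanceFlags
    }
}

# Real user accounts have S-1-5-21-<domain>-<rid> SIDs; this skips the
# _Classes hives and the well-known SIDs such as S-1-5-18.
$userSids = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { $_.PSChildName }

foreach ($sid in $userSids) {
    if (Add-EudcDenyRule -Sid $sid) {
        Write-Host "Deny Delete/Create Subkey applied for $sid"
        Get-EudcDenyEntries -Sid $sid | Format-Table -AutoSize
    }
}
```

Profiles that are not loaded at run time are not touched, so on shared machines run it once per logged-on user or at logon.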

The bad news is that not only can malware code be used to plant this control on the targeted machine (if it can fool the antivirus, if there is one in place) but it can also be combined with other unpatched attack routes like CVE-2010-3962 for Internet Explorer.

It could be nothing, it could become big.

For all those under targeted attack or who are normal targets for such attacks, you had better watch out for this one.

11/08/2010

New upgrade of the Belgian EID reader

As there is no automatic auto-update and no obligation in all the applications that use the EID and so on (you may call it the Firefox update process) it will be a problem for network administrators to keep their EID middleware updated in an organised manner. There is talk that this would be integrated into the windows update process and that would be a good thing (and by the way, give the whole management of the code to Microsoft so they can implement their Secure Development Lifecycle and information processes around it)

The limited description of the updates gives few reasons to update for security reasons, but as security is treated Apple-wise by the EID people (don't talk about it until it hits you right in the face for everyone to see) there are maybe hidden security fixes (DLL injection anyone?).

You can find the patch here

http://eid.belgium.be/nl/Achtergrondinfo/De_eID_technisch/

By the way, your EID is not a bank card - the security standards, technologies, support and monitoring are two totally different worlds. Using your EID as a bank card is like buying an electronic device that hasn't been tested and certified. Do it at your own risk.

And that your EID may hold information about your shopping, medical situation and more without additional certified encryption and protection of the data on the card and while it travels with and in EID-enabled online applications is something you should be informed about. Do it at your own risk.

Belgian Electronic Identity cards - all masks fall off

They were saying in the beginning that there was no reason to think that we should use the EID for banks, for payments, for social security and medical information. It would only be used for identification and authentication - so why are you making such a fuss about the total lack of procedure, governance and oversight? Because it will be used for other means as well.

The minister responsible for Economy has visited (and so he is supporting) the firms that want to make it useful for payment and soon banking.

There was the announcement that the social security card will be stopped and that we will use the EID in the pharmacy (instead of this card).

Another firm wants to use it for loyalty points.

So with one card I will know

* your bank information

* your medical information

* your shopping information

* your egov information

* your personal addresses

* your access to all EID enabled access points

* in many cases your access at your local networks or EID protected systems

So stop calling all those with doubts about all of this rushing into unknown fields paranoid. It is not because it didn't happen that it can't happen. And if it can happen on paper then there is a possibility that it may happen. And the more information and uses you add to the EID, the higher the risk, because the more it becomes a lucrative target.

Nobody in the US thought that the social security number was risky as identification until it became the number one method of ID theft.

I will have more trust if

* there are public penetration and security tests

* there are public certifications and controls and published norms

* there are yearly tests

* there is an automated, obligatory upgrade process for the software

* every expansion is accompanied by new tests and obligations

* all code is made available only to 'certified EID developers'. Anyone can fuzz it now.

And don't say in a few years, I didn't know. Those who know don't want to do anything about it, those who can do something about it don't seem to be interested and those who can report this want to wait until something spectacular happens (and it is too late)

by the way

did you know that the software of the EID probably had some DLL injection vulnerabilities? I suppose they are fixed in the new update because I informed the CERT about it. I hope this is the case as the description of the updates is scarce.

You have to earn trust or you can lose it in a snap.


Securing XP and higher better against targeted zero-day no-defense attacks (IE, PDF, flash, ....)

Microsoft gives some workarounds if you want to secure older versions of Internet Explorer and windows XP, Vista, 7, server 2003 and 2008 in general

1. Define your own CSS file.

This means that the styles defined in the CSS style file of the websites that are trying to install stuff on your computer or use vulnerabilities to take control are overridden and ignored.

To apply a custom cascading style sheet (CSS) for formatting documents loaded in Internet Explorer, save the following text to a file with a .CSS extension, such as KB2458511.CSS:


TABLE
{
    POSI\TION: relative !important;
}

Note The "\" literal that appears between "POSI" and "TION" above is intentional.

Impact of workaround. Applying a user-defined CSS may cause Web site style sheets to malfunction.

My opinion : not usable in a network

2. Install the Enhanced Mitigation Experience Toolkit

What is it

The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult to perform as possible. In many instances, a fully-functional exploit that can bypass EMET may never be developed.

How to install it

You will need at least XP or windows 2003

Configure EMET for Internet Explorer from the EMET user interface

To add iexplore.exe to the list of applications using EMET, perform the following steps:

1. Click Start, All Programs, Enhanced Mitigation Experience Toolkit, and EMET 2.0.

2. Click Yes on the UAC prompt, click Configure Apps, then select Add. Browse to the application to be configured in EMET.

For 32-bit installations of Internet Explorer the location is:
C:\Program Files (x86)\Internet Explorer\iexplore.exe

Note For 32-bit systems, the path is c:\program files\Internet Explorer\iexplore.exe

For 64-bit installations of Internet Explorer the location is:
C:\Program Files\Internet Explorer\iexplore.exe

3. Click OK and exit EMET.

Read and use : http://support.microsoft.com/kb/2458544

My opinion : It may not work with all software and you should test it before installing it in a network. In a network it may be very applicable if you have a very limited number of images or if you just limit it to those important departments or persons who have critically important information on their computers (also administrators)

Also there are already some attacks that bypass this protection, so it is not a perfect solution but one that improves the security situation of your computer.

3. Enforce Data Execution Prevention in IE8 or install it in IE7

This means that drive-by attacks and downloads against vulnerabilities in the browser or some of its plugins can be stopped.

If you use IE8 you already have the feature and you just have to activate it.

If you are still running IE7 for some odd reason you can install it

See Microsoft Knowledge Base Article 2458511 to use the automated Microsoft Fix it solution to enable or disable this workaround.

My opinion : a must for networks. It may crash some other plugins in the browser but this means that they were not sufficiently safe in the first place.

4. Setting secure internet zones in the browser

That is so traditional that it probably will already be done since long.
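Workarounds 1 and 2 above scripted for one machine, with a check of the system-wide DEP policy for step 3, as an added PowerShell example of mine (not from the page or from Microsoft). Assumptions: the IE user style sheet registry values "Use My Stylesheet" and "User Stylesheet" under HKCU\Software\Microsoft\Internet Explorer\Styles, EMET 2.0 installed under <Program Files>\EMET with an EMET_Conf.exe that supports --add and --list, and an elevated session (bcdedit and EMET_Conf need it).

```powershell
# Added example (mine, not from the page or from Microsoft): script workarounds
# 1 and 2 above for one machine, then read the system DEP policy for step 3.
# Assumptions: the IE user style sheet registry values "Use My Stylesheet" and
# "User Stylesheet" under HKCU\Software\Microsoft\Internet Explorer\Styles;
# EMET 2.0 installed under <Program Files>\EMET with EMET_Conf.exe supporting
# --add and --list; an elevated session (bcdedit and EMET_Conf need it).

function Get-FirstExistingPath([string[]]$Candidates) {
    foreach ($c in $Candidates) { if ($c -and (Test-Path $c)) { return $c } }
    return $null
}
$pf32 = ${env:ProgramFiles(x86)}   # $null on a 32-bit Windows
$pf   = $env:ProgramFiles

# --- Workaround 1: the KB2458511 user style sheet ---------------------------
function Install-UserStyleSheet([string]$CssPath) {
    # The "\" between POSI and TION is deliberate, as the KB note says.
    @'
TABLE
{
    POSI\TION: relative !important;
}
'@ | Set-Content -Path $CssPath -Encoding ASCII
    $styles = 'HKCU:\Software\Microsoft\Internet Explorer\Styles'
    if (-not (Test-Path $styles)) { New-Item -Path $styles -Force | Out-Null }
    Set-ItemProperty -Path $styles -Name 'Use My Stylesheet' -Value 1 -Type DWord
    Set-ItemProperty -Path $styles -Name 'User Stylesheet' -Value $CssPath -Type String
    return (Get-ItemProperty -Path $styles).'User Stylesheet'
}

# --- Workaround 2: add every iexplore.exe present to EMET -------------------
function Add-IeToEmet {
    $emetConf = Get-FirstExistingPath @("$pf32\EMET\EMET_Conf.exe", "$pf\EMET\EMET_Conf.exe")
    if (-not $emetConf) {
        Write-Warning 'EMET_Conf.exe not found: install EMET 2.0 first (KB2458544)'
        return
    }
    $iePaths = @("$pf32\Internet Explorer\iexplore.exe", "$pf\Internet Explorer\iexplore.exe") |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($ie in $iePaths) { & $emetConf --add "$ie" }
    & $emetConf --list    # every application now covered by EMET
}

# --- Step 3: system-wide DEP policy. OptIn is the default; OptOut or AlwaysOn
# also covers IE7, which is not DEP-enabled by default. --------------------
function Get-DepPolicy {
    $line = bcdedit /enum '{current}' | Select-String -Pattern '^nx\s+(\S+)'
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return 'unknown'
}

Install-UserStyleSheet -CssPath (Join-Path $env:USERPROFILE 'KB2458511.css')
Add-IeToEmet
"System DEP policy: $(Get-DepPolicy)"
```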


It becomes impossible to defend old windows machines on the internet

It is strange to see when you are scanning the internet (through publicly available vulnerability scanners) that there are still windows 2000 machines running public websites

It is also best to remember that XP is in fact being phased out and that Vista is just a messed-up version of Windows 7.

Running anything older than windows 7 just makes you vulnerable to a high number of attacks that have more or less become impossible with DEP and Protected Mode (which you have to activate - especially on executive computers)

but I know it is not always that simple to explain

For those who have older code and applications that just work fine under XP, remember that there is a virtual XP mode in some Windows 7 versions that may extend the lifetime of that older (probably messed up) code until you have put it up for review and securing (Secure Development Lifecycle)

The newest exploit against the older Internet Explorer shows this once again, but it also shows that you should always lock down the browser and (as I maintain) have a sandbox policy for all internet downloads. This means that all your internet installations and downloads should go into one locked folder. Only after a manual action may things be installed on the computer.

Adobe: the total mess with security updates puts egov in danger

It is going from bad to worse with Adobe (flash, pdf, shockwave)

not only are the exploits following each other at an ever-increasing speed and being used in more and more targeted attacks (lock down your executive computers; even if you don't want to touch these, you will have no choice if you want to protect them sufficiently)

but the update cycle that they wanted to install is becoming a total mess in which even the security advisors don't know anymore what the latest available version is

reading the posting about this total confusion is just staggering

it also says something to other firms who will have to go into security overdrive from a situation in which they presumed they had nothing to fear or didn't want to talk about it (apple, mobile firms)

you will have to set up a unique download center and a simple and unique information process

otherwise it will not work

it will also send waves through all these egov services that have been built around Adobe Forms. For one thing, all these forms will now need certificates to be sure that people only open PDF forms and attachments that are proven to be yours (and safe). Yes, this makes another form of socially engineered, ssl and certificate attacks possible, but it can weed out some less complex attacks.

which stock to buy? Certificate companies.

10/15/2010

the windows patches this month go after zeusbot/stuxnet - defend yourself

So if you install them, the main security problems Zeus/stuxnet are using to infect computers are being closed

for networks it means that you can bring your network up to the next level. It is not just a patch you are installing, you are installing a defense against a high-volume botnet (zeus) and a targeted-attack botnet (stuxnet).

this means that you will have to control the level of installations and investigate why some of your computers didn't install them.

as you see there are no big problems with them - so you could suppose that they can be installed automatically

another tip : it is a good policy for a network to install these patches on the main infrastructure (servers) on the same day every month (for example every second friday) so the rest of the users know that this will be the maintenance time and they can organize other things (meetings for example). Another advantage is that other work on the servers could be done at the same time, so instead of two moments of interruption you only have one.

| Bulletin | Affected | CVE(s) | KB | Known exploits | Microsoft rating (Exploitability index) | ISC rating (clients) | ISC rating (servers) |
|---|---|---|---|---|---|---|---|
| MS10-071 Cumulative Security Update for Internet Explorer (Replaces MS10-053) | Internet Explorer | CVE-2010-0808, CVE-2010-3243, CVE-2010-3324, CVE-2010-3325, CVE-2010-3326, CVE-2010-3327, CVE-2010-3328, CVE-2010-3329, CVE-2010-3330, CVE-2010-3331 | KB 2360131 | CVE-2010-3325 and CVE-2010-3324 have been disclosed publicly. | Severity: Critical (?,3,3,3,1,?,1,3,1) | Critical | Important |
| MS10-072 Vulnerabilities in SafeHTML (Replaces MS10-039) | Internet Explorer | CVE-2010-3243, CVE-2010-3324 | KB 2412048 | CVE-2010-3324 has been disclosed publicly. | Severity: Important (3,3) | Less urgent | Important |
| MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers (Replaces MS10-048) | Kernel Mode Drivers | CVE-2010-2549, CVE-2010-2743, CVE-2010-2744 | KB 981957 | CVE-2010-2743 has been disclosed publicly and is currently being exploited in the Internet ecosystem. CVE-2010-2544 and CVE-2010-2749 have also been disclosed publicly. | Severity: Important (3,1,1) | Important | Important |
| MS10-074 Vulnerability in Microsoft Foundation Classes (Replaces MS07-012) | Foundation Classes | CVE-2010-3227 | KB 2387149 | No known exploits. | Severity: Moderate (?) | Important | Important |
| MS10-075 Vulnerability in Media Player Network Sharing Service | Media Player Network Sharing Service | CVE-2010-3225 | KB 2281679 | No known exploits. | Severity: Critical (1) | Critical | Important |
| MS10-076 Vulnerability in the Embedded OpenType Font Engine | OpenType Font Engine | CVE-2010-1883 | KB 982132 | No known exploits. | Severity: Critical (1) | Critical | Important |
| MS10-077 Vulnerability in .NET Framework Could Allow Remote Code Execution | .NET Framework | CVE-2010-3228 | KB 2160841 | No known exploits. | Severity: Critical (1) | Critical | PATCH NOW! |
| MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (Replaces MS10-037) | OpenType Font (OTF) | CVE-2010-2740, CVE-2010-2741 | KB 2279986 | No known exploits. | Severity: Important (1,1) | Critical | Important |
| MS10-079 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (Replaces MS09-068, MS10-056) | Microsoft Word | CVE-2010-3214, CVE-2010-3216 | KB 2293194 | No known exploits. | Severity: Important (1,1) | Critical | Important |
| MS10-080 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS10-038, MS10-057) | Excel | CVE-2010-3232, CVE-2010-3234, CVE-2010-3235, CVE-2010-3236, CVE-2010-3238, CVE-2010-3239 | KB 2293211 | No known exploits. | Severity: Important (1,1,1,1,1,1) | Important | Important |
| MS10-081 Comctl32 Heap Overflow Vulnerability | Comctl32 | CVE-2010-2746 | KB 2296011 | No known exploits. | Severity: Important (1) | Critical | Important |
| MS10-082 Vulnerability in Windows Media Player Could Allow Remote Code Execution (Replaces MS10-027) | Microsoft Windows | CVE-2010-2745 | KB 2378111 | No known exploits. | Severity: Important (1) | PATCH NOW! | Critical |
| MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution | Internet Explorer | CVE-2010-1263 | KB 2405882 | No known exploits. | Severity: Important (1) | PATCH NOW! | Critical |
| MS10-084 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (Replaces MS10-066) | Microsoft Windows | CVE-2010-3222 | KB 2360937 | This vulnerability has been disclosed publicly. | Severity: Important (1) | Critical | Important |
| MS10-085 Vulnerability in SChannel Could Allow Denial of Service (Replaces MS10-049) | Microsoft Windows, IIS | CVE-2010-3229 | KB 2183461 | No known exploits. | Severity: Important (3) | Important | Important |
| MS10-086 Vulnerability in Windows Shared Cluster Disks Could Allow Tampering | Microsoft Windows | (none listed) | KB 2294255 | No known exploits. | Severity: Moderate (?) | Important | Important |

(*) ISC rating: "PATCH NOW!" marks the bulletins ISC wants installed immediately.
We will update issues on this page for about a week or so as they evolve.


http://isc.sans.edu/diary.html?storyid=9736
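A way to do the "control the level of installations" check from the post above, as an added PowerShell example of mine (not from the page or from SANS ISC): it takes the KB numbers from the table and reports which bulletins each machine is missing, urgent ones first. It assumes PowerShell 2.0 with Get-HotFix and remote WMI access to the listed computers; the computer names are constructed.

```powershell
# Added example (mine, not from the page or from SANS ISC): report which of the
# October 2010 bulletins above are missing on a list of machines, using the KB
# numbers from the table. Assumes PowerShell 2.0 (Get-HotFix) and remote WMI
# access to the computers; the computer names below are constructed.

# KB article per bulletin, copied from the table above.
$bulletins = @{
    'MS10-071' = 'KB2360131'; 'MS10-072' = 'KB2412048'; 'MS10-073' = 'KB981957'
    'MS10-074' = 'KB2387149'; 'MS10-075' = 'KB2281679'; 'MS10-076' = 'KB982132'
    'MS10-077' = 'KB2160841'; 'MS10-078' = 'KB2279986'; 'MS10-079' = 'KB2293194'
    'MS10-080' = 'KB2293211'; 'MS10-081' = 'KB2296011'; 'MS10-082' = 'KB2378111'
    'MS10-083' = 'KB2405882'; 'MS10-084' = 'KB2360937'; 'MS10-085' = 'KB2183461'
    'MS10-086' = 'KB2294255'
}
# Bulletins the ISC table marks "PATCH NOW!" for clients or servers.
$patchNow = 'MS10-077', 'MS10-082', 'MS10-083'

function Get-MissingBulletins {
    param([string]$ComputerName)
    # Get-HotFix returns only the IDs it finds; a missing KB is simply absent,
    # and an unreachable host yields an empty list (everything reported missing).
    $installed = Get-HotFix -Id @($bulletins.Values) -ComputerName $ComputerName `
        -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    foreach ($b in ($bulletins.Keys | Sort-Object)) {
        if ($installed -notcontains $bulletins[$b]) {
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Bulletin = $b
                KB       = $bulletins[$b]
                Urgent   = ($patchNow -contains $b)
            }
        }
    }
}

# Constructed inventory; replace with your own list (AD query or text file).
$computers = 'WS-FINANCE-01', 'WS-FINANCE-02', 'SRV-FILE-01'
$report = foreach ($c in $computers) { Get-MissingBulletins -ComputerName $c }

# Urgent gaps first, so "why didn't this machine install it?" starts there.
$report |
    Sort-Object @{Expression = 'Urgent'; Descending = $true}, Computer, Bulletin |
    Format-Table Computer, Bulletin, KB, Urgent -AutoSize
```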


10/13/2010

SMS spam on proximus and no security around

so someone found the GSM number of one of my family members, who didn't know what to do with it

* she didn't ask for it

* she didn't fill in her GSM number in some of the online 'phishy' games

* it was in English

* telling her that she had won a British lottery

okay

where do we send it to block this spam?

nobody at proximus.be because there is no security and fraud department on the front page

you have to find it out yourself

this is the stupid apple philosophy - hide insecurity and don't tell anyone

I like the microsoft philosophy - insecurity is all around us - tell us and we will try to solve it

but the mobile companies still think that it won't happen to them

and even if there is no security awareness and no security alerts at proximus or any other mobile operator (even though mobile phones are being used for banking, paying and authentication) there is not even a mention of any phone number you can forward the SMS to. A general fraud and spam function on the phones, for example.

If the phone companies say that they are blocking the numbers that are being used so that there is no problem for their users, then they have to use the cooperation of their user community to receive those SMS spam messages as fast as possible to be able to block them as fast as possible (in phishing the rule is that a phisher makes his money in the first four hours, so time is really money).

and even that is reactive security, which is a very old security concept in the online security world that has long been abandoned as a standalone concept (except by Apple, but they don't care a bit about security for now).

what the mobile operators need to do is to

* use "honeyphones" that will respond to those games and frauds and will be the first to receive new ones (active intelligence)

* cooperate in real time with other phone operators and exchange mobile and malware information, and don't make the same mistake as the web world where each company or network has developed its own description and naming system. Keep it simple. Start with the phone number used to send it, the other phone numbers involved and then a choice among a list of definitions (spam, malware, texting subscription, stealing logons, .......)

* filter incoming calls, texts and mail/web traffic for malicious code and those telephone numbers

* scan the mobile webpages for malware and scripts and block them if necessary

* give users mobile security software

* give them a simple 'forward to our fraud or security department' option

* have a clearly announced security website on the front page with announcements, help pages, alerts and solutions

don't complain that you didn't know (you won't if you didn't read this blog :))

IRC server at blueline.be used for traditional botnet hosting and attacks

Strange but true, there are still many IRC based botnets around and they still find victims and they still make money.

Belgacom decided a few years ago to block the main IRC ports (now ported to http) after a series of attacks

But it is clear that not all the ISPs in Belgium have taken the same decision yet, although there is no reason to leave those IRC ports open as IRC traffic can now be tunneled through port 80.

The advantage of closing this port is that you disable access for all those 'old' IRC-based botnets. Because they have fewer possibilities as more networks close IRC ports, they will have to concentrate on the hosts or networks that still offer this service (to their own destruction).

The firm is a backup firm .....

http://www.cyber-ta.org/releases/malware-analysis/public/...

and more here

the other servers in this network are also interesting because

it shows that as long as trademarks like yahoo can be used by anyone in a domain name, this leads to confusion and malware

phonewire and phonelogin are two subdomains that are used

when they have found one vulnerable domain they install several hosts they control


10/06/2010

SIPvicious VOIP attacks a constant plague according to Arbor Networks

We have been writing about the continuous attacks against VOIP installations - and the possible links to be researched with the VOIP DDOS attacks - around the world.

When looking a bit further at the numbers of the SIP attacks that are monitored/discovered by Arbor Networks there are a few things that become clear

the highest number of attacks come from the US, Brazil, Portugal and the Czech Republic, but in the present world of virtualisation, outsourcing and cloud mania this isn't really important because, for example, the problem with one hoster in Brazil is with one domain with a VOIP service that in fact belongs to someone in Eastern Europe.

Are you monitoring your VOIP yet?

arbor networks atlas : fastflux networks fleeing China to Russia and .com and .net domain

Arbor networks publishes for its clients and contacts since long a list of the most active domainnames that are used in fastflxu domains. I observe the list since a few years after having discovered the abuse of the .be domain by fastflux domains (that was mentioned in the report published).

It is clear that since the Chinese government has closed the access to the .cn domain unless there was clear personal identification and responsability (and not only a virtual one) the malware and botnetmasters are obliged to migrate their new operations to other domains. This is very clear in this listing. Several months ago you would find at least a third of that list being domains in the .cn zone (and .ru).

While the russian company responsable for the .ru domain has announced that it also will enforce new identification rules for new domains, this doesn't seem to have had much success yet - based upon the listing.

It is also clear from the listing that just as .be as re-introduced manual and other malwarelinked controls in its new domain salesprocess other domains are probably also maintaining a strict monitoring. The number of regional domainzones that are being abused for fastflux operations is minimal based on the listings.

The biggest problem now is for the organisations that are responsable for the international generic domains like .com and .net. It is clear that for the malware business this is their surest bet and their best investment for the moment. This is also normal as it is very easy for a networkadministrator with no business in Russia to block the .ru domain totally but impossible to do this for the .com and .net domains.

The cleanup operation of the .com and .net and other international generic domains is enormous and will demand a lot of manpower and financial investment but at the other side wouldn't it be possible to demand a few dollars a year more for a generic domainname so that you can guarantee to the real businesses and organisations around the world that the phishers, scammers, spammers and crooks will be stopped sometimes from buying a domainname in their zone and surely from keeping it active too long.

This could be done by integrating the different database from the different companies and calculating a 'riskfactor' to each domainname. If a certain domainname is registered by a known shell or malware connection and has a high riskfactor according to for example 10 database out of 14 than there is a reason to investigate and at least put it 'on hold.

There is nothing virtual about it. If in the real world you set up shell companies and identities to defraud and you are found out, than these names and organisations are blocked and disbanded. Point final.

And as there is no central authority to do that, it is up to each organisation that is responsible for its domain zone whether they want to keep it safe and trustworthy or whether they are just a 'scammer and spammer zone'.

I always compare the situation on the internet with the Middle Ages. When you are behind the walls of the castle you have a certain form of protection. Once you leave the castle you are alone out in the open and nobody can be sure what will or can happen to you. You may be lucky or not. To keep the castles (and the villages in and around them) safe, the masters of the castle have to organize an army, a police force and a court. As long as the people are safe and have a relative form of privacy, freedom and enjoyment, they will be happy. They won't be if the insecurity of the outside world installs itself behind the walls.

Nobody will honestly complain if the organizers of a domain zone take the new measures necessary to keep the malware operators out or throw them out. For small domain zones this is just a question of survival; for the big international generic domain zones it is their civic online duty, which should have been part of their contract.


10/05/2010

Is the high level of attacks against VOIP and telephone systems linked to telephone DDOS?

The telephone companies are not only entering the internet age - they will also open their networks to all the insecurities and hacking that have become epidemic on the internet. The problem is that companies and their business users have come to trust the telephone system as something trustworthy, not as something dangerous or something to be doubtful about. Vishing is one example, but the hacking and attacking of phone systems (VOIP and normal telephone systems) is something that is maybe linked to launching telephone DDOS.

As I have mentioned earlier, according to some security officials speaking off the record, hacked telephone installations (digital or not) are sometimes found to be interlinked with each other, forwarding calls to each other.

This is a normal concept in a DDOS scenario. You would need different telephone numbers and exchanges to phone a certain number, just to be sure that you couldn't be blocked easily by blocking one telephone number calling in (even if with VOIP software you could program as many telephone numbers as you would like, they would still share some general identical number ranges).
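What the paragraph above describes has a recognisable shape on the receiving side: one callee, a burst of very short calls, many different calling numbers, so that blocking any single number does nothing. The following is an added example, not code from the post or from any telecom vendor, that looks for exactly that shape in call detail records. The CDR column layout (timestamp, caller, callee, duration in seconds), the phone numbers and the thresholds are all constructed for the illustration.

```python
"""Added example (not from the post): detect a telephony DoS pattern in call
detail records.  The CDR lines, numbers and thresholds are constructed for
the illustration; the column layout is an assumption, not a vendor format."""

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed CDR lines: timestamp,caller,callee,duration_seconds
# +15559990000 receives ten short calls from ten numbers in under three minutes;
# +15558880000 receives three ordinary calls of normal length.
SAMPLE_CDR = """\
2010-09-30T14:00:01,+15550001001,+15559990000,3
2010-09-30T14:00:14,+15550001002,+15559990000,2
2010-09-30T14:00:29,+15550001003,+15559990000,4
2010-09-30T14:00:45,+15550001004,+15559990000,3
2010-09-30T14:01:02,+15550001005,+15559990000,2
2010-09-30T14:01:20,+15550001006,+15559990000,5
2010-09-30T14:01:38,+15550001007,+15559990000,3
2010-09-30T14:01:55,+15550001008,+15559990000,2
2010-09-30T14:02:10,+15550001009,+15559990000,4
2010-09-30T14:02:31,+15550001010,+15559990000,3
2010-09-30T14:00:30,+15551234567,+15558880000,420
2010-09-30T14:03:00,+15557654321,+15558880000,95
2010-09-30T14:04:10,+15551234567,+15558880000,60
"""


@dataclass
class Call:
    when: datetime
    caller: str
    callee: str
    seconds: int


def parse_cdr(text: str) -> List[Call]:
    """Parse the constructed CSV-style CDR format; blank and '#' lines are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, callee, dur = line.split(",")
        calls.append(Call(datetime.fromisoformat(ts), caller, callee, int(dur)))
    return calls


def detect_call_floods(calls: List[Call],
                       window: timedelta = timedelta(minutes=5),
                       min_calls: int = 8,
                       min_distinct_callers: int = 4,
                       max_avg_seconds: float = 10.0) -> Dict[str, Tuple[int, int]]:
    """Return {callee: (peak_calls_in_window, distinct_callers_at_peak)} for every
    callee that, inside one sliding window, received many short calls from
    many different numbers.  Long calls pull the average up and suppress the
    alert, so ordinary busy lines are not flagged."""
    by_callee: Dict[str, List[Call]] = defaultdict(list)
    for c in sorted(calls, key=lambda c: c.when):
        by_callee[c.callee].append(c)

    alerts: Dict[str, Tuple[int, int]] = {}
    for callee, seq in by_callee.items():
        recent: Deque[Call] = deque()
        for c in seq:
            recent.append(c)
            while c.when - recent[0].when > window:   # slide the window forward
                recent.popleft()
            n = len(recent)
            distinct = len({x.caller for x in recent})
            avg = sum(x.seconds for x in recent) / n
            if n >= min_calls and distinct >= min_distinct_callers and avg <= max_avg_seconds:
                alerts[callee] = max(alerts.get(callee, (0, 0)), (n, distinct))
    return alerts


def largest_single_caller_share(calls: List[Call], callee: str) -> float:
    """Share of a callee's inbound calls coming from its single busiest caller.
    A value near 1/N says blocking one number would barely dent the flood."""
    counts: Dict[str, int] = defaultdict(int)
    for c in calls:
        if c.callee == callee:
            counts[c.caller] += 1
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


if __name__ == "__main__":
    cdr = parse_cdr(SAMPLE_CDR)
    for callee, (n, distinct) in detect_call_floods(cdr).items():
        share = largest_single_caller_share(cdr, callee)
        print(f"flood on {callee}: {n} calls from {distinct} numbers, "
              f"busiest single caller = {share:.0%} of traffic")
```

Run stand-alone it reports the flooded line; the single-caller share of 10% is the concrete version of the post's argument that blocking one calling number gets you nowhere, and it is the number a carrier would look at before deciding whether per-number blocking or a broader rate limit on the callee is the right response.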

And yes, the SIP attacks and the calling into and scanning of normal telephone exchanges are just continuing, and maybe this is one of the reasons why:

"Beyrouti, Babbo and Vitello worked with hackers who breached brokerage accounts at E-Trade and TD Ameritrade. The hackers then executed fraudulent sales of securities and transferred the proceeds from the sale to the mules’ accounts. The receiving accounts were set up in the names of shell companies and linked to the hacked accounts.

Meanwhile, the victims’ phones received a barrage of calls to prevent the brokerage firms from contacting them to confirm the legitimacy of the transactions. When the victims answered their phone, they would hear silence or a recorded message. About $1.2 million was transferred to shell accounts opened by the suspects, who then transferred the money to other accounts in Asia or withdraw the money from ATMs in the New York area.

Last May, authorities in Florida revealed a number of cases they were investigating involving similar telephony denial-of-service attacks. In one case, a Florida dentist had $400,000 taken from his Ameritrade retirement account while the thieves flooded his home, work and mobile numbers with repeated calls."
http://www.wired.com/threatlevel/2010/09/zeus-botnet-ring

Maybe it is time to take down the SIP and phone system attackers. The telephone companies would have to work with the internet providers to go after them. It is better to kill a developing fraud system in the beginning than to have to start cleaning up total chaos, as some are trying to do with the internet nowadays.


US open source internet voting by mail experiment stopped after hacking

Washington DC had a problem. Between the primaries and the general elections there was not enough time to follow the strict paper procedures to inform and handle the voters overseas (for example the military). Voters overseas have always been the locomotive for the e-voting train and some seem very open to the idea. After all, we shop online and do our taxes online, so why not vote online?

Because there is no worse election than a rigged election, or one where there are doubts about the results. And I don't say that paper elections are without mistakes, but in Holland they are going to concentrate on scanning technology for the paper ballots so that it is easier to count and fewer mistakes can be made. Paper elections have some mistakes, but except in small local elections where every vote counts (and recounts are part of the process) these don't have a real influence on the number of elected representatives. The problem with electronic elections is that a manipulation of the system and of the result is possible. In theory you could manipulate an electronic voting process with only a few machines and accomplices.

But the advocates of this industry say that they will use different checks and controls throughout the process so that the electronic process itself will be safer. The problem with that is - as the Dutch concluded after years of research - that when you do that as it should be done, the total cost will be enormous, and even then it won't be future-proof, as hacking and attack technology advances faster than defensive technologies.

So a test in Washington DC with a mail-based e-voting system was suspended after white-hat hackers penetrated the system and showed that it could be manipulated. One should also take into account that, with the number of Americans serving or living overseas, and given that presidential elections in the US have been very narrow (or according to some even stolen) victories, the possibility of rigging a few thousand votes from overseas could make a state or district (and an election) fall into the hands of the other party.

The hackers just changed the website, but according to them, to change the e-voting website they had access to everything and could have changed anything (for example the operations behind the voting buttons).

The system was open source (the myth of secure open source) and was tested internally but not by independent institutions - as is the case with voting booths (even if those sometimes also pose big problems).

The $300,000 are down the drain because a stupid security mistake could be exploited by a student.

The Dutch rest their case again: invest in technology to process the paper ballots so that humans make fewer mistakes.

And to hell with the news media that want election results right after the closing of the voting stations.

It is not because we have a result that we have a government :)  from Belgium


10/04/2010

Google malware alerts now available for administrators and IT security people

Safe Browsing Alerts for Network Administrators allows autonomous system (AS) administrators to register to receive Google Safe Browsing notifications. The goal is to provide network administrators with information about malicious content that is being hosted on their networks.

So go to your Google account, to your administrator functions, and test this.

It is surely worth the small effort - if not for your own image, then for that of your clients, who have more or less put their trust in you (and in a lousy programmer).


10/01/2010

AC Law email loss: 5 essential questions that arise

First, they downloaded and distributed the whole database and backup, and didn't filter out only those emails that were relevant to their cause. This means that personal and other emails (about other cases) are also compromised. This could have an influence on clients, trials and the confidential relationship between clients and their lawyers.

Secondly, there are very few personal emails in the mailboxes. This can be used by organisations to show the advantages of strictly separating personal and official mail into different mailboxes.

Thirdly, not all mailboxes are full, which means that some persons kept their mails on their PC or iPhone or whatever. In a more legal environment (sic) this would become a big problem. They say that the emails are not official and so on, but many things are organised and decided or confirmed by email, and I suppose that there was no official letter confirming all the emails.

Fourth, there is a legal disclaimer that says that if the email is not intended to be read by you, you should destroy it. Legally the firm can now go after each publisher or distributor of the emails. Even if those disclaimers mean nothing, they could be the argument that gives legal departments at blogging and file-hosting firms a reason to destroy the files, or the postings and blogs about these emails. It would also be hard to use these emails during trials and hearings, as legally they don't exist - unless they are handed over during a legal discovery process.

Fifth - and not least - the quantity of information that is in fact compromised is enormous, and the work that will have to be done to limit the privacy and security problems that could arise from it - especially targeted attacks - will require very detailed planning and follow-up over an extended time.

Finally, I think their business model and their agency are down the sink with this. How can you trust your legal business to a firm that is not capable of even ensuring your security after a stupid DDOS attack? This means that legal businesses (lawyers, researchers and that kind of legal mercenaries) will have to invest heavily in highly secured, encrypted email and file systems, and make encryption, and data destruction after the loss of a laptop or smartphone, an obligation. They will also have to show all their employees - once again - that they have to follow the procedures strictly, because otherwise the firm could be hit fatally after a security incident.
