10/01/2014

local website of the Gezinsbond hacked (with login)

yet another site that is so proud of its login

and that would do better to use a central secured service of the central Gezinsbond instead of tinkering all over the country with code that people only half understand

ocmwzomergem hacked (with login)

these are the online services they are so proud of

this is the shit somebody else is even more proud of

free test sample of the DarkComet malware, without backdoors

if you can install this on your computer without being detected you have a problem

because it will take over your webcam and microphone, as well as the rest of the machine

source http://cyberwarzone.com/darkcomet-rat-sample-dc_mutex-m69pz1m/

09/30/2014

Shellshock or Bashbug: the 5 essential things you have to know (or don't want to know)

what you have to know (forget the hundreds of articles that are polluting the internet and hiding the essential information)

1. the code we are talking about is 22 years old and was written without any standard, control, security test or whatever in mind

if you can't replace it you are in big trouble

2. the attacks started on the 2nd of September, the vulnerability was discovered around the 10th and the patching started 2 weeks later (and will be an ongoing process)

there are at the moment millions of scans and attacks going on, so if you have a reason to worry about your infrastructure or data, then you should follow this up

if you don't have an IPS and WAF you are just naked, waiting to be raped digitally by some attackers

3. we are now at our 2nd patch because the first wasn't working, and at the same time we are at 6 official vulnerabilities, of which 2 are SECRET (which doesn't mean that they aren't being used at the moment, but it is better to keep them secret for the time being before they become common knowledge among the attackers)

you should receive permanent, immediate updates from the essential information sources for your products and from general internet security sources like https://isc.sans.org, because the situation can change or calm down at first and then explode again at any moment (as you are reading this)

4. there is at the moment not much coordination, so information is going around at an ever increasing speed, and not everybody understands the difference between the different kinds of attacks, vulnerabilities and exploits, or that a vulnerability, even if it can be attacked, doesn't mean that it can always be exploited

5. there is nothing like this and we are not prepared, because you can't be prepared for situations like this, you can only try to limit your risks. People who have put everything on the cloud and thought that cheaper open source products were better than products with some support behind them will now get value for their money. A Return on Investment of a million against one

Expect everything because everything is possible (with up to half a billion machines that could eventually be attacked, and even if only 3% can be exploited this makes an enormous base for botnets and malware)

and my last thought is

which open source code is next?

more links at

https://www.diigo.com/list/mailforlen/Security/6n0ke5g 

RSS feed is here https://www.diigo.com/rss/list?u_name=Mailforlen&uri=...

09/10/2014

Leaked (mostly) Russian Gmail accounts - Google says it knows what happened

According to the Russia-based CNews a spokesperson for the Russian office of Google Svetlana Anurova said: "experts now understand what happened in the case". She also urged users to "select strong passwords and be sure to use a two-step authentication".
http://www.news965.com/news/news/local/google-investigati...

aside from the strong passwords and the two-step authentication

what happened?

was it possible to do some brute forcing on the servers?

was traffic to the server intercepted?

was it phishing?

if you know what happened

you have to say what happened, even if you have fucked up

this is what real trust is based on

that it may happen but will never happen again (the same thing)

SHA1 certificates aren't secure enough for Google, you have to upgrade

source https://blog.globalsignblog.com/blog/google-to-display-wa...

how the new malware bypasses URL blocking by proxies and web filters

As per the “Malware Traffic Analysis” blog, a similar infection chain is seen from www.techo-bloc.com too. In both cases, the JavaScript file in the compromised server is modified to serve the exploit kit. The initial redirection server 192.185.16.158 has been used widely in recent web infections. It appears to be a website hosting server and belongs to the company HOSTGATOR according to the recent DomainTools lookup. Various domains of innocent users from the music industry and law firms are used as “redirection” links in the infection chain. The target exploit server (95.163.121.188) is hosted in Russia. This is a sinkhole that is connected to many such varying domain names. All of these names have some substring “cdn” in them. Once the bad actors get access to an account/server they just create a corresponding “cdn” domain entry under that domain and use it to point to the target exploit server. This way they can bypass a lot of the URL categorization and URL blacklisting technologies.
http://www.cyphort.com/blog/israeli-security-think-tank-w... 

never expect your enemy to be passive: they are always on the lookout for a bypass and will use it massively as long as it works, because it is a window of opportunity; it takes a long time before you have found a way to block these automatically and afterwards to distribute it to all of your installations

oh and what is more, only one URL blocker knows the command and control server of this tool

but it has already been distributing malware since at least March 2014

source http://totalhash.com/analysis/60c5632656bef4f5e42a6f4805c...

as is proven in this other analysis

http://support.clean-mx.de/clean-mx/viruses.php?sort=firs...

so a URL can have various malicious downloads for some time that are detected, but it will not be stopped as a bad URL by most of them

big opportunity for their zero-days

I just block all traffic to Russia on my network, full stop

The military strategy of China is now information warfare centered

"Xi Jinping, head of the Chinese Communist Party, is calling on China’s military to focus on innovation and information warfare. He declared the world is seeing a “new military revolution.”

“We should cast off the paradigm of mechanized warfare and embrace an approach to war featuring information technology,” Xi said, during a meeting of the Political Bureau of the Chinese Communist Party (CCP) Central Committee.

Xi gave his speech on Friday. His statements were reported by China’s state-run news agency Xinhua on Sunday.
http://www.theepochtimes.com/n3/926297-china-calls-for-mi...

this also involves electronic warfare, as you have to intercept and disrupt the electronic communications and tools of the enemy - even if you are not shooting at each other :)

it also means much more 'reconnaissance' and 'intelligence' (cyber espionage)

why western firms are no longer locating top management and secret information in China

"The many frustrations of doing business in China have made some difference in the plans to move executives here — choking air pollution, countless regulations that favor local competitors and weak protection for intellectual property. A rising wave of economic nationalism has also manifested itself in large-scale raids on the Chinese offices of multinationals in the automotive, pharmaceutical and technology sectors. Police officials are copying large numbers of computer hard drives and interrogating employees without allowing access to legal advice.

More important, many multinationals are starting to pay renewed attention to Southeast Asia, which is showing signs of revival 17 years after the Asian financial crisis. They have found it hard to do that from Shanghai or Beijing. Each major city has no more than one flight a day to Jakarta, Indonesia, for example. And China’s diplomatic and trade ties to Southeast Asia have been strained by its increasingly assertive claims to control over practically all of the South China Sea.
http://www.nytimes.com/2014/09/10/business/international/...

China is only part of Asia, and with the rest of it it has very strained political and military relations for the moment, sometimes on the brink of conflicts and incidents and talk of war

Having your secret business information in China involves enormous investments in its security, and transporting it to China needs something like the Unbreakable Laptop (Sophos) or other highly secure transportation

09/09/2014

#leaks if you have connections or business with Israel you will be attacked and leaked in #opisrael

one example of an institution that has connections or relations with Israel and got hacked and leaked

#leak of #twitter accounts #passwords

several series

strange that their security department didn't see that

but disabling activist accounts, that can go quite fast nowadays

09/08/2014

hacking a botnet and making a dump of all the infected computers

this is how it should be done

source http://siph0n.net/exploits.php?id=3528

#leak comicbookdb.com 52.000K user passwords (also Belgians)

source http://siph0n.net/exploits.php?id=3550

the Harkonnen operation: too good to be true

300 business executives all over Europe were infected

from 2002 onwards and nobody saw it

300 shell companies were based in the UK to harvest the data

the data was also about biological warfare and nuclear research

well

somebody read too many spy novels and did a fast but wrong analysis, quickly confusing adware with spyware, spyware with espionage warfare, and from there going on to targeted attacks

and maybe the business executives were attacked more because they don't like the protections that the others have and nobody has the guts to impose them

and maybe the business executives had access to these data, but that doesn't mean that they lost that data

except if there is real proof that the adware network was used for real cyber espionage

this is another sales trick, as we see more and more often

especially when firms are fishing for clients or have to face a tough quarter or an IPO

meanwhile trust in reporting about cybersecurity got another foot in the mouth

except if they come with real evidence

they are LIARS LIARS LIARS

show me the real evidence or shut up

it can be true, but the proof given for the Harkonnen operation is unbelievable (sales) CRAP for now

this is the analysis based upon the pdf with the dangerous IP addresses linked to this cyber espionage operation

and these are in fact known - just as all the other IP ranges - to be known for spam and adware, which some of the domains in fact show (and yes, the firm Consumer Benefit is in the UK)

and there are viruses on the domains but they are ADWARE

"A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report) both in C:\WINDOWS\SYSTEM32.

The blocks are 212.19.36.192/27 and 82.98.97.192/28
http://cbnetsecurity.com/colors/archives/3296

and many of the URLs are clean by the way

although some have some detection

and then look at this file and you will see that it is about exactly the same operation

http://blog.dynamoo.com/2013/11/consumer-benefit-ltd-adwa...

so is it all crap because you have distributed your product in the three countries that you said are affected?

because this proves nothing of what you said

but absolutely nothing

I think it is about time that we begin to prosecute security firms who

* scare markets and countries with false flag information

* find data dumps and don't give them to the authorities but keep them for themselves

* find botnets and don't give the IP addresses to the CERTs concerned

why the Harkonnen operation reminds us of the executive low hanging fruit in any organisation

This specific attack has proven to be just the tip of an international cybercrime iceberg. CYBERTINEL has since found records of ‘Harkonnen Operation’ on more than 300 additional organisations in Germany, Austria and Switzerland, targeting key executives
http://cybertinel.com/news/press-release-harkonnen-operat...

try to explain to your CEO or top management that they can't have access to those documents, that they can't install whatever they want on their computer or smartphone, and that the material they get is totally locked down because they are prime targets

if they are smart they ask for that kind of protection or if the firm is smart it is written in their contracts

they should take it as part of the proof that they have become so important, and that their access to information has become so important to the organisation, that they need the 'secret protection' of their hardware and access, because they have become the prime targets for any group of specialised, dedicated hackers

this is the reason why they should be in permanent 'hardware lockdown' and 'full supervision' and 'full encryption'

try to explain that to your big boss

or try to keep him committed to that without trying to bypass you or the system

why European intelligence should be worried about the Harkonnen Operation

yep, it is in the details again

sit down, read the following sentence aloud or to someone else, and look at your own or his or her reaction

"In the past month, Cybertinel has been in touch with 300 current and former victims, who discovered digital clues indicating that the hackers stole sensitive documents — studies on biological warfare and nuclear physics, as well as plans for key (and top-secret) infrastructure, along with the “usual” bank account and credit card data.
http://www.timesofisrael.com/israeli-firm-busts-13-year-l...

the first question is whether one of the two kinds of documents may be a diversion, and whether those documents were thrown away afterwards or not

if it is a financial operation they could have done the data operations to set the investigators on the wrong foot, looking for state actors instead of the traditional cybercrime operations

if it is a spy operation then the financial data may be a diversion to make the investigators and the press look for the typical cybercrime operations instead of the state operations

you can also say that if it is a Russian or Chinese operation they may have needed those military or scientific documents to keep the state intelligence services happy so they could operate freely (as long as they didn't attack infrastructure in their own country of course)

The first question for the intelligence agencies in Europe will now be to find the culprits and to dismantle or infiltrate the whole infrastructure or group. The second question will be to know what was lost or may be considered 'compromised' and what damage was done. And one kind of analysis is what would happen if that information got into the hands of..... knowing that this kind of information could also be 'put on the market'.

The third question is why that information wasn't protected better.

why the Harkonnen Operation wasn't discovered as an operation for 12 years

"The Harkonnen attacks showed just how easy it is for hackers to pull off a scam, said Ben-Naim. “One of the secrets of their success was that they were in and out quickly, so even though they used the same infrastructure to attack companies, they only remained on a server for a few months.” In the case of their German client — a 30 year old corporation with over 300 employees — the hackers stayed on a little longer than usual, giving the company an opportunity to notice that something was amiss.

“The fact that the attacks were relatively short and specifically directed at certain data, and that the Trojans were unsigned, all contributed to the failure by anyone to realize that a major organized attack was going on for such a long time,” he said. “’You can’t be too careful’ is a lesson I would take from this incident.”
http://www.timesofisrael.com/israeli-firm-busts-13-year-l...

so when people talk about '800 victims' then we should remember that they weren't all victims at the same time, but that at some point they were penetrated for some weeks or at most months and then were left - and it is not clear if they cleaned up the proof afterwards, which some attackers do (especially if they also have access to the logs and you don't have a protected 'no access' copy).

but the method was traditional: one of the shell companies wrote an email with a link that was clicked on by somebody, which installed the trojan, and that computer was used as the beachhead to get the documents, and once the documents or data were found they stopped the operation and moved on to the next target

and the trojan was not that complicated, they say (before you start shouting about APT and complicated malware)

By the way, I hate all that APT and complicated malware stuff, because the most complicated malware can be bought online for several hundred euro for the most complicated and permanently updated attack tools, and secondly even the most simple attack tools have now incorporated some of those 'complicated' functions of the so-called advanced malware

hackers have used a real spy tactic since 2002 to hide their hack of 300 European (financial) businesses and institutions

In real espionage you set up a shell company and you make everything look as if it is legitimate - this is important because you don't raise any suspicion right from the beginning

these attackers spent an enormous amount of money - maybe the result of their first penetrations - to set up real companies on paper and get the paperwork done to look as if it is real. Remember this operation has been going on since 2002 and was only discovered in August 2014 (so 300 companies and networks have a maximum of 12 years of penetration through a digital beachhead)

other attackers are still too stupid to spend some cash on hiding themselves more professionally, but this could change, because if you can hide your operations for years by setting up shells, then the return on investment is really worth it

"Unusually for a targeted attack campaign, the group behind Harkonnen chose not to send the exfiltrated data to a hijacked domain, but instead spent $150,000 setting up legitimately registered companies with legitimate domains and certificates in the UK – making it much harder to detect.

“If they would have hijacked legitimate hosts they would have risked detection much earlier, which would have put their entire attack business at risk,” explained Jonathan Gad of Cybertinel partner Elite Cyber Solutions.

“Remember, technically, the infrastructure was completely real. You could look up the companies at Companies House, or the domains etc, and see a real entity with an address and phone number. These hackers were long-term serious hackers, so they made long-term serious investments which look like they paid off.”

Gad told Infosecurity that the lack of checks made on companies registering domains in the UK helped the gang get away with their campaign for so long.

For example, many of the 833 ‘companies’ were registered with the same physical address in Wakefield but with the same phone number, a German number.

In addition many were closed a few months after opening but the certs were renewed annually.

“It does seem that better checks could be done on company registration/cert buying etc to avoid this kind of scam. In other countries a range of additional checks are done when buying certs, so the UK could include some of these too,” Gad argued
http://www.infosecurity-magazine.com/news/hacker-disguise...

of course this now makes any company in the UK look suspicious if it doesn't already have enough credentials - and the UK is not the only one, thinking of companies in Russia and China which are spy-ridden, or offshore companies where you will never know who is behind them

that is also why real businesses buy business information and analyses before getting into business with a business, and maybe this will be a new 'data leakage' protection service (checking on the business you are sending certain kinds of information to). It can also be a blacklist or a list with indicators based upon administrative and business data (turnover for example, number of clients, etc.)

more information can be found here

Click to view the ‘Harkonnen Operation’ report.

Click here for a list of hazardous addresses.

why we need a global ban on certain trademarks in all domain names (except for the real owners)

just to make it much more difficult for the attackers to use legal-sounding names that keep network administrators from questioning the traffic, or users from not clicking on it or letting it pass

like eBay and Google, and in other lists you will find other examples

remember there will be close to a thousand new domain extensions soon

all free to use any of those names and confuse us and overwhelm our administrators and security people
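As an added example (not code from this blog), the Python below turns two patterns from these posts into defender-side checks over DNS or proxy records: the "cdn" pivot from the earlier post on URL-blocking bypasses (many unrelated registered domains each gaining a 'cdn' host that resolves to one exploit server), and the trademark-in-hostname problem from this post (a brand token appearing outside a domain the brand owner controls). The records, IPs, suffix set and owner allowlist are all constructed sample data.

```python
"""Added example, not code from the blog: two hostname checks over DNS/proxy records.
Sample data below is constructed; IPs come from the TEST-NET documentation ranges."""
from collections import defaultdict

# Deliberately minimal public-suffix set; a real deployment would load the Public Suffix List.
SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

# Constructed allowlist: domains the brand owner actually controls.
BRAND_OWNERS = {"ebay": {"ebay.com", "ebay.co.uk"}, "google": {"google.com"}}


def registered_domain(host):
    """Return the registrable domain (eTLD+1) of a hostname using SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes such as co.uk before single ones
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def cdn_pivot_ips(records, min_domains=3):
    """records: iterable of (hostname, resolved_ip).
    Flag every IP that is the target of 'cdn'-labelled hosts from at least
    min_domains distinct registered domains (one exploit server reached through
    'cdn' entries planted under many compromised domains).
    Returns {ip: sorted list of those registered domains}."""
    by_ip = defaultdict(set)
    for host, ip in records:
        labels = host.lower().split(".")
        reg = registered_domain(host)
        sub_labels = labels[: len(labels) - len(reg.split("."))]  # labels left of eTLD+1
        if any("cdn" in lbl for lbl in sub_labels):
            by_ip[ip].add(reg)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def brand_abuse(host):
    """Return brand tokens that appear anywhere in host while its registered
    domain is not one the brand owner controls (the 'legal-sounding name' problem)."""
    reg = registered_domain(host)
    return sorted(b for b, owned in BRAND_OWNERS.items()
                  if b in host.lower() and reg not in owned)


# Constructed passive-DNS style records: three unrelated domains each gained a
# 'cdn' host resolving to the same server, plus benign noise and one brand lookalike.
SAMPLE_RECORDS = [
    ("cdn.musicstudio-example.com", "203.0.113.7"),
    ("cdn1.lawfirm-example.co.uk", "203.0.113.7"),
    ("cdn-static.guitarshop-example.net", "203.0.113.7"),
    ("www.musicstudio-example.com", "198.51.100.20"),
    ("cdn.singlesite-example.com", "198.51.100.9"),
    ("ebay-login.secure-update-example.net", "203.0.113.9"),
]

if __name__ == "__main__":
    for ip, domains in cdn_pivot_ips(SAMPLE_RECORDS).items():
        print(f"pivot server {ip} <- cdn hosts under {len(domains)} domains: {domains}")
    for host, _ in SAMPLE_RECORDS:
        if brand_abuse(host):
            print(f"brand token outside owner domain: {host} ({brand_abuse(host)})")
```

A single 'cdn' host is normal and stays below the threshold; the signal is one IP collecting such hosts from several unrelated registered domains.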
