security - Page 33

  • new feature in Android to secure your applications against malware

    source of image http://hackersnewsbulletin.com/2014/04/new-androids-security-feature-will-regularly-scan-apps-protect-harmful-software.html

  • LaCie, one of the webshops that lost data because they didn't patch ColdFusion

    "Computer hardware company LaCie is warning customers who have made transactions between March 27th, 2013 and March 10th, 2014 that their personal data may have been compromised. According to a statement released by the company, customer names, addresses, email addresses, payment card numbers, card expiration numbers and passwords could be at risk

    LaCie's disclosure of the year-long security breach came a month after Krebs on Security published evidence of the attack. Brian Krebs wrote extensively about "a botnet of hacked e-commerce sites" created using Adobe ColdFusion vulnerabilities." http://www.theverge.com/2014/4/16/5619336/lacie-infected-malware-sensitive-information-compromised

    many of those websites are STILL vulnerable

    "The botnet control panel listed dozens of other e-commerce sites as actively infected. Incredibly, some of the shops that were listed as compromised in August 2013 are still apparently infected — as evidenced by the existence of publicly-accessible backdoors on the sites. KrebsOnSecurity notified the companies that own the Web sites listed in the botnet panel (snippets of which appear above and below, in red and green), but most of them have yet to respond." http://krebsonsecurity.com/2014/03/thieves-jam-up-smuckers-card-processor

  • comité I, responsible for intelligence oversight, runs an unsafe contact form

    they have a contact form

    that is where you fill in your details when you want to complain about the intelligence services or when you want to ask what information they are collecting about you

    it is interesting for other parties to know who in Belgium is followed by the intelligence services, and followed in such a way that they want to know why (which may be interesting to you)

    so that form should be very well protected, no?

    also in the interest of the person themselves, because if this information is intercepted then that person, who could be innocent, can be treated as suspicious by a number of intelligence services, even if they don't know what for

    so the page with the form

    first, there is a total mismatch of the SSL certificate on the form page, which also makes it clear to an attacker that the server is running Plesk, a platform for which there are enough exploits to find online

    secondly, if we test the certificate of the server itself (it may be a good one), the result is devastating

    so if you want to contact the comité R or I, you'd better not do it online
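    The mismatch described above is a certificate that does not name the host it is served for, so every visitor gets a browser warning and sees the name the certificate does carry. The following Python, added here as an example and not code from the original post or from any site it describes, implements the host-name matching a browser performs (SAN DNS entries first, the subject CN only when there is no SAN, a wildcard accepted only as the complete left-most label) over certificate dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificates and host names are constructed, using the reserved `.example` domain, and nothing below touches the network.

```python
def _name_matches(pattern, hostname):
    """Match one certificate DNS name against a host name (RFC 6125 rules).

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    accepted only as the whole left-most label, and only when at least two
    labels follow it, so '*.example' and 'f*.oversight.example' match nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """Return the DNS names a certificate is valid for, in the order a client checks
    them: all subjectAltName DNS entries, or the subject commonName only if there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def certificate_matches_host(cert, hostname):
    """True when a browser would accept cert for hostname without a name warning."""
    return any(_name_matches(name, hostname) for name in certificate_names(cert))


def describe(cert, hostname):
    """One-line verdict for a report.  A mismatch also lists the names the certificate
    does carry, because those are what every visitor (and any attacker) gets to see."""
    names = ", ".join(certificate_names(cert)) or "no DNS name"
    if certificate_matches_host(cert, hostname):
        return f"{hostname}: OK (certificate names: {names})"
    return f"{hostname}: MISMATCH, certificate is issued for {names}"


# Constructed certificates in the dictionary shape ssl.SSLSocket.getpeercert() returns.
# Host names use the reserved .example domain; none of this is a real site's certificate.
HOSTING_PANEL_CERT = {      # the default certificate of a shared hosting control panel
    "subject": ((("commonName", "panel.hosting.example"),),),
    "subjectAltName": (("DNS", "panel.hosting.example"),),
}
SITE_CERT = {               # a certificate issued for the contact-form site itself
    "subject": ((("commonName", "www.oversight.example"),),),
    "subjectAltName": (("DNS", "www.oversight.example"), ("DNS", "oversight.example")),
}
WILDCARD_CERT = {           # a wildcard covers one label below the domain, not the apex
    "subject": ((("commonName", "*.oversight.example"),),),
    "subjectAltName": (("DNS", "*.oversight.example"),),
}
LEGACY_CN_ONLY_CERT = {     # no SAN at all, so the CN is the only name that counts
    "subject": ((("countryName", "BE"),), (("commonName", "forms.oversight.example"),)),
}

if __name__ == "__main__":
    checks = [
        (HOSTING_PANEL_CERT, "www.oversight.example"),
        (SITE_CERT, "www.oversight.example"),
        (WILDCARD_CERT, "oversight.example"),
        (LEGACY_CN_ONLY_CERT, "forms.oversight.example"),
    ]
    for cert, host in checks:
        print(describe(cert, host))
```

    The first check is the situation in the post: the name on the certificate belongs to the hosting platform, not to the site, so the verdict is a mismatch and the report shows exactly which name leaks. The wildcard case is included because a `*.domain` certificate bought to cover the form is a common way to end up with a mismatch on the bare domain.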

  • #heartbleed panic about the leak at the Belgian Comité R

    The Belgian comité R of the Belgian parliament is not only responsible for the oversight of the military and civil intelligence services; it also handles complaints against these services and can launch investigations or make the services stop certain investigations

    On Saturday a security researcher who apparently was scanning the Belgian internet with the released Python code found that their mail server was still vulnerable. He contacted the services, who patched the system on Sunday and on Monday started to investigate the possible security problems and actions

    so first a few things

    * as the script that is used also downloads information as part of the test (surely on some servers), I didn't use that script because I am not legally appointed to do such tests and to have such information on my computer, so it is something that may be dangerous

    * as the CERT was responsible for informing all the different networks and operators, I presumed that highly secretive organisations like comité I were to be included last week

    * as the press was full of all kinds of alerts and warnings about the bug and how to patch it, you could suppose that it had already been done by the network administrator; if you work for such an institution you should have the mindset to keep it secure at all times, not

    now the hardest part

    there is concrete information that the bug has been actively used since November 2013, which leaves ample time to do all the reconnaissance you want

    there is concrete confirmation that you can get all the necessary information, including the encryption keys, which means that everything has to be changed

    the fact that the other servers aren't impacted by the bug does not mean there is no connection between them and the mail server, and it is possible that someone used this back-office link to penetrate the other servers that hold the confidential information

    they say that all the emails can be affected and they have taken the mail server offline, but do you know what that means? It means that all the passwords can be affected, and if someone doesn't use two-factor authentication then all these passwords, everywhere, are impacted and should be changed

    if the intelligence services now want to call the commission a real security risk and refuse to give them information on their servers, instead obliging them to come to the services' offices to check the information they have asked for, then you could see everything that has happened in this crisis as sufficient proof of lax security, and there is more coming ......
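    The released scanning code mentioned above talks to live servers, which is exactly what the author declines to do. The Python below, added here as an example and not code from the original post, does the defender-side equivalent offline: it walks a byte stream of TLS records and flags heartbeat messages whose declared payload length exceeds what the record actually carries. That comparison is the bounds check the OpenSSL fix added (the message layout comes from RFC 6520: one type byte, a two-byte length, the payload, and at least 16 bytes of padding), and it is the same condition an IDS signature for this bug looks for. The sample stream is constructed for the example, not captured traffic.

```python
import struct

# Layout constants from RFC 6520 (TLS heartbeat extension)
CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                        # a receiver must assume at least 16 bytes of padding
RECORD_HEADER = struct.Struct("!BHH")   # content type, protocol version, fragment length


def iter_tls_records(blob):
    """Yield (content_type, version, fragment) for each complete TLS record in blob.
    A trailing truncated record is ignored, as a sniffer does on a cut capture."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(blob):
        ctype, version, length = RECORD_HEADER.unpack_from(blob, offset)
        start = offset + RECORD_HEADER.size
        fragment = blob[start:start + length]
        if len(fragment) < length:
            break
        yield ctype, version, fragment
        offset = start + length


def classify_heartbeat(fragment):
    """Return (verdict, declared_payload, available_payload) for one heartbeat fragment.

    'oversized' is the Heartbleed condition: the sender claims more payload than
    the record carries, so a receiver that trusts the field copies memory beyond
    the message into its reply.  The test mirrors the check the OpenSSL fix added:
    1 (type) + 2 (length) + payload + 16 (padding) must not exceed the record length."""
    if len(fragment) < 3:
        return "malformed", None, None
    hb_type = fragment[0]
    declared = struct.unpack("!H", fragment[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "malformed", declared, None
    available = max(len(fragment) - 3 - MIN_PADDING, 0)
    if 1 + 2 + declared + MIN_PADDING > len(fragment):
        return "oversized", declared, available
    return "ok", declared, available


def scan_heartbeats(blob):
    """Scan a byte stream of TLS records and return one finding per heartbeat record;
    records of any other content type are skipped."""
    findings = []
    for index, (ctype, version, fragment) in enumerate(iter_tls_records(blob)):
        if ctype != CONTENT_TYPE_HEARTBEAT:
            continue
        verdict, declared, available = classify_heartbeat(fragment)
        findings.append({"record": index, "version": hex(version), "verdict": verdict,
                         "declared_payload": declared, "available_payload": available})
    return findings


# Constructed sample traffic (not captured data), three TLS 1.1 records back to back:
#   record 0: ordinary application data, ignored by the scanner
#   record 1: honest heartbeat request, payload "ping" (4 bytes) plus 16 bytes of padding
#   record 2: heartbeat request whose length field claims 0x4000 bytes but carries no payload
SAMPLE_STREAM = (
    b"\x17\x03\x02\x00\x05" + b"hello"
    + b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
    + b"\x18\x03\x02\x00\x13" + b"\x01\x40\x00" + b"\x00" * 16
)

if __name__ == "__main__":
    for finding in scan_heartbeats(SAMPLE_STREAM):
        print(finding)
```

    Run against the sample stream the scanner reports the second heartbeat as oversized with 16384 bytes declared and 0 available; on a real capture the same function is applied to the reassembled TCP payload of port 443 traffic, and any "oversized" finding dated before the server was patched is the evidence the post says is missing from most incident statements.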

  • XSS through Flash (especially with banner advertising)

    this article explains it rather well

    source http://www.acunetix.com/blog/web-security-zone/elaborate-ways-exploit-xss-flash-parameter-injection/

  • #kiev Russian banks in Kiev were financing the separatists and were raided today

    after the arrest of a few ringleaders who started singing like canaries, operational information becomes available on which the Ukrainian security and intelligence services can act, and luckily they do

    "One of the Russian banks financed the terrorist groups in the east of Ukraine, stated the Security Service of Ukraine. During March and April of this year, the bank cashed 45 million USD, which was spent on the organization of separatist actions. Officials of the bank's operating headquarters in Kiev, in violation of the law of Ukraine "On prevention and counteraction to legalization (laundering) of proceeds from crime and terrorist financing", "financed terrorist groups whose members do violence to the citizens, riots, arson, destruction of property, seizure of public buildings, resisted state authorities and law enforcement agencies with weapons, as well as actions aimed at preparing to commit terrorist acts", the statement of the SBU.

    In addition, the bank daily transfers from $200 to 500 on credit cards issued to members of terrorist groups. SBU investigators discovered by these facts a criminal case against officials of financial institutions under Part 3. 258-5 (terrorist financing) of the Criminal Code of Ukraine."

    https://www.facebook.com/photo.php?fbid=600233420072999

  • the people from TrueCrypt shout that no backdoors were found, but

    first, remember that the Heartbleed bug was one line of bad code, not more

    secondly, remember that a successful attack against an e-voting machine was not done through one bug but through an unexpected combination of several small bugs, each of which on its own was not a big issue

    then read this part of the report of the TrueCrypt code audit and think for yourself whether you are going to jump through the roof (if you don't use it for very important stuff) or whether you aren't that sure anymore (if the stuff you are protecting with TrueCrypt is really, really important)

    by the way, this proves that even open-source code should be examined with professional tools and by people who do only this for weeks on end and are obliged to give their very best, as they are paid to do so and their credibility (in fact their business) depends on it

    source http://arstechnica.com/security/2014/04/truecrypt-audit-finds-no-evidence-of-backdoors-or-malicious-code/

  • how an XSS bug makes DDoS botnet clients out of your visitors

    scary if you know how many XSS mistakes there are on the web, and they don't care because most often they don't even know what it is; the prime concern is that it has to look good and be simple

    http://arstechnica.com/security/2014/04/how-a-website-flaw-turned-22000-visitors-into-a-botnet-of-ddos-zombies/

  • .be websites that lost logins in 2013-2014 according to one source

    all the breached .be sites that had logins published online in 2013 - 2014

    this is a commercial service https://shouldichangemypassword.com/all-sources

    approx. 4883 passwords and logins from .be domains in a year

    this isn't all the Belgian sites

    these are only the known Belgian sites, because their logins were thrown on the internet

    underground there are far larger datasets for sale

  • this is one of the things that happen when your twitter account gets hacked

    and all your followers will see this

    this is a private account, but imagine that it is a high-profile business account

  • #opisrael participants hacked by Israeli hackers themselves - does your mother know?

    this is one example from a list of attackers whose computers they penetrated and infected; they stole the passwords (and published them), displayed a warning on their screens and took a picture of them

    the kids themselves responded to the call of the OpIsrael operation but didn't know that they would be attacked themselves and that passwords and other stuff about them would be published

  • #heartbleed Canadian tax office lost data because of this vulnerability

    they closed down the site the moment the information about the vulnerability became public, but it was too late: they had already been attacked with the exploit

    "The Canada Revenue Agency (CRA) blocked public access to its online services last Tuesday in reaction to the announcement, but that wasn't fast enough to stop attackers from stealing information, it said on its website.

    "Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability."

    The CRA said its analysis of the attack is not yet complete and it is continuing to analyze "other fragments of data, some that may relate to businesses" that was also apparently removed.
    http://www.computerworld.com/s/article/9247661/First_sites_admit_data_loss_through_Heartbleed_attacks

  • a website from Mobistar hacked (now cleaned)

    but before it was like this

    they surely need some work on that server :)

  • hacked by Anonymous: euro-villages.be

    this is their website

    and this was the hack, but they have already found the page

  • if you are a CERT you should use this info portal from Spamhaus

    Today, The Spamhaus Project is both happy and proud to announce the official launch of the Spamhaus CERT Insight Portal. The aim of the new web portal is to help Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Team (CSIRTs) with a national or regional responsibility to protect their critical infrastructure and IP address space from cyberthreats.

    The CERT Insight Portal, which is available for free, provides information about malware infected computers (bots) within a CERT/CSIRT area of responsibility — the specific country or region that the CERT or CSIRT is responsible for. This data set is sourced from the Spamhaus XBL. In addition, the portal contains a notification system for any new SBL and Botnet C&C listings within a CERT/CSIRT area of responsibility.

    Last year, Spamhaus opened the CERT Insight Portal to beta users, and it has already been a big success. More than 30 CERTs with a national responsibility are now receiving near-real-time feeds from Spamhaus, helping them to remediate infections in their country and take action against new Botnet Command & Control servers (C&Cs).

    CERTs and CSIRTs with national or regional responsibility can request access to the CERT Insight Portal by contacting the Spamhaus CERT Outreach team at: cert-team@spamhaus.org
    http://www.spamhaus.org/news/article/705

    using this should become one of the things a CERT has to do to be accredited

    and they should also have a certain minimum resolution rate

    what is the use of having access if you don't or can't do anything with it?

  • how to report an incident to the Belgian CERT.be

    This is not the same as reporting it to the police; the CERT can only help you with resolving it

    I also send lists of hacked Belgian sites, vulnerable Belgian sites and found Belgian ID data

    I never contact the owners themselves, given the number of times they have said they would sue ME or just ignored it

    "Report an incident

    Please report any cyber security incident via cert@cert.be

    If you would like to report an incident by phone first, call +32 (0)2 790 33 85 (every working day from 08.00 to 18.00).

    Please note, you can report a cyber incident to CERT.be and ask for additional advice if necessary. If you wish to file a complaint immediately, you should contact your local police straightaway.

    What information should be reported?

    • Your contact details.
    • What type of incident is it: DDoS, malware … ?
    • When did the incident start?
    • Is the incident ongoing?
    • How did you notice this incident?
    • What’s the impact of the incident?
    • Have you already taken actions or measures? If so, which ones?
    • Do you have logs or other useful data?
    • Who have you already informed?
    • What are you expecting from your report?

    After your report…

    • You get a receipt and an incident number. With this incident number, you can always refer to your report;
    • We will get in touch with you as soon as possible to answer your questions.

    https://www.cert.be/submit-or-report-incident

  • #heartbleed the next zero-day in, for example, OpenSSL will be used legally by the NSA

    "President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday," reports David Sanger at the New York Times. "But Mr. Obama carved a broad exception for 'a clear national security or law enforcement need,' the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons."
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/the-switchboard-yes-heartbleed-can-be-used-to-get-encryption-keys/

    this means the following

    if they find a zero-day in OpenSSL or PGP or any other package

    * they have to tell their critical infrastructure to update their servers and networks (because if you can find it, someone else will find it someday)

    * they can use it against any other infrastructure they need to hack into for intelligence reasons

    but how do you combine those two responsibilities?

    * by taking over the management of the critical infrastructure (they have done so)

    * by releasing their own versions of open-source software or releasing it under an NDA (but that would be contrary to the legal contracts of open-source software)

    * by having disclosure contracts with private firms in which there is a gap between the fast patch (for their own environments) and the public patch (for the general public)

    as you have probably guessed, this will all be too complicated, with too many risks

    so they will patch the systems of a few critical networks (government, finance platforms, military and critical infrastructure like nuclear) without telling anybody (during so-called security controls of the networks) and keep it to themselves, especially if they have found out beforehand that this zero-day actually gives them proven access to communications or installations (proof before you demand the exception)

    PS: it also means that the NSA can now legally use the Heartbleed zero-day against all their targets, so if you are a possible target and you aren't patched..... unlucky you and your users

  • #heartbleed and the Belgian public services

    First, where is OpenSSL used in the federal services

    "The systems that support Fedict's own services were also analysed. "The impact of Heartbleed turned out to be fairly limited," says Peter Strickx. A whole series of implementations used an OpenSSL version that did not have the problem, while the 'appliances' in use, after inquiry, turned out not to be impacted either. All affected systems were subsequently updated, the necessary certificates were replaced and by Tuesday "all Fedict systems were patched." Targeted communication then went out to the customers of the specific Fedict services, such as id & access management, service bus and so on."

    and will they keep using OpenSSL?

    "Peter Strickx also stresses the advantage of open-source development, because immediately after the programming error was discovered it was communicated widely, and within 24 hours the problem had been fixed in the code."
    http://datanews.knack.be/ict/nieuws/belgische-overheid-stelpt-heartbleed/article-4000589704739.htm

    you know my opinion about this :)

    it is now also clear that if someone again has a zero-day for OpenSSL, where it is used

    other important users of OpenSSL have told me that they are moving away from OpenSSL

  • Java and Adobe had the biggest number of vulnerabilities in 2013

    and this has been going on for some years now and it still hasn't changed

    isn't this becoming a business liability for the investors?

  • Apple/iPad/iPhone had the biggest number of vulnerabilities in 2013

    this doesn't mean that it has the biggest amount of malware; that is Android for the moment

    but the idea marketed by Apple that Apple is inherently safe and Microsoft is not is false

    it is only that there are so few Apple users that the return on investment is still not there to develop malware for it on a big scale