security - Page 36

  • hundreds of sites (including bitcoinplatforms) going offline to fix a critical bug in openssl

    A Q&A posted here by Codenomicon states that: “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

    Codenomicon notes that the bug has been “in the wild” since March 2012. More conservative sites, the Q&A notes, will be running older branches like 1.0.0 or 0.9.8 that aren't vulnerable.

    The fixed version is OpenSSL 1.0.1g. If you're stuck with a previous version of OpenSSL for some reason, you can block the vulnerability by re-compiling it using the OPENSSL_NO_HEARTBEATS flag. OpenSSL 1.0.2 will have the bug fixed in the upcoming 1.0.2-beta2 release.
    http://www.theregister.co.uk/2014/04/08/running_openssl_patch_now_to_fix_critical_bug/

    the key which is in fact needed to decrypt your encrypted connection can be found (this is as good as putting your key under the doormat)

    so it has been known since March 2012 and the OpenSSL community had more than TWO years to get its users to install a fixed version, but now, TWO years later, many critical and important services were still running on a version so old that it was still leaking its keys

    this means that the communications on these platforms could have been intercepted

    the people behind Tor advise staying off the 'confidential' internet for a few days to a week until everybody important has more or less fixed their problems

    not everybody is using OpenSSL; many are using the higher-quality commercial encryption products because they find that such things are so important that you can't leave them in the hands of volunteers, and that some robust organisation has to be behind it, and that is never 'free' (which doesn't mean that open-source projects are doomed to fail, but that for certain things you need so many assurances that it will be hard to follow up for free - except if somebody sponsors it or there is a paying version for businesses with support)

    there are tons of Belgian governmental services using OpenSSL and there is even an important Belgian bank - this is not to say that they are running vulnerable services - only that they have chosen the cheap way
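    As an added example (not code from The Register article or from the OpenSSL project), a small Python check that classifies an `openssl version` banner against the affected range described above and looks for the OPENSSL_NO_HEARTBEATS build flag in `openssl version -f` output. The version boundaries are those of the upstream releases; the function names and the sample banners are assumptions for the demo.

```python
"""Added example, not from The Register article or the OpenSSL project: classify an
'openssl version' banner against the affected range described above (upstream
1.0.1 up to 1.0.1f and 1.0.2-beta1 shipped the bug; 1.0.1g, 1.0.2-beta2 and the
1.0.0 / 0.9.8 branches did not) and check whether a build was compiled with
OPENSSL_NO_HEARTBEATS, which removes the heartbeat code entirely."""
import re
import subprocess

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014"
_BANNER_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_banner(banner):
    """Return (major, minor, fix, letter, beta) or None for a non-OpenSSL banner."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def version_in_affected_range(banner):
    """True when the upstream version number is one that shipped the heartbeat bug."""
    parsed = parse_banner(banner)
    if parsed is None:
        return False
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"        # 1.0.1 and 1.0.1a..f affected, 1.0.1g carries the fix
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1           # only the first beta predates the fix
    return False                   # 1.0.0, 0.9.8 and later branches never had the code


def heartbeats_compiled_out(flags_output):
    """True when 'openssl version -f' shows the build excluded the heartbeat extension."""
    return "OPENSSL_NO_HEARTBEATS" in flags_output


def assess(banner, flags_output=""):
    """Three-way verdict; see the caveat below about distribution backports."""
    if not version_in_affected_range(banner):
        return "not-affected"
    if heartbeats_compiled_out(flags_output):
        return "mitigated-by-build-flag"
    # Caveat (a fact about Linux distributions): vendors often backport the fix
    # without bumping the upstream number, so treat this as "check your vendor
    # advisory and package changelog", not as "confirmed exploitable".
    return "affected-unless-vendor-patched"


if __name__ == "__main__":
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True).stdout
        flags = subprocess.run(["openssl", "version", "-f"], capture_output=True,
                               text=True, check=True).stdout
        print(banner.strip(), "->", assess(banner, flags))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("no usable openssl binary on PATH; call assess() with a banner string instead")
```

A "not-affected" verdict only says the upstream number is outside the range; an "affected" verdict still needs the vendor's patch status before it counts as a finding.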

  • 6000 internet servers still running XP and older

    "Notably, there are 14 US government websites still running on Windows XP, including a webmail system used by the State of Utah. Unsupported web-facing Windows XP servers are likely to become prime targets for hackers, particularly if any new Windows XP vulnerabilities are discovered, as no security updates will be available to fix them.  To afford some breathing space, the UK Government recently struck a £5.5m deal for Microsoft to provide it with an extra year of support for Windows XP, although there are currently no Windows XP-powered websites under the gov.uk top-level domain.


    One of the busiest sites still using Windows XP is TransFerry.com. This site was previously using Windows 2000, and perhaps more worrying is the significantly larger number of websites which still use Windows 2000. This version of Windows reached its extended support end date in July 2010, yet nearly half a million of today's websites are hosted on Windows 2000 servers, most of which are using the Microsoft IIS 5.0 web server software they were shipped with. This version of IIS is practically identical to that used by Windows XP (IIS 5.1).


    Netcraft's April 2014 survey also found 50,000 websites which are hosted on even older Windows NT4 servers running Microsoft IIS 4.0, although three quarters of these sites are served from the same computer in Norway. One of the busiest sites still running on Windows NT4 is the Australian Postal Corporation's post.com.au, which has been using the same operating system for at least 13 years. Windows NT4 and IIS 4.0 are also still used by Australia Post's Postbillpay bill payment service, airindia.co.in and by the French government's Ministère de l'Économie, des Finances et de l'Industrie.
    http://news.netcraft.com/archives/2014/04/08/thousands-of-websites-still-hosted-on-windows-xp.html

  • #kiev Russian bluff in Donetsk has been called and they lose (this time)

    it is over

    but also a big alert

    now everybody knows how you will play that game

    demonstrations - occupying a building - getting in armed green men - declaring independence - igniting bloodshed - coming in

    somewhere in between public order troops will have to be more efficient and the critical factor is between one and two (this is what we know here in the west and why you hardly ever see this happening over here)

    the attackers learned there were too few demonstrations (a lower number each weekend), the different leaders and factions don't agree among themselves (during the night 4 of the 6 leaders and their factions left the building), Russia itself changed its instructions (it didn't want to be blamed for an operation that was going to fail but looked great on paper) and they didn't have enough weapons and people to hold on over time (you have to be there for a certain period of time with thousands of people to have some legitimacy)

    alternative : some terrorist operation or an undercover operation in Ukraine uniforms against Russians (it will only be found out later anyway)

  • #kiev why is it important to follow this up now so closely

    first, if there is a cold war or even a war - and it seems to be going more strongly that way every day; we are living in very dangerous times now - then IT security will have to change its attitudes and will have to take more defensive and controlling positions in certain environments, as cyberattacks are just part of the total package of possibilities - as we are the old enemies again of the Russian regime

    secondly, war or cold war also changes things internally. The mindset changes and some people will have to start paying more attention to things internally that wouldn't have been dangerous before - like contacts with Russia or the need for background checks in certain jobs and so on

    thirdly, if Putin goes on like this he will one day go too far and we will effectively have a stand-off or a period of exchanging fire, and everything will change even faster than it is now - if you haven't followed the news or this blog, our world in Europe has changed dramatically over the last weeks - everything we thought we could wish for has gone into the dustbin and everything we hoped we wouldn't need anymore is back on the table

    it is in this fast-changing environment that security people operate, because our businesses and our institutions have to adapt

    security - and also IT security - will become part of national security, and not bringing your environment in order when it is not secure will come to mean the same thing as endangering our national security

    this is a whole new ballgame and you had better adapt before you are obliged to adapt even more quickly than you ever thought

  • how to fuck up online ddos interface with a simple trick

    very simple - type in the address of the host or website where you have found it

    or it is theirs and it goes down because they don't have the money to resist such attacks themselves

    or they are abusing another service and someone will notice it and take the site down

  • it is so simple to make a ddos machine from our own blog/site/server

    this is an example

    just some lines of code to paste

    and this is another one placed on a site that probably doesn't know it

  • nexenta systems, leading cloud provider, hacked - security up in smoke

    A hacker seems to have breached the security of Nexenta Systems which is the world’s leading provider of Software-defined Storage solutions. The hacker seems to have dumped the database records of the Nexenta.com website. The company’s flagship software-only platform, NexentaStor, delivers high-performance, ultra-scalable, cloud- and virtualization-optimized storage management. Privately held, Nexenta is headquartered in Santa Clara, California.
    http://www.cyberwarzone.com/nexenta-systems-hacked-sqli-dump?utm_source=twitterfeed&utm_medium=twitter

  • why a digital certificate of your code doesn't mean we have to trust it

    "A new dangerous variant of ZeuS Banking Trojan has been identified by Comodo AV labs which is signed by a stolen Digital Certificate which belongs to a Microsoft Developer to avoid detection from Web browsers and anti-virus systems.

    Every Windows PC in the world is set to accept software "signed" with Microsoft's digital certificates of authenticity, an extremely sensitive cryptography seal.

    Cyber Criminals somehow managed to hack a valid Microsoft digital certificate, used it to trick users and admins into trusting the file. Since the executable is digitally signed by the Microsoft developer no antivirus tool could find it as malicious.
    http://thehackernews.com/2014/04/beware-of-zeus-banking-trojan-signed.html

    last year 200,000 malware samples were discovered with VALID certificates

  • some not-very-wise dude thinks he is secure enough to bypass the separate Belgian bank card reader

    this dude is more stupid than he thinks - he thinks his computer is safe and for this reason he doesn't understand a thing about infections, about rootkits and bootkits and all the other new tricks or perfected tricks of the trade

    so because he was bored with using the separate hardware card readers the banks give out, he downloaded and installed a script - by another Belgian - which lets him use the eID reader as a card reader

    he forgets that one of the main reasons no financial institution in its right mind will use this card reader is that there are serious questions about the code and the way it has been written - the fact even that the code is open source on the often-hacked GitHub is just one of the most obvious reasons

    and there is a follow-up question for the banks now

    if someone doesn't respect the basic security rules that you have imposed and in which you have invested (using the separate bank reader) and does his financial transactions this way - who is responsible if something happens? And how can you tell from a code whether the separate card reader has been used or not (it could also be that there is a code even when this is not the case, because otherwise you would have to bridge the air gap between the separate card reader and the machine (by the unsafe Bluetooth for example))

    another problem is with the writer of the code

    he has lost all control over the code because it is open-source code (but not adaptable) on the web, and I am not sure he has certified it and has a clean copy somewhere totally air-gapped from the rest of his installations and network.

    source http://blog.webtito.be/2014/03/10/utiliser-un-lecteur-de-cartes-didentite-pour-se-connecter-au-pc-banking/

    this is something we would be totally against - and every marketing boy trying to push this as a liberty or a good idea should be held responsible for the millions the bank is going to lose because that code and those transactions are so easy to intercept and penetrate...

  • another small Belgian insurance website goes bananas

    they don't care - nobody controls them and nobody tells them that they will be held responsible if they are irresponsible

  • breach-extortion becoming a new business

    this means that they breach your network or database, extract the data and then ask for money to give it back and not go public with it (and so avoid having to pay millions and send letters to all your customers)

    "A hacker who goes by the handle ‘MrNervous’ or ‘WhiteHatMrNervous’ has been up to some questionable activities earlier this year which has resulted in data being leaked and a business being given a very short time to pay a “bounty” to fix a vulnerability.

    WhiteHatMrNervous has posted that the Flight Centre Travel Group had been contacted by him/her about a breach that occurred on the 9th of February in which s/he had tried to advise the IT staff of the issue and how it should be resolved, but requested a US$5,000 “bounty” for the information. After waiting for only one day without a reply, s/he published two site databases on various file hosting websites: fcm.travel and flightcentreassociates.com.

    The two databases have resulted in very different types of data becoming public, both via a very common but not very published method. Like this case, many hackers are finding vulnerabilities in web sites, extracting data, and asking for a payout to tell the site how to fix the data. If no money is forthcoming, then the data gets posted publicly to shame the company
    https://www.riskbasedsecurity.com/2014/04/flight-centre-travel-group-data-leaked-after-attempted-extortion/

    another risk to add to your long list of things you have forgotten to do

  • Security blackmail to oblige Belgian and Dutch sites to close their vulnerabilities

    I think he has enough work for the rest of his life

    although he should be very careful with Belgian websites because the Belgian law on Cybercrime is so vague that it is not perfectly clear if what he is doing is illegal or not

    for .be sites he should notify the cert@cert.be

    when I do I always give a specific period - between 48 hours and a week

    if it is very serious I don't publish it but follow it up with the cert

    if there is no answer and the CERT can't do anything, even then I will publish it and publicly ask to bring the site down because it is too insecure

    it is very dangerous to contact the webadministrators or their technological contacts because of the very vague Belgian law on cybercrime and the fact that I have been threatened several times with legal action - even if I was not making the mistakes

    they can contact me but through the CERT

    if the CERT think that I am doing something wrong - they tell me and I respect that :)

    one rule : NEVER NEVER access things or try exploits to see if they work (it is not because you see the vulnerability that the exploit will work; there may be other defenses or configurations)

    in Belgium there is NO regulation of Responsible Disclosure or any statute for security researchers

    if there is a trial you can only hope that the judge will interpret your motives and the way you handled the case positively - but there is no way you could ever be sure

    these arguments have even kept one important security researcher from starting a security project in Belgium because his lawyers said they needed some months to negotiate and to set up the procedures and the necessary technical measures before he could start

    the belgian site could be this one https://www.google.be/search?q=site%3Abe+inurl%3Aamvb&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb&gfe_rd=cr&ei=NoY-U6n3GMT98gON4IHoCw

    in fact the hacker is giving too much information because with a googledork you could look up the most probable domainnames  inurl:mast site:nl

  • this is the code to insert with an image to launch a DDOS from a popular site with xss vulnerabilities

    if you are vulnerable you not only let people place images on your site

    but also code behind or with the image

    that code will divert the visitor to another page - in the backoffice without seeing it

    and will have as a result that the visitor is participating in a massive DDOS attack

    it was because of an enormous DDOS attack that it was discovered

    http://3.bp.blogspot.com/-lQM0O9w4I7Q/Uz2xmNHvtUI/AAAAAAAAbB0/Hip_ysQ0K9o/s1600/layer-7-ddos-attack-using-xss-flaw.png

    http://thehackernews.com/2014/04/vulnerability-in-worlds-largest-site.html

  • joke : a Syrian open router - just googled

  • millions of home routers available for reflective DNS DDOS attacks by botnets

    source http://nominum.com/news-post/24m-home-routers-expose-ddos/

    half a million personal pc's were infected by botnets in Belgium last year according to the cert

  • #kiev recent example why Ukraine will have to clean up its cybercrime business

    In addition, this fake bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain, including Caixa Bank, Commonwealth Bank, National Australia Bank, and St. George Bank.


    The miscreant behind this campaign seems to have done little to hide his activities. The same registry information that was used to register the domain associated with this botnet — funnygammi.com — was also used to register the phony bank domains that delivered this malware, including alrajhiankapps.com, commbankaddons.com, facebooksoft.net, caixadirecta.net, commbankapps.com, nationalaustralia.org, and stgeorgeaddons.com. The registrar used in each of those cases was Center of Ukrainian Internet Names.
    http://itsecuritynews.info/2014/04/03/android-botnet-targets-middle-east-banks/

    There are proposals in Congress to send cybercrime specialists from the FBI to Ukraine to assist in that

  • why make it yourself difficult to steal a login : do it this way

    But a recently-discovered flaw meant attackers could build profiles on the site to impersonate others, thanks to a specific font by Keybase which made characters such as a lowercase 'i' appear like a capital 'L'. The simple flaw allowed a security researcher with LastPass to build fake accounts and imitate the site's co-founder Chris Coyne.


    Attackers using this trick could fool users into emailing sensitive material to them instead of their intended recipient.


    "Due to the font they chose, I could impersonate any user with a zero, capital 'O', lowercase 'l', or capital 'i' in their name ... I would also need to be able to register Twitter and GitHub [accounts] with the same name," researcher Evan Johnson said. "I was able to almost perfectly impersonate the co-founder of the site."


    Co-founder Maxwell Krohn responded quickly to what he described as a "pretty serious security bug" after Johnson posted the flaw to GitHub.
    http://www.itnews.com.au/News/381346,font-flaw-allowed-keybase-copycats.aspx
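    As an added example, not Keybase's own code nor the researcher's, here is a registration-time look-alike check in Python for the problem quoted above: each name is reduced to a skeleton in which the glyphs Johnson lists (zero/capital O, lowercase l/capital i) and that font's i/L pair collapse to one symbol, and a name whose skeleton is already taken is refused. The confusable table and the UsernameRegistry class are assumptions for the demo; a production check would extend the table to Unicode confusables.

```python
# Added example, not code from Keybase or from the researcher quoted above.
# Registration-time look-alike check: each name is reduced to a "skeleton" in
# which glyphs that render alike collapse to a single representative, and a
# new name is refused when its skeleton is already taken.

# Assumed confusable table for the demo (groups taken from the quote above:
# zero / capital O, lowercase l / one / capital i, plus the site font's i / L
# pair). Every character in a group is folded to the group's first entry.
CONFUSABLE_GROUPS = (
    ("o", "0", "O"),
    ("l", "1", "I", "|"),
    ("i", "L"),          # lowercase i rendered like capital L under that font
)
_FOLD = {ch: group[0] for group in CONFUSABLE_GROUPS for ch in group}


def skeleton(name):
    """Canonical look-alike form: fold confusables first, then lowercase."""
    return "".join(_FOLD.get(ch, ch) for ch in name).lower()


class UsernameRegistry:
    """Hypothetical registry that enforces uniqueness on skeletons, not raw names."""

    def __init__(self):
        self._by_skeleton = {}   # skeleton -> the name that was registered first

    def register(self, name):
        """Store the name and return True, or return False if it is confusable
        with a name that is already registered."""
        key = skeleton(name)
        if key in self._by_skeleton:
            return False
        self._by_skeleton[key] = name
        return True

    def lookalike_of(self, name):
        """The already registered name that `name` would be mistaken for, else None."""
        existing = self._by_skeleton.get(skeleton(name))
        return existing if existing not in (None, name) else None


if __name__ == "__main__":
    reg = UsernameRegistry()
    for legitimate in ("chris", "maxwell"):          # constructed sample names
        reg.register(legitimate)
    for attempt in ("chrLs", "maxweIl", "maxwe11", "maxwell2"):
        ok = reg.register(attempt)
        verdict = "accepted" if ok else "refused (looks like %r)" % reg.lookalike_of(attempt)
        print(attempt, "->", verdict)
```

The same skeleton should be applied when matching the linked Twitter and GitHub names the quote mentions, otherwise the check can be bypassed by registering the look-alike there first.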

  • how Yahoo is better protecting its services

    • Made Yahoo Mail more secure by making browsing over HTTPS the default.

    • Has enabled encryption of mail between its servers and other mail providers that support the SMTPTLS standard.

    • The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.

    • Implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of the company’s global properties.

    • Users can initiate an encrypted session for a variety of the company’s news and media services by typing “https” before the site URL in their web browser.

    “One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos wrote in a blog post. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”

    in the months ahead :

    • A new, encrypted, version of Yahoo Messenger will be available

    • implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency
    http://itsecuritynews.info/2014/04/03/yahoo-ciso-says-now-encrypting-traffic-between-datacenters-more-encryption-coming/

  • council on cybersecurity is now responsible for the SANS20 critical security controls

    In a time of limited resources, security programs are also experiencing pressure to do more with less. The 20 Critical Security Controls (20 CSC) provides the baseline for implementing the required technical controls that are required to ensure a robust network security posture.

    The 20 CSC have also emerged as the “de facto yardstick by which corporate security programs can be measured,” according to the Cybersecurity Law Institute.

    The controls were previously governed by SANS, but the ongoing development and adoption of the controls are now the responsibility of the Council on CyberSecurity, an independent, expert, not-for-profit organization with a global scope.

    The Council on CyberSecurity was formed to seize this moment and catalyze change – specifically, to accelerate the widespread availability and adoption of effective cyber security measures, practice and policy.
    http://www.tripwire.com/state-of-security/featured/making-cybersecurity-simple-effective/

    this is the bible of security management - a must to read and follow up on permanently

    http://www.counciloncybersecurity.org/attachments/article/12/CSC-MASTER-VER50-2-27-2014.pdf