11/23/2014

#regin: these are the md5s of the files and the VirusTotal detection rates (and some thoughts)

and this explains why some of them still went undetected by the 52 security tools in the analysis run 3 hours ago

https://www.virustotal.com/nl/file/7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926/analysis/  30 detections

https://www.virustotal.com/nl/file/40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b/analysis/  37 detections

https://www.virustotal.com/nl/file/a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe/analysis/  28/43, 3 years 4 months ago (2011)

https://www.virustotal.com/nl/file/f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e/analysis/  4/42, 2 years ago

https://www.virustotal.com/nl/file/9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f/analysis/  23/48, 1 year ago

and there are more of them, but we can conclude the following

because the antivirus and security industry doesn't work together, gives different names to the same viruses and doesn't exchange technical information, it takes years to get the full picture. So even if some of the files of the virus were found to be malicious, not all of the files were, and especially not by all the security programs at the same time.

it also means that we have to change the general perception of an antivirus. People just install an antivirus and then look whether it finds viruses (normally it does) and then sometimes make a general report about it, but they don't analyse what it is, what the consequences are of that file or virus being found on a server or a PC, and whether there are other files, traffic or behaviour on that machine that have to be researched and integrated in the report.

it is intelligent analysis that will make the difference in high-value environments, not just putting machine after machine after machine and hoping that will do the trick


the first lesson Belgian insurance companies should learn is IT security and not getting hacked

this is their blablablablabla

and on the same site this is the real reality of Belgian insurance companies and websites online (and nobody is really responsible for controlling their security for the moment)


11/22/2014

TRUSTe fined by the US FTC for forgetting to check the security of all its clients yearly

"The US Federal Trade Commission (FTC) has charged TRUSTe, US-based provider of privacy certifications for online businesses, for deceiving consumers about its recertification program for companies’ privacy practices. The FTC Chairwoman, Edith Ramirez, said that “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge. Self-regulation plays an important role in helping to protect consumers.  But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action."

 

The FTC alleges that from 2006 until January 2013, TRUSTe failed to conduct annual re-certifications in over 1,000 cases, but its website informed consumers that companies holding TRUSTe Certified Privacy Seals receive recertification every year.
http://www.privacylaws.com/Int_enews_21_11_14

they have some explanation, but whatever they say it ain't right, and so it proves that if one wants to set up such a procedure then one needs to do it right


HP does the right thing: no slave labor to make your computer or printer

"The electronics manufacturer HP has announced a series of landmark policy changes on labor practices throughout its global supply chains, becoming the first U.S. information technology company to halt the common use of recruitment agencies for hiring foreign migrant workers among its suppliers.

 

Recruitment agencies, which often hire poor workers in one country for employment in another, have for years been criticized for a range of practices that can facilitate forced labor and slavery. Advocates thus see requiring the direct employment of migrant workers by suppliers of multinational corporations as a key opportunity to crack down on bonded labor and other rights abuses in the international economy.

 

“Workers who are employed by labor agents are more at risk of forced labor than those employed directly,” Dan Viederman, the head of Verité, a Massachusetts-based NGO that worked with HP to develop the new recruitment policies, said in a statement.
http://www.mintpressnews.com/hp-becomes-first-tech-compan...

maybe all government and big contractors should put the same obligation in their contracts


what the hell is going on here, massive attacks that look like cyberwar - anybody awake?

what is this

did somebody declare cyberwar?


Chinese networks are attacking US networks live here (not a game)

this is just small sniper fire

http://map.ipviking.com/

if you don't need traffic from China, don't accept traffic from China; just block it at the router or the firewall


networks are slow because the biggest DDoS attacks ever are happening

this is a picture

it is around 400 Gbps

OVH in France is implicated, as are several servers in the US

the strangest thing is that nobody is seeing this or doing something to stop it

we really need an international center that could cut off those servers, routers or hosters until they have cleaned up their act


NATO stops 200 million cyberattacks a day, of which 5 very serious each week

source: http://news.sky.com/story/1377444/natos-cyber-war-games-a...

that is why training is so important, and it has to follow scenarios, because attacks follow complicated scenarios with several different aspects that, in case of discovery or breach, have to be handled at the same time, some of which have to be visible to the attacker and others not, because it is all a mind game in the first place (chess)


US legal framework for information sharing about cyber incidents is stalled

the reason is that it isn't separated from the more overall discussion about information sharing with the intelligence and security services, and as such it is part of the global discussion about surveillance, democracy and what counts as a security threat

these things are much clearer in cybersecurity, and it is necessary that such discussions and agreements are kept separate from discussions about terrorism, subversion and surveillance

they should talk about DDoS, hacking attempts, botnets, phishing attacks and so on

source article that follows: http://justsecurity.org/17653/takeaways-house-intelligence-committee-cybersecurity-hearing/

On information sharing, Representatives Rogers and Ruppersberger pushed for passage in the lame-duck session of a bill to permit sharing of cyber threat information between the private sector and the government. Rogers and Ruppersberger’s bill on the issue, the Cyber Threat Information Sharing & Protection Act (“CISPA”), passed the House in April 2013, but drew a veto threat from the White House and generated broad public opposition due to privacy concerns about the businesses providing Internet users’ information to the government. A Senate information sharing bill, the Cybersecurity Information Sharing Act, has prompted similar concerns. Proponents of cyber threat information sharing see it as crucial to facilitating increased security for U.S. systems and networks, but such information sharing has been pulled into the broader debate about surveillance reform and the flow of information to the intelligence community. The failure of the USA FREEDOM Act earlier this week substantially dims the chances for information sharing legislation until the new Congress.
http://justsecurity.org/17653/takeaways-house-intelligenc...


and the DDoS storms get bigger and bigger: 500 Gbps (against Hong Kong protest sites)

"The websites, Apple Daily and PopVote, have been vocal supporters of the pro-democracy protests and even carried out mock chief executive elections for Hong Kong. Cloudflare, a company which is employed to protect websites against distributed denial of service attacks, has revealed that since June, these two websites have been bombarded by attacks of unprecedented size.

According to Matthew Prince, CEO of Cloudflare, the attacks have hit 500 gigabits per second (Gbps), which tops attacks in February of 400Gbps that were at the time the biggest in internet history.

According to Prince, who was speaking to Forbes: "[It's] larger than any attack we've ever seen, and we've seen some of the biggest attacks the Internet has seen."

Last year a DDoS (distributed denial of service) attack on the anti-spamming group Spamhaus was declared the "biggest in the history of the internet", peaking at 300Gb."
http://www.ibtimes.co.uk/largest-cyber-attack-history-hit...

now, where does that come from?


a very honest 404 error page


11/21/2014

9lives - an answer from the Privacy Commission (and some thoughts)

This is the letter I received from the Privacy Commission (two scanned pages, shown in the original post as the images 9lilves1.PNG and 9lives2.PNG)

some notable points

First these are all the postings we did about 9lives

1. Telenet can NOT say without any doubt which data were copied, which indicates that the logging of its database is limited, whereas much more professional software exists that lets you know which data from which columns of the database were stolen (and in fact even makes that impossible). Of course, if one wants to work as cheaply as possible without spending money, one cannot expect to have much information.

2. Not everyone was informed, because the hacker probably did not, like Telenet, just copy the data but also destroyed it. How else is it possible that Telenet says in the same letter that it could not warn people personally because it no longer had a backup? You only need a backup if you no longer have the original. It also raises the question of what else the hacker may have destroyed, logs for example? This then also explains why the breach notification rules of 48 hours were not respected towards a number of people.

3. We stand by our position that the software used did have vulnerabilities, because it was NOT the paid, maintained software but the free version, which had not been maintained for quite some time and for which exploits could be found with a simple search on the internet. And we are talking here about only 400 dollars; all this misery is simply not worth it. I too am in favour of open source software, but we almost always take the paid or supported versions when important data is involved.

The Privacy Commission only notes that Telenet denies this. I do not understand this. It is so obvious.

By the way, what is this? "Telenet could not access the servers of the site for a week because of the investigation, but has meanwhile found a solution. The leak was reportedly in software from an external supplier, but Telenet solved the problem itself." http://www.demorgen.be/technologie/telenet-zet-gehackte-g...  So there was a leak or a vulnerability after all; where it comes from does not matter, you remain just as responsible for your platform.

4. The Privacy Commission did not continue its investigation so as not to hinder the judicial investigation, but these are in fact two totally different matters, and perhaps the FCCU and the Privacy Commission should make some agreements about this. The FCCU can easily work on the basis of a copy while the Privacy Commission continues its 'analysis of the facts'. The objective of the FCCU is to find the person responsible if only the company has filed a complaint. If users or their representatives were to file a complaint against Telenet and 9lives, then it must also investigate whether all necessary measures were taken. In the future it should perhaps be assisted in this by specialists who ask the right questions and can also assess the answers technically. It may be that the software is secure but

And to conclude, we can simply note that this oh so secure 9lives server, after the secure restart, used such insecure encryption and certificates that the number of attack possibilities was still large enough.

Another reason why it is so important for the Privacy Commission to take up the investigation into 9lives again is to point out to the hosting sector that they too have certain responsibilities and must provide more security for their servers, hosting platforms, networks and firewalls, regardless of the responsibilities of the owners of the websites themselves.


11/20/2014

Update 2: re-leak by Rex Mundi (pizza domino.fr)

Rex Mundi said he was looking at some new targets yesterday

so we published an alert for the financial, HRM and ISP sectors

today he is publishing a file claiming to come from pizzadomino.be/fr  ----- NO, they retract: it is their old file

they say that they have also hacked the NL database - maybe the database for France or Domino's Pizza's back office is one big mess, but so what ....

I need confirmation or more proof to announce Belgian dominopizza.be as officially hacked and leaked

now pizzadomino.fr was hacked (with a file of half a million people - now disappeared again)

but there is something strange with that file - there are French addresses in it (3000 addresses in total) amongst Belgian addresses, and the biggest bunch can't be localised

the passwords are encrypted and salted, so I don't see the big security problem in this one for the moment, except that you have some mobile numbers and some email addresses together, which make a fine combination for a combined attack

it also shows why big data is a big risk and why you should never keep data that is old

tweets 

@mailforlen Just 2 b clear, this data is from our old hack. On the same server, Domino's had 3 DBs: FR, Be-FR and Be-NL

@mailforlen Yes, as we said, this one is from the French-speaking version of the Belgian website of Domino's. We also have NL version.

 

 


security marketers are abusing the Easypay and Mensura database ... phishers may follow

Do not

* click on links that are sent in mails about your data in the Easypay and Mensura database (especially if you are not in the public database of 1100 out of the 32.000)

* think twice before responding to these emails - it is a very lousy marketing practice that doesn't show a clear sense of ethics. Either they are desperate (and any security firm that is desperate nowadays is doing something terribly wrong, because it is a booming business) or they are just money grabbers out for an opportunity

* I am not sure about it, but I think the use of stolen data - even published data - for marketing purposes may be something the privacy commission doesn't like (because the purpose is to get that data OFF the internet and not into as many databases and email lists as possible .....)

I hope that everybody keeps calm and does the things you know you should be doing (and that don't cost any money, like changing passwords), and goes to real professionals with clear business and professional ethics for solutions to the problems you seem to have discovered now (two-factor authentication being one of them, centralised logging another, WAF and security checks another, and encryption and so on)

if you receive such an email, send it to commission@privacycommission.com, where you can also file a complaint about the way things are going

you also have the right to file a complaint - if you are a bigger customer - at the local court (maybe some of the bigger ones should do this, to send a clear message to all their other outsourced service providers that they had better take data security seriously)

there is already enough evidence on this blog of all the reasons why the best principles weren't followed before, during and after the incident

I filed a complaint against Mensura for these reasons with the privacy commission.


11/19/2014

maybe nobody bought the Belgian database of Rex Mundi yet (with bitcoins, that is)

you can follow that publicly (and with more private tools :)

those who think that bitcoins are private and anonymous don't understand bitcoins and all the very interesting metadata that goes with them

also there are sometimes major security problems and info leaks with the exchanges, with the protocol and with the bitcoins themselves

even the IP address of every transaction (so you need a proxy and/or VPN before you go on a Tor relay (only one with lots of traffic, everything else closed down and updated, and an updated Tor browser))

if he wants to sell and earn some money he will have to do it differently - but then you may have the same thing happening as with many amateur darkweb sellers who are getting caught (you never know who is in front of you)

your fast underground buck may not necessarily bring you luck and may get stuck (hihi)

 


how to detect SQL injection mistakes on your websites and databases and keep Rex Mundi away

It is illegal to do this against any other site in Belgium without the approval of the victim and under the control of the victim. Even as a white-hat hacker, because that doesn't exist - even if you are on TV :). The victim or his lawyers can come after you at any time and you won't know what hit you (or your parents, like the hacker on VRT).

this is for the programmers and the owners.

But this is just the beginning and not the finish. You really need to limit online access to forms (put them behind a proxy on a server separate from your content server); you need to limit the data behind the database (destroy old data and don't let people download whole data stacks, so only data going from the user to the server, no big transfers of data to the user); encrypt it sufficiently (not md5, even if it is salted); install a vulnerability checker (to keep all the different things you are running up to date) and put a patch policy in place; install a WAF firewall or policy (make it easy for yourself: only accept normal commands and block all the rest); and activate an alarm procedure to get a warning when an SQL injection has some success and is downloading data stacks, or when too many attacks are happening (even if they don't succeed). Have a takedown procedure in hand so you can take down the site, or only the datasets, if this doesn't help. (attacks mostly happen with metasploit)

and have this tested yearly by a penetration tester, but with a clearly defined goal: get the information out of that database whatever the way (while he is doing these tests, someone from security and the network team should sit next to him so that he has a contact if something goes wrong, or to take immediate action if this is needed (finding a hard-coded password, for example))

LESS data is MORE security (and less cost, responsibility and fines), so if people want to add more data or combine data you should ask yourself if it is WORTH all that

and the best way is to write in every contract that the code has to comply with OWASP 10 or OWASP 20 and that the programmers have to show the results of their tests certifying that they don't have those mistakes in their code (well, your code)
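The alarm procedure described above, as an added example that is not part of the original post: it runs over constructed Apache/nginx-style access log lines, flags requests whose query string carries common SQL injection markers, counts them per client address, and alerts both on a burst of attempts (even failed ones) and on a flagged request that got a 200 with an unusually large body, which is what a bulk extraction looks like from the web server's side. The marker list and both thresholds are assumptions to tune on your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log line: ip - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Heuristic markers that rarely occur in legitimate form input. They are applied to the
# URL-decoded query string; expect some false positives (e.g. "--" in free text) and
# tune the list on your own traffic.
SQLI_MARKERS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+",        # ' or 1=1, ' or 'a'='a
    r"'\s*(--|#|;|$)",                            # a lone quote closing the value
    r"\bunion\b[\s/*]+(all[\s/*]+)?\bselect\b",   # union select, union/**/select
    r"(--|#|/\*)",                                # SQL comment sequences
    r";\s*(drop|delete|update|insert)\b",         # stacked statements
    r"\b(sleep|benchmark|waitfor)\s*\(",          # time-based probes
    r"\b(information_schema|pg_catalog)\b",       # schema enumeration
)]

def looks_like_sqli(path: str) -> bool:
    """True when the URL-decoded query string of `path` matches a marker."""
    query = path.split("?", 1)[1] if "?" in path else ""
    decoded = unquote_plus(unquote_plus(query))  # decode twice to catch %2527
    return any(m.search(decoded) for m in SQLI_MARKERS)

def analyse(log_lines, attempt_threshold=5, big_response_bytes=100_000):
    """Return (alerts, per-IP count of flagged requests).

    Assumed thresholds: more than `attempt_threshold` flagged requests from one
    address, or one flagged request answered 200 with a body larger than
    `big_response_bytes`, is worth waking someone up for.
    """
    attempts = defaultdict(int)
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not looks_like_sqli(m["path"]):
            continue
        ip = m["ip"]
        attempts[ip] += 1
        status = int(m["status"])
        size = int(m["bytes"]) if m["bytes"] != "-" else 0
        if status == 200 and size > big_response_bytes:
            alerts.append(f"POSSIBLE EXTRACTION: {ip} received {size} bytes for {m['path']}")
        if attempts[ip] == attempt_threshold + 1:
            alerts.append(f"ATTACK BURST: {ip} exceeded {attempt_threshold} injection attempts")
    return alerts, dict(attempts)

# Constructed sample log: ordinary traffic, a burst of failed probes from one address,
# and one successful-looking extraction from another (all addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.9 - - [19/Nov/2014:10:00:01 +0100] "GET /news?id=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Nov/2014:10:00:02 +0100] "GET /news?id=42%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [19/Nov/2014:10:00:03 +0100] "GET /news?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 312',
    '198.51.100.7 - - [19/Nov/2014:10:00:04 +0100] "GET /news?id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 312',
    '198.51.100.7 - - [19/Nov/2014:10:00:05 +0100] "GET /news?id=42%20UNION%20SELECT%201,2,3,4 HTTP/1.1" 500 312',
    '198.51.100.7 - - [19/Nov/2014:10:00:06 +0100] "GET /news?id=42%20UNION%20SELECT%201,2,3,4,5 HTTP/1.1" 500 312',
    '198.51.100.7 - - [19/Nov/2014:10:00:07 +0100] "GET /news?id=42%20AND%20SLEEP(5)-- HTTP/1.1" 500 312',
    '192.0.2.33 - - [19/Nov/2014:10:05:00 +0100] "GET /news?id=42%20UNION%20SELECT%20email,password%20FROM%20users-- HTTP/1.1" 200 2840000',
    '203.0.113.9 - - [19/Nov/2014:10:06:00 +0100] "POST /contact HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(counts)
```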

Testing for SQL Injection (OTG-INPVAL-005) - OWASP

How to Detect SQL Injection Attacks - The Hacker News

How do I check if my website has an SQL Injection?

Practical Identification of SQL Injection

sqlmap: automatic SQL injection and database takeover tool

Basic Tests for SQL-Injection Vulnerabilities 

Understanding SQL Injection - Cisco Systems

Automated SQL Injection Detection – Arne  (many good links) 

and so on 

 

 


some introductory links about SQL injection attacks (Rex Mundi likes this :))

1. SQL Injection Prevention Cheat Sheet - OWASP

2. Prevent SQL Injection: Tutorial, Cheat Sheet

3. SQL Injection - W3Schools

4. How To: Protect From SQL Injection in ASP.NET

5. Preventing SQL Injection Attacks 

6. PHP: SQL Injection

7. MySQL - SQL Injection Prevention - Tizag Tutorials

8. bobby-tables.com: A guide to preventing SQL injection

9. What is SQL Injection and How to Fix It 

10. Prevent SQL Injection Attacks 

11. Preventing SQL Injection Oracle 

12. SQL Injection Prevention - ProgrammerInterview.com

 


what we learn about the data Rex Mundi placed online

it has been uploaded twice

the first one was uploaded to pastebin and downloaded more than 300 times

it was destroyed, but not well enough, because with a search you could still find some data (from the internal cache, I suppose); that is how we saw that there was data about Belgians

we just searched pastebin for @skynet.be and separately for @telenet.be and whatever other address - software could do that, but everybody I proposed this to found it 'not interesting', even though I collected around 50.000 Belgian records during the Lulzsec campaign by only doing this

then it was uploaded to another paste site, but it didn't stay online very long - and was downloaded again several times

then it was uploaded again to another paste site and after 24h it is offline again (but not from the Google cache - that was forgotten)

at first view the data is not being uploaded elsewhere

this protects the individual victims, but not against the file that has already been downloaded (count 400 times)

it means that once the data has been stolen, the mails with the demand for payment have been sent and the cat-and-mouse game starts, you will have to have a legal team ready with the necessary forms to block the content (although it will be much more difficult with some hosters)

in fact the EC should subsidise a center like that, which the hosters can trust is not used for censorship but just to keep illegal leaks of personal data off the internet (even if one can ask why pastebin can't do this from the beginning and be more proactive)

now, for the networks that have members on that list, that doesn't mean the risk is gone. The list with passwords and email addresses is still in his hands and you can never know what they will do with it.
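The paste search the post says "software could do", as an added example that is not code from the original post: given the text of a paste and the domains you watch, it pulls out the e-mail addresses, counts the hits per watched domain (subdomains included), gives a rough triage of whether the second column of each record looks hashed or plaintext, and reports only masked addresses so the report itself does not re-spread the leak. The paste text, the record separators and the hash-shape heuristics are assumptions.

```python
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# one record per line, "address<sep>secret"; separators assumed: : ; , | and tab
RECORD_RE = re.compile(r"^\s*(?P<email>[^\s:;,|]+@[^\s:;,|]+)\s*[:;,|\t]\s*(?P<secret>\S+)")

def classify_secret(secret):
    """Rough triage of the second column: hashed (and how) or plaintext? Heuristic only."""
    if re.fullmatch(r"[0-9a-f]{32}", secret, re.IGNORECASE):
        return "md5-like"
    if re.fullmatch(r"[0-9a-f]{40}", secret, re.IGNORECASE):
        return "sha1-like"
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if secret.startswith("$"):
        return "other-hash"
    return "plaintext?"

def watched_domain(address, watched):
    """Return the watched domain `address` belongs to (subdomains included), else None."""
    domain = address.rsplit("@", 1)[1]
    for w in watched:
        if domain == w or domain.endswith("." + w):
            return w
    return None

def mask(address):
    """Keep only the first two characters of the local part so the report spreads no PII."""
    local, domain = address.rsplit("@", 1)
    keep = local[:2]
    return f"{keep}{'*' * max(1, len(local) - len(keep))}@{domain}"

def scan_paste(text, watched_domains):
    """Return (hits per watched domain, secret-type counts, masked hits, unique addresses)."""
    watched = {d.lower() for d in watched_domains}
    unique = {a.lower() for a in EMAIL_RE.findall(text)}
    hits, secrets, masked, seen = Counter(), Counter(), [], set()
    for addr in sorted(unique):
        w = watched_domain(addr, watched)
        if w:
            hits[w] += 1
            masked.append(mask(addr))
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        addr = m["email"].lower()
        if addr in seen or not watched_domain(addr, watched):
            continue  # count each watched address once, ignore other domains
        seen.add(addr)
        secrets[classify_secret(m["secret"])] += 1
    return dict(hits), dict(secrets), masked, len(unique)

# Constructed sample dump (not real data): mixed separators, one duplicate, one subdomain.
SAMPLE_PASTE = """\
# constructed sample dump, not real data
jan.peeters@skynet.be:9e107d9d372bb6826bd81d3542a419d6
an.dewit@telenet.be;$2y$10$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ
pierre@example.fr:motdepasse
support@mail.telenet.be:2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
jan.peeters@skynet.be:9e107d9d372bb6826bd81d3542a419d6
someone@example.com | hunter2
"""

if __name__ == "__main__":
    hits, secrets, masked, total = scan_paste(SAMPLE_PASTE, ["skynet.be", "telenet.be"])
    print(f"{total} unique addresses, watched hits: {hits}, secret types: {secrets}")
    print("\n".join(masked))
```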


if Rex Mundi finds his next target, what will happen?

first he will look for the most vulnerable and download the data

then he will send you an email asking for payment (as we hear, it is now between 30K and 50K depending on the data)

he will give a date or period in which you can respond

then he will send another mail threatening to publish some data at some date

he will announce the release of a new dataset on Twitter without mentioning who the victim is

if he didn't receive anything, nor any feedback, he will publish some data

then the real shit starts

* most firms didn't even upgrade their security during that period - you should do that from the moment you have received that mail (it also means that you will have to bring in security consultants, new security appliances, forensic advisers, ......)

* most firms didn't start contacting the authorities and the privacy commission during that period - you should, within 24 hours from the moment you were informed that you would be breached (this doesn't mean that they publish that information)

you can probably start looking for a firm specialised in crisis communication

if it is heavy, like Easypay and Mensura, then you can start looking for a lawyer in case you get complaints from victims with the privacy commission or the courts (and the longer you wait with doing the things above, the longer the list of complaints will be and the more guilty you will at least look)

* the number of attacks against your network and data will increase, because Rex Mundi is not the only one in the digital universe who knows how to push the button, examine and extract if vulnerable (as that is all one has to do with modern SQL injection software - I didn't use it, I just looked at it)

So if new targets are being attacked in the next days, then we will know in 2 to 3 weeks - in time for him to buy his Christmas presents

Even if you decide to pay, you still have to go through a total password reset and a total re-securing of your internet connections, data and web services

meanwhile, if you have some budget for next year, there are two essential things: stop SQL injection (WAF and handmade tests) and use strong encryption, and if you have enough money, separate access to your back office totally from your news portal (separate server with separate IP, separate access rules and firewall protections and other data flow rules (no downloads of data, for example, only uploads)).
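The two fixes that this post and the earlier post on detecting SQL injection mistakes keep coming back to, shown side by side as an added example (not the blog's or any vendor's code): the lookup written once with the request value spliced into the SQL text and once with a bound parameter, and the password column stored with a salted, iterated hash instead of the salted md5 the earlier post warns against. It assumes Python's bundled sqlite3 and hashlib, constructed user records, and a round count to tune on the login server.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption: raise until one hash costs ~100 ms on your login server

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the stored string carries rounds and salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def salted_md5(password: str, salt: bytes) -> str:
    """What the earlier post warns against: a salt stops rainbow tables, but one MD5 per
    guess is so cheap that a leaked table still falls to plain brute force."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed records (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, mobile TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("a@example.be", "+32470000001", hash_password("correct horse")),
        ("b@example.be", "+32470000002", hash_password("battery staple")),
    ])
    return conn

def find_user_vulnerable(conn, email: str):
    """The mistake: the request value is spliced into the SQL text, so a quote in the
    value ends the literal and whatever follows becomes part of the WHERE clause."""
    sql = f"SELECT email, mobile FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def find_user_fixed(conn, email: str):
    """The fix: the driver binds the value as data; it can never become SQL."""
    return conn.execute("SELECT email, mobile FROM users WHERE email = ?", (email,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                  # the textbook test value from the linked tutorials
    print(find_user_vulnerable(db, probe))  # every row in the table
    print(find_user_fixed(db, probe))       # [] : no such address
```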


SSL libraries of Microsoft urgently patched again; and when are you upgrading your servers?

The most important patch in the normal package of patches this month was in the SSL library, although it wasn't clearly identified as such. It seems that Microsoft has decided to go through the code, processes and logic of its SSL library, processes and chains line by line (and discovered the 9-year-old mistake).

Now the mistake they have discovered is in the Kerberos chain and makes it possible to forge a certificate. Kerberos is used by many enterprises as a cheap alternative to real certificates. But it gets fixed fast - and out of band if there are reports that targeted attacks are being launched (without any attack code being publicly available to this end).

On one side you can say that it is worrying, and on the other side it is extremely comforting that they are putting so many resources into that (which is normal if you understand that Microsoft is in fact the only alternative to the OpenSSL debacle). If you compare that to the one, two or three persons who will be going through all the code of OpenSSL, you understand that Microsoft has a competitive advantage - even if some believed that all intelligent users of open source software would check it for mistakes (as if they have nothing else to do). This dogma has been proven totally wrong and will require some fundamental rethinking.

"A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos."
http://ma.ttias.be/yet-another-microsoft-cve-local-privil...
