02/12/2013

Oracle needs the security community as much as the security community needs security at Oracle

The historic antipathy between security researchers and Oracle is partially explained by the software giant's often painfully slow acknowledgement of security problems as well as its staggered release of patches - both for Java and for its database software and other enterprise applications.

 

Rather than working together with security experts - such as David Litchfield - who discover and report dangerous programming flaws, Oracle has been, by several accounts, difficult, unresponsive and occasionally combative.

 

Oracle needs to take a leaf out of Microsoft's book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs.
http://www.theregister.co.uk/2013/01/30/oracle_java_secur...

Microsoft is really a classic example of what to do

I remember Microsoft as the most hated company 10 years ago, with security that was not worth the name.

Then came the memo from Gates about security; everything in the company was put on hold until they were sure it was secure, and since then everything has changed.

Microsoft is criticized for security here and there, but the way it is communicating, implementing and organizing security throughout its firm and its users has become an example in security management.

It was a security Titanic; it is now a luxury, more or less secure cruise ship sailing in seas without icebergs (as long as the captains stay on deck and don't go down to party too much)


02/11/2013

OPRRN why the RRN number is not secure

there are too many knowns and too few control numbers

it is a total of 11 digits

the first 6 digits are the birthdate in the order year, month and day

the next 3 digits depend on whether you are a man (001 to 997) or a woman (002 to 998) (500 numbers unknown)

the third group is 2 control digits (00 to 99)

so if you know the birthdate, 6 out of 11 are known, with one series of 1000 and one series of 99 left

if you also know whether it is a man or a woman, 6 out of 11 are known, with one series of 500 and one series of 99 left

so if any system uses this to log in and has no defense against brute force

then how long should it take a server with specialised software to break in?
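To put numbers on the question above, here is an added example (not from the original post) that computes the guessing space left by the RRN layout as the post describes it and checks a login log for the pattern such guessing produces: one source failing against many RRNs that share the same birthdate digits. The log format, the thresholds and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout as the post describes it: 6 birthdate digits (YYMMDD), a 3-digit
# sequence number (001..997 odd for men, 002..998 even for women) and
# 2 check digits, which the post treats as unknown (00..99).
SEQ_MEN = range(1, 998, 2)
SEQ_WOMEN = range(2, 999, 2)
CHECK_DIGITS = 100


def candidate_count(sex=None):
    """RRNs left to try when the birthdate is known; sex is 'M', 'F' or None."""
    if sex == "M":
        seq = len(SEQ_MEN)
    elif sex == "F":
        seq = len(SEQ_WOMEN)
    else:
        seq = len(SEQ_MEN) + len(SEQ_WOMEN)
    return seq * CHECK_DIGITS


def seconds_to_exhaust(candidates, attempts_per_second):
    """Worst case for a login with no lockout, at a steady attempt rate."""
    return candidates / attempts_per_second


# Assumed (hypothetical) login log format, one attempt per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) rrn=(?P<rrn>\d{11}) result=(?P<res>\w+)$"
)


def enumeration_suspects(log_lines, max_distinct=20, window_seconds=300):
    """
    Flag (source, birthdate prefix) pairs where one source fails logins on
    more than max_distinct different RRNs that share the same first 6 digits
    within window_seconds. A fixed birthdate with a changing tail is the
    fingerprint of the enumeration the layout above invites.
    """
    attempts = defaultdict(list)  # (src, YYMMDD) -> [(time, rrn), ...]
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["res"] != "FAIL":
            continue
        when = datetime.fromisoformat(m["ts"])
        attempts[(m["src"], m["rrn"][:6])].append((when, m["rrn"]))
    flagged = {}
    for key, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {rrn for t, rrn in events[i:]
                    if (t - start).total_seconds() <= window_seconds}
            if len(seen) > max_distinct:
                flagged[key] = len(seen)
                break
    return flagged


# Constructed sample log: one source walking the sequence number for a single
# birthdate, and one user who mistypes their own number twice, then succeeds.
SAMPLE_LOG = [
    f"2013-02-11T09:00:{i:02d} src=198.51.100.7 "
    f"rrn=850312{2 * i + 1:03d}{(7 * i) % 100:02d} result=FAIL"
    for i in range(25)
] + [
    "2013-02-11T09:10:00 src=203.0.113.9 rrn=77110504250 result=FAIL",
    "2013-02-11T09:10:20 src=203.0.113.9 rrn=77110504250 result=FAIL",
    "2013-02-11T09:10:45 src=203.0.113.9 rrn=77110504250 result=OK",
]
```

With birthdate and sex known there are 49,900 candidates, which at a modest 10 attempts per second is under an hour and a half; running `enumeration_suspects(SAMPLE_LOG)` flags the first source and not the mistyping user.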


interesting hack at gpo.gov: a defacement through the search page (reflected in the 404 / bad search results)

http://www.gpo.gov/gpo/sitesearch/homedosite.action;jsessionid=FhzGRXKCy4vWcBl7hr6rnL562frklTjf1JhJRJcz95ShQ73tQttG!-621226587?st=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi.imgur.com%2FiMvu7.jpg%22%3E%3CIMG+SRC%3Dhttp%3A%2F%2Fi.imgur.com%2FiMvu7.jpg%3E%3Cbr%3E%3CH2%3E%3CB%3E%3CBR%3E%3CU%3EHacked+by+Anonymous+Squad+No.+035%3C%2FH2%3E%3C%2FB%3E%3C%2FU%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E&ddname=gpo

this won't stay online, but for now it looks like this


Chinese hacking of other governments is like throwing stones from a glass house

just the last week - and these are only defacements

and these are only the special ones from last week

and this one is about the confirmed hacks in the .cn domain


why it is a stupid idea to let your login pics be copied to wherever

it makes programs and phishing like this child's play

"A new phishing technique has emerged that tricks users into handing over credentials by mimicking popular websites' user dashboards.


The phishing attacks were generated by a Python tool which produced custom webpages designed to mimic websites like online banking and social networking sites. 

 

The developer of the tool, Australian researcher Jamieson O'Reilly, said the attacks exploit users who are accustomed to remaining signed into web sites via session cookies.

 

"The general user [finds] it normal to just open a browser and be already logged in which is where this vector takes advantage," O'Reilly said.

 

The Python-based tool, dubbed TSURT (trust in reverse), uses the open source web scraping framework Scrapy to pull user information like logos or avatars from a target site, which are then embedded in the phishing page.

 

This makes the phishing page appear as a legitimate logged in dashboard.

 

In a video demonstration, the tool pulls down a Facebook account profile picture which is then placed inside a fake Facebook dashboard screen featuring a fake private message.
http://www.scmagazine.com.au/News/331434,new-phishing-too...

and don't tell me there is no way to prohibit the use of your pics elsewhere, to put other pictures or code over them, or to control where your pics are downloaded to or used


the bug hunt at Mega shows the sloppiness of the coders and of those who check the coders

We believe that it would be premature to draw any conclusions at this time — barely three weeks after our launch and one week into the program. It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction. Needless to mention that nobody cracked any of the brute-force challenges yet (please check back in a few billion billion years).
https://mega.co.nz/#blog_8

yeah, they are all small things, things that were forgotten to check or double-check (like XSS)

so no breaking of the encryption yet

but the critics are all about one thing: leaving the key unprotected on a machine is a gamble - security people and coders may say that the risk is not enormous or important - but it makes it too easy to try to set up timing and other attacks against the key and the connections with the servers. Protecting access to it by putting it in a protected folder or sandbox - possibly with some automated access restrictions, or with the possibility of protecting that folder with a password or something like that - may make it more secure

for that sort of timing attack to be successful will take some time, but as the key is unprotected on the PCs it will be tried, with mixed results (certificates and https encryption were the same kind of barrier, and they were also somewhat broken or abused under certain circumstances)


US cyberwar and the inflated cyber risks, helped by short memory

First let us say that there never was a cyber doomsday and that there is no cyber superman (not even China), which means that every country can be hacked and attacked to the ground, because the same vulnerabilities and stupidities are everywhere

Secondly, there is no way one can put a finger on anything secret, because no one has any idea, and there is a natural tendency to inflate the damage and importance because it is in the interest of the security community, of the firms (to get more help from the state instead of investing more themselves) and of the media people who want bigger headlines to blow the opposition away

Third, this kind of report has been published over and over again, with ever increasing numbers, facts and estimations

but

* there has always been spying - and even today there is non-digital spying

* if there is such a loss, the real problem is not China, it is the insecure infrastructure and the fact that we have too much information online or digital that shouldn't be online, digital or unsecured

* all the necessary technologies to secure your information and to limit access to only the authorized people are present; one just has to implement them

* some simple, stupid security rules may already limit the damage from a security incident (although they are seldom implemented)


Google is not responsible for the bad ads it receives money for

Google has won a landmark court case with Australia's High Court ruling it had not engaged in misleading behaviour with its sponsored links and that it was not responsible for messages conveyed by paid advertisers.

 

The ruling helps Internet providers and search engines argue that they are not publishers, but simply carriers of information provided by third parties.

 

While the judgement applies only in Australia, the ruling will be closely watched around the world and could be cited as a precedent in the event of similar cases arising in the rapidly evolving area of law.

 

"Others will definitely be looking at this ruling. Google is a worldwide business. This is something of a first, and it does add some clarity for the industry," the head of Australia's Internet Industry Association, Peter Lee, told Reuters.
http://www.stuff.co.nz/technology/digital-living/8278904/...

this is easy

receive the money but not the complaints, and don't check whether your ads are anything other than a scam


even at airports security is human (Brussels Airport)

a twelve-year-old boy got through the automated ticket check at Brussels Airport without a ticket

   - the human inspector who has to look out for incidents didn't see anything

there is no ID check because the flight is inside the Schengen zone (a good idea for goods, a bad idea for persons)

he then hung around the corridors for the whole night, where there are permanent CCTV cameras spinning around, looking for suspicious behaviour and people (nobody noted that there was a guy hanging around for hours, even when there were no planes left)

he then tried to board a few planes, but without a ticket he couldn't board; still, nobody informed security that there was a young passenger in the corridors trying to board an airplane without a ticket

he then boarded a plane by staying close behind a couple, giving the impression he was with them, avoiding the security-minded controller and opting for the charming hostess of the company

on the plane itself there was no headcount, because there is no headcount on internal European flights

------------------------------------

every al Qaeda planner has now read this story and has read it the way I have described it

just waiting for a hijack or attack so that everybody remembers what the first rule of security is: healthy paranoia and the "not on my watch" mentality

marketing and security are two totally different attitudes; that doesn't mean you have to be a brute, but security comes first, then understanding and helping the customer

that boy should work as a human tester of physical security

technology can't replace physical security - even if we are only human


Yahoo xss attack maybe not totally resolved

it is over when you are sure that it is totally over, that all possibilities to use that attack have been closed and that all new forms of attack based on this successful attack have been thoroughly tested

"Given the nature of these emails - sent indisputably to Xtra contact lists, in some cases to people who haven't been in contact for a long time and others very recently - it's highly likely that either the issue wasn't patched successfully, a new attack vector has been found or more likely, contact lists have been harvested during the initial attack to enable this secondary attack on Xtra email holders.

"According to security sources, this original attack appears to have been due to a vulnerability in the Yahoo Developers Network, due to blog software that hadn't been updated for at least nine months. The fact that there was an XSS vulnerability at Yahoo has been known since at least November," he says.

"So assuming this is the cause of the attack, it would appear to be due to a vulnerability at Yahoo and very difficult for users to avoid. This is a major attack and appears unrelated to any of the standard 'from Xtra account services' phishing emails which are regularly circulated."

One victim, YahooXtra customer Michael Beckett, said scam emails were sent from his email address while his computer was turned off and he was out on a boat.

"I went to change my password, but that kept on crashing and when I went to delete my contact lists - which is what the hack had programmed their malware to exploit - I couldn't delete the addresses."
http://computerworld.co.nz/news.nsf/news/telecom-denies-r...

a security incident is bad, a quick fix that doesn't resolve anything is worse


Bit9's stupid hack is only the first of a series of breaches throughout their clients

The hackers accessed a system that Bit9 said it uses to digitally sign its software to let customers know it is safe to run on their computers. The hackers then forged Bit9's digital signature on malicious software, which they used to attack some of its customers, according to the privately held company.

 

Bit9 said in a blog post on Friday that it believed the hackers were able to access one of its internal systems because the company had failed to properly install its own software throughout its network.

 

Bit9, which has about 1000 customers including US government agencies and major defence, energy and financial companies, is one of the leading providers of security technology known as "white listing."

 

Unlike traditional anti-virus software, which seeks to block malicious programs, white listing looks to protect systems from attack by only allowing computers to run programs from trusted vendors.

 

"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network," Chief Executive Patrick Morley wrote on Bit9's blog. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."
http://www.stuff.co.nz/technology/digital-living/8286519/...

I presume they tell their clients to install their paid software everywhere, on any machine .....

also interesting to see that the digital certificates for their updates, and maybe even their code itself, may have been breached, and that they will have to redo all of that for all their clients

also interesting to see that because of this hack they could install signed and approved malware on a series of networks (maybe a time bomb?), which calls for a thorough investigation, because you must be sure that this infiltration didn't install other things, open new accounts and so on ....


02/09/2013

a new place for putting stolen, leaked information: your website

Imagine you have this website

and all of a sudden you are national and international news because Anonymous decided to put some stolen pages or information on your website


OPPBARBXL the cotisation website is hosted in France (barreaudebruxelles.be)

have they asked a lawyer for a second opinion about that?

so the vmware website is here

cotisation.barreaudebruxelles.be.	7200	IN	A	91.121.22.78

you remember that that website had problems with the certificate and all that (vulnerable)
http://www.yougetsignal.com/tools/network-location/


OPPBARBXL the very strange mail subdomain of the site barreaudebruxelles.be

when you type in http://mail.barreaudebruxelles.be/

you get this as an answer

85.158.211.22 is the IP address they are speaking about, but we don't seem to find more information, so it is probably badly configured

figure that


OPPBARBXL the very strange mailing subdomain from barreaudebruxelles.be

this is strange

because this is the site http://mailing-lalettre.barreaudebruxelles.be/

and you would expect to see a login or an archive of newsletters

but no, it is the setup of some old (2004) newsletter system

and it refers to goofy.sloebers.be

but if something happens to that mail server, the legal responsibility lies with barreaudebruxelles because it is a subdomain of it - strange that no lawyer thought of that


OPPBARBXL it is not that they don't have the money

a good certificate costs around 300 Euro a year

a secure host a few thousand Euro a year

their budget is

From an amount of 2.829.566 Euro in 2008, it went to 2.027.886 Euro in 2009, 1.985.340 Euro in 2010, 2.117.132 Euro (provisional figure) in 2011 and 1.933.335 Euro in 2012 (budget).

http://www.barreaudebruxelles.be/LA_LETTRE/document/divers/cotisations2012.pdf

what does this say about managing things like a good house father (a prudent manager)?


OPPBARBXL the unsecured subsite of the barreau de bxl for its cotisations

but this part of the website is not well protected

Het certificaat wordt niet vertrouwd, omdat er geen uitgeversketen is aangeboden.
Het certificaat is alleen geldig voor *.tuitin.com

but that leads to the following website https://cotisation.barreaudebruxelles.be/zimbra/

and according to https://www.ssllabs.com/ssltest/analyze.html?d=cotisation...

and this gives access (not well secured), but it is already better than the other entrance

only let's hope that user and password are not the same as those explained on the extranet website

due to Belgian law we couldn't do more tests

strange that they didn't use this system for all their extranets, but it makes it easier to move quickly from the very old and dangerous entrance on their main website to this one (if they fix the certificate)


02/08/2013

the Belgian secret service has a puzzle for you

two secret documents were given to two groups of people (both were about the influence of sects in Belgium, and on some politicians in particular)

one was given to a group of 5 people

one was given to a group of 45 people

how was a journalist able to read and publish about both of them?

that is what they are now investigating

but after the joke, something more serious

a secret service has two words: secret, which means it needs secrecy to be able to function, and service, which means that it has to fulfil a service, and in a democracy that is defending democracy against its enemies to the best of its capabilities

the audit will have to show what its capabilities and priorities are, and whether there are other things that are more important in a situation in which the dangers are more complicated and the funding is limited

there are rumours that there is not enough cyber espionage response and prevention capacity, something all the different auditors for the Minister, the parliament and one I probably forget may have to study and repair


OPRRN NEVER GIVE YOUR RRN OR EID number online if there is no SSL and no official reason to do so

legally, you don't have to give that information in most cases

they don't have the permission to ask for it

and if they want that information, they should protect it with all the security that the Unique Identifier needs

and SSL is the least of it (if it is well implemented)

and even better is that they only ask for it once you have logged in securely to a secured, full-https back-office form (which will probably be under higher security and on other hardware)

just a thought: Ogone became a successful business because it gave e-commerce in Belgium and worldwide the possibility to implement secure e-payment without each online shop having to implement a new e-payment service every time (it is the castle in the (dark) Middle Ages of the insecure Internet)

maybe we need such a service for identification (with all the risks I set out in a post a few hours ago)

But you have the power to say no

and maybe they will start to listen when enough people say NO

just say NO

and if they don't agree, you tell them to go to the privacy commission and get permission (if they ever get one) to collect RRN numbers in an insecure way online ..... and if they don't want to give you the service you have a right to without you giving your RRN number online in an insecure way (together with all the other personal info that could be used for profiling), you go to privacycommission.be

your RRN is not just a number; it is your Personal Unique Identifier for the rest of your life, and changing it because someone used yours is not that simple and will cost you and the state enormous amounts of money, time and effort

support this OPRRN

* link to this post or just distribute the message

* challenge your IT and other people to stop playing with RRN numbers online, or ask advice from your legal department (they will freak out)

* contact privacycommission.be if you find RRN numbers online without protection (post them here too)

and for network people, CIOs and the rest of the IT branch

in security, privacy and risk, less is more: if you don't need it, you don't have to ask for it, and if you don't need to keep it, destroy it (even if there is a chance that you could eventually re-use a percentage of it), because LESS data is MORE money for better security and is for that reason more future-proof


OPRRN: INSECURE Belgian (official) sites ask for personal information for dienstencheques

never heard of SSL protection or secure login before asking for such information

http://www.domestic-services.be/form-avoir-2/

http://www.dienstencheques-rva.be/nl_particulier_inschrijving_form.asp   RRN number and bank account

http://soeasy.sodexo.be/espi_ms/be/home.asp?lang=nl&pagetype=7&in=24  login to "secure services"  INSECURE

http://www.partena-dienstencheques.be/nl/contact/contactformulieren/poets-en-strijkhulp-aanvragen

http://www.thuisdienst.be/insformulier.php  RRN number

http://tpoetshuis.be/index.asp

and so on..... I rest my case

much smarter:

a form to fax

http://www.dienstencheques-rva.be/assets/pdf/particulier_inscription_nl.pdf

just a thought: real thieves could now know when there is nobody at home if they had access to that database, look at the neighbourhood and the houses in Google Street View and plan their visits
