security - Page 90

  • Tridium Niagara AX Framework can and will be exploited if you don't take action

    The vulnerability in the Tridium Niagara AX Framework allows an attacker to remotely access the system’s config.bog file, which holds all of the system’s configuration data, including usernames and passwords to log in to the framework and control systems managed by it.

    Billy Rios and Terry McCorkle, noted security researchers with Cylance, who have found numerous vulnerabilities in the Tridium system and other industrial control systems in the last two years, demonstrated a zero-day attack on the system at the Kaspersky Security Analyst Summit on Tuesday. The attack exploits a remote, pre-authenticated vulnerability that, combined with a privilege-escalation bug, gave them root on the system’s platform, which underlies the devices.

    “The platform is written in Java, which is really, really good from an exploitation standpoint,” Rios said. “Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack].”

    The vulnerability allows them to get root on what Tridium calls its SoftJACE system — basically a Windows system with a Java virtual machine and the Tridium client software running on it — as well as all of the company’s embedded software
    http://www.wired.com/threatlevel/2013/02/tridium-niagara-zero-day/

  • password stealers are password stealers - even for the most strategic networks

    By using Gozi to round up online banking passwords, the hackers were allegedly able to steal tens of millions of dollars. The virus was also apparently responsible for breaching around 190 NASA computers between 2007 and 2012, giving the hackers access to sensitive Gchats and other communications within the aerospace agency.
    http://www.theatlanticwire.com/technology/2013/01/inside-eastern-european-cybercrime-network-brought-down-nasa/61344/

    passwords are dead when you want to protect

    especially very strategic networks

  • how automated host risk analysis and malware analysis is automatically bypassed

    To summarize, Nap is a malicious downloader. It uses the fast flux technique to hide the location/identity of the attacker. Coincidentally, from the New York Times report, the malware used in the recent NYT breach also used a similar hiding technique where the attacker used the university computers as front-end agents and kept switching from one IP to another. Nap employs extended sleep calls, an anti-VM technique to avoid automated analysis systems capturing its behavior.

    Using a long sleep is a classic technique used to stay under the radar of an automated analysis system. In addition to extended sleep calls to evade automated analysis, we have observed many techniques, like hooking to a mouse, that are actively being employed by the advanced active malwares. Our recently published article in Virus Bulletin's February 2013 issue discusses many of these techniques along with the APIs that are actively being employed by malware. In the near future we expect to see malware employing automated analysis evasion techniques combined with network evasion techniques to evade detection.
    http://blog.fireeye.com/research/2013/02/an-encounter-with-trojan-nap.html

    cat and mouse

    long live the sandbox - and that it stays there

  • data about half a million Canadians without encryption and double authentication

    Human Resources and Skills Development Canada (HRSDC), a department of the Government of Canada, was reeling last month after the personal data of 583,000 Canadians was lost on a portable hard drive.

    The drive, which went missing from an HRSDC office in Gatineau, Quebec, contained information relating to 583,000 Canada Student Loans clients from 2000-2006. It also contained the personal information of 250 HRSDC employees. HRSDC informed the public on Jan. 11, two months after the hard drive was found to be missing.

    Information on the drive included student names, social insurance numbers, birthdates, contact information and loan balances.
    http://www.scmagazine.com/hrsdc-loses-583000-personal-data-of-canadians/article/279205/

    encryption and double pre-boot authentication are the twins of data security

  • have you enough bandwidth and processing power to resist a DDoS like this

    Today's denial-of-service attacks consume massive bandwidth, averaging 1 Gbps and frequently topping 50 Gbps, while concealing more subtle attacks aimed at tying up application servers,
    http://www.darkreading.com/vulnerability-management/167901026/security/perimeter-security/240147949/ddos-attacks-spur-concerns-over-infrastructure-weaknesses.html

    think not

    especially if they are targeting load balancers, DNS and switches with specific attacks to tie them down so they can't hold off these attacks and limit the impact

  • OPRRN and political parties publish RRN numbers of their candidates

    and this is on a form of the Flemish administration in which they have to sign that they will respect all the laws

    but maybe it is a good idea to be sure that it is written in big letters that this may never be published online

  • OPRRN and even communes publish RRN numbers in public documents online

    so why does anyone care anymore

    http://www.schelle.be/file_uploads/1636.pdf?_vs=0_N

    1) The municipality of Schelle, represented here by:
    - Mr Mennes Robert Ludo, mayor, residing at Schelle, Provinciale steenweg 144 (identity card number 591.3773727.44);
    - Mrs Van Cauteren Betty Isabella, acting municipal secretary, residing at Schelle, Rollierstraat 23 (identity card number 591.2752842.84);
    acting in execution of the decision of the municipal council of the municipality of Schelle dated #, a certified copy of which is attached hereto.
    Hereinafter called "the seller".
    2) Mrs VAN BOGAERT Simonne Maria Rita, born in Schelle on the twentieth of November nineteen hundred and forty-six, wife of Mr Andreas Raymondus Maria Vandenhende, residing at Aartselaar, Pierstraat 274 (identity card number #, national register number 46.11.20-324.22); married under the regime of separation of property with community of acquisitions, according to a marriage contract executed before notary Paul Hellemans at Hemiksem on the sixteenth of May nineteen hundred and seventy-four.
    Mrs Van Bogaert buys

    so why are we not surprised that there is now ID theft in Belgium

  • OPRRN how your RRN can become accessible all over the web

    So your firm posts a PDF (not really linked or mentioned on a page, but somewhere on its site) with the statutes of some organisation and puts all the legally required data in it (for example eID and RRN numbers)

    http://www.hetzoute.be/pdf-beheer/statuten-aquamarine.pdf

    and in which you will find the following information

    3a) Mr RAPEMAN Jean Pierre (identity card number 2090161506 74
    and national register number 390209 325 44), born in Kortrijk on the ninth of February
    nineteen hundred and thirty-nine, and his wife Mrs DELAEY Nicole
    Elisabeth Maria (identity card number 209 0140574 94 and national register number
    430703 254 26), born in Izegem on the third of July nineteen hundred and forty-three,
    residing at 8510 Kortrijk, Abdis Agnesstraat 35.
    Married under the regime of separation of property with community of
    acquisitions, according to a marriage contract executed before notary Willem Donck at
    Izegem on the thirteenth of July nineteen hundred and sixty-seven, unchanged as so
    declared.
    3b) Mr RADEMAN Paul (identity card number 209 0110838 40 and
    national register number 70.10.29 331-48), born in Kortrijk on the twenty-ninth of
    October nineteen hundred and seventy, unmarried, residing at 8510 Kortrijk, Abdis
    Agnesstraat 35.
    Hereinafter called 'the owner'.

    well, this is not so bad, but this PDF and all of its contents get indexed

    now it is only a link, but what if they have indexed and cached all the personal info in the file

    they are under 123people.ch, Swiss law, but what if it was in Liberia, to take one example
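    The two deeds quoted above show the separator styles in which a rijksregisternummer (RRN) turns up in published documents. As an added example (not from the original post or from any of the sites named in it), here is the pre-publication check a firm could run over a PDF's text before putting it on its web server: it finds candidate eleven-digit numbers in any of those styles, keeps only those that pass the RRN checksum (97 minus the first nine digits modulo 97, with a leading "2" prepended for people born in 2000 or later) and redacts them. The deed excerpt and every number in it are constructed for the example.

```python
import re

# A Belgian national register number (rijksregisternummer, RRN) is eleven digits:
# YYMMDD (birth date), SSS (daily sequence) and CC, two check digits equal to
# 97 minus the first nine digits modulo 97. For people born in 2000 or later a
# leading "2" is prepended to the nine digits before taking the modulo.
# Published deeds write it with varying separators (46.11.20-324.22,
# 390209 325 44, 70.10.29 331-48), so a candidate may mix dots, dashes and spaces.
RRN_CANDIDATE = re.compile(
    r"(?<!\d)(\d{2})[.\- ]?(\d{2})[.\- ]?(\d{2})[.\- ]?(\d{3})[.\- ]?(\d{2})(?!\d)"
)

# Constructed deed excerpt in the style of the quoted documents; every number in
# it is made up. The two RRNs were built to pass the checksum, the "dossier
# referentie" is an eleven-digit number that does not, and the identity card
# and account numbers must not be touched by the scanner.
SAMPLE_DEED = """\
2) Mevrouw VOORBEELD Anna (identiteitskaart nummer 591.0000000.00,
rijksregister nummer 85.03.15-123.69), wonende te Voorbeeldstad, Teststraat 1.
3) De heer VOORBEELD Bart (rijksregisternummer 050612 045 62), wonende aldaar.
Dossier referentie 85031512370, rekening BE00 0000 0000 0000.
"""


def rrn_check_digits(base9: str, born_2000_or_later: bool) -> int:
    """Check digits for a nine-digit RRN body under one of the two century rules."""
    n = int(("2" if born_2000_or_later else "") + base9)
    return 97 - (n % 97)


def is_valid_rrn(digits: str) -> bool:
    """True when an eleven-digit string passes the checksum under either century rule."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    base9, check = digits[:9], int(digits[9:])
    return check in (rrn_check_digits(base9, False), rrn_check_digits(base9, True))


def find_rrns(text: str) -> list[dict]:
    """Return every checksum-valid RRN in text with its offset and written form."""
    hits = []
    for m in RRN_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_rrn(digits):
            hits.append({"digits": digits, "as_written": m.group(0), "offset": m.start()})
    return hits


def redact_rrns(text: str, marker: str = "[RRN redacted]") -> str:
    """Replace checksum-valid RRNs with a marker; other eleven-digit numbers are left alone."""
    def _mask(m: re.Match) -> str:
        return marker if is_valid_rrn("".join(m.groups())) else m.group(0)
    return RRN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for hit in find_rrns(SAMPLE_DEED):
        print(f"offset {hit['offset']}: {hit['as_written']}")
    print(redact_rrns(SAMPLE_DEED))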

  • why android updates must be automatic and faster and why they are not

    Android malware skyrocketed over the last 12 months. Researchers at Kaspersky Lab said that 99 percent of mobile malware detected monthly was targeting Android; in May 2012, there 7,000 unique attacks detected for the platform. Android has the largest mobile device market share, yet users are vulnerable to a number of attacks, the most prevalent being SMS attacks that run up premium calling charges. Malicious applications that drop malware are also rampant on the Google Play marketplace, despite the introduction of the Google Bouncer malware scanner.

    With Android, the situation is worse than a joke, it’s a crisis,” said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union. “With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.”

    http://threatpost.com/en_us/blogs/wireless-carriers-put-notice-about-providing-regular-android-security-updates-020413?utm_source=Threatpost&utm_medium=Left+Sidebar&utm_campaign=Most+Commented

    we should oblige our wireless carriers in Belgium to update any system as fast as possible with some limits

     

  • Belgian insurance industry defrauded for 2 million euro's online by stolen Belgian ID's

    The insurance industry in Belgium has gone into alert and has formed a workgroup to study the problem. It came to their attention last december but they still are not taking the necessary precautions.

    The strategy was to take up an insurance under a certain identity and than at in the last weeks before the end of the contract change the banking number. Two weeks later they were paid out 20.000 to 30.000 euro. When it was discovered the bank accounts were already closed.

    but that doesn't impress me much

    the online insurance industry in Belgium has been hacked and blackmailed by rex mundi who showed he could steal whole databases of information about users

    the online insurance industry in Belgium has been defaced by hackers showing that they are running sometimes on insecure and old software without any monitoring or patching

    the online insurance industry in Belgium asks their users complete details about everything inclusive information on their EID that should be illegal to ask in such an insecure environment especially if they even don't encrypt the website

    so that is why it doesn't surprise me much

    and that is why it is only going to be much bigger and growing untill they will do what the banks have been doing

    just to survive

  • hack of the day : gumtv.be

    GUM TV | Empowering the talented
    gumtv.be/ - Vertaal deze pagina
    GUM TV showcases videos of mainly unsigned Belgian artists/talents. The program airs daily from Monday to Sunday.GUMTV can be watched in Flanders

    http://www.zone-h.org/mirror/id/19251269

  • some samsung phones can be easily rooted with an exploit

    Alephzain said that he stumbled upon the vulnerability while trying to find a new way to root his Galaxy S3, but that the exploit affects the Galaxy S2, Galaxy Note, and Meizu MX as well. However, the Nexus 10 is unaffected as it uses the Exynos 5 chip.

    Alephzain developed an exploit he said bypasses the system permissions, allowing any app to extract data from the device's RAM or inject malicious code into the kernel.
    http://news.cnet.com/8301-1035_3-57559495-94/suspected-security-hole-found-in-many-samsung-devices/

    this is enough reason to block any update and install on one of these machines

  • flame virus techniques now used in banking trojans using digital certificates

    Security vendor Malwarebytes has uncovered a banking Trojan capable of bypassing traditional security by spoofing legitimate digital certificates. The certificate used by the malware is usually legitimate but it's now being sent out by a fake-company set up to get hold of the certificates from Digicert. The certificate allows the hacker to sneak a malicious PDF file infected with the Trojan past most computer security systems. Malwarebytes said that the malware had already targeted a slew of high-profile firms.

     

    "The malware is a banking/password stealer using email to spread. It appears to be a PDF invoice with a valid certificate issued to a real Brazilian software company which was issued by SSL certificate authority DigiCert," senior security researcher at Malwarebytes Jerome Segura told V3.Digital certificates are coded signatures used by companies to guarantee the authenticity of a file they are sending.The attack bears striking similarities to the Flame and Stuxnet malwares. Flame broke new ground in 2012 being the first malware able to mimic a Microsoft update certificate.

     

    "This Trojan is a new breed of intelligent malware, able to fool even the most acclaimed digital certificate authorities. Cyber criminals are finding new and more deceitful ways to disguise malware as trustful programmes in order to attack systems and take your personal identity," said Segura.
    http://www.v3.co.uk/v3-uk/news/2241553/malwarebytes-uncovers-digital-certificatespoofing-trojan

     

  • where a simple wordpress blog on a site could lead to (yahoo compromise)

    Last week, security researchers disclosed a breach of Yahoo Mail that exploited a bug in WordPress (CVE-2012-3414) which happens to be used in the Yahoo developers blog. This allowed attackers to circumvent the same-origin policy and steal Yahoo Mail users’ cookies and obtain their contact lists. The details of the attack are described here.

     

    After clicking a malicious link, unsuspecting users were redirected to the phishing site www[.]msnbc[.]msn[.]com-im9[.]net, which would appear to many to be legitimate MSNBC content.

     

    The phishing webpage belongs to a subdomain of com-im9[.]net. The whois information shows the domain com-im9[.]net was registered on Jan 27th via a Ukrainian registrar but stayed dormant (did not resolve to any IP) for 2 days.
    http://labs.umbrella.com/2013/02/05/a-look-into-the-yahoo-mail-compromise-from-the-dns-perspective/

  • the top 30 most dangerous hosting countries in the world according to opendns.com

     

    so if you can filter by network there are some networks that you can block and it will give you a security return

    on investment that would cost you thousands if you would pay a proxy to do this

    we are not anymore in it, thanks to cert and dns.be

  • opendns will be offering a new free security analysis service for researchers

    Shortly after I joined OpenDNS last year I blogged about the need for security vendors to evolve from a strategy of ‘collect and react’ to a foundation of ‘real-time adapt’. It’s the key to ensuring that security vendors move from being a step behind cyber criminals to a step ahead of the pace of technological change. Part of achieving this vision involves effectively harnessing and analyzing Big Data so that we can predict unknown threats, rather than simply block known threats.

     

    The Umbrella Security Graph enables our researchers to access a global view of Internet connections and traffic patterns and apply sophisticated analytics and scoring capabilities. Combined with machine learning, graph theory and related algorithms, the Umbrella Security Graph allows us to deliver predictive Internet security protection to customers. It’s just the beginning of our move into predictive security intelligence. We look forward to seeing how partners might contribute additional data scoring techniques, data mining capabilities and visual graphs to help us further transform Internet security.

     

    We will be announcing more details on how to get access to the Umbrella Security Graph in early March. Please follow us on Twitter to stay up-to-date @thinkumbrella.
    http://labs.umbrella.com/2013/02/05/introducing-the-umbrella-security-graph-where-big-data-meets-security/

    opendns is what dns should be but it doesn't seem to be free anymore

    at the other side it blocks an ever increasing number of badsites

  • how to invite automatic defacers by publishing your technical details

    when you publish this

    you don't have to be astonished that mass defacers will use Google with such searchterms, find you and have

    exactly the latest exploit to attack your site and change everything they ever dreamt of

    when you do this in Google you will find a lot more of these

    mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1  site:.be

    and put the word for example 'shop' behind it

     

  • how does a fucked up belgian site .be look like ?

    like this

    and yes you have all the administrator and technical information you need

    and so it was hacked (no, really ?)

    <!-- hacked by Gabby --> <!-- Indonesian Female Hacker --> <!-- http://www.thecrowscrew.org --> <HTML> <HEAD> <link href='http://adeesign.com/wp-content/uploads/2009/08/Bendera-indonesia-berkibar.gif' rel='SHORTCUT ICON'/> <META NAME="Keywords" CONTENT="The Crows Crew, Yogyacarderlink , Gabby Was Here ,Indonesian Female Hacker, Pwned By Gabby , Hacked By Gabby"> <TITLE>[+] Hacked By Gabby [+]</TITLE> <style type='text/css'> <!-- .style1 { color: grey; font-family: Courier New, Helvetica, sans-serif; font-size: 20px; } .style4 {font-size: 15px} a:link { color: grey; text-decoration: none; }
    http://www.chikara.be/d0b31fbcc22831493957623bbc0dae2e

    but luckily nobody placed some shells or phishing on it...... yet

    and google gave it already

    Index of /
    www.chikara.be/ - Vertaal deze pagina
    ... (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.chikara.be Port 80.

  • as barreaux de bruxelles doesn't close down, expect us

    we have written to them asking them to close down their extranet

    and set up a security operation

    we will go further in our analyses

    using only legal informationsearching tools - nothing illegal, accessing or scanning nothing

    but the lawyers need to know how bad it is

    opbdbxl is coming if they don't do something

    this is too dangerous for too many people to stay as such