02/02/2013

regetel.be belgian crisiscommunication website not only hacked but also very unsecure

regetel is the crisis communication website for when our country has a natural disaster, a big terrorist attack, an explosion, internal revolts, a cyberwar or war

"All 100 centres (medical emergency calls), the governors' crisis centres (CCPROV) and the permanent units of Civil Protection have been connected. The connections to other important crisis centres such as the Maritime Rescue and Coordination Centre (MRCC) in Ostend, the Maritime Information Crossroads (MIK) in Zeebrugge, the secretariat of the Zeewacht in Ostend, important sites of Fluxys, Electrabel, Elia, nuclear installations in Doel and Tihange, dispatching centres of the Red Cross and the crisis cells of the Communication and Information Centres (CICASTRID) were recently completed or are in progress."

it is the website that should make sure that everybody knows who they have to talk to, and that manages the crisis telephone network that is put into place (of which it has placed the directory online for everybody to see)

oh yes and it uses VOIP (that is telephone over the internet, block the internet and there is no telephone) but they also have public telephone numbers.

do you understand now how critical this may become ?

then go here : http://www.regetel.be/master/RegetelFlex.swf  an external login page with password (and NO SSL encryption) so all these passwords are in cleartext, and even if they were encrypted, such a network should have double authentication, because in times of crisis you don't have time to reset stolen or abused passwords or to double check the identity of someone, you have to be absolutely sure

and how were they hacked ?  even more stupidly probably

http://www.regetel.be/index.php?option=com_search&view=search  this page is hacked, and it is a search page, which means that they were probably hacked by sql injection. Now sql injection is as old as the year 2000 and should be known as something to check for before you put anything online; there are even specialised tools, and the better professional coding tools have the protections integrated when you start coding search forms and so on

it also means that this network or site has never had an external securitytest because this would have been found immediately

it also means that this network or site is not behind a good Web Application Defense or that the application is so badly coded that no Web Application Defense will be able to protect it

one of the three telephone directories  dutch  french

and if you are planning an attack on the VOIP network you should know where the system is developed or just not (so that there are still bugs you can use). That you can see on this page without password (the page is hacked so you can't see it now)

read this also for background information

http://webcache.googleusercontent.com/search?q=cache:-s6ZXTscL8cJ:www.regetel.be/index.php%3Foption%3Dcom_content%26view%3Darticle%26id%3D3%26Itemid%3D6%26lang%3Dnl+&cd=17&hl=nl&ct=clnk&gl=be&client=firefox-a

this is a form

http://webcache.googleusercontent.com/search?q=cache:W1l3eIsCGoUJ:www.regetel.be/index.php%3Foption%3Dcom_contact%26view%3Dcontact%26id%3D4%26Itemid%3D27%26lang%3Dnl+&cd=21&hl=nl&ct=clnk&gl=be&client=firefox-a

but the best I found with web-sniffer.net

Date: Sat, 02 Feb 2013 12:38:13 GMT  
Server: Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a  
X-Powered-By: PHP/5.2.10

not one part of this is patched and in order, and really, OpenSSL for highly critical networks ? Didn't have the 200 euros for a real certificate ?
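As an added example (not part of the original post), the banner above can be split into its components and compared against a patch floor. The `BASELINE` versions are hypothetical policy values chosen for illustration, not vendor support data.

```python
import re

# Header values copied from the web-sniffer output quoted above.
HEADERS = {
    "Server": "Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 "
              "mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 "
              "mod_ssl/2.8.31 OpenSSL/0.9.7a",
    "X-Powered-By": "PHP/5.2.10",
}

# ASSUMPTION: hypothetical minimum versions for this example only; a real
# baseline comes from the operator's own patch policy and vendor notices.
BASELINE = {"Apache": "2.2", "PHP": "5.3", "OpenSSL": "0.9.8"}

# product/version tokens; comments such as "(Unix)" carry no slash and are skipped
TOKEN = re.compile(r"([A-Za-z][\w-]*)/(\d[\w.]*)")


def parse_banner(value):
    """Split a Server-style header into (product, version) pairs."""
    return TOKEN.findall(value)


def version_key(version):
    """'0.9.7a' -> [(0, ''), (9, ''), (7, 'a')], so versions sort correctly."""
    key = []
    for part in version.split("."):
        match = re.match(r"(\d*)(.*)", part)
        key.append((int(match.group(1) or 0), match.group(2)))
    return key


def audit(headers, baseline):
    """Return (header, product, version, status) for every disclosed component."""
    findings = []
    for header in ("Server", "X-Powered-By"):
        for product, version in parse_banner(headers.get(header, "")):
            floor = baseline.get(product)
            if floor and version_key(version) < version_key(floor):
                status = "below-baseline"
            else:
                status = "version-disclosed"
            findings.append((header, product, version, status))
    return findings


if __name__ == "__main__":
    for finding in audit(HEADERS, BASELINE):
        print(*finding)
```

Suppressing the banner (Apache `ServerTokens Prod`, PHP `expose_php = Off`) removes the disclosure finding but not the unpatched software behind it.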

jokers

oh yes, if you have taken this down, you will have to take everything to the dustbin because how will you be 100 percent sure that there are no backdoors, keyloggers, sleeping accounts, insert bugs or timebombs

CLOSE THIS SHIT DOWN - and we will be more secure (oh and by the way you will have to change the numbers because they were distributed among the cybersoldiers all over the world who one day may decide to do an undercover operation against the capital of the European Community or something like that)

don't shoot the pianist - I already said and blogged about this stupid website in......2008 and before the belgian parliament during hearings


regetel.be belgian crisiscommunication coordination website still hacked (close it down)

waaahaahahahaha

instant crisis communication  where are the cybersoldiers


oprrn more unsecure belgian ehealthservices with only rijksregisternummer

http://www.digitalewachtkamer.be/%28S%28ul41ri453gyxuo55pi3ytp55%29%29/Users/newaccount2.aspx?D_ID=467


oprrn = unsecure e-health, get any medical file if you know the rijksregisternumber and some public info

http://opleiding.e-zorgplan.be/login/Directlogin.aspx?ReturnUrl=%2f


hacked : website regetel, the national disaster communication network in belgium

the website is built in Joomla and was hacked yesterday

and even the website itself is just stupid in dataleakage because you can find all the numbers of all the critical offices and administrations that should be contacted if there is a disaster in our country

"The REGETEL Project Office (Telecommunications Network of the Government) presents its telephone directory to you. The REGETEL network is an important part of the full range of alternative communication systems that the federal government makes available in the event of a crisis. Since 2004 the REGETEL Project Office has been part of the Directorate-General Crisis Centre, FPS Interior. The REGETEL network has autonomous voice servers, autonomous technical services and, in Brussels, an autonomous network. This makes it possible to offer the user an independent and alternative means of communication. The main applications are telephone and fax traffic, but data traffic is also possible."

you can download the full list of the telephone numbers here (yes it is fully public, totally stupid to do that but all these important overpaid crisismanagers have decided to make it fully public on the internet for all to see)

the fact that this site is hackable makes it totally insecure and, in a time of cyberwar, a target; it may still be possible to find information there, but some of that information may have been changed, or some files that everyone will download may have been infected by trojans

so in cyberwar we will have no crisis website because it will be hacked

and just for your information

the page where the hacking began already showed some errors in Google

Gedetailleerde tabel van de projecten - Regetel

www.regetel.be/index.php?option=com_content&view...

14 dec. 2009 – Regetel Hotline. OK. Send failed. Client.Error.MessageSend. OK. Send failed. Client.Error.MessageSend. OK. Send failed. Client.Error.

and you don't need more to know as a hacker that that website has so many problems that you can hack it all


02/01/2013

best joke - the 404 page of vlaanderen.be makes you feel stupid like a cow


belsec blocked by bluecoats - censorship because there is no hacking here

this was a visit

46.235.154.39 UK - blue coat systems inc 1 feb 14:14 Nederlands http://notify.bluecoat.com/notify-Coach?http/bels

and that site says

If you were expecting another web site, this may be the result of a configuration error in your network. The domain notify.bluecoat.com is the default "virtual hostname" for user notification pages produced by security appliances from Blue Coat Systems, Inc. Requests in your network for that host should be intercepted by the appliance. Please seek assistance from your network administrators.

If you came to notify.bluecoat.com deliberately, you have now seen the entire site.

translation

the users have seen that their bluecoat has blocked belsec.skynetblogs.be for its securitypeople so they can't read things about insecurity

stick your head in the sand

there is also dataleakage, because the full url gives this, which seems a lot of information to send out if decrypted

http://notify.bluecoat.com/notify-Coach?http/belsec.skynetblogs.be/aHR0cDovL2JlbHNlYy5za3luZXRibG9ncy5iZS9hcmNoaXZlLzIwMTMvMDIvMDEvb3Bycm4tbW9yZS1zZXJ2aWNlcy10aGF0LXVzZS1ycm4tYXMtbG9naW4uaHRtbD91dG1fc291cmNlPWRsdnIuaXQmdXRtX21lZGl1bT10d2l0dGVy
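The trailing segment of that URL is Base64-encoded, not encrypted, so anyone who sees the notification URL can read the full address of the blocked page. An added example (not from the original post) that decodes it; the `scheme/host/base64` layout of the query is an assumption inferred from this one URL, not from vendor documentation.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The notification URL quoted above, with its two fragments joined.
NOTIFY_URL = (
    "http://notify.bluecoat.com/notify-Coach?http/belsec.skynetblogs.be/"
    "aHR0cDovL2JlbHNlYy5za3luZXRibG9ncy5iZS9hcmNoaXZlLzIwMTMvMDIvMDEv"
    "b3Bycm4tbW9yZS1zZXJ2aWNlcy"
    "10aGF0LXVzZS1ycm4tYXMtbG9naW4uaHRtbD91dG1fc291cmNlPWRsdnIuaXQm"
    "dXRtX21lZGl1bT10d2l0dGVy"
)


def decode_notify_url(url):
    """Return what a notification URL reveals about the blocked request.

    ASSUMPTION: the query has the shape scheme/host/base64(original URL).
    """
    scheme, host, blob = urlsplit(url).query.split("/", 2)
    # Accept the URL-safe alphabet as well, and restore stripped padding.
    blob = blob.replace("-", "+").replace("_", "/")
    blob += "=" * (-len(blob) % 4)
    original = base64.b64decode(blob).decode("utf-8", "replace")
    parts = urlsplit(original)
    return {
        "scheme": scheme,
        "host": host,
        "original_url": original,
        # Does the cleartext host agree with the host inside the blob?
        "host_matches": parts.hostname == host,
        "path": parts.path,
        # Campaign/tracking parameters show how the visitor reached the page.
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


if __name__ == "__main__":
    for field, value in decode_notify_url(NOTIFY_URL).items():
        print(f"{field}: {value}")
```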


NYT hack : see how stupid passwords are

they are working with confidential sources and confidential material

now they claim that 'hackers' have 'hacked' their systems

no, they had access to their systems because they had the passwords of 50 employees

but hey, why are you still using passwords in a confidential environment

last year more than 40 million passwords were publicized on the net (and let's not forget all those that are not publicized)

DOUBLE AUTHENTICATION should be the norm, passwords are for dummies, crybabies

and have you ever heard about encryption and dataleakage prevention (do you have a security officer who knows what security is and has power and budgets to do something instead of going to presentations and having blablabla meetings)

so don't blame everybody else - blame yourself - and do something about it

if you want to be a trusted online source and publication you should have security people can trust

what will be the next thing : changing an editorial of the NYT or leaking internal files that were leaked to you or your sources or internal telephone number book with all your sources ?


no more blablabla do something - belsec in action mood

we will not hold back anymore waiting this and that and just telling it to the cert and hoping that somebody will do something about it

we will only hold back when we see that people are in danger and when we know that the service managers did something before and are willing to do something fast

we will never access systems or log in

we will never steal files or change settings

we will never NEVER access systems with specialised PC software - google is our friend as are online services that anybody can use (securitymanagers of big systems or networks can send me their contactdetails so I can warn them if there is something that may concern them - but on one condition and that condition only - never ask for sources and never put me under investigation as I do nothing more than googling and watching the net)

we will not wait for the NEXT big ones (oh there was already a big one ?)

tips are always welcome - but respect the groundrules (do not log in and do not abuse the information and do not publish it before contacting me). The publication of the nmbs file online was done with good intentions but was quite badly executed and was a new dataleak in itself.

Let's make this interesting times (to make it less interesting for real hackers and criminals)


OPRRN 2 : VDAB.Be look at the unemployment file of any person of which you know the RRN

first you have to know the RRN number of somebody

we didn't do anything and we didn't try it as this is illegal

I don't have a file there, so I can't know

it seems that they know that it is insecure but as long as nobody publishes about it they won't do anything about it - I HAVE NO IDEA WHAT YOU CAN DO WITH A FILE (change information for example, put as experience that you are a pimp :) )

and if nobody publishes about it in Belgium, then why shouldn't I do it

I REPEAT :  DO NOT ABUSE THE SYSTEM AND I DIDN'T DO IT

vdab   CLOSE  THIS DOWN  THIS IS BAD STUPID AND SO ON

 

we will continue OPRRN in the coming days

all tips are welcome but on one condition

DO NOT LOGIN AND DO NOT ABUSE THE INFORMATION

not everything will be published if people are put in danger - but here the case has been brought to the attention of the VDAB according to different sources time and time again without any effect


OPRRN : more services that use RRN as login (update : some are reacting already)

https://www.mtc-it2.be/DELEGE/DelegeNl.swf   as ID  password needed  - doctors

https://www. SERVICE HAS NOTIFIED IT WILL CORRECT THIS  as ID password needed - Vlaamse Examencommissie and also to recover your password but you will have to control also the emailaddress from your target and also that http://www. SERVICE HAS NOTIFIED IT WILL CORRECT THIS /index.htm  vlaanderen.be is going to a private host somewhere for its logins is dangerous (xss), legally problematic and why do you have an authentication server at vlaanderen.be ?

http://www.vdab.be/login/   password or RRN   (you still need a password)  no https

https://www.emut.be/EMUT2/Authentication.aspx?fed=311&lcid=2067&netw=INTER   mutualiteit but you need a password, the login itself is something to get

http://www.g-o.be/Net_KandTijd/  no https  RRN and password  for future teachers

https://www.ebcs.be/PensionPortal/Login.aspx?ReturnUrl=/pensionportal/Default.aspx&bol=yes  social secretariaat RRN and password

http://www.west-vlaanderen.be/provincie/nieuws/ezines/burenbijkunstenaars/2011%20e-zine%20buren%20bij%20kunstenaars%20-%20april%202011.html  want RRN from artists to login

http://www.denderleeuw.be/nl/160/restricted/login/index.html?print=1  extranet without https - login is RRN and password needed

http://www.cursoa.be/registratie/registreer0.asp  even better, if you have the RRN of somebody you can make him a member of this - no verification

http://www.oz.be/onlinekantoor/registreren  register somebody here without verification of EID you only need an RRN  no https

https://www.euromut.be/MyEuromut/login.htm?language=nl_BE#popup_password  use of RRN (you need to know also the username and have control over the emailbox)

http://wingene.grabbis.be/login.php  make an account if you have an RRN and the name and family name  no https

http://b-rocks.be/login.php  RRN and password no https


OPRRN : close down RRNlogin at solidariteit.be please

this is the most stupid thing I have ever seen and I still can't believe nobody has ever said to those organisations that this is the most stupid thing that they could ever do but even then they do it  (and where is their security officer, doesn't he know that it is insecure and that this is NOT a way to do such things)

will somebody wake up around here - this is asking for dataleakage - there were RRN's leaked on the web before (Rex Mundi leaked some) and some other were or are published or are in insecure databases online (in a more complex operation you have to hack first these databases to get the numbers and be sure that there are numbers in it that you may use in another database)

stupid stupid stupid

close it down and get back with a real solution before it is too late and don't shoot the pianist

you are handling the most important files for your organisation, those of your workers, for which you are legally the most responsible, in a totally insecure way

http://personeel.solidariteit.be/    no https  only RRN needed to logon

but what is this then https://esol.solidariteit.be/secure/logon.aspx with password and certificate

you can do it differently

portal for EID authentication at vlaanderen.be uses insecure ssl

 

the reason is that they listen too much to marketing and not enough to securitypeople, but the question is how can you market a program as secure if it isn't set up as a secure service ? People never like security when they first see it, until they use it and become used to it and then begin to feel safe because of it, and afterwards they never want to go back to the old insecure situation again

this is the report (time to get the specialists in I would say)

this means that it isn't that hard

* to bring the service down

* to intercept the data (from the EID and with the PC) if the PC is infected (banking or password or datastealing trojan, the most popular viruses nowadays)

Secure Renegotiation Not supported   ACTION NEEDED (more info)
Insecure Renegotiation Supported   INSECURE (more info)
BEAST attack Vulnerable   INSECURE (more info)

with this grade this means that they wouldn't be accepted in the US as compliant for egov services

Server signature Apache
Server hostname authentication.vlaanderen.be
PCI compliant No
FIPS-ready No


the national register number (rijksregisternummer) as Unique Identifier - in some municipalities they take this very far

this is a complaint mail from person x about city y but this is the case with more and more services

"I am a resident of the city and regularly use this city's digital counter:

I use the registration form for childcare several times a month: registering, cancelling, both for before- and after-school care and for the holiday programme. For this I use the national register number of my children. And this is where the shoe pinches for me; the number alone is enough to carry out these things. So any person who knows the national register number of my children can carry out this action. I find this very unsafe; my personal data (or that of my children) is insufficiently protected. Additional protection, as far as I am concerned preferably a token or eID, is necessary.

Access to the library also happens in this insecure way. A national register number is enough to see which books I read (that is nobody's business), to reserve books in my place, to extend the loan period, ... Here too I find additional protection necessary."

if the shoe fits, wear it

it is not because the national register number is on your EID that it is PUBLIC data that can simply be used as the ONLY IDENTIFICATION (sometimes even without EID)

it is time for the privacy commission to deliberate publicly about this again, because the number of forms with national register numbers without the necessary protection, and the use of the national register number as login (e.g. at the army), is slowly but surely leading to it getting the same status as the social security number in the US, where they now have so many problems with it that they want to introduce an EID.

a number is just a number and nothing more than a number and proves nothing other than that you know the number (because it is you, because you found the number or because you were able to guess the number, since it is NOT A GOOD NUMBER as sole identifier because there are too few unknowns)

and if you use EID, have it done and checked by specialists and not by people who found it somewhere on the net, enough insecure EID solutions have been installed already

 


01/31/2013

hack of the day : webshopawards website (as an example)

so we give the award in 2013 to sejal


more about cma.be the online medical defaced dataservice

you can get your medical results here

https://online.cma.be   (but that is also running IIS 6)

and what is the use of installing ssl encryption if you do it the wrong way 

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.cma.be%2Fonline%2FDefault.aspx

so whatever one says here there is no security blablablabalbal

Security of your Personal Information
Centrum voor Medische Analyse secures your personal information from unauthorized access, use or disclosure. Centrum voor Medische Analyse secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. When personal information (such as a credit card number) is transmitted to other Web sites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.
http://www.cma.be/Home/tabid/36/ctl/Privacy/Default.aspx

and it does not conform to the latest technologies as stated here

After a complete facelift and complete recoding of the software, the new website for the online results is available! The website fully conforms to the latest developments in the field of software and was built on the .net framework 3.5, microsoft visual studio 2008, XML and CSS technology
http://www.cma.be/Arts/iLabOnlineHelp/tabid/268/Default.a...

because just as this documentation shows their website dates from 2008

see this documentation  http://www.cma.be/Portals/0/downloads/online.pdf

and Microsoft visual studio is already in version 2012 and IIS in 7.5 (so not the LATEST)

if this is e-health, then we can expect some things and we shouldn't be surprised to have found excel tables from a bloodbank online

another defacement in jobsindehandel.be (forem-vdab) and what forem does a little better

this is one

 

but the french speaking forem does something right that the VDAB does totally wrong: when you click on french and you click on information or to insert information, then you go to the site of Forem.be, you don't stay on this site with a shitty security

but this doesn't say that the forem encrypts its information (or your information)

http://www.leforem.be/particuliers/chercher/CV/creer-un-CV-simplifie.html

but it is already under its own domain making an xss attack or injection more difficult


another belgian online creditcompany defaced and unsecure

this is the hack- sending out the warning to everybody that they are vulnerable

this is them

and they have also an unsecure webform in which personal and financial data is in CLEARTEXT

and they are running NO HTTPS and still on ...... yeah   not IIS 7.5 but

Server: Microsoft-IIS/7.0  
Set-Cookie: .ASPXANONYMOUS=BVI6kFo2zgEkAAAAMjAwYjMxMmQtYjY1OS00MGUyLTgwNjctYzI5MGU5ODBjYjgy0; expires=Thu, 11-Apr-2013 02:16:23 GMT; path=/; HttpOnly  
X-AspNet-Version: 2.0.50727  
http://www.web-sniffer.net   (better but not perfect enough to secure a website with that kind of data)


yahoo spamfilter too stupid to stop phishing for yahoo logins

first never use those messages

hover with your cursor over the link and you will see that it is not the yahoo.com domain so it is false

but what is most astonishing

is that Yahoo's spamfilters are normally very good

and because they are so good, people begin to think that yahoo messages that arrive in their inbox are real messages from Yahoo: they see so little spam there (and so much in their spambox) that they think that anything that has passed the very good antispamfilters is real

yes, really that is the biggest danger of nearly efficient spamfilters - that people think that the 1% that gets through is genuine

what should yahoo do

first you should educate the people with a banner or warning above the mailbox stating that yahoo or any other service will never ask for your logins by email or to change them by email

secondly you could make a servicewarning - together with other big operators - in a banner or servicepage in which you could place warnings (not about an email but that people have to relog to for example this website to change their credentials)

third you could make a special button in the mail in which you could send all emails asking for your yahoo logins that comes in the mailbox of a 24H team that will immediately put them into the filters for the future ones (and set up the procedure to kill the phishing page online)

fourth you should augment your spamfilters with everything that is yahoo service or login message or in which the link that message has doesn't belong to the yahoo domain (even if the link is in text)

fifth you should make spamfilters refilter the last 100 messages or so to empty the box from spam that has only been identified as such afterwards

sixth never trust emails instantly, take your time, nobody is going to kill you if you have waited a day, to see it disappear into the spambox
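The fourth point, sketched as an added example (not Yahoo's filter and not from the original post): flag brand login messages whose links, hyperlinked or in plain text, leave the brand's domain. The keyword list, the sample messages and the `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "yahoo"               # brand name looked for in the message text
BRAND_DOMAIN = "yahoo.com"    # only this domain and its subdomains are trusted
# ASSUMPTION: small keyword list chosen for this example.
LOGIN_WORDS = re.compile(r"\b(log ?in|sign ?in|password|verify|account)\b", re.I)
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages.
PHISH = ('<p>Dear Yahoo user, verify your password here: '
         '<a href="http://yahoo.com.account-verify.example/login">'
         'https://login.yahoo.com/</a></p>')
TEXT_ONLY = "Yahoo Mail: confirm your password at http://mail-yahoo.example/reset"
GENUINE = ('<p>Yahoo: your password was changed. Review it under '
           '<a href="https://login.yahoo.com/account">account settings</a></p>')


class LinkCollector(HTMLParser):
    """Collects [href, anchor text] pairs and the text outside anchors."""

    def __init__(self):
        super().__init__()
        self.links, self.outside, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
            self.links.append(self._open)

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

    def handle_data(self, data):
        if self._open is None:
            self.outside.append(data)
        else:
            self._open[1] += data


def belongs_to(host, domain):
    """True for the domain itself or a real subdomain, not a lookalike prefix."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_message(body):
    """Return the reasons a brand login message looks like phishing."""
    parser = LinkCollector()
    parser.feed(body)
    parser.close()
    outside = " ".join(parser.outside)
    text = outside + " " + " ".join(label for _, label in parser.links)
    if BRAND not in text.lower() or not LOGIN_WORDS.search(text):
        return []                       # not a brand login message
    reasons = []
    for href, label in parser.links:
        host = urlsplit(href).hostname
        if not host:
            continue
        if not belongs_to(host, BRAND_DOMAIN):
            reasons.append(f"link target {host} is outside {BRAND_DOMAIN}")
        shown = URL_IN_TEXT.search(label)
        if shown and urlsplit(shown.group()).hostname != host:
            reasons.append(f"anchor text shows {shown.group()} but points to {host}")
    for url in URL_IN_TEXT.findall(outside):   # links that are only text
        host = urlsplit(url).hostname
        if host and not belongs_to(host, BRAND_DOMAIN):
            reasons.append(f"plain-text URL to {host} is outside {BRAND_DOMAIN}")
    return reasons
```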


hacked medical labo website asks belgians a lot of medical information (close it down)

so when a website is defaced it doesn't mean that it is penetrated and hacked but it means that automated vulnerability scanners have found a way to inject information but this doesn't necessarily mean they have rooted the server and have access to the database

but it does mean that there are a few problems with the server and that, if the defacement is old enough, nobody is watching over the security of the server, and so it indicates that those servers are like houses without strong frontdoors or with windows open on the ground level when everybody leaves for holiday (which doesn't mean that they will find the jewels)

but that on the same server there is an UNENCRYPTED LOGIN and an UNENCRYPTED FORM that asks all that information in CLEARTEXT is just enormous

imagine all that information being in a database and that database being leaked on the internet

but that information can be hackable because it is running a very old server version against which we are campaigning (like Microsoft itself) as being totally undefendable (meteokust.be uses it)

oh and this is the hack

and Google cache says this dates from "This is a snapshot of how the page looked on 31 Dec 2012 19:01:20 GMT"  exactly one month old

and even more there is a second page - they also didn't see

http://www.cma.be/Portals/0/ulow.txt

this is the reason why

Connection: close  
Date: Thu, 31 Jan 2013 14:52:32 GMT  
Server: Microsoft-IIS/6.0  
MicrosoftOfficeWebServer: 5.0_Pub  
X-Powered-By: ASP.NET  
X-AspNet-Version: 2.0.50727  
http://www.web-sniffer.net

CLOSE THIS DOWN AND UPGRADE
