For our English readers: Belsec wants our computer crime unit, the .be domain extension authority and the justice department to develop a fast-track procedure to block the new fast flux DNS botnets at the DNS level, because it is the only way to stop them. In a fast flux DNS botnet the sites are hosted on a different hacked or infected computer or server every few minutes. It will not be possible to bring those down in time using the normal legal procedures. Blocking the domain names after a quick check is the only way.

The Belsec blog of the Belgian (and international) Security Bloggers Network has spent the past two days drawing the government's attention to a new phenomenon for the Belgian .be and the European .eu domain: these domains were being used in a fast flux DNS botnet whose domain names are used for phishing.

To explain it simply:

A botnet is a network of infected computers (also called zombies) that receive orders from a central computer (the command and control server) to carry out a certain task without the owner of the computer noticing. This can range from hosting web pages and relaying spam to attacking websites.

Phishing is when counterfeit login pages of banks and other institutions are placed on various sites, after which an email with a link to the fake login page is sent to as many customers of those banks as possible. The aim is to obtain these people's logins and then empty their accounts.

DNS is the system that translates the name of a web address or URL, as we know them, into the IP address (a series of numbers) of a server.

Fast flux, which rose to prominence last year, is used by botnets to be less vulnerable when the command centre is discovered and to make discovery harder. The URLs or web addresses are pointed, by a series of small DNS servers, to ever-changing IP addresses of infected computers or hacked servers; the answers carry very short TTLs, so resolvers ask again every few minutes and get a different address. In the case of the Belgian addresses we saw them end up in Spain one time and in Japan another. According to Arbor Networks these two botnets using .be and .eu consist of a few dozen IP addresses that serve these URLs.

The Belsec researchers noticed that on Tuesday a whole series of .be and .eu addresses appeared in Phishtank.com and that each address carried several pages with different logins. They also turned out to be coded in the same way, and the names resembled each other. It also turned out that the addresses had been bought the day before at DNS.be.

The only way to bring these internet addresses down is to block them at the DNS level. It is practically impossible to locate the dozens of zombies quickly enough and have them deactivated, especially if the zombie network uses different zombies in different countries every day.

DNS.be and FCCU.be will have to work with the justice department to agree on a fast-track procedure to take preventive action in this case, and in other cases where there is unmistakably such a fast flux botnet being used for phishing. A fast flux botnet can be identified quickly because it has very distinctive characteristics.

As far as Belgian insecurity on the internet is concerned, Belsec works together with Arbor Networks, which has already mapped this specific form of botnet. Their list of more than 2000 domain names in use gets new entries daily. Among them there is now also a series of .be and .eu domain names.

We must not give the impression that the .be domain is easy to exploit for a quick scam operation because it is assumed that our justice system and response capability are too limited and bureaucratic.

In this fast-changing e-crime economy an adapted response is therefore needed. Belsec makes this call to warn the responsible policymakers preventively that if it is not shown now that the .be domain cannot be abused like this, we run the risk that the international e-crime economy will abuse our domain even more massively.

The sequence in reverse order (latest event first):
newest domain names involved
Arbor Networks confirms our research
We think it is a fast flux phishing botnet
We make the first discovery of these strange .be domain names in phishtank.com
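The post says a fast flux botnet "can be identified quickly because it has very distinctive characteristics" but does not show how. As an added example (not code from Belsec, Arbor Networks or DNS.be), the script below scores repeated DNS answers for a domain on three of those characteristics: short TTLs, many distinct A records over a short window, and addresses spread across unrelated networks. The thresholds, the /16-prefix stand-in for "different network" (a real deployment would use ASN or country lookups) and the sample answers are all assumptions made for this example; the domain names are constructed placeholders under the reserved .example TLD and the IP addresses come from the documentation ranges, so none of them denote a real registration or host.

```python
"""Flag fast-flux-like domains from observed DNS A-record answers (example code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Answer:
    """One observed A-record answer (all values in the sample below are constructed)."""
    ts: int      # observation time, seconds
    qname: str   # queried domain name
    ip: str      # address returned in the answer
    ttl: int     # TTL carried by the answer


def _prefix16(ip: str) -> str:
    """/16 prefix of an IPv4 address: an offline stand-in for 'different network/AS'."""
    packed = int(ip_address(ip))
    return f"{(packed >> 24) & 0xff}.{(packed >> 16) & 0xff}.0.0/16"


def summarize(answers: List[Answer]) -> Dict[str, dict]:
    """Per-domain statistics: distinct IPs, distinct networks, median TTL, observation window."""
    per_name: Dict[str, List[Answer]] = defaultdict(list)
    for a in answers:
        per_name[a.qname].append(a)
    stats = {}
    for name, obs in per_name.items():
        stats[name] = {
            "queries": len(obs),
            "distinct_ips": len({a.ip for a in obs}),
            "distinct_prefixes": len({_prefix16(a.ip) for a in obs}),
            "median_ttl": median(a.ttl for a in obs),
            "window_s": max(a.ts for a in obs) - min(a.ts for a in obs),
        }
    return stats


# Thresholds are assumptions chosen for this example; tune them against your own resolver data.
MAX_TTL = 300          # fast-flux answers are refreshed within minutes
MIN_IPS = 5            # many different hosts behind one name
MIN_PREFIXES = 3       # spread over unrelated networks, not one hosting range


def is_fast_flux(s: dict) -> bool:
    """All three traits must hold: a low TTL alone is normal for load-balanced sites."""
    return (s["median_ttl"] <= MAX_TTL
            and s["distinct_ips"] >= MIN_IPS
            and s["distinct_prefixes"] >= MIN_PREFIXES)


def flag_fast_flux(answers: List[Answer]) -> List[str]:
    """Names whose answer history looks like fast flux, sorted for stable output."""
    return sorted(name for name, s in summarize(answers).items() if is_fast_flux(s))


# Constructed pool of 'zombie' addresses from three documentation ranges (three /16s).
FLUX_POOL = [
    "192.0.2.17", "192.0.2.88", "198.51.100.5", "198.51.100.140", "203.0.113.9",
    "203.0.113.77", "192.0.2.201", "198.51.100.33", "203.0.113.150", "192.0.2.140",
]


def build_sample() -> List[Answer]:
    """Constructed resolver log: twelve lookups per name, three minutes apart."""
    t0 = 1_231_200_000
    answers = []
    for i in range(12):
        t = t0 + 180 * i
        # phishing name: a new pool address roughly every query, TTL 180
        answers.append(Answer(t, "secure-login-update.example", FLUX_POOL[i % len(FLUX_POOL)], 180))
        # ordinary site: one stable address, long TTL
        answers.append(Answer(t, "bank.example", "192.0.2.10", 3600))
        # load-balanced site: short TTL but only two addresses in one network
        answers.append(Answer(t, "cdn.example", "198.51.100.200" if i % 2 else "198.51.100.201", 60))
    return answers


if __name__ == "__main__":
    sample = build_sample()
    for name, s in summarize(sample).items():
        print(f"{name:32} {s}")
    print("fast flux candidates:", flag_fast_flux(sample))
```

Only the constructed phishing name is flagged; the load-balanced name shows why the TTL check must be combined with the other two traits. In practice the domain list would be fed by the resolver's query logs or a passive DNS feed, and a candidate still deserves the "quick check" the post calls for before it is blocked.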
You can vote until the 25th of January (or is it the 26th?) and you have 5 votes in different categories. So, as we are nominated - thanks for that - you can now make the difference and vote for the belsec blog. If I understand correctly we would then become front-page news on skynetblogs or something like that, which would be interesting to say the least...
So, as so many people in Belgium make such an effort to keep us out of the headlines, you can put us back in again.... Tijl Uylenspiegel lives here again.
This is the link to vote
more propaganda material will come tomorrow
The South Korean government has decided to arrest an impostor who presented himself as an ex-trader wanting to share exclusive internal financial insights and predictions with the public, and who after a few correct calls was more popular and had a bigger following than the official South Korean economic policy communication itself. He turned out to be an unemployed man studying economics. The other factor was that he was a staunch critic of official South Korean economic policy and was beginning to have a real impact on the media and on policy.
On the one hand it is wrong to present yourself under a function you do not have, and it is wrong to make people believe that you have access to privileged information and professional insights when you have none of that.
On the other hand it is wrong to arrest and imprison him. If governments did as much to pursue the scammers and the pump-and-dump stock schemes, the financial world would be a safer place.
The whole question of anonymity on the internet is a double-edged sword. When we say who we are, we are open to pressure and the discussion becomes about the persons and not the facts, while in IT there should be more discussion about the facts and less about the persons or the camps they supposedly belong to. On the other hand, some people refuse to take your arguments into consideration because they are published more or less without proper identification.
If Belgium were an open democratic country in which free discussion was possible without fear for your good name, job or career prospects, then none of this would be necessary. The fact that we still publish in this way proves the contrary.
we will soon be publishing an exclusive report here about hacking .be in 2008
and we will do some crossblogging on zone-h
if zone-h.com turns out to be working all right
we might even move our hacking .be articles over there and link to them from here
belsec is slowly spreading its wings
want to join the flight.....
thanks for the votes
but you can still vote us onto the front page of skynetblogs until the 25th
that would be something, us on the front page with this kind of news....
banners and other stuff will follow soon here
spread the word
Over the last couple of weeks we have been reporting on the threat level on the Belgian internet, using the information from Arbor Networks that was publicly available and quoting them as such.
The advantage of this was that it was clear to anyone when and where there was a problem and which attacks were increasing on a specific network. It is this kind of information that one needs in order to do, with limited time and resources, the things that bring the most security and preventive monitoring to the IT security cell.
We hope to work with Arbor Networks and to continue publishing this information for the community, but we also hope that they will return to the situation in which such information was available up to a certain level. It was a great help, and in the present situation, with several threats looming at the same time, it is important to be able to use such an indicator.
If there are limitations on how the data should be interpreted, maybe they should be noted explicitly (for example that its installations are on the skynet network and that this is the reason one sees so much attack traffic on that network and so little on the Telenet network).
we thank you for the votes for the nomination; voting has ended
we also thank you for the visits: for a few days we were the number one skynetblog with the best increase in the number of visitors this week
we are looking for other collaborators and informers and, if possible, a project sponsor or two
thanks, it makes a great beginning for this year; watch out for some surprises here in the coming weeks
If you take a minute to vote for this blog (see the left side of this blog) then this blog will be among the nominated blogs. It doesn't cost a penny and it is a good way to start off a year, isn't it? You can vote
Today is the last day you can nominate this blog for the skynetblog awards. Afterwards there will be another selection, it seems, but hey, if we could get nominated that would already mean something, and it doesn't cost you anything. Just a few minutes of your time. Thanks, and don't forget to subscribe to our feed; who knows what we will be publishing next that you don't know about.....
follow the link at the left side of the blog
oh and info and bloggers are always welcome here....
For a few years now New Year's Eve has been the night on which people burn their cars to get a new one from their insurance, or have their car burnt and then have to get it fixed because some kids don't know better than to burn other people's cars (the saddest thing is that it is the cars of poor people like themselves, because the rich hide their cars on New Year's Eve). The really poor can get up to 4000 euros from a fund for the victims of terrorism; those with somewhat better-paid work and the middle class have to pay for it all themselves.
In the Belgian newspaper De Morgen we read about 440 cars that were burnt out that night.
In the French newspapers we read the following about last night's burnt-out cars.
First, the 440 cars are only for the Paris region (and most of them in the ghettos, called banlieues, around it).
And this source says (translated from the French): "1,147 vehicles were set on fire during the night of New Year's Eve 2008-2009, against 878 during the same period of the previous year, according to a definitive tally of 'verified facts' published Thursday evening by the Interior Ministry. That is an increase of more than 30.6% compared to 2007." So 1,147 cars were burnt that night, an increase of more than 30%.
So what is the problem here with online journalism, and what makes it less trustworthy?
1. The online newspapers around here don't update and change their online stories. Once published they are simply archived and left alone, just like articles in the printed newspaper. This is the wrong attitude. Online articles should live and be updated and given more links, information, changes and corrections. Only after some time online can you close a version. It is also this changing nature of your articles that makes it interesting to keep on reading.
2. The online editions don't monitor the web permanently and don't google the facts they are publishing. So they just trust one source and don't do the double checking, and so they make mistakes. The difference between a lie and a truth is sometimes a single word (like Paris instead of France).
The newspapers are sacking a great number of journalists and editors this year, but they say that this won't have any influence on their quality. That is not possible. You need human eyes and hands to make quality content.
We have taken away the advertising. The reason is that it takes up too much space and doesn't bring in the necessary cash. So we try to keep it clean and look for some strategic sponsorships.
The amazon bookclub is still active. So if you would like to buy some security books you can do that here; it won't cost you any more. It is also a good way to look for books. We will update the collection in the coming months, but in fact you can buy any amazon book from there. You didn't buy one, but it stays a great resource because some of you did browse through the collection.
But as we said before, we are not in this for the money. If that were the case you would have been reading much more commercial stuff, product placements and other things like that.
if you think it should be about public service and information and going further than the normal media would go
vote for this blog (if you don't have one, you should make a skynetblogs profile, which takes about 5 minutes); you can even start blogging afterwards if you would like (even here, if you would like to blog about infosecurity or risks)
"You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created. "
this is another proof that governments should pay for permanent personnel at those first-line defences (even if it were financed with contributions from ISPs or other e-businesses)
you can't expect volunteers to keep on working like that against such a menace without any support (or even thanks or respect, for that matter)
for the moment there is not much to replace them
wanted for 2009 : YOUR HELP HERE (lots still to do) contact me
I am off to family and quality time
this is a free, unpaid, voluntary effort to get some information about security and insecurity out, but this time I am taking time off
it has been a nice time and we have done a lot this year that others could only dream about
but we dream about a CERT, we dream about certifications and audits and coordination
and all we see is promises
let's hope that we will get somewhere in 2009, because after 2008, 2009 will not be like any other year
for those looking for free stuff, there are 16,000 cached articles and links, links to 900 freeware programs and 1500 books, and lots more links around here (on netvibes there are links to digg and so on that change permanently)
make love, have fun, friends, family and be happy and healthy
we will be back in a day or four - and no netties (Flemish translation): rather busy family time (sorry)
After some speculation and strategic rumours, the Belgian government has fallen. This is not good news, neither for the economic crisis nor for the financial crisis (Fortis being the most urgent). Let's hope there is enough intelligence to quickly put together an emergency government with limited powers to handle specifically those two urgencies. The voters can decide after the holidays, or together with the regional and European elections, who should form the new federal government.
some thoughts about the last days and hours of this government
* it is strange that the person in the prime minister's cabinet who is responsible for the illegal pressure and leaks is a prosecutor himself. He of all people should have known that what he did was illegal, and he of all people should have known that he shouldn't have left all these footprints and fingerprints leading to him. It is also strange that neither he nor the chief of the prime minister's cabinet resigned themselves, saying that the prime minister didn't know anything and that it was their own initiative.
* it was also strange to see again that SMS messages were being sent by ministers during the crisis meetings to journalists, who read them aloud on television. How can you negotiate or speak freely like that? Where is the confidence if what you are saying (even tactically) is being sent to journalists (without the same context) in real time? I think mobile phone blockers are a product of the future and that the government should have them in its conference rooms.
* you can try to lie but you can't hide and somewhere somehow the truth will be published
During this Leterme I government we asked several times for some necessary measures for cybersecurity in Belgium, and we had several contacts who were working on that idea. But it was never the right time, there were other things, and so on. There are and always will be other things, but this has been talked about in Belgium for more than 6 years now and there is nearly nothing in place that looks like a national coordination centre.
They have missed a historic opportunity. The insecurity of the Belgian web has never been so clear. The IT organisations were clearly asking for it. The European Commission said that we must have one. The big IT firms in Belgium find it necessary, and activists and professionals are learning to speak to each other and to understand and trust each other.
Whoever is part of the next government, we hope he or she will be open and take some initiative, even if there are about 1000 other things that need attention.
Luckily we have the EURO
if you no longer see the whole picture, or the thread, or the connections between all those different postings on all those different Belgian security blogs
in 2009 we will synthesise that into a monthly overview, I think
and maybe we should also work on a 2008 year overview
http://www.netties.be/extra/overzicht.htm the other weekly overviews with useful tips and links you may have missed in the meantime
The feed of the Belgian security bloggers network is nearing 400,000 views
We thank the spooks, security researchers, advisors, hackers, IT people, administrators, curious people and engineers from different countries and industries for their visits during the year.
We hope to see you often and soon
this is only the beginning.
we thank our families for their patience and understanding while we were active trying to get our country a little bit more secure.
and this is not a joke
and this, to try to follow it all: http://twemes.com/griots