security - Page 3

  • the best security joke from Apple in years

    Let's see what we have:

    2. Apple is safe and you don't need anti-virus because there are no viruses for Apple. Apple doesn't even need a security awareness page or campaign.

    3. You are not going to talk about security problems in Apple software or we will sue you into bankruptcy (a favourite tactic for silencing people and journalists).

    But the number one is the latest argument Apple uses to defend its lock-down of the iPhone and to keep jailbreaking (which, among other things, lets you use the phone on networks other than the monopolies Apple has created) illegal in the US. In the US you can protest against this and, for example, ask that the software that makes jailbreaking easy be made legal.

    In the public debate that comes first, the different parties and the interested parties have to publish their arguments (it gets better all the time, don't you think, fellow Europeans: a public debate with public documents in an open process).

    "Apple's filing explained that jailbreaking could allow hackers to alter the iPhone's BBP — the "baseband processor" software, which enables a connection to cell phone towers.

    By tinkering with this code, “a local or international hacker could potentially initiate commands (such as a denial of service attack) that could crash the tower software, rendering the tower entirely inoperable to process calls or transmit data,” Apple wrote the government. “Taking control of the BBP software would be much the equivalent of getting inside the firewall of a corporate computer — to potentially catastrophic result."

    It could also make phone calls from an iPhone totally anonymous... Also good for terrorists and drug dealers. Maybe we should send thousands of those jailbroken iPhones to Iran.

    Which makes me wonder. The BBP software is thus the Achilles heel of the mobile network. Hack, crack or attack it and everything goes down. And as many people and businesses are totally dependent on those networks, chaos is the result. Imagine no mobile phones that work... I hope you still have a fixed line as backup, and that extra mobile towers are available if that is the case. Maybe an idea for Black Hat next week in Las Vegas. It already promises to be a very hard Black Hat, but maybe they could throw in a hack of a mobile tower, just for the fun of it. :)

    Either what Apple says is true, and then the mobile infrastructure has to be defended and reorganised with the highest urgency, or it is crap. And if it is true, make sure that you have a fixed line and that all your mobile data and contacts are also usable and available on your fixed line.

    A company that says it is secure from A to Z, and that says it is professional and only says professional things, can't say such things without proof. And if it can prove it, it is a national emergency without precedent. If it isn't true, it should apologise and retract.

  • texting while driving to be outlawed soon?

    The first study of drivers texting inside their vehicles shows that the risk sharply exceeds previous estimates based on laboratory research — and far surpasses the dangers of other driving distractions.

    The new study, which entailed outfitting the cabs of long-haul trucks with video cameras over 18 months, found that when the drivers texted, their collision risk was 23 times greater than when not texting.

    The Virginia Tech Transportation Institute, which compiled the research and plans to release its findings on Tuesday, also measured the time drivers took their eyes from the road to send or receive texts.

    Insurance companies will, as a first step, add to their contracts that they are not liable if the driver was using his phone or PDA.

    When you drive, drive and concentrate. There is nothing that can't wait. Otherwise take the train, let someone else drive, or let someone else answer the phone if you think you are that important.

  • Banksys' real-time bank card fraud monitoring

    Last week a group of Eastern European thieves was arrested in Brussels. Nothing special about that, but the details of how they were discovered are impressive.

    They got hold of a series of credit cards or bank cards through Ikea (how is not discussed) and also obtained the necessary details.

    Banksys notified the police that it was seeing a series of suspicious transactions at an ATM in Brussels. When the police arrived the thieves were withdrawing money and had more cards with them.

    Banksys then informed the police of another suspicious transaction taking place at another ATM not far from there. The police arrived and arrested that one as well.

    Seems like Banksys is upping its monitoring. Nice. Keep it up. It seems to pay off.

    But what if the cards/details were used in another country? This is a loophole that some gangs have already used. Not all systems are instantly put on guard against the thousands of cards/details that are lost or compromised every day.

    The customer should be able to disable international use of his card and only activate it after passing by the bank. This would not work for a certain group of people, but it would work for a great many of them. A system like that is being put in place in the UK (with its growing pains).

    Separating the bank card from the internet card for online transactions would be another step. It would even make it possible to upgrade the security of the internet card to another level without having to invest millions in replacing all those card readers around the world.
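    The monitoring described above can be illustrated with two simple rules: a velocity rule that fires when many different cards are used at one ATM within a few minutes (the Brussels pattern), and a per-card "abroad disabled" rule of the kind proposed for the customer. This is an added example written for this page, not Banksys's actual logic; the transactions, card profiles, thresholds and the home country (BE) are all constructed assumptions.

```python
"""Two card-fraud rules over a constructed transaction stream.

Added example for illustration; this is not Banksys's logic. Transactions,
card profiles, home country and thresholds are made-up assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

HOME_COUNTRY = "BE"  # assumption: the cards are issued by a Belgian bank

Tx = namedtuple("Tx", "ts card atm country amount")

# Constructed sample: five different cards drained at one Brussels ATM within a
# few minutes, some normal withdrawals, and two cards used abroad (PL).
SAMPLE_TRANSACTIONS = [
    ("2009-07-20 10:00:00", "card-0001", "atm-bru-12", "BE", 200),
    ("2009-07-20 10:01:30", "card-0002", "atm-bru-12", "BE", 300),
    ("2009-07-20 10:02:45", "card-0003", "atm-bru-12", "BE", 250),
    ("2009-07-20 10:04:10", "card-0004", "atm-bru-12", "BE", 300),
    ("2009-07-20 10:05:20", "card-0005", "atm-bru-12", "BE", 200),
    ("2009-07-20 10:30:00", "card-0006", "atm-ant-03", "BE", 100),
    ("2009-07-20 10:32:00", "card-0007", "atm-ant-03", "BE", 50),
    ("2009-07-20 10:40:00", "card-0001", "atm-bru-12", "BE", 100),
    ("2009-07-20 11:15:00", "card-0008", "atm-waw-77", "PL", 400),
    ("2009-07-20 11:20:00", "card-0009", "atm-waw-77", "PL", 150),
]

# Constructed per-card settings: only card-0009's holder enabled use abroad.
CARD_PROFILES = {f"card-{i:04d}": {"abroad": False} for i in range(1, 10)}
CARD_PROFILES["card-0009"]["abroad"] = True


def parse_transactions(rows):
    return [Tx(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), card, atm, country, amount)
            for ts, card, atm, country, amount in rows]


def rule_card_velocity_at_atm(txs, window=timedelta(minutes=10), threshold=4):
    """Flag ATMs where at least `threshold` *distinct* cards were used within `window`.

    One customer retrying counts once; a mule cycling through a stack of cloned
    cards does not. Returns {atm_id: max distinct cards seen in any window}.
    """
    by_atm = defaultdict(list)
    for tx in txs:
        by_atm[tx.atm].append(tx)
    hits = {}
    for atm, rows in by_atm.items():
        rows.sort(key=lambda t: t.ts)
        best = 0
        for i, start in enumerate(rows):  # quadratic, fine for one ATM's hourly volume
            in_window = {t.card for t in rows[i:] if t.ts - start.ts <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            hits[atm] = best
    return hits


def rule_blocked_abroad(txs, profiles):
    """Flag foreign use of a card whose holder did not enable use abroad.

    Unknown cards fail closed (treated as "abroad disabled").
    Returns a list of (card, country, atm) in transaction order.
    """
    alerts = []
    for tx in txs:
        if tx.country == HOME_COUNTRY:
            continue
        if not profiles.get(tx.card, {}).get("abroad", False):
            alerts.append((tx.card, tx.country, tx.atm))
    return alerts


def run_rules(rows, profiles):
    txs = parse_transactions(rows)
    return {
        "velocity": rule_card_velocity_at_atm(txs),
        "abroad": rule_blocked_abroad(txs, profiles),
    }


if __name__ == "__main__":
    for name, result in run_rules(SAMPLE_TRANSACTIONS, CARD_PROFILES).items():
        print(name, result)
```

    On the sample, the velocity rule fires for atm-bru-12 (five distinct cards in ten minutes) and the abroad rule fires for card-0008 only; card-0009 is used in Poland too but its holder opted in. In a real system the velocity threshold would be tuned per ATM and time of day, and the abroad rule would be a hard decline rather than an alert.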

  • Network Solutions lost half a million credit card numbers to hackers

    Network Solutions is the grandmother of the .com domain name. Its database is the most up to date and in fact the only real referral database if you have a problem with another .com reseller. Saying that Network Solutions was hacked is like saying that a Fortis can go broke :) Everything seems possible nowadays...

    Most surprisingly, it was hacked in March and, thanks to planted spyware, the hackers intercepted all the credit card and other information on one of its servers (the ones hosting its everything-you-need-to-have-an-online-store offering) between the beginning of March and mid June. This means they didn't see a thing for more than three months: for all that time externally planted spyware sat on a server, intercepted all the information and got it out.

    The customers of their 4,000 to 5,000 clients/webshops have all lost their financial information and need to be informed (the US states that have breach notification laws each have their own rules). Network Solutions is offering them a free credit monitoring service for a year. (OK hacker, wait a year and meanwhile try to get other data about the persons on the cards: email, Facebook, websites, eBay, ...)

    Those businesses will now go bust because there is no trust anymore, and will Network Solutions pay for that? And how much? If they get off lightly, it sends the wrong message to the other online businesses: if you screw up, you will get off lightly.

    So if you bought anything online from a Network Solutions hosted store (and you don't live in a country or state with breach notification laws, like Belgium), you had better contact Network Solutions or your credit card company yourself. And if I were you, I would ask for another credit card with another number and even in another name (that of your partner, your maiden name or your second name).

  • malicious PDF/Flash files with a strong 0-day attack

    1. It is code used by both PDF (Reader/Acrobat) and Flash Player that is vulnerable, which opens the door to different delivery strategies.

    2. There are dedicated attack sites, but malicious code/files are also being injected into normal sites (ones that neglected their security; you should never let anyone else upload such content).

    3. Even if you have disabled JavaScript or use Flashblock, the attack will still work.

    4. The attack code uses obfuscation to evade intrusion detection systems that could otherwise have spotted it.

    5. Adobe Reader itself has no setting that mitigates the attack.

    6. They have different attack code for Internet Explorer and for Firefox.

    Source: Internet Storm Center

    Adobe says it will distribute a patch next week (on the 30th or 31st). So get ready for this patching round (if you run a network I hope you have already automated this).


  • Microsoft important patch update next Tuesday

    Keep your systems ready for immediate distribution and deployment.

    This is the message:

    We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009. 

    While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

    1. One Security Bulletin for Visual Studio

    2. One Security Bulletin for Internet Explorer

    While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

  • new security warnings and updates and more

    * zero-day for Firefox and fixes

    * patches for Microsoft to install





  • Arbor Networks: Belgacom network with high number of attacks

    The Belgacom network is showing a high number of attacks at the moment. Most come from infected machines whose owners are surfing because there is not enough sun and nothing on TV :)

    On the international scale the attack intensity per country/network is:

        CN (China)       433.73
        BE (Belgium)      59.51

    Most of the Belgian ones come from Belgacom networks.

    The attacking hosts scored (their addresses are not reproduced here): 13.31, 8.71, 2.89, 1.86, 1.68, 1.62, 1.49, 1.16, 0.97, 0.96

    And there is even a botnet command-and-control server on their network, which makes it even easier to believe.

    Source: Arbor Networks

  • .tk domain under fast-flux attack (react or be blocked)

    If the .tk domain does not clean up its act immediately it will be blacklisted and will not recover from this attack. Malware scenario architects have developed a scheme in which they use these free redirection domain names as cover for their other sites. At first there were only a few; then .tk blocked them and they went away, but since a few days ago the number of .tk domains used in fast-flux botnets has been growing exponentially.

    Many blocking services and critical networks will now simply blacklist it, unless it acts now and dramatically.

    When the .be domain name was used this way at the beginning of this year, it took belsec some weeks to convince everyone in the chain of command, but in the end the domain registrar, the justice department and the FCCU had a very simple procedure to take those domains out in a few hours, with very clear procedures and contacts between the different parties. It has since worked very efficiently, thanks also to Arbor Networks.

    If .tk has no fast procedure to take those domains out as quickly as possible, with clear procedures and communication lines, it will become a wasted, unnecessary domain extension that is simply blacklisted.

    Given the number of .tk domains now being used as malware infectors, it has no choice but to act now.

    This is just part of the list from Arbor Networks (and the number of active zombie domains seems to be increasing since last week: normally there were around 600 to 800 active zombie domains, now there are around 1,600-1,800 daily). Maybe the exploits are no coincidence.

    Do not visit these sites. Some are Chinese, and the Chinese web is currently responsible for most of the zero-day attacks. We don't know if there is a link.

  • web is ready for zero-day Office attacks

    Metasploit, the number one tool used by script kiddies and scam network architects alike, has released a module that lets its users exploit the vulnerability as easily as possible.

    Several other sites have also released JavaScript or HTML code to use.

    Two lists of sites that are actively exploiting the vulnerability have been published on security alerts (see above). You should block these.

    You should think about blocking the .cn domain altogether if you are not from China or have no business there.

    There are Snort rules with which you can detect this malware traffic on your network. Each one matches an HTML <OBJECT> tag that instantiates one of the two vulnerable Office Web Components Spreadsheet controls by CLSID, first with a cheap content match and then with a PCRE that tolerates whitespace, quoting and the optional brace:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX1 CVE-2009-1136 ref"; flow:from_server,established; content:"0002E559-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E559-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000099; rev:1;)

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX2 CVE-2009-1136 ref"; flow:from_server,established; content:"0002E541-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E541-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000101; rev:1;)

    You should also use the automatic Fix it tool from Microsoft, as explained below, and follow the new information as it comes in at the Internet Storm Center.
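    The Python below is an added example, not code from the original post, from the ISC or from Microsoft. It applies the same match the two Snort rules make (the PCRE transcribed into Python regex syntax, generalised to capture any CLSID and look it up) to a few constructed HTML snippets, and adds one heuristic the Snort rules do not cover: the control being created from script by ProgID rather than through an <OBJECT> tag. The same two CLSIDs are the ones Microsoft's Fix it kill-bits in the advisory further down. The sample pages and the ProgID check are my assumptions.

```python
"""Detect HTML that instantiates the vulnerable Office Web Components
Spreadsheet controls (CVE-2009-1136). Added example: the regex mirrors the
Snort PCRE from the post, the sample pages are constructed, and the ProgID
check is an extra heuristic of my own."""
import re

# CLSIDs from the Snort rules: the OWC10 and OWC11 Spreadsheet controls.
OWC_CLSIDS = {
    "0002E541-0000-0000-C000-000000000046": "OWC10.Spreadsheet",
    "0002E559-0000-0000-C000-000000000046": "OWC11.Spreadsheet",
}

# Same shape as the Snort PCRE, but capturing the CLSID so one pattern serves both rules.
OBJECT_CLSID_RE = re.compile(
    r"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*"
    r"(?P<clsid>[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})",
    re.IGNORECASE | re.DOTALL,
)

# Heuristic not in the Snort rules: script creating the control by ProgID.
PROGID_RE = re.compile(
    r"ActiveXObject\s*\(\s*[\x22\x27](?P<progid>OWC1[01]\.Spreadsheet)[\x22\x27]\s*\)",
    re.IGNORECASE,
)

# Constructed sample pages (not captured exploit pages).
SAMPLE_PAGES = {
    "owc10_object": '<html><body><object classid="clsid:{0002E541-0000-0000-C000-000000000046}" id="s"></object></body></html>',
    "owc11_spaced": "<OBJECT id=ss CLASSID = 'CLSID: 0002e559-0000-0000-c000-000000000046'></OBJECT>",
    "flash_benign": '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1"></object>',
    "owc10_script": '<script>var s = new ActiveXObject("OWC10.Spreadsheet");</script>',
}


def scan_html(text):
    """Return [(kind, identifier), ...] for every OWC Spreadsheet instantiation found."""
    findings = []
    for m in OBJECT_CLSID_RE.finditer(text):
        clsid = m.group("clsid").upper()
        if clsid in OWC_CLSIDS:          # other controls (Flash, Media Player...) are ignored
            findings.append(("clsid", clsid))
    for m in PROGID_RE.finditer(text):
        findings.append(("progid", m.group("progid")))
    return findings


def scan_pages(pages):
    """Map page name -> findings, dropping pages with none."""
    return {name: hits for name, hits in ((n, scan_html(t)) for n, t in pages.items()) if hits}


if __name__ == "__main__":
    for name, hits in scan_pages(SAMPLE_PAGES).items():
        print(name, hits)
```

    Three of the four samples are flagged; the Flash object is not, because the lookup is on the CLSID, not on the presence of an <OBJECT> tag. Like the Snort rules, this only sees what is in the clear: a page that builds the CLSID string from pieces in JavaScript (point 4 in the PDF/Flash item above) gets past both.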

  • Internet Storm Center goes to yellow: re-fix your Windows Office (exploits and attacks underway)

    We have already published the links to the information and the quick fix.

    You will have to check this on your network (or on your computers).

    This is being actively exploited on websites as a form of attack against computers that have the vulnerable versions of the Office Web Components (the spreadsheet control that ships with Office XP and 2003) installed.

    What is remarkable is that this is the second exploit against a part of the code that isn't really used anymore.

  • new Windows Office zero-day making the rounds (with fix-it link)

    Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

    Affected Software

    Microsoft Office XP Service Pack 3

    Microsoft Office 2003 Service Pack 3

    Microsoft Office XP Web Components Service Pack 3

    Microsoft Office 2003 Web Components Service Pack 3

    Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1

    Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3

    Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3

    Microsoft Internet Security and Acceleration Server 2006

    Internet Security and Acceleration Server 2006 Supportability Update

    Microsoft Internet Security and Acceleration Server 2006 Service Pack 1

    Microsoft Office Small Business Accounting 2006

    Non-Affected Software

    Microsoft Office 2000 Service Pack 3

    2007 Microsoft Office Suite Service Pack 1 and 2007 Microsoft Office Suite Service Pack 2

    Microsoft offers a one-click Fix it that sets the kill bit for the vulnerable ActiveX control, so Internet Explorer will no longer load it.

    There is talk that the patch for the ActiveX control is expected tomorrow, or maybe even today somewhere else in the world (on the web we no longer live in countries but in time zones).

  • Windows Update will be updated (and don't forget it)

    We will start this infrastructure update in late August, and it will take a couple of months to complete the rollout. Updates to the services and Windows code are required from time to time to maintain and improve service quality, reliability, and operations. The last update occurred in November of 2008.


    This update will not change your current Windows Update or Automatic Updates settings. It will improve the user interface for Windows Vista and Windows Server 2008 computers running Windows Update, adding a more visible and detailed description of updates as well as improvements in how users are notified about service packs. This update will not change the look and feel of Automatic Updates.


    The Windows Update or Automatic Updates client software must be updated, or you may not be able to successfully check for updates or perform other configured actions. If Windows Update or Automatic Updates is enabled to automatically check for updates, download updates, or install updates on your computer then the infrastructure update will be downloaded and installed automatically. Your computer will not be updated if you have disabled Windows Update (or Automatic Updates) and do not check for updates.

  • quarantine computers with this Korean infection or they will self-destruct

    Look for this traffic pattern:

    1. The malware begins by attempting to beacon to these three IP addresses:

    2. It immediately starts connecting out to the web on TCP port 80 to a pre-set list of update servers. The malware looks to pull a file with a ".gif" extension from the following list of hosts:

    The owners of these machines should be quarantined so that the malware can't update itself, because it will self-destruct the machine once it gets updated from today.

    We are talking about probably 200,000 infected machines worldwide. I hope the security people at the ISPs didn't take a holiday.
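    One way to turn that traffic pattern into a quarantine list, as an added example that is not from the original post or from any ISP: it walks constructed connection-log lines and flags internal clients that either contacted one of the beacon addresses or fetched a .gif over TCP/80 from one of the update hosts, ranking clients that already reached an update server first, since those are the ones about to self-destruct. The post does not reproduce the three beacon IPs or the update host list, so the ones in the code are invented placeholders (documentation address space and .invalid names) that you would replace with the real indicators; the log format is also an assumption.

```python
"""Quarantine candidates from connection logs. Added example; the beacon IPs,
update hosts and log format are placeholders/assumptions, not the real
indicators (which the post does not reproduce)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Placeholders only: TEST-NET-3 addresses and .invalid names stand in for the
# three real beacon IPs and the real update-server list.
BEACON_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
UPDATE_HOSTS = {"update1.invalid", "update2.invalid", "update3.invalid"}

# Constructed log lines (assumed format): ts src dst dport proto [method url]
SAMPLE_LOG = """\
2009-07-10T09:00:01 10.1.1.5 203.0.113.10 443 tcp -
2009-07-10T09:00:02 10.1.1.5 update1.invalid 80 tcp GET http://update1.invalid/img/flag.gif
2009-07-10T09:00:03 10.1.1.9 www.example.com 80 tcp GET http://www.example.com/index.html
2009-07-10T09:00:04 10.1.1.7 update2.invalid 80 tcp GET http://update2.invalid/x/1.gif
2009-07-10T09:00:05 10.1.1.9 203.0.113.12 8080 tcp -
2009-07-10T09:00:06 10.1.1.20 update3.invalid 80 tcp GET http://update3.invalid/readme.txt
2009-07-10T09:00:07 10.1.1.20 www.example.com 443 tcp -
"""


def parse_line(line):
    """Split one log line into a dict, or return None for a malformed line."""
    fields = line.split()
    if len(fields) < 6:
        return None
    rec = {"ts": fields[0], "src": fields[1], "dst": fields[2],
           "dport": int(fields[3]), "proto": fields[4]}
    rec["url"] = fields[6] if len(fields) >= 7 else None
    return rec


def classify(rec):
    """'beacon' for any contact with a beacon IP (whatever the port),
    'update' for a .gif fetch over TCP/80 from an update host, else None."""
    if rec["dst"] in BEACON_IPS:
        return "beacon"
    if (rec["proto"] == "tcp" and rec["dport"] == 80 and rec["dst"] in UPDATE_HOSTS
            and rec["url"] and urlsplit(rec["url"]).path.lower().endswith(".gif")):
        return "update"
    return None


def quarantine_candidates(lines):
    """Return (per-client hit counts, clients ordered by urgency).

    A client that already pulled an update is about to be wiped, so it sorts
    first; beacon-only clients follow; ties break on address for stable output.
    """
    counts = defaultdict(lambda: {"beacon": 0, "update": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            counts[rec["src"]][kind] += 1
    order = sorted(counts, key=lambda ip: (-counts[ip]["update"], -counts[ip]["beacon"], ip))
    return dict(counts), order


if __name__ == "__main__":
    counts, order = quarantine_candidates(SAMPLE_LOG.splitlines())
    for ip in order:
        print(ip, counts[ip])
```

    Note that 10.1.1.20 is not listed: it talked to an update host but fetched a .txt, not a .gif, so on the pattern described it is not a match. Whether you want to widen that to any contact with the update hosts is a judgment call; the post's indicator is specifically the .gif pull.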

  • Internet Storm Center wants ISPs to secure their clients

    The Internet Storm Center is the central place everybody turns to when things need to be checked, mentioned and alerted about. It is the portal that every security officer has as a daily favourite to check. It is part of SANS, an IT security education and research institute with contributors and events around the world. This doesn't mean it is a bible, or that if they don't mention something it doesn't exist. I didn't say it should be your only indicator; it is one of the must-have indicators.

    So after the DDoS attacks with some impact (mostly media impact, calling it a cyberwar) against US and Korean websites, the ISC handler states the obvious:

    "The problem is that end-users cannot (nor should not be expected to) secure their home hardware.  They simply lack the skills (and we shouldn't lament this, these skills being a scarce commodity allows us to demand high salaries after all). The responsibility must be shifted to the person closest to the user with the resources and skills to remediate this problem, namely, the ISPs. Until we get to that point, these problems will keep recurring."

    Well, a few years ago, in 2006, some members of belsec were active in helping to rewrite the new Belgian telecommunications law together with Mr Philippe DeCoene (SP.A), and seemed to be actively supported by Roel Deseyn. It was put into the law that the ISPs had to give all Belgian users a free, included security package and that the Belgian internet and telecom regulator had oversight of this (try saying no to your regulator as an ISP...). We knew that the price of each package would be minimal because of the numbers that would be sold, and we knew that antivirus firms were willing to go very, very low to get that deal. But the ISPs, led by Telenet's lobbyists, didn't want to hear of it, resisted, and missed a historic opportunity. They thought at the time that securing the walls would be enough and cheaper. It isn't, and it can't secure your network. Meanwhile some ISP subscriptions now include a "free" package (in fact it still costs 5 euro a month). The ISPs won for the moment, even if they all had to make big investments in security to be able to prove that their walls were well secured. Some people who didn't understand how IT security really works were impressed by this fata morgana.

    To make a long story short: one of the leaders of SANS wrote to us at the time saying that the Belgian model (the ISP regulator imposes personalised free security packages for users on the ISPs that want a licence) was very interesting and promising. A pity it is just dead paper.

    I would have been doing other things than writing about IT security, or writing more interesting things, because your ISP or hoster would already have taken care of it.

  • orange day 3: update your VMware and WordPress

    WordPress 2.8.1 has been released; it fixes many bugs and tightens security for plugin administration pages. Some admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to the information leak, but WordPress advises upgrading to 2.8.1 to be safe.

    VMSA-2009-0009, a new advisory concerning ESX Service Console updates for udev, sudo and curl.

    VMSA-2009-0008, an advisory from June 30th, has been updated. It is an ESX Service Console update for krb5.

    Always update everything, including your SSH, even if for the moment there seems to be no 0-day, just an increase in more sophisticated brute-force and social engineering attacks (also in Belgium). You will need to review your controls, monitoring, filtering and hardening of your SSH environment.
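    As an added example for the SSH monitoring point (not code from the original post or from any of the advisories above), here is a small brute-force detector over constructed sshd auth.log lines. It counts failed passwords per source address in a sliding window, flags sources over a threshold, and raises the severity when a password login from a flagged source later succeeds, which is the case that should actually wake someone up. The log lines, the window and the threshold are assumptions.

```python
"""SSH brute-force detection over auth.log lines. Added example; the log lines
are constructed and the window/threshold values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPT_RE = re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for "
                       r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample: a dictionary run from 198.51.100.7 followed by a successful
# password login, and an admin at 192.0.2.5 who fat-fingers twice then uses a key.
SAMPLE_AUTH_LOG = """\
Jul 10 09:00:01 bastion sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 10 09:00:14 bastion sshd[1002]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Jul 10 09:00:31 bastion sshd[1003]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
Jul 10 09:00:52 bastion sshd[1004]: Failed password for invalid user guest from 198.51.100.7 port 40004 ssh2
Jul 10 09:01:15 bastion sshd[1005]: Failed password for invalid user user from 198.51.100.7 port 40005 ssh2
Jul 10 09:01:40 bastion sshd[1006]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jul 10 09:05:00 bastion sshd[1010]: Failed password for ops from 192.0.2.5 port 50001 ssh2
Jul 10 09:05:20 bastion sshd[1011]: Failed password for ops from 192.0.2.5 port 50002 ssh2
Jul 10 09:06:00 bastion sshd[1012]: Accepted publickey for ops from 192.0.2.5 port 50003 ssh2
Jul 10 09:09:00 bastion sshd[1013]: Accepted password for root from 198.51.100.7 port 40010 ssh2
"""


def parse_ts(text, year=2009):
    # syslog timestamps carry no year; assume one (2009 for the sample)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze_auth_log(lines, window=timedelta(minutes=5), threshold=5):
    """Return {ip: {"failures", "distinct_users", "success_after_burst"}} for flagged sources."""
    failures = defaultdict(list)   # ip -> [(ts, user)]
    accepts = defaultdict(list)    # ip -> [(ts, method, user)]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepts[m["ip"]].append((parse_ts(m["ts"]), m["method"], m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        # largest number of failures inside any window-long span (two-pointer sweep)
        peak, j = 0, 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak < threshold:
            continue
        # a password login from the same source after the burst began is the real alarm;
        # key-based logins are not counted, they are not what a dictionary attack yields
        success = next((user for t, method, user in accepts.get(ip, [])
                        if method == "password" and t > times[0]), None)
        alerts[ip] = {
            "failures": peak,
            "distinct_users": len({u for _, u in events}),
            "success_after_burst": success,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
```

    On the sample only 198.51.100.7 is flagged (six failures across six user names in under two minutes, then a successful password login as root); the admin's two typos from 192.0.2.5 stay below the threshold. The "many distinct users" signal is worth keeping separately from the count: a legitimate user locking themselves out fails on one name, a dictionary attack walks through dozens.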

  • orange day 2: upgrade your ColdFusion NOW if you haven't


    Adobe recommends affected ColdFusion customers update their installation using the instructions below:
    NOTE: ColdFusion 8 customers who have not already done so should first update to ColdFusion 8.0.1.

    ColdFusion 8.0.1

    1. Download and unzip the hot fix. (10K)
    2. Open the ColdFusion Administrator and apply the provided hot fix using the System Information page.
    3. Make a backup of /CFIDE/scripts/ajax/FCKeditor folder outside of the webroot.
    4. Download and unzip the provided file.
    5. Merge the unzipped CFIDE folder with the existing CFIDE located at the webroot, overwriting the files in the existing CFIDE folder when prompted.
    6. Delete the files cf5_upload.cfm and cf5_connector.cfm from under cfwebroot\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm.
    7. Restart ColdFusion.

    Optional: To enable file uploads in FCKeditor when using the CFTEXTAREA tag with richtext, follow these steps:

    1. Ensure that access to the cfm page using CFTEXTAREA richtext=true is restricted only to users with a valid login.
    2. Edit the jvm.config file and add the JVM argument "-Dcoldfusion.fckupload=true"
    3. Edit cfwebroot/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/Config.cfm and set Config.Enabled = true
    4. Set sessionmanagement/clientmanagement in Application.cfc or Application.cfm to true in the application that uses the cftextarea tag with the richtext attribute set to true

    The ColdFusion hot fix JAR file does not need to be retained after installing it with the ColdFusion Administrator. The file has been copied into the correct location. The ColdFusion hot fix JAR file will appear as a new entry in the System Information list.

    ColdFusion 8

    ColdFusion 8.0 ships with the default value of config.Enabled in the editor/filemanager/connectors/cfm/config.cfm file set to false, which mitigates this issue. ColdFusion 8.0 customers unable to update to ColdFusion 8.0.1 can follow the instructions below to further mitigate this issue:

    1. Remove unused cfm files under editor/filemanager/connectors/cfm directory of the FCKeditor.
    2. Inspect FCKeditor directories for content that has already been uploaded. The uploaded files typically go under the userfiles folder in the webroot.
    3. If you have an editor/filemanager/connectors/cfm/config.cfm file obtained or installed from an external source, set value of config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.

    Remember, attacks are underway, and there also seems to be a campaign to hack sites and insert redirect scripts that infect IE users who haven't disabled the vulnerable ActiveX control. If you want to be zombied, go ahead. One day they should fine you for damages.
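    The steps above can be checked mechanically. The script below is an added example (not Adobe's code, nor part of the advisory): it builds a throwaway ColdFusion-like webroot with the FCKeditor connector directory from the instructions, audits it for the three things the advisory tells you to look at (the legacy cf5_*.cfm connector files, Config.Enabled in config.cfm, and server-side scripts already sitting under userfiles), then applies the ColdFusion 8.0 mitigation and audits again. The directory layout and sample files are constructed; the list of "dangerous" upload extensions is my own assumption.

```python
"""Audit and harden an FCKeditor connector under a ColdFusion webroot.
Added example; the sample webroot is constructed and DANGEROUS_EXT is an assumption."""
import os
import re
import tempfile

# Path from the advisory steps, relative to the webroot.
CONNECTOR_DIR = os.path.join("CFIDE", "scripts", "ajax", "FCKeditor",
                             "editor", "filemanager", "connectors", "cfm")
# Legacy connector files the advisory says to delete.
LEGACY_FILES = ("cf5_connector.cfm", "cf5_upload.cfm")
# Assumption: anything the CF server would execute has no business in an upload folder.
DANGEROUS_EXT = {".cfm", ".cfc", ".cfml", ".jsp"}
ENABLED_RE = re.compile(r"Config\.Enabled\s*=\s*(true|false)", re.IGNORECASE)


def audit_webroot(webroot):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    conn = os.path.join(webroot, CONNECTOR_DIR)
    for name in LEGACY_FILES:
        if os.path.exists(os.path.join(conn, name)):
            findings.append(f"legacy connector still present: {name}")
    cfg = os.path.join(conn, "config.cfm")
    if os.path.exists(cfg):
        with open(cfg, encoding="utf-8") as fh:
            m = ENABLED_RE.search(fh.read())
        if m is None:
            findings.append("config.cfm: no Config.Enabled setting found")
        elif m.group(1).lower() == "true":
            findings.append("config.cfm: Config.Enabled = true (uploads enabled)")
    userfiles = os.path.join(webroot, "userfiles")
    for root, _, files in os.walk(userfiles):
        for fn in sorted(files):
            if os.path.splitext(fn)[1].lower() in DANGEROUS_EXT:
                rel = os.path.relpath(os.path.join(root, fn), webroot)
                findings.append(f"server-side script in upload folder: {rel}")
    return findings


def harden_webroot(webroot):
    """Apply the ColdFusion 8.0 mitigation: drop legacy connectors, force Config.Enabled=false.
    Already-uploaded content is reported, not deleted: that needs a human look (advisory step 2)."""
    conn = os.path.join(webroot, CONNECTOR_DIR)
    for name in LEGACY_FILES:
        path = os.path.join(conn, name)
        if os.path.exists(path):
            os.remove(path)
    cfg = os.path.join(conn, "config.cfm")
    if os.path.exists(cfg):
        with open(cfg, encoding="utf-8") as fh:
            text = fh.read()
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write(ENABLED_RE.sub("Config.Enabled = false", text))


def build_sample_webroot(webroot):
    """Constructed, deliberately vulnerable layout: uploads enabled, one legacy
    connector left in place, and a .cfm already dropped into userfiles."""
    conn = os.path.join(webroot, CONNECTOR_DIR)
    os.makedirs(conn)
    with open(os.path.join(conn, "config.cfm"), "w", encoding="utf-8") as fh:
        fh.write('<cfset Config.Enabled = true>\n<cfset Config.UserFilesPath = "/userfiles/">\n')
    open(os.path.join(conn, "cf5_upload.cfm"), "w").close()
    img = os.path.join(webroot, "userfiles", "image")
    os.makedirs(img)
    open(os.path.join(img, "logo.png"), "w").close()
    open(os.path.join(img, "shell.cfm"), "w").close()


def demo():
    """Build the sample in a temp dir, audit, harden, audit again; returns (before, after)."""
    with tempfile.TemporaryDirectory(prefix="cfroot-") as webroot:
        build_sample_webroot(webroot)
        before = audit_webroot(webroot)
        harden_webroot(webroot)
        after = audit_webroot(webroot)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

    After hardening, the only finding left is shell.cfm under userfiles, which is exactly the point of the advisory's step 2: disabling the connector stops new uploads but does nothing about what an attacker already dropped, and that file is live until someone removes it.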

  • how to attack iPhone, Nokia and Symbian

    1. iPhone 3.0

    They have made it easy for the user. It always tries to connect to the internet, and if it finds a connection, fine. If it doesn't, it launches Safari with a login screen. That is when the fun starts. It may seem a bit difficult, but the most interesting attack scenarios are those that are real scenarios and not just based on luck or the stupidity of people. We thank Apple for this new insecure feature that makes the job of security people so much harder again.

    2. Symbian - Nokia

    How to find bugs in Symbian without investing in special hardware and software.

    So you may expect a lot more bugs and exploits to be published soon.

    It seems that some of them may be remotely exploitable and can do things like turning on the GPS tracker or the microphone (espionage...).

    Until now smartphones have been used as if they were safe and there was nothing to worry about. But as smartphones are used much more by very important people and hold very important information, those machines become much more critical and should be treated as such.

    It is not the machine or the communication channel that matters in security, it is what kind of information is on it and what it is connected to, whether it is a smartphone, a laptop or a piece of paper.

  • hack and virus videos on La Libre Belgique?

    Interesting? Legally, too...


  • orange day 2: DDoS attacks increasing, also in Belgium

    Yep, we have got your attention, and for the moment there is no reason to lower the insecurity level, even if you would think that it isn't worse than normal, with all those bugs and cyberattacks in the press.

    So there were some articles in the press about DDoS attacks against American, Korean and Irish targets. Some call it cyberwar, others say it was so amateurish (except the Irish attack against a DNS server) that it can't be a real cyberwar (by the way, I hate the term, because we have never had a real 'war' or 'terrorist' attack in cyberspace, not if you compare it with what it means in the real world; it is just a bunch of sensationalism and panic marketing).

    But Shadowserver says that the number and volume of DDoS attacks is increasing.

    Arbor Networks also says that in Belgium the number of DDoS attacks is increasing again. So if you are a hoster or an ISP you should start watching out, and if you have critical infrastructure you should ask yourself what you will do if you are the next victim.

    For the moment it seems as if we are attacking other countries. This means you have botnets and zombies on your network. You can find out more on the security alerts blogs (the links at your right).

    Outbound attacks        3
    Maximum packet rate     113.50 kpps
    Maximum traffic rate    54.73 Mbps
    Attack class            Misuse: 3
    Attack subclass         TCP RST: 1,