security - Page 5

  • Belgian ecrime 1 : 43 mules arrested in 2008

    According to the federal financial crime unit of the Belgian police, 43 mules were arrested in Belgium in 2008. As journalists don't really understand what a mule is, they made a headline as if the criminals had only won 230.000 euro. That is not reading the real numbers and facts.

    In total the mules sent about 230.000 euro from hacked Belgian bank accounts to the criminal gangs. They wanted to send 383.215 euro but the banks, card services and police blocked them. The police recovered about 154.083 euro that was given back to the rightful owners. So this means that the time lapse is still too big between the hacking of the account, the sending of the information to the mules, the transfers done by the mules and especially the last step (to the crime gangs).

    The mules recruited in Belgium were really poor and marginal. Maybe this explains some of the time lapses. You have to know something about the workings of computers, banks and money transfer services and have some social capabilities not to get caught.

    If you recruit monkeys as mules you are a mule and will get caught. :)

    This means that over time, as with the online crime business, the mule business will become professionalised. The crisis gives them every opportunity.

  • slow http dos attacks started - apache, sun etc... vulnerable

    There is an unofficial patch for Apache:

    "Finally, an unofficial patch has been released at http://synflood.at/tmp/anti-slowloris.diff - I haven't tested it but the patch is supposed to dynamically change the TimeOut value depending on the load (which depends on the number of Apache processes that are currently processing HTTP requests)."
    http://isc.sans.org/diary.html?storyid=6622

    * There is no compiled list of who is vulnerable and who is not, but if you are in the money or government business, or can attract the attention of some angry and stupid people, and are running Apache, Sun or some other vulnerable server, you should pay attention to DDOS or at least drop incomplete requests faster.

    * more attack and discovery tools can be found here, at the father of this kind of attack against Apache. He says that the new tool still doesn't use the full capacity of the attack method. This promises

    * do not buy any anti-DDOS equipment that is not designed to cope with this kind of attack, and if you already have anti-DDOS equipment contact your account manager to ask whether it protects you against this (if you are running Apache or another vulnerable server)

    * you can think about a proxy or a copy of your webserver in another environment (like Windows) so you can switch according to the vulnerabilities and attacks.

  • the dead London Action plan against spam

    What it is about blablabla

    http://www.londonactionplan.org/?q=node/1

    Belgium:
    DG Enforcement and Mediation of the Federal Public Service Economy
    Federation of European Direct and Interactive Marketing
    http://www.londonactionplan.org/?q=node/5

    Report and statistics until 2006....

    http://www.londonactionplan.org/?q=node/26

  • spamdomain shows 199 Belgian spammers

    An international research project has analyzed a selection of spam to find some malicious servers, hosters and ISPs. Some were located in China and pressure will be put upon the authorities to close them down. This is a scientific way to attack spam: prioritising according to volume. The effect is greater when you get one of those bigger spammers down.

    The research also found 199 Belgian spammers.

    Hosting Country
    ================
    48,331 CN - 70% of all spam domains hosted in China
    8,412 US
    3,914 KR
    1,555 RU
    1,053 UA
    884 CA
    719 MY
    594 BG
    524 DE
    460 HK
    323 AR
    228 BR
    210 IL
    199 BE
    187 NL
    185 PL
    179 GB
    178 RO
    104 CZ
    http://garwarner.blogspot.com/2009/06/spam-crisis-in-china.html

    we hope to publish them soon

    Spamming is illegal in Belgium.

  • 'slow http ddos' extending in importance

    This is a technique in which one machine opens a connection to a webserver (the webserver function on port 80 only) and then another and another and another until there are none left and no one else can access this server. It can do so because it only sends partial requests and the server keeps its connections open waiting for the rest of the request, which will never come. The longer the server waits for the rest of the data, the easier it is to bring it down for a certain period of time. And if you thought that this isn't important: how much would your ecommerce site lose if it wasn't accessible for, let's say, an hour at its highest selling moment? The investment for the attacker is very minimal (one Linux box and a DSL line), the effect is guaranteed and the chances that the attacker is discovered are minimal to nonexistent.

    But reading through the documentation and comments on the original hackers blog, some things become clear:

    * The Apache people don't understand how IIS manages to be immune to this kind of attack

    * proxies, iptables and load balancers are of no use against this attack unless one puts a specialised DDOS defender box in front of them. This seems to be a new appliance one should put in front of the rest of the infrastructure (not behind it), and it could also be a single point of failure if it isn't hardened and patched itself

    * Sun webservers also seem vulnerable

    * Neither iptables nor the different Apache modules that should protect against it do so, because they don't work in a sequential way, that is to say they don't check the IP address of the host that asks for another connection and don't refuse it if the same IP address already has an open connection. IIS does so without modules.

    This means it is even more dangerous if it is launched by a botnet with fast-changing IP addresses.

    Maybe one should place the content on a technological failover system: if IIS fails you go to Apache and vice versa.

    Apache has no clue and no news about patches or solutions.

    If you go to IIS, go to IIS 7 or higher. IIS 6 is insecure an sich. Just as a Lada is in traffic.

  • bring down half of the servers with a simple PC and dsl line

    Half of the servers on the internet are using the open source Apache server. They can now be brought down by a simple Linux PC running a program that attacks only the webserver function, in such a way that it becomes unavailable to everyone else. There is no real mitigation, and if you read the conclusions of the Internet Storm Center, even the available workarounds should be used with caution as they all have serious side effects.

    The biggest web services will have enough defenses and backup or failover, and those running IIS can go on securing and patching their servers against other stuff, but those with vulnerable servers such as Apache and Squid should get to work.

    There is no really simple solution. You will have to think conceptually and look at your infrastructure, your business plan and your objectives. Every measure you take will have its costs and/or implications for your visitors, users or clients.

    The public release of this tool is based upon a problem that has been written about since 2005 and has been proven to work since 2007, and about which nothing was done, probably because one thought that nobody would do the old-hat DDOS stuff anymore.

    But that is what changed since last year with the massive DDOS attacks against countries (Georgia, Estonia, ....), against Tibetan dissidents, or against the sites of the Iranian government now. DDOS has become so simple that it has become very popular. It is also difficult to prosecute someone for a DDOS because if you are with many, they won't arrest every one of them, if they can find them at all, because the first thing one does during a DDOS attack is try to drop the traffic.

    So anyone who knows how to install a Python program on a Linux box can now take out any website that is using Apache 1 or 2, Squid and some others. The IIS servers are NOT vulnerable (yet?).

    http://isc.sans.org/diary.html?storyid=6613 You will read here how difficult it is to defend against such an attack if you haven't invested heavily in failover, proxying, fast loading and stuff like that.

    http://ha.ckers.org/slowloris/ this is a must read
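    Added example, not code from the original posts and not from the Slowloris author: a small Python check for the symptom the two slow-http posts above describe, one source holding many open connections to port 80 at once (the per-IP check the earlier post says Apache and iptables don't do). It reads the output of `ss -tn state established '( sport = :80 )'`; the sample below is constructed, not a real capture. The threshold of 20 and the whitelist are assumptions; a proxy or NAT gateway in front of you will legitimately hold more connections, so put it on the whitelist.

```python
import re
from collections import Counter

# Constructed sample (not a real capture) shaped like the output of
# `ss -tn state established '( sport = :80 )'`: one peer holds 25
# connections to the web server at once, the other two hold one or two.
_HEADER = "Recv-Q Send-Q Local Address:Port     Peer Address:Port"
_ROWS = [f"0      0      192.0.2.10:80          203.0.113.7:{51000 + i}" for i in range(25)]
_ROWS += [
    "0      0      192.0.2.10:80          198.51.100.4:40001",
    "0      0      192.0.2.10:80          198.51.100.4:40002",
    "0      0      [2001:db8::10]:80      [2001:db8::1]:40003",
]
SAMPLE_SS_OUTPUT = "\n".join([_HEADER, *_ROWS]) + "\n"

# One data row: recv-q, send-q, local addr:port, peer addr:port.
_ROW_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")


def parse_established(ss_text, local_port=80):
    """Peer IP of every established connection to local_port, one entry per connection."""
    peers = []
    for line in ss_text.splitlines():
        match = _ROW_RE.match(line)
        if not match or int(match.group(2)) != local_port:
            continue                                  # header line or another service
        peers.append(match.group(3).strip("[]"))      # drop IPv6 brackets
    return peers


def connections_per_peer(ss_text, local_port=80):
    """Counter of concurrent connections keyed by peer IP."""
    return Counter(parse_established(ss_text, local_port))


def suspicious_peers(ss_text, threshold=20, local_port=80, whitelist=()):
    """Peers holding more than `threshold` connections at once, minus known proxies."""
    counts = connections_per_peer(ss_text, local_port)
    return {ip: n for ip, n in counts.items() if n > threshold and ip not in whitelist}


if __name__ == "__main__":
    for ip, n in suspicious_peers(SAMPLE_SS_OUTPUT).items():
        print(f"{ip} holds {n} connections to port 80 at once")
```

    Run it from cron or a monitoring agent and hand the flagged addresses to whatever you use to drop traffic. Since these posts were written, Apache has also gained mod_reqtimeout, whose RequestReadTimeout directive closes connections that do not finish sending their request headers in time; that is the server-side answer to the slow-header problem described above.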


  • how Belgian tax on web was out of service for a day

    Tax on web is used by thousands of civil servants and accountants who fill in thousands of tax forms online for individuals during these last few weeks. Last week the service was bogged down for nearly a day. There were several questions in parliament and from the answers we can read the following.

    There was a cable to a hard disk that was posing problems, so that the hard disk was not accessible. Maybe you should read this again and then take your IT architecture handbooks and look up the following words:

    fail over - monitoring - pre-testing - business continuity - virtualisation - spare parts - .... and so on

    Remember this is one of the most popular and most critical installations of egov in Belgium. Of an application that is still easy to spoof, by the way, something we blogged about .... a year ago. If their hardware installation has been tested the same way, one can understand the problems they had.

    Security people should never underestimate hardware or take it for granted. It is only hardware.

  • First Big hack of Belgian credit cards

    A few weeks ago the minister of Justice declared that 45.000 Belgian credit cards were compromised in 2008. Most of them were the victim of hacks of websites outside Belgium and most were repaid.

    This is something different from the declaration of the Financial Control Agency (bfca), which said that in 2008 only a few Belgian banks were attacked and only a few Belgian credit cards. It obliged the banks to upgrade their security as the banking trojans (special viruses that intercept everything you do when you do your banking or buying online) were becoming smarter. The double authentication and the other security measures that made the banks declare themselves (without any audit) the most secured installations on earth seem to be under real pressure.

    Now it is clear in JUNE that in MARCH (look at the difference) about 45.000 to 50.000 Belgian credit cards were compromised and used for online payments. The fraud detection network of Atos worldwide noticed the problem and informed the Justice department, which according to the stories today forgot to inform the federal computer crime unit and the users of these cards.

    Dexia today reminded the directors of its local agencies to follow the rules strictly. This made the headlines as if Dexia itself had lost 45.000 credit cards, but Dexia was not the only victim of the hack. And in the article itself they say that Atos saw that only about 1000 credit cards were used to defraud their users of about a million dollars (which is about 1000 dollars a card). So in March there must have been a great hack of credit cards of which about 45.000 were of Belgian origin.

    In the worst case this is only the result of the big hacks of the financial transaction and payment processors. It is not unusual for hackers to use stolen credit card data over time.

    It is also a shame that people are only contacted about 4 months after the fraud was found, and maybe many months more after the hack of the database where their card was recorded. They will be informed in the coming days. If you are planning to go on holiday soon you will have a problem getting a new card in time.

  • tax on web forgets testing new software

    Taxonweb, our famous tax application, was having a hard time yesterday and was not usable for some time. In De Morgen, a national newspaper, a representative of the union said that it was not the fault of the workers but of the management, which forgot to test new software before installing it.

    Sorry? Installing and launching a critical web application like taxonweb without testing the new functions and software? Process? Auditing? Norms?

  • Exclusive the most dangerous Belgian search terms

    McAfee published a report about the most dangerous search terms one could use in a search engine. They are dangerous because sites that are infected, or that will try to infect you, are ranked so high that there is a real probability that you will click on them.

    This is the risk if you used the following search terms for Belgian sites at the time McAfee did its testing. Meanwhile some of those sites may have been cleaned up or closed down. The maximum risk percentage was 10%.

    The most important lesson to be learned is that malware writers and strategists use any keyword in any language to infect any popular or highly ranked site from any country, as long as it gets them traffic and infections. There is no reason that Dutch, French or Belgian sites should be excluded.


    Keyword
    daens
    pasta recepten
    jeux
    hotmail
    msn
    netlog
    recettes marocaines
    recette houmous
    recette soupe
    skyrock
    deredactie
    koekjes
    scampi recepten
    soep recepten
    youtube
    milk inc
    acdc
    franse recepten
    hln
    iphone
    recettes de chicons
    dexia
    ebay
    facebook
    mika
    piet huysentruyt
    recette soupe epinard
    alicia keys
    hot chip
    portishead
    pukkelpop
    radiohead
    recettes de pizza
    coldplay
    portugal-grèce
    leonard cohen
    moto gp
    tv
    roland garros

    We will come back on that one later

  • participate with Microsoft survey about the patchprocess

    Thank you for participating in the Project Quant patch management survey. The goal of this survey is to gain a better understanding of current real-world patch management processes. Future surveys will help us validate the processes and specific patch management metrics developed as part of the project. All questions are optional, but the more details you provide the more accurate the eventual model will be. All results will be made publicly available (email addresses and personally or corporate identifiable information will be kept confidential).


    http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d

  • certipost, telenet and post.be vulnerable to xss flash injection

    on http://insecure.skynetblogs.be we will be adding more information on xss

    we have found some Belgian sites that are indexed as vulnerable (and aren't fixed yet)

    and we have found that even some big sites are vulnerable to a malicious link injection through their flash animations

    this means that your site can be used as a hop for a drive-by download

    one rule: always use your full http(s) address in all of your links if you want to stay in control
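    Added example, not code from the original post or from any of the sites named in it: the rule above as a check in Python on the server side that hands a link parameter to a Flash animation or a page template. Anything that is not an absolute http(s) URL on one of your own hostnames is replaced by your own default page, so an injected `javascript:` link or a link to a third-party site can never become the click target. The check goes a little wider than the post's single rule: it also rejects scheme-relative `//host` links and `user@host` forms. The hostnames, the default page and the sample link parameters are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames the site owns and the page to fall back to (assumptions for the example).
OWN_HOSTS = {"www.example.be", "example.be"}
DEFAULT_PAGE = "https://www.example.be/"


def validate_link(candidate, allowed_hosts=OWN_HOSTS, default=DEFAULT_PAGE):
    """Return candidate only if it is an absolute http(s) URL on one of
    allowed_hosts; anything else becomes the site's own default page."""
    try:
        parts = urlsplit(candidate.strip())
    except ValueError:          # malformed IPv6 literal and the like
        return default
    if parts.scheme not in ("http", "https"):
        return default          # javascript:, data:, vbscript:, and scheme-relative //host
    if parts.username is not None or parts.password is not None:
        return default          # http://www.example.be@evil.example/ style tricks
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default          # other sites, including look-alike subdomains
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/",
                       parts.query, parts.fragment))


# Constructed link parameters as a Flash movie or page template might receive them.
SAMPLE_LINKS = [
    "https://www.example.be/promo?id=3",
    "HTTP://WWW.EXAMPLE.BE",
    "javascript:alert(1)",
    "//evil.example/x",
    "http://www.example.be.evil.example/",
    "http://www.example.be@evil.example/",
    "/relative/path",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link!r:45} -> {validate_link(link)}")
```

    The same check belongs inside the Flash movie itself if it reads the link from a FlashVar, because the server-side filter does nothing for a movie that is embedded on somebody else's page with their parameters.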

  • 100.000 websites hacked and half lost on a cheap server

    In April there was a posting on milw0rm (a famous hacker site) of 24 bugs in software that manages Xen and other virtualisation software. In May the makers of the software were informed by a security researcher that these bugs were published and give root to anyone. There was no real reaction from the firm, nor any follow-up.

    They are lucky because only one of their biggest partners got hacked today, and half of its clients have lost all their data (because they didn't pay for the backup). Vaserv is now trying to restore whatever it can, but it shows once again that peanut offers for hosting are not worth the paper they are written on.

    They are lucky that the backups were really well separated from the rest of the infrastructure and could be used.

    They are not so lucky not to have a real security guy doing security research and follow-up, even though they have a really big installation. Now they have lost some credibility and it will be hard to win it back.

    The firm itself, Kloxo, is in even bigger shit because it has ignored postings and contacts since April/May to solve those bugs, even if it says that security is very important to them. Using software from such a firm is a risk you are taking. Using a firm that uses such software is a risk you are taking.

    They had encrypted all the important personal information on the servers, which is another good thing. Imagine all the personal and financial information from 100.000 sites out in the open?

    The lesson: virtualisation is maybe some DRP or business continuity, but not security an sich. You will have to invest a lot of money in security, monitoring and backup of your virtualised infrastructure, even if you thought you would make big economies by virtualising. The only big economy you will make is on DRP and BC, not on your total investment in hardware + software + management and security + backup.

    It also shows that compartmentalisation and separation of servers is, even in a virtualised environment, a critical aspect of security.

  • The whole Slovak (secret) telephone database on a lost USB stick

    This time an anonymous man brought to the offices of the Slovak newspaper SME just one USB pendrive. As he told, he found it on the main square of a small town in the west of Slovakia, where it was lost by the crew of a black BMW (usually used by politicians or some higher officers...). The content of the drive should be highly confidential: it contains extensive documents and personal data about policemen from the Slovak Military Police. Just to mention that some Slovak military cops are on a mission in Afghanistan...

    source zone-H.com

  • webdav hacking campaign, find vulnerable server before hackers do

    IIS 6 sites with the WebDAV extension enabled may be vulnerable to authentication bypass because of a bug in the way that the extension handles Unicode characters.

    Cutting the URI path with random Unicode characters allows hackers to bypass the access control list. Depending on the permissions of the Web server files, a hacker would be able to retrieve user names and passwords, upload, overwrite and delete files, or run malicious code.

    Use the WebTuff utility to check your system vulnerability:

    1.  Try to retrieve the file at the given URI using a simple WebDAV GET command

    2.  Try to retrieve the file at the given URI using a simple WebDAV GET command, cutting the URI with these Hex | Unicode characters: %c0 and %af.

    3.  Save the retrieved file locally and / or report server response

    Download WebTuff Tool:

    webTuff link (zip file containing win32 binary + Python source code)

    WebTuff-MD5 (MD5 hash of WebTuff binary)


    http://www.applicure.com/News/WebDAV_Exploit
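    Added example, not the WebTuff tool and not code from applicure: instead of testing the server from the outside, look in your IIS W3C logs for the overlong-encoded sequence the post mentions (%c0%af) in requested paths. The check goes a little wider than the post: it decodes the path and flags any overlong UTF-8 encoding, since %c0%af is only the shortest form of the trick. The log excerpt is constructed, and the field list assumes the W3C extended fields shown in the `#Fields:` line are enabled on your server.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS 6 W3C log excerpt (not a real log). The third request
# carries an overlong-encoded slash (%c0%af) in the path; the fourth a
# three-byte overlong form of the same character.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2009-05-20 10:01:02 192.0.2.10 GET /public/index.htm - 80 - 198.51.100.4 Mozilla/4.0+(compatible) 200 0
2009-05-20 10:01:03 192.0.2.10 GET /protected/report.xls - 80 - 198.51.100.4 Mozilla/4.0+(compatible) 401 2
2009-05-20 10:01:04 192.0.2.10 GET /protected%c0%af/report.xls - 80 - 198.51.100.4 Mozilla/4.0+(compatible) 200 0
2009-05-20 10:01:05 192.0.2.10 PROPFIND /%e0%80%af/protected/ - 80 - 203.0.113.7 Mozilla/4.0+(compatible) 207 0
2009-05-20 10:01:06 192.0.2.10 GET /caf%c3%a9.htm - 80 - 198.51.100.4 Mozilla/4.0+(compatible) 200 0
"""


def has_overlong_utf8(data):
    """True if data contains a UTF-8 sequence encoded in more bytes than the
    code point needs (the trick behind %c0%af, which decodes to '/')."""
    for i, lead in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if lead in (0xC0, 0xC1):
            return True                                   # 2-byte lead, always overlong
        if lead == 0xE0 and nxt is not None and 0x80 <= nxt < 0xA0:
            return True                                   # 3-byte form of a code point < U+0800
        if lead == 0xF0 and nxt is not None and 0x80 <= nxt < 0x90:
            return True                                   # 4-byte form of a code point < U+10000
    return False


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields: line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_bypass_attempts(log_text):
    """(client ip, method, raw path, status) for every request whose path
    contains an overlong UTF-8 sequence after percent-decoding."""
    hits = []
    for rec in parse_w3c(log_text):
        if has_overlong_utf8(unquote_to_bytes(rec["cs-uri-stem"])):
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in find_bypass_attempts(SAMPLE_IIS_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

    A hit with a 2xx status on a path that otherwise returns 401 is the case to act on first; a 4xx hit still tells you who is probing and which paths they are interested in.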

  • Apple has to put some security in its 5 month old java bug

    If you don't agree you can protest at Apple http://www.apple.com/feedback/macosx.html and ask them why they are taking so long to fix a bug that was fixed by Sun in DECEMBER.

    Secondly, your Mac can be hacked by any specially crafted package on a website, even if you have patched and secured your machine.

    Meanwhile you can only stop this by

    * disabling the 'open safe files after downloading' option

    * dumping the Safari crap and taking a real browser

    * disabling Java in Safari if you still want to use that crap

    If you are not running a Mac, you should however fix this bug here:

    http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1

    Let's hope that the Java and Mac update processes become more professional.
    Macromedia has already decided to reorganise its update process, although a 3-month period is much too long. It looks like the Oracle patch process.

  • belnet, the official Belgian internet network, mostly attacked by Chinese networks

    2. Top scanners from their newsletter

    # | Region / Domain
    4345 | Zigong Sciences Informations Academe
    933 | Flexwebhosting B.V
    886 | CHINANET anhui province network
    850 | China Unicom Heilongjiang Province Network
    591 | Ministry of Water and Irrigation
    556 | China Unicom Beijing province network
    556 | Sichuan Public Information Industry Co.Ltd IDC
    501 | CHINANET Anhui province network
    452 | CHINANET-HN Zhuzhou node network
    434 | CHINANET jiangsu province network

    +++ 3. Top scanned ports

    # | port # | service
    5849 | 1434 / udp | Microsoft SQL Monitor
    3950 | 445 / tcp | Windows File-&Print Sharing - SMB
    1788 | 22 / tcp | ssh
    1534 | 1433 / tcp |
    1219 | 2967 / tcp |
    872 | 23 / tcp |
    845 | 135 / tcp | DCE Endpoint
    750 | 139 / tcp |
    611 | 1026 / udp |
    604 | 4899 / tcp |
    https://cert.belnet.be/newsletters/belnet-cert-newsletter-new2009-21

    do we really need that Chinese traffic or should we whitelist it instead of blacklisting?

  • all Openssh not 5.2 is insecure an sich

    All programs that incorporate the OpenSSH implementation of SSH, short for Secure Shell, should make sure they use version 5.2, which provides several countermeasures to prevent the attacks. Other SSH implementations may be vulnerable as well, the researchers from the Information Security Group at the University of London's Royal Holloway said.

    The attack exploits subtle differences in the way SSH software reacts when encountering errors during cryptographic processing. By directing specially manipulated packets at the application, an attacker has a one in 262,144 chance of recovering 32 bits of plaintext from an arbitrary chunk of ciphertext.


    http://www.securityfocus.com/news/11550
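    Added example, not code from the SecurityFocus article or from the Royal Holloway researchers: a Python check that reads the version banner an SSH server sends on connect and flags OpenSSH older than 5.2, so you can run it over your own host list. The banners in the sample are constructed. `fetch_banner` does a real connection when you call it; the audit works on stored banners so it runs offline. Non-OpenSSH servers come back as None, because the article says other implementations may be vulnerable too and a version number alone does not settle that.

```python
import re
import socket

# Constructed banners (not real scan results), in the form an SSH server
# sends them as the first line after the TCP connection opens.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_5.1p1 Debian-5",
    "host-b": "SSH-2.0-OpenSSH_5.2",
    "host-c": "SSH-1.99-OpenSSH_4.3",
    "host-d": "SSH-2.0-dropbear_0.52",
    "host-e": "SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522",
}

MINIMUM_OPENSSH = (5, 2)   # the version the article says to be on

# Protocol version, then the OpenSSH major.minor; the portable 'p1' suffix
# and any vendor comment after it are ignored.
_OPENSSH_RE = re.compile(r"^SSH-(?:1\.99|2\.0)-OpenSSH_(\d+)\.(\d+)")


def openssh_version(banner):
    """(major, minor) for an OpenSSH banner, None for any other software."""
    m = _OPENSSH_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def needs_upgrade(banner, minimum=MINIMUM_OPENSSH):
    """True if OpenSSH older than minimum, False if at/after it, None if not OpenSSH."""
    version = openssh_version(banner)
    return None if version is None else version < minimum


def fetch_banner(host, port=22, timeout=5):
    """Read the banner line from a live server (network call; the audit below does not use it)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(255)
    return data.decode("ascii", "replace").splitlines()[0] if data else ""


def audit(banners):
    """Host -> True (upgrade), False (ok) or None (not OpenSSH, check separately)."""
    return {host: needs_upgrade(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    labels = {True: "upgrade to 5.2", False: "ok", None: "not OpenSSH"}
    for host, verdict in audit(SAMPLE_BANNERS).items():
        print(host, labels[verdict])
```

    The attack the article describes works against CBC-mode ciphers, which is why 5.2 both adds countermeasures and prefers CTR-mode ciphers by default; on a server you cannot upgrade yet, restricting the cipher list to CTR modes is the other mitigation.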

  • webdav hacking still in full force, how to find webdav servers on your networks

    Question: How can I find IIS servers in my environment running WebDAV?

    Answer: You can use the IIS Manager interface on the server to quickly tell whether the server is running WebDAV. If you want to do so remotely, you can issue an HTTP request to the server directly:

    $ telnet server 80

    OPTIONS / HTTP/1.1
    Host: server
    Accept: */*

    (An extra Enter on the blank line after the Accept will complete the request for the webserver.)

    If you get an HTTP response that looks like the one below, the server is running WebDAV.

    HTTP/1.1 200 OK
    Date: Wed, 20 May 2009 00:52:58 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    MS-Author-Via: DAV
    Content-Length: 0
    Accept-Ranges: none
    DASL:
    DAV: 1, 2
    Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
    Cache-Control: private

    To evaluate the response for existence of WebDAV, use the following logic:

    • Received 2xx response status to OPTIONS request made to root of site.
    • Response contains DAV header with value 1,2.
    • Response contains MS-Author-Via header which contains DAV value.
    • Response DOES NOT contain X-MSDAVEXT header. Existence of this means it is SharePoint's DAV.

    To test a server that only accepts HTTPS connections, you can use a tool like wfetch.


    http://blogs.technet.com/srd
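    Added example, not code from the Microsoft SRD post: the OPTIONS request and the four evaluation rules above in Python, so you can run them over a list of hosts instead of by hand in telnet. The three responses are constructed to match the shapes the post describes (IIS WebDAV, SharePoint DAV, a non-DAV server). `options_request` does the network part; with `use_tls=True` it wraps the socket in TLS, which covers the HTTPS-only case the post hands to wfetch.

```python
import socket
import ssl

# Constructed OPTIONS responses (not captured traffic) in the three shapes
# the Microsoft post describes.
IIS_WEBDAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n\r\n"
)
SHAREPOINT_DAV = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nMS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\nX-MSDAVEXT: 1\r\nContent-Length: 0\r\n\r\n"
)
NO_DAV = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.11\r\nAllow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP response into (status code, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_iis_webdav(raw):
    """The four rules from the post: 2xx, DAV: 1,2, MS-Author-Via: DAV, no X-MSDAVEXT."""
    status, h = parse_response(raw)
    dav_levels = {p.strip() for p in h.get("dav", "").split(",")}
    return (
        200 <= status < 300
        and {"1", "2"} <= dav_levels
        and "dav" in h.get("ms-author-via", "").lower()
        and "x-msdavext" not in h
    )


def options_request(host, port=80, use_tls=False, timeout=5):
    """Send the post's OPTIONS / request to host:port and return the raw response text."""
    request = f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nAccept: */*\r\nConnection: close\r\n\r\n"
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:            # Connection: close, so read until the server hangs up
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def audit(hosts, port=80, use_tls=False):
    """Map each host to True/False (WebDAV or not) or to an error string."""
    results = {}
    for host in hosts:
        try:
            results[host] = is_iis_webdav(options_request(host, port, use_tls))
        except (OSError, ValueError, IndexError) as exc:
            results[host] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, sample in (("iis", IIS_WEBDAV), ("sharepoint", SHAREPOINT_DAV), ("apache", NO_DAV)):
        print(name, is_iis_webdav(sample))
```

    A True result only tells you WebDAV is enabled; whether that server is the IIS 6 case from the posts above is in the `Server:` header, so keep the parsed headers when you report.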

  • attacks on Directshow quicktime filter

    As every application tries to make as many of its own plugins as possible for all these old, new and marginal protocols and products that are being used, vulnerabilities will continue to pop up in client software.

    Today it is Microsoft's DirectShow that is being hit by exploits for its QuickTime parser. It is not even necessary to have QuickTime installed or to open QuickTime files. If you have quartz.dll, then you are vulnerable, period.

    The best workaround is this one, according to Microsoft:

    #1: Disable QuickTime parsing in quartz.dll by deleting the following registry key:

    HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

    This is fine for a lot of networks where this operation will be set in motion.
    But how do individual newbies do that without making some mistake?
    Shouldn't you produce some script or program to do that for them?
    Click and play?

    You can try it this way:

    For 32-bit Windows systems:

    1. Click Start, click Run, type Regedit in the Open box, and then click OK.

    2. Locate the following subkey:
       HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

    3. On the File menu, click Export.

    4. In the Export Registry File dialog box, enter QuickTime_Parser_Backup.reg and click Save.

       Note: This will create a backup of this registry key in the My Documents folder by default.

    5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.


    Sources: Microsoft and ISC.
    This vulnerability is being exploited right now in different forms.
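    Added example, not code from Microsoft or ISC: the "click and play" script the post asks for, in Python for Windows. It refuses any key other than a CLSID directly under HKEY_CLASSES_ROOT\CLSID, exports the key to QuickTime_Parser_Backup.reg with reg.exe first (the same backup the manual steps create) and only then deletes it, so the change can be undone by double-clicking the .reg file. Deleting under HKEY_CLASSES_ROOT needs an elevated prompt. The backup folder and the dry-run switch are assumptions for the example; the command building and key check run on any platform, the registry calls only on Windows.

```python
import re
import subprocess
import sys
from pathlib import Path

# The key from the Microsoft workaround quoted in the post.
QUICKTIME_PARSER_KEY = r"HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}"

# Only a CLSID directly under HKEY_CLASSES_ROOT\CLSID is ever touched.
_CLSID_KEY_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I
)


def is_clsid_key(key):
    """True if key names a CLSID under HKEY_CLASSES_ROOT\\CLSID and nothing else."""
    return _CLSID_KEY_RE.match(key) is not None


def reg_commands(key, backup_file):
    """Build the two reg.exe command lines: export (backup) first, delete second."""
    if not is_clsid_key(key):
        raise ValueError(f"refusing to touch unexpected key: {key}")
    export = ["reg", "export", key, str(backup_file), "/y"]
    delete = ["reg", "delete", key, "/f"]
    return export, delete


def key_exists(key):
    """True/False on Windows (via winreg), None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    hive_name, _, subkey = key.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey):
            return True
    except OSError:
        return False


def disable_quicktime_parser(backup_dir=None, dry_run=False):
    """Back up and delete the QuickTime parser CLSID. Returns the backup path,
    None if the key was already gone, or the planned commands in dry-run mode."""
    backup_dir = Path(backup_dir) if backup_dir else Path.home() / "Documents"
    backup_file = backup_dir / "QuickTime_Parser_Backup.reg"
    export, delete = reg_commands(QUICKTIME_PARSER_KEY, backup_file)
    if dry_run:
        return export, delete
    if key_exists(QUICKTIME_PARSER_KEY) is False:
        return None                         # already removed, nothing to back up
    subprocess.run(export, check=True)      # reg.exe exits non-zero if the export fails
    subprocess.run(delete, check=True)      # so the delete never runs without a backup
    return backup_file


if __name__ == "__main__":
    print(disable_quicktime_parser(dry_run="--dry-run" in sys.argv))
```

    Run it once with --dry-run to see the two commands, then from an elevated prompt without it; to undo, import QuickTime_Parser_Backup.reg from the Documents folder (or run `reg import` on it).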