No trust without independent control - Page 12

  • some damn clear facts about terrorism in 2013

    that doesn't mean that your physical security plan doesn't have to take this protection into account (there are several books about specific physical protection of buildings against terrorism, ranging from bomb attacks (perimeter defense) to hostage taking (secret entrances and secret hiding rooms))

    source (the documents can be downloaded from the site without registration)

  • #ukraine just a reminder that this is a local, limited but REAL daily war

    so those who think that we shouldn't pay so much attention to it are wrong

    here weapons are tested, here strategies are being adopted, here future special soldiers are being trained, here plans are being made for 2020 (by Russia), when its military will have finished its transformation and will have all the new weaponry it needs for... (read what Putin is saying publicly and you know)

    either we win this war and send a clear message now, or we have another and worse one in a few years

  • #ukraine is becoming the biggest real test field for military hardware in Europe

    Even if those weapons have been developed for the wars in Afghanistan and Iraq, they have never been tested in a real war in Europe with another climate and other battle conditions. So both sides are starting to send their newest military hardware to the Ukrainian battlefield (this is what it really is, sad to say) and to learn what works and what should be changed - especially in the new doctrine of waging or combating a hybrid war (which is different again from the kinds of wars being fought in Iraq and Afghanistan).

    for those interested in the networking of the battlefield, you will see that secure communication is part of the infrastructure and of the success of this military hardware

    This is in fact a big argument for NATO or other countries or even industries to get their newest weaponry to Ukraine so they can achieve some military balance and keep the conflict under control as long as there is no diplomatic solution, and have a learning process that no exercise can give. When it comes to a real or limited war somewhere on our Eastern European borders, then those lessons will be very important. The Baltic states surely think so.

  • and the DDoS storms get bigger and bigger: 500 Gbps (against Hong Kong protest sites)

    "The websites, Apple Daily and PopVote, have been vocal supporters of the pro-democracy protests and even carried out mock chief executive elections for Hong Kong. Cloudflare, a company which is employed to protect websites against distributed denial of service attacks, has revealed that since June, these two websites have been bombarded by attacks of unprecedented size.

    According to Matthew Prince, CEO of Cloudflare, the attacks have hit 500 gigabits per second (Gbps), which tops attacks in February of 400Gbps that were at the time the biggest in internet history.

    According to Prince, who was speaking to Forbes: "[It's] larger than any attack we've ever seen, and we've seen some of the biggest attacks the Internet has seen."

    Last year a DDoS (distributed denial of service) attack on the anti-spamming group Spamhaus was declared the "biggest in the history of the internet" peaking at 300Gb"
    http://www.ibtimes.co.uk/largest-cyber-attack-history-hits-pro-hong-kong-protest-websites-1475876

    now where does that come from?

  • Danish tax administration will use #luxleaks as evidence for reviewing taxes

    the tax administration in Denmark has said that it will use the luxleaks documents; they will ask the firms for an explanation and maybe even adjust the taxes (upwards). They will also use the documents to understand how these countries are negotiating and setting up such tax rulings, probably to find ways to make them even more difficult or illegal in the future

    source for the translation that follows: http://politiken.dk/oekonomi/fokus_oekonomi/Luxembourg_laekage/ECE2462186/skat-gaar-paa-jagt-i-hundredvis-af-stjaalne-skatteaftaler/

    "Tax examines the publicly available agreements between individual companies and the state of Luxembourg closer. If there is information in the material, and this will affect the settlement of tax in Denmark, it will be treated based on the rules of Skat control work - in addition to this materiality and risk," said in a written statement to Politiken.

    Insight into the secret world

    Taxes do not want to elaborate. But before the publication of the hundreds of tax treaties, which escaped from the accounting firm PwC Tax expressed interest in gaining insight into how these tax treaties are designed:

    "We have heard that such agreements exist, but we have never been told what is in them, and we have never seen one," said Troels Kjølby Nielsen, Tax Administration Division, responsible for international tax treaties"

    my comment: this kind of discussion has been going on before about stolen listings and documents, and sometimes they have held up cases for years or even decades (the UBS case, for example), but in the end they were used somewhere - even if it was to blackmail the firms or people into coming to some agreement with the tax administration, because they also can't always go through a public conflict about their taxes for years.

  • the Russian hacker showing thousands of unprotected webcams is looking for a job

    he is in all the IT blogs and news magazines all over the world

    thousands or millions of people are visiting his site

    regretting that they didn't change the default password of their video camera and didn't encrypt the stream if it goes outside (imagine a smart TV with a reverse video camera)

    but hey, does he get your attention? He is just looking for a job

  • a very honest 404 error page

  • happy birthday to #Euromaidan while Ukrainian Mad Max are still fighting the invading Russians

    it looks like a Mad Max car if you ask me - they made it themselves in the factory based on battlefield experience

    meanwhile at Euromaidan people are now remembering the fallen 100 and the people they lost there

    We have hundreds of postings about Kiev, Maidan and Ukraine; they are all here in chronological order

    and this is when it all began for us and we started to take notice; from that moment on we were hooked and chose our side, that of the people, for the people and by the people (in all there are about 800 postings about Ukraine since then). Several times our front page was even changed to show the importance of the burning tyres resisting the attacks every night or the invading Russian tanks that have been coming without end in the last months.

    we also have a tweet list about Ukraine and in our main tweet feed Ukraine is always on our mind (and in our eye). We always keep a close watch on what is happening on this new front for democracy.

    and this was one of the first barricades to appear in Kiev

    and this is how it ended - when even snipers couldn't end the protest after killing 100 people and wounding several hundred - they fled and the regime with them

    and for one year they have had military battles with defeats and successes, two elections and a lot of support but not enough of it, and yet after one year Putin only occupies 5% of the territory and hasn't accomplished his strategic goal.... or not yet

    but if anybody had told us that one year ago, nobody would have believed it was possible

  • After the DDoS on game networks, here are the stolen passwords (also Belgians)

    First there were the big DDoS attacks, but these were only the diversion; the real goal was to penetrate and steal passwords and other things while all the staff were busy trying to keep the network up and the security tools were being overwhelmed, downgraded or just put on hold to make sure the traffic passed fast enough

    this is nothing new

    it has been done before by hackers and is in fact a very old military tactic

    now there are thousands of logins (and some are from Belgians)

    "Dear Internet, the following is a very small portion of Lord Gaben and the rest of his crew's glorious raids across the high seas of the Internet.

    Portions of our raids include:
    * 2K Gaming studio user credentials
    * Windows Live Email user credentials
    * PlayStation Network user credentials

    These usernames are bestowed upon you in the humble name of Derp.

    @DerpTrolling - @GabenTheLord - @UGLegion

    Let this be a warning to all.

    Nothing is safe from Derp"

    http://pastebin.com/WVzviPyp

  • 9lives - an answer from the Privacy Commission (and some reflections)

    This is the letter I received from the privacy commission:

    [image: 9lives1.PNG]

    [image: 9lives2.PNG]

    some remarkable things

    First these are all the postings we did about 9lives

    1. Telenet can NOT say without any doubt which data were copied, which indicates that the logging of its database is limited, while there is much more professional software that allows you to know which data from which columns of the database were stolen (and in fact even to make that impossible). Of course, if one wants to work as cheaply as possible without spending money, one can't expect to have much information.

    2. Not everyone was informed because the hacker probably did not just copy the data, as Telenet says, but also destroyed it. How else is it possible that Telenet says in the same letter that it could not personally notify people because it no longer had a backup? You only need a backup if you no longer have the original. It also raises the question of what else the hacker may have destroyed, logs for example? This then also explains why the breach notification rule of 48 hours was not respected towards a number of people.

    3. We stand by our case that the software used did have vulnerabilities, because it was NOT the paid, maintained software but the free version that had not been maintained for quite some time and for which exploits could be found with a simple search on the internet. And we are talking here about only 400 dollars; this is simply not worth all that misery. I too am in favour of open source software, but we almost always take paid or supported versions when important data is involved.

    The privacy commission only notes that Telenet denies this. I don't understand that. It is so obvious.

    By the way, what is this? "Telenet could not access the servers of the site for a week because of the investigation, but has meanwhile found a solution. The leak was reportedly in software from an external supplier, but Telenet solved the problem itself." http://www.demorgen.be/technologie/telenet-zet-gehackte-gamingsite-9lives-be-weer-online-a2110069/ So a leak or a vulnerability after all; where it comes from doesn't matter, you remain just as responsible for your platform.

    4. The privacy commission did not continue its investigation so as not to hinder the judicial investigation, but these are in fact two totally different matters, and perhaps the FCCU and the privacy commission should make some agreements about this. The FCCU can easily work on the basis of a copy while the privacy commission continues its 'fact analysis'. The aim of the FCCU is to find the responsible party if only the company has filed a complaint. If users or their representatives were to file a complaint against Telenet and 9lives, then it must also investigate whether all the necessary measures were taken. In the future it should perhaps get assistance from specialists who ask the right questions and can also assess the answers technically. It may be that the software is secure, but

    And to conclude, we can simply note that this oh so secure server of 9lives, after its secure restart, used such insecure encryption and certification that the number of attack possibilities was still large enough.

    Another reason why it is so important for the privacy commission to resume the investigation into 9lives is to point out to the hosting sector that they too have certain responsibilities and must provide more security for their servers, hosting platforms, networks and firewalls - regardless of the responsibilities of the owners of the websites themselves.

  • detect espionageware on your computer with this new tool

    espionageware is not spyware: it is used to follow your political information and your political friends, whereas spyware just wants to make some bucks regardless of your political views

    'Detekt is a very useful tool that can uncover the presence of some commonly used spyware on a computer, however it cannot detect all surveillance software. In addition, companies that develop the spyware will probably react fast to update their products to ensure they avoid detection.

    This is why we are encouraging security researchers in the open-source community to help the organizations behind this project to identify additional spyware or new versions to help Detekt keep up to date. Contact information is available here.

    It is important to underline that if Detekt does not find trace of spyware on a computer, it does not necessarily mean that none is present. Rather than provide a conclusive guarantee to activists that their computer is infected, our hope is that Detekt will help raise awareness of the use of such spyware by governments and will make activists more vigilant to this threat.'
    http://www.amnesty.org/en/news/detekt-new-tool-against-government-surveillance-questions-and-answers-2014-11-20

    you can find the tool here : https://resistsurveillance.org/

  • mensura leak: ACV asks government and social partners to take immediate action

    it is the first time after so many leaks that a trade union organisation openly commits itself to the privacy rights of employees and makes a place for it in the social dialogue

    For the first time a major labour union in Belgium has understood that the privacy rights of its members have a place in the social negotiations they hold at the national level. In ten years of security activism, this is really the first time and a major change.

    -----------------------------------------------------------------------------------------------------------------------------------

    Privacy of hundreds of Belgian employees seriously harmed by Mensura leaks
    ACV asks for the immediate creation of a task force

    Hackers gained access to part of the data of Mensura's medical control service. In this way hackers obtained the identity data of hundreds of employees, including their national register number. The remarks that the employer concerned communicated to Mensura about the employee concerned were also hacked: indications about their state of health, but sometimes also about their behaviour in the company, remarks about their family, pregnancies, number of sick days, incidents in the company, evaluation interviews, activities on social media, …

    After a failed blackmail attempt against Mensura, the hackers put part of these files online. As a result these files are freely available on the internet and have meanwhile been downloaded hundreds of times. The privacy rights of the employees concerned are thereby seriously harmed. These data threaten to haunt them forever on the internet.

    Contrary to the code of conduct, Mensura only announced this incident after it was reported on an IT blog. So far Mensura has only notified the employers concerned of this leak, not the employees concerned. They are often still not aware of it. Yet Mensura has the precise address details of the employees concerned and all the personal data about these employees that were leaked. Mensura asked the employers to inform the victims, the employees, in turn. It is very questionable whether all employers will inform the employees concerned, and will also pass on the information that the employer provided to Mensura. The nature of those comments puts some employers in a rather embarrassing situation.

    We ask that Mensura inform all employees concerned without delay about which information was stolen. This is the application of the rules of the privacy commission. So far the hackers have only published part of the stolen information. Employees have the right to know which personal information about themselves has come into the hands of criminals.

    The ACV asks Minister of Justice Geens, Minister of Work Peeters and the Secretary of State responsible for Privacy Tommelein to immediately set up a task force with the social partners and the federal computer crime unit to tackle this crisis situation and to undo the consequences for all employees concerned as quickly as possible. This Task Force must also hold a fundamental debate on the way in which sensitive information is stored and exchanged. In the context of the introduction of the medical ankle bracelet, the importance of clear and good agreements cannot be underestimated.

    The regulations should also be adapted so that employees get access to the data about them that is provided to third parties in application of labour law. The rights of employees to personal information when they become victims of incidents must be written into legislation and made enforceable.

  • answer from the privacy commission about my complaint against mensura (please sit down)

    otherwise you will have to sit down anyway, because this really beats everything

    it was a complaint because mensura also holds my data

    and of course the Commission has already contacted mensura

    so what

    what has it done with that

    what happens with my complaint

    do I now really have to go to court to file a complaint for irresponsible behaviour and non-compliance with the privacy commission's own guidelines on data protection of January 2013?

    the people at mensura must surely be laughing

    no fine, no reprimand, a bit of press but that will pass (as long as none of their big customers goes to court, and even then it takes a few years) and meanwhile we just carry on, and next time (then we'll just pay, then we're rid of all the nonsense we had now and we can tell everyone who was against paying that they should have paid, because we have never had this much hassle and it cost us a lot more money)

    [image: privacycommissie-mensura.PNG]

  • Update 2: releak by Rex Mundi (pizza domino.fr)

    Rex Mundi said he was looking at some new targets yesterday

    so we published an alert for the financial, HRM and ISP sectors

    today he is publishing a file claiming to come from pizzadomino.be/fr ----- NO, they retract: it is their old file

    they say that they have also hacked the NL database - maybe the database with France or Domino Pizza is one big mess in the back office, but so what....

    I need confirmation or more proof to announce the Belgian dominopizza.be as officially hacked and leaked

    now pizzadomino.fr was hacked (with a file of half a million people - now disappeared again)

    but there is something strange about that file - there are French addresses in it (in the total of 3000 addresses) amongst Belgian addresses, and the biggest bunch can't be localised

    the passwords are encrypted and salted, so I don't see the big security problem in this one for the moment, except that you have some mobile numbers and some email addresses together, which make a fine combination for a combined attack

    it also shows why big data is a big risk and why you should never keep data that is old 

    tweets 

    @mailforlen Just 2 b clear, this data is from our old hack. On the same server, Domino's had 3 DBs: FR, Be-FR and Be-NL

    @mailforlen Yes, as we said, this one is from the French-speaking version of the Belgian website of Domino's. We also have NL version.


  • security marketeers are abusing the easypay and mensura database ... phishers may follow

    Do not

    * click on links that are sent in mails about your data in the easypay and mensura database (especially if you are not in the public database of 1100 out of the 32.000)

    * think twice before responding to these emails - it is a very lousy marketing practice that doesn't show a clear sense of ethics. Either they are desperate (and any security firm that is desperate nowadays is doing something terribly wrong, because it is a booming business) or they are just money grabbers out for an opportunity

    * I am not sure about it, but I think the use of stolen data - even published - for marketing purposes may be something the privacy commission doesn't like (because the purpose is to get that data OFF the internet and not into as many databases and email lists as possible .....)

    I hope that everybody keeps calm and does the things that you know you should be doing (and that don't cost any money, like changing passwords) and goes to real professionals with clear business and professional ethics for solutions to the problems you seem to have discovered now (two-factor authentication being one of them, centralised logging another, a WAF and security checks another, and encryption and so on)

    if you receive such an email

    commission@privacycommission.com where you can also file a complaint about the way things are going

    you also have the right to file a complaint - if you are a bigger customer - at the local court (maybe some of the bigger ones should do this, to send a clear message to all their other outsourced service providers that they had better take data security seriously)

    there is already enough evidence on this blog of all the reasons why the best principles weren't followed before, during and after the incident

    I filed a complaint against mensura for these reasons with the privacycommission. 

  • ALERT (and evidence from a victim in France): If you were a client of easypay: CHANGE ALL PASSWORDS NOW if your email address has the same password

    I changed the warning just to be sure

    because all your passwords and the way to change passwords in other services go through your principal email address

    this is why you should have at least a unique password for your principal email address (and not one that has the same logic or words in another order as your compromised password)

    you can also activate in some online mail services two-factor authentication with your mobile phone (although your mobile phone is as secure as a computer was 10 years ago, so I am not sure that this is a real future-proof solution)

    these are two tweets that got my attention (maybe they want to show that the email addresses and passwords really work and give access to more than easypay, which has changed its passwords lately)

    In the press it is mentioned that Belgocontrol (air traffic control) wasn't compromised by this leak. We never said they were. But if your authentication is ONLY based on passwords for login, then you are now faced with a big problem to secure your access.

    some points

    * smart hackers won't pay with bitcoin because it is not totally anonymous, so don't trust the fact that it isn't sold yet according to the bitcoin indexes

    * I hope that easypay also gave all of its clients the very strongly worded advice to change their passwords now, especially those for their email and social media, and to contact the security cell of their firm, bank or network if they use the password to access files or applications

    * security people from many networks, banks and organisations will now have to block a limited number of people (if they received a list of their members who were clients of easypay and are on the 32.000 list). They can't rely on the assumption that those people - even warned - will all do the right thing in time; they should block their access to the extranet, files or applications for the time being, do some research (going back 2 weeks) and decide to give a new password

    there are also French people involved, so I hope that the CERT and easypay have contacted the French clients, the French privacy commission and CERT to enable them to take all the measures described above

    otherwise even more complaints may be coming their way, and the French privacy commission has the possibility to impose an administrative fine (something our new secretary of state for privacy DOES NOT WANT to do - which is nonsense because Europe will enforce this in two years).

    r.marissal in France thus has more possibilities of receiving financial compensation than any Belgian victim

    Rex Mundi said that as a test they have accessed at least 2 mailboxes and one CMS of a firm's website (so all firms should look at the CMS of their websites if one of their users is in the list). You could be in for a lot of trouble if someone else infects it, uses it to attack another site or just downloads all the data on it

    some security people in Belgium and France will have a lot of work these days.... but if they follow best practices they should be able to tell their CIOs that today or tomorrow everything is checked and changed or blocked, awaiting the results of the analysis.

    if you haven't received the client list for your network, then you should complain to easypay or cert.be
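    As an added example (not code from the original post, nor from easypay or cert.be), here is a small Python check a security team could run once it has received such a client list: it matches the leaked addresses against its own user directory and the extranet login logs of the last two weeks, marks every matching account for blocking and a password reset, and flags the ones that show a login from a source IP never seen before that window. The leak list, the directory and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the public part of a leak, as it circulates online:
# one "email:password" per line. Only the addresses are used for matching;
# the leaked passwords themselves are never needed by this check.
LEAKED_DUMP = """\
alice@example.com:Summer2014
BOB@example.com:Welcome1
carol@example.org:Pass1234
"""

# Constructed sample of the organisation's own user directory: login -> e-mail.
DIRECTORY = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
    "dave": "dave@example.com",
}

# Constructed sample of extranet authentication log lines.
AUTH_LOG = """\
2014-10-10T08:12:01Z user=alice src=203.0.113.7 result=success
2014-11-19T23:41:12Z user=alice src=198.51.100.23 result=success
2014-10-01T07:30:00Z user=bob src=203.0.113.9 result=success
2014-11-20T02:03:45Z user=bob src=203.0.113.9 result=failure
2014-11-20T02:04:02Z user=bob src=203.0.113.9 result=success
2014-11-18T09:00:00Z user=dave src=203.0.113.7 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_leak(dump):
    """Return the set of lower-cased e-mail addresses in an email:password dump."""
    addresses = set()
    for line in dump.splitlines():
        line = line.strip()
        if ":" in line:
            addresses.add(line.split(":", 1)[0].lower())
    return addresses


def affected_accounts(leaked, directory):
    """Logins whose directory e-mail address appears in the leak."""
    return {login for login, email in directory.items() if email.lower() in leaked}


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def review(dump, directory, log_text, now, lookback_days=14):
    """Per affected account: block and reset now; flag for investigation when the
    look-back window holds a successful login from a source IP not seen earlier."""
    hits = affected_accounts(parse_leak(dump), directory)
    window_start = now - timedelta(days=lookback_days)
    baseline = defaultdict(set)  # successful source IPs seen before the window
    recent = defaultdict(set)    # successful source IPs seen inside the window
    for e in parse_log(log_text):
        if e["result"] != "success":
            continue
        (baseline if e["ts"] < window_start else recent)[e["user"]].add(e["src"])
    actions = {}
    for login in sorted(hits):
        new_sources = sorted(recent[login] - baseline[login])
        actions[login] = {
            "block": True,
            "reset_password": True,
            "investigate": bool(new_sources),
            "new_sources": new_sources,
        }
    return actions


def run_sample():
    """Run the check over the constructed data as of a fixed date."""
    return review(LEAKED_DUMP, DIRECTORY, AUTH_LOG, now=datetime(2014, 11, 21))
```

    In the sample, alice is blocked and flagged (a successful login from a new address inside the window), bob is blocked but only reset (same address as before), and dave is untouched because his address is not in the dump.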

  • ISIS grabs city in....Libya 200 km from Europe

    source http://www.ibtimes.co.uk/black-flag-isis-raised-over-libyas-derna-just-200-miles-eu-coast-1475600

  • privacy commission was in 2013 against the use of the rijksregisternumber (national register number) as online identification

    a few cases were mentioned and they were resolved, but as we saw yesterday this is still the case with several Flemish websites, for example

  • privacy commission wanted in 2013 that rijksregisternumbers be secured online

    further in the letter they say that I give people bad ideas, but it is the amateurs setting up websites without security that should be weeded out or brought into line

    we are now more than one year later and the same situation just goes on, without any regard for the problems that arise if they lose a database with your rijksregisternumber

  • maybe nobody has bought Rex Mundi's Belgian database yet (with Bitcoins, that is)

    you can follow that publicly (and with more private tools :)

    those who think that bitcoins are private and anonymous don't understand bitcoins and all the very interesting metadata that goes with them

    also there are sometimes major security problems and information leaks with the exchanges, with the protocol and with the bitcoins themselves

    even the IP address of every transaction (so you need a proxy and/or VPN before you go on a Tor relay (only one with lots of traffic and everything else closed down and updated, and an updated Tor browser))

    if he wants to sell and earn some money he will have to do it differently - but then you may have the same thing happening as with many amateur darkweb sellers who are getting caught (you never know who is in front of you)

    your fast underground buck may not necessarily bring you luck and may get stuck (hihi)

    [image: rexmunidbitcoin.PNG]