No trust without independent control - Page 5

  • and to end 2014 the most hacked belgian server ever ..... hacked again (no joke)

    even with IIS7.5 they can't secure their server

    but there are some other websites on that server that are also hacked from time to time

  • #rexmundi this is why web developers should have a security certificate (for starters)

    the installation itself should also be certified

    never sign a contract or renew it with a firm that doesn't have it or doesn't use a security company to review its code and its architecture

    these two sites have very obvious, stupid security defaults and they are in fact lucky that Rex Mundi didn't take more time and didn't hack them Sony-wise

    for z-staffing it means that all passwords will have to be blocked and changed and that people will have to change the passwords everywhere else they have used them

    Z-staffing and tobasco should inform their victims

  • #sonyhack more information about the wipeware that was used

    source (with more technical information)

  • hacked and leaked (also belgians)

    due to lawyers no more links to leaks here

  • #sonyhack if you don't spend money on security, you don't have security

    security managers and all that kind of blablabla stuff is make-believe security, meant to make you believe that somebody is busy with security because somebody is talking about it

    that is what happened at Sony

    too many managers talking

    no people actually doing things


    and this after a history of defacements, leaks and hacks which are summed up here

  • BIPT and other ISP regulators will have to oblige ISPs to put their gaming infrastructure far away from the rest

    it means that in the ddos battle against game servers (now going up to 400 Gbps attacks) ISPs should get their gaming infrastructure and services as far away as possible from any other service or infrastructure, because whatever you do, when your network is attacked with that volume then everything connected to or going through the same pipes will be impacted

    Telia is not a small ISP and it has 5 million customers that were impacted during the attack against one gaming server

    this is an example and the BIPT will have to look at this in Belgium

    Telenet has a gaming site and forum that has already been attacked and hacked - are they ready to resist a 400 Gbps ddos attack?

  • #Anonymous leaks picture of money stash for Putin-friendly Russian youth organisation

    source (where there is more)

  • #rexmundi this is the public information that could have been leaked

    here is a form with contact information

    but it also depends on what is in the cv that you can send as well - without any protection, that is

    on the other side these are full profiles, because there is also a picture with the cv and so on

    and as the logins aren't protected, you could in theory extend that with other information

    and if the same person used the same password for other things - like email or shopping - then it is a bigger problem (but it is not sure whether Rex Mundi has those logins or just SQL-injected these forms)

    but it gets better - without any ssl protection - that is, in cleartext


  • #rexmundi their ssl certificate is soooo strange

    first we have this response in

    to make a long story short: NO SSL protection, no encryption, everything in cleartext, also your passwords and logins

    and then we get this

  • #rexmundi hacked and leaked but claims security as its trademark - HAHAHA

    they have to follow a course in cybersecurity because without cybersecurity you don't have security at all (just as cybersecurity without physical security is just as insecure)

  • #rexmundi the data leak came from here - so STUPID STUPID STUPID

    when you have to make your online account with tobasco to be able to compete for a job, you have to fill in a form without any SSL protection, as we have seen in the previous post

    well, it gets even better, and that is because it is STUPID STUPID STUPID

    instead of just asking for your email address and another identifier, you have to fill in all your personal details ONLINE without any SSL protection, instead of making your profile once you have logged in - a login without any ssl protection either

    and instead of emptying the database each time somebody has made his or her account, so that the data goes behind the 'closed extranet', it stays public and online (it is a good practice to empty your online public data from your database and migrate it every x hours to a private protected database, so that the impact during a breach will be very minimal)

    and this is only part of the data of the form
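    the migration practice described above (sweep freshly submitted records out of the internet-facing database into a protected one) as an added illustration; this is not the agencies' code, and the table layout and the two SQLite databases are assumptions made for the example:

```python
import sqlite3

# The agencies' real schema is unknown; this table is an assumption for the
# example.  AUTOINCREMENT matters: it stops SQLite from re-using the id of a
# row deleted after migration, so a retried batch can never be silently
# IGNOREd on the private side and lose a record.
SCHEMA = """CREATE TABLE IF NOT EXISTS applications (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT, phone TEXT, cv BLOB, submitted_at TEXT)"""


def open_db(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def migrate_applications(public_db, private_db, batch=500):
    """Move every row from the internet-facing database into the protected
    one and return how many rows were moved.  The private insert is committed
    before the public delete, so a crash between the two leaves a duplicate
    (harmless: the next run's INSERT OR IGNORE skips it), never a lost CV."""
    moved = 0
    while True:
        rows = public_db.execute(
            "SELECT id, email, phone, cv, submitted_at FROM applications "
            "ORDER BY id LIMIT ?", (batch,)).fetchall()
        if not rows:
            return moved
        with private_db:  # one transaction: the whole batch or nothing
            private_db.executemany(
                "INSERT OR IGNORE INTO applications VALUES (?, ?, ?, ?, ?)", rows)
        with public_db:   # only now is the exposed copy dropped
            public_db.executemany(
                "DELETE FROM applications WHERE id = ?", [(r[0],) for r in rows])
        moved += len(rows)


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM applications").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample data standing in for two public form submissions.
    public, private = open_db(":memory:"), open_db(":memory:")
    with public:
        public.executemany(
            "INSERT INTO applications (email, phone, cv, submitted_at) VALUES (?,?,?,?)",
            [("a@example.invalid", "+32 2 000 00 00", b"cv-a", "2014-12-20T10:00"),
             ("b@example.invalid", "+32 2 000 00 01", b"cv-b", "2014-12-20T10:05")])
    print(migrate_applications(public, private), "rows moved;",
          row_count(public), "left exposed")
```

    run it from cron every x hours; what a breach of the public database can yield is then at most one interval of submissions.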

  • spicy belgian online temp office hacked and leaked by #rex mundi

    well, it is spicy all right


    First they have a logon to a secure space but it has NO ENCRYPTION (SSL) at all, so if this one is breached all the information (logins and passwords) is in CLEARTEXT (just downloading)

    and this is another public form (with everything in cleartext)

    some forms or documents seem to have gone meanwhile

    but the best is yet to come ........
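    a small check for exactly the problem shown in this post and the previous one (login and application forms that send credentials or personal data without SSL), added here as an example and not part of the original post; the sample page and the site name are constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types (and a name pattern) that carry credentials or personal data.
SENSITIVE_TYPES = {"password", "email", "tel", "file"}


class FormCollector(HTMLParser):
    """Collect every <form>: its resolved action URL and its sensitive inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A relative action inherits the page's scheme: resolve it first.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind, name = a.get("type", "text").lower(), a.get("name", "")
            if kind in SENSITIVE_TYPES or "pass" in name.lower():
                self._form["fields"].append(name or kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def cleartext_forms(page_url, html):
    """Action URLs of forms that collect sensitive data and would send it in
    cleartext: the action is not https, or the page itself was not served over
    https (then anyone on the path can rewrite the form's action anyway)."""
    parser = FormCollector(page_url)
    parser.feed(html)
    page_plain = urlsplit(page_url).scheme != "https"
    return [f["action"] for f in parser.forms
            if f["fields"] and (page_plain or urlsplit(f["action"]).scheme != "https")]


# Constructed sample page: a login form posting to plain http, a CV upload
# form with a relative action, and a harmless search box.
SAMPLE_URL = "https://jobs.example.invalid/login"
SAMPLE_HTML = """
<form action="http://jobs.example.invalid/login.php" method="post">
  <input name="user"><input type="password" name="pwd"></form>
<form action="/apply" method="post" enctype="multipart/form-data">
  <input type="email" name="email"><input type="file" name="cv"></form>
<form action="/search"><input name="q"></form>"""
print(cleartext_forms(SAMPLE_URL, SAMPLE_HTML))  # flags only login.php
```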


  • Refuse to fill in any national registry service number in Belgian web services, period

    if they want all that information they should

    * protect it behind locked-down web services hidden behind logins with double authentication

    if they can't give you that security

    you should refuse to fill it in, or fill in numbers that are partly correct (the known numbers are your birthday and whether you are a boy or a girl; all the rest you can fake)

    just refuse it or fake it - that will teach them

    and in fact institutions and organisations that ask for information online should ask for as little as strictly necessary if they can't give you a secured environment behind a locked-down extranet with double or hard registration (and not with the full explanation online of how to do that, like the army did with its extranet for Human Resources)

    it is in your power to refuse, because they have no legal or other basis to ask you for that number, none, and surely not if they can't secure it

  • we would ask one thing from #Rex Mundi - one thing only - don't publish the national registry

    do not publish the national registry numbers please they are the UID of every belgian

    and the only victims of you publishing this are the victims, which will already be victimized again, and not because you have published emails and telephone numbers and so on, but because you have also published the unique number they can't change and that will be their UID for the rest of their lives

    and this is the only GOOD thing you can do - it is nearly christmas, right?

    it is only one column and won't make the difference in the leak, but it will make a world of difference to all the people involved - the simple people, that is

    nobody else in Belgium cares if you publish these numbers - the privacy commission doesn't want to ask the online web services to stop asking for them, and the online web services themselves are just thinking of amassing all the possible information without any more security controls

    I could ask you not to publish the information, but that is something impossible to ask - not publishing the national registry number of the database is something you can do and

    something that you have already done before - not publishing the national registry number because we asked you

    if nobody in Belgium cares about the use and security of that number in Belgium, except me harassing the privacy commission and some online web services about it for years with not much effect, I would say - then we could do just one good thing

    that is not to say that I agree with your methods or your criminal enterprise - but that you knew already

  • #Rex Mundi hacks two Belgian online temporary work agencies, with 6000 files to come online

    due to legal threats we can't give the source of the information - if you are smart you will find it yourself

    the sum they ask is now 5000 Euro - so neither the enormous bitcoin sum nor the 'let the curious pay some small bitcoin cents' approach seems to have worked

    this is back to the beginning for Rex Mundi

    we were already sending alerts through different channels but to no avail - everyone thinks that they won't be next - so if your security is so lax that you leave sql injections and other security mistakes, why in the hell do you think that you won't be next - do you have a guardian angel or something?

    you are just a URL in a database and an application that will test your defenses

    there is nothing more to it

    for all those not understanding this blog and jumping to conclusions

    * I am not Rex Mundi and I have no links to Rex Mundi

    * I do not hack nor do anything that is not strictly within the law

    * and if I didn't try to make people aware of the dangers with this blog and by setting up an open intelligence network, then it would be even much worse

  • #ukraine the Baltic states start re-arming themselves for what is to come

    and they have understood what Putin has said from the beginning

    it is about (anti-)tanks - not airplanes or long-distance missiles - but tanks and troops

    so what do you buy to defend against such an enemy?

    All US tanks left the European continent in 2013, although there are plans to send some back soon, or they should lease them to the frontier states in the east

    in this tweet you see how many Russian troops there are in Kaliningrad next to Lithuania - also re-arming themselves - and the US starting to send some troops and planes

    the situation in the Baltic region has become more nervous over the last week, as NATO has seen different Russian troop movements in Kaliningrad and along the Baltic states, increasing the tension

  • is this the future of global mobile internet access ?


    it is still a plan and a project, but it shows what mobile routers will look like in the future