due to lawyers no more links to leaks here
security managers and all that kind of blablablabla stuff is make-believe security, trying hard to make you believe that somebody is busy with security because somebody is talking about it
that is what happened at Sony
too many managers talking
no people actually doing things
and this after a history of defacements, leaks and hacks which are summed up here http://attrition.org/security/rant/sony_aka_sownage.html
BIPT and other ISP regulators will have to oblige ISPs to put their gaming infrastructure far away from the rest
this means that in the ddos battle against game servers (now going up to 400 Gbps attacks) ISPs should get their gaming infrastructure and services as far away as possible from any other service or infrastructure, because whatever you do, when your network is attacked with that volume everything connected to or going through the same pipes will be impacted
Telia is not a small ISP and it has 5 million customers that were impacted during the attack against one game server
this is an example and the BIPT will have to look at this in Belgium
Telenet has a gaming site and forum that has already been attacked and hacked - is it ready to resist a 400 Gbps ddos attack ?
source (where there is more) http://globalvoicesonline.org/2014/12/10/russias-anonymous-international-promises-new-wave-of-leaks/
here is a form with contact information
but it also depends on what is in your cv, which you can also send - without any protection that is
on the other hand these are full profiles, because there is also a picture with the cv and so on
and as the logins aren't protected, you could in theory extend that with other information
and if the same person used the same password for other things - like email or shopping - then it is a bigger problem (but not sure whether RexMundi has those logins or just sql injected these forms)
but it gets better - without any ssl protection - that is, in cleartext
first we have this response in ssllabs.com
to make a long story short : NO SSL protection, no encryption, everything in cleartext, also your passwords and logins
and then we get this
they have to follow a course in cybersecurity because without cybersecurity you don't have security at all (just as cybersecurity without physical security is just as insecure)
when you have to create your online account with tobasco to be able to compete for a job, then you have to fill in a form without any SSL protection, as we have seen in the previous post
well it gets even better and that is because it is STUPID STUPID STUPID
instead of just asking for your email address and another identifier, you have to fill in all your personal details ONLINE without any SSL protection, instead of completing your profile once you have logged in
and instead of emptying the database each time somebody has made his or her account, so that the data goes behind the 'closed extranet', it stays public and online (it is good practice to empty the public data from your online database and migrate it every x hours to a private, protected database, so that the impact of a breach will be minimal)
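As an added illustration of that migration job (my own sketch, not code from the original post or from any of the companies named here): a Python routine that moves submitted applications from the internet-facing database into a private one in batches, and deletes from the public side only after the private insert has committed, so a crash in between leaves a harmless duplicate rather than a lost application. The databases, table layout and sample rows are constructed assumptions.

```python
import sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS applications (
    id INTEGER PRIMARY KEY, email TEXT, national_number TEXT, cv BLOB, submitted_at TEXT)"""

def migrate_applications(public, private, batch=500):
    """Move up to `batch` applications from the internet-facing database to the
    private one. The private INSERT commits first; the public DELETE runs only
    afterwards, so an interruption leaves a duplicate (harmless: INSERT OR IGNORE
    on the primary key) rather than a lost application. Returns rows moved."""
    rows = public.execute(
        "SELECT id, email, national_number, cv, submitted_at "
        "FROM applications ORDER BY id LIMIT ?", (batch,)).fetchall()
    if not rows:
        return 0
    with private:   # transaction: all-or-nothing on the protected side
        private.executemany(
            "INSERT OR IGNORE INTO applications VALUES (?, ?, ?, ?, ?)", rows)
    with public:    # only now empty the exposed copy
        public.executemany("DELETE FROM applications WHERE id = ?",
                           [(r[0],) for r in rows])
    return len(rows)

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM applications").fetchone()[0]

def demo():
    """Constructed scenario: three candidates register on the public site, the
    job runs twice with a small batch, and the public database ends up empty."""
    public, private = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    for c in (public, private):
        c.execute(SCHEMA)
    with public:   # fake national numbers and cv blobs, constructed for the demo
        public.executemany("INSERT INTO applications VALUES (NULL, ?, ?, ?, ?)", [
            ("a@example.invalid", "00.00.00-000.01", b"%PDF-cv-a", "2014-12-10T09:00Z"),
            ("b@example.invalid", "00.00.00-000.02", b"%PDF-cv-b", "2014-12-10T09:05Z"),
            ("c@example.invalid", "00.00.00-000.03", b"%PDF-cv-c", "2014-12-10T09:07Z"),
        ])
    moved = migrate_applications(public, private, batch=2)
    moved += migrate_applications(public, private, batch=2)
    return moved, row_count(public), row_count(private)

if __name__ == "__main__":
    print(demo())  # (3, 0, 3)
```

In production the same routine would run from a scheduled job against the real public and private connections; the public database then only ever holds what arrived since the last run.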
and this is only part of the data of the form
well it is spicy all right
First they have a logon to a secure space but it has NO ENCRYPTION (SSL) at all, so if this one is breached all the information (logins and passwords) is in CLEARTEXT (just download it)
and this is another public form (with everything in cleartext)
some forms or documents seem to have gone meanwhile
but the best is yet to come ........
if they want all that information they should
* protect it behind locked-down web services hidden behind logins with two-factor authentication
if they can't give you that security
you should refuse to fill it in or fill in numbers that are only partly correct (the known digits are your birthday and whether you are a boy or a girl, all the rest you can fake)
just refuse it or fake it - that will teach them
and in fact institutions and organisations that ask for information online should ask for as little as is strictly necessary if they can't give you a secured environment behind a locked-down extranet with two-factor or hard registration (and not with the full explanation online of how to do that, like the army did with its extranet for Human Resources)
it is in your power to refuse, because they have no legal or other basis to ask you for that number, none, and surely not if they can't secure it
please do not publish the national registry numbers, they are the UID of every Belgian
and the only victims of you publishing this are the victims, who will be victimized again, not because you have published emails and telephone numbers and so on, but because you have also published the unique number they can't change and that will be their UID for the rest of their lives
and this is the only GOOD thing you can do - it is nearly christmas, right ?
it is only one column and won't make a difference to the leak, but it will make a world of difference to all the people involved - the simple people that is
nobody else in Belgium cares if you publish these numbers - the privacy commission doesn't want to ask the online web services to stop asking for them, and the online web services themselves are just thinking of amassing all the information they can without any more security controls
I could ask you not to publish the information but that is something impossible to ask - not publishing the national registry number from the database is something you can do and
something that you have already done before - not publishing the national registry number because we asked you
if nobody in Belgium cares about the use and security of that number, except me harassing the privacy commission and some online web services about it for years with not much effect I would say - then we could at least do one thing good
that is not to say that I agree with your methods or your criminal enterprise - but you knew that already
due to legal threats we can't give the source of the information - if you are smart you will find it yourself
the sum they ask is now 5000 Euro - so neither the enormous bitcoin sum nor letting the curious pay some small amount in bitcoin cents seems to have worked
this is back to the beginning for Rex Mundi
we were already sending alerts through different channels but to no avail - everyone thinks that they won't be next - so if your security is so lax that you leave sql injections and other security mistakes in place, why in the hell do you think that you won't be next - do you have a guardian angel or something ?
you are just a url in a database and an application that will test your defenses
there is nothing more to it
for all those not understanding this blog and jumping to conclusions
* I am not Rex Mundi and I have no links to Rex Mundi
* I do not hack nor do anything that is not strictly within the law
* and if I didn't try to make people aware of the dangers with this blog and by setting up an open intelligence network, then it would be much worse still
and they have understood what Putin has said from the beginning
it is about (anti)tanks - not airplanes or long-distance missiles - but tanks and troops
so what do you buy to defend against such an enemy ?
All US tanks left the European continent in 2013, although there are plans to send some back soon, or to lease them to the frontier states in the east
in this tweet you see how many Russian troops there are in Kaliningrad, next to Lithuania - also re-arming themselves, while the US is starting to send some troops and planes
the situation has become more nervous in the Baltic region over the last week as NATO has seen various Russian troop movements in Kaliningrad and along the Baltic states, increasing the tension
it is still a plan and a project but it shows what mobile routers will look like in the future
because this is what Sony is doing - some call it offensive security
"The former Soviet Union president further said Russia had experienced difficult times after the Soviet Union's collapse and the U.S. had taken advantage of it. Gorbachev said but today was different because Russia is well-armed. He mentioned that it was good to see Russian President Vladimir Putin taking care of security, strengthening the military and developing weapons. He has no doubt that if anything happens, Russia can "hit back." http://au.ibtimes.com/articles/574603/20141202/russia-gor...
not much different from what Putin is saying
maybe he is afraid for his status and his pension in this virtual democracy in Russia (it seems to be there, but it isn't, like with a virtual environment: you only have to pull the cable out to end it all)
"The hackers said the email boxes belong to Steve Mosko, president of Sony Pictures Television, and Amy Pascal, co-chairman of Sony Pictures Entertainment.
The Microsoft Outlook mailbox files run to several gigabytes and apparently contain thousands of messages sent to and by both executives over several months.
A handful of the emails, seen by IDG News Service, appear to include discussions between company executives, lists of phone messages that include contact details for executives at other companies, business information, and personal messages to family members http://www.computerworld.com/article/2857272/legal/hacker...
There is nothing as critical as a mailbox of an engineer or of business management
but they hardly ever get two-factor authentication, password or encryption protection, or, say, automatic archiving to another protected environment when a mail is put in, for example, a folder 'secure archive'
this is what I personally think : if one puts a mail in a folder 'secure archive', the exchange server takes it once a day and puts it in an archived but secured mailbox that the owner can only access online, and only if he uses specific procedures (possibly a password, specific hardware or a decryption key and so on....)
so no more old mails that are lost during a hack or leak
and for the mails of today - one should use the same protection as for important files. Sometimes files are secret on the server and hard to reach but are sent around in mailboxes as if they were candy
"The new Windows will also offer a unified user experience across all devices, from PCs to tablets to phones. Microsoft drew closer to that with Windows 8, but Windows 10 will complete the vision. The new OS will also offer a universal platform for developers to deploy apps. That's something even Apple lacks, as its Macs, iPhones, and iPads all operate on different -- albeit similar, in the case of the phones and tablets -- operating systems.
Offering a universal experience in which a phone app closely resembles its tablet and PC counterparts should provide a seamless experience for Windows users as they switch between devices. This will actually expand beyond phones, tablets, and PCs: Nadella said he expects Windows 10 to power even "the smallest Internet of Things devices," offering the same experience across the board. http://www.fool.com/investing/general/2014/12/09/microsof...
now read this from a security point of view
you can have in your network the same patching, logging, antivirus and other controls for whatever tool the person is using (desktop, server, laptop, tablet, phone) as long as it runs windows 10
imagine that: collecting your logs from all the different tools, putting them in one database and being able to follow the attack on a pc, the penetration of the user's phone and the extraction of his address book, and then the attack on someone else in the office or on a server ....
imagine having one antivirus, one patch management, one application or software management for all your tools
it is not only developers and programmers who may be able to re-use more or less the same code for apps on tablets that become software on desktops or server-based applications on servers; in the first place it makes it possible for the security industry to now make a real platform for the platform, one that will give network and security administrators the possibility to cover their whole network, whatever the tool or the location, with the same security solution as long as it works on windows 10
this change is as big as the famous memo by Bill Gates about security, because it changes security in networks fundamentally, from a fragmented, always-too-late solution to a global solution that, after the migration and the knowledge management, can start to think more preventively and prevent attacks from taking place instead of trying to stop or correct them
of course there will be new holes, new strategies and new mistakes, but that won't offset this revolution, which is now only theoretical but - if the security industry has any vision left beyond its immediate sales vision - also practical. If they don't, then I think that Microsoft will develop and integrate its own solutions for its platform, and then you will have all those short-sighted no-risk-takers cry to the European Union and the US administration about a new monopoly and so on. If they want to be ready for this revolution - and help make our digital world much safer than it will ever be possible to make it today - they should start today
just as the Mozilla browser crashed when Microsoft put all of its intelligence and power behind IE - now much less attractive than at the time - and the linux desktop that was going to replace windows crashed when windows 7 came, it may be a time of adapt or crash for the too-fragmented security industry
the future is in an overview of everything digital in your network or enterprise, and that overview platform is in the making, and it is not the totally fragmented unix market or the confusing Apple market or the even more individualized android market
imagine, whatever phone, tablet or desktop you take, you have the same stringent security that can be updated anywhere, anytime, anyhow
this is also a new security service opportunity for ISPs and other operators