No trust without independent control - Page 8

  • US law enforcement is using an 18th-century law to oblige Apple and Google to decrypt your data for them

    "Now court documents have emerged showing just how far the Feds are willing to go to decrypt citizens' data.



    The paperwork has shown two cases where federal prosecutors have cited the All Writs Act – which was enacted in 1789 as part of the Judiciary Act – to force companies to decrypt information on gadgets.

    The Act, which was signed into law by none other than George Washington and later revised in the 20th century, gives the courts the right to...

    issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

    That's a pretty broad remit, but the Feds think it's just the thing to force Apple and others to break down privacy protections.

  • #sonyhack: 30,000 salaries of unnamed Deloitte consultants (2005) published

    If you take 11 terabytes of files from one of the biggest companies, you probably have a copy not only of the intranet and some mailboxes but also of a backup server, and then this is the kind of thing that happens.

    Expect future attacks to go after backup servers more often. Whether or not this dump came from one, a backup server is where you find the biggest collection of unencrypted files with the least protection.

  • #sonyhack: it is nearly official: North Korea hacked Sony in the US into destruction

    Yes, he has won against 'The Interview', a film that should never have been made and, once made, should never have been released. I salute you, hackers: you have shown what a small country like ours can do with so few cyber resources. It is the best example yet of the power of asymmetric warfare.

    Putin must be wondering whether he shouldn't pull his tanks back from Ukraine and just start a permanent cyberwar instead. It costs less, and it is very difficult to point the finger at him.

    But do not underestimate them.

    And read this report as well.

  • update 2: the Walloon government portal has some serious security leaks (defaced page)

    If you can add an image, you can add code (malware), spyware, a redirect or a popup. In itself this is not enormous, but it is a signal that something is wrong.

    What is more, it wasn't even noticed, which is even more alarming because it means you can do these things without being noticed. It wasn't noticed by the CERT or by any security service (undermanned and underpaid).

    Oh, and it isn't the first time that parts of the portal have been defaced, which shows that there are too many parts to manage and too few people and resources to do it securely.

    Click on the link for more information.

    Oh, and just a reminder: there is a free alerting service for your domain, and running such a service for all the .be domains would cost about 600 euro, but the money for that was never found (they prefer spending thousands of euros on papers and studies).

    We have found the reason why: it is an old server and nobody looks at it.

    But they have made a very stupid mistake. If a site no longer exists, you make a redirect in your DNS server and you take down everything that is old and no longer maintained on that server, so you don't get defacements and other attacks. Because even if this subdomain is old, I am not sure it isn't connected to the new servers, since it sits in the same master domain.

    But that domain itself isn't that old and has hundreds of other subdomains, with logins and so on.

    So this is a very strange page to deface.

    And the hack becomes important again because the upload was on the main page, that is, the main page of the hundreds of subdomains under the subdomain spw.

    It looks like the chain got broken somewhere and somebody will have to fix it, FAST.

    One question, for example, is why there need to be so many different login systems when they are all made in the same domain. I have the impression that this is beginning to look like an impressionist painting in which you can no longer make out the figures.
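    As an added example (not from the original post and not the portal's own tooling), here is how the cleanup described above can be checked mechanically: parse a zone fragment, follow CNAMEs inside the zone, and list every subdomain that either dangles or points at a host nobody maintains, which is exactly the class of record that should be redirected or deleted. The zone, the addresses and the MAINTAINED_HOSTS inventory are constructed for the example; a real run would feed it the exported zone and the asset inventory.

```python
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed zone fragment (hypothetical names, not the real Walloon zone)
ZONE = """\
; example.be zone, trimmed
portal.example.be.        3600 IN A     192.0.2.10
login.example.be.         3600 IN CNAME portal.example.be.
old-intranet.example.be.  3600 IN A     192.0.2.20
legacy.example.be.        3600 IN CNAME retired-box.example.be.
"""

# Hosts somebody actually maintains, as an ip -> owner map (constructed)
MAINTAINED_HOSTS = {"192.0.2.10": "portal team"}


def parse_zone(text):
    """Minimal parser for 'name ttl IN type rdata' lines; comments start with ';'."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, _cls, rtype, rdata = line.split()
        records.append(Record(name, int(ttl), rtype, rdata))
    return records


def resolve(records, name, depth=0):
    """Follow CNAMEs inside the zone to an address; None if the chain dangles or loops."""
    if depth > 8:
        return None
    for r in records:
        if r.name != name:
            continue
        if r.rtype == "A":
            return r.rdata
        if r.rtype == "CNAME":
            return resolve(records, r.rdata, depth + 1)
    return None


def find_stale(records, maintained):
    """Map each subdomain that nobody maintains to the action to take."""
    findings = {}
    for r in records:
        ip = resolve(records, r.name)
        if ip is None:
            findings[r.name] = "dangling CNAME: delete it or point it at a maintained host"
        elif ip not in maintained:
            findings[r.name] = (f"points at {ip}, which nobody maintains: "
                                "retire the record or redirect it to the current portal")
    return findings


if __name__ == "__main__":
    for name, action in find_stale(parse_zone(ZONE), MAINTAINED_HOSTS).items():
        print(f"{name:28} {action}")
```

    The inventory is the important input: a record is only "fine" when the address it ends up at has an owner, so an old box that still answers but that nobody patches shows up just like a dangling name does.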

  • As SCADA developers refuse to sign their files, some think this is an alternative

    "A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.


    The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.


    “While participating in a few incident response engagements, I realized it’s fairly difficult to know what is a ‘legitimate’ ICS/SCADA file and what is not. Given the overwhelming majority of ICS/SCADA vendors refuse to sign their software, we’re stuck with determining whether files like ‘FTShell.dll’ or ‘WFCU.exe’ (both legitimate files btw) are really supposed to be there. With this problem in mind, I started a database of all the files I’ve seen on ICS/SCADA systems, so that others can compare notes,” Rios wrote in the FAQ for the site.

    Well, governments will need to oblige the developers to sign their code and make it possible to verify those signatures.

    Otherwise this makes no sense. What if this database gets hacked, penetrated or impersonated? It is an enormous honeypot.

    And even if you don't hack the database itself, you can compromise the server or any routing equipment in front of it, just to collect network and other details about the people responsible for those highly critical networks.

  • General attention points from the Iranian #Cleaver cyber campaign

    "The report also contains more than 150 indicators of compromise. In most cases, once Operation Cleaver has infiltrated an organization, it has deep access via Active Directory domain controllers and credentials and compromised VPN credentials. In most cases, they’re exploiting vulnerabilities in Windows, Adobe products, Apache, and Cisco VPNs, switches and routers. Its most successful campaigns via these avenues, Cylance said, have been against South Korean transportation networks, including airports and airlines. To date no zero day exploits have been found, Cylance said.


    "Cylance’s report also cautions that Operation Cleaver could have a special interest in airline and SCADA networks present in most critical industries. Overall, the campaign could be retaliation for Stuxnet, Duqu and Flame, Cylance said.


    “Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run,” Cylance said in its report. “This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.”

    First, there is still some hesitation to really attack the critical infrastructure of other countries.

    Second, the importance of Active Directory and its security is shown once again.

    Third, without two-factor authentication you have no really secure authentication.

    Read this 80-page report.

  • #sonyhack: DDoS attack against PC clients hosting Sony data on torrents

    "Multiple sources are reporting that the links to the torrents for the stolen Sony internal data were posted on Pastebin late Monday morning. Less than an hour after that post went live, the individual hosts that were sharing copies of the Sony data came under sustained denial-of-service attacks apparently aimed at keeping the files from being shared with other torrent users.

    If you know how P2P or BitTorrent works, you know that if you don't delete the torrent in your client after you have downloaded it, you are sharing it with the whole world. You are becoming a publisher, a website in fact.

    In this case it makes it enormously difficult for Sony to get the data off the web, but it seems that some operatives (hardly Sony itself, because this is illegal in some countries, even if you can't file a complaint because you are hosting stolen files) are using the DDoS weapon to slow down the computers of the sharers of their files and so limit the spread.

    This is an interesting development in the torrent world, because it can inspire others and because it will also have effects on routers and other equipment, not only at ISPs but at their customers. You can start a DDoS, but because of the nature of the internet you will never control all the fall-out of a DDoS attack.

  • #sonyhack: this is the only sure thing that detects the wiperware beacon (Snort)

    The advantage of having Snort on your network (or, if the network is too big, on its most important part) is that it can detect botnets and viruses before the signatures of your antivirus have been updated and distributed.

    For the moment there is no VirusTotal entry for the file, so there is no way of knowing whether your network was attacked with it.

    "“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.


    Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:


    alert tcp any any -> [,,] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)

    But make sure you understand it correctly: if that kind of traffic appears, you have to take the machine down immediately, because by the time the beacon goes out the malware has already started destroying the data on that disk, and there is absolutely no guarantee that you will be able to recover it.

    This is as important for your servers as for your desktops and laptops.
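    The rule above, rewritten as plain matching logic and run over constructed packets, as an added example that is not part of the original post or of the FBI alert. The destination addresses are documentation-range placeholders standing in for the list the alert elides ("[,,]"); everything else follows the rule's options: exact payload size (dsize:42), the four 0xff bytes searched only in the four bytes starting at offset 26 (offset:26; depth:4), and destination port 8080 or 8000.

```python
# Placeholders for the C2 addresses the published rule elides (constructed, TEST-NET-1)
C2_IPS = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}
C2_PORTS = {8080, 8000}
MARKER = b"\xff\xff\xff\xff"   # content:"|ff ff ff ff|"
MARKER_OFFSET = 26             # offset:26
MARKER_DEPTH = 4               # depth:4 -> only payload[26:30] is searched
EXPECTED_DSIZE = 42            # dsize:42 -> payload must be exactly 42 bytes


def matches_wiper_callout(dst_ip, dst_port, payload, c2_ips=C2_IPS):
    """True when a TCP payload satisfies every condition of the wiper_callout rule."""
    if dst_ip not in c2_ips or dst_port not in C2_PORTS:
        return False
    if len(payload) != EXPECTED_DSIZE:
        return False
    window = payload[MARKER_OFFSET:MARKER_OFFSET + MARKER_DEPTH]
    return MARKER in window


# Constructed sample traffic as (dst_ip, dst_port, payload) tuples
BEACON = bytes(26) + MARKER + bytes(12)   # 42 bytes, marker exactly at offset 26
SAMPLE_PACKETS = [
    ("192.0.2.1", 8080, BEACON),                         # true beacon
    ("192.0.2.1", 443, BEACON),                          # wrong port: not matched
    ("192.0.2.2", 8000, BEACON + b"\x00"),               # 43 bytes: dsize mismatch
    ("192.0.2.3", 8000, bytes(27) + MARKER + bytes(11)), # marker at 27, outside the depth window
    ("198.51.100.5", 8080, BEACON),                      # not one of the C2 addresses
    ("192.0.2.3", 8000, BEACON),                         # second true beacon
]


def scan(packets, c2_ips=C2_IPS):
    """Return the indices of the packets the rule would alert on."""
    return [i for i, (ip, port, data) in enumerate(packets)
            if matches_wiper_callout(ip, port, data, c2_ips)]


if __name__ == "__main__":
    for i in scan(SAMPLE_PACKETS):
        print(f"wiper_callout: packet {i} -> {SAMPLE_PACKETS[i][0]}:{SAMPLE_PACKETS[i][1]}")
```

    The fourth sample is the one to notice: the same four bytes one position later does not fire, because depth:4 from offset:26 bounds the search to exactly those four bytes. That is what keeps the rule from matching random 0xff runs elsewhere in a 42-byte payload.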

  • #sonyhack: a multi-strategy attack plan combining the best of everything

    There was a massive DDoS attack, but nobody is sure where it came from.

    There were infections through email attachments.

    There seems to have been some physical penetration.

    There seem to be some employees who helped the hackers.

    Before reading the quote, keep the following in mind before jumping to conclusions.

    If this comes from North Korea, then it is an intelligence operation.

    If it is an intelligence operation, then the operational methods of intelligence operations have to be taken into account.

    One of the most important aspects of this is hiding your sources, your methods and your identity.

    Secondly, if by feeding false information you can get an organisation to become totally paranoid and start investigating every possibility, and so lose its attention for the real sources, methods and for you, because it is investigating tens or hundreds of internal employees looking for the mole, then you have hit the organisation a second time, and this time big time, because it will go into purges and paranoia and even total disintegration (like MI5 when it was hunting for the fifth Russian spy, who was never found, if there ever was one).

    So here is the quote, but it can be just a diversion.

    I hope some of the people helping Sony have an intelligence background and are capable of playing the mind games the hackers seem to be playing.

    Nevertheless, physical security has to be integrated into the total security plan of your organisation, and people should not be able to wander freely around the building or offices (as is the case in some military headquarters.....).

    "In a statement to The Verge, 'Lena' referenced the need for equality once again, adding that Sony didn't want such a thing, and that it was "an upward battle."

    "Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in. Im sorry I can't say more, safety for our team is important [sic]," 'Lena' told The Verge.

    "If the claims are true, and the GOP had help from the inside in order to accomplish their aims, this is a disaster for Sony. It's one thing for an attacker to gain access from the outside; it's another when they can physically touch the environment.

    In the article the claim is that some disgruntled people from Sony helped the hackers because 'Lena' wanted more equality, which means that probably some female employees are really pissed off and were manipulated by the hackers (intelligence operatives) into lending them some information (without really knowing what the impact would be, and probably thinking it would be like another LulzSec attack). That is, if this is not a diversion.

    If you put one and one together, you are at disgruntled female employees with high-level credentials who can bring external people inside the building without being double-checked, and with access to the backups.

    If this is the case, then someone has taken a server or a number of terabytes of hard disks and copied them directly (at the high speed of the internal network and not through the firewall, which explains why they didn't see it). If this is the case, I repeat, to be sure.

    In such environments you have to work with the information you have and make some assumptions about the possible scenarios; sometimes you can eliminate some of them immediately, while others remain working scenarios for which you look for evidence to close them down as a dead end or keep them as plausible.

    If we start from a multi-strategy attack plan, it is even possible that the infection attacks are separate from the copying of the backups and the intranet, even if they seem to be done by the same group.

  • #sonyhack: medical and financial information of personnel leaked on Tor

    "another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data.

    Now, leaking on Tor makes it very hard to destroy the data online because it is being hosted on hundreds or thousands of computers.

    It is possible to contact people in several Western countries and make them destroy that data because of the legal issues with publicly sharing such data, but that can't be done for computers in other countries.

    You can also easily repackage the data in another file or make it a secret torrent that you only share on certain networks, which makes cleaning it up very difficult.

    This means that there is nothing else to do than to consider it definitively lost, that the persons concerned will have to get new numbers, new accounts and so on, and that the cost of this has to be borne by Sony.

    It is clear that it is the hackers' intent to hurt and eventually destroy Sony, which can do little to stop the leaking and its disastrous effects.

    As so much information has been copied, Sony will have to consider all internal information compromised and will have to take these measures for all its employees who had any kind of information on the affected networks and installations.

    This distinction hasn't been made by the Belgian privacy commission in its guidelines of January 2013 about data leaks, and I am not sure that the European directive makes this distinction either.

  • #sonyhack : more internal documents published

    "In the documents viewed by Salted Hash, the sales items were for airing rights to various shows such as Dr. Oz, Judge Hatchett, Outer Limits, and Stargate, SG-1. The documents also disclose details related to syndication rights for sitcoms such as King of Queens, Seinfeld, and Rules of Engagement.

    While internal sales data is bad enough, the data dump has the ability to make Sony's situation worse.

    It includes an internal phone list and organizational chart, complete with names, titles, departments, phone extensions (with outside line dialing information) and cellular phone numbers. The phone list was created in 2009, but it covers the company sales teams in Los Angeles, Atlanta, Chicago, and New York.

    The first package is only 25 GB, out of the 11 terabytes that were claimed at first.

    Now they claim to have more than 100 terabytes and say they will continue to publish information.

    But the files are old, which means they probably also got hold of backup servers. That is interesting because those are not always (in fact very rarely) encrypted and access to them is not always controlled that strictly. It also explains why so much information could leave the company: a big file transfer is totally normal in a backup process.

    * hey Jan, what is this enormous surge in data traffic?

    * oh, it is the backup process

    * do we do a backup now?

    * don't know, have to ask the backup people, they change the backup schedule all the time

    * okay, let's go on to the next incident, attack, malware
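    The conversation above is the failure mode. As an added example (not from the original post), here is the minimal detection logic that avoids it: backup targets are declared explicitly, traffic to them is set aside, and everything else is compared with the host's own history, so a backup-sized transfer to an address that is not a backup server stands out instead of being waved through as "the backup". The flow records, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily flow summaries: (day, source_host, destination_ip, bytes_out).
# 10.0.5.20 plays the backup server, 198.51.100.10 ordinary outbound traffic,
# 203.0.113.7 the outside address the data actually leaves to.
BACKUP_TARGETS = {"10.0.5.20"}
FLOWS = [
    (1, "fs01", "198.51.100.10", 40_000_000), (1, "fs01", "10.0.5.20", 2_000_000_000_000),
    (2, "fs01", "198.51.100.10", 55_000_000),
    (3, "fs01", "198.51.100.10", 48_000_000),
    (4, "fs01", "198.51.100.10", 52_000_000), (4, "fs01", "10.0.5.20", 2_100_000_000_000),
    (5, "fs01", "198.51.100.10", 45_000_000),
    (6, "fs01", "198.51.100.10", 60_000_000),
    (7, "fs01", "198.51.100.10", 50_000_000), (7, "fs01", "10.0.5.20", 1_900_000_000_000),
    (8, "fs01", "198.51.100.10", 50_000_000),
    (8, "fs01", "203.0.113.7", 900_000_000_000),   # backup-sized, but not to the backup server
    (8, "fs01", "10.0.5.20", 2_000_000_000_000),   # a genuine backup on the same day
    (1, "ws42", "198.51.100.10", 1_000_000), (2, "ws42", "198.51.100.10", 1_200_000),
    (3, "ws42", "198.51.100.10", 900_000),   (4, "ws42", "198.51.100.10", 500_000),
]


def flag_unusual_egress(flows, backup_targets, factor=3.0, floor=1_000_000_000, min_history=3):
    """Per host, alert on a day whose non-backup egress exceeds mean + factor*stdev of its
    earlier days (and an absolute floor so tiny hosts do not alert on noise)."""
    per_day = defaultdict(lambda: defaultdict(int))   # host -> day -> non-backup bytes
    top_dst = {}                                        # (host, day) -> (dst, bytes)
    for day, host, dst, nbytes in flows:
        if dst in backup_targets:
            continue   # scheduled backups are expected to be huge; keep them out of the baseline
        per_day[host][day] += nbytes
        if nbytes > top_dst.get((host, day), ("", 0))[1]:
            top_dst[(host, day)] = (dst, nbytes)

    alerts = []
    for host, days in per_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue
            threshold = max(floor, mean(history) + factor * pstdev(history))
            if days[day] > threshold:
                dst, _ = top_dst[(host, day)]
                alerts.append({"host": host, "day": day, "bytes": days[day],
                               "threshold": int(threshold), "top_destination": dst})
    return alerts


if __name__ == "__main__":
    for a in flag_unusual_egress(FLOWS, BACKUP_TARGETS):
        print(f"day {a['day']}: {a['host']} sent {a['bytes']:,} bytes "
              f"(threshold {a['threshold']:,}), mostly to {a['top_destination']}")
```

    The point is the `continue` on backup targets: if backup traffic is mixed into the baseline, the standard deviation becomes so large that nothing else ever crosses it, which is the automated version of "oh, it is the backup process".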

  • #sonyhack: how the North Koreans deny the hack with newspeak that shows they did it

    "Reacting to the news that North Korea is behind the attacks, a person claiming to represent GOP told Salted Hash:

    "We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.

    "Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.

    "The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures."

    If you read it, you will see that these are typical propaganda newspeak tactics.

    The action is not against the film because the film is against North Korea, but because it harms regional peace: the dictator in North Korea is so mad about the film that he is capable of anything (meaning that more attacks and even military incidents can be expected), and so the film harms regional peace, and for this reason it shouldn't have been made, because it angers the great dictator. Sony should only have made films that the great dictator likes personally, so he doesn't get so mad that he turns his anger into a destructive attack, cyber or military.

    So we can expect more such attacks, military incidents and threats from the Great Dictator in the coming weeks.

    The only question is how the Chinese will respond, or whether they will try to calm it down.

    On the other side, don't be surprised if the film gets only a limited distribution, only in specialised festivals and so on, and if the pay channels don't put it in their libraries.

    By the same reasoning we shouldn't have made any film about Hitler and the Nazis because we would be afraid of his reaction, and the same about Ukraine (even though we hold the same discourse to the Ukrainian people all the time, that they shouldn't anger Putin and should try to negotiate something with him instead of resisting).

  • #sonyhack: it came by mail (and why don't we sandbox email attachments?)

    "Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware – called a wiper in some circles – will initiate a beacon and phone home.

    The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand or Poland, and connects to them on either port 8080 or 8000. The malware will attempt to make connections every 10 minutes to each of the IPs. If that fails, a two-hour sleep command is issued, after which the computer is shut down and rebooted.

    The memo warns that once the beacons start, the process of wiping the files has begun

    This is like most of the APT attacks that are described as very 'professional attacks with code only available to... blablabla'.

    But if you follow the same logical examination as any forensic investigation and ask how the file got onto the PC (even before asking how it is possible that those workstations have so many administrative rights and so little protection behind that so-called firewall and other security walls),

    then the answer is in most cases the same:

    "it came as an attachment in the mail" or "as a download from a link in the mail".

    But why do we accept that these attachments are downloaded and placed on our computers or internal networks? Why don't we put them on a sandboxed server (with no connection to the internet or even the intranet) where people can open them, read them and, if needed, sanitize them before placing them on a server in the network, a server you can secure much harder than the rest (for example, no network connections for files)?

    Ideally you should be able to have those files analyzed every so many days by a number of antivirus and antimalware products and block all those that raise suspicion.

    This would be the cheapest solution, and it would in fact be very easy to set up and add to your mail server and network.
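    One way to implement the detach-and-quarantine step described above, as an added example and not code from the original post: every attachment is pulled out of the message and replaced with a note carrying the file's name, type, size and SHA-256 (the hash is what the periodic multi-engine scan keys on), files with executable extensions are held regardless of what the scanners say, and only the stripped message continues to the mailbox. The sample message and the EXECUTABLE_EXT list are constructed for the example; the quarantined bytes would be written to the isolated viewing server in a real deployment.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that never get released to the desktop, scanned or not (constructed list)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".jar")


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_mail():
    """Constructed lure: a 'salary review' with a screensaver executable and a PDF attached."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "jan@example.com"
    msg["Subject"] = "Salary review - please check the attached"
    msg.set_content("Hi Jan,\n\nthe figures for your review are attached.\n")
    msg.add_attachment(b"MZ\x90\x00constructed-executable-bytes", maintype="application",
                       subtype="octet-stream", filename="review.scr")
    msg.add_attachment(b"%PDF-1.4 constructed document", maintype="application",
                       subtype="pdf", filename="review.pdf")
    return msg.as_bytes()


def quarantine_attachments(raw):
    """Detach every attachment; return (stripped message, list of quarantined items)."""
    msg = message_from_bytes(raw, policy=policy.default)
    quarantined = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):                      # text attachments come back as str
            data = data.encode(part.get_content_charset() or "utf-8")
        name = part.get_filename() or "unnamed"
        hold = name.lower().endswith(EXECUTABLE_EXT)
        quarantined.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256hex(data),
            "disposition": "hold-executable" if hold else "scan-then-release",
            "data": data,                              # goes to the isolated viewing server
        })

    clean = EmailMessage()                             # what the user's mailbox receives
    for header in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            clean[header] = str(msg[header])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    notes = [f"[attachment quarantined] {q['filename']} ({q['content_type']}, {q['size']} bytes, "
             f"sha256 {q['sha256']}, {q['disposition']}): open it on the isolated viewing server"
             for q in quarantined]
    clean.set_content(text + "\n" + "\n".join(notes) + "\n")
    return clean, quarantined


if __name__ == "__main__":
    stripped, items = quarantine_attachments(build_sample_mail())
    print(stripped.get_content())
    for item in items:
        print(item["disposition"], item["filename"], item["sha256"])
```

    Note that the user still sees what was sent and to whom, so the mail stays usable; only the bytes that could execute are kept off the workstation and out of the file shares.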

  • #sony attack: the destructive wiperware and more information coming out (links)

    It is impossible to say who protects against the file, because VirusTotal gives no answer, neither on the MD5 nor on the filename.

    Maybe this is done at the request of the FBI, to make it impossible for the attacker to discover which networks can be attacked easily because their antivirus isn't up to date yet (even if, in the other cases, a VirusTotal detection doesn't mean that all the antivirus installations on all the machines in a network have updated signatures and protections).

    It is also clear that this virus is generic: it isn't built for a specific machine, model or version, it just attacks all the boot processes. That makes it much harder to protect against and much more dangerous once it is inside your environment (if it had been written for a specific machine, you could work out how many more of such machines you had, where they were located and what the risk of each was, and concentrate immediately on those of most value to the organisation, business or network).

    File: igfxtrayex.exe
    Size: 249856 bytes (244.0 KB)
    MD5: 760c35a80d758f032d02cf4db12d3e55
    PE Compile Time: 2014-11-24 04:11:08
    Language pack of resource section: Korean

    Normally the name of the software would have let it pass through process controls.

    igfxtray.exe is a process that gives access to the Intel Graphics configuration and diagnostic application for the Intel 810 series graphics chipset. It is a non-essential system process, installed for ease of use via the desktop tray. The wiper's igfxtrayex.exe differs from that legitimate name by only two letters.
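    As an added example serving both the WhiteScope discussion earlier on this page and the igfxtrayex.exe look-alike here, and not code from WhiteScope, the FBI alert or the original post: the consumer pins the digest of the known-good database, obtained out of band, and refuses a copy that doesn't match it (the "what if the database gets hacked or impersonated" objection), then classifies a file first by a known-bad hash, then by a known-good hash, and, if the hash is unknown, flags names that closely resemble a vendor file. The vendor file contents are constructed stand-ins; the only real value is the MD5 quoted in the indicator block above.

```python
import difflib
import hashlib
import hmac
import json

# Constructed stand-ins for vendor binaries (the real file contents are not on the page)
VENDOR_FILES = {
    "FTShell.dll":  b"MZ\x90\x00constructed-rockwell-shell-library",
    "WFCU.exe":     b"MZ\x90\x00constructed-wonderware-utility",
    "igfxtray.exe": b"MZ\x90\x00constructed-intel-graphics-tray",
}

# Known-bad MD5 from the indicator block above (the only hash the page gives)
KNOWN_BAD_MD5 = {
    "760c35a80d758f032d02cf4db12d3e55": "igfxtrayex.exe wiper sample",
}


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


def publish_db(files):
    """Publisher side: build the name -> [sha256] map and the digest to hand out separately."""
    db = {}
    for name, data in files.items():
        db.setdefault(name, []).append(sha256hex(data))
    blob = json.dumps(db, sort_keys=True).encode()
    return blob, sha256hex(blob)


def load_db(blob, pinned_digest):
    """Consumer side: refuse a database that does not match the digest obtained out of band."""
    if not hmac.compare_digest(sha256hex(blob), pinned_digest):
        raise ValueError("known-good database does not match the pinned digest; not using it")
    return json.loads(blob)


def classify(name, data, db, known_bad=KNOWN_BAD_MD5):
    """Precedence: known-bad hash, known-good hash, look-alike of a vendor name, unknown."""
    md5 = hashlib.md5(data).hexdigest()
    if md5 in known_bad:
        return "known-bad: " + known_bad[md5]
    if sha256hex(data) in db.get(name, []):
        return "known-good"
    # Same or nearly the same name as a vendor file, but a hash nobody has seen: that is
    # either a patched vendor binary or something hiding behind a familiar name.
    lookalike = difflib.get_close_matches(name.lower(), [n.lower() for n in db], n=1, cutoff=0.8)
    if lookalike:
        return f"suspicious: named like vendor file {lookalike[0]} but hash is not on the list"
    return "unknown"


if __name__ == "__main__":
    blob, digest = publish_db(VENDOR_FILES)
    db = load_db(blob, digest)
    for fname, content in [("FTShell.dll", VENDOR_FILES["FTShell.dll"]),
                           ("igfxtrayex.exe", b"MZ\x90\x00constructed-wiper-body"),
                           ("notepad.exe", b"MZ\x90\x00whatever")]:
        print(f"{fname:16} {classify(fname, content, db)}")
```

    The pinned digest is the weakest acceptable form of the check; a publisher would normally sign the database with a key whose public half you already hold. Either way the rule is the same: a list of "good" hashes you cannot authenticate is just another file an attacker can replace.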

    The virus file was uploaded yesterday to this sandbox (with connections to Tokyo).

    This file was already called malware in 2011 by this site (it was attributed to the TrueCrypt organisation, but it isn't digitally signed). Well, as long as such software can be placed in the boot sector or the root of a PC without any digital signature, we are driving in the dark without lights, and if it were signed, the signatures would still have to be checked.

    VirusTotal has an analysis for this file, but some antivirus products didn't protect against it.

    This was a 32-bit version, one that shouldn't have worked in a 64-bit environment.

    2011 seems to have been a very difficult year for the rootkit and bootkit developers, as they had to migrate to 64 bits :)

  • Did North Korea send a digital atom bomb at Sony, and what is this destructware?

    The reason for the attack is political

    "Yet the technology news site Re/code reported that Sony was investigating to determine whether hackers working on behalf of North Korea were responsible for the attack as retribution for the company's backing of the film "The Interview."

    The movie, which is due to be released in the United States and Canada on Dec. 25, is a comedy about two journalists recruited by the CIA to assassinate North Korean leader Kim Jong Un. The Pyongyang government denounced the film as "undisguised sponsoring of terrorism, as well as an act of war" in a letter to U.N. Secretary-General Ban Ki-moon in June.

    The technical section of the FBI report said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.

  • destructionware.... bootkits have become digital atomic bombs in the Sony hack

    "The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up.  The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the report said.

    Security experts said that repairing the computers requires technicians to manually either replace the hard drives on each computer, or re-image them, a time-consuming and expensive process.

    We have seen the hundreds of pages listing all the sites and information that were downloaded and now seem destroyed. It is whole intranets with intranet sites (and their code) and databases and internal applications and passwords and files and personal mailboxes, and so it goes on for hundreds of pages.

    Now it is clear that all the hard disks on which this data was found were virtually destroyed, and I hope they have good external backups that were isolated from the network, so that the hackers couldn't delete those as well (which was done in several hacking incidents).

    By using destructive bootkits you also make it very hard to do a professional forensic analysis, because it will be very hard to find the evidence on the destroyed hard disks; eventually you will have to overwrite it yourself to recover some other data (instead of the event logs and other proof).

    We already had viruses that blocked your data with an encryption key, but this is a whole new ballgame: they are out to copy and publish your internal network and then destroy it totally, with the sole intent of making you pay by creating chaos.

    But the big question, naturally, is why Sony wasn't better prepared for this after its attacks and leaks in 2011.

  • fanning: some kids lost their digital virginity online, and some online firms should protect them better

    Yep, this is one screenshot, and the most innocent part of the collections that were downloaded from iCloud because they had forgotten to activate the most basic defence against password guessing: blocking brute-force attacks in which thousands of passwords can be tested without any alert.

    But you have to see the files to understand that the real disaster is that these are youngsters who will find some of these files on all kinds of file servers and porn servers (there is pornographic material in it, although not that much, even if I didn't look at or download each of the thousands of files).

    Maybe we should demand from online organisations that they protect the files of our kids better than our own. If we make a stupid sex tape, it is our own fault, we are adults. But we can't control them every minute of the day or control every contact they make or every movie they shoot, so it is up to the online organisations to give them a safer and more secure online environment.

    And really, this is innocent stuff.

    Once digital, it can travel anywhere, anytime, and once it is out there or with someone else it is gone, out of control, out of your control.
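    The control the post says was missing, as an added example (not Apple's code and not from the original page): lock an account after a few failures inside a window, refuse to even evaluate the password while it is locked, and raise an alert when one source address keeps failing across many accounts, which is what a password spray looks like when no single account ever trips the lockout. The thresholds, addresses and the FakeClock are assumptions of the example.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Controllable clock so the simulations below run instantly and deterministically."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


class LoginGuard:
    """Account lockout after repeated failures plus alerting on noisy source addresses."""

    def __init__(self, max_failures=5, window_s=900, lock_s=1800,
                 ip_alert_threshold=20, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lock_s = lock_s
        self.ip_alert_threshold = ip_alert_threshold
        self.clock = clock
        self.failures = defaultdict(deque)      # account -> timestamps of recent failures
        self.ip_failures = defaultdict(deque)   # source ip -> timestamps of recent failures
        self.locked_until = {}
        self.alerts = []

    def _prune(self, timestamps, now):
        while timestamps and now - timestamps[0] > self.window_s:
            timestamps.popleft()

    def attempt(self, account, source_ip, password_ok):
        """Report whether the password was even checked and whether the login succeeded."""
        now = self.clock()
        if self.locked_until.get(account, 0.0) > now:
            return {"checked": False, "success": False, "reason": "account locked"}
        if password_ok:
            self.failures[account].clear()
            return {"checked": True, "success": True, "reason": "ok"}
        acct, src = self.failures[account], self.ip_failures[source_ip]
        acct.append(now)
        src.append(now)
        self._prune(acct, now)
        self._prune(src, now)
        if len(acct) >= self.max_failures:
            self.locked_until[account] = now + self.lock_s
            self.alerts.append(f"{account} locked for {self.lock_s}s after "
                               f"{len(acct)} failures from {source_ip}")
        if len(src) == self.ip_alert_threshold:
            self.alerts.append(f"{source_ip} produced {len(src)} failures within "
                               f"{self.window_s}s: password guessing")
        return {"checked": True, "success": False, "reason": "bad password"}


def simulate_bruteforce(guesses=1000):
    """One account, one source, many guesses: how many passwords actually get tested?"""
    guard = LoginGuard(clock=FakeClock())
    tested = sum(guard.attempt("victim@example.com", "198.51.100.9", False)["checked"]
                 for _ in range(guesses))
    return tested, guard.alerts


def simulate_spray(accounts=25):
    """Many accounts, one guess each: no lockout fires, so the per-source counter must."""
    guard = LoginGuard(clock=FakeClock())
    for i in range(accounts):
        guard.attempt(f"user{i}@example.com", "198.51.100.9", False)
    return guard.alerts


if __name__ == "__main__":
    tested, alerts = simulate_bruteforce()
    print(f"brute force: {tested} of 1000 guesses were evaluated; alerts: {alerts}")
    print(f"spray: alerts: {simulate_spray()}")
```

    Two counters are needed because the two attacks look different: a brute force hammers one account and is stopped by the per-account lock, while a spray touches each account once and only shows up in the per-source count. With the defaults, a thousand guesses against one account test five passwords and raise an alert on the fifth.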

  • no, we don't need the military in our streets for now, we need them at our nuclear installations

    The minister of Security (as he calls himself) proposed to the minister of Defense of the same party (N-VA) to let the military patrol the streets in Belgium.

    They have done that once before, but at that time we had the attacks of the Bende van Nijvel and the CCC at the same time, which, deliberately or not, created a strategy of tension in Belgium; not all information about that will be declassified before I die.

    He refers to France, but France started with military patrols at certain historic and strategic places after some really big terrorist attacks, and because from time to time they arrest terrorist cells before they can strike. This is not necessarily a good strategy (in Great Britain it is just heavily armed policemen, but still policemen).

    If the minister wants to put the military to good use, he should place them at and around our nuclear installations, where we have already lost one to internal sabotage and lost another for two days because of a fire in an external electrical installation that is not protected by any wall or defensive structure.

    If we lose any of the other nuclear installations we will be in a real blackout, and the only thing you have to do is blow up some of the electrical installations outside the plants, which are totally unprotected.

    Oh, and it is not only me saying this: it was on the RTBF news (from minute 16), and in France there are also calls to militarise the protection and security of nuclear installations (shortly after 9/11 there were soldiers and missiles around our nuclear installations).

  • #ferguson milk in your face to keep the tears away

    Clouds of tear gas filled the streets of Ferguson, forcing demonstrators to run for cover. Standing among broken bottles and shop windows, one woman doused herself in Milk of Magnesia to relieve the symptoms.