ik ging geen afscheid nemen zonder nog 1 keer te overlopen wat de afgelopen 10 jaar via Belsec werd uitgevoerd en al dan niet verwezenlijkt of aangepakt en wat de belangrijkste strijdpunten zijn en blijven.

Zonder statuut of bescherming van securityresearchers zelfs als bloggers is het de laatste maanden steeds moeilijker geworden om zonder kleerscheuren dit soort activiteit te blijven voortdoen. Na 10 jaar inzet werd het dan ook tijd om dit soort stress en risico's aan me te laten voorbijgaan. 

De Financieel Economische Tijd van morgen. 

hopelijk iets dat de discussie zal kunnen voeden 

http://observing.skynetblogs.be/

this is NOT an infosecurityblog it is a security-risk-war blog of which infosecurity is only a small part (and not even necessarily important)

we are NOT watching the Belgian internet for leaks and vulnerabilities anymore, this is the job of the state and the state has to do its work as it has to

this is just some observations, links and informations I share while I am reading

and this only because i am so bored reading the belgian press - sorry guys (but I know you don't have the resources and space you need to make reading belgian press more interesting)

have patience with closing down this blog and service

and moving over to the other one

if you are in belgium and interested about belgian infosecurity we are closing with a bang and if you thought that the presentations on tv and radio and in the press were a bang

await the final exclusive interview about 10 years of fighting for a more secure belgian internet

gloves are off

the archives will be coming online in the coming weeks

all this work will be finished by the end of january - stay on this blog

we have stopped

monitoring pastebin for belgian leaks

monitoring zone-h for belgian hacks

monitoring securityreports for belgian insecurity or compromised sites

monitoring the belgian web with googledorks for insecurity and unresponsable datacollection

we will just be reading and analyzing and thinking and having fun

stay tuned

we can't publish the link due to harrassment by lawyers of Mensura but you can find it easily if you are a little webwise (which shows how stupid these lawyers are)

it also shows what I have said on tv - once on the web always somewhere on the web

so the banks, paypal and others should have taken already all the dispositions to protect the people

new are the old ones of buyway.be (you know that nobody is responsable for overseeing the security and their financial balances of online creditcompanies in Belgium - NO ONE)

update 21/12

1. my sources will stay online and may stay updated

the netvibes are a few hundred RSS feeds

the diigo are a nearly 200.000 links of which we will be liberating a few thousand that will be liberated in the coming days - they were private awaiting treatment

the lists with leaks and insecure belgium are a nice list of leaked data and insecure belgium sites that were hacked or are hackable - if you like to read than you should look at the list documents

the torguide is one of the best around

the twitterlist of leaks and other sources are a nice collection to start with

in January we will close down the following older blogs  insecure.skynetblogs.be, scams.skynetblogs.be be-hacked.skynetblogs.be -  we will place here the links to the pdf archives and others

2. I thank everybody for the support and I thank those who have enough trust in me to understand that I have always been truthful and that the only way to work with sources and contacts is by being totally open about your intentions and the information you have and I won't change that

3. in january I will help with some of the biggest breakthroughs in the fight for privacy in Belgium of the latest 10 years. But not in the limelight

4. meanwhile we are sliding to 2015 and we can only hope that it may only become better because it can't get worse with cybersecurity in Belgium than has been 2014

-------------------------------

Some people have been playing a trick on me and my family

this is not worth it

you don't play with my family

after ten years, I have done enough

I have also a life

and other priorities 

It is for the state to invest and to do its work

not me and surely not against my family 

bye

and a happy 2015

I am not coming back. Not this time

------------------------------------------------------------------------------------------------------------------------

just to make some things clear

* I never hacked, I don't know hackers and I am not Rex Mundi, never was and I don't know who he is

* I am open for new opportunities or possibilities to work for a safer internet or network somewhere - only serious offers this time - but this blog will not be updated again but we will update through this post about the clean-up actions and what we will make or not make available

* I am available for other freelance work

"Yesterday, Bloomberg News reported that hackers, likely from Russia, caused a 2008 explosion on the Baku-Tbilisi-Ceyhan (BTC) oil pipeline in Turkey. According to Bloomberg, the BTC pipeline attack “Opened [a] New Cyberwar Era,” two years before the Stuxnet worm derailed Iranian nuclear centrifuges. The report is significant because it moves back the timeline for alleged state-sponsored cyber attacks that caused destruction in the physical world. (I use “attack” throughout this post in the colloquial sense, without reference to whether an “attack” is an “armed attack” for purposes of international law.)

But the pipeline explosion report also highlights another important issue. It took six years for the explosion to be publicly revealed as a cyber attack, and confusion about whether an incident is an accident or a cyber attack may be a common problem going forward. Although lot of attention focuses on cybersecurity attribution as a question of who carried out an intrusion, the BTC explosion exemplifies an analytically prior attribution question: what caused an incident, a cyber attack or a simple malfunction?http://justsecurity.org/18334/cyber-attribution-problems-not-who/

and so if people get the right to respond immediately to such a cyberattack, the chance that they will be responding to the wrong country and are falling into a second trap is much bigger than anybody realises

in the US there is even talk of responding with military attacks

some cloudproviders have been hacked over the last days

this is an alert, read more on the problem by following the link

"Shellshock is far from "over", with many devices still not patched and out there ready for exploitation. One set of the devices receiving a lot of attention recently are QNAP disk storage systems. QNAP released a patch in early October, but applying the patch is not automatic and far from trivial for many users[1]. Our reader Erich submitted a link to an interesting Pastebin post with code commonly used in these scans [2]

The attack targets a QNAP CGI script, "/cgi-bin/authLogin.cgi", a well known vector for Shellshock on QNAP devices [3]. This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware:
https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061

and this comment shows why automatic patching is so important

"I have one of the affected units. In the firmware update section of the admin interface, the closest thing I can find for an auto-updater is a checkbox that reads, "Automatically check if a new version is available when logging into the NAS web administration interface." From there, you have to manually tell the system to update -- as far as I can tell, there is no option to automatically update the unit. And the manufacturer doesn't send out emails to notify users when there is an update.
http://arstechnica.com/security/2014/12/worm-exploits-nasty-shellshock-bug-to-commandeer-network-storage-systems/

among others

it means they will have to redo their whole certificate infrastructure and default on all their old and present ones

source http://arstechnica.com/security/2014/12/hackers-promise-christmas-present-sony-pictures-wont-like/

NIST Computer Security Division announce the release of Special Publication (SP) 800-53 A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

This update to Special Publication 800-53A contains significant changes to the 2010 version of the publication in both content and format.

To view the full announcement of the release of SP 800-53 A Revision 4, please see the full announcement on the CSRC News/Announcement page – this announcement will provide full details of this updated document:
http://csrc.nist.gov/news_events/#dec12

Direct link to the SP 800-53A Revision 4 document (in .PDF):
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

dit staat er momenteel in wat er in de kennisgeving moet staan aan de getroffenen

• naam van de verantwoordelijke voor de gegevensverwerking,

• contactgegevens van een aanspreekpunt waar bijkomende informatie kan worden verkregen,
• samenvatting van het incident dat de persoonsgegevens heeft aangetast,
• vermoedelijke datum van het incident,
• aard en strekking van de betrokken persoonsgegevens,
• denkbare gevolgen van het gegevenslek voor de betrokken personen,
• omstandigheden waaronder het gegevenslek plaatsvond,
• de maatregelen die de verantwoordelijke heeft genomen om dit gegevenslek te verhelpen,
• de maatregelen die de verantwoordelijke aan de betrokken personen aanbeveelt om de mogelijke schade in te perken.

dus de kosten en het ongemak van het wijzigen van de bankrekening of de gsm zijn enkel en alleen voor het slachtoffer, men noemt dit in feite dubbele victimisatie zoals bij verkrachting

want als er dan nadien toch misbruik gebeurt van de gegevens dan is het opeens de fout van het slachtoffer die niet alles heeft gedaan wat hij had moeten doen volgens de oorzaak van het lek (de onveilige dataverzamelaar)

nee, het is volgens mij de oorzaak van het datalek, de onveilige dataverzamelaar die de banken moet informeren als daar bankrekeningnummers in staan, de mobiele telefoonmaatschappijen als daar mobiele nummers in staan enzovoort

dit is zo in de VS en misschien moeten we dat voorbeeld maar eens overnemen

dan zullen opeens veel meer bedrijven meer gaan opletten en veel minder gegevens vragen die ze via een veiliger weg ook kunnen verkrijgen

do they understand how important this is for the security of the machines

if people start not downloading automatically security updates than we are creating a situation in which we are going back to 2004

we should be able to trust Microsoft to have put every needed resource in this process so that we can continue to trust it

and interfering with updates and drivers from hardware that are generally so well known shows that there is something going totally wrong in the quality control

source http://www.forbes.com/sites/jasonevangelho/2014/12/13/new-windows-7-patch-is-effectively-malware-disables-graphics-driver-updates-and-windows-defender/

it is quite simple

it is simple

the minister for privacy doesn't want the privacycommission to have more powers and more resources and the privacycommission itself told me last week that they were not responsable for the security of the internet and that they don't have the resources - maybe once the European directive on the dataprotection will come into force

so who is responsable for the security of the internet

the prime minister, well the new federal center for cybersecurity has been announced for years but after a lot of talk about who should be the general and the colonels they finally may be deciding to set it up but they don't seem to make this a priority and announce it for somewhere in 2015 while not being sure they have any funding for it

the cert, the cert is not responsable for the security of the internet, they try to handle the incidents that they receive, not the incidents they want to prevent from happening '(which is why you can't call them the firemen of the internet over here because they don't have those powers or resources)

the national bank and the financial sector have some rules and controls (although at the national bank the cell that is responsable for the itsecuritycontrols of the banks - although this is becoming internationally a big responsability - are with few and have very few powers and resources and best of all - the online companies for credit and loans are explicitly excluded from these controls without naming who is responsable

maybe the sector could do it ? yep, the sector could do it but there are some initiatives but you see that they don't work and if the same kind of controls were put into place in our fields of our economy or real life than it would be a quite bloody mess around here

so this is worse than the titanic

there is even a captain on board and the crew is underpaid, understaffed and doesn't really know what it is supposed to do

so if you were rexmundi why should you make your life difficult ?

you do some google searches and find the forms, you do some quick checks and you see if the form has an sql injection or not and once you see that there is one, you download and send an email and a number of cases you get paid and in another you get publicity

should we keep quiet about Rex Mundi

well no because if we give publicity or not, the data are there online and the data are data from our citizens who don't know that their data are leaked or are informed but that is it - they don't do anything more (not paying for another mobile number, the cost of changing your emailaddress and all your passwords, bankaccounts and so on)

the people have the right to know that this is a mess and nobody is telling them and the people who should clean it up are with too few and have too few resources and too few rights to intervene to prevent accidents from happening

it is all too well from ministers and parliamentarians of saying how bad it is

DO SOMETHING ABOUT IT NOW

http://www.okkrediet.be/leningaanvraag/

no encryption

these are the data they want

http://www.allokrediet.be/ 

nonononon

yep fill that in online and you can lose it all

and no encryption

and this kind of data they are asking from you

in fact this means there is no real certificate

there is some encryption on the server itself but it is not clear if there is encryption when you transfer information

part of their forms

another certificate that doesn't work

and that certificate is expired and weak

but they need from you all these personal data online without login

their certificate

and than there is this

they have a strange ssl certificate

and this certificate is not strong