05/18/2010

bandits don't have to hack to get your info, they just go to prison and work

Radiant Info Systems has come to a deal with the Indian state of Andhra Pradesh to hire 200 inmates of a state jail to work on data entry, and the processing and transmitting of information.

"The idea is to ensure a good future for the educated convicts after they come out of jail," CN Gopinath Reddy, director general of prisons in Andhra Pradesh, told the BBC.

"With their experience of working in the BPO [business process outsourcing] in jail, any company will absorb them in future."

The outsourcing centre will handle banking information 24 hours a day using a shift system. Inmates will be paid US$2.20 a day, compared to US$0.33 a day for other work. (source)

And this is NO joke.

I would like to know if inmates are handling my banking information - even though I do little if any online banking or transactions.

They say that if you pay peanuts you get monkeys, but here you get bandits.

14:47

05/17/2010

Deli, MrBricolage and a number of other websites of shops and products hacked

Zone-H listing for the .be domain (columns: date, notifier, flags with H = homepage defacement and M = mass defacement, defaced URL, OS, mirror link):

2010/05/15 Und3rGr0unD W4rri0rZ www.lapeyre.be/img/index.html Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ M game.candia.be/lang/index.html Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ H M www.club-promo.be Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ M www.clubextra.be/lang/index.html Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ M www.coachbelgium.be/popup/inde... Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ M www.di.be/news/index.html Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ M www.lapeyre-game.be/images/ind... Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ M www.mbricolage.be/images/index... Linux mirror
2010/05/15 Und3rGr0unD W4rri0rZ M www.perledelait.be/images/inde... Linux mirror

http://www.zone-h.org/archive/filter=1/domain=be/page=1

What is nice is that so many high-value accounts sit on the same Linux server.

10:48

04/14/2010

Shredding is not enough... as Palin supporters found out

Palin is supposed to give a speech at a public university in June. The details of the contract itself were made public because of some 'destruction negligence' by the organizers, so that opponents could find and publish the document.

"The students who found the contract document said they acted on a tip that documents were being shredded at the campus administration building on a day when staff members were supposed to be on furlough.

Alicia Lewis, 26, was one of the students who went to investigate. The building was locked and gated, but the students were able to retrieve piles of paperwork, including the contract document, from a nearby trash bin, Lewis said. (source)

I prefer confetti machines, and for the totally paranoid I have seen some in which the confetti comes out as one big ball, which makes it nearly impossible to find which pieces of confetti belong to which document. Especially if you add some normal papers with a lot of text.

14:26

03/23/2010

Scrape 50.000+ email addresses from Google profiles

what you put online will be found online

also by email scrapers used by spambots

so why make it so easy for them?


Google result counts per mail provider (the original results page is in Dutch):

1.830 from google.com/profiles for @hotmail.com

3.620 from google.com/profiles for @yahoo.com

76.000 from google.com/profiles for @gmail.com

567 from google.com/profiles for @googlemail.com

1 - 100 of about 4.500 from google.com/profiles for @live.com

11:35

03/09/2010

the numbers of insecurity anno 2010 tell it all

The numbers say it all: In 2009, there were 148,000 zombie computers (spammers, botnets, etc.) created per day, over 2.6 million known malicious code threats at the start of 2009, and by the end of the year, nearly 1 million new ones were created. In other words, to quote the illustrious Stewart Baker: "[The security threat] is worse than we even thought."

http://www.circleid.com/posts/icann_and_cybersecurity_hot...

and some other numbers:

Congress and other government agencies are under a cyber attack an average of 1.8 billion times a month, a number that has been growing exponentially since President Barack Obama took office.

In 2008, security events caused by vectors including worms, Trojan horses and spybots averaged 8 million hits per month. That number skyrocketed to 1.6 billion in 2009 and climbed to 1.8 billion this year, according to Senate Sergeant-at-Arms Terrance Gainer.

The Senate Security Operations Center alone receives 13.9 million of those attempts per day.
http://www.politico.com/news/stories/0310/33987.html

Just try to imagine those numbers. Even if only 1% are targeted, very ingenious zero-day attacks, that still makes for hundreds of attacks to investigate and stop manually.

If you don't have a budget and you have important data, you just close down, limit access and block everything you can on a whitelist basis. There is no way any security product will stop all of this all the time everywhere.

12:37

03/08/2010

what is so disturbing about these hack attacks?

On one side, they are funny, and as such they are treated like the YouTube freaks:

a quick laugh and quickly forgotten.

But there is more to consider.

cadeaufabriek.be uses no HTTPS to order cheques.

The official organisation that mediates between clients and the energy companies uses no HTTPS on its forms, in which you have to fill in all kinds of personal data.

The login process for your CV on the other site also has no HTTPS protection.

And there are other sites (official ones too) with no, very scarce or bad use of SSL encryption in their data handling and protection. There are no norms in Belgium about that.
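A check for exactly the problem described above, written for this page as an added example (it is not the original post's code): it walks the forms on a page and flags any that would carry personal data without HTTPS, either because the form posts to plain http or because the page itself came over plain http and could have been tampered with on the way. The sample page and the shop.example hostname are constructed, not any of the sites named above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form>'s action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return (action_url, fields, reason) for each form not protected end to end.

    A form is flagged when it submits to plain http, and also when the page itself
    came over plain http: anyone on the path can rewrite the form before the browser
    sees it, so an https action alone proves nothing.
    """
    parser = FormCollector()
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"] or page_url)
        if urlsplit(action).scheme != "https":
            findings.append((action, form["fields"], "form submits over plain http"))
        elif not page_is_https:
            findings.append((action, form["fields"], "page served over plain http"))
    return findings


# Constructed sample: a login form and a card form on a plain-http order page.
SAMPLE_URL = "http://shop.example/order"
SAMPLE_HTML = """<form action="/login" method="post">
  <input name="user"><input name="password" type="password"></form>
<form action="https://shop.example/checkout" method="post">
  <input name="card_number"><input type="submit"></form>"""

if __name__ == "__main__":
    for action, fields, reason in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{action} ({', '.join(fields)}): {reason}")
```

Running it against a real site means fetching the page and passing the final URL (after redirects) as page_url, so that an http-to-https redirect is credited correctly.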

And on top of it all, these sites were hacked.

There is no impact report or audit, there is no information for the possible victims about whether data has been leaked; there is only the wild wild west. Use at your own risk. Because there are no norms in Belgium about that. And as long as nobody files a complaint with the FCCU or the Privacy Commission there is no problem.

As long as we don't talk about it, right?

Because people could start having doubts and we would have to invest in security, and we can't have that.

and that is all for today, see you tomorrow

10:51

Microsoft calls for ISPs to block infected PCs

Internet Service Providers like Belgacom and Telenet should block PCs that appear to be infected according to recognized virus controls (not heuristic or advanced ones; that would make for too many false positives).

The only problem with this is that you will need a whitelist of organisations, enterprises and infrastructure that can't be blocked individually but that should go through an alert system instead. In fact this is the beginning of a network-wide alerting system, because every such network would have to set up a process in which cleanup calls from the ISP are taken care of speedily. This would be useful for the CERT and during a crisis. And the reason they would have to do it is that otherwise they couldn't be whitelisted (they will need to adopt a process and fill in forms). The reason they would have to clean up is that otherwise they would lose their whitelisting and be automatically blocked if one of the PCs on their network gets infected again. I think the business value of securing your network will be so evident (imagine a day without mail or internet) that no one will doubt for a second to secure the computers and put the necessary limits and controls in place.

For the ISPs it is also quite interesting because it will take some of the responsibility off them. They can say: "You are blocked because you are infected and you should clean up your computer before you can reconnect. If you don't know which antivirus to use, here are links to several free ones you can use for home and/or business use. This is the virus, and here are some links to help if you can't get it off your system." The banks and financial services will also find something interesting in it, because they will have fewer infected clients attacking their networks and trying to steal money from their customers.

If customers get fed up with a continuous stream of infections they don't seem able to handle (once hacked, always attacked), ISPs can offer a clean pipe or protected zone (mail, banking and another 100 selected trusted services, if that is all you do on the web or all you want your kids or others to do on the web). The trusted zones can also be used when a massive worldwide new attack makes it difficult to use the web.

This is the quote:

"If the access provider just made sure you're not carrying any disease and you're not going to infect the community we'll let you connect with no further ado. But if you are infected with something we recognize and have a signature for, let's clean you up and allow you to connect.

I wondered what is the rational basis for doing this to consumers and I started thinking about smoking. People smoked for the longest time even after we knew it causes many types of cancer, heart disease. Society said you have a right to smoke. Even though you're going to add cost to the health care system that we're all going to have to pay for, if you're going to risk lung cancer that's your right. Then the EPA came out with the secondhand smoke report and suddenly smoking was banned in a lot of public places. The philosophy is simple--you may have the right to risk your own life and risk disease, but you don't have a right to sicken the person next to you. So when we started in Internet security we said to consumers, run antivirus, update your software, and back up your data, and many people didn't. The problem with botnets is you're not just risking yourself any more, you're risking everybody else in the community. It's just like smoking."

http://news.cnet.com/8301-27080_3-10462649-245.html

09:53

why one should put passwords on important files or encrypt them

The PDF format is every day becoming more of a vehicle for malware distribution and hacking. Didier Stevens - a Belgian, by the way - has proven once again that you can do whatever you want through manipulated PDF readers (by using features, not necessarily bugs).

He has made a proof of concept in which he stole files from a local computer that was reached through an infected, hacked PDF file.

Encryption, or some form of identification before you get access to important files, should become the norm.

It is just a shame that Adobe is killing the PDF format this way, but let no one blame Microsoft afterwards when people look at its formats again for safe standards, because Adobe did this all by itself.

The best thing Adobe can do is give us back a plain read-only, no-script, secure Adobe Reader and PDF format. Like in the good old days.

An interesting read

08:43

03/05/2010

online cracking of your wireless WPA connection

First they discovered wireless and forgot all about security; who needs that anyway, the internet was made without security, so why would the wireless protocol need any?

After a few incidents and questions, the industry, as they call themselves, got together and decided to write some security protocols to have at least some security, but not too much or too heavy.

This WEP was easily broken, so they had to make another one, WPA, that would be much harder to break (meanwhile people are using no security or WEP), and there is even WPA2 now.

But as with any security it can be broken and what can be broken can be sold and what can be sold can become a criminal business.

So one of the new business models from the cloud is that you can ask a collection of servers and databases to break passwords and encryption. Thousands of computers do it for you and you just have to pay for the result. Isn't that fantastic, the power of the cloud for the criminals, a criminal cloud. Imagine what the GRID or Internet2 could bring for organised online crime.

At first there was no security when they started with wireless. Simply forgotten; of course it all had to be launched as fast as possible first.

Then they eventually came together to draw up a number of security standards for the different kinds of wireless connections (protocols).

http://ph33rbot.com/wpa-password-cracker/

http://www.wpacracker.com/

And it doesn't even have to be computers: because of the enormous computing power of game consoles, they are the favourite tool for setting up farms of boxes that crack passwords and encryption.

What would that mean for an eID attack, to get your national register number, the most unsafe combination of letters ever assembled as a unique identifier?

12:37

03/03/2010

how to clean up millions of computers at once

This week we have about ten to twenty million personal computers that were part of botnets and that, as zombies, have now lost control and contact with their criminal masters and their infrastructure.

There is no way that we can clean them up manually or individually.

But we have captured the infrastructure and the botnet control scripts or domains that are used.

The idea is the following.

All those infected computers should receive a security cleanup and update. Otherwise it will change nothing in the threat landscape, because those computers will be rehacked and rebotnetted again and again. Probably the other botnets are already trying to reinfect or take over those computers.

So let's use the botnet infrastructure, commands and domains to send a message to those users that they were infected by a botnet and that they should install antivirus software.

The problem is how you do that while we are telling everyone that they shouldn't click on security alerts popping up on their screen, because they could be clicking on fake security software that is in fact malware.

Maybe the Conficker Working Group can be used. They work through the CERTs, which distribute the IP addresses through the ISPs, and at least the network admins will be informed and can clean up those stations or contact the users. For the other individuals, maybe one should make an online check page or an auto-download directly from their ISP and announce that they have to install the necessary software (without adding other things, so that there is no privacy or other outcry over what is essentially a security cleanup operation).

It will also prove that the Conficker Working Group is not so much an overhyped exercise as the setting in motion of an international security cooperation and coordination group that can be essential in the tracking, arresting and cleaning up of those international botnets. As long as we have a minimal state in cyberspace, we should have maximum cooperation between the private partners, at least against organised cybercrime and botnets.

I think this is one of the biggest challenges before us: as the tracking, arresting or dismantling of botnets becomes easier, the cleanup operation afterwards will become more challenging and important.

16:00