31-10-07

hack of the week : met.wallonie.be

http://www.zone-h.org/component/option,com_mirrorwrp/Item...

and now it says that

Site indisponible !

Le site patrimoine.met.wallonie.be est actuellement en maintenance, et devrait revenir en ligne dans la semaine du 5 au 9 novembre 2007.
Because the problem is that you can't be all that sure that even if they only defaced one page of your portal they didn't have access to other parts of your portal but didn't use them yet or that they didn't install backdoors. So the clean-up act must take much more time.
The fact that it takes that long proves that they didn't think they could fall victim and that they probably didn't have the necessary clean backups.

00:24 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |

30-10-07

What could be done by the gateway defenders of the Belgian Internet

It is a good exercise. Take that a few thousand zombies from all over the world attack a list of Belgian website to compromise them or to take them out (ddos). How would you react ?

Well there should be plans for three centers in the case of a cyberattack. They have totally different tasks and should have different people - enough people to be on permanent standby as long as the attack endures.

1. Communication : where will the networkadministrators and journalists find information about the developing situation ? Infomration that should be correct and verified and without any hyperbole. It should also give a list of all the patches and tricks that are being used and the workarounds. This should go very very fast.

2. Take-out center : where would all the information be concentrated about webservers and services that are being used in the attack and that have to be taken out or blocked at the first gateways to the Belgian Internet.  Internaitonal coördination is also necessary here. Internally Belgian compromised webservices should be taken out as fast as possible. This should be verified but very fast.

3. Prosecution center : where would all the forensic information arrive so that official - eventually international - complaints can be launched. In the case of such an attack this would be necessary if you would to treat this as a government-level problem in which the Turkish government has to act. This should be first very well verified before being handed over as evidence. The procedure and the information needed should be set up now to communicate at the start of the attack to the Information and take-out center.

09:21 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |

Looking for a turkish language IT co-blogger

I do not speak turkish, but I have that list with Turkish hacker sites that seem interesting if you wanne have a better view on what the Turkish hacker clans are preparing. If it is being prepared it will be prepared there and the discussions among them about attacking this or that target can be interesting to know what the probability will be of such an attack.

Remember for the moment we - as networkadministrators - are all on our own. There is no Internet Storm Center in Belgium - even if the Belgian Telecom Law has foreseen one. This internet storm center would coordinate and interpret all the information they would get from different resources about announced attacks and those taken place and would give us a local belgian view of what to expect and what is happening.

I hope meanwhile that our national intelligence service has some Turkish language security researchers keeping an eye on the Turkish hackers clans. Or would they say like after 9/11 that they don't have enough foreign language speaking people to foresee and correctly interpret what is being said and done ?

So if there is a turkish IT knowledgable blogger that doesn't have himself anything to do with hacking, than you can contact me. The turkish hacker clans are roughly accountable for more than 75% off all defacements in Belgium.

08:57 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |

It is not because the cyberattack hasn't taken place yet

That the member of the Turkish hacker clan that proclaimed the threat is playing golf. For the moment he or the name of the clan he said he belonged to are waging attacks on the Belgian cyberinfrastructure that are being seen. But they are still defacing numerous sites everywhere else around the world. So they still have all the firing power they would need to launch such an attack.

That in Belgium authorities and security people are playing sitting duck and just waiting to see if something will happen. Have the impression that some people are starting to follow up on the story. In the best case they are studying what happened during the big scale attacks against other countries and have plans ready or are setting them up. Responding to such wide scale attacks without a plan and a coordination would be totally irresponsable. It would multiply the economic impact of such an attack by .........

A worst case scenario is that they are now making an inventory of the sites and infrastructure to attack and are scanning. After that they can wait for the next release of windows patches (and an exploit against unpatched machines at the latest a few days later) or are waiting for a new zero day exploit coming on the black market (for sale). Next week may be critical. If there are no political or military events that change the context, the situation may cool down after that if next week no major attack takes place. (which means 'only' 5 to 20 Belgian .be websites hacked every few days).

In the best case scenario they have understood that another such attack against an European country would do no benefit at all for Turkye.  It will not get them any sympathy for their 'cause' against the PKK and it will not make a good impression while you are negotiating a better 'membership-or-somthing-like-that' deal with the European Community of which the institutions are placed in Brussels, Belgium....  You do not need to be a general to understand this.

So in colours I would say Yellow in Sans terms. Prepare yourself and watch out. If something big happens, it would be between now and the end of next week without any change in the political context. For the rest, control your firewall, your logs, patch your machines, close down the applications, change standard passwords, upgrade older machines, make backups, set up a procedure who to contact and what to do and what everyone should do if something goes wrong and test next week the time you would need to patch all your machines as fast as possible. In that case this announcement is a good case for an exercise. Better be prepared than sorry. (ps I am not a believer in end-of-the-digital-world-conspiracies )

08:49 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |

29-10-07

vao.be was hacked and reported in the news

No news yet that a Turkish hacking storm may be on the horizon, although the warning has been sent to the media.

Meanwhile this example should awaken some - but less than a pre-alert.

So, lets look at the hack
First it is being done by Briam - a very Turkish name. (sic)
Secondly the contact address is mail.ru in Ruland. So forget asking any information over there.
Thirdly there is no mention of other Turkish hackers or clans or websites.
Fourth the language is not the normal nationalistic Turkish slogans.
So maybe it is a lone Turkish cybersoldier and maybe it has been done from a Belgian IP address and we can see an arrest in the coming hours or days. And he will be another stupid belgian hacker who forgot that in Belgium the  cyberlaw is in its place and being used by the cybercops.

15:57 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |

major Internet backbone global crossing facing huge dificulties today

Network problems on a major backbone: Global Crossing

During the day we were receiving messages regarding the problem with one of the major backbone providers - Global Crossing whose fiber optic network covers more than 100,000 route miles, reaching six continents, 60 countries and more than 600 major cities. They are some problems experienced on the following routes - from Global Crossing to Internap, Level3, Savvis, SBC, Verizon, XO. This is the cause that many websites during the day are experiencing problems with availability and latency.

12:55 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |

site will be updated as needed

We are going to focus on this developing situation in the next day and keeping a watchful eye on what is happening and if something is going to happen. And even if nothing is happening, let it be a good exercise to

- watch out if your website is hacked (or still being Google cached as such)

- control if your infrastructure is safe and monitored

- control if you have a backup of your website and the necessary plans in place

Meanwhile BIPT and DNS.Be should think seriously about getting those forgotten hacked belgian websites unreachable as long as they aren't fixed because they could become launching platforms for new attacks that could become nastier than those we have known so far.

If you don't let broken down cars drive on our highways, why let hacked websites still be out there without any lock-out. Or google can lock-out the websites that are daily hacked by badware.org. This would oblige Google to clean its cache and the administrators to clean up their act.

The political parties that will form the government should also foresee the concentration of all forces in Belgian to defend our critical infrastructure. It is maybe time to organise hearings about this subjecs and to take the necessary legal action and to implement the laws and plans already established. I do not care how it is organised (local, federal) as long as there is a fluent coordination in REALTIME.

Because otherwise 'we will all go down together'.

12:40 Gepost door technology changes fast not a lot in Algemeen | Permalink | Commentaren (0) |  Facebook |