12-11-07

between hype and trust and preparations

If you have been following the IT security news streams on the internet for some years, you start trusting nothing, and after so much hype and sales talk you take notice of nothing, thinking it will all blow over without much damage.

Afterwards you have people saying that of course nothing happened, but how could they have known? And if something had happened, how would they have reacted? So let's take this one step further and put three major internet security events in Belgium from the last weeks under the microscope.

First, the Turkish hacker attack against Belgian sites, which was first discovered here. The facts were that only a few Belgian sites were hacked, but with an explicit warning by a member of a very important Turkish hacker clan. A week later about 100 .be sites were hacked, but not with the same message. Last week only a few Belgian sites were hacked, of which the re-hack of parts of antwerpen.be made the news. The level of defaced Belgian sites seems more normal now, but this does not mean that your sites can't fall victim if they aren't defended as they should be. It looks like the leadership of the clan didn't want to launch a concentrated full attack on our networks, and we hope it will stay that way. Were we right to call the alarm? Yes, because too many sites in Belgium aren't looked after, and the webmasters should have been more alert, as the antwerpen.be case proved.

Secondly, the online virus downloader script. When this alert was published by the Internet Storm Center it looked like the beginning of something that could have spread like wildfire on the internet. The technique was very simple: insert a JavaScript reference into a search box, an SQL database or a web forum. Millions of pages would be vulnerable if a server of some importance scanned the web and inserted this script wherever it could. We researched the 60.000 pages and came to a list of some 50 domains, which we communicated to the Internet Storm Center. A few days later it seems that not many more pages have been added, and that even where Google still shows the script present in pages, it has already been removed. Were we right to call the alarm? Yes, because it seems that the attack was launched by the same Chinese gang that also launched the massive ANI attack last year and was involved in some other big attacks. The problem is also that too many forums and sites are vulnerable or accept script inserts, even though there are nowadays more than enough reasons to refuse any user-supplied script insertion in your site or forum.
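The triage described above (reducing a crawl of infected pages to the short list of hosts serving the injected script) as an added example; this is not code from the original post, and every page body and hostname in it is constructed, with the `.invalid` names as placeholders:

```python
# Added example (not from the original post): triage a crawl of pages carrying
# an injected <script src=...> tag, reducing them to the distinct hosts serving
# the script, as the post describes doing for 60.000 pages.
# Every page body and hostname below is constructed; *.invalid are placeholders.
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_CRAWL = {  # page URL -> (truncated) HTML body, all constructed
    "http://forum.example.be/viewtopic.php?t=12":
        '<p>hello</p><script src="http://malware-host.invalid/dl.js"></script>',
    "http://shop.example.be/search?q=test":
        '<div>Results: <script src="http://malware-host.invalid/dl.js"></script></div>',
    "http://www.example.be/":
        '<script src="/js/site.js"></script><script src="http://www.example.be/js/app.js"></script>',
    "http://news.example.be/item/7":
        '<script src="http://OTHER-host.invalid:8080/x.js"></script>',
}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def foreign_script_hosts(page_url, html):
    """Hosts serving scripts that are not same-origin with the page;
    relative sources such as /js/site.js have no host and are ignored."""
    page_host = urlparse(page_url).hostname
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        host = urlparse(src).hostname  # already lower-cased, None if relative
        if host and host != page_host:
            hosts.add(host)
    return hosts

def triage_crawl(crawl):
    """Foreign script hosts ranked by the number of distinct pages loading them."""
    counts = Counter()
    for page_url, html in crawl.items():
        counts.update(foreign_script_hosts(page_url, html))
    return counts.most_common()
```

The ranked list is what you would hand to a CERT: the host at the top is the one worth taking down first, and the same-origin scripts never appear in it.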

Thirdly, the e-jihad. This has been the hype of the last week, and there have been two, or rather three, sides to the discussion. The first was that we were going to be attacked and that all hell would break loose. This has not been the case, just as in the previous two announcements of cyberwar. The other side said that no attack was going to take place and that everybody who said so was naive or stupid. The position in between is based on the fact that even if the control server is offline now, there is no technical reason it couldn't be brought online again elsewhere and start sending its attack lists or updates to its clients/members. This wasn't the case, but who could be 100% sure? The other argument was that, as Belgian sites are not that accustomed to DDoS attacks, they should use this alert as a basis for an exercise to see what their response time and procedures look like (and how their partners would perform in such situations). We weren't saying more than that.

So it is very easy to play the wise guy afterwards. There are no laws, axioms or scientific weather reports on the internet. All the time you have to collect information, look at all the details, make assumptions and plan accordingly. Sometimes you have to prepare for the worst and be happy that it didn't materialize, while meanwhile you have adapted your defenses based on the lessons learned during the preparations.

This means that your boss can trust that, whatever the hype next week, you will be prepared for the worst if necessary.

00:00 Posted by technology changes fast not a lot in Algemeen

11-11-07

A call to Belgian IT and Security people

Some IT bloggers and security people in Belgium have begun working together on a very loose basis. We don't want spokespeople, we don't want a structure or big ideas that take too much time to set up. We just want that

* people who have blogs exchange their feeds. We already have an integrated RSS news feed as a test, which can also be used as a netvibes, yahoo and google module. You are free to put it on your blog

* people who don't have a blog but have something to say have a blog where they can do this anonymously but within the law. The blog where they can do this is http://belsec.skynetblogs.be

* people, institutions and firms who have usable and interesting information about the (in)security of the Belgian internet that can be useful but didn't know where to publish it yet can do so here

* this be a meeting and starting point for other projects

In the hope that everybody will respect each other, won't try to use it for advertising and keeps on posting interesting information, we hope that this way people will be able to exchange fascinating ideas and interesting and useful information.

So if you are a Belgian IT/ITSec blogger, or would like to blog about IT/ITSec, or you have information about the (in)security of the Belgian web, we would like to hear from you.

22:16 Posted by technology changes fast not a lot in Algemeen

09-11-07

Blacklisting works like an embargo - and it is our best reactive self-defense

It has been said before and it is touching some nerves - but brutal blacklisting is an active defense that works. Ok, some innocent services and sites are also blocked, but it is the only way to make it crystal clear to the guys who don't care about security upstream or downstream of their business that they will lose much more business if they continue like this.

Look at the free .tk domain. It was a hotbed for spammers and crooks. But then it became blocked - just like .biz and .info (and .euro in the beginning) - as a whole, without fine-tuning. If they don't clean up their act and don't invest time and effort in running a clean business, why should we invest time in trying to make a difference between the good and the bad sites they are hosting? The .tk domain immediately saw the number of registrations falling and decided to take action, and since then malware sites are disappearing faster than they re-appear. The blockade of the .tk domain is more or less overkill now, but only after a few weeks of total blockade by numerous servers and networks.

The other example is the Russian Business Network in the Ukraine. I think that after more or less a year security people got fed up with researching hundreds of domain names and IP addresses and the rest to block, and the decision was more or less taken by the anti-malware fighters to block the whole ASN internet range. Some good firms and sites would be hurt, but it was the only way to make sure that the hosters and ISPs that were selling their businesses to those crooks would understand that they would sooner rather than later be cut off from the internet. RBN has been cut off from the Ukrainian internet by their ISPs and the blockade has been called to an end. Rumors are saying they will go to China. Well, who needs .cn anyway? Even the gov.cn sites are full of viruses, spam and crackers.

Maybe we should take out one malware hoster or ISP a month. All over the world. Blocking them for at least a month until they clean up their business. It will never end - sure - but maybe we shouldn't let the cancer develop like this, and some operations are necessary to cut it out.
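The embargo-style policy the post argues for (block a whole TLD or a whole network range, accept some collateral, carve out the few innocent services you know about) as an added example; this is not code from the original post. The `.tk` entry comes from the post itself; the prefixes are RFC 5737 documentation ranges standing in for an ASN's announced prefixes, and the hostnames are constructed placeholders.

```python
# Added example (not from the original post): a coarse "embargo" blocklist that
# blocks whole top-level domains and whole network ranges, with a short
# allowlist for known-good services that would otherwise be caught, plus a
# helper to measure the collateral damage of a policy before deploying it.
# .tk is named in the post; the prefixes are RFC 5737 documentation ranges
# standing in for an ASN's announced prefixes; all hostnames are constructed.
import ipaddress


class EmbargoList:
    def __init__(self, blocked_tlds, blocked_prefixes, allowed_hosts=()):
        self.blocked_tlds = {t.lower().lstrip(".") for t in blocked_tlds}
        self.blocked_nets = [ipaddress.ip_network(p, strict=False) for p in blocked_prefixes]
        self.allowed_hosts = {h.lower().rstrip(".") for h in allowed_hosts}

    def verdict(self, host, ip=None):
        """Return (blocked, reason). An allowlisted host always passes,
        whatever its TLD or address: that is the carve-out for innocent sites."""
        host = host.lower().rstrip(".")
        if host in self.allowed_hosts:
            return (False, "allowlisted host")
        tld = host.rsplit(".", 1)[-1]
        if tld in self.blocked_tlds:
            return (True, "tld ." + tld + " under embargo")
        if ip is not None:
            addr = ipaddress.ip_address(ip)
            for net in self.blocked_nets:
                if addr in net:
                    return (True, "address in embargoed range " + str(net))
        return (False, "no match")

    def collateral(self, known_good):
        """Hosts from a list of (host, ip) pairs you know to be legitimate
        that this policy would nevertheless block: the price of the embargo."""
        return [h for h, ip in known_good if self.verdict(h, ip)[0]]


# Constructed policy: .tk wholesale, two placeholder ranges for an embargoed
# ASN, and one allowlisted .tk site that is known to be clean.
POLICY = EmbargoList(
    blocked_tlds=[".tk"],
    blocked_prefixes=["203.0.113.0/24", "198.51.100.0/24"],
    allowed_hosts=["goodsite.tk"],
)
```

Running `collateral()` over your own list of partners and customers before switching the policy on tells you which of them to allowlist, which is the fine-tuning step the post says the .tk blockade skipped.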

23:39 Posted by technology changes fast not a lot in Algemeen

hacking a Belgian server for phishing: real and live

And if you thought that only the Turks were attacking our network:

here are the phishers. Live report (resolved now) and report.

This site was already used in a phishing campaign last year.

So I say it again: once hacked, always attacked.

14:46 Posted by technology changes fast not a lot in Algemeen

online virus infections - internet CERTs are working on it

The Internet Storm Center is working to clean up the list of infected online websites I have sent them. It looks like futurestep.be is clean now.

You should be sure that your programmer knows something about XSS and SQL injection. So instead of giving him an iPod for Christmas, give him a course and some books.

14:26 Posted by technology changes fast not a lot in Algemeen

Why I do this (since 2004)?

An older blog, http://manifest.skynetblogs.be, is a base text with which I have denounced, since 2004, the slowness and unworkability of, among others, the BIPT. In the trenches around the networks it was by then mopping up with the dikes already breached. And the government and the politicians looked on and left it to those who did not want to do anything.

Until one day a few brave politicians decided that enough was enough and that, as is the trend abroad, ISPs also have a few obligations (like car makers and other manufacturers, or like energy transport companies), and so articles 113/114 of the new Telecom Act came about, which stated on page 47 that

It is strange, by the way, that Test Aankoop, as so-called defenders of consumers, does not manage to enforce this, because every ISP in Belgium wants to make its users pay for extra security.

The driving forces behind this initiative are Mr Roel Deseyn (speech) of cd&v and Philippe De Coene (sp.a), who moreover devoted a website of his own to it.

But only after that did the Echternach procession begin. According to many specialists we have an exceptional law, but it never got its implementing decrees. Now we wait to see whether the new government will at least manage to give us an 'internet storm center', or whatever the thing ends up being called. And then I will drink a glass - or better a bottle - of champagne.

14:13 Posted by technology changes fast not a lot in Algemeen

a hack a day? taxshelter.be supported by the Belgian ministry of Finance

This is a site to attract investors for the film world, and maybe those people are very good financial specialists supported by the minister of Finance himself, but they don't know how to choose a professional website builder, even if they have made a login and so on for their members (but would you give your credentials as a financial investor to amateurs?)

http://www.taxshelter.be/index.html direct link to the hack

This site has been re-hacked; the first hack was noted on the 28th of October.

IF YOU WERE HACKED ONCE, YOU WILL BE RE-ATTACKED, AND IF YOU DO NOTHING YOU WILL BE HACKED AGAIN AND AGAIN AND AGAIN.

Is the man behind it a Turkish hacker?

12:23 Posted by technology changes fast not a lot in Algemeen