Posted: 25 Aug 2008 07:27 AM CDT
It doesn't happen often that Wikileaks is used by Belgians to place documents that could perhaps stir a bit of debate in Belgium. Wikileaks is perfect for that. You should only make sure that when you do it you use a proxy and a separate free email address that has no reference to yours, and that you don't do it from work or any other monitored place. Prefer a cybercafé, and if you upload documents often or check that other mailbox (which you otherwise don't use anywhere), you should vary your routine (there should be nothing foreseeable or planned in your behaviour).
Back to the document now
1.) This file and this context have never been released before.
2.) This file shows how the Belgian tax department supports tax evasion by Belgian citizens living outside Belgium. The Belgian land register belongs to the tax department; it allows wrong addresses of landowners to be entered in the land register. The land register is run electronically, so landowners can anonymize their foreign address and cannot be found by the tax authorities in the country they are living in. The document shows the work of a notary and a lawyer, Anne Van Ysendyck; her address is completely wrong, and the other addresses are wrong too. The addresses are changed in such a way that the owner cannot be found by foreign tax authorities.
3.) The audience could be all tax payers in the European Union, angry about tax evasion by the rich.
Posted: 25 Aug 2008 07:25 AM CDT
Good morning all! Back to work today. I’m pondering over my cup of coffee this morning as to exactly how today will play out.
And now, the news…
Posted: 25 Aug 2008 06:48 AM CDT
AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.
A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
A hacker succeeded in placing a trojan on a PC used to make the reservations, got the login and then downloaded the whole database. This means that someone who made reservations had access AND download rights to the WHOLE database. Mamma mia. There you go again, make HIS day.
Restrict all the rights in a database to the strict minimum. Use separate, dedicated machines for management control of those databases and give download rights only after approval, especially for these kinds of databases. But of course outsourcing to India is so safe.......
If you are a customer of Best Western then you should
* tell your credit card company and ask them to be suspicious of transfers of money that don't fit your normal behaviour.
* check all the transactions on your cards for some time. Some people who were in stolen databases only saw the first fraudulent use after some months (Delhaize US).
* safest is to ask for a new one altogether; say that you have lost it, if you can live without it for a few days.
* ask Best Western for more information, let them sweat a bit, and make it clear you don't appreciate this kind of lax security.
And if you are a European who thinks this could only happen in the US: according to the article this is the first time that the Russian (mafia) Business Network has got hold of such a big database with European IDs and credit cards. Maybe they expect Europeans not to be too prepared or educated against the crime wave that could (in theory) take place now. The question is whether it will happen at once or bit by bit....
For our Belgian readers: now you can maybe understand a bit better why we were so angry that the ID information on our eID (electronic identity card) could be intercepted so easily by a virus. All public information, they said; yes, but very dangerous if it were coupled with a database of credit cards. This is now the case. Imagine if you could combine an eID database with a credit card database. Pretty impressive, no?
Posted: 25 Aug 2008 06:08 AM CDT
If a payment service still accepts payments for a program that the whole web now knows is a total scam, then it has no ethics and will probably work with any crook to accept whatever money.
Posted: 25 Aug 2008 05:58 AM CDT
He has been placing links in forums (registering as a member) or in guestbooks.
His site is a trap with an illegal scanner that will warn you of threats, real or unreal. But you should never use software like this. They don't have the quality and expertise, they are just crap, and they sometimes install spyware on your computers.
Posted: 25 Aug 2008 05:48 AM CDT
added some others while I was at it
Posted: 25 Aug 2008 05:07 AM CDT
These attacks are going on at full strength according to the Internet Storm Center, and they say that particularly these seem to be increasing while others are cleaned up.
this is also a list
Posted: 25 Aug 2008 01:01 AM CDT
For those who weren't satisfied with slides alone from Dan Kaminsky's DNS talk, the video (m4v) and the audio (mp3) from Black Ops 2008: It's the end of the cache as we know it (ppt) are now available (courtesy of Blackhat.com). They already have the majority of presentations and whitepapers from Blackhat USA 2008 online on this page, and it will be updated with videos as well. Keep an eye on it.
It's the end of the cache as we know it
Posted: 25 Aug 2008 12:20 AM CDT
I don't write about national politics much on this blog, but as soon as I heard Obama chose Biden for his VP, it was obvious to me why. All the issues the media raises about Biden's negatives (he's old, been in Washington too long, was an Obama naysayer, etc.) are simply missing the point.
My view on the strategy behind why Biden is Obama's VP pick: Biden is basically the democrat version of McCain. Biden's got the foreign policy experience, senate experience, he's outspoken, he has a temper he doesn't always control, has foot-in-mouth disease, has that independent, hard to control spirit, and is seen as a maverick. Very much like McCain.
Biden neutralizes McCain – Why cross over and vote McCain when you can get the same thing in Biden. If you're a Democrat, don't cross over to McCain because you've got Biden. If you're a Republican considering going for Obama, it's "safer" now because you get most of what you liked about McCain in Biden. (Except the national hero, POW hero factor.) And the knock that Obama's not ready to be President? Well, Obama must be if Biden changed his mind enough to be Obama's VP. Biden left that door open in the Democrat debates when he said "[Obama] could be ready".
It's the neutralize McCain strategy by taking away most of the differentiating reasons you'd vote for him. Personally, I believe Hillary would have given Obama the best chance of winning, even though she would have made the run up to the election more like a Bill-ary turkey shoot for the Republicans.
The media isn't buying into Obama's Biden VP pick but I think this is the real strategy behind it.
Posted: 24 Aug 2008 09:28 PM CDT
Two acronyms worth remembering.
RGE: (Resume Generating Event) – An event that forces a person, or the person's manager, to generate an updated resume. An RGE is something most of us don't want to experience, at least not too often. RGEs are often followed by changes in income, housing, marital status, etc.
HGE: (Headline Generating Event) – An event that causes news reporters to write stories and generate headlines. HGEs can be either positive or negative, depending on the causes and effects of the event, although with the exception of dot-com startups, most IT-initiated HGEs are negative events related to system or project failures of some sort.
HGEs are often followed by RGEs.
Obviously a goal of system managers, security people and IT folks in general is to make sure that acronyms like the above don't show up unexpectedly. Those of us in public service are particularly sensitive to HGEs. There are not too many circumstances where public service IT organizations can generate positive headlines. Odds are that if there are headlines, they are not good. There is no incentive for the local news broadcast to begin with a segment on your shiny and fast new servers or your four nines of application uptime.
We spend a lot of time analyzing risk in security decisions, system designs, deployments and upgrades. If we do it right, we can design, build, manage and maintain systems that meet user/customer requirements while minimizing the probability of triggering an HGE and the follow on RGEs.
And if we are REALLY doing it right, we'll have fun while we are doing it.
Posted: 24 Aug 2008 08:11 PM CDT
TJX and Hannaford breaches. The London Telegraph is reporting that over 8 million customer accounts have been stolen from Best Western and sold to the Russian mafia. This story is still breaking but from the article:
It is believed an Indian hacker succeeded in bypassing the security software and placing a Trojan virus on one of the firm's machines used for reservations.
A Sunday newspaper discovered the crime? Jeez. I'm sure there will be much, much more to come about this one.
Original Story: Hackers steal details of millions of Best Western hotel guests
Posted: 24 Aug 2008 05:01 PM CDT
Darkoz was so kind as to maintain a huge media archive of talks from past Defcon, Blackhat, Shmoocon, HOPE and other conferences over at mirrors.easynews.com.
In the end, the archive was nearly a terabyte of disk space and easynews couldn't support the archive anymore.
If you can help us with bandwidth and storage, please check out Darkoz's post over on his blog. Even if you don't have these resources, pass the word.
(Photo under creative commons from RobotSkirts' photostream)
Posted: 24 Aug 2008 04:42 PM CDT
Last week, some of Red Hat's computer systems were compromised. During this incident, the attacker was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).
As a precaution, Red Hat is releasing updated versions of these packages. Red Hat has also released a script with which you can test your system for any affected packages:
(Photo under creative commons from Michell Zappa's photostream)
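Red Hat's own checker is not reproduced on the page, so here is an added example, written for this post rather than taken from Red Hat, of the kind of check such a script has to do. It reads the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n'` and flags packages that are unsigned, signed by a key you do not trust, or whose exact signature appears on a vendor-published blacklist. The last check is the one that matters for this incident: the tampered packages carry a valid signature from the legitimate key, so checking the key ID alone would pass them. The sample rpm output, package versions, dates, key IDs and blacklist entries are all constructed for the example, not data from the advisory.

```python
import re

# Constructed sample of what this query prints on a RHEL 4/5-era box:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n'
# Package versions, dates and key IDs are made up for the example.
SAMPLE_RPM_OUTPUT = (
    "bash-3.0-19.example.x86_64\tDSA/SHA1, Thu 14 Dec 2006 03:55:40 PM CST, Key ID 0000aaaabbbbcccc\n"
    "openssh-server-3.9p1-0.example.1.x86_64\tDSA/SHA1, Tue 12 Aug 2008 09:11:13 PM CDT, Key ID 0000aaaabbbbcccc\n"
    "localtool-0.1-1.x86_64\t(none)\n"
    "foo-1.0-1.x86_64\tDSA/SHA1, Mon 18 Aug 2008 01:02:03 PM CDT, Key ID 0123456789abcdef\n"
    "gpg-pubkey-bbbbcccc-37ea5438\t(none)\n"
)

# Key IDs whose signatures we accept (hypothetical; take the real ones from the vendor).
TRUSTED_KEY_IDS = {"0000aaaabbbbcccc"}

# Exact package/signature pairs the vendor has declared bad (hypothetical).
# They are signed with the trusted key, so a key-ID check alone would pass them.
BLACKLISTED_SIGNATURES = {
    ("openssh-server-3.9p1-0.example.1.x86_64",
     "DSA/SHA1, Tue 12 Aug 2008 09:11:13 PM CDT, Key ID 0000aaaabbbbcccc"),
}

KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")


def check_packages(rpm_output, trusted_key_ids, blacklist):
    """Return (package, reason) for every installed package that is unsigned,
    signed by an unknown key, or carries a blacklisted signature."""
    findings = []
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        nvra, _, sig = line.partition("\t")
        sig = sig.strip()
        # gpg-pubkey entries are imported keys, not packages; rpm lists them unsigned.
        if nvra.startswith("gpg-pubkey-"):
            continue
        if not sig or sig == "(none)":
            findings.append((nvra, "unsigned"))
            continue
        if (nvra, sig) in blacklist:
            findings.append((nvra, "blacklisted signature"))
            continue
        m = KEY_ID_RE.search(sig)
        key = m.group(1).lower() if m else "?"
        if key not in trusted_key_ids:
            findings.append((nvra, "untrusted key " + key))
    return findings


if __name__ == "__main__":
    import subprocess
    import sys
    # With --live, query the real rpm database instead of the constructed sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        out = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n"],
            capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_RPM_OUTPUT
    for pkg, why in check_packages(out, TRUSTED_KEY_IDS, BLACKLISTED_SIGNATURES):
        print(pkg + ": " + why)
```

On the sample data the script flags the blacklisted openssh-server build, the unsigned local package and the package signed by an unknown key, and leaves bash alone. Run it with `--live` on a real host to check the installed set.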
Posted: 24 Aug 2008 02:34 PM CDT
An article over at Dark Reading entitled Hacking the Call Center got me thinking about some of the issues I have discovered with outsourcing call centers. I have written about one such issue here. I have found that business units assume that the call center is discrete with their data and that every customer is handled on separate systems. Nothing could be farther from the truth.
When you outsource call centers you may have your own phone numbers, assigned operators, and perhaps even a dedicated information system for tracking data. Let's assume best case scenario: How does the data travel to your "dedicated" server? Over their shared infrastructure? Yes! Now now, I know what you're about to say... "they could just put those operators on a separate VLAN, problem solved." Typically that would mean one of three scenarios:
So how do we solve some of these problems?
Posted: 24 Aug 2008 02:32 PM CDT
Bob Sullivan wrote a post titled "Are airline kiosks safe?" for The Red Tape Chronicles at msnbc.com last week that made me frown when I first read it. (Note: I'll give Bob Sullivan credit... at least he tried to be balanced, read on). On July 24th The Toronto Star broke a story titled "Airports a natural target for credit card fraud: Expert." Ok, airports are a target... so are discount retail chains and grocery stores... what's with the title? It turns out that Visa was investigating "isolated fraud incidents" that were occurring when people used the cards to check in to their flights and get their boarding passes. What drives me nuts is that the article spends almost 500 words scaring the bejeebus out of people when right in the middle of the article there is this gem of a quote:
"WestJet has cautioned against pinning the blame solely on the kiosks until the investigation is complete."
Eh? They didn't really know where the fraud was originating from; the banks (which do not usually have detailed information regarding POS (Point of Sale) location or IT infrastructure of organizations) were guessing that the kiosks were a logical place to start looking. Makes sense to me. But then the UPI picked up on the story with the albeit better title "Toronto airport credit card scam probed." Unfortunately, this article also takes the tack that it's better to scare people about swiping your card than to emphasize that the banks were investigating whether there was something to investigate.
Well, not long after the UPI story came out the security and travel blogosphere grabbed the ball and ran. With titles like these who wouldn't be scared about checking in at a kiosk?
Why am I picking on this particular news item? Well, just a few days after the initial story broke (five (5) days to be exact) CBC News reported that "No fraud linked to Toronto Pearson airport kiosks." Yes, that's right... they did an audit and found that there are "no confirmed cases of fraud currently at [Pearson] airport kiosks."
I scoured the blogosphere for follow-up articles giving the "all clear" to let people use credit cards in addition to their passports or PNR numbers to check in to their flight. I could only find a few stories in the Canadian press about it. At least there will be one article out there spreading the good news. Swiping your credit card (CC) at an airport kiosk is just as dangerous as storing your CC information online, swiping it at the grocery store, handing it to a waiter at a restaurant, etc. In other words, not really all that safe at all, but convenient.
Shout out to Howard for sending me the msnbc post.
Posted: 24 Aug 2008 02:32 PM CDT
The AP is reporting that the online-retail store Montgomery Ward was breached back in December, with between 51,000 and 200,000 credit card numbers, expiration dates, and CVV2 numbers taken. Details of the breach aren't widely known and it wasn't reported whether Direct Marketing Services [DMS], the company that purchased the Montgomery Ward name out of bankruptcy, was PCI DSS compliant.
None of that information is that troubling to me however. Breaches happen. We learn from them (hopefully) and move on. What irks me about this one is that DMS didn't notify their customers after the breach occurred. Since the penalties for non-disclosure are far less (non-existent in some cases) than the costs associated with replacing credit cards and monitoring up to 200,000 credit reports DMS did what companies do best: Act in their own self-interest, watch the bottom line, and hope nobody finds out.
Obviously there is no easy solution to this problem. DMS followed guidelines and notified banks of the breach. However, it is not mandated that the bank notify a customer that their information was potentially compromised. Disclosure is left up to the merchant that was originally hit and will ultimately pay for any and all costs associated with replacement of cards and monitoring of accounts.
Unfortunately, this is a case where the private market will not lead to an efficient outcome. Legislation is needed in order to hold companies accountable for the non-disclosure of private and financial information breaches. We will see proper disclosure of breaches when we start walking CIO's and CEO's out of headquarters in handcuffs and making the fines high enough to make full disclosure seem like a bargain. I hope companies start doing the right thing by their customers but I, for one, will hold my breath.
Posted: 24 Aug 2008 02:30 PM CDT
Great article in the London Times this morning entitled "We have the technology, but no security." Author Simon Davies goes through the laundry list of compromises that have hit the British government over the past year and correctly comes to the conclusion that it is a lack of standards, policy, and understanding about data security that leads to a culture of carelessness.
Hackers in Britain don't need to scan servers for vulnerabilities nor do they have to prepare "spear phishing" attacks to compromise desktops within the government... they just need to walk around the street and look for discarded DVDs and USB key drives. Their problems are definitely on the people and process side of the security triad (people, process, technology).
I hope someone in the British government takes control of the situation and institutes an educational program coupled with strong encryption and data access policies, with the necessary technical controls to help enforcement.
Posted: 24 Aug 2008 02:30 PM CDT
...and should they have to pay for it?
The Bush administration and the Department of Homeland Security have told the airline carriers that they will collect biometric information such as fingerprints from foreign travelers on their exit from the United States. I will refrain from discussing the political and social aspects of this request and instead will focus on the financial and technological aspects of such an idea.
The US-based airline carriers are facing record fuel prices, increased competition, price elastic demand, and a volatile customer base. If the administration forces the airlines to also fingerprint passengers, the additional infrastructure, storage, networking, and security costs would kill IT budgets. It could also cause the airlines that are close to the edge financially to either further pull back operations or perhaps file for bankruptcy.
Besides the financial burden this would place on the airlines, another question that must be asked is: why? Why should the airlines collect and maintain biometric records of their passengers? We currently have the federal government stopping people to check for both citizen/visa status and customs inspection at all ports of entry. Why can't we just turn some of those booths around the other way?
The DHS is already collecting fingerprints and taking pictures of people that visit the country. Why should the airlines duplicate the entire infrastructure costs that are associated with this program? The costs would include the purchase of fingerprint scanners, computer systems, programs, databases, and storage as well as an interface into the federal government system. The cost for putting these systems into each international airport will be huge, and will have to be duplicated by each airline.
This is the ultimate "pass the buck" program. The Bush administration and the DHS shouldn't place this undue burden on the airlines who will, in turn, pass the costs onto the consumer... that is, if the airline stays in business and continues to fly internationally.
Posted: 24 Aug 2008 02:28 PM CDT
Government Computer News (GCN) reported that the National Institute of Standards and Technology (NIST) recently released three draft guides for public comment before their official publication. From the article:
SP 800-107, titled "Recommendation for Applications Using Approved Hash Algorithms," is in its second draft release. It provides guidelines for achieving the appropriate level of security when using approved hash functions.
Draft SP 800-121, titled "Guide to Bluetooth Security," describes the security capabilities of Bluetooth technologies and gives recommendations on securing them effectively.
Draft SP 800-41 Revision 1, titled "Guidelines on Firewalls and Firewall Policy," updates the original publication released in 2002. It provides recommendations on developing firewall policies and selecting, configuring, testing, deploying and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based and personal firewalls.
I have begun reading and intend to comment on the firewall draft. From my first peek inside it seems very thorough and covers not only firewall policies and requirements but also architecture, rule selection, and life-cycle management.
Posted: 24 Aug 2008 02:28 PM CDT
Let me clarify before I begin... by "us" I mean IT as a community, not information security specifically. Now that I have that out of the way, let's discuss how our reliance on network firewalls, application firewalls, VPNs, encryption, etc. has made system administrators, architects, programmers, and yes, even us security-type folk lazy. Let me explain a bit.
Let's pretend for a moment that we didn't have AV, network firewalls, SSL, IDS, or any other security-specific solutions available to us. How would we design our information systems? How would we protect resources? How could we possibly defend our networks against attack? These are the questions I like to ask myself when I have to design a new security architecture, review a proposed design, or audit an existing system.
I am not saying we should design all of our systems with these questions in mind. I understand the fact that we have these wonderful network and system security tools at our disposal. Thus, we can adapt our architectures, designs, and programs to include these solutions. The problem I see is an over-reliance on these tools. As an industry we have moved away from pushing most of the security work to the system administrators and programmers. We have told them (implicitly) "Don't worry about it... we've got it covered."
So how do we fix it? How do IT professionals stop relying on "things" and start building security from the ground-up? How do we do this while increasing functionality, ease-of-use, and speed? In future installments of this series I will attempt to look at where IT professionals can focus their energies to begin "spreading the gospel" to the developers and administrators and have them buy into the idea of secure system from the start.
Posted: 24 Aug 2008 02:28 PM CDT
From the Wikipedia Article on Packet Sniffers:
A packet sniffer (also known as a network sniffer, network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.
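To make the "decodes and analyzes its content according to the appropriate RFC" part concrete, here is an added example (not part of the original post, and not code from any sniffer project) of the decoding step in Python: it walks one captured Ethernet frame through the IPv4 header (RFC 791) and the TCP header (RFC 793) down to the payload, and verifies the IPv4 header checksum on the way, which is how a sniffer tells a damaged or tampered header from a good one. The frame is constructed in build_sample_frame() with documentation-range addresses, not taken from a real capture, and the TCP checksum is left at zero because computing it needs the pseudo-header and is beside the point here.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words. Over a header whose
    checksum field is already filled in, a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame: bytes):
    """Ethernet II: 6-byte destination, 6-byte source, 2-byte EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}, frame[14:]


def parse_ipv4(data: bytes):
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
    }
    # Use total_len only to trim Ethernet padding; never read past the buffer.
    return info, data[ihl:min(total_len, len(data))]


def parse_tcp(data: bytes):
    (sport, dport, seq, ack, off_res, flags, window,
     _cksum, _urg) = struct.unpack("!HHIIBBHHH", data[:20])
    hdr_len = (off_res >> 4) * 4        # data offset, in 32-bit words
    info = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "window": window,
    }
    return info, data[hdr_len:]


def decode_frame(frame: bytes) -> dict:
    """Decode one captured Ethernet frame down to the TCP payload."""
    eth, rest = parse_ethernet(frame)
    result = {"eth": eth, "ip": None, "tcp": None, "payload": b""}
    if eth["type"] != ETHERTYPE_IPV4:
        result["payload"] = rest
        return result
    ip, rest = parse_ipv4(rest)
    result["ip"] = ip
    if ip["proto"] != IPPROTO_TCP:
        result["payload"] = rest
        return result
    tcp, payload = parse_tcp(rest)
    result["tcp"] = tcp
    result["payload"] = payload
    return result


def build_sample_frame() -> bytes:
    """Constructed frame: a plaintext HTTP request from 192.0.2.10 to
    198.51.100.20:80 (documentation address ranges). Not a real capture."""
    eth = bytes.fromhex("001155667788" "00aabbccddee") + struct.pack("!H", ETHERTYPE_IPV4)
    payload = b"GET / HTTP/1.0\r\n\r\n"
    # TCP: data offset 5 words, flags PSH|ACK; checksum left at 0 (see lead-in).
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


if __name__ == "__main__":
    print(decode_frame(build_sample_frame()))
```

Flip any header byte of the sample frame and checksum_ok turns false; a frame with a non-IPv4 EtherType comes back with the IP and TCP layers set to None and the raw bytes as payload, which is where a fuller sniffer would dispatch to an ARP or IPv6 decoder.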
Posted: 24 Aug 2008 02:28 PM CDT
The net is abuzz about how ICANN & IANA were redirected for a short time on Friday. The Turkish hacker group NetDevilz posted the following message on icann.com, icann.net, iana.com, and iana-servers.com:
"You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us? haha :)"
The hackers aren't saying how they pulled off the attack but smart money is on some sort of code injection. I can't imagine why every Internet-facing site isn't scanned daily for SQL Injection, XSS, CSRF, and similar vulnerabilities.
The reason why we (the good guys) should be scanning daily is that they (the bad guys) are already performing the scans and will pounce within seconds of spotting a soft spot.
The administrators got the sites back online within 20 minutes, but imagine if the hackers hadn't publicly exposed the hack but instead started delivering malware or altering data. Scary stuff when it comes to organizations that manage the Internet's core infrastructure (routing & DNS).
Posted: 24 Aug 2008 02:25 PM CDT
The Payment Card Industry (PCI) Security Standards Council has pre-released its highly anticipated Data Security Standard (DSS) version 1.2. The standard is due to be officially released in October of this year (2008), but the Council wanted to give businesses a chance to examine the changes and begin re-architecting half the stuff they hurriedly put in place this year in order to meet the June 30 deadline for 1.1. Enough of my babbling, on to the good stuff:
Posted: 24 Aug 2008 02:24 PM CDT
Mike Rothman wrote an interesting article titled "Security certifications: Are they worth the trouble?" at SearchSecurity.com. His take is pretty close to the one I have, and his experience is in line with what I have experienced in my years within the IT field. From the article:
I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do.
I don't have a CISSP, nor have I earned a CEH, CISA, Security+, etc. Quite honestly I am too busy to study for any of them. I have found a few types of "certified" folks out there:
I think what is beginning to happen with security certifications is what has happened with Cisco certifications and college degrees... so many unqualified, uninterested, and incompetent people have been attaining the high level certs that they are becoming almost worthless as a selection criteria of value or knowledge.
That being said, I would actually consider a certification that still meant something like the CISSP (but that is changing by the day) or a newer, lesser known SANS certification (management or technical tracks... I still haven't decided which direction I want my career to go). Of course that would put me in the first type of certified professional I listed above ;)
Posted: 24 Aug 2008 02:24 PM CDT
Stuart King wrote an excellent post at computerweekly.com regarding how to reduce the cost of information security. His points are spot on and very similar to things I have been bringing up at work over the past few months. My organization in particular is being hit particularly hard due to current economic conditions so it is imperative that I show value for every dollar I spend, perform thorough risk analysis on new projects, and evaluate existing security projects, services, and infrastructure for cost savings. Of course I have to do all this while maintaining (or improving) the current security posture of the enterprise.
Posted: 24 Aug 2008 02:24 PM CDT
For your reading pleasure: a guest op-ed piece in Ryan Naraine's Zero Day blog at ZDNet.
A recent blog proclaiming that Twitter could soon become a rival to PayPal made me shudder in fear. The blog author postulated that Twitter could offer a method to transfer money between users via "tweet." After reading these posts I thought to myself, "Cool, what a super convenient Web 2.0-ish way to lose my money!"
Posted: 24 Aug 2008 02:24 PM CDT
I read this article over at Errata Security and this article over at un-excogitate.org about Blizzard (makers of StarCraft and World of Warcraft) selling security token devices for €6 on their European website. In a nutshell, you have a small device that displays a random six-digit number that corresponds to a number on a login server. Coupled with a username and password it meets the standards of two-factor authentication (something you know and something you have). The general sense I get from these two blogs and others I have read on the subject is that banks and other institutions should be providing similar tokens to their customers. For instance:
If Blizzard is able to offer One Time Password Tokens for a MMORPG platform, then there is no longer a reason why your financial institute doesn't offer the same.
I agree with the sentiment but I wanted to start a conversation regarding why you won't be seeing these tokens in the mail from your bank any time soon. The reasons why most banks, e-commerce sites, and even corporate VPN connections aren't protected by two-factor authentication break down into a few categories:
Perhaps there needs to be an OpenID style system of purchasing a security token that is centrally managed and can be accessed by multiple businesses. Verisign was demonstrating that very technology at the RSA conference this year. But until the technology becomes ubiquitous and cheap keep your passwords strong and your cookies safe.
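How the six digits on the token end up matching the number the login server expects is worth seeing in code. Below is an added example of the HOTP scheme from RFC 4226, written for this post; it is not Blizzard's or any vendor's implementation. Token and server share a secret and a counter, both compute HMAC-SHA-1 over the counter, and the dynamic truncation yields the six digits. The HardwareToken and TokenServer classes, the look-ahead window of 10 and the replay scenario in demo() are my assumptions about how such a deployment is usually built; the shared secret is the RFC 4226 Appendix D test-vector key, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HardwareToken:
    """The device on the keyring: a shared secret and a counter that advances
    on every button press, whether or not the code is ever typed in."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Server side: the same secret, its own counter, and a look-ahead window so
    a few unused presses do not lock the user out (assumed window of 10)."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for step in range(self.look_ahead):
            expected = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(expected, code):
                # Jump past the accepted counter so the same code cannot be replayed.
                self.counter += step + 1
                return True
        return False            # counter untouched on failure


# Shared secret from the RFC 4226 test vectors; a real token gets a random
# per-device secret provisioned at manufacture.
RFC4226_SECRET = b"12345678901234567890"


def demo():
    """Two presses are wasted, the third is used, then replayed."""
    token = HardwareToken(RFC4226_SECRET)
    server = TokenServer(RFC4226_SECRET)
    token.press()
    token.press()
    code = token.press()                  # counter 2 on the token
    first = server.verify(code)           # accepted through the look-ahead window
    replay = server.verify(code)          # rejected: server counter has moved on
    return code, first, replay


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    print(demo())
```

With the RFC secret the first three codes are 755224, 287082 and 359152. The two things a practitioner wants from the server side are visible in verify(): the window absorbs presses that never reached the server, and advancing the counter past the accepted value is what makes a captured code worthless a second later, which is the property a static password never has.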
You are subscribed to email updates from Security Bloggers Network.
Email delivery powered by FeedBurner.