Belgian Security Blognetwork

Stupid Compiler? Not sure! [/dev/random]

Fri, 17 Jul 2009 07:08:37 -0700

A nice story reported by ISC today! A Linux kernel vulnerability has been discovered in the Linux kernel (and was present for a while IMHO!)

The vulnerability origin was not the “human being the keyboard” but the compiler! GCC, the GNU C compiler has lot of optimization features (If you are interested, have a look at this article from the LinuxJournal.com about GCC optimizations).

As explained on the ISC diary page, the vulnerability was very difficult to detect while reading the source code. It’s due to an optimization by the compiler: GCC decided to skip a condition block, enabling a security breach in the code.

A new vulnerability is never good but what else can we “learn” from this story? The Linux code is constantly reviewed by hundreds of developers and the problem described here was very difficult to detect. That’s why you need multiple lines of defenses: You cannot rely only on a strong source code audit, you have to take other countermeasures. Also, can you trust the tools you use on a daily purpose? Who knows exactly what kind of optimizations are performed by the GCC compile when optimization is enabled? GCC is used by thousands of developers every day and, for sure, the same kind of vulnerability exists in other applications. Keep this in mind!

Source: http://isc.sans.org/diary.html?storyid=6820

Nmap 5.00 Released with new additions: ndiff, ncat; nse and better performance!!! [Security4all]

Security4all — Thu, 16 Jul 2009 17:50:00 -0700

This is awesome news. Nmap version 5.00 has been released. It is the first major release since 4.50 in 2007. Here is a more detailed overview of the changes.

To have a quick glance, here are the top 5 improvements in Nmap 5:

The new Ncat tool. It will do data transfer, redirection, and debugging.
Ndiff is a scan comparison tool. It will make it easy to automatically scan your network daily and report on any changes
Nmap's 5.0 performance has improved dramatically.
Nmap Network Scanning, the official Nmap guide to network discovery and security scanning.
The Nmap Scripting Engine (NSE) . It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more.

This just looks awesome. Playing with NMAP 5.0 goes on to my TODO list for the next month!

(Photo under creative commons from libraryman's photostream)

Virtual Money with Real Risks? [/dev/random]

Thu, 16 Jul 2009 14:13:31 -0700

The financial group ING announced a partnership with NetLog, the Belgian social network website.

On a marketing point of view, this is a good action to attract young potential customers. ING (one of the top-3 bank in Belgium) will catch them on Netlog hoping that, later, they will switch to the real world by using real banking services with ING.

ING will provide virtual money (called “credits”) to all NetLog users. Classic operations will be available: receiving credits when performing special actions (like using a credit card, by SMS, etc) and buying online services with them. Of course, ING will have a virtual office on NetLog where financial operations will be performed.

But… What about the security? Big communities like NetLog (500K Belgian users according to the website) are potential targets for phishing attacks. The NetLog users database could also become a target. Fortunately, it seems that it won’t be possible to sell “credits” to receive money. But anyway, message to the future ING virtual money users: Take care!

Check out the official page in French or Dutch.

Your Regex Coach [/dev/random]

Thu, 16 Jul 2009 13:16:08 -0700

Click to enlarge

Regular expression (or regex) [Wikipedia] are a very powerful method to parse data and extract the information you need. But a regular expression can quickly turn into a nightmare due to its complexity. I often use a memo but testing the regexp live is the quickest way to debug them.

Edmund Weitz wrote a nice tool called “Regex Coach” which does exactly I wanted. The last version of his tool runs only on Windows operating systems. According to the author, the Linux version had less success and took time to be maintained. Sad!

Check http://weitz.de/regex-coach/ for details and installation instructions. A great tool!

According to Child Support groups, Net filtering is a waste of money [Security4all]

Security4all — Wed, 15 Jul 2009 04:34:00 -0700

Australia was one of the first countries to deploy massive Net filtering. The main reason was to fight online child pornography (as usual reason). Now the Children support groups are criticizing the measure.

In a joint statement with lobby group GetUp, both Save the Children Australia and the National Children's & Youth Law Centre believe the resources could be better spent on law enforcement agencies battling to eradicate child pornography on the internet. (from Australian IT)

So why have these Net filters at all? The following wikileaks article caught my eye: Australia secretly censors Wikileaks press release and Danish Internet censorship list, 16 Mar 2009

The first rule of censorship is that you cannot talk about censorship.

In late 2008, Wikileaks released the secret Internet censorship list for Denmark, together with a press release condemning the practice for lack of public or judicial oversight. Here's an extract from the press release:

The list is generated without judicial or public oversight and is kept secret by the ISPs using it. Unaccountability is intrinsic to such a secret censorship system.

Most sites on the list are still censored (i.e must be on the current list), even though many have clearly changed owners or were possibly even wrongly placed on the list, for example the Dutch transport company Vanbokhorst.

The list has been leaked because cases such as Thailand and Finland demonstrate that once a secret censorship system is established for pornographic content the same system can rapidly expand to cover other material, including political material, at the worst possible moment -- when government needs reform.

Two days ago Wikileaks released the secret Internet censorship list for Thailand. Of the 1,203 sites censored this year, all have the internally noted reason of "lese majeste" -- criticizing the Royal family. Like Denmark, the Thai censorship system was originally promoted as a mechanism to prevent the flow of child pornography. (Source: wikileaks)

Emphasis added by myself. So why do these lists need to be kept secret? When wikileaks released the secret Australian censorship list, it seemed that "half of the sites on the list are not related to child porn and include a slew of online poker sites, YouTube links, regular gay and straight porn sites, Wikipedia entries, euthanasia sites, websites of fringe religions such as satanic sites, fetish sites, Christian sites, the website of a tour operator and even a Queensland dentist." (source: boingboing.net)

So who decides what gets on this list. If they have the possibility, they WILL use these systems as "they" see fit. So common sense hasn't set in yet. The next country to jump into the deep end is New Zealand.

If you thought that net filtering and grandiose firewalls were the exclusive preserve of West Island (or "Australia", as the locals like to call it), think again. New Zealand is showing that it, too, is ready to play its part in the great Antipodean censorship stakes.

Last week, the Department of Internal Affairs (DIA) announced it was setting up a filter system that will allow internet service providers to stop people accessing child pornography.

The filter system has already been trialled in hundreds of thousands of New Zealand households, and Internal Affairs deputy secretary Keith Manch confirmed that the voluntary system will block access to around 7000 websites carrying images of child sexual abuse. (Full story at The Register)

In the end, criminals will circumvent these filters and citizens will be limited by secret black lists in what they can view and what not. Money down the drain. And a step closer to totalitarian states.

Related posts:

(Photo under creative commons from S@Z's photostream)

1500 deaths from this new flu foreseen in Belgium [belsec]

Wed, 15 Jul 2009 01:34:54 -0700

Well this what our head of the Influenza agency is saying.

He said that one third of the population would be infected (3 million) and that 0.05 percentage would die. Which makes about 1500 people.

Meanwhile the army is distributing 900.000 masks (for 3 million infected people, will we re-use them ?) and 90.000 doses of Tamuflu (is this the total number of vulnerable people ?) around the country.

It are the communes that are responsable for the crisisplanning on their territory. I presume that a city like Antwerp will know what to do because it already has Seveso installations on its territory, but what about the small communes or where there were untill now no real reasons to have such a pandemie planning ?

This is not a pandemie, this is paniekemie.....

Maybe they have understood that the consequences of this virus is nothing like we have seen before in our lifetime.

Or after the lost months of communcating that there is no problem, they are really gong so much in overdrive that it seems as if the huns are at our borders and that they will take our country by storm in the next few days.

New securitywarnings and updates and more [belsec]

Wed, 15 Jul 2009 01:21:27 -0700

http://insecure.skynetblogs.be

* zeroday for Firefox and fixes

* patches for Microsoft to install

and

More proxies on the proxy blog

More books on the ebooks blog

More clips on the musicmix blog

More films on the belsectv blog

Oracle & Microsoft Patch Tuesday and a Firefox 0-day [Security4all]

Security4all — Tue, 14 Jul 2009 18:26:00 -0700

Yes, only a day after the discovery of an Internet Explorer ActiveX (Office) 0-day, it's time for black Tuesday with a surprise. (see previous post)

For the Microsoft patch overview, the one from Swa Fransen over at SANS ISC is still advisable.

Then Oracle followed suit with their quarterly patch cycle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

And to finish, an exploit was posted to milw0rm (who came back) that affects Firefox 3.5 and possible earlier versions. The mozilla blog above has a workaround by temporary disabling the javascript.options.jit.content setting in about:config. Additionally, using NoScript stops it as well, successfully detecting the PoC’s attempt to access file://.

Be safe.

Related posts:

(Photo under creative commons from Libby's photostream)

Fake OpenSSH 0-day, don't run 0pen0wn.c [Security4all]

Security4all — Tue, 14 Jul 2009 17:52:00 -0700

There were some rumors of an 0-day OpenSSH vulnerability doing the rounds. It seems this was just a hoax. Compromised systems were due to brute force attacks.

Damien Miller (openSSH) responded that he still has not gotten a single piece of evidence of a 0-day exploit. He summarizes some of the possible attacks and argues that its very unlikely that openSSH can be compromized in those ways. It seems that the actual hacks were brute-force password attacks that actually succeeded. (Source: secgeeks)

Fueled by this hoax, the anti-sec group released some fake shellcode. As some victims that tried it and quickly found out, it will trash your system. So don't run it. If you want a detailed analysis of the shellcode disssasembled, Thierry Zoller posted a good analysis on his blog.

The anti-sec group is also known for the Astalavista and Imageshack incident. See also "Hacker group declares war on the security industry" (Heise)

(photo under creative commons from quinn.anya's photostream)

Looking for Wi-Fi? [/dev/random]

Tue, 14 Jul 2009 15:31:34 -0700

Click to enlarge

This afternoon I was looking for a Wi-Fi hotspot!

arbor networks Belgacom network with high number of attacks [belsec]

Tue, 14 Jul 2009 05:36:09 -0700

The Belgacom network has a high number of attacks for the moment. It is mostly from infected stations that are surfing because there is not enough sun and nothing on tv :)

On the international scale the intensity of the attacks for each subnet is

CN (China) 433.73
BE (Belgium) 59.51

Most are from Belgacom networks.

The attacking posts were

    91.181.85.19 (19.85-181-91.adsl-dyn.isp.belgacom.be)     13.31

    87.66.219.9 (9.219-66-87.adsl-static.isp.belgacom.be)     8.71

    91.181.84.15 (15.84-181-91.adsl-dyn.isp.belgacom.be)     2.89

    80.200.209.109 (109.209-200-80.adsl-dyn.isp.belgacom.be)     1.86

    80.200.223.153 (153.223-200-80.adsl-dyn.isp.belgacom.be)     1.68

    81.242.197.33 (33.197-242-81.adsl-dyn.isp.belgacom.be)     1.62

    91.181.237.2 (2.237-181-91.adsl-dyn.isp.belgacom.be)     1.49

    81.240.155.23 (23.155-240-81.adsl-dyn.isp.belgacom.be)     1.16

    80.200.217.99 (99.217-200-80.adsl-dyn.isp.belgacom.be)     0.97

    80.200.136.118 (118.136-200-80.adsl-dyn.isp.belgacom.be)     0.96

and there is even a botnet control center on their network which makes it even easier to believe

source arbor networks

Announcing the early bird ticket winner [BruCON]

Security4all — Tue, 14 Jul 2009 05:47:00 -0700

Mr. Erik Vanderhasselt is the lucky winner of the Offensive Security course. We congratulate him and will send him further details soon. In addition, we want to thank Offensive Security for offering...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Active exploitation of Office Web Component ActiveX vulnerability. ISC level raised to yellow. [Security4all]

Security4all — Mon, 13 Jul 2009 17:48:00 -0700

A critical security vulnerability in an Office Web Component that allows attackers to gain control of a Windows PC has been identified (Microsoft Security Advisory 973472). When using Internet Explorer, code execution is remote and may not require any user intervention.

According to Microsoft and the SANS Internet Storm Center, this vulnerability is being exploited in the wild. SANS ISC Threat level has been raised to yellow to raise awareness of this issue.

Currently there is no update but Microsoft has released a Fix-it tool to disable the vulnerable control in Internet Explorer.

This tool probably sets the two CLSIDs you need to set the killbit:

{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}

The following twitter account is relaying up to date information:

http://twitter.com/sans_isc_fast

The latest tweets reported millions of computers being infected in China. If you're not a twitter user, you can also monitor the Twitter account through this RSS feed.

Alternatively to setting killbits, you can switch to an alternative browser.

This advisory discusses the following software.

Affected Software

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office XP Web Components Service Pack 3
Microsoft Office 2003 Web Components Service Pack 3
Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2006
Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Microsoft Office Small Business Accounting 2006

Non-Affected Software

Microsoft Office 2000 Service Pack 3
2007 Microsoft Office Suite Service Pack 1 and 2007 Microsoft Office Suite Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Microsoft Forefront Threat Management Gateway, Medium Business Edition
Microsoft Internet Security and Acceleration Server 2000 Service Pack 2

(Photo under creative commons from TedRheingold's photostream)

HostileWRT: the misconceptions about the Hadopi Router [Security4all]

Security4all — Mon, 13 Jul 2009 17:25:00 -0700

So the three strike law has been passed in France (slashdot). In my previous blogpost I mentioned an article about the Hadopi router. A firmware made to infect routers, reroute traffic through other routers and infect those as well, just to challenge the Hadopi law.

The whole story first launched by a French newspaper, seems to have been one big misconceptions. The Hadopi router firmware is actually HostileWRT, it's based on openWRT and can automate the cracking of wireless security passwords. It's intention was to prove the insecurity of wireless network and has nothing to do with the Hadopi law. Who, by the way has become worse, because in this form, instead of getting disconnected from the net, can lead up to 3 years in jail.

For other sources, check Be carefull what you read about the Hadopi router (CrunchGear).

(Photo under creative commons from inju's photostream)

Use the Right Words! [/dev/random]

Mon, 13 Jul 2009 13:34:29 -0700

Security awareness messages must target the right persons. But they need to target them using the right words! Be sure to adapt your messages to keep them understandable by all your audience.

Click to enlarge

Quickpost: TrueCrypt’s Boot Loader Screen Options [Didier Stevens]

Sun, 12 Jul 2009 17:26:34 -0700

Ready for some Security Through Obscurity fun?
I’ve been playing with TrueCrypt’s Boot Loader Screen Options to display a custom message when I boot my laptop with full disk encryption.

It’s probably enough to be misleading during a casual inspection of your laptop:

The screen doesn’t even display asterisks when you type your TrueCrypt password.
It’s just as unresponsive as the original “NTLDR is missing” screen.
The only difference with the Windows XP NT Loader missing message, is that the original is just a bit longer:

Or you can just let it display gibberish, like this:

And if challenged, say your laptop was infected with a virus from that damned hotel’s WiFi network.

Quickpost info

Malware experts are strange people ... [WAVCI]

noreply@blogger.com (Eddy Willems) — Sun, 12 Jul 2009 02:07:00 -0700

This is what I hear sometimes. I must admit that we all sometimes have some strange habits but isn't that normal as a human. I have showed to the public this year a lot of times what a real analyst or expert is doing. In my presentation 'A Virusanalyst in 15 Minutes' I'm showing the real life of an expert which is not always that amazing... shortly you will find on my press page also the original article I wrote about this presentation. It's more or less some kind of whitepaper and a guide how you can do some pre-analysing stuff.
I'm now 2 weeks back from our analyst meeting trip in Dubrovnik and you can find pictures of it at this link of my website. Most of it are some touristic pictures, some pictures are showing some experts in some strange situations. And definitely our 10the Kaspersky Virus Analyst Meeting combined with the press tour was very nice this year!
At least the price for the most strange-humorous picture goes to Michael Molsner(my German-Japanese colleague): a perfect example how practical a malware expert can be!
Michael I own you a pint ...

Big Brother 2009: Has the rebellion started? [Security4all]

Security4all — Fri, 10 Jul 2009 10:48:00 -0700

A lot of legislation and surveillance measures have appeared these last years that endanger the civil rights and liberties of the people. Measure like the EU Dataretention, internet filtering or the three strike law (for example in France: HADOPI) are all measures that are starting to make me shiver.

Are we slowly evolving to a censorship system akin to the Chinese Great Firewall? A lot of these measures are implemented either to combat child pornography or terrorism. But is it the right way? What are we sacrificing?

More and more awareness about this issue is being raised and more projects have started to circumvent censorship of any kind. The CCC already had Tor on a stick called the Freedom stick for the people in China and other repressive states.

Some of the internet filters are based on DNS filters which can easily be bypassed by setting up your own DNS server or using OpenDNS, a freely available DNS service.

Two recent projects have arisen as a protest against Dataretention and the three strike law respectively: Smallsister.org and the HADOPI router firmware (boingboing.net).

Smallsister is aimed at anonymizing email:

At this point one issue has caught our immediate attention and that is data retention. This legal tools forces Telephony and Internet Service Providers to store information on their users. For instance who is behind an Internet-address or a telephone number. Not only that it also requires to register who tried to call whom and who has been e-mail whom. For users that would mean that certain things can’t be secret anymore. For instance: a whistle blower should go through a great pain to reach a journalist to break a story that would correct wrong. Or what about a company that tries to do a deal and fears to be frustrated by a foreign government that would pass information on to a local, competing company (as happened with Airbus and Boeing for instance). We intend to do something about that. So we look at anomizing e-mail. (source: smallsister.org)

The HADOPI router is aimed at proving that an IP address is not a good identifier to link to people. Law cases of the RIAA suing people that didn't even own a computer proved that case quite well. ~~Although I'm a bit divided by the method that the HADOPI firmware uses (cracking wireless keys) and re-routing packets through the routers of neighbours.~~ (update here) It does prove a point that laws shouldn't be used to fix broken business models.

So are governments starting an uphill battle about control of the internet? I know only one thing, if kids can bypass school filters by using DNS VPNs and anonymous proxies, people will find a way to bypass this as well.

How can we educate governments that this is the wrong way?

(sarcasm) Yes, we are living in a world where people using linux are found to be suspicous! (/sarcasm) Click the link, it's a real story!

Related posts:

(Photo under creative commons from dolescum's photostream)

Club Mate available @ BruCON [BruCON]

Security4all — Thu, 09 Jul 2009 07:07:00 -0700

Due to popular demand, we will serve Club Mate at BruCON. Club Mate is a caffeinated carbonated Mate-extract beverage. For more info on the beverage, click here.

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Patching PDF Readers to Support Hidden Embedded Files [Didier Stevens]

Mon, 06 Jul 2009 13:27:54 -0700

Today, I’m showing you how you can patch your PDF reader (Foxit or Adobe) to handle PDF documents with hidden embedded files. And for Foxit, there’s a bonus: Foxit Reader can also embed files into existing PDF documents.

In my stego PDF trick, I just replace the name /EmbeddedFiles with /Embeddedfiles in the PDF document. As the PDF language is case-sensitive, your PDF reader doesn’t recognize /Embeddedfiles, and hence doesn’t handle the embedded file. PDF readers are designed to skip features of the PDF language they don’t understand (i.e. new features of the PDF language), so that’s why you don’t get an error message from your PDF reader for /Embeddedfiles.

If you search for the string EmbeddedFiles in the binaries of your PDF reader and replace it with Embeddedfiles, it will handle PDF documents with hidden embedded files (but it will stop supporting PDF documents with visible embedded files).

Doing this for Foxit is easy, as there’s only one binary, Foxit Reader.exe. Open it with a hex editor and search for EmbeddedFiles:

Replace it with Embeddedfiles and save it:

That’s it, now you use your patched Foxit Reader to reveal hidden embedded files:

And have you noticed the Add button? Foxit Reader also provides support to add embedded files to existing PDF documents! So you’re not limited to using my Python program to create your own PDF documents.

For Adobe Reader, the trick is the same. Open AcroRd32.dll in a hex editor and do a search and replace (I had to patch 2 instances of of EmbeddedFiles).

Regulating computer security [Eternal sunshine of the geeky mind]

noreply@blogger.com (An Hilven) — Mon, 06 Jul 2009 05:52:00 -0700

Jack Goldsmith (New York Times) pleads for a government regulation of computer security. I do agree with him that some regulations should be implemented, also in Europe. We already have laws saying that if you don't lock the doors of your house or your car door, you're responsible for the consequences. But not every computer or network breach can be avoided by regulations, and users can't always be kept responsible. For example, one can't expect from the everyday user to protect himself from zero-days. I would however regulate the fact that users should have at least a firewall and anti-virus, and that signatures should be updated on a regular basis. Then if a user would for example be victim of a zero-day, and his computer is used for larger attacks, at least he can say "I had signature version such-and-such", and it can be deducted that his anti-virus did not yet protect against this threat at that specific time or date. I think at least a user should have an up-to-date anti-virus and firewall, and if they don't they can be kept responsible.

Reconstructing Meterpreter sessions from memory [Eternal sunshine of the geeky mind]

noreply@blogger.com (An Hilven) — Mon, 06 Jul 2009 05:51:00 -0700

Peter Silberman and Steve Davis (both from Mandiant) found a method to discover the use of Metaspl0it's Meterpreter and how to construct the session, uncovering the attacker's tracks. They will present their findings at Black Hat this summer.

" During this talk we discuss accessing physical memory for the purpose of acquiring a specific processes’ address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory resident modules. We describe in detail how meterpeter operates in memory and specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited processes’ memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session – completely from memory – and determine what the attacker was doing on the exploited machine. "

Facebook as a threat to life [Eternal sunshine of the geeky mind]

noreply@blogger.com (An Hilven) — Mon, 06 Jul 2009 05:50:00 -0700

Sir John Sawers, the new head (as of November 2009) of British Secret Intelligence Service (better known as MI6), is currently experiencing first hand the possible negative consequences of social networking. His wife posted personal pictures and address information on Facebook without protecting her profile. An investigation is ongoing to verify if Sawers can still assume his new function, as there is fear for the security of his family and friends after this information was leaked.

Source: ZDNet

Managing the Human Factor in Information Security [Eternal sunshine of the geeky mind]

noreply@blogger.com (An Hilven) — Mon, 06 Jul 2009 05:49:00 -0700

For all of us security adepts out there blaming it all on 'the user', David Lacey wrote a book recently about managing our layer 8 problems!

Embedding and Hiding Files in PDF Documents [Didier Stevens]

Tue, 30 Jun 2009 23:28:14 -0700

My corrupted PDF quip inspired me to program another steganography trick: embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader.

The PDF specification provides ways to embed files in PDF documents. I’m releasing my Python program to create a PDF file with embedded file (I used make-pdf-embedded.py to create my EICAR.pdf).

Here’s how a PDF document with an embedded file looks like:

/EmbeddedFiles points to the dictionary with the embedded files:

As names defined in the PDF specification are case sensitive, changing the case changes the semantics: /Embeddedfiles has no meaning, and thus the PDF reader ignores it and doesn’t find the embedded file.

Actually, I used this trick in my Brucon puzzle. I used the –stego option of make-pdf-embedded.py:

Of course, once you know the stego trick, it’s easy to recover the embedded file: edit the PDF document with an hex editor and change the case back to /EmbeddedFiles.

But if you want to make it harder to detect, use PDF obfuscation techniques. Or embed the file twice with incremental updates. First version is the file you want to hide, second version is a decoy…

The PDF language offers so many features to hide and obfuscate data!

Download:

make-pdf_V0_1_2.zip (https)

MD5: 305D57692C27DD3CD91D8C85A3932948

SHA256: A030BBCB8B54137D8047A4CB5C350725599383A4B113CABBA8871AC221378C5B

A small contest: win a discount and some free stickers (updated) [BruCON]

Security4all — Tue, 30 Jun 2009 05:59:00 -0700

To give our visitors a small sample of "The Hex Factor", we are doing a little contest. Here is a file from the reverse engineering track. There is a hidden message within the file. The first person...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

MessageBox Shellcode [Didier Stevens]

Mon, 29 Jun 2009 22:40:34 -0700

Per request, I release my assembly code I’ve used in my previous blogposts to display a message box when the injected shellcode gets executed. It’s nothing special, but it will save you some time when you need a similar program.

Assemble the code with nasm like this:

nasm -o sc-mba-hello.bin sc-mba-hello.asm

I use the DLL locating code published in The Shellcoder’s Handbook, you can find it in the include file sc-api-functions.asm. MessageBoxA is located in user32.dll, this dll has to be loaded in the process you’re injecting with sc-mba-hello.

sc-ods.asm is a similar program, calling OutputDebugStringA in stead of MessageBoxA.

Download:

my-shellcode_v0_0_1.zip (https)

MD5: F215B29BA3C8F24CFBA5C24BED65B68A

SHA256: EA1DB8028954CEB18B8AD2EB37CA6BA0CD7CDC6B9A64F10561382152701C013F

The shellcode:

Quickpost: Time Lapse Photography With a Nokia Mobile [Didier Stevens]

Sun, 28 Jun 2009 19:20:23 -0700

Did you know Nokia mobile phones with the S60 platform can be programmed in Python? During my last holiday, I wrote a small program for time lapse photography with my mobile. Here is the result, showing tidal ebbs and flows in Saint-Vaast-la-Hogue and Cancale:

This is the Python program I wrote to take a picture every minute:

#!/usr/bin/python __description__ = 'Tool to take pictures with a Nokia phone at regular intervals'
__author__ = 'Didier Stevens'
__version__ = '0.1.1'
__date__ = '2009/06/22' """ Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk History: 2009/06/17: start 2009/06/22: refactoring Todo: Get Threading to work
""" import camera
import time
import os timelapseFolder = 'e:\\timelapse\\'
sleepTime = 57 def TakeAndSavePicture(): global timelapseFolder now = '%04d%02d%02d-%02d%02d%02d' % time.localtime()[0:6] pic = camera.take_photo() pic.save(os.path.join(timelapseFolder, now, '.jpeg')) print 'Picture taken: %s' % now def Main(): global timelapseFolder global sleepTime print 'Timelapse photography started' if not os.path.isdir(timelapseFolder): os.mkdir(timelapseFolder) print 'Timelapse folder created: %s' % timelapseFolder print 'Wait between pictures %d' % sleepTime while True: TakeAndSavePicture() time.sleep(sleepTime) if __name__ == '__main__': Main()

And then I use Avisynth to combine the jpeg pictures in a movie like this (I join pictures 00001.jpg through 00197.jpeg, 5 per second and produce a 25 fps movie):

ImageSource("%05d.jpeg", 1, 197, 5).ChangeFPS(25)

Quickpost info

Closing early bird tickets and a few days extensions [BruCON]

Security4all — Fri, 26 Jun 2009 06:05:00 -0700

Since some of our mailings only went out at the last moment, we are extending the early bird tickets with a few days. To be eligible for early bird fees, you have to register on the 3rd of July at...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Two weekly Volunteer meeting [BruCON]

Security4all — Tue, 23 Jun 2009 15:05:00 -0700

Just a reminder for the volunteers that tomorrow (Wednesday evening) 18:30 is our two-weekly meeting. All the dates and location or other information is available on the volunteer part of the...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Planning for Pandemics ? [The Security Kitchen]

Mon, 22 Jun 2009 16:59:24 -0700

Today I attended a local ISSA event, which featured a presentation by Marc Vael on Pandemic Continuity during Phase 6.

As you are all aware, the WHO has recently raised the pandemic alert for the Influenza A H1N1 strain to level six .

A Pandemic can have effect on your business and it is worth looking out for what you can do to mitigate that impact but imho, there’s some caveats too.

While pandemic influenza is hot news, it still is an event that happens about every 50 years. Let’s do some math, starting from the known pandemic casualty numbers. The Spanish flu in 1918/19) killed 50 million people worldwide. there were 1,6 billion people alive at that time. That’s about a 3% mortality rate. 500.000.000 were actually infected, meaning 30%. In our current day and time, about 2 billion people would be infected and an estimated 6.000.000 people would actually die from the disease.

Let’s see what impact this may have on our company … of 2000 employees. 600 may become ill, over a period of 2 years. Not everybody will get ill at the same day, Not everybody will be absent for the same amount of time, but about 60 employees will not return to their desk after they became sick. 600 absentees for an average period of 2 weeks, that’s 6000 mandays lost. at $30 an hour, this results in $1,4 mio lost, gone, down the drain. Additional losses can occur, business will slow down eventually so let’s double that number : $2,8k lost, gone, down the drain. But wait … the chance that it happens … was once every 50 years !! That would actually mean that you can spend about $56k/year on pandemic planning …

That’s NOT A LOT FOLKS !! ok, it’s a basic calculation … but still : What the FUD ? There is not a lot of working groups you can fund with that over a prolonged period of time and it sure doesn’t buy a lot of Tamiflu doses, operational masks, gloves, soap, …

IMHO, if you have to start planning for a Pandemic now, you’re too late. 70 to 80% of what you can do in case of a pandemic should already be in your BCP Strategy. That is, if you have one

BTW, Brian Honan of BHConsulting.ie has written a blogpost on what you can actually try to do during pandemic situations : http://bhconsulting.ie/securitywatch/?p=664

The fight against Cybercrime. [WAVCI]

noreply@blogger.com (Eddy Willems) — Sun, 21 Jun 2009 02:21:00 -0700

I'm again on the road ... well the last few weeks I was traveling to several countries and went to several events which all have to do with security. So crisis and security are definitely not connected to my opinion. I also visited several Police Crime Units in several countries and guess what.. they don't have all the same questions or remarks. This confirms that there is (and will be) still a lot of work to be done within this environment: the fight against cybercrime is just in his baby phase but will tackle the real organised (cyber)crime in the future. Let's also hope it can tackle most of the possible cyberwar-attacks too.
Next week I'm in Dubrovnik for Kaspersky's 10the Virus Analyst Summary, an internal and external conference, where we will talk about new technologies and techniques and after that I'm back home for the launch of our new consumer products with a beatiful set and combination of new technologies in Kaspersky Lab's fight against new malware.
Watch out!

You are not alone. [The Security Kitchen]

Fri, 19 Jun 2009 15:39:09 -0700

Michael Jackson sung it best, but that is not what this blogpost is about.

In today’s IT environment, there’s an overwhelming load of challenges coming at you like an avalanche every single day.
Moreover, the challenges come from every possible direction you can look in. Windows, Linux, Unix in your LAN, WAN, DMZ interconnected by highly available converged networks transporting data, voice and video which is generated and consumed by on-premise or hosted applications (say CLOUD !). It’s a tough job but someone’s got to do it. Right ?

As HR tried to put everyone into little boxes based on skill assessments, we grew apart. We built high, enforced walls around our cubicles. The *nix guys laugh at the Windows guys when there’s another virus outbreak. They join forces when it’s time to curse at the network guys as the 24/7 network turns out to be, well, not so 24/7 anymore :-s The network guys (and girls…) pick up their voodoo dolls when the application people demands a ginormous amount of bandwidth or some unreasonable number of ports to open on the perimeter. Everybody rolls their eyes when HR decides to use some new fancy app, cloudified of course, to try and manage their skills and at the same time make those little boxes even smaller. The circle is oval.

Because we have compartimentalized our infrastructure management to a very high degree, securing it becomes mighty difficult. There is no Windows person who will accept authority from a Unix person, and vice versa. This is bad people. It’s time for change !!!

If you are responsible for Information Security, you have to be platform agnostic. Incident handling is not depending on the platform it is executed against. Sure, somebody is gonna be responsible for realizing the vision you have defined, but in the end, they are all part of a big team. It’s better to start out with a fight, settle it once and for all, and move on together. Appointing someone responsible for [platform of choice] security and letting them do their thang doesn’t cut it anymore.

Bring all those great minds together, make them realize that they are not alone and put your joint energy in fighting this (unfair) fight together instead of against eachother.

Now y’all go hug eachother and have a mighty fine weekend !

OSSEC in a nutshell [The Security Kitchen]

Mon, 15 Jun 2009 15:25:41 -0700

for those who don’t know about OSSEC :

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

It runs on

Linux
MS Windows
AIX
Solaris
…

OSSEC installs stand-alone on a single system, in server mode or in agent mode. For the sake of this blogpost, I will assume that at least one server is used. I will also not touch on the Windows installation.

Log Analysis

On a agent system, in ossec.conf, you define which log files will be monitored. Any new events in this logfile will be transferred to the OSSEC server using a secured connection. Note that there is no analysis of an event on the agent.

A server ‘decodes’ the event, pulling out critical information, this information is compared to rules. rules are extremely powerful in OSSEC. You can define single rules, but you can also define rule trees. I will dedicate a seperate blogpost to rule trees, imho this is where the power of OSSEC is. Alerts are triggered on a level between 0 (ignored) and 16 (attack occured). Alerts can be logged and sent out in e-mail (or even SMS) to your incident handlers.

Ow, wait. Your OSSEC server can be configured to be a syslog server too … and you can have all your appliances (firewall, switch, proxies, routers, mail security thingies, … forward logging to there. Now you can correlate end-to-end logging, FOR FREE !!

OSSEC, in it’s turn, can provide it’s syslog output into another SIEM if need be. It’s open,remember ? Open works both ways for OSSEC

System Integrity Checking

On the OSSEC client you define which directories need to be checked for file integrity. OSSEC will perform a scheduled analysis of the files in these directories and alert you when changes have been detected. You have full granular control over the analysis schedule, low-risk directories can be checked on a daily basis, while high-risk directories can be checked every 20 minutes. You can even exclude certain subdirectories (maybe because they contain files that change regularly and you’re ok with that …). I told you, OSSEC rocks !

Active Response

And it gets better !! You can trigger scripts based on the alerts OSSEC throws. Now you can block access from a bad host entirely, remove execute permissions frm a file that was changed, stop a service …

OSSEC just turned in an HIPS, and it is still free …

Unfortunately, a lot of business are still wary of introducing Open Source solutions in their infrastructure. After all, who’s gonna support them? Third Brigade, the owners of OSSEC, has recently been acquired by TrendMicro, who has vouched that OSSEC will remain Open Source and Third Brigade will continue to support the software.

If you are looking into HIDS/HIPS solutions, don’t forget to consider OSSEC. It’s a beautiful solution, and cross-platform to boot. Don’t hesitate to ask questions if you get stuck !!

You can find more info about OSSEC here : http://www.ossec.net

If you are gonna try and learn OSSEC to the bone, consider buying this book.

Oh yeah, an OSSEC plugin was developed for Splunk too !!! read more here

I, for one, am an OSSEC aficionado. Now you go download it … and tell me what you think.

Searchengine Redirects? It could be a patched ws2_32.dll file... [miekiemoes]

noreply@blogger.com (miekiemoes) — Wed, 10 Jun 2009 15:45:00 -0700

I was helping someone yesterday (online support via forums) who was complaining about searchengine redirects. Redirections mainly went to mybig-portal.com, virus-detect-soft.com, edmonds.com, us.peeplo.com, directkitchenremodeling.com...

There are already many different infections responsible for searchengine redirections, I see several different ones every day.... so after a while, it's getting easier for me where to look/search.
The info is mainly gathered from logs (Registry loading points, Rootkit scans, etc).

However, this one was different. I just couldn't find the culprit. Same scenario as with the first Daonol/JsRedirect/Gumblar variant I discussed here last year (October 2008).
People who know me also know that I will search untill I find it, so I finally found the culprit - a patched ws2_32.dll file.
The ws2_32.dll is a legit Microsoft Windows file that contains the Windows Sockets API used by most Internet and network applications to handle network connections.
In this case, it was patched by malware. Its copies in the dllcache and ServicePackFiles\i386 folder were also affected. Reference thread here.
It wasn't detected by any scanner yet. Sophos Antivirus will now detect this one as Troj/WShack-B.

So if you encounter the same and just can't find the culprit of a searchengine Hijack after trying anything else - then it *may be a patched ws2_32.dll file. Don't delete that file if it's indeed patched/infected, but replace it with a clean copy.
If unsure/in doubt, post you issue in the forums.

Cybercrime awareness campain in The Netherlands [Eternal sunshine of the geeky mind]

noreply@blogger.com (An Hilven) — Wed, 10 Jun 2009 01:19:00 -0700

I read a while ago (don't remember where exactly) that a campaign started in The Netherlands on TV and radio to increase awareness with regards to cybercrime, created by the Department of Justice and GOVCERT. The first thing I though was: yeah right, like that's gonna work. Then yesterday I was in the Netherlands, and as I couldn't receive my favorite Belgian radio station anymore that far over the border, I had to listen to a local radio station. That's when I heard one of the awareness commercials, and it was actually quite nice, and seems like it might 'stick' to some people at least. The first part was a bit like trivial pursuit, where one person asks the question 'what is spoofing', and someone answers 'a new kind of dancing'. Then there was another, normal, commercial. And next was the second part of the awareness commercial, and said 'spoofing is acting like you are someone else on the Internet'. It's not the most accurate description, but for people not in information security they at least get the idea. I've searched the Internet for examples of other lines they use, but unfortunately couldn't find any. Nevertheless, very nice work!

Elections and a special week... [WAVCI]

noreply@blogger.com (Eddy Willems) — Sun, 07 Jun 2009 02:26:00 -0700

It will be an interesting week for me, starting with my votes for the Flemish and European Parliament, taking afterwards a plane to do some secret business (presenting) in Lyon, France ... hmmm, what will I do over there...., flying back and presenting on a Belgium Security event organised by (Qcom) Van Roey, driving back to a Citrix event in Antwerp, driving the next day to Luxembourg where I will present again on a Lannews Security event in Luxembourg and ending with the Ingram Showcase in Edingen/Enghien in Belgium back home. So if you think I always have time to put something up on my blog ... no way. However I updated my website with some interesting pictures taken during some events like the last EICAR conference and some other events. Further on: keep following me on Twitter of course!

(IN)SECURE Magazine Issue 21 released [Wouter Veugelen]

Mon, 01 Jun 2009 18:53:32 -0700

Table of contents:

* Malicious PDF: Get owned without opening
* Review: IronKey Personal
* Windows 7 security features: Building on Vista
* Using Wireshark to capture and analyze wireless traffic
* “Unclonable” RFID - a technical overview
* Secure development principles
* Q&A: Ron Gula on Nessus and Tenable Network Security
* Establish your social media presence with security in mind
* A historical perspective on the cybersecurity dilemma
* A risk-based, cost effective approach to holistic security
* AND MORE!

Choosing the right VPN solution… [The Security Kitchen]

Tue, 26 May 2009 15:16:28 -0700

It isn’t easy man…

You’ve been relying on that IPSec or L2TP VPN solution for a few years now. You’re either using a dedicated VPN solution (genre Cisco VPN Concentrator) or terminating VPN somewhere on your perimeter or in a DMZ (good thinking !!) and (hopefully) you got a set of policies and access control strategies to secure it even further.

You’re happy. Your users are happy. Why change ? Either you need to change to support the business needs or you have to change because the product you are using has been declared end of life. If the former is the case, you’re in a better position to evaluate because you (or your company) realized that the current setup just doesn’t cut it anymore. If the latter is the case, you might be reluctant to investigate your options. Your plate is already overfull and this is just another project that needed to be finished yesterday.

Wait … checking out all your options is worth it. And there aren’t that many … You can either remain with IPSec/L2TP or you can choose a SSL/TLS VPN Solution. Both have pro’s and con’s though.

An IPSec solution needs a client installed on the workstation making the connection. That’s good because then you know only the people with the client (and the correct configuration) can connect. However, if you have external parties connecting (say service providers, consultants, …) how sure can you be that the client, the configuration and even the user certificate is not shared among multiple users ?

Most SSL/TLS VPN solutions do not require a client for limited functionality like web access to an internal website. Other functionality, like a VPN tunnel or RDP/Citrix access to a server, will require an ActiveX or Java control/applet to be installed on the endpoint. It isn’t clientless but the big advantage is that the user pulls the configuration and software from the box, you don’t need to distribute software and configurations.

Moving from one IPSec solution to the other requires thorough planning. If you change vendors, keep in mind that VPN client applications don’t tend to like eachother. Most of the time you can not run 2 VPN Clients on the same box. This might have major implications on your road warriors who will come into the office only sporadically. If something goes wrong, they lost their lifeline …. NOT GOOD.

Moving from IPSec to SSL/TLS however … while planning is still needed, it’s less of an headache because you only need to provide the new procedure to the end users. But the technology change might force you to rethink your architecture.

Some pointers :

- 2-Factor authentication : the main SSL/TLS VPN solutions support easy integration with 2-Factor authentication solutions. While it’ll cost you extra, I wouldn’t suggest SSL/TLS without it. The least you wanna know is that the user connection to your network is who she says she is.

- Client verification : Since you are no longer in control of which endpoints your users use to connect to your network, you have to make sure that the endpoints meet a certain security standard. To the very least, the solution should support OS detection, AV/AS detection. Most of the solutions go further and allow you to build granular policies to allow access to resources based on which endpoint connects. John D connecting from a internet kiosk in Madagascar will have less functionality then the same user connecting with his company laptop. Take your time to create the necessary profiles, for both users and endpoints.

- Single Sign-On : You can achieve this ! With SAML you can have your authentication and authorization information passed on to back-end website (your internal portal, a helpdesk application, a time registration application, …). This can bring huge benefits to the company. (More info on SAML : http://en.wikipedia.org/wiki/SAML).

- Connection : if choosing an SSL/TLS solution, think about how you connect it. The solutions usually allow single-legged or multi-legged configurations. I would opt for at least a two-legged config. The reason is simple. All traffic from the endpoints reach the box encrypted, on an untrusted network. My gut tells me you can not send the unencrypted traffic over that same connection into your internal network.

Conclusion
Either implementation costs money. In my humble opinion, SSL/TLS solutions bring more additional benefits then IPSec/L2TP solutions because they allow you to support a broader base of user types and in general be more flexible in allowing or restricting access to internal resources. If you choose SSL/TLS, think about the endpoints and how you can control them.

EICAR Conference 2009 Summary (Berlin) [WAVCI]

noreply@blogger.com (Eddy Willems) — Sun, 24 May 2009 03:12:00 -0700

The EICAR conference 2009 held at the Steigenberger Hotel in Berlin, Germany from 9th to 12th May 2009 was a great success. The hotel provided perfect conference facilities, excellent food and due to their demonstrated flexibility in response to our short term changing requests, considerably contributed to the success of the conference. The absolute highlight was the keynote by Fred Cohen and the following discussions throughout the next two days in respect to his virus definition and the negative annotation of it. The paper “Applied parallel coordinates for logs and network traffic attack analysis” written by Sebastian Tricaud and Philippe Saadé was awarded the “Best Paper Award”, an excellent decision by the conference committee. The level of presented scientific papers as well as the one for the industrial papers was excellent and very well balanced. Many more papers have been submitted but, though of good quality, some had to be rejected because of simply insufficient space on the agenda. 'Moderated by the EICAR Chairman of the Board, Rainer Fahs, Panel members form AMTSO (Andrew Lee), CARO (Morton swimmer), EICAR (Eric Filiol), and ICSALabs (Andrew Hayter) represented a brought array of stakeholders in the anti-malware field and came to the conclusion that the complexity of the issue requires close cooperation between all stakeholders since isolated developments would not be a good way ahead.' (cfr. Rainer Fahs) During his farewell address the Chairman of the Board announced that, due to the generous offer by ESAT France, next year’s EICAR conference will be held from Saturday 8th to Tuesday 11th May 2010 in Paris at The conference facility of the Ecole Supérieure et d’Application des Transmissions (ESAT). A call for papers as well as more detailed information about our conference 2010 will be published soon.

If you want to read more about the EICAR conference please have a look at the upcoming June issue from the famous Virus Bulletin magazine. I wrote the summary.

Oh yes the picture .. from left to right: Eddy Willems (me), Fred Cohen and Eric Filiol.

SANS Community event, Amsterdam [The Security Kitchen]

Thu, 21 May 2009 15:42:59 -0700

Yesterday, I was lucky enough to have a work gig in The Hague (The Netherlands), just when the SANS crew touched down for Secure Amsterdam and as they were organizing a community event, I took the chance to go see what they had to say.

As a sidenote: Larry Pesce, from Pauldotcom fame, was one of the teachers and since I felt sorry that while he was only 2 hours away from beer walhalla, he only had Heineken to choose from, I brought him some tasty Westmalle dubbel.

I arrived late because traffic was bad just before a holiday weekend and I dropped into the SANS introductory presentation. All I remember from that was the lively discussion about the value of certification. Sorry, been there, done that, I’ve had 7 Microsoft t-shirts and lapel pins are great tools to learn kittens a lesson. What I’m really trying to say is that every cert has it’s value. Whether it’s a vendor cert, a SANS cert or a CISSP doesn’t really matter. The only guy that bugged me was someone who thought he had seen it all. You see that type of people and you immediately feel sorry for them because you just know they are on their way down. You’ve never seen it all dude, waving your business card with your unpronouncable title on it doesn’t make you ‘the man’. You’d like that, but it doesn’t. ‘The man’ is the person who works his ass off every single day without claiming the limelight. The limelight you’re revelling in, might get your ass burned, badly. Anyway, I disgress …

After the break it was time for Larry’s preso on Metadata, the silent lesson. You can find an up to date version of that preso on the pauldotcom website . Key points of this presentation were that metadata is really everywhere and there’s great fun to be had with. Looking at document metadata can teach you a lot of information about the persons or companies you’re investigating. I’ve done some testing before and what you can achieve with documents and photos from the web is really amazing. In short : really great preso, cleanly delivered by a very knowledgeable and skilled presenter. This is the kind of stuff you wanna see more often.

The last preso of the night was delivered by govcert.nl . While the presentation was build around a great concept, I think it ended up being a blow in the water. They bundled some of the results of their research into some kind of gameshow concept (odd one out) but unluckily it wasn’t really entertaining. Most of the challenges were geared towards a Dutch public while I felt the crowd at this event was more international and that’s the reason why they all fell in the water. Belgians, French, German and/or English people can’t tell the difference between Geert Wilders and a chimpansee, let alone knowing who he is. What I also missed was context. Why was this one the odd one out and what could’ve been done to prevent the data breach you meant to touch upon. Wait, there was some stuff about popups and boners that was really fun.

And there we arrive at a very big soapbox of mine. We, as Security Professionals, kinda love reading about new attack vectors, and we revel in the fame that becomes our part when we can come with something new. However, when you present something new, I expect you to do the following :

a) tell me what it is that is so special about what you found.
b) tell me how it works, what it does and obviously how I can do it.
c) and then it is your friggin responsibility to tell me how the f* I can protect myself from it.

It’s one thing to find a hole and I have lots of respect for researchers that do that each and every day.
The really great know how to educate.

That be all.

Stay Secure !

PayPal Horror Stories [Wouter Veugelen]

Tue, 12 May 2009 03:39:22 -0700

Still in my fraud awareness mood, I was reading an article stating that the Dutch website Marktplaats.nl where you can buy and sell goods will start accepting paypall payments soon.

When reading the comments of users on the article, I was astonished by the amount of Dutch people that were frauded by selling items and accepting PayPal payments. The typical PayPal fraud scenario would like like this:

A buyer (the counterfeiter) buys goods using PayPal
The seller receives the money for the goods and sends the object the buyer bought
The buyer lodges a claim to PayPal for a non-authorised payment that took place with his PayPal account
PayPal transfers the money back from the buyer to the seller’s account without requiring consent of the buyer
The buyer received the goods and didn’t pay for it
The seller’s PayPal account is frozen; he lodges a claim against the buyer
PayPal rejects the claim if the seller cannot provide all the receipts of sending the goods
The buyer is frauded and cannot lodge another claim since PayPal only allows 1 claim per transaction.

I know when buying/selling goods online, making payments via website such as MoneyGram and Western Union is a no go, but these PayPal stories were new to me.

Read out the story on this page of the poor man who’s business went bankrupt by PayPay fraudsters.

3 statements listed on paypalwarning.com to remind users of the control you give to PayPal when using the service:

Can PayPal hold my money with no explanation? The answer is YES.

Can PayPal freeze my account for no reason? The answer is YES.

Can PayPal take money out of my account without my knowledge? The answer is YES.

Personally I do have a Paypal account as well. I used it only once in the past, but as of now, i’ll think twice before I will commit into another PayPal transaction.

Check out other horror stories at:

http://www.aboutpaypal.org/
http://www.paypalwarning.com/

http://www.paypalsucks.com/

http://www.screw-paypal.com/

In case you're wondering.... [miekiemoes]

noreply@blogger.com (miekiemoes) — Wed, 06 May 2009 05:38:00 -0700

Yes, I'm still alive, just extremely busy lately.

It's now already a couple of months that MalwareBytes hired me as Malware researcher, so that's where most of my time goes nowadays.
I've decided I will only blog here once in a while - I hope at least once a month - but I cannot promise anything :-)

Also... Thank you for the nice mails I've received lately via this blog and sorry I didn't respond earlier. It looks like something went wrong with the "Contact Me" mailform, so a lot of delayed (2 months or so) mails arrived just today. Anyway, this should be fixed now.

Preparing for Kaspersky Regatta and the EICAR conference...and Twitter [WAVCI]

noreply@blogger.com (Eddy Willems) — Wed, 06 May 2009 01:50:00 -0700

Life is too short, isn't it. I'm already started planning events and meetings in September and October this year and I try to prepare myself for the Regatta from Kaspersky Lab Benelux tomorrow. I will post a picture from the event over here.
Friday I'm flying to Berlin to be ready for the upcoming EICAR conference in the Steigenberger Hotel. We have a terrific agenda with even Fred Cohen as a speaker at the event. You can find more at www.eicar.org
and if you want to come, there are still seats available.
I'm doing now about 2 local events a week not including my discussions with press, some large customers and international events. And that's just one part of my work.
But is my work not my hobby? Most of the time yes .. but it's a dangerous situation if you know what I mean...

And for people who didn't know it yet, you can follow me
on Twitter: www.twitter.com/EddyWillems
I'm inviting you all.

And concerning the safety on Twitter... pay attention please as I did see already a lot of security problems related to Twitter itself.

Gumtree.com.au Fraud Scams [Wouter Veugelen]

Wed, 06 May 2009 01:38:49 -0700

The last 2 months I have been looking around on the Internet to buy a car over here in Australia. I am amased by the amount of active fraud scammers trying to trick people into transferring money to them.In most cases they come up with a story that they have a car for sale, but they are currently staying overseas at the time, so meeting in person is not possible. They offer a ‘almost new’ car, low kilometers, lots of extra’s for a bargain price. The only drawback is obviously that you have to transfer them your money first before they will ship the car to you.

Here’s all the scam emails I received when responding to cars advertised on the gumtree.com.au website:

Re: Reply to your “2006 TOYOTA COROLLA HATCHBACK” Ad on Gumtree

from Emilio Narsete

Hello ,

Thank you for your enquiry regarding my vehicle.
The vehicle is in perfect working condition i’m the only owner and it has 2009 Rego so you will have no problem registering and licensing the vehicle.

I’ve worked in Australia for the past 3 years and since the birth of my son in January 2009 i came home to Italy.

The vehicle is in Australia at DAS freight department and i have full access(i can deliver the vehicle anywhere in Australia).

I will arrange delivery on my cost to your home address and you will have a 5 days period for inspection.
The total price includes (stamp duty, registration, transfer fee, and insurance).

We can use an escrow agreement to facilitate payment so that we both can be 100 % protected.

www.escrow.com/solutions/escrow/process.asp

I will also supply some more pictures as soon as i get home from work.
If you are interested,please reply with the following information’s in order to arrange shipping at DAS freight department:

-Your full name ;
-Full delivery address(with postal code);

Regards ,

RE: Reply to your “TOYOTA RAV4 2003″ Ad on Gumtree

from tommy dreamer

Hello,
Sorry for the delayed response, but I’m in Cameroon right now
and I have been very busy.Anyway,thank you for your interest in buying
the car. The car is located in Cameroon right now and has Australian/Cameroon papers.It’s been a great car for my wife to drive but we now need something a little bigger seeing as how she is pregnant.So all that I want to do now is to sell
the car at this price, because I need to sell it fast(I already made a
deposit here to buy another one).The title is clean and you will have
absolutely no problems to register the car in the States.I will tell
you a few words about the car..
my TOYOTA RAV4 2003″ car with manual transmission it is in immaculate
condition with approximately 56,500 miles on it,rust free , no scratch and hasn’t been
involved in any accident. The motor runs very well.The interior looks
great(NO SMOKING).This car needs nothing,the title is clear ,it is not
a salvage one. I want this transaction to go smoothly enough as I am
caught in the middle of some very important events and have little
time at my disposal. I already have tons of emails so I hope you
understand that I need to sort them out. The car is like new, in
perfect conditions,accident free, no scratches, no special marks, no
need for additional repairs what so ever. a genuine road runner ready
to be yours, but only if you shall understand and you won’t make me
loose time as it has already happened to me.

The price is $3,500 THIS IS MY LAST PRICE.I will not negotiate
the price.I will take in consideration only those buyers who are
really interested in buying the car ,to be sure that I don’t waste my
time with endless discussions.This way,I shall be assured of the
serious intentions .
So if you are interested please email me back for next step.
Regards !! call me on

Hi again,
Look how we will do this step:

Before leaving I had prearranged shipping and also the payment with MoneyBookers. so my presence in Cameroon isn’t necessary(The car is locked in a MoneyBookers warehouse Cameroon ready for delivery).The price of car $3,500 includes all the shipping costs and insurance, so you won’t have to pay any extra charges.
Here is what I suggest: we will use MoneyBookers which acts like an escrow service , you make a deposit of 1/4 the price of the car in a MoneyBookers managed trust fund ( they hold the money until you receive the car ), I send the car over( the car will be delivered with the title, owner’s manual, 2 sets of keys, service records, and of course the bill of sale authorised and signed by me),I will offer a 14 day period from the day you receive it from the shipping company,you can inspect it, take it to a mechanic to check it out, drive it and then if you decided to keep it, you’ll confirm to MoneyBookers the sale so that they can start paying me and then you send me the remaining money. If, by any reason, you will not be satisfied with it ( even though I can assure you that it is exactly as described), you can return it at my expense for a full refund of your money, no questions asked.I think this is more than fair for the both of us.
NOTE: The deposit (down payment) is refundable, and is just a security measure, to make sure that you are serious, and that I am not going to ship the car, and loose time and money.

So if you are interested to go ahead with the deal, please reply with your full name and shipping address so I can ask MoneyBookers to open a case! After, they will contact you explaining all the details regarding the payment..
I’m looking forward to hear from you.

Thank you,
tommy

RE: 2005 MAZDA 3 SP23 48200 km

from Vanessa Cubriel

Hello,
First of all I want to thank you for your interest for my car. I sell at this price(AU$5,000.00) because i just finished the divorce with my husband. When the divorce has finished i own this car. Now as a women i don’t need. This car is in excellent working conditions, no scratches, flaws or any kind of damage, slightly used in 100% working and looking conditions and comes with a clear title, 3 months transferable warranty. From the beginning you have to know that for the payment I request ONLY secure pay, I prefer the payment to be done using eBay services. We will use a safe payment method because I am affiliated at eBay and I have a purchase protection account for $20.000.00Au. The final price that I want for this car is AU$5,000.00 including shipping and handling.
PS If you are interested in buying it please provide me your full name and address so I can initiate the deal through eBay.
I will wait your answer(if you are interested to buy) very soon!!
Thank you and have a nice day

Vehicle Features*

17In Alloy Wheels
6 Speaker Stereo
…

I replied to every of those scammers that I reported them to the police. Interestingly enough, at a later stage when I showed my interest in another car advertised, I get a reply from exactly the same email address! The fact that they don’t even recognise my name means they are trying to perform this kind of fraud on massive scales!

If you have a similar experience, you can find all info you need for reporting these kinds of scams in Australia on the following page: http://www.scamwatch.gov.au/content/index.phtml/tag/reportascam#h2_160

Software Assurance Maturity Model (SAMM) [Wouter Veugelen]

Mon, 06 Apr 2009 16:16:25 -0700

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

◊ Evaluating an organization’s existing
software security practices

◊ Building a balanced software security program
in well-defined iterations

◊ Demonstrating concrete improvements
to a security assurance program

◊ Defining and measuring security-related activities
within an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

As an open project, SAMM content shall always remain vendor-neutral and freely available for all to use.

http://www.opensamm.org/

Protecting your Laptop, or better finding the thief! [Karim Vaes]

Tue, 31 Mar 2009 14:21:46 -0700

The article “Protect And Track Your Laptop In Case Of Theft” has a good breakdown of the service of The Laptop Lock. It kind of reminds me of iAlertU on Mac…

Share and Enjoy:

Sherwood Applied Business Security Architecture (SABSA) [Wouter Veugelen]

Fri, 27 Mar 2009 16:37:44 -0700

SABSA is a framework and methodology for Enterprise Security Architecture. The official description of the SABSA website:

“SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited.

The process analyses the business requirements at the outset, and creates a chain of traceability through the strategy and concept, design, implementation, and ongoing ‘manage and measure’ phases of the lifecycle to ensure that the business mandate is preserved. Framework tools created from practical experience further support the whole methodology.

The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction and detail is developed, going through the definition of the conceptual architecture, logical services architecture, physical infrastructure architecture and finally at the lowest layer, the selection of technologies and products (component architecture).

The SABSA model itself is generic and can be the starting point for any organisation, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customised to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic programme of information security management within the organisation.”

SABSA Model

The SABSA model is based on the Zachman framework for enterprise architecture, adapted with a security view: Each layer represents the view of a different player in the process of specifying, designing, constructing and using the business system:

Contextual Security Architecture: The Business View
Conceptual Security Architecture: The Architect’s View
Logical Security Architecture: The Designer’s View
Physical Security Architecture: The Builder’s View
Component Security Architecture: The Tradesman’s View
Operational Security Architecture: The Facilities Manager’s View

SABSA Matrix

The SABSA Matrix represents the whole model for the enterprise security architecture.

SABSA Framework for Security Service Management

SABSA Development Process

SABSA Lifecycle

SABSA Attributes

A list of business attributes compiled from extensive resources.

Official website: http://www.sabsa.org/

In between message... [miekiemoes]

noreply@blogger.com (miekiemoes) — Fri, 06 Mar 2009 03:26:00 -0800

It's been a while that I've blogged and since I'm going through some major changes in my personal and professional life (maybe new job), I won't have the time and inspiration either to blog in the next couple of weeks.
In a meanwhile... Click the icon to play a little game, so you didn't come here for nothing. :-)

See you later!

How to properly erase your hard disk? [Karim Vaes]

Tue, 03 Mar 2009 10:21:30 -0800

A whopping 40% of the used hard drives on eBay contain easily recoverable personal data. Use the following guide to ensure your personal data never makes it out into the wild.

Pretty scary words ain’t it… but it’s not far from the truth! Read the article to tutor yourself about the matter as you probably don’t want anyone to invade your privacy.

The first step in securing your data is bolstering your understanding of how data is stored and what happens when you delete it. Many people operate under the impression that when they delete a file it’s gone, as though they had torn a page from a book. But the way most operating systems handle such events is by simply removing the little marker that points to the file. That’s more like having information written on a chalk board in columns, each column labeled with a header, and then simply erasing that header to signify that column is “deleted” and available for future writing over. Anyone who looks at the board can read everything written in the column, until someone starts writing over it.

Share and Enjoy:

New SSL MITM at BlackHat DC [vandeneynde.net]

Fri, 20 Feb 2009 01:05:11 -0800

At the recent BlackHat Washington conference, a nice presentation was given about new man-in-the-middle techniques for SSL

The presentation starts with a good intro-primer on how SSL certificate validation works, continues with explaining how the old MITMs worked (including the trick with the intermediate CA which is used by most SSL inspection devices) and goes on with how it can be defeated now with stripping https or providing real valid https connections with ‘just’ a valid wild card certificate and some homo-graphic tricks.

The impact of this is not alarming in my opinion as there were already mitm tricks which worked. Attackers tend to stick to simple things that work before moving on. This is just an addition to the arsenal of tricks to fool a user into thinking his connection is secured. However, this might even trick the more experienced computer users and not only your mom who does a little online banking.

The presentation is worth a read because it gives a nice background on SSL validation, makes you think about website security architecture and makes you a little more paranoid when surfing the web in a public place.

This just shows once more that the cornerstone of SSL is trust. If you can come up with a way to get your malicious stuff to look trustworthy, it’s game over.

Virut and other File infectors - Throwing in the Towel? [miekiemoes]

noreply@blogger.com (miekiemoes) — Tue, 17 Feb 2009 05:25:00 -0800

I actually wanted to blog about this last week, but didn't find the time yet...
In the last couple of weeks, I noticed a HUGE increase of Virut present on computers. As a matter of fact, 30% of the infected computers I analyzed were infected with Virut. This is bad, really bad... :-(

Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker - for example to download/run more malware on the compromised computer. Emails may be harvested as well.
This latest variant may also search for htm, html, asp and php files on the drives and modifies them by inserting an iframe that points to a malicious website. So you can already imagine what may happen if the owner is a webdesigner and uploads the infected webpages.
An excellent write up on this latest variant (and previous one) can also be found here (by Nicolas Brulez): http://securitylabs.websense.com/content/Blogs/3300.aspx

Disinfection of the infected webpages should be easy - it's just a matter of deleting the iframe script in it.
The disinfection of the infected exe and scr files is something else...
Since Virut infects legitimate files, the files may not be deleted, but disinfected instead. And that's where the problems start...
Virut was known to be a buggy Virus in the past and it appears that this hasn't changed yet. We've seen this with other File infectors as well: To Junk Or Not To Junk.

And because of that, Virut may misinfect a proportion of executable files > result > corrupted file.
The same applies for other File infectors such as Sality.

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall.
And even though an Antivirus is able to disinfect the files, in a lot of cases, many files will be corrupted anyway > result > many programs won't work > loads of errors > corrupted Windows + there's still no guarantee that the Virus is really gone.
So why bother to clean this if a format and reinstall is the fastest and especially the safest solution?

And that's why I am blogging about this in the first place, especially since Virut is a very common infection nowadays. It's a pity to see that so many people are struggling with it and whatever they try, nothing helps. Then they ask for support via the forums and in a lot of cases, the one who is helping/guiding won't give up either and posts a new set of instructions to deal with this one.
Unfortunately another failure as result, so again, new instructions are posted... and this may go on and on...sometimes for weeks....
Is this responsible?
I'm not saying it fails everytime, but from what I have seen so far and especially if you're helping someone else with this infection... don't guarantee them a "clean" and errorfree computer afterwards .

In anyway, that's how I see it. Imho, dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall.
Many people may see this as "giving up", but I see this different.
After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

Happy Dance - Blog 1 year old! [miekiemoes]

noreply@blogger.com (miekiemoes) — Wed, 04 Feb 2009 07:55:00 -0800

I started with this blog exactly 1 year ago. I actually didn't expect anything from this since I'm not a writer and don't have enough inspiration either to update my blog every (other) day.
The main goal of this blog was to post some tutorials and thoughts for the "average" user I was helping on forums and newsgroups - so I could link to my blogposts instead of reposting it again and again.
I was already happy with only a few blogposts and actually didn't really plan to update it anyway - only once in a while.
Maybe I could have updated my blog more often with latest Security News etc, but decided not to do so.
However, after a month or two, I saw that some people started to follow this blog and linked to it as well. That was a pleasant surprise.
And that's why I'm still updating this blog with thoughts (mainly rants), tutorials and other (stupid) stuff.

Anyway, thanks for the comments and feedback I have received so far - I've learned a lot from this and I'm still learning every day!

Thank you readers!

False Libelous Info About Yourself? [Karim Vaes]

Tue, 20 Jan 2009 23:00:09 -0800

Bloggers are usually well aware of the dangers of being accused of libel, and that’s why most independent online journalists are very careful to make sure that everything they write about someone on their blog is backed with documentation and evidence. But when someone writes something libelous about you, you need to be well prepared to fight back hard.

So what can you do? Read the article @ makeuseof.com!

Sidenote
In November a Dutch waitress got “shut down” by a Belgian politician after comments about his visit to NY. I guess that’s the downside to the “libel” part, who’s the judge in right/wrong?

Share and Enjoy:

Getting DHCP reservations into a Belkin N1 Vision router [vandeneynde.net]

Tue, 28 Oct 2008 10:12:54 -0700

Yesterday, I bought a new wireless router for home. I was in the computer store to buy some DVDs and picked it up in more of an impulse. My old router was not performing well so I bought the first draft-n gigabit router I happened to stumble upon after quickly having verified that it was supported by dd-wrt.

Back home, I noticed that I was a little too quick in verifying the dd-wrt support. It will be supported by dd-wrt but currently it is still a work in progress. So I decided to use the stock Belkin firmware for now. However, one minute later, I stumbled upon a major problem in that plan. The little router does not support DHCP reservations which I need in my home network. I could offload DHCP to another small device in my network but I preferred to have the router handle it.

This leaves three options for getting DHCP reservations in the box:

cross-compile my own firmware (GPL sources and MIPS toolchain are available for download)
modify an existing Belkin firmware image by injecting extras in the image
hack into the router and modify configuration parameters to support DHCP reservations.

I decided to see what’s behind door number 3 and after a an hour or two I found two ways of adding your static DHCP leases to the device.

The first way is by modifying he configuration file of the device. You can backup the running configuration from the GUI and save it to your local PC. That backup file (user.conf) contains all nvram parameters to get the router configured. I noticed that it had quite the same parameters as my old linksys router. Especially the parameter static_dhcp_clients was of interest to me. After looking at the linksys example, I filled it up with my dhcp leases :

static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1

After feeding it back to the GUI (restore configuration), the GUI told me the CRC was incorrect. Some trial & error learned me that the check was a CRC-32 (8 bit) check done over all the parameters. This checksum was put at the end of the file in hex. With this knowledge, I opened up my hex editor, changed the checksum, uploaded the modified configuration and after a reboot of the router, I had static leases working!

The second way I found is even easier. There is a hidden web page in the administration website : http://routerIP/wukongjiuwo.html. This is a diagnostics page which gives you web-form based console access to the device. In the console, the following command followed by a reboot should bring static dhcp leases in the box:

nvram set static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1

If you decide to use some of this ‘wisdom’ on your own router, please do so at your own risk!

Backup Encryption [vandeneynde.net]

Fri, 26 Sep 2008 04:40:48 -0700

Quick Post. I just read that laptops were stolen from one of our Belgian ministries. According to the ministry, the data was safe because it was backed up to a central server. That server was not comprimised and all sensitive data was stored there. I sure hope they also thought about encrypting the laptop hard drives and/or used some kind of DLP system to prevent data to be copied locally on the laptops. If not, the central backup won’t guarantee that no sensitive data was stolen. Availability in the form of backups is just covering one letter of the CIA (Confidentiality, Integrity, Availability) Triad which forms the core of Information Security.

Re: Spideroak [Karim Vaes]

Thu, 18 Sep 2008 08:38:23 -0700

A while ago I posted about Mozy. As a response to this post, Maya Zarchan contacted me with the following note:

I read your piece discussing Mozy and thought you might be interested in
another vendor, SpiderOak. They provide a free, secure, automated approach for
storing, backing up, accessing, and sharing personal files. SpiderOak is the
only backup software to work across ANY platform (Mac, Linux, and PC) – it
also has unparalleled anonymity, there is literally no visibility into anything
being stored – not even SpiderOak employees have access to the data.

I must admit that I haven’t tried out SpiderOak, but it seems to offer the same kind of service as Mozy. So it’s only fair that I’d give it the same spotlight…

Share and Enjoy:

Chrome [vandeneynde.net]

Sat, 06 Sep 2008 13:15:53 -0700

First of all: No I am not dead and yes I will continue to blog here. I just took a bit of a ‘blogging sabbatical’ the last couple of months.

That said, I (and many others so it seems) downloaded Chrome, Google’s vision of a web browser this week and played around with it for a while. A new browser always means new (or old) vulnerabilities and Chrome does not seem to be an exception to this. Google has a pretty good track record in following up on vulnerabilities so they will hopefully fix them soon.

On the positive side, it seems that Google really thought about security in Chrome by isolating processes for different tabs and enforcing a security model. They explain most of it in a cartoon you can find here.

Although I like the layout, the speed and the software design of Chrome, I will not be moving away from Firefox just yet. Even if all known vulnerabilities were to be fixed, there is one feature in Firefox which I think every browser should have and Chrome hasn’t: a decent password manager.

As a security conscious person, I use different passwords for each website I use on the internet. Unfortunately, I can’t remember all of them, so I store some of them in Firefox. I know I could use a tool like KeePass (and I do) but for most sites I find this overkill. Now what I like about Firefox is that you can specify a master password. Without this master password, you cannot unlock the password file (signons3.txt, passwords, and key3.db, the key, in your profile folder). This even survives a copy of the files. When you copy both files to another computer, you still have to specify the master password before getting access to the stored (encrypted) passwords.

Now back to Chrome. The profile data (in Vista) seems to be stored in C:\Users\username\AppData\Local\Google\Chrome\User Data\Default. There is an SQLite file called ‘Web Data’ in that folder and this seems to contain the URLs and (obfuscated) saved passwords. Since there is no master password functionality as there is in firefox, this file can be copied to another computer. Doing this gives the other computer access to all websites were there is a password stored for in the file (yups, I verified this).
This might not seem like a big deal but think about it. Every process running on your computer with the same rights as the user (or more) has access to these password storage files. This includes malware as well…

So I’ll stick to Firefox for now

2 GB of Free Online Backup [Karim Vaes]

Wed, 03 Sep 2008 00:00:17 -0700

Today I want to talk about Mozy. It provides a Simple, Automatic & Secure way to backup your files online. Enjoy peace of mind in knowing that your data is encrypted and stored in a safe, remote location. Maybe the last point might frighten you, as your data/information is kept on infrastructure that isn’t yours. Then you might think to add an extra layer of encryption yourself.

The features of Mozy;

Block-level incremental backup: After the initial backup, MozyHome only backs up files that have been added or changed, making subsequent backups lightning fast.
Open/locked file support: Mozy will back up your documents whether they’re open or closed.
128-bit SSL encryption: The same technology used by banks secures your data during the backup process.
448-bit Blowfish encryption: Secures your files while in storage, providing peace of mind that your private data is safe from hackers.
Automatic: Schedule the times to back up and MozyHome does the rest.
New and changed file detection: MozyHome finds and saves the smallest changes.
Backs up Outlook files: Disaster-proof email protection.

An the last thing… You get 2GB of free online storage space! This might help you to keep important data safe?!?

Share and Enjoy:

Belgian Terrorists caught on possession of wiping software? [vandeneynde.net]

Mon, 09 Jun 2008 03:27:49 -0700

An article in Datanews (dutch only) today reports on the police arresting four ex-CCC members on two facts:

They were linked to a terrorist organization in Italy
They had ‘encoding’ software on their PC’s to securely wipe hard drives. (most likely the reporter meant wiping instead of encoding.)

On the first fact, I can certainly agree but with regards to the second fact, I did not know it was illegal in Belgium to have this kind of software installed on your PC.

I for one have Truecrypt as encryption software and Eraser as DoD compliant erasing software installed on my laptop. Am I a terrorist now?