Belgian Security Blognetwork

Dump Tools: Cut Cut Cut … [Didier Stevens]

Tue, 29 Sep 2015 00:00:04 +0000

I added a new option to my different dump tools (oledump, emldump, base64dump, zipdump and the new rtfdump): the cut option. And I will also release a standalone cut tool.

This option allows you to cut out a part of a data stream. For example to extract a PE file hidden in a byte stream.

The first updated tool to get published is oledump:

oledump_V0_0_18.zip (https)
MD5: 88C9999726C0157267E2FF31E137D66C
SHA256: 1FC9EE7A0BB5A016339C73CBE5DE2F2C0A9C006BC924A5F9346F9F4EDE060939

Here I demo the –cut option in a new video:

PDF + DOC + VBAs Videos [Didier Stevens]

Mon, 21 Sep 2015 10:46:44 +0000

I produced videos showing how I created my “Test File: PDF With Embedded DOC Dropping EICAR” and how to change the settings in Adobe Reader to mitigate this.

Wireshark Wifi and Lua Training – Brucon 2015 [Didier Stevens]

Mon, 07 Sep 2015 00:00:30 +0000

I teach a 2 day training “Wireshark Wifi and Lua Training” at Brucon. More details here.

[BruCON]

Matt — Thu, 03 Sep 2015 21:38:00 +0000

Good evening Brucon Followers ! We just thought we'd drop a quick update on some of the happenings/logistics for Brucon this year. Training Updates:----------------- * Colin Ames will replace Russ...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

nsrl.py: Using the Reference Data Set of the National Software Reference Library [Didier Stevens]

Tue, 01 Sep 2015 00:00:19 +0000

When I scan executables on a Windows machine looking for malware or suspicious files, I often use the Reference Data Set of the National Software Reference Library to filter out known benign files.

nsrl.py is the program I wrote to do this. nsrl.py can read the Reference Data Set directly from the ZIP file provided by the NSRL, no need to unzip it.

Usage: nsrl.py [options] filemd5 [NSRL-file]
NSRL tool

Options:
–version             show program’s version number and exit
-h, –help            show this help message and exit
-s SEPARATOR, –separator=SEPARATOR
separator to use (default is ; )
-H HASH, –hash=HASH NSRL hash to use, options: SHA-1, MD5, CRC32 (default
MD5)
-f, –foundonly       only report found hashes
-n, –notfoundonly    only report missing hashes
-a, –allfinds        report all matching hashes, not just first one
-q, –quiet           do not produce console output
-o OUTPUT, –output=OUTPUT
output to file
-m, –man             Print manual

Manual:

nsrl.py looks up a list of hashes in the NSRL database and reports the
results as a CSV file.

The program takes as input a list of hashes (a text file). By default,
the hash used for lookup in the NSRL database is MD5. You can use
option -H to select hash algorithm sha-1 or crc32. The list of hashes
is read into memory, and then the NSRL database is read and compared
with the list of hashes. If there is a match, a line is added to the
CSV report for this hash. The list of hashes is deduplicated before
matching occurs. So if a hash appears more than once in the list of
hashes, it is only matched once. If a hash has more than one entry in
the NSRL database, then only the first occurrence will be reported.
Unless option -a is used to report all matching entries of the same
hash. The first part of the CSV report contains all matching hashes,
and the second part all non-matching hashes (hashes that were not
found in the NSRL database). Use option -f to report only matching
hashes, and option -n to report only non-matching hashes.

The CSV file is outputted to console and written to a CSV file with
the same name has the list of hashes, but with a timestamp appended.
To prevent output to the console, use option -q. T choose the output
filename, use option -o. The separator used in the CSV file is ;. This
can be changed with option -s.

The second argument given to nsrl.py is the NSRL database. This can be
the NSRL database text file (NSRLFile.txt), the gzip compressed NSRL
database text file or the ZIP file containing the NSRL database text
file. I use the “reduced set” or minimal hashset (each hash appears
only once) found on http://www.nsrl.nist.gov/Downloads.htm. The second
argument can be omitted if a gzip compressed NSRL database text file
NSRLFile.txt.gz is stored in the same directory as nsrl.py.

nsrl_V0_0_1.zip (https)
MD5: 5063EEEF7345C65D012F65463754A97C
SHA256: ADD3E82EDABA7F956CDEBE93135096963B0B11BB48473EEC2C45FC21CFB32BAA

Test File: PDF With Embedded DOC Dropping EICAR [Didier Stevens]

Fri, 28 Aug 2015 09:30:52 +0000

Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file.

For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file.

The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file, and writes the EICAR test file to a temporary file in the %TEMP% folder.

You can download the PDF file here. It is in a password protected ZIP file. The password is eicardropper, with eicar written in uppercase: EICAR.

This will generate an anti-virus alert. Use at your own risk, with approval.
pdf-doc-vba-eicar-dropper.zip (https)
MD5: 65928D03CDF37FEDD7C99C33240CD196
SHA256: 48258AEC3786CB9BA032CD09DB09DC66E0EC8AA19677C299678A473895E79369

Hak4Kidz at Brucon [BruCON]

Matt — Wed, 19 Aug 2015 22:26:00 +0000

Hak4Kidz is an event by ethical hackers and Information Security professionals dedicated to bring the educational and communal benefits of whitehat hacking conferences to children and young adults....

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

BruCON 0x07 Training track complete [BruCON]

Tom — Wed, 03 Jun 2015 11:05:00 +0000

We are proud to present to you our complete training track for this 0x07 edition of BruCON. The line-up! : Practical Malware Analysis: Rapid Introduction by Andrew Honig (3...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

BruCON 0x07 Line-up and Early Bird Registrations [BruCON]

Clément Herssens — Sat, 16 May 2015 01:00:00 +0000

Hello there BruCONneers! Over the past month we have been chewing over the CFP submissions. We received really great proposals and had to make some tough choices. And finally, white smoke! We are...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Brucon 2015 CFP Extension [BruCON]

Matt — Thu, 02 Apr 2015 20:52:00 +0000

Greetings all As you may know already (or know now for certain) the Brucon 2015 CFP has been extended by two weeks. This means it will close for good on Wednesday the 15th of April at midnight...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Unwanted or wanted toolbars, when to detect.. [miekiemoes]

noreply@blogger.com (miekiemoes) — Sat, 16 Feb 2013 17:26:00 +0000

This is a follow up on a previous blogpost of me: http://miekiemoes.blogspot.be/2012/01/unwanted-toolbars.html
I received a lot of feedback on this (mainly via mail) which was an eye-opener....

We can't ignore the fact that more and more free software is bundled with an additional toolbar or software to cover the costs. After all, developing & have the bandwith available for downloading the software isn't free, so it's understandable they need some sort of coverage for the costs. The affiliate who offers the most is obviously being used more frequently into bundled installs. In most (almost all) cases, when a user installs the software, they are presented with options whether they want - or do not want to install this additional certain software bundle. Since, in most (almost all) cases, this is pre-selected by default, people don't bother with the install screens, don't read and just click "next" and "next". Then, in the end, they are complaining about an additional toolbar/startpage/searchpage they never wanted.

This is exactly why I can't stress enough to read "install screens" while you're installing a program. If you don't want the additional crap, just unselect from the install screens. In case you have installed it already, in most cases, it's easy to uninstall them again. Most of these affiliates have additional uninstall/remove instructions on their site.

Alot of these toolbars or additional software is harmless though - you can basically compare them with the "google" - or "yahoo" toolbar (although there are some exceptions).
This is why I would love to hear your thoughts on this. Should an AV-Vendor detect such (harmless) toolbars or not? Basically, when to detect - or when not to detect?

Toys for Xmas [miekiemoes]

noreply@blogger.com (miekiemoes) — Tue, 18 Dec 2012 18:19:00 +0000

I've listed some "must have" goodies for the geeks among us for 2013. Probably, most of you have these goodies already, but in case you don't, it may be a good idea to put on your Xmas list.

* USB3 & USB3 & more USB3

If you're planning to buy a new PC or laptop or anything else with USB ports, please make sure you have at least 1 or 2 USB3 ports. While USB3 was released in November 2008 already, we now start to see more units with USB3 ports/support. USB3 is much faster than USB1 or USB2 and they are still backwards compatible with older USB ports. Basically, it's almost 10 times faster than USB2. If you want to buy a flash drive, get a USB3 flash drive. It's still more expensive than USB2, but it's really worth the price (which will drop soon anyway). Ofcourse, you gain most from this if you connect from a USB3 port. Most (if not all) new units are supported/have USB3 ports now anyway, so this is one of the reasons why you should stop buying USB2 flash drives or anything else USB2-ish :D

* Replace old drives with an SSD (Solid State Drive).

Many of you probably have old PCs/laptops and you want to give it some boost/power. Adding RAM is a good option, but you may want to consider to replace your HDD with an SSD. Solid State Drives are faster than conventional spinning drives because they have no moving parts. The storage on an SSD is handled by flash memory chips. Advantages are less power usage, higher reliability and faster access to your data. They are also less resistant to shocks and vibration.

In general, when you install an SSD, the first immediate benefits are faster application load time and faster boot time. SSDs aren't cheap, but really worth the price. Disadvantage is, you have less data storage than a conventional HDD (comparison size/price with HDD), but if storage isn't a real problem for you - then you really might want to consider an SSD. After all, you can still combine it with an internal or external HDD to store your data. SSDs have dropped in price to the point where it's affordable to replace your laptop or PC HDD. Normally, a 128GB SSD should suffice your storage needs (just compare with the current storage you need/have) - but a 256GB SSD is even better. You can have larger SSDs as well ofcourse. You can read more about SSDs here: http://en.wikipedia.org/wiki/Solid-state_drive and here: http://lifehacker.com/5932009/the-complete-guide-to-solid+state-drives

You can also easily migrate your Windows installation from an HDD to an SSD without losing any data or reinstalling Windows. There are a lot of tutorials on the net for that.But I personally prefer to start from scratch to avoid any issues. In either way, there's a good tutorial here: http://lifehacker.com/5837543/how-to-migrate-to-a-solid+state-drive-without-reinstalling-windows

* Get a docking station for your SATA drives with USB support

This is really a MUST HAVE! I am sure many of you have come in situations where your HDD wouldn't boot, or you want to mount a drive that has failed.

For many (inluding me), it's a hassle to mess around with adding the drive as a slave to your PC in order to get access to the data and transfer/alter/delete. This is exactly one of the reasons why I bought this. Just slide in your SATA hard drive, connect via USB to your PC/Laptop and power on in order to see it as an external drive. You have them in all types and flavours - support for 2,5" drives AND/OR 3,5" drives, SSD, dual docking SATA station (for quick/easy cloning)... Ofcourse, I also recommend to get one with USB3 ports/support.

If you have any other MUST-HAVE! for Xmas, please let me know - I still haven't decided yet what to get (I have above already) :)

images courtesy of http://blog.laptopmag.com, http://www.sharkoon.com, http://www.datapro.net

New PGP key [Security4all]

Bkay — Mon, 27 Feb 2012 17:01:00 +0000

Just a short notice that I updated my PGP key. Barely anyone ever used my key and sent me encrypted email. But as I'm lately getting more involved in CERT/CSIRT related activities and communication with teams around the world, there was a need for starting encrypting my mails again.

My key can be found on the usual keyserver(s) and the fingerprint is: 16BD 01DD DD08 1144 48DF 4464 D3FB 8E48 B68C F245

I'm not sure if I'll pick up blogging again soon, but don't unsubscribe just yet. My move to Japan was very interesting and the adventure has only just started!

(Cartoon courtesy of XKCD)

Unwanted Toolbars [miekiemoes]

noreply@blogger.com (miekiemoes) — Thu, 05 Jan 2012 12:38:00 +0000

While I know this is old news and has been blogged/posted about a thousand times already - I still notice a lot of users having problems with an overload of toolbars they don't want/need.

More and more software (mainly free software) bundle their software package with a toolbar since it's an extra source of income.
While in some cases, a toolbar *can* be necessary or useful, always ask yourself if you really need/want this toolbar.

Additional Toolbars can slow down your browser since it takes longer to start them up, can interfere with certain webpages you want to view, can have compatibility issues with other toolbars/add-ons already installed or can even crash your entire browser.
Apart from a toolbar/BHO, some toolbars also add additional loading points (run key, service, appinit_dlls..) which may cause an extra slowdown of your computer in general.
Toolbars also take up extra space in your browser, leaving you with less content of the webpage you want to view.

Do you really want your browser to look like this?

If the answer is Yes, then I suggest you check with your eye specialist or stay away from computers and find another hobby.

Also, not all toolbars are as harmless as they look. Do you want them to monitor your browser activities? What sites you visit? Collect other info from your computer?
Do you want them to redirect searches? Change your startpage? Display Advertisements (targetted Ads)? If the answer is No, then uninstall them or don't install them in the first place.
In most cases, legit software with a toolbar bundled, offers the user the option to uncheck the toolbar during install. Too bad most have these toolbars pre-checked already, so many users who install the software just click through the installation screens (next) in a hurry and end up with toolbars they don't want or need.
And that's still the biggest mistake users make.

That's why it is always a good practice to read every part of the installation screens the software displays, so you don't miss the option where you can uncheck the toolbar or other junk during install.
Also, it's a good practice to always read the EULA/Privacy Policy when you want to install certain software.

Example:

Unfortunately, not every software bundled with a toolbar/other junk offers this option to uncheck during install. This is bad practice and such software should be avoided in the first place.

In case you have (accidentally) installed a toolbar you didn't want/need in the first place, use the Windows’ built-in "Add/Remove Programs" in the Control Panel ("Programs and Features" in Vista/Win7) and look if it's listed there so you can uninstall it.
Or, in case it's not listed there, you can disable or remove them them via your browser:
For Internet Explorer: http://technet.microsoft.com/en-us/magazine/dd364987.aspx or http://mintywhite.com/windows-7/7security/5-easy-ways-uninstall-toolbars-internet-explorer-8/
For Firefox: http://kb.mozillazine.org/Uninstalling_toolbars
For Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=en&answer=113907
For Opera: Click Tools > Preferences > Advanced Tab > Toolbars (listed on the left). There you can select and delete the toolbar.

In general, if you don't use/need toolbars, uninstall them or don't install them in the first place.

ABN AMRO Phishing mail [miekiemoes]

noreply@blogger.com (miekiemoes) — Wed, 30 Nov 2011 09:22:00 +0000

Another phishing mail I received today. Looks like my mailbox attracks phishing mails this week...
This certainly gives me a reason to blog more often again ;-)

This one is targeting Dutch ABN AMRO bank account users.

------

Geachte ABN-Amro klant,

® Op dit moment is ABN-Amro bezig met het vernieuwen van de systeembeveiligingen. Hierbij vragen wij u om uw persoonsgegevens opnieuw in te vullen door op de onderstaande link te klikken

Wij zullen de gegevens verifieren en als het nodig is de aanpassingen opnieuw in het systeem opnemen. Hierna wordt telefonisch contact met u opgenomen om de gegevens te beveiigen.

------

This one is sent from the spoofed mailaddress ABN AMRO NV customercare @ abnamro.nl
When you click the Log in button, it redirects you to a phishing page where it asks you to fill in your bank account and passnumber.

It looks like there are a lot of similar phishing mails going around lately to target ABN AMRO bank account users and I fear a lot of new ones will follow.
In case you have received a similar mail from ABN AMRO, please report it via their website:
https://www.abnamro.nl/nl/overabnamro/f_aanvragen.html

Beware Telenet.be users - Telenet.be phishing scam going around [miekiemoes]

noreply@blogger.com (miekiemoes) — Sat, 26 Nov 2011 14:25:00 +0000

First of all - WOW! It has been ages I have blogged here ! I really should start to blog more often again. Work & life has kept me real busy lately, so unfortunately there's not much extra free time left over anymore.
If only there were 36 hours in a day, so much I still want to do and learn...

Anyway, Just received the following in my mailbox today:

Dear 'pandora.be' E-mail User,

We are currrently upgrading our database and all account need to be verified.To complete your account activation with us, you are required to reply
to this message and enter your password in the space provided (********) you are required to do this before the next 48 hours of the receipt of this email or your database will be de-activated from our database.You are required to reply this message to telenet.be helpdesk database office on their email address: help-desk@email.com

Full Name:
username:
Password:
Thank you for using pandora.be.
Copyright 2011 © pandora.be web Team.

Stacy Williams
PANDORA.BE HELP DESK OFFICE
Hosting: Telenet Operaties N.V.
IP Address: 195.130.144.20

Telenet.be (Pandora.be is controlled by telenet.be) is one of the biggest ISPs here in Belgium
Above is a fake email and in no way associated with Telenet.be.
This mail is designed to steal your telenet.be credentials.
Telenet.be would never ask for your credentials via email, nor would any other company.
As a matter of fact, never ever give your passwords/credentials via mail, no matter who the company claims to be.

If you received this mail, delete it - certainly do not respond to it.
In case you have become a victim of this mail already and responded to it, change your password asap.
For telenet.be users, see here.

The unofficial BruCON party guide (plz RT) [Security4all]

Bkay — Fri, 16 Sep 2011 07:36:00 +0000

The third edition of BruCON is about to happen and I'm really looking forward to it. This is an attempt to the Hitchhikers Guide to the... euhm... fun bits of BruCON. Besides the workshops, presentations and training of BruCON, there are also some social events you can attend. So here we go.

First is SushiCon, the pre-BruCON get-together at a Japanese restaurant. Details here. After dinner we'll head for the Belgian beer heavens. You can just join us for a beer later as well. Check Twitter for last minute movements.

Second main event is of course the BruCON party @ Havana Club on Monday evening! Feel free to throw some events of your own and list them on the wiki. For ad-hoc meetings, follow the #brucon hashtag.

The BruCON wiki also has a small list of bars / restaurants (plus recommendations of beer) etc you can explore! It's far from complete so please expand this page based on what you know or discover!!

Now what about Travel aka How to get around? Apart from the basic BruCON Travel page, here are some tips:

Once in the city, the metro/tram will probably be your main mode of transportation! The metro connects the BruCON hotel (Ibiz) with the city center (Grand place) and the BruCON Venue @ VUB. Check out this awesome Google map with all of the known BruCON (party) locations.

http://g.co/maps/fkm5y (hat tip to @5M7X)

Metro Stops: Here is the network map of the Metro: http://www.mivb.be/netplan-plan-reseau.html?l=en
Payment: You can get a pre-paid 10-journey card at newsstands and vending machines at the stations: http://www.mivb.be/10-voyages-ritten.html?l=en (if they sell the MOBIB one, it's RFID based on Calypso). The difference between the MOBIB and the JUMP card is that the JUMP also allows you to take the train between the different Brussels stations (but not beyond Brussels).

Getting from Ibiz hotel to Grand Place:
Take Tramway route 4 direction GARE DU NORD. At 8:08, get off at stop BOURSE (5 min.) or alternatively, you can walk for +-25 minutes.
Getting from VUB (BruCON) to Grand Place:
Walk to stop DELTA (3 min.). Take Metro route 5 direction ERASME. Get off at stop GARE CENTRALE (12 min.) and walk to Grand Place. (check Google map)
Getting from Ibiz hotel to VUB:
This PDF map from VUB explain all the possible transits from all major stations (South (Midi), Central and North)

So I hope this helps. Have fun but keep it safe! See you all at BruCON!

UPDATE: First new event on Saturday already popped up (hat tip to Andreas):

Moeder Lambic feat. Stone Brew Co.
http://www.moederlambic.net/events/en/events 30 Belgian beers on tap, 30 US specialty beers from Stone Brewing Co on tap, and to finish it off, the Cantillon Zwanze will be served on saturday. Historic event not to miss for any beer geek. Date: Saturday, 17th @19:00

Keep checking the events page for updates!!

Help improve the CISSP community. Support Wim. [Security4all]

Bkay — Mon, 29 Aug 2011 18:28:00 +0000

My blog kinda died down after being involved with BruCON and I wasn't really planning on blogging again unless I had some good (original) content. Since I'm going for the JLPT1 certification in the next years, this may take a while. BUT I'll make an exception today to support Wim.

A lot of us in the infosec community have a CISSP. The first reason is to bypass the HR checklist filters but is there really an added value besides it? I hear a lot of the people in this community being more critical with the years. Especially the CISSP code of ethics is something I think is too black and white.

But why only complain about it? Why not TRY to change things for the better. This is why Wim Remes has decided to try for a board election. I know him personally and I can vouch a 100% for him. Here are some of his points:

A closer collaboration with the information security community at large. This means recognition of what is currently considered to be an outlawish community but what I consider as a treasure trove of knowledge and capability that remains untapped. Either because we are afraid of what we don't understand or because hackers are still suffering from a bad image. Not in my book!
A review of the certification requirements for the flagship (ISC)2 certification, the CISSP, in order to bring it back to the level it once was on. Ideally with the incorporation of more in-depth requirements on a technical level, requirements in soft skills and, possibly, the addition of a written paper requirement that would show the knowledge the candidate has acquired during the learning process. This last requirement would feedback into the community becoming a valuable resource for security professionals globally.
I am from Europe. I still feel that many of the subject covered by (ISC)2 and other organizations are focused on the US. My goal is to widen the efforts to a global approach that brings communities from different continents together instead of seperating them further. While there is a different in laws, culture, etc. across continents, I firmly belief that we have more in common and there needs to be a better collaboration in order to address the security challenges we have coming at us.

Check out more details here. Or listen to the latest Eurotrashsec podcast where he explains more about his views.

For the latest updates, follow the #wim4board hashtag on Twitter

Don't just take my word for it. I can also see that I am not the only one who thinks this is a good idea. He has the support of a lot of good people.

You don't have the certificate? Then give out a shout to him online and throw up a blogpost!

Got for it Wim!!!

How to follow #Blackhat / #Defcon / #BsidesLV without being there (2011 edition) [Security4all]

Bkay — Wed, 03 Aug 2011 21:09:00 +0000

Note: update of my similar older posts

Well, I'm one of the poor souls who couldn't make it to the Blackhat/Defcon / SecurityBsides fun. There are some ways to follow the events in Vegas (real time). ;-)

The first tool is to use twitter and follow the hashtags #defcon, #blackhat and #bsideslv. If you have a twitter account, I would recommend installing tweetdeck and setting up 3 search columns. For those without a twitter account, you can use the Twitter search (and import it through RSS) or even better: twitterfall.com which is more interactive. Alternatively, give monitter also a try. Has a more Tweetdeck column "feel". I like it.

Keep an eye on the Security Bloggers Network (RSS). A lot of security bloggers will be covering the event.

You can also monitor Flickr for the tag 'defcon19' (RSS). And this site collects all the @blackhat and @defcon pictures from twitter: http://hashalbum.com/blackhat and http://hashalbum.com/defcon

This social media aggregator also looks nice: http://twubs.com/bsideslv, http://twubs.com/defcon and http://twubs.com/blackhat (all your tweets and twitpics are belong to us!) ;-)

I think that's more then enough to follow the event except for a live video stream. And in a limited way, for Blackhat there is one: https://www.blackhat.com/html/bh-us-11/bh-us-11-uplink.html. Giving it a go as we speak.

If you have more tips, feel free to mention them in the comments.

Are you a pentester? Then read this! [Security4all]

Bkay — Thu, 24 Feb 2011 13:26:00 +0000

If you work in a Redteam, then the following "project" is certainly one to take note of!!!

The Open Penetration Testing Bookmarks Collection …is just that, a collection of handy bookmarks I initially collected that aid me in my day to day work or I find in the course of research. They are not all inclusive and some sections need to be parsed but they are all good reference materials. I find having this Hackery folder in Firefox an easy way to reference syntax, tricks, methods, and generally facilitate and organize research. Hopefully the initial set will grow and expand. Opening it up to everyone will facilitate a knowledge transfer.

Speaking of Pentesting, a lot of people have been complaining about the difference of quality and the lack of a standard for Pentesting assignments. So here we have it: the "Penetration Testing Execution Standard" has been kicked off by some experienced people from the field! It's far from finished but I expect some good things to come from it. Check it out!!!

The Dutch National Cyber Security Strategy [Security4all]

Bkay — Wed, 23 Feb 2011 19:29:00 +0000

Our Dutch neighbors will start a National Cyber Security Center. GoverCERT.nl will play a major role and published the strategy document this week. A lot of non-brainers are in there like the need for more international collaboration etc... There is an English version so you can read it yourself.

Download here

They did mention the need for more individual responsibility but apart from awareness campaigns, I'm not sure how they will achieve this. A lot of reports show that 30-50% (some even more) of consumers are infected with some kind of malware and this is certainly a problem that we need to tackle.

There was one little detail in the report that sparked my interest: "International Watch and Warning Network (IWWN)". I never heard about this before so please excuse me while I'll go Google it!

Does your country have a strategy? Link it below! ;-)

When a CERT has to break the law [Security4all]

Bkay — Wed, 23 Feb 2011 19:07:00 +0000

I spotted an interesting article on ZDnet Australia today: "Fraudsters escape as laws bind AusCERT".

AusCERT head Graham Ingram said the logs were previously viewable in plain text, but are now stored in a protected MySQL format.

"They are encrypted and we can't break that by law," he told an audience at the National Security Australia conference in Sydney yesterday.

This was the part that caught my eye. Is this a new trend? Is this a legal issue limited to Australia? At least I hope so. There have been many examples on police getting exempt from certain security laws like the "police trojans" (Germany). I have mixed feelings about such actions but I totally support a CERT or forensics team bypassing "protected" parts of a system if crimeware is involved. I'm just wondering if the malware writers had this legal issue in mind when they 'protected' the info or if they were just protecting their assets against competitors?

Speaking of CERTs, CERT Polska published a really interesting article today on the new Zeus malware involving banking trojans that infect Blackberries and Android phones. Check it out here. Now that banks are gearing towards dual authentication through phones and/or mobile apps, the threat landscape just followed. Where there is money, there is.....