
Tuesday
The date for the Hackerspace Antwerp Startup Meeting

A lot of people responded for a startup meeting in Antwerp and are really divided over two possible dates. So I decided I will be there on both dates, although I can't stay very late.
So on Saturday the 9th or Friday the 15th, please join us. Here is the original doodle: http://doodle.com/
Feel free to comment and to share the link with others!!!
(Photo under creative commons from "Scott Beale / Laughing Squid")
Posted by Security4all at 5.1.10 | 0 comments
Labels: antwerp, hackerspaces
Monday
Download the #26C3 videos and bonus material

So the 26th Chaos Communication Congress is over and it was a blast. For those that missed some talks (like me) or couldn't watch the live streams, you can download the video of almost all presentations.
The best location to find the latest videos is:
ftp://mirror.fem-net.de/CCC/26C3/
There you will find the videos in mp4-format, in mp3 or ogg audio files or mp4-ipod formatted videos.
You can also watch the videos online thanks to CCC-TV. No need to download everything.
I made some recordings of some of the things happening around the conference. Check my Ustream.
Posted by Security4all at 4.1.10 | 0 comments
Labels: 26c3, community, conference
Wednesday
Discussing about Hackerspace Antwerp

Some people have been thinking aloud about also starting a hackerspace in Antwerp. I decided to gather all these people and have a beer. Let's see if there are enough people to take the first step. If you know people who could be interested, please let them know.
If you want to join us, have a look at http://doodle.com/participation.html?pollId=pci5yiksm5nwimg6&0
A hackerspace is an interdisciplinary community for learning, teaching, and creating. Instead of starting with a defined range of projects or programming, a hackerspace is driven by its members. It is a place where members have the infrastructure and resources to work on projects that interest them. Hackerspaces promote people to be hackers in the broadest sense: to learn all they can about the fields that interest them, explore their bounds, and create new and interesting ways to apply that knowledge. The people in a hackerspace also share their knowledge with others who share their interests, through classes, working groups, or day-to-day discussion while working on projects. That is where the fascinating educational potential of the hackerspace lies: there is no finite list of the skills that can be taught and exchanged. People share what they know with members and the community at large, and it results in more people having the knowledge to make something new and tangible out of their ideas and interests. (source: pumping station one)
Related posts:
- What is a hackerspace?
- What does a hackerspace looks like? And the next Hackerspace Brussels meetup.
- Hacker Space Brussels - Wifi Workshop
- New hackerspace @ Brussels
Posted by Security4all at 23.12.09 | 0 comments
Labels: antwerp, hackerspaces
Saturday
#26C3 Mobile Schedule for Android and iPhone

In less than a week, it will be time for the biggest hacker conference in Europe: The Chaos Communication Congress (which I will be visiting). I will be covering the event and documenting some tips. Let's start with a few good ones.
For your convenience, two applications were made with the 26C3: Here be Dragons Schedule (Fahrplan), one for Android and one for the iPhone (iTunes link). Kudos to the people who made them.
If you don't have a PDA/smartphone but are bringing a DECT phone: Call Voicebarf on DECT#7666 to know the upcoming talks at that moment.
There will also be schedules displayed throughout the conference center, so don't print them and save some trees.
If you can't make it to the conference, several locations around the world will be displaying the live video streams. Go out and meet some new people. Check "Dragons everywhere" for locations.
If it's your first time to this conference, have a look at: Preparing your laptop (or iPhone) for a security/hacker conference.
For all other matters, read through the 26C3 wiki and their FAQ.
Follow @security4all on Twitter for live tweets about the conference or follow the #26c3 hashtag in general. Some clients like tweetdeck support following hashtags, or you can use http://search.twitter.com, either online or through an RSS feed.
If you want a free BruCON sticker, find me at the conference. ;-)
Related posts:
- Get the #DEFCON 17 CD Archive (updated x2)
- Day 2: A collection of #Blackhat articles: keeping remote track of the event
- BlackHat slides available and first blogposts
- How to follow Blackhat/Defcon without being there
- Preparing your laptop (or iPhone) for a security/hacker conference
Posted by Security4all at 19.12.09 | 2 comments
Labels: conference, hacking
Ways to bypass the Big Belgian firewall
Yes, the Belgian government can decide which websites we visit and which we don't. It is the first step on a road that will lead us to situations like we have seen in Australia (According to Child Support groups, Net filtering is a waste of money).
Here is the best Belgian article I have read to date about this issue, which covers all aspects: "zwarte lijst voor belgische surfers omstreden" by Els Bellens (Zdnet.be)
As Tim Berners-Lee, inventor of the WWW, stated, the internet was designed to be used without limitations. The main argument of government officials for starting this blacklist is that "average users won't be able to stumble upon these bad websites anymore. It's for their own protection."
And in typical Belgian fashion (luckily for us), it's implemented in the least efficient manner: a DNS blacklist.
And as expected, a lot of internet users (e.g. blogologie, lvb.net, belgiancowboys.be, tik vzw) have started listing ways to bypass this filter just as a matter of principle (like the Streisand effect).
So let's hope that this blacklist will go away and the government will stop throwing away money on an inefficient system that will never work.
Posted by Security4all at 31.10.09 | 1 comment
Labels: belgian, censorship
Wednesday
Sign against Dataretention - bewaarjeprivacy.be

Finally something in Belgium to be proud of. Several organizations in Belgium representing internet users, lawyers, journalists, etc. have started a petition against the Belgian adaptation of the EU Dataretention law.
Why should you sign this petition?
- It's an invasion of your privacy
- It makes 10 million Belgians potential suspects
- It invades the professional confidentiality between lawyers and their clients, journalists and their sources, etc.
- The necessity of Dataretention has yet to be proven
- Dataretention provides no guarantee against terrorism or crime
- It will result in a high price that consumers will have to pay
Posted by Security4all at 28.10.09 | 0 comments
Labels: privacy, surveillance projects
Tuesday
Automated Social Networking Surveillance Systems

Last week, I noticed the existence of an EU surveillance project called "Intelligent information system supporting observation, searching and detection for security of citizens in urban environment" better known as "INDECT". You can have a look at their official website.
According to Wikileaks, INDECT’s “Work package 4” is designed “to comb web blogs, chat sites, news reports, and social-networking sites in order to build up automatic dossiers on individuals, organizations and their relationships.” Ponder that phrase again: “automatic dossiers.” (source)
Automatic dossiers? Doesn't that give you a warm fuzzy feeling inside? There are a lot more reports and articles mentioned about similar projects (including network monitoring and data mining suites designed by Nokia Siemens, Ericsson and Verint) on this website.
I enjoy and believe in the benefits of social networks as long as common sense prevails about what you publish. But how many people are aware of the potential issues? Not that mass surveillance should be expected and allowed.
Say a word online out of context and be labeled a potential 'problem' case. I don't believe in a technological magic wand that will correctly filter information. Too many possible false positives. Hasn't the world of IDS taught us that? Question is, who is making the alert filters for these systems? Who is going to watch the watchers?
Some time ago, the Social Media Security blog and podcast was founded. While I haven't really had time to spend on it, I highly advise having a closer look at it.
So apart from cybercriminals, must we also fear our governments?
Related posts:
- International Action Day “Freedom not Fear 2009 – Stop the Surveillance Mania!” on 12th September 2009
- According to Child Support groups, Net filtering is a waste of money
- Big Brother 2009: Has the rebellion started?
- Privacy matters: A movie by XS4ALL to raise user awareness to data surveillance
- ENISA's New Paper: "Inside the matrix: Privacy & data protection challenges".
- Dress good! Google Streetview driving around in Belgium.
- ENISA releases paper on Security and Privacy in online games and social and corporate virtual worlds
- Skype backdoor speculation and Data surveillance of today
- FBI Wiretapping: Just point and click
- China's golden shield, a citizen mass surveillance system
- The dangers of social networking and some countermeasures
- German ID card won't include fingerprints
- Billion pound UK CCTV solves 3% of crimes. Efficient?
- When technology takes over our life
- Airport Security: All your data are belong to us
- Dutch government wants fingerprints of every dutchman in national database
- Wikileaks releases details on German police Trojan
- EU might decide that an IP is personal information
Posted by Security4all at 27.10.09 | 0 comments
Labels: privacy, surveillance projects
Privacy and the 'Belgian Mobility Card' (BMC)

It has been a while since we blogged about the "Privacy failure in the Belgian RFID transport card", but the card will still be introduced nationally.
See Chipkaarten De Lijn niet voor volgend jaar (datanews)
Testing will occur in 2010 and the rollout will happen during 2011 and 2012. Time to go over some past facts.
Some researchers of the UCL published a report about a privacy issue, together with the opensource tools that they used to test the card, on http://www.uclouvain.be/sites/security/mobib.html
But the details of the research were removed soon after, together with the tool. Why? Were they pressured into removing it? What would the benefit be in removing it? Don't people know that security by obscurity doesn't work? Sounds a bit like a conspiracy, considering who owns the transport card company and who subsidizes the university. But we can't say for sure.
Some details could still be found via google:
http://www.uclouvain.be/sites/security/download/slides/Avoine-2009-iwrt-slides.pdf
From the PDF:
Personal data are stored in the clear in the card.
- Data stored in the card during its personalization: name of the holder, birthdate, zipcode, language, etc.
- Data recorded by the card when used for validations: last three validations (date, time, bus line, bus stop, subway station, etc.), and some additional technical data.
How can this not be an issue? This can totally be abused by stalkers with a good antenna and a laptop in their backpack, just to name one of the obvious abuses. Fathers, lock up your wife and your daughters.
So I hope that the MIVB/STIB, minister Hilde Crevits and other parties involved in the Belgian Mobility Card (BMC) will do the right thing and NOT store this sensitive information in the clear before launching this card!!!
The claim that our national ID contains the same public information is true, but the ID is not a contactless card. Meaning I have to take it out of your wallet and physically put it in a reader. Comparing those two and claiming there is no issue with cleartext information on a wireless chip is a fantasy story.
There is enough information and other tools available to read the info on the card. e.g.
Other online articles mentioning the issue:
- Met Mobib op het openbaar vervoer in Brussel: uw gegevens te grabbel? (Permanent Gecontroleerde Zones)
- Gekraakte Mobib-kaart doet vragen rijzen naar privacy (Brussel Nieuws)
Posted by Security4all at 27.10.09 | 0 comments
Labels: privacy
Monday
Flu epidemic already announced in Belgium
First of all, this is about the general flu epidemic which occurs every year. It's nothing H1N1 specific, which has been overhyped. Act normal and use common sense. But this is relevant information. Apply good hand hygiene, eat healthy and get enough sleep. Enough said.
The Belgian center for Flu Control announced a flu epidemic in their latest week report (pdf) mentioned in their weekly newsletter. Here is the interesting bit translated to English.
Influenza Surveillance for week 40 (28 September to 4 October)
The epidemic findings for week 40 are: The surveyed data show a heightened circulation of the Influenza virus and a moderate activity for the flu symptoms. According to the determined criteria, the flu epidemic has started.
...
The number of H1N1 cases has doubled compared to last week and was estimated at 4160 in week 39 with a cumulative total of 12678.

Google search results and other online sources are also a good indicator and they do confirm the results of the Belgian flu center. Have a look at the B.V.L.G blog for a detailed analysis (Dutch) with some nice graphs.
Posted by Security4all at 12.10.09 | 0 comments
Labels: business continuity, user awareness
Thursday
Null character MITM Certificate released
This year Dan Kaminsky and Moxie Marlinspike discovered that some CAs would approve a request for a certificate for a name such as "Paypal.com\0.phishing.com". What made it worse is that SSL clients (and browsers) would ignore the characters after the null character, leading to an effective SSL Man in the Middle attack.
Although it isn't possible to request these certificates anymore, Jacob Appelbaum released such a certificate yesterday together with the private key, stating that everybody had time enough to fix the issue. If you're a developer, you might want to look into this issue. For example Blackberries were still vulnerable to the attack.
Firefox patched the issue a few days after the initial presentation but other browsers like IE and Chrome rely on Microsoft's CryptoAPI to process the certificate and are still vulnerable.
"There are thousands of products on Windows right now that are still vulnerable to this SSL attack, and if someone were to publicly publish a targeted null prefix certificate, they'd be in trouble," said the white-hat hacker, who goes by the moniker Moxie Marlinspike. "Basically, everything that runs on Windows would be vulnerable with that one certificate." (source: Theregister.co.uk)
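The null-character problem described above, as an added example (not code from the original post, nor from any browser or library): a certificate name is a length-prefixed byte string, and a matcher that handles it as a C string stops reading at the first \0. The struct and function names are hypothetical, and the sample names are constructed from the example in the post.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type: a certificate name is a length-prefixed byte
 * string, so it may legally contain a \0 in the middle. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Case-insensitive comparison of exactly n bytes. */
static int ci_equal(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: treats the name as a C string. strlen() stops at the
 * first \0, so everything after it is never compared. */
int match_naive(const struct cert_name *cn, const char *host)
{
    size_t seen = strlen((const char *)cn->data);
    return seen == strlen(host) && ci_equal(cn->data, host, seen);
}

/* Hardened: reject any name with an embedded \0, then compare using the
 * declared length so every byte of the name takes part in the match. */
int match_strict(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && ci_equal(cn->data, host, cn->len);
}

/* Constructed sample names; the first is the example from the post. */
static const unsigned char NULL_PREFIX[] = "Paypal.com\0.phishing.com";
static const unsigned char HONEST[] = "paypal.com";
const struct cert_name null_prefix_cn = { NULL_PREFIX, sizeof NULL_PREFIX - 1 };
const struct cert_name honest_cn = { HONEST, sizeof HONEST - 1 };

int main(void)
{
    printf("naive,  null-prefix cert vs paypal.com: %d\n",
           match_naive(&null_prefix_cn, "paypal.com"));
    printf("strict, null-prefix cert vs paypal.com: %d\n",
           match_strict(&null_prefix_cn, "paypal.com"));
    printf("strict, honest cert vs paypal.com:      %d\n",
           match_strict(&honest_cn, "paypal.com"));
    return 0;
}
```

Developers reviewing their own hostname checks can look for the same pattern: any place where a name taken from a certificate is passed to a function that expects a NUL-terminated string.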
Posted by Security4all at 1.10.09 | 0 comments
Tuesday
Security bloggers meetup London @ RSA
Well, like last year, we securitybloggers (-twits) are coming together for a drink and to meet the people behind the avatars. It was a small but fun beginning last year and we hope to see even more people this year.
Details on location etc... can be found on securityactive.co.uk.
Posted by Security4all at 29.9.09 | 0 comments
Labels: community, networking
SMBv2 exploit for Vista and Server 2008 released
While I was too busy with BruCON, it seems that an SMBv2 vulnerability was published: Security Advisory 975497. While it affects Windows Vista and Server 2008, other versions are not vulnerable (including Windows 7 and Windows Server 2008 R2).
Port 445 needs to be open for the service to be exploited. Microsoft hasn't released an (out of band) patch since there was no working exploit code but promised to do so if the threat landscape changed. Blocking ports 135 and 445 is one of the recommended countermeasures. You can also disable SMBv2 through a registry key if not needed.
So far it was only possible to crash the service, but that changed today. Working code has now been added to Metasploit. Although the code still needs improvement, it worked on several machines.
So, will we see new worms coming our way? Although Conficker was well written, fortunately it wasn't really used to its full potential. Will we be that lucky again?
Discuss vulnerabilities instead of patches at your patch meetings, because only patching doesn't cut it. Have a look at NIST's Creating a patch and vulnerability management program.
Posted by Security4all at 29.9.09 | 0 comments
Labels: vista, vulnerability, windows
Friday
CERT.be is hiring
As was told during BruCON, we can stop complaining about a missing CERT in Belgium. BELNET is looking for people to extend their team and the team should be up and running by January 2010. A big applause for their introduction!
If you are interested, look at their website cert.be/jobs.
Posted by Security4all at 25.9.09 | 0 comments
Labels: belgian
Tuesday
International Action Day “Freedom not Fear 2009 – Stop the Surveillance Mania!” on 12th September 2009

I somehow completely missed any communication about this International Action Day “Freedom not Fear 2009”.
Unfortunately, it seems that it is on the 12th of September already and that there is nothing planned in Brussels. Bad communication? Or is there nobody in Belgium at least a little bit interested in their privacy and civil rights?
More info on http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009
(Photo under creative commons from maha-online's photostream)
Posted by Security4all at 8.9.09 | 0 comments
Labels: privacy


