Benny for president

Today, a friend sent me this image:

Very funny! ;-)

The USCC report about chinese espionage

After the MI5 letters, after the McAfee Report, we bring you information from the U. S.-China Economic and Security Review Commision. (USCC)

The Commission has just published the executive summary to their 2007 report to Congress stating "Chinese espionage activities in the United States are so extensive that they comprise the single greatest risk to the security of American technologies."

Concerning China's offensive computer capabilities the summary states:

"Chinese military strategists have embraced disruptive warfare techniques, including the use of cyber attacks, and incorporated them in China’s military doctrine. Such attacks, if carried out strategically on a large scale, could have catastrophic effects on the target country’s critical infrastructure."
And recommends:
"...adequate support for protecting critical American computer networks and data: The Commission recommends that Congress assess the adequacy of and, if needed, provide additional funding for military, intelligence, and homeland security programs that monitor and protect critical American computer networks and sensitive information, specifically those tasked with protecting networks from damage caused by cyber attacks."
Previous articles:
Read all my related articles.

MI5 warns UK firms about China's People's Liberation Army

The plot thickens. Today, the head of MI5 Jonathan Evans, has written letters to financial, legal and retail firms advising them to undertake a risk assessment of their IT security defences. Why? Because they claim that China's People's Liberation Army is conducting a concentrated campaign of cyber espionage against UK businesses. Sounds familiar? From

"The Centre for the Protection of National Infrastructure (CPNI) has been monitoring activity from the People's Liberation Army in China," said KPMG principal advisor Martin Jordan, who has seen a copy of the letter.

"The activity has led them to believe that there is a serious and concerted attempt at electronic espionage through every sinew of British industry."

Chinese companies are allegedly looking to make financial gain out of the information.

"If they know that British firms are trying to buy a company or a plot of land in China then they have got room to manoeuvre at the negotiating table because they know what a company is prepared to pay," said Jordan.

Last summer a slew of cyber attacks on Whitehall departments were alleged to have originated in China. Beijing strenuously denied the claim .

Bot herders arrested in 'Bot Roast II' operation

From the FBI press release:

'Bot Roast II' Nets 8 Individuals
Second Phase of Ongoing Cyber Investigation Reveals More Than $20 Million in Economic Loss and More Than One Million Victimized Computers. Public Urged To Take Precaution.

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.


World's first Cyber Coldwar soon in a theater near you

Remember the cyberwarfare in Estonia? Remember the Chinese targeted attacks, against the United States, India and Germany? This might have been just the tip of the iceberg.

Today, McAfee released their "VIRTUAL CRIMINOLOGY REPORT" (broken link fixed). The report is based on input from more than a dozen security experts from NATO, the FBI, SOCA, The London School of Economics, and the International Institute for Counter-Terrorism.

According to the report,
about 120 countries are developing ways to use the Internet as a weapon to target financial markets, government computer systems and utilities and internet security companies.

China might be at the forefront of the cyberwar. "The Chinese were first to use cyber-attacks for political and military goals," according to James Mulvenon, director of the Center for Intelligence and Research in Washington.

Intelligence agencies already routinely test other states' networks looking for weaknesses and their techniques are growing more sophisticated every year.

According to the report, attacks have progressed from initial curiosity probes to well-funded and well-organized operations for political, military, economic and technical espionage.

It's time to shore up our defenses, both on the enterprise front and the government side. Especially in Belgium, we have a long way ahead of us. Anyway, the report is a MUST READ!!

On a side note, my blog seems to be mentioned in the references. ;-)

UPDATE: China is officially disputing the report.

"China has also been attacked by hackers of some countries, so the Chinese government attaches great importance to and participates in the international law enforcement cooperation in this area," Foreign Ministry spokesman Liu Jianchao said at a briefing Thursday.

Liu refused to reveal which countries were targeting China.

SANS' Information Security Reading Room

The SANS' Information Security Reading Room is a great resource with all sorts of security topics. It currently features over 1663 original computer security white papers in 72 different categories.

Last 25 Papers Added to the SANS InfoSec Reading Room
Top 25 Papers Based on Views

How to prepare for your CISSP certification

I'm currently studying for my CISA exam and I will post some tutorials in a few weeks. I just wanted to let you know that if you are planning to pass the CISSP certification, there is a new book release. This is the latest edition of the book I used to pass the exam and I highly recommended to use this one. Since security is a domain in constant evolution, a new edition of this book is released every two year.

Shon Harris, renowned security expert, CISSP, and author of CISSP ALL-IN-ONE EXAM GUIDE, 4th EDITION (McGraw-Hill; December 2007;) has fully revised her best-selling book for the latest exam release. This guide offers thorough coverage of all the material on the CISSP exam and complete details on all 10 exam domains developed by the International Information Systems Security Certification Consortium (ISC) 2.

The CCCure website might also be a useful source of information.

Bonus: A Guide to Information Security Certifications


Paper on Botnets – The Silent Threat on the Internet

ENISA is launching its latest Position Paper: on 'botnets', i.e. silent, 'hijacked' computers. The paper identifies roles and structures of criminal organizations for creating and controlling botnets, and trends in this type of cyber crime. In particular, it is often overlooked that browser exploits account already for more than 60% of all infections. Clicking on a malicious link may be enough to get infected. The main problem is uninformed users. Consequently, ENISA calls for an agreement to address this security threat in a more consistent way. The paper also identifies online tools to identify and counter malicious code.

ENISA calling for concerted efforts to counter the botnet threat

Better solutions are needed to solve the botnet threat. Botnets usually involve computers from several countries, making tracking very difficult. ENISA therefore calls for a more coordinated, cross country cooperation among multi-national law enforcement agencies, Internet Service Providers (ISPs) and software vendors. More structure and more resources are needed. Education of the everyday user in detecting malicious activity in their computers is a key measure.

Botnets - a big problem for society, business, and governments

Estimations show that there are at least 1.000 different Botnet C& C servers running constantly. An average C&C server controls 20.000 compromised computers (ranging from 10-300.000). Estimations indicate ca 53.000, new, active bots/day. A spam bot can send up to 3 spam emails/s (ca 259.000 emails/day).

Click to see activity map of Botnets, and map of Infection methods.

For further information or information pleaser refer to the full ENISA Position Paper:

College Cryptography Course Online


"Practical Aspects of Modern Cryptography," taught by Josh Benaloh, Brian LaMacchia, and John Manferdelli at the University of Washington. The page includes links to lecture notes and video of the classes.

Reminder: Barcamp Brussels #4 on 1 Dec

I'm not able to go for myself because I will be studying for the CISA exam. But for those who have time, this can be an interesting day.

Brussels #4 will take place on Saturday Dec 1st, in the mVillage business center in Schaarbeek, close to the Koninginneplein, Kruidtuin/Botanique and the Brussels North station .

There are currently 56 people on the Barcamp Brussels attendee list, and I sure would like that list to be longer still. So a mentioning on your blog would be nice!

What is Barcamp, you might ask?
BarCamp is an international network of user generated conferences — open, participatory workshop-events, whose content is provided by participants — often focusing on early-stage web applications, and related open source technologies, social protocols, and open data formats.
  • Presentations should be in English.
  • We’ll have 4 rooms, one really big one, two medium ones and a small one.
  • The presentation schedule is filled in between 9AM and 10AM, on a first come-first served basis. You can always swap slots and rooms with other presenters, but if you arrive at 9:57AM, chances are, it will be full!
  • If you have a Powerpoint/Keynote slideshow, please put a copy on Slideshare and send me the link
  • I would like video recordings of the presentations, but I cannot make them myself. So if you’re not presenting anything, this might be a way to help out! Please send me the GoogleVideo links afterwards!


  • we still need some stuff like projectors, Wifi routers and extra coffee machines. I’ve put a list here: - put your name next to items you can take care of, your support is really appreciated!

Firefox security extensions FireCAT Update 1.3

FireCAT is a Firefox Framework Map collection of the most useful security oriented extensions.

Changes for version 1.3

Category Information Gathering (Googling and Spidering)

  • GSI Google Site indexer (GSI Creates Site Maps based on Google queries. Useful for both Penetration Testing and Search Engine Optimization. GSI sends zero packets to the host making it anonymous) (Thanks to Jeff Stewart)

Category Information Gathering (Data mining)

  • Who is this person (Highlight any name on a web page and see matching information from Wink, LinkedIn, Wikipedia, Facebook, Google News, Technorati, Yahoo Person Search, Spock, WikiYou, ZoomInfo, IMDB, MySpace and more...)
  • FaceBook Toolbar (Search Facebook from anywhere The Search Box allows you to easily search Facebook no matter)

Category Information Gathering (Location info)

  • Router Status (Shows the current status of your router in the status bar and allows you to control it)

Category Security Auditin

  • XSS-Me (the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS) vulnerabilities)
  • SQL Inject-Me (the Exploit-Me tool used to test for SQL Injection vulnerabilities)
  • FireWatir (Watir is a simple open-source library for automating web browsers. It allows you to write tests that are easy to read and easy to maintain. It is optimized for simplicity and flexibility)

Category Network utilities (Database)

  • SQLite Manager (Manage any SQLite database on your computer.)


German Police tried to crack Skype encryption

Telephone calls, made by VOIP, travel over the open internet. So it makes sense to encrypt the call. Nothing wrong with that. This week, I saw several articles on the German police not able to crack the Skype encryption. Since calls aren't routed centrally but are Peer to Peer encrypted, you need the key to listen in on the call. The articles lacked technical details on the encryption and authentication method. So I fired up Google in search for more info:

You can download the full report from Skype security center (PGP signature). There’s also an executive summary available. Note that while the full report was compiled by Dr. Tom BersonAnagram Laboratories, the summary is written in-house by Skype based on the full report. from

Brief summary - AES 256-bit symetric for conversations the key for which is negotiated using a 1024 RSA key exchange. Each user has a public key which is certified at logon by a 1536 or 2048-bit RSA key. Now let's have a look at the comments from the German police.


Ziercke said they were not asking Skype to divulge its encryption keys or leave "back doors open" for German and other country's law enforcement authorities.

"There are no discussions with Skype. I don't think that would help," he said, adding that he did not want to harm the competitiveness of any company. "I don't think that any provider would go for that."

Skype is of course closed source and we are never sure if there isn't a backdoor or if they keep a copy of your private key. Only very recently, we also saw that the encrypted webmail service Hushmail also had a backdoor.

As a solution, the German authorities still haven't dismissed the possibility to use Trojans to send/install on the victim's PC so that they can monitor communications. They are even actively searching for candidates to create this police malware. *sigh*

Bad idea guys.


Whitepaper on Russian Business Network and more updates

SANS referred to a whitepaper from David Bizeul on the RBN. He spent the past three months researching the Russian Business Network (RBN). The 70-page paper is on David's web site, or you can use the SANS mirror.

The paper describes the complete netwerk setup, their affiliates, their customers. It also provides an analysis of some real life cases of MPACK, the Bank of India intrusion all pointing back to the RBN. He even mentions the names of the persons involved in the organisation.

In the last part, filtering and blocking solutions are provided for ISP's to help mitigate the risks. Also Idefense asked their customer to also block these ranges and several UK ISPs implemented them. This all might explain the faked death of the RBN and plans to relocate to china two weeks ago.

I would say, read the paper if you want all the juicy details. The RBN has not been sitting idle these last weeks. Spreading malware through false False Codecs downloads or by Banner-Ads infections on Major Web Portals. They even took a bite out of

As they say, reports of their demise have been greatly exaggerated.

Using a streetsign for user awareness

This picture was taken in Norway. The concept might be useful in a user awareness campaign. I wanted to show it because it thought it was cool.


Overview of 24C3 Conference presentations online

The 'fahrplan' (schedule) for the upcoming 24th Chaos Computer Congress (24C3) with the overview and time of all presentations is finally online. Just a quick overview of some of the interesting ones:

I would say, don't miss this event!!!!

Anonym.OS Live CD - Encrypt and Anonymize your Traffic!

There are so many livecds for a lot of different purposes. Here is another one:

Hardend, Optimized, Transportable System for Encrypting and Anonymizing Traffic”
Anonym.OS is a Linux Live CD Operating system
based on OpenBSD with strong encryption and anonymization tools. The purpose of this OS is to provide a secure anonymous web browsing access to everyday users. Anonym.OS makes extensive use of Tor, the onion routing network that relies on an array of servers passing encrypted traffic to permit untraceable surfing.

Official site here.

Remember: Anonymity isn't bad; bad behavior is bad!

Update: Good point from Karim. After the whole Tor exit node sniffing story, let us keep you aware of the pitfals of using Tor. Using Tor might make you vulnerable to man-in-the-middle attacks. Use end-to-end encryption and make sure to check the certificate chain when using SSL/TLS.

UPDATE: Rogue nodes snoop on TOR traffic (TheRegister)


Don't break the MD5 hash, just look it up.

This not about using rainbowtables. Kind of. Today an interesting article on Slashdot appeared: Using Google To Crack MD5 Passwords. I was a bit surprised to see yet another application (Wordpress) storing raw MD5 hashes in the user database without using salt.

In one of the comments, I found this interesting link:

Bonus: Google as an MD5 Cracker.. (Sensepost)

Tool: sqlninja 0.2.1-r1 - SQL Injection Tool for MS-SQL

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in perl and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

UK officials loose datadisks - 25 million citizens at risk

Even if you are careful not to fall victim to identity theft, the people you entrust your data to also need to take care:

The government was forced to admit the most fundamental breach of faith between the state and citizen yesterday when it disclosed that the personal records of 25 million individuals, including their dates of birth, addresses, bank accounts and national insurance numbers had been lost in the post, opening up the threat of mass identity fraud and theft from personal bank accounts. (The Guardian)

Just like the stolen laptops from the Japanese embassy, encrypt sensitive data or put it in a vault!


Podcast: AudioParasitics Episode 22 - Top 10 Security Threats for 2008

The next episode is out:

Episode 22 - Special Episode - AudioParasitics Presents : McAfee Avert Labs' Top 10 Security Threats for 2008

Don't forget your CPE points.


11 Laptops Stolen Out Of Japanese Embassy in Brussels

From The Yomiuri Shimbun:

Eleven laptop computers were stolen from the Japanese Embassy in central Brussels earlier this month, leading to fears that personal information on about 12,700 Japanese living in Belgium may have been exposed, the embassy said Wednesday.

The robbery is believed to have taken place early Nov. 3. Security guards alerted by an alarm found the lock broken on the seventh-floor entrance to the embassy in an office building.

Some of the stolen computers held electronic data on matters such as the expats' residence certification, overseas voting registration and passport information, according to the embassy.

The residence certification contains details such as a person's name, birthdate, permanent address in Japan, occupation, family information and passport number.

Sounds like they didn't use harddisk encryption. Laptops containing sensitive data should ALWAYS have the necessary protection. If they can not be stored in a safe, at least use encryption. Even if the laptops never leave the office.

Bonus: Lax Laptop Security Can Be Dangerous...and Expensive (

Examples on giving a good presentation

Some time ago, I talked about how to give good presentations. I have been comparing presentations on conferences on what to do and what not to do. Let me show you an example of a good presentation. (source: By the way, the subject of the talk is "How creativity is being strangled by the law".

No bullet points. No off-the-shelf template. Three stories, one argument, and a core message that is memorable and "sticky." See video below.

More examples here.


"Tor" embassy hacker gets arrested

In the beginning of September, a security consultant demonstrated how Tor was used to send confidential data by embassies all over the world. He put up Tor exit nodes to analyze the traffic and came to some amazing discoveries. Remember, Tor is a network built for a privacy, not confidentiality. You still have to encrypt sensitive data.
After noticing that email from several embassies was being read in clear text (POP3), he notified the authorities. Since most of them didn't react, he published his findings including the accounts and passwords involved. This action was widely criticized.
Now, there is the theory that these email accounts were already hacked and were being used by hackers or counterintelligence services. It's also painful to see that some of the passwords were in the style of "123456".

Unfortunately, last monday he got picked up by the Swedish Security Police:

On Monday, Egerstad was leaving his Malmo apartment when he was arrested by four plainclothes agents of the Swedish National Police (a domestic intelligence agency) and an agent of the Swedish Security Police (Sweden's CIA). He was taken to the local police station for questioning while two of the agents seized computers, CDs and papers from his house. (Source: TheRegister)

Now did he do the correct thing by disclosing the vulnerability? I stumbled upon the RFPolicy v2.0. It's a Full Disclosure Policy from Rain Forest Puppy. It's not a written law but it is a guideline in having a responsible disclosure. I think he did a responsible disclosure. Was it legal? He did intercept traffic that was not destined for him. So probably "no" depending on Swedish law. Is our society a safer place after the disclosure. Yes, I think it is. Instead of arresting him, the government should have offered him a job.

And what did we learn today? Don't report a security hole, sell it to Russia. Just kidding, but do check legal council before doing a disclosure.

(IN)SECURE Magazine Issue 14 released

The covered topics are:

  • Attacking consumer embedded devices
  • Review: QualysGuard
  • CCTV: technology in transition - analog or IP?
  • Interview with Robert "RSnake" Hansen, CEO of SecTheory
  • The future of encryption
  • Endpoint threats
  • Review: Kaspersky Internet Security 7.0
  • Interview with Amol Sarwate, Manager, Vulnerability Research Lab, Qualys Inc.
  • Network access control: bridging the network security gap
  • Change and configuration solutions aid PCI auditors
  • Data protection and identity management while browsing and transacting over the Internet
  • Information security governance: the nuts and bolts
  • Securing moving targets
  • The need for a new security approach
  • Data insecurity: lessons learned?
  • Wi-Fi safety and security


Will ".be" domains be more at risk in 2008?, the Belgian association for domain registrations, will start supporting IDN (Internationalised Domain Name) in 2008. By implementing this, it will follow in the footsteps of Germany, Austria and Switzerland. At this moment, only domain names composed of a subset of ASCII characters are allowed. This means upper and lower case, the digits 0 through 9, the dot, and the hyphen (See RFC 3696 section 2 for details.)

This of course prevented the use of other characters like é or è or the umlaut ü. Belgium is a trilingual country. Our official languages are Dutch, French and German and these characters are used in the last two.

My first thought was phishing!! This just opens the gate to more phishing opportunities. So why do this? Isn't the closest Roman (plain) equivalen good enough? Something good is to be said about the whole situation and it's because only the extra characters used in French and German are allowed. At least for the sunrise period, in which companies are given priority to their domain name. Just to prevent cybersquatters to get their hands on them.

Supporting the full IDN has serious drawbacks. Because IDN allows websites to use full Unicode names, it also makes it much easier to create a spoofed web site that looks exactly like another. This exploit was disclosed at the hacker conference Shmoocon (
Since only Internet Explorer does support IDNs, older versions of IE are not vulnerable to this kind of attack. However, those older versions can be made IDN-compatible by browser plug-ins some of which are vulnerable to the spoofing attacks.
This problem was anticipated before IDN was introduced, and guidelines were issued to registries to try and avoid or reduce the problem -- for example, recommending that registries only accept the Latin alphabet and that of their own country, not all of Unicode.

It will be an interesting experiment to monitor phising activity on ".be" domains before and after this move. Call me a pessimist! ;-)

New kid on the block: Cisco Security Blog

Cisco has just started a security blog:

The purpose of this blog is to make you aware of what makes the global internet more secure, keep you updated on some of the latest developments, and give you greater access to the Cisco security community. We plan to update the blog several times a month so add it to your favorites and subscribe to the feeds.

Might be interesting to watch.


Video: Bluesnarfing in action

Bluesnarfing is one of most famous of all bluetooth attack on devices. It is a major security issue since the advent of bluetooth technology.When a person performs a bluetooth attack, he is able to connect to another persons bluetooth devices and able to gain access to the files on his device. This means that he can read all the messages, files and even photos on the victims device.

This video shows a pocket PC Bluesnarfing a Handphone.

How to Protect yourself from Bluesnarfing (Bluesnarf Blog)

Previous posts:

Belgian Security Blognetwork is online

Belgian (Security) Bloggers are a rare breed. As kind of an experiment, some of us started a Belgian Security Blognetwork. It is just a beta, but it is a beginning and more will be added.

Here is the RSS feed (20 latest articles only). In the future, some of us would like to see an online portal for Information Security in Belgium (and a national CERT). Maybe this is the first step in the good direction. Who knows.

If you have a Belgian Security RSS feed that is worth being incorporated, you can send it to me. If you don't have a blog/rss feed yourself and would like to contribute anyway, go to belsec.


Detecting and Blocking the Russian Business Network with Snort (Update)

From Dancho Danchev:

Bleeding Edge Threats recently announced the release of some very handy RBN blocking/detecting rulesets.

Remember RBN's fake anti virus and anti spyware software? The list is getting bigger with another 20 additions again hosted on RBN IPs exposed by the RBNExploit blog.

Meanwhile you may be also be interested in how does an abuse request get handled at the RBN? Deceptively of course. Each and every domain or IP that has been somehow reported malicious to them, not once but numerous times by different organizations starts serving a fake account suspended message like the following malicious domains hosted at the RBN do :

"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please contact the billing/support department as soon as possible."
More here.

UPDATE: RBN Rule Updates

Updated those to include the new Chinese additions to the RBN IP ranges, and split them out into 3 rules.

First are the major nets that rbn owns where mass servers are. Second are the new chinese nets, and then third are the individual hosts. SOme of those are just routers, some are individual web or dns servers.

Hopefully that separation helps out some, let me know if it could be done differently to be more useful.

Google XSS & Firefox Jar: Protocol Vulnerability

This weekend I noticed that my Noscript plugin got updated to V. 1.1.8 "JAR Jammer". I remembered reading something about JAR vulnerabilities on GNUCITIZEN but with my current workload (/studies), it was limited to a quick glance. I had another look at it and read the PoC explanation on beford:

According to pdp, this issue makes vulnerable to Cross-site scripting applications that allow users uploading compressed ZIP, and JAR files. After a couple of minutes messing around the poc's, I figured out that sites with open redirect issues are vulnerable too. I've created this poc that attacks Gmail, it's based on my previous post and it will only show your contacts list, it's not being logged server side or anything (as some people thought that my previous poc did. Credit to tx for discovering the open redirect issue used to exploit Google / Firefox):

See also:
Severe XSS in Google and Others due to the JAR protocol issues (Gnucitizen)
Web Mayhem: Firefox’s JAR: Protocol issues (original finding)

So unless Google fixes all open redirects (which are far too many) or Firefox releases an update, you are vulnerable. Another solution is to use the latest NoScript plugin who provides protection.


Busting physical security

In one of my previous post: 'Mythbusters vs Biometrics', we saw how biometrics access controls could be bypassed in this episode of the show. But I actually never saw the entire episode and missed the other experiments. I did find a transcript of the show describing how they circumvented ultrasonic motion detectors and thermal sensors. Let's have a look.

  • Fingerprint scanners can't be defeated: busted (broke both a computer scanner and a 'never been defeated' door lock)
  • Ultrasonic motion sensors can't be defeated: busted
    • ... a shag rug costume: busted
    • ... a bed sheet: confirmed
    • ... walking slowly: confirmed
  • Thermal sensors can't be defeated: busted. You can defeat a thermal motion alarm with
    • ... cooling yourself with a fire extinguisher: busted
    • ... wearing a neoprene suit: busted
    • ... covering your body in mud: busted
    • ... increasing the temperature of the room: busted
    • ... a pane of glass: confirmed
  • Bypassing a glass-relocker safe with water and explosives: plausible. Numerous problems with this technique, though.
Full explanation of the experiments. So don't forget, information security isn't only about firewalls.

Video: Kensington MicroSaver Lock Defeated In Seconds!

I found this video on Metacafe. It shows us that laptop locks' weakest link isn't necessarily the lock, but the cable itself. Don't believe the marketing brochure, buy one yourself and try the resiliency of the lock AND the cable.

This video shows how unsafe your notebook or laptop is when you are using the Kensignton MicroSaver Lock to secure it. I used a "copper wire cutter" to cut through the "arcraft grade braided steel cable". Do NOT use this lock to "secure" your notebook anywhere. Anyone with a stainless steel scissors could easily cut the cable.

And a reminder about some ways to also test the lock yourself: Physical security & lockpicking.


Alicia Keys MySpace page gets hacked to serve malware

From the exploit prevention lab blog, there is an article on the MySpace page of Alica Keys being hacked and referring to an exploit site hosted in China.

The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size ... 8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site.

What's not clear at this point is how they're doing it, and how widespread it is. Neither google nor myspace seems to be indexing the critical bit of html. If you search for the exploit site (, the only results seem to be victims, or people talking about victims.

Here's a vid that shows a bit more..

The site was cleaned, only to be hacked again a few hours later.
So as we reported, Alicia Keys' myspace page was hacked, with a background image linking out to Within a couple of hours of releasing our blog and vid, myspace had fixed the page... Yay MySpace!!! (which had been hacked for at least three or four days earlier, because that's when we first noticed it.
The original hack was an href image reference to and while that's now out of the html, there's now an href image reference to .... see any similarities there??? :-)
Reminds me of an article I read some hours earlier. Another Belgian site got hacked, after already being hacked on the 28th of October. But more info in a future article.


Presentations and Videos from and CCCamp 2007

Some of the presentations and videos from are coming online. They are not yet complete. Check here for the list of speakers and presentations. I hope the rest will come online soon.

There are also eight more video's available from CCCamp 2007 since the 28th of October.

One of the new videos of CCCamp is 'Antivirus (in)security'. You should watch that one before you have a look at the presentation The death of defense in depth? (Revisiting AV software) from

24C3: The 24th Chaos Communication Congress

It's already November so that means that 24C3 is coming near. If you are interested in going, I would advise you not to wait to long to book a hotel. The ticket sale of the event has not yet started but will so soon.

You can follow news on the weblog
or find more information on the wiki (in the near future)

If you are also going and want to meet me at the event, just drop me a message! ;-)

The 24th Chaos Communication Congress (24C3) is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it since has established itself as “the European Hacker Conference”. Lectures and workshops on a multitude of topics attract a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world. The 24C3s slogan is Volldampf voraus! – the German equivalent of “full steam ahead” – a particular request for talks and projects featuring forward looking hands-on topics. The Chaos Computer Club has always encouraged creative and unorthodox interaction with technology and society, in the good tradition of the real meaning of “hacking”.


The 24C3 conference program is roughly divided into six general categories. These categories serve as guidelines for your submissions (and later as a means of orientation for your prospective audience). However, it is not mandatory for your talk to exactly match the descriptions below. Anything that is interesting and/or funny will be taken into consideration.

The ‘Hacking’ category addresses topics dealing with technology, concentrating on current research with high technical merit. Traditionally, the majority of all lectures at 24C3 revolve around hacking.
Topics in this domain include but are in no way limited to: programming, hardware hacking, cryptography, network and system security, security exploits, and creative use of technology.

The ‘Making’ category is all about making and breaking things and the wonderful stuff you can build in your basement or garage. Most welcome are submissions dealing with the latest in electronics, 3D-fabbing, climate-change survival technology, robots and drones, steam machines, alternative transportation tools and guerilla-style knitting.

The ‘Science’ category covers current or future objects of scientific research that have the potential to radically change our lives, be it basic research or projects conducted for the industry.
We are looking for talks and papers on the state of the art in this domain, covering subjects such as nano technology, quantum computing, high frequency physics, bio-technology, brain-computer interfaces, automated analysis of surveillance cctv, etc.

Technology development causes great changes in society and will determine our future. This category is for all talks on subjects like hacker tools and the law, surveillance practices, censorship, intellectual property and copyright issues, data retention, software patents, effects of technology on kids, and the impact of technology on society in general.

Shaping the world we live in means making it more interesting, entertaining and beautiful. The hacker culture has many facets ranging from electronic art objects, stand-up comedy, geek entertainment, video game and board game culture, music, 3D art to e-text literature and beyond. If you like to show your art and teach others how to make their lives more enjoyable, this category is for you.

In addition to individual speakers the Chaos Communication Congress is also inviting groups such as developer teams, projects and activists to present themselves and their topics.
Developer groups are also encouraged to ask for support to hold smaller on-site developer conferences and meetings in the course of the Congress.

UPDATE: Overview of 24C3 Conference presentations online

Report: November Symantec State of Spam

An interesting read (pdf):

A new tactic during the month of October was the inclusion of MP3 files to promote pump and dump stock spam. This variation of the classic pump-and-dump stock is just the most recent technique being utilized to market these stocks to the masses. A blog was created earlier in the month regarding this novel type spam attack and can be read here. The proliferation of pump-and-dump stocks over the course of the year has been interesting as spammers have tried their hand at various techniques to avoid filtering of their messages. In the November State of Spam Report we illustrate the various techniques spammers have used over the course of the past year to promote these penny stocks.

The November State of Spam report includes other interesting spam seen during the month such as:

  • Spammers saving the planet from global warming; this appears to be a spammer’s attempt to collect personal information that could be used later for scam attacks.
  • Halloween themed spam; this also appears to be an attempt to collect personal information for later use
  • Spammers still targeting foreclosures and hawking refinancing deals.
  • Pharmaceutical spam in Spanish; this is a Spanish version of common male enhancement spam; however, the delivery varies slightly from what is commonly seen in English
  • Russian bride spam; while dating spam is nothing new we illustrate one particular attack and the variations it has gone through.


Has the Russian Business Network gone into hiding? *updated*

From the Trendlabs Malware Blog:

Yesterday, the infamous Russian Business Network (RBN) dropped out of the Internet at around 7 PM PST. Since then, IP addresses of RBN can no longer be reached because there is no routing for them any longer. It could be that the upstream providers who provided RBN with Internet connectivity may have terminated their services to their problematic customer temporarily or (hopefully) even permanently. Trend Micro will continue to closely monitor whether RBN remains down.
In recent weeks, moreover, Trend Micro has seen equivalents of RBN pop up in Turkey and Taiwan. These hosting providers seem to have the same kind of customer base as RBN. Thus, even if RBN drops off of the Internet permanently, its customers might find a new home soon.

It seems that nearly all of the RBN's known autonomous systems (AS) have recently disappeared from the global routing tables: RBN-AS, SBT-AS, MICRONNET-AS, OINVEST-AS, AKIMON-AS, CONNCETCOM-AS and NEVSKCC-AS.

CREDOLINK-ASN is the only one left but the network has also become unavailable. It seems almost voluntarily. Are they moving their base of operation? Did they got too much attention? According to the Spamhaus Project, RBN might have gone Chinese. Somehow they managed to get IP blocks located in China, Shanghai in particular.

Will this become a whac-a-mole game? To be continued. Anyway, for a little while, the internet is a safer place.

UPDATE (8/11/2007): Some ranges of the RBN still seem active. This excellent blog has more information:
RBN – The Russian Business Network Has Closed Shop?

Prefixes withdrawn by this origin AS in the past 7 days = AS40989 (RBN)

- = Withdrawn
- = Withdrawn
- = Withdrawn
- = Withdrawn

However, as shown here and elsewhere the recent RBN based PDF exploit utilized and, further many of the RBN “fake” anti-spyware and anti-malware websites use as one of the many Internet “name servers”. Therefore one can only conclude

- = Still active
- = Still active
- = Still active

Full story.

Podcast: Audioparasitics Episode 20: Is 'security through virtualization' a myth? Part 2

Episode 20 - Part 2 of 2 - Is 'security through virtualization' a myth? We tackle the subject with special guests Rafal Wojtczuk and Rahul Kashyap.


Three part story on fake anti-spyware and the RBN involvement

You shouldn't miss this three part analysis on fake anti-malware software and the involvement of the Russian Business Network:

In a continuation of the discovery of the RBN’s “Retail Division” one of the most important exploit delivery methods is the fake anti-spyware and anti-malware for PC hijacking and personal ID theft, this is a source of revenue for the RBN also from a direct sale.

It is important to recognize the scale of the RBN fakes i.e. over 4 million internet visitors per month The same RBN organizational structure is responsible for a majority of the major internet and PC security threats and exploits seen over recent times, e.g. Bank of India hack, PDF spam exploit, Mpack, etc. The “stooges” and other server operations that even unknowingly house RBN operations should act to prove they are not working in tandem with the RBN, not vice-versa. For example this blog is housed by Blogger which is Google. As any organization does the RBN has elements which are not titled RBN, written in Russian, or physically based in St. Petersburg. So let us commence to be realistic i.e. AS 27596 - Intercage, Estdomains, et. al - IS A FUNDEMENTAL PART OF THE RBN!


Also Sweden has become targeted by Turkish hackers

The swedish websites are also actively targeted, just like the Belgian ones. The response in Belgium is one website being reported in the news. The Swedish had a different approach:

From ddanchev:

Last month's Turkish/Sweden hacktivism tensions surprised me mainly because the Swedes responded to the defacements in an entirely different way.

How do you keep track of defaced sites "courtesy" of Turkish script kiddies? Zone-h for sure, while in fact there're so many defacements done by Turkish hacking groups, that the hacktivists have localized the defacement achives into Turkish for better transparenc
y, and by doing so it makes Turkish defacements during hacktivism wars much easier to keep track of. Who are the most active Turkish defacers anyway?

Most people know Zone-h for their mirror of defaced sites. Here are two other mirrors mentioned in the article that focus on Turkish defacements: and

The campaign against .be sites is still quite active. Luckily it didn't take the proportions like in Estonia. On the other hand, if it did, maybe the politicians would wake up and realize that our government is not prepared and equipped to handle a large scale cyberattack. I found this link on the website of ENISA, it's a list of organizations and events in Belgium. Let me show you the events:

Nada. This is a far cry away like a conference like or like 24C3? Why aren't there any security conferences or events in Belgium? I'm not counting because it's mostly a lot of vendors trying to sell their product. We really should get more organized in Belgium and start hosting our own events. Or are we as incapable to realize this as forming a new government? Who is with me? ;-)

Update (06/11/2007): I know there is but those meetings get often cancelled and I would like to see some workshops in the future. I have been promoting them too but at the moment, I'm a bit disappointed. The one from September got moved to October and since then, nothing new has been communicated. Sad, it had potential.


HowTo extend your WiFi range

Don't know what to do with old frying cookware? Well, you can use it to extend you WiFi range. I knew the pringles and soupcan designs from some years ago but this one was new to me.

Here is a list of several examples and building instructions.

Cyber Security Awareness Month 2007 (complete)

(Update 31/10/2007) Part A-E (Full set) is complete.

SANS is featuring a Cyber Security Awareness Month. I will use the overview and for each day, update the index linked to the correct page.
They need your help beginning this weekend and continuing through the month of October. If you would like to submit a tip, please use the contact form and be sure to put something in the subject like "Security Tip, day 15" to make it easier to sort them. Keep your tips brief and to the point, also remember that the audience is the end user, not your sysadmins or netops geeks.

A. Establishing a User Awareness Training Program
1 Penetrating the "This Does Not Apply To Me" Attitude
2 Multimedia Tools, Online Training, and Useful Websites
3 Getting the Boss Involved
4 Enabling the Road Warrior
5 Social Engineering and Dumpster Diving Awareness
6 Developing and Distributing Infosec Policies

B. Best Practices
7 Host-based Firewalls and Filtering
8 Anti-Virus, Anti-Spyware, and Other Protective Software
9 Access Controls, Including Wireless, Modems, VPNs, and Physical Access
10 Authentication Mechanisms (Passwords, Tokens, Biometrics, Kerberos, NTLM, Radius)
11 File System Backups
12 Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
13 Patching and Updates

C. Hardware/Software Lockdown
14 Data Encryption
15 Protecting Laptops
16 Protecting Portable Media like USB Keys, iPods, PDAs, and Mobile Phones
17 Windows XP/Vista Tips
18 Mac Tips
19 Linux Tips
20 Software Authenticity (Digital Signatures, MD5, etc.)

D. Safe Internet Use
21 Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
22 Detecting and Avoiding Bots and Zombies
23 Using Browsers, SSL, Domain Names
24 Using Email, PGP, X509 Certs, Attachments
25 Using Instant Messaging and IRC
26 Safe File Swapping
27 Online Games and Virtual Worlds

E. Privacy and Protection of Intellectual Property
28 Cookies
29 Insider Threats
30 Blogging and Social Networking
31 Legal Awareness (Regulatory, Statutory, etc.)

About security awareness, users are still the greatest risk. McAfee Avertlabs also mentioned it yesterday.

Is it that hard to think twice?
Don’t users know enough about risks?
Don’t they know about the consequences of an outbreak?

What have we learned from history?


There are few companies in Belgium that give user awareness training. But I have the impression that a lot of companies consider it a waste of money. However, people are still weakest security link. When will people start to care?