Onze Aalsterse carnavalgroep presenteert: PETRAIAIAI.BE! Is het citaat AI, of écht?
Speel ons spel tegen AI brainrot!
(ook beschikbaar in 't Oilsjters! 😉🧅)
👉 https://petraiaiai.be

I am now officially a victim of AI-hallucination: anyone that Googles my company name now thinks I am a cybercriminal because I used the words "cybercrime investigator" on my website.
As people start to blindly trust AI-search, I wonder if this would classify as harAIssment? 🤔💭

NEWS: A few hours after notifying their 850K breached users, Orange has silently retracted their statement that they have "found no evidence that the accessed data was disseminated". Was this vibe PR or a lack of actual investigation? I filed a complaint!
https://inti.io/p/how-brands-like-orange-downplay-security

For the sake of correctness: Orange Cyberdefense shares the same brand as Orange Belgium but is hosted within a different entity. My post is about Orange Belgium

I would expect Orange to at least:

- Explain the additional in-depth security measures they will take against SIM swapping attacks
- Provide new SIM cards / PUK codes to their users
- Provide FULL transparency about the steps they took to look for "evidence" of further leaks

Rather than shifting responsibility to its users and reframing the data theft in a misleading way to dodge the real consequences, Orange could lead by example and show the world that they're really the security leader @orangecyberdef claims to be.

We should not tolerate this.

The SIM card number is a crucial piece of information hackers need for a SIM swap attack resulting in number theft. And with the PUK code you can reset any PIN code. Both attacks can lead to complete social media takeovers. So no sensitive data? That is some solid corporate PR BS

Here's their translated security page (not available in EN), as usual they start with listing the 'sensitive data' not accessed.
Only then they talk about 'certain' data (PII, SIM card number and PUK) that HAS been accessed. What does that mean?

Orange Belgium just informed its 850K users about a "cyberattack" following the typical PR-playbook: downplay the risks and shift the responsibility to their users to protect themselves.
What triggers me the most is that they don't even talk about the risk of SIM swapping AT ALL:

@floort was de test strafbaar? Want dan loop je in NL toch ook een risico? Voor data lekken ga ik langs twee entiteiten, CCB voor technische luik en GBA voor privacy violations die daaruit voortvloeien. CCB zal me zelden expliciete toestemming geven om te publiceren maar ik ben van mening dat ik die toestemming soms niet nodig heb

@floort ik denk dat dit, mits het niet om strafbare feiten gaat, ook het geval is in België. De legale techniciteit is denk ik dat een entiteit zoals CCB je niet altijd expliciet toestemming kan geven ookal valt het wel binnen het gedoogspectrum, maar dat is natuurlijk maar mijn interpretatie

@floort @janboddez maar is dat niet een beetje hetzelfde dan? CVD gaat strafbare situaties zelfs expliciet niet strafbaar maken maar houdt haar handen af in andere situaties, kan ook gedoogd geacht worden dan? Want toestemming geven = niet langer gedogen

@floort @janboddez ik denk dat de nuance daar zit dat dat ze denk ik geen disclosure preventen in dat soort zaken maar wel de impliciete bescherming kunnen achterwege laten indien je de (vrij conservatieve voor generalisatie purposed) regels niet zou volgen. Uit interesse: het in NL zo dat als ik morgen een SQL injection rapporteer in staatsveiligheid ik daar altijd over kan schrijven, ook als het een bvb structureel probleem zou zijn dat ze aan het aanpakken zijn?

@floort @janboddez with the policy being unpublished I actually never expected there is a policy (yet). I always thought it was a strategic move to include at least the option it so they could expand it later on, once there was more political buy-in (which I do sense has increased). Perhaps their policy is that they can approve it for system they own or government systems, but I’m not sure if they have a clear legal basis for third-party systems

@floort @janboddez I personally think (I am not affiliated with CCB or speaking on behalf of them, personal opinion) that when you would ask them, they would likely side with the more conservative answer to be sure. So I don’t - perhaps that’s the Belgian way of doing it (but then also don’t expect me to come help me when I miscalculated). I’m not even sure if they have actual legal grounds to approve such a disclosure request (which could be the bigger problem here)

@floort @janboddez I guess that would really depend on the situation. I think it’s important to make the distinction between breaking into someone else’s computer (cloud) or some on-prem version for which you can get a CVE. In the latter scenario as there is no crime the reporter has much more control. For business logic flaws I personally don’t bother with “guidelines” as IMO most of the testing can’t really be considered illegal (the result might be, fraud/privacy violation)

@janboddez @floort I think the bottom line is that if you follow the law by the letter and then ask CCB for explicit permission, yes, you will be disappointed. I do not think this is the fault of CCB but rather a (slowly) changing system. I think both Floor and I are putting pressure to change things, but our means are very different. Either way can’t hurt. But I personally disagree with the statement that Belgium is unsafe for CVD. Perhaps imperfect, like most of Europe.

@janboddez @floort my interpretation of the law is that it decriminalizes a crime by law (active testing, sending payloads to a system, potentially intruding in a third party system) if you report the vulnerability ethically. If this is not the case I have found them to be much more lenient (hacking self-owned products or non-cloud, misconfigs, business logic,…). I recently involved the press in a disclosure and CCB even helped me communicate it properly.

@janboddez @floort not sure if I want to be involved in what would be a lengthy discussion. I agree on a lot of things with Floor but I guess our approaches are different, which is fine. I do like some more nuance to the situation, I actually think that, despite some obvious red tape and bureaucracy which is luckily eroding as we speak, I think Belgium has become more progressive here. I am going to explain my viewpoint but am not seeking a debate:

Leeftijdscontrole voor pornosites gaat tegendraads werken, daar ben ik van overtuigd. Dit zal pornokijkers van alle leeftijden drijven naar ongereguleerde websites waar er niet gemodereerd wordt, dus ook niet op extreme en niet consensuele beelden, of erger. 🤦