Behaviour-based anti-virus

Interesting, although not as original as the article suggests...

Computer Scientists Set on Winning the Computer Virus 'Cold War'
University of Wisconsin-Madison (05/24/07)

ACM TechNews 30/05/2007

Computer scientists at the University of Wisconsin-Madison, the University of California-Berkeley, and Carnegie Mellon University have developed the Static Analyzer for Executables (SAFE), software that targets malware based on its behavior. SAFE examines the behavior of a program before running it and compares the behavior to a list of known malware behaviors, such as reading an address book and sending emails. Any program that performs a suspicious behavior is considered malware. Malware programmers can slip by traditional detection programs by creating a unique signature, requiring traditional malware detection programs to download updates at least every week. By examining the behavior rather than the signature, SAFE can detect malware even if it has a unique signature and only requires updates when a virus appears that exhibits a new behavior, creating a proactive defense rather than reactive. University of Wisconsin-Madison associate professor of computer science Somesh Jha calls SAFE "the next generation in malware detection." Jha and University of Wisconsin graduate student Mihai Christodorescu started working on SAFE when they tested different variations of four viruses on Norton and McAfee antivirus software. Norton and McAfee were only able to catch the original variation of each virus. SAFE caught all variations. SAFE will be particularly effective against a new type of malware that is designed to change every time it gets sent to another computer, which can create infinite variations of itself.

Security and Virtualization

From the blog:

Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine. I investigated this topic earlier this year, and presented a paper at CanSecWest on a number of ways that an attacker could break out of a virtual machine.

Most of the attacks identified were flaws, such as buffer overflows, in emulated hardware devices. One example of this is missing bounds checking in bitblt routines, which are used for moving rectangular blocks of data around the display. If exploited, by specifying pathological parameters for the operation, this could lead to an attacker compromising the virtual machine process. While you would typically require root (or equivalent) privileges in the guest to interact with a device at the low level required, device drivers will often offload the parameter checking required onto the hardware, so in theory an unprivileged attacker could be able to access flaws like this by simply interacting with the regular API or system call interface provided by the guest operating system.
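A constructed illustration, added here rather than taken from the post or from any hypervisor's code, of the bounds check such a bitblt routine must apply to guest-supplied parameters; the toy framebuffer, the `bitblt_op` structure and the demo functions are all assumptions of the example:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy display device (not code from any real hypervisor): a small
 * framebuffer plus a bit-block transfer whose parameters come from the guest,
 * which is exactly the situation the post describes. */
#define FB_WIDTH  64u
#define FB_HEIGHT 32u

struct framebuffer {
    uint8_t px[FB_WIDTH * FB_HEIGHT];   /* one byte per pixel, row-major */
};

/* Blit request as a guest driver would hand it to the emulated device. */
struct bitblt_op {
    uint32_t src_x, src_y, dst_x, dst_y, width, height;
};

/* Incomplete check of the kind the post calls "missing bounds checking": the
 * 32-bit sum x + w can wrap, so a huge x with a small w passes even though
 * the rectangle lies far outside the buffer. Kept only for comparison. */
int rect_in_bounds_naive(uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    return x + w <= FB_WIDTH && y + h <= FB_HEIGHT;
}

/* Hardened check: widen to 64 bits before adding so no wrap is possible, and
 * reject empty rectangles, which have nothing to copy. */
int rect_in_bounds(uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0) return 0;
    return (uint64_t)x + w <= FB_WIDTH && (uint64_t)y + h <= FB_HEIGHT;
}

/* Validated blit: both rectangles are checked before any memory is touched,
 * and rows are copied with memmove in an order that stays correct when source
 * and destination overlap. Returns 0 on success, -1 when rejected. */
int bitblt_checked(struct framebuffer *fb, const struct bitblt_op *op)
{
    if (!rect_in_bounds(op->src_x, op->src_y, op->width, op->height) ||
        !rect_in_bounds(op->dst_x, op->dst_y, op->width, op->height))
        return -1;

    size_t src = (size_t)op->src_y * FB_WIDTH + op->src_x;
    size_t dst = (size_t)op->dst_y * FB_WIDTH + op->dst_x;
    if (dst > src) {                    /* moving down/right: bottom row first */
        for (uint32_t r = op->height; r-- > 0;)
            memmove(&fb->px[dst + (size_t)r * FB_WIDTH],
                    &fb->px[src + (size_t)r * FB_WIDTH], op->width);
    } else {
        for (uint32_t r = 0; r < op->height; r++)
            memmove(&fb->px[dst + (size_t)r * FB_WIDTH],
                    &fb->px[src + (size_t)r * FB_WIDTH], op->width);
    }
    return 0;
}

/* Demo: paint a 4x2 block of value 7 at (0,0), copy it to (10,5) and return
 * how many pixels hold 7 afterwards (16 if the copy worked, -1 if rejected). */
int blit_demo(void)
{
    struct framebuffer fb;
    memset(&fb, 0, sizeof fb);
    for (uint32_t y = 0; y < 2; y++)
        for (uint32_t x = 0; x < 4; x++)
            fb.px[y * FB_WIDTH + x] = 7;
    struct bitblt_op op = { 0, 0, 10, 5, 4, 2 };
    if (bitblt_checked(&fb, &op) != 0) return -1;
    int count = 0;
    for (size_t i = 0; i < sizeof fb.px; i++)
        count += (fb.px[i] == 7);
    return count;
}

/* Demo: a destination x that wraps in 32-bit arithmetic. The naive check would
 * accept it; the hardened blit must return -1. */
int wrap_demo(void)
{
    struct framebuffer fb = {{0}};
    struct bitblt_op op = { 0, 0, 0xFFFFFFFFu, 0, 2, 1 };
    return bitblt_checked(&fb, &op);
}
```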

NSA helps Microsoft

An interesting news item, already a few months old:

For the first time, the giant software maker is acknowledging the help of the secretive agency, better known for eavesdropping on foreign officials and, more recently, U.S. citizens as part of the Bush administration's effort to combat terrorism. The agency said it has helped in the development of the security of Microsoft's new operating system -- the brains of a computer -- to protect it from worms, Trojan horses and other insidious computer attackers.

The NSA declined to comment on its security work with other software firms, but Sager said Microsoft is the only one "with this kind of relationship at this point where there's an acknowledgment publicly."

The NSA, which provided its service free, said it was Microsoft's idea to acknowledge the spy agency's role.

Post on the Schneier on Security blog
Article in the Washington Post

Comunidade Portuguesa de Segurança da Informação

A security site linked to SINFIC SA:

Comunidade Portuguesa de Segurança da Informação

Denial of service against a nuclear plant?

On the subject of critical infrastructure protection... Excessive network traffic may have caused the shutdown of a nuclear plant in the USA:

"Data storm" blamed for nuclear-plant shutdown
By: Robert Lemos, SecurityFocus

A Congressional committee calls for the Nuclear Regulatory Commission to further investigate the cause of excessive network traffic that shut down an Alabama nuclear plant.

An interesting excerpt:

"Conversations between the Homeland Security Committee staff and the NRC representatives suggest that it is possible that this incident could have come from outside the plant," Committee Chairman Bennie G. Thompson (D-Miss.) and Subcommittee Chairman James R. Langevin (D-RI) stated in the letter. "Unless and until the cause of the excessive network load can be explained, there is no way for either the licensee (power company) or the NRC to know that this was not an external distributed denial-of-service attack."

The August 2006 incident is the latest network threat to affect the nation's power utilities. In January 2003, the Slammer worm disrupted systems of Ohio's Davis-Besse nuclear power plant, but did not pose a safety risk because the plant had been offline since the prior year. However, the incident did prompt a notice from the NRC warning all power plant operators to take such risks into account.

In August 2003, nearly 50 million homes in the northeastern U.S. and neighboring Canadian provinces suffered from a loss of power after early warning systems failed to work properly, allowing a local outage to cascade across several power grids. A number of factors contributed to the failure, including a bug in a common energy management system and the MSBlast, or Blaster, worm which quickly spread among systems running Microsoft Windows, eventually claiming more than 25 million systems.

The first cyber-war?

... may be happening right now. Long but interesting:

Cyber Assaults on Estonia Typify a New Battle Tactic

By Peter Finn Washington Post Foreign Service
Saturday, May 19, 2007

This small Baltic country, one of the most wired societies in Europe, has been subject in recent weeks to massive and coordinated cyber attacks on Web sites of the government, banks, telecommunications companies, Internet service providers and news organizations, according to Estonian and foreign officials here.
Computer security specialists here call it an unprecedented assault on the public and private electronic infrastructure of a state. They say it is originating in Russia, which is angry over Estonia's recent relocation of a Soviet war memorial. Russian officials deny any government involvement.
The NATO alliance and the European Union have rushed information technology specialists to Estonia to observe and assist during the attacks, which have disrupted government e-mail and led financial institutions to shut down online banking.
As societies become increasingly dependent on computer networks that cross national borders, security experts worry that in wartime, enemies will attempt to cripple those networks with electronic attacks. The Department of Homeland Security has warned that U.S. networks should be secured against al-Qaeda hackers. Estonia's experience provides a rare chance to observe how such assaults proceed.
"These attacks were massive, well targeted and well organized," Jaak Aaviksoo, Estonia's minister of defense, said in an interview. They can't be viewed, he said, "as the spontaneous response of public discontent worldwide with the actions of the Estonian authorities" concerning the memorial. "Rather, we have to speak of organized attacks on basic modern infrastructures."
The Estonian government stops short of accusing the Russian government of orchestrating the assaults, but alleges that authorities in Moscow have shown no interest in helping to end them or investigating evidence that Russian state employees have taken part. One Estonian citizen has been arrested, and officials here say they also have identified Russians involved in the attacks.
"They won't even pick up the phone," Rein Lang, Estonia's minister of justice, said in an interview.
Estonian officials said they traced some attackers to Internet protocol (IP) addresses that belong to the Russian presidential administration and other state agencies in Russia.
"There are strong indications of Russian state involvement," said Silver Meikar, a member of Parliament in the governing coalition who follows information technology issues in Estonia. "I can say that based on a wide range of conversations with people in the security agencies."
Russian officials deny that claim. In a recent interview, Kremlin spokesman Dmitri Peskov called it "out of the question." Reached Friday at a Russia-E.U. summit, he reiterated the denial, saying there was nothing to add.
A Russian official who the Estonians say took part in the attacks said in an interview Friday that the assertion was groundless. "We know about the allegations, of course, and we checked our IP addresses," said Andrei Sosov, who works at the agency that handles information technology for the Russian government. His IP address was identified by the Estonians as having participated, according to documents obtained by The Washington Post.
"Our names and contact numbers are open resources. I am just saying that professional hackers could easily have used our IP addresses to spoil relations between Estonia and Russia."
Estonia has a large number of potential targets. The economic success of the tiny former Soviet republic is built largely on its status as an "e-society," with paperless government and electronic voting. Many common transactions, including the signing of legal documents, can be done via the Internet.
The attacks began on April 27, a Friday, within hours of the war memorial's relocation. On Russian-language Internet forums, Estonian officials say, instructions were posted on how to disable government Web sites by overwhelming them with traffic, a tactic known as a denial of service attack.
The Web sites of the Estonian president, the prime minister, Parliament and government ministries were quickly swamped with traffic, shutting them down. Hackers defaced other sites, putting, for instance, a Hitler mustache on the picture of Prime Minister Andrus Ansip on his political party's Web site.
The assault continued through the weekend. "It was like an Internet riot," said Hillar Aarelaid, a lead specialist on Estonia's Computer Emergency Response Team, which headed the government's defense.
The Estonian government began blocking Internet traffic from Russia on April 30 by filtering out all Web addresses that ended in .ru.
By April 30, Aarelaid said, security experts noticed an increasing level of sophistication. Government Web sites and new targets, including media Web sites, came under attack from electronic cudgels known as botnets. Bots are computers that can be remotely commanded to participate in an attack. They can be business or home computers, and are known as zombie computers.
When bots were turned loose on Estonia, Aaviksoo said, roughly 1 million unwitting computers worldwide were employed. Officials said they traced bots to countries as dissimilar as the United States, China, Vietnam, Egypt and Peru.
By May 1, Estonian Internet service providers had come under sustained attack. System administrators were forced to disconnect all customers for 20 seconds to reboot their networks.
Newspapers in Estonia responded by closing access to their Web sites to everyone outside the country, as did the government. The sites of universities and nongovernmental organizations were overwhelmed. Parliament's e-mail service was shut for 12 hours because of the strain on servers.
Foreign governments began to take notice. NATO, the United States and the E.U. sent information technology experts. "It was a concerted, well-organized attack, and that's why Estonia has taken it so seriously and so have we," said Robert Pszczel, a NATO spokesman. Estonia is a new member of NATO and the E.U.
The FBI also provided assistance, according to Estonian officials. The bureau referred a reporter's calls to the U.S. Embassy in Estonia, which said there was no one available to discuss American assistance to the Baltic State.
On May 9, the day Russia celebrates victory in World War II, a new wave of attacks began at midnight Moscow time.
"It was the Big Bang," Aarelaid said. By his account, 4 million packets of data per second, every second for 24 hours, bombarded a host of targets that day.
"Everyone from 10-year-old boys to very experienced professionals was attacking," he said. "It was like a forest fire. It kept spreading."
By May 10, bots were probing for weaknesses in Estonian banks. They forced Estonia's largest bank to shut down online services for all customers for an hour and a half. Online banking remains closed to all customers outside the Baltic States and Scandinavia, according to Jaan Priisalu, head of the IT risk management group at Hansabank, a major Baltic bank.
"The nature of the latest attacks is very different," said Linnar Viik, a government IT consultant, "and it's no longer a bunch of zombie computers, but things you can't buy from the black market," he said. "This is something that will be very deeply analyzed, because it's a new level of risk. In the 21st century, the understanding of a state is no longer only its territory and its airspace, but it's also its electronic infrastructure.
"This is not some virtual world," Viik added. "This is part of our independence. And these attacks were an attempt to take one country back to the cave, back to the Stone Age."

Source: Washington Post

1024-bit RSA keys?

A 307-digit number, i.e. 1023 bits, was recently factored... It is time to stop using 1024-bit RSA keys...

Article on Bruce Schneier's blog

Comment on 28/05/2007: a more detailed news item on the subject at Ars Technica

Bad security products

An excerpt from an article by Bruce Schneier in Wired:

More than a year ago, I wrote about the increasing risks of data loss because more and more data fits in smaller and smaller packages. Today I use a 4-GB USB memory stick for backup while I am traveling. I like the convenience, but if I lose the tiny thing I risk all my data.

Encryption is the obvious solution for this problem -- I use PGPdisk -- but Secustick sounds even better: It automatically erases itself after a set number of bad password attempts. The company makes a bunch of other impressive claims: The product was commissioned, and eventually approved, by the French intelligence service; it is used by many militaries and banks; its technology is revolutionary.

Unfortunately, the only impressive aspect of Secustick is its hubris, which was revealed when completely broke its security. There's no data self-destruct feature. The password protection can easily be bypassed. The data isn't even encrypted. As a secure storage device, Secustick is pretty useless.

With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death.

full article

Number of vulnerabilities by category in 2006

According to Jean Paul Ballerini, in a presentation at the IBM/ISS X-Force Road Show 2007, the day before yesterday (15/5/2007) in Lisbon:

vulnerabilities discovered in 2006: 7247

main categories:
-- cross-site scripting: 1313 (18%)
-- SQL injection: 1003 (14%)
-- buffer overflow: 680 (9%)

Digital Ethnography

A fun video about Web 2.0. It has nothing specifically about security, but it suggests how complicated security may become in this "new web".

The Machine is Us/ing Us

At least 10% of web sites carry malicious code

according to a paper by Google authors:

"We analyzed the content of several billion URLs and executed an in-depth analysis of approximately 4.5 million URLs. From that set, we found about 450,000 URLs that were successfully launching drive-by-downloads of malware binaries and another 700,000 URLs that seemed malicious but had lower

The Ghost In The Browser: Analysis of Web-based Malware

As more users are connected to the Internet and conduct their daily activities electronically, computer users have become the target of an underground economy that infects hosts with malware or adware for financial gain. Unfortunately, even a single visit to an infected web site enables the attacker to detect vulnerabilities in the user's applications and force the download of a multitude of malware binaries. Frequently, this malware allows the adversary to gain full control of the compromised systems leading to the ex-filtration of sensitive information or installation of utilities that facilitate remote control of the host. We believe that such behavior is similar to our traditional understanding of botnets. However, the main difference is that web-based malware infections are pull-based and that the resulting command feedback loop is looser. To characterize the nature of this rising threat, we identify the four prevalent mechanisms used to inject malicious content on popular web sites: web server security, user contributed content, advertising and third-party widgets. For each of these areas, we present examples of abuse found on the Internet. Our aim is to present the state of malware on the Web and emphasize the importance of this rising threat.

Privacy is not just about data security

An interesting post about privacy on The Security Development Lifecycle blog:
Privacy is not just about data security
The conclusion:

"Privacy is not just about protecting data once you have it; it’s also about minimizing the data collected, and making sure that you know what that data will be used for and consent to that use before your data is captured. This is one of the main reasons Privacy has been built into the SDL. Securing the data alone is not enough."

Defences against buffer overflows in Vista

An interesting article from Microsoft:

Windows Vista incorporates numerous defensive strategies to protect customers from exploits. Some of these defenses are in the core operating system, and others are offered by the Microsoft Visual C++ compiler. The defenses include:

* /GS Stack buffer overrun detection.
* /SafeSEH exception handling protection.
* No eXecute (NX) / Data Execution Prevention (DEP) / eXecute Disable (XD).
* Address space layout randomization (ASLR).
* Heap randomization.
* Stack randomization.
* Heap corruption detection.

In the rest of this document, we will briefly explain each of these defenses and offer deployment and test guidance.

SQL injection example

Design vulnerability in IPv6

Experts scramble to quash IPv6 flaw
By: Robert Lemos

Only a few weeks after researchers raised the design issue in the next-generation Internet protocol, two drafts to the Internet Engineering Task Force propose different fixes.

This week, experts sent two drafts to the Internet Engineering Task Force (IETF)--the technical standards-setting body for the Internet -- proposing different ways of fixing a problem in the way that Internet Protocol version 6 (IPv6) allows the source of network data to determine its path through the network. The drafts recommend that the IPv6 feature should either be eliminated or, at the very least, disabled by default.

The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices, the feature has significant security implications. During a presentation at the CanSecWest conference on April 18, researchers Philippe Biondi and Arnaud Ebalard pointed out that RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80. (...)

The RH0 security issue has its roots in the current Internet protocol implementation. The specification for IPv4 allows the sender of data to specify one or more routers through which the data must travel. Known as source routing, the technique allows up to 9 other addresses to be included in an IPv4's extended header, requesting that the packet be routed through those specific addresses. While source routing can be beneficial for diagnostics, it can also be used to amplify a denial-of-service attack by a factor of 10 by alternating two target Internet addresses in the header, ping-ponging the data between two machines.

While source routing has been accepted as a bad security risk by most companies and most routers disable the feature by default, the IETF has not eliminated the option from the specification and extended it to IPv6.
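An added example (not from the article or from either IETF draft) of what "disabled by default" means in a packet filter: walk the IPv6 extension-header chain, recognise RH0 and drop it. The header layout follows RFC 2460; the sample packet, its documentation-prefix addresses and every function name are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the article: walk the extension-header chain of a
 * raw IPv6 packet, report any Type 0 Routing Header (RH0), and apply the
 * "disabled by default" policy the IETF drafts recommend by dropping it. */
enum { NH_HOPOPT = 0, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_ICMPV6 = 58, NH_DSTOPTS = 60 };

struct rh0_report {
    int has_rh0;        /* 1 if a Routing Header with Routing Type 0 was seen */
    int segments_left;  /* its Segments Left field (hops still to be visited) */
    int addr_count;     /* number of 16-byte addresses it carries */
};

/* Returns 0 if the chain parsed, -1 if the packet is truncated or malformed.
 * Extension headers start with Next Header and Hdr Ext Len (8-octet units,
 * excluding the first 8 octets); the Fragment header is always 8 octets. */
int inspect_ipv6_rh0(const uint8_t *pkt, size_t len, struct rh0_report *out)
{
    memset(out, 0, sizeof *out);
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;  /* fixed header + version */
    uint8_t next = pkt[6];
    size_t off = 40;
    while (next == NH_HOPOPT || next == NH_ROUTING ||
           next == NH_FRAGMENT || next == NH_DSTOPTS) {
        if (off + 8 > len) return -1;
        size_t hlen = (next == NH_FRAGMENT) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (off + hlen > len) return -1;
        if (next == NH_ROUTING && pkt[off + 2] == 0) {
            /* RH0: Next Header, Hdr Ext Len, Type 0, Segments Left, 4 reserved,
             * then Hdr Ext Len / 2 addresses; an odd length is invalid. */
            if (pkt[off + 1] % 2) return -1;
            out->has_rh0 = 1;
            out->segments_left = pkt[off + 3];
            out->addr_count = pkt[off + 1] / 2;
            if (out->segments_left > out->addr_count) return -1;
        }
        next = pkt[off];
        off += hlen;
    }
    return 0;
}

/* Filter decision: 1 = drop (RH0 with hops still to visit, or malformed),
 * 0 = pass. An RH0 whose Segments Left is already 0 is inert and may pass. */
int should_drop(const uint8_t *pkt, size_t len)
{
    struct rh0_report r;
    if (inspect_ipv6_rh0(pkt, len, &r) != 0) return 1;
    return r.has_rh0 && r.segments_left > 0;
}

/* Constructed sample: IPv6 header, then an RH0 listing two documentation-
 * prefix addresses with Segments Left = 2, then an (empty) ICMPv6 slot.
 * Writes 80 bytes into buf and returns that length. */
size_t build_rh0_sample(uint8_t buf[80])
{
    static const uint8_t a1[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
    static const uint8_t a2[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2};
    memset(buf, 0, 80);
    buf[0] = 0x60;                 /* version 6 */
    buf[5] = 40;                   /* payload length: 8 (RH0 head) + 32 */
    buf[6] = NH_ROUTING;           /* first extension header is Routing */
    memcpy(buf + 8, a1, 16);       /* source address (constructed) */
    memcpy(buf + 24, a2, 16);      /* destination address (constructed) */
    buf[40] = NH_ICMPV6;           /* RH0 Next Header */
    buf[41] = 4;                   /* Hdr Ext Len: 2 addresses = 4 units */
    buf[42] = 0;                   /* Routing Type 0 */
    buf[43] = 2;                   /* Segments Left */
    memcpy(buf + 48, a1, 16);
    memcpy(buf + 64, a2, 16);
    return 80;
}

/* Runs the filter on the sample, optionally truncated to `take` bytes or with
 * Segments Left zeroed (an exhausted RH0, which should pass). */
int sample_verdict(size_t take, int exhausted)
{
    uint8_t buf[80];
    size_t n = build_rh0_sample(buf);
    if (exhausted) buf[43] = 0;
    return should_drop(buf, take < n ? take : n);
}
```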

Mac vs PC

With thanks to Teresa Chambel

Static code analysers

The main commercial static code analysis tools:

Coverity Prevent
Fortify Source Code Analysis
Secure Software CodeAssure

Security tools and Live CDs

The number of security tools available on the Internet today is gigantic, even counting only the free ones. So the work needed to install those tools is also enormous. One solution that reduces the installation effort almost to zero is to use a Live CD, such as Knoppix, that already contains security tools. There are several available, but the one that seems most trustworthy to me is the OWASP project's:

Penetration testing

...for a minimum of 15 thousand dollars...

We have reviewed, tested, and played with many products and applications over the years, but none of them compare to CORE IMPACT. From the moment you purchase the product, to the first time you get a shell on a vulnerable system, you are constantly being made aware of the fact that CORE understands security. We are not talking about flashy marketing tactics, but instead real security that is implemented to both mitigate real security related risks and exploit real system and application vulnerabilities.

Digital Identity and Forgeries

Forgeries harder to detect with Digital Identity
Source: RTP

The coordinator of a study presented today in Lisbon warns of the risk of digital identity theft, once it is created, because forgeries will be much harder to distinguish than with today's conventional documents.

Electronic identity, held on a card, "allows signature forgeries that look much more alike than handwritten ones", university professor and security systems expert Paulo Veríssimo told the Lusa agency.

The researcher coordinated the study "Identidade Digital" (Digital Identity), presented today in Lisbon, prepared to give "a constructive contribution to a better understanding of the risks and opportunities that arise in the transition to the sphere of Digital Identity".

The study was promoted by the Associação para a Promoção e Desenvolvimento da Sociedade da Informação (APDSI).

While recognising the enormous advantages of each citizen having their data in a digital system instead of the still usual readable cards (identity card, health card, social security, voter or tax cards, to name a few), the experts warn of greater risks if it becomes possible to copy the information held on a card's "chip".

It will be like "stealing someone's face", something extremely hard to recover from, says Paulo Veríssimo.

However, the expert argues that "technology is at a point where it is possible to create the security conditions" to move forward with electronic identity.

In Portugal, examples of digital documents are the electronic passport and the new citizen card, which was first issued in the Azores but will gradually be extended to the whole country.

Another contributor to the study, APDSI leader José Gomes Almeida, considers that digital identification "is advantageous", but citizens must be warned, as they "have to be aware that everything becomes easier, for better and for worse".

"It is easy for someone to carry a single card", instead of today's many, "but if it is copied..." everything gets complicated, argues Gomes Almeida.

This expert even considers that it is time to "revise" article 35 of the Constitution of the Republic, which prohibits assigning a single national number to citizens.

The situation that arises with a single card and number for each citizen is similar to that of credit cards and the relative ease with which they are forged.

That is why digital identification "can make our lives harder if we are not prepared" for it, he adds.

The new Citizen Card (Cartão de Cidadão) began to be issued on 14 February on the island of Faial, Azores, in a ceremony in which the prime minister, José Sócrates, handed the first documents to the best student, Cristina Resendes Maia, 15, and to João Ferreira Matos, 86, one of the island's oldest citizens.

The new identification document replaces the Identity Card (Bilhete de Identidade) and the Taxpayer, Social Security and Health cards and, later, the voter number card.

By June, issuance of the new cards should be generalised to the nine Azorean islands, reaching Portalegre the following month and extending to the districts of Évora and Bragança in October.

In the remaining districts of the country, in the Autonomous Region of Madeira and in Portuguese consulates abroad, the documents will only be issued in 2008.

Agência LUSA
2007-04-18 13:15:01

Oracle, databases and quarterly patches

Several software companies have set a fixed schedule for releasing patches for their products. Microsoft publishes monthly patches and some database vendors, such as Oracle, publish patches quarterly. The topic has generated some discussion, as already mentioned on this blog regarding Microsoft. Meanwhile, an interesting article on the quarterly patches of Oracle and other database vendors has appeared on TechRepublic.

Are Quarterly patches a good idea on Database Servers?
April 30th, 2007
Steven Warren

Hacking a Vista PC

...using the animated cursor vulnerability:
video on ZDNet

"Security experts at Determina show how a Vista PC can be compromised by exploiting a flaw in the way the operating system handles animated-cursor files. They've determined that Firefox users are at a higher risk than IE 7 users."

Intellectual property and software piracy

An interesting interview with Gregg Gronowski, vice president of Aladdin, on the subject in this month's ACM Queue. Available as podcast and text.

On the same magazine/site there is an interview on software licence management.

Rootkit for Vista

Interesting because, allegedly, special care was taken in Vista to prevent the inclusion of malicious code...

0wning Vista from the boot
By Federico Biancuzzi

Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1500 bytes), and the chance to use it to bypass Vista's product activation or avoid DRM.

Honeypots and more in Portuguese

Several texts on honeypots and other security topics in Brazilian Portuguese -- the Honeypot Brasil project