Library for building intrusion-tolerant systems

Intrusion tolerance is the application of the fault tolerance paradigm to the security domain. Many international research groups (including ours, http://www.navigators.di.fc.ul.pt) have been working on this topic in recent years.

We recently released a replication library that helps precisely with building intrusion-tolerant systems. The library is available at http://code.google.com/p/bft-smart/ and we count on the whole security and dependability community to test it and help us evolve this open-source library.

For those who have never heard of intrusion tolerance, we recommend the article (in Portuguese) available at http://docs.di.fc.ul.pt/jspui/handle/10455/3011.

US UAV video feeds in the clear

American UAVs, typically used in surveillance operations in Iraq, Afghanistan and Somalia, are not as "stealthy" as was thought. Apparently the video streams transmitted by the UAVs are not encrypted and can be intercepted with equipment costing less than 20 euros. More worrying still, this flaw may make it possible to locate these aircraft.

More information at:
http://online.wsj.com/article/SB126102247889095011.html

http://www.dailytech.com/Insurgents+Intercept+US+Military+UAV+Feeds+with+26+Software/article17168.htm

CMU|Portugal Security and Dependability Academy - in December

CMU|Portugal Security and Dependability Academy

14-15th December, 2009
Faculdade de Ciências, Universidade de Lisboa

*see the Academy brochure*

The CMU|Portugal Security and Dependability Academy is an opportunity for professionals of computer science and engineering or related areas, interested in improving their skills, to get in touch with the experts involved in the Dual Carnegie Mellon University – University of Lisboa Master of Science in Information Technology–Information Security (MSIT-IS).

The Academy will provide a sample of the topics taught during the MSIT-IS program through a set of exciting technical lectures and hands-on experiments in the program’s lab, where the attendees will get the chance to try live cyber-attack and defense technologies.

Although inspired by the MSIT-IS, the academy will be interesting on its own as a forum for discussion of the latest concepts in Security and Dependability.

After the lectures and laboratory experiments, the academy will close with the Pen Testing Trophy, where a victim machine will be subject to penetration testing by willing participants competing for a mysterious trophy.


Full information at: http://msi.di.fc.ul.pt/?Carnegie_Mellon_|Portugal_Security_and_Dependability_Academy

OWASP top 10 2010

The first version of the 2010 edition of the OWASP project's Top 10 web application vulnerabilities / risk factors is out. Changes relative to the previous edition:

Explanation of the changes:

1) We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the “Understanding Application Security Risk” page below.

2) We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This affects the ordering of the Top 10 somewhat, as you can see in the table below.

3) We replaced two items on the list with two new items:

+ ADDED: A6 – Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped because it wasn’t thought of as a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10, and so now it’s back.

+ ADDED: A8 – Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.

– REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications with this problem. PHP is now shipped with more default security, lowering the prevalence of this problem.

– REMOVED: A6 – Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal.
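As an added illustration of the new A8 item (example code written for this page, not OWASP's), here is the weak pattern next to a validator that only allows root-relative paths or absolute http(s) URLs on an allow-list. The function names, the allow-list and the sample URLs are assumptions constructed for this example.

```python
"""Validating a redirect target: the A8 weakness beside its fix.

Added example written for this page, not OWASP's code. The function names,
the allow-list and the sample URLs are assumptions constructed for this
illustration. Only a root-relative path or an absolute http(s) URL whose host
is on the allow-list is accepted; everything else falls back to "/".
"""
from urllib.parse import urlsplit

# Hosts this application may send users to (constructed allow-list).
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"


def vulnerable_redirect_target(next_url):
    """The A8 pattern: whatever came in the 'next' parameter is used as-is, so
    /login?next=https://evil.example/ sends the user off-site after login."""
    return next_url


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return next_url if it stays on an allowed host, else fallback."""
    if not next_url:
        return fallback
    # Whitespace and control characters only appear in tampered values.
    if any(c.isspace() or ord(c) < 0x20 for c in next_url):
        return fallback
    # Browsers treat a backslash like a slash, so "/\evil.example" is really
    # the protocol-relative "//evil.example"; normalise before parsing.
    url = next_url.replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: urlsplit has already put "//host" into netloc,
        # so a path starting with "/" here is root-relative and stays on-site.
        return url if url.startswith("/") else fallback
    if parts.scheme not in ("http", "https"):
        return fallback                    # javascript:, data:, ...
    host = (parts.hostname or "").lower()  # drops userinfo and port
    return url if host in allowed_hosts else fallback
```

The cases worth testing are the ones that fool a naive "starts with /" or "contains my domain" check: protocol-relative `//host`, backslash variants, `javascript:` URLs and userinfo tricks such as `https://www.example.com@evil.example/`.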

Mega-D/Ozdok botnet shut down

A large botnet dedicated to sending spam was shut down through the joint action of several people. The level of spam sent dropped to zero.

At Ars Technica (full story here):

Security researchers have taken down a major spam offender, though the dip in spam levels may be only temporary. Members of the FireEye security team coordinated an attack on the Mega-D botnet (also known as Ozdok) last week by preemptively registering domains meant for the botnet's command and control channels (CnCs) and shutting down others. Spam coming from Mega-D stopped almost instantly, proving that David really can take down Goliath every once in a while.

Ever since the shut-down of McColo in 2008, the brains behind spam botnets have been much smarter about diversifying their CnCs. As pointed out by a FireEye blog post, they're no longer relying on a single net of domains to control the botnet—instead, many current botnets have mechanisms in place that randomly generate the next block of domains that the zombie machines will look for once the current set is shut down, and the people controlling the CnCs just register those domains on the fly as needed.

Such is the case with Mega-D/Ozdok, which has not one, but two fallback mechanisms for when the original CnCs go down. Not only can it use its own list of DNS servers to access its CnCs, it can generate new domains based on the current date and time. "Unless someone is committed enough to pre-register those domains, the bot herders can always come forward and register those domains and take botnet control back," the FireEye team wrote.

FireEye's move against Mega-D started with abuse notifications to the ISPs being used as hosts—all but four were taken down immediately. The firm then worked with numerous domain registrars to take down the primary CnC domains in order to throw a wrench into the botnet's workings. Then, the researchers registered a number of domains that were on Mega-D's permanent CnC list but were mysteriously unregistered; this move essentially gave FireEye CnC control of the botnet, which they pointed to a sinkhole server where data was collected on victim machines in order to help users recover control of their PCs.

Finally, FireEye began registering in advance some of the soon-to-be-generated domains based on date and time for the next three days, anticipating that the botnet would begin looking for those domains once it realized the current ones were out of commission. This, apparently, was the nail in the coffin, as the firm wrote in a new blog post (via Slashdot) that "everything went right according to plan."

Spam coming out of Mega-D has stopped altogether (at least for the time being) (...)
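The behaviour Ars Technica describes has a footprint on the defender's side: once the hard-coded C&C domains are sinkholed, each zombie falls back to its generated candidate list and fails lookup after lookup. The following added example (not FireEye's tooling) flags resolver clients that produce a burst of NXDOMAIN answers in a short window and reports the per-label entropy of the failed names; the log format, addresses and names are constructed for this illustration.

```python
"""Spotting hosts that burst through generated domains after a C&C takedown.

Added example, not FireEye's tooling. A bot whose hard-coded C&C domains have
been sinkholed or taken down falls back to its generated candidate list and
fails lookups in quick succession, so a resolver log shows one client
producing many NXDOMAIN answers for never-seen names in a short window. The
log format and all addresses and names below are constructed for this
illustration.
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: timestamp, client, queried name, response code.
SAMPLE_LOG = """\
2009-11-06T09:00:01 10.0.0.7 www.example.com NOERROR
2009-11-06T09:00:02 10.0.0.9 qx7k2mfz91p.net NXDOMAIN
2009-11-06T09:00:02 10.0.0.9 h2r9ls0tqv4.com NXDOMAIN
2009-11-06T09:00:03 10.0.0.9 zp3n8vq1kt7.info NXDOMAIN
2009-11-06T09:00:03 10.0.0.9 m9wlx4r0e2c.net NXDOMAIN
2009-11-06T09:00:04 10.0.0.9 b6yd1ok3fh8.com NXDOMAIN
2009-11-06T09:00:05 10.0.0.7 mail.example.com NOERROR
2009-11-06T09:00:30 10.0.0.7 typo-in-my-bookmark.com NXDOMAIN
2009-11-06T09:05:00 10.0.0.9 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>[A-Z]+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["client"],
                   m["qname"].lower(), m["rcode"])


def label_entropy(name):
    """Shannon entropy (bits/char) of the label left of the TLD, e.g. 'qx7k2mfz91p'.
    Naive for multi-part suffixes such as co.uk; good enough for a triage signal."""
    parts = name.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def nxdomain_bursts(text, window_seconds=60, min_failures=5):
    """Return {client: sorted list of all its failed names} for every client
    with at least min_failures NXDOMAIN answers inside some window_seconds window."""
    failures = defaultdict(list)                 # client -> [(ts, qname)]
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    flagged = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over time
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_failures:
                flagged[client] = sorted({q for _, q in events})
                break
    return flagged


if __name__ == "__main__":
    for client, names in nxdomain_bursts(SAMPLE_LOG).items():
        mean_h = sum(map(label_entropy, names)) / len(names)
        print(f"{client}: {len(names)} failed lookups, mean label entropy {mean_h:.2f} bits/char")
        for n in names:
            print("   ", n)
```

The decision is made on the burst alone (a typo in a bookmark is one NXDOMAIN, not five in three seconds); the entropy is printed as supporting evidence, since long all-distinct-character labels score near log2(length) while dictionary names score lower.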

McAfee on cyber-war

McAfee has published its Virtual Criminology Report 2009, dedicated to cyber-war. The report can be obtained here.

Some excerpts:

Is the “Age of Cyber War” at hand? This year, the fifth annual McAfee Virtual Criminology Report contemplates this question and others prompted by the fact that nation-states are arming themselves for the cyberspace battlefield. Since our 2007 report, when we last discussed the growing cyber threat to national security, there have been increasing reports of cyber attacks and network infiltrations that appear to be linked to nation-states and political goals. The most obvious of these attacks was the August 2008 cyber campaign against Georgia during the South Ossetia War. We decided it was time to further examine whether cyber warfare is now a part of human conflict that we should get used to seeing more often.

Key findings:

• Although there is no commonly accepted definition for cyber war today, we have seen nation-states involved in varying levels of cyber conflict. Further, while we have not yet seen a “hot” cyber war between major powers, the efforts of nation-states to build increasingly sophisticated cyber attack capabilities, and in some cases demonstrate a willingness to use them, suggests that a “Cyber Cold War” may have already begun.

• If a major cyber conflict between nation-states were to erupt, it is very likely that the private sector would get caught in the crossfire. Most experts agree that critical infrastructure systems—such as the electrical grid, banking and finance, and oil and gas sectors—are vulnerable to cyber attack in many countries. Some nation-states are actively doing reconnaissance to identify specific vulnerabilities in these networks. In the words of one expert, nation-states are “laying the electronic battlefield and preparing to use it.”

• Too much of the debate on policies related to cyber war is happening behind closed doors. Important questions, such as where to draw the line between cyber espionage and cyber war, are being discussed in private, or perhaps not at all. Many governments have chosen to keep debate on cyber conflict classified. Since governments, corporations and private citizens all have a stake in the future of the Internet, it is time to open a global dialogue on how to manage this new form of conflict.

There have been increased reports of cyber attacks and network infiltrations that appear to be linked to nation-states and political goals.

scareware

interesting:

The ultimate guide to scareware protection
on the ZeroDay blog

excerpt:

"Throughout the last two years, scareware (fake security software), quickly emerged as the single most profitable monetization strategy for cybercriminals to take advantage of. Due to the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands of dollars in the process.

Not surprisingly, Q3 of 2009 was prone to mark the peak of the scareware business model, whose affiliate program revenue sharing scheme is not only attracting new cybercriminals due to its high pay-out rates, but also, is directly driving innovation within the cybercrime underground acting as a reliable financial incentive.

This end user-friendly guide aims to educate the Internet user on what scareware is, the risks posed by installing it, how it looks like, its delivery channels, and most importantly, how to recognize, avoid and report it to the security community taking into consideration the fact that 99% of the current releases rely on social engineering tactics."

"penetration tests" forbidden ... without a licence

Yesterday the Polícia Judiciária published a communiqué about a seizure of computers allegedly related to illegal "security tests" -- operation Ghostbuster. Although the communiqué does not say so, one of yesterday's 8 p.m. TV news programmes said that the company whose computers were seized was the one that recently produced a report on GhostNet's penetration of computers belonging to State bodies.

The communiqué says that "the so-called - in the jargon of the international IT community - "tiger teams" and "white hat hackers" have no legal standing and are therefore liable to criminal prosecution." Without being an expert in legal matters, it seems to me that what is illegal is carrying out "security tests" without the permission of the body or company being tested (and rightly so). On the other hand, the testing of a company by a tiger team hired for that purpose by the company itself does not seem illegal to me. Or at least it shouldn't be.

The PJ's communiqué:

Computer and high-technology crime - Operation "Ghostbuster"

The Polícia Judiciária, through its Lisbon and Tagus Valley Directorate, launched an operation yesterday in which simultaneous searches were carried out at four residences and one company, all located in the Lisbon area, with the aim of identifying and collecting evidence of the possible organised commission of computer crimes of a transnational nature, namely unlawful access, improper access and computer damage; two suspects were formally charged and cooperated with the authorities.

In the course of the operation, electronic devices, computer data and cipher and encryption software were seized, as well as other evidence, which was preserved and will be subject to later analysis within the ongoing investigation.

The investigation, which has been under way for some time, concerns news reports about possible security weaknesses in the Portuguese State's computer networks, which were based on a report produced by a company referring to the obtaining and possession of sensitive information from several State bodies and private companies, among them the Ministry of Justice.

Given the sensitivity and complexity of the matter, the operation involved the participation of the TCIC judge and the DCIAP prosecutors in charge of the inquiry, who issued the relevant judicial orders aimed not only at preserving evidence but also at immediately neutralising the means that would allow the criminal activity to continue.


* THE POLÍCIA JUDICIÁRIA WARNS that, under current legislation, any act of purported or possible security testing without the express consent of the holders and owners of the targeted computer systems and networks constitutes a criminal offence punishable by imprisonment.

In these circumstances, the so-called - in the jargon of the international IT community - "tiger teams" and "white hat hackers" have no legal standing and are therefore liable to criminal prosecution.

23 October 2009

DNS.PT more secure

FCCN press release:

FCCN, Fundação para a Computação Científica Nacional, the entity that manages the DNS system for assigning Internet domain names under .PT, adopts the DNSSEC standard, joining Portugal to the small group of countries that have already adopted this standard in their top-level domains.

The DNSSEC standard consists of security extensions to the DNS protocol, introducing security mechanisms that solve several of the main problems in this area.

DNSSEC guarantees signed DNS responses, independence from any particular cryptographic algorithm and trust in the service, with a view to removing weaknesses, preventing attacks, reducing the risk of manipulation, providing a secure service and increasing security.

Among the advantages of this standard are origin authentication, data integrity, and secure verification of the non-existence of a domain or of the DNS records associated with it. It also makes it possible to prevent intrusions such as cache poisoning (pharming, phishing, ...) and to protect against modified transmissions (spoofing).

In simple terms, DNSSEC allows Internet users to be assured that the domain they are accessing is digitally signed and has not been tampered with by third parties, provided they have software that verifies this digital signature.

Thus .PT is one of the first country code top-level domains (ccTLDs) to use this new technology, and FCCN has already signed domain names under its responsibility, applying the DNSSEC extensions to DNS zones such as fccn.pt, cert.pt, zappiens.pt, rcts.pt and dnssec.pt.

The success of this technical solution also depends on the active involvement of the national Internet community. This first step by FCCN creates the starting conditions for other entities to join, namely the holders of critical domain names (judicial entities, banks and others), Internet service providers (ISPs) and registrars, and provides the technical support needed for that purpose. For more information, a test platform and a set of answers to frequently asked questions have been made available at www.dnssec.pt.

(...)
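The press release's "secure verification of the non-existence of a domain" is the part of DNSSEC that is easiest to get wrong in a validator, because it rests on an ordering rule rather than on a signature alone. The added example below (written for this page, not FCCN's or any resolver's code) assumes the NSEC records and their RRSIGs have already been validated and shows only the check that follows: a name does not exist if it falls, in the canonical order of RFC 4034 section 6.1, strictly between an NSEC owner and its "next" name, with the last record of the chain wrapping around to the zone apex. The zone is constructed; delegations and wildcards are ignored.

```python
"""Checking an NSEC chain for authenticated denial of existence.

Added example; it is not FCCN's or any resolver's code. It assumes the NSEC
RRset and its RRSIG have already been validated, and shows only the ordering
check a validator then performs: a name does not exist if it falls, in the
canonical DNS order of RFC 4034 section 6.1, strictly between an NSEC owner
and its "next" name. The zone below is constructed for this illustration;
delegations and wildcards are ignored.
"""


def canonical_key(name):
    """Sort key for canonical DNS ordering: labels compared right to left as
    lowercase octet strings; a name sorts before its own subdomains.
    Labels are expected in their ASCII (A-label) form."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]


def in_zone(qname, apex):
    """True if qname is the apex itself or lies below it."""
    q, a = canonical_key(qname), canonical_key(apex)
    return q[: len(a)] == a


def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC record 'owner -> next_name' proves qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        return False                       # the name exists: no denial
    if n == canonical_key(apex):
        # Last NSEC of the zone: the chain wraps around to the apex, so it
        # covers every in-zone name sorting after the owner.
        return q > o and in_zone(qname, apex)
    return o < q < n


def find_covering_nsec(chain, qname, apex):
    """Return the (owner, next) pair covering qname, or None if no record in
    the chain denies it (the name exists, is out of zone, or the chain is incomplete)."""
    if not in_zone(qname, apex):
        return None
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname, apex):
            return (owner, next_name)
    return None


# Constructed signed zone: the NSEC chain links every existing name to the next.
ZONE_APEX = "example.pt"
NSEC_CHAIN = [
    ("example.pt", "alpha.example.pt"),
    ("alpha.example.pt", "gamma.example.pt"),
    ("gamma.example.pt", "zeta.example.pt"),
    ("zeta.example.pt", "example.pt"),       # wraps around to the apex
]

if __name__ == "__main__":
    for q in ["beta.example.pt", "gamma.example.pt", "zzz.example.pt", "x.other.pt"]:
        print(q, "->", find_covering_nsec(NSEC_CHAIN, q, ZONE_APEX))
```

The two edge cases the code handles explicitly are the ones that matter in practice: a query for a name that exists (equal to an owner) must never be treated as denied, and a query sorting after the last owner is covered only by the wrap-around record and only if it actually belongs to the zone.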

two news items: Citius and GhostNet

from Público's website:

Computer errors make judges' court rulings disappear

The Superior Council of the Judiciary has received "countless" protests from judges, but the ministry denies serious problems and guarantees that Citius is used without problems

Judicial rulings have already disappeared from the Citius Magistrados Judiciais application due to system errors. Since January, use of this application has been mandatory for civil proceedings, which has pushed many judges to the brink of a nervous breakdown. The slowness of the system and the frequent freezing of the application are the most common complaints.

The Superior Council of the Judiciary (CSM) says that since then "there have been countless complaints from judge users", but assures that the disappearance of rulings from the system corresponds "to rare situations" related to system crashes. The Ministry of Justice denies the existence of serious problems and insists that "the vast majority of magistrates use Citius daily without problems".

The Ponta Delgada Judicial Court is one of those that have felt the most serious problems. "I record that this ruling was written twice (after disappearing from the system, for IT reasons unknown to us) and that access to Citius in order to enter it was attempted for more than one hour and 10 minutes, without success", reads a ruling of 24 September. "The malfunctioning of the Citius system", it adds, "has been repeating itself daily and harming our performance".

(...)

But there are complaints almost everywhere in the country. "Since the start of the judicial year [1 September], the Citius system has stopped working under normal conditions, which has been seriously harming the service", denounced by letter Marlene Rodrigues, presiding judge of the Barcelos Judicial Court. The slowness of the system, the impossibility of opening certain documents and of forwarding them internally to the respective sections (which handle the administrative side) and the mandatory activation of the English-language word processor were the main problems mentioned. Marlene Rodrigues insists that she is a supporter of computerising the courts. "I was one of the first to work in Citius, in November 2007, because I think it brings transparency", she argues. "But they cannot keep changing the system without testing the changes first", she stresses. "All these errors are incompatible with the volume of work we have", she maintains. The latest changes to Citius cost Jorge Teixeira, circuit judge in Barcelos, a month without working in the application and a return to paper.

(...)


Company says it found State data in Chinese cyber-espionage network

A report released this week claims that sensitive information belonging to the Portuguese State was stolen by a computer network based in China. This network is called GhostNet and in March it had already been the subject of work by researchers at the University of Toronto, Canada, who concluded that it was used to spy on computers in more than 100 countries, Portugal among them. But the document raises doubts.

The report was published by a Portuguese computer security company called Trusted Technologies, which is practically unknown. The authors say they got into GhostNet's servers and found, among other data, information that could provide access to Ministry of Justice databases, files about the system that manages elections in Portugal, Polícia Judiciária documents and information about judges and magistrates. The company says it has a copy of all this information, which it will only release if there is "express authorisation from the competent entities".

Trusted Technologies itself sent the document to newsrooms and to institutions such as the Presidency of the Republic, the Attorney General's Office, the Magistrates' Union and the Bar Association. Late this afternoon, Bruno Vieira, an engineer at Trusted and co-author of the report, told PÚBLICO that he had received no response from these entities. Bruno Vieira said that the investigation took place over about six months and was prompted by news reports early this year that several computers belonging to State bodies had been targeted by computer attacks.

“In theory”, Vieira asserted, the information found on the Chinese computers “compromises the security of the institutions” and makes it possible to alter databases such as the Land Registry or even to interfere with the counting of votes in an election.

PÚBLICO tried without success to contact the Instituto de Tecnologias de Informação na Justiça, the entity that manages the computer systems associated with this ministry.

Many experts believe that GhostNet may be operated by Chinese espionage services, but Vieira admitted that, although it is possible to locate the computers geographically, it is not possible to link them to the Beijing government.

Symantec's technical director in Portugal, Timóteo Menezes, told PÚBLICO that there are known cases of networks that try to steal information from the computers of State bodies (the USA frequently complains of being spied on by China). But he argued that the report raises “many doubts”, does not offer a full explanation of the investigation and seems to be “a story one may want to believe”.

According to Trusted, the information theft process involves what is called social engineering, that is, a user (such as an employee) has to open a file attached to an e-mail or visit a site controlled by the attackers. GhostNet then exploits vulnerabilities and installs malicious software with which the computers can be controlled remotely. The infected machines are then instructed to send files to the spy network's computers.

(...)

intrusion attempts on the government network

news item from Lusa on today's Público website (with a reference to another in the Expresso):

Intrusion attempts on the government's computer system doubled after the President's statement

excerpts:

"Intrusion attempts on the Government's computer system intensified “to worrying levels” in recent days, after Cavaco Silva admitted “vulnerabilities” in the Presidency's system, the Presidency of the Council of Ministers revealed today.

In a note sent to newsrooms, the Presidency of the Council of Ministers vouches for the effectiveness of the Government's computer system, which “successfully rejected 12 serious intrusion attempts between 27 and 29 September, with that number more than doubling (32 serious intrusion attempts) between 30 September and 2 October”.

(...)

The Presidency of the Council of Ministers stresses today that, “if necessary”, the Government will file criminal complaints against the perpetrators of criminal offences under the cybercrime law, and warns that the Centro de Gestão da Rede Informática do Governo (CEGER) has already begun “steps to detect the origin of the intrusion attempts”.

CEGER is also reassessing the “prevention mechanisms available to counter the intensification of computer attacks, including at the level of the servers that make publicly accessible content available on the Internet”.

The weekly "Expresso" claims in today's headline that it managed to get into the Government's computer network. “Expresso got into the São Bento computer network, but Belém's proved impregnable”, the weekly stated.

(...)

“From the Expresso story, what emerges is the finding that access was possibly obtained only to a registration area for the names of ‘gov.pt’ subdomains, which are mere addresses for accessing websites that hold only publicly available content”, it stresses."

Indeed, despite the headline ("We managed to get into the Government's computer network"), the Expresso story refers only to a DNS poisoning attack, which it is odd to call "getting in".

best student paper award - DISC'09

This work is not yet about security, but it will be. In any case, here is the result, given that 2 of this blog's authors are involved:

Henrique Moniz, a PhD student at DI-FCUL, received the "best student paper award" at the 23rd International Symposium on Distributed Computing (DISC 2009) for the paper:

Randomization Can Be a Healer: Consensus with Dynamic Omission Failures
Henrique Moniz, Nuno F. Neves, Miguel Correia, Paulo Verissimo

the paper

news item in info-Ciências digital

interview with Henrique Moniz

the conference website

vulnerabilities at the Presidency of the Republic

everyone has heard and read about it, but here it is:

"8. The second question that the publication of the said e-mail raised for me was the following: “is it possible for someone from outside to get into my computer and read my e-mails? Is the confidential information held on the Presidency of the Republic's computers sufficiently protected?”

It was to clarify this question that today I heard from several entities with responsibilities in the area of security. I learned that vulnerabilities exist and asked that ways of reducing them be studied."

Statement by the President of the Republic

Belém Palace, 29 September 2009

Iberian Conference on Web Application Security - IBWAS'09


OWASP is sponsoring the first Iberian conference in the area. The call for papers is open:

First Iberic Conference on Web-Applications Security (IBWAS’09)
Escuela Universitaria de Ingeniería Técnica de Telecomunicación - Universidad Politécnica de Madrid
10th – 11th December 2009
Madrid, Spain
[organised by OWASP Spain and OWASP Portugal]

Announce and Call for Papers

Introduction
------------
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of web-based applications and web services as a way to develop new and flexible information systems. Such systems are easy to develop, deploy and maintain and demonstrate impressive features for users, resulting in their current wide use.

As a result of this paradigm shift, the security requirements have also changed. These web-based information systems have different security requirements, when compared to traditional systems. Important security issues have been found and privacy concerns have also been raised recently. In addition, the emerging Cloud Computing paradigm promises even greater flexibility; however corresponding security and privacy issues still need to be examined. The security environment should involve not only the surrounding environment but also the application core.

This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

Conference proceedings will be published by Springer in the "Communications in Computer and Information Science" (CCIS) series.

Keynote Speakers
----------------
* Bruce Schneier, acclaimed security guru, author, BT CSTO (confirmed)
* Inspector Jorge Martín from the High Tech Crime Unit of the Spanish National Police (confirmed)


Conference Topics
-----------------
Suggested topics for papers submission include (but are not limited to):
• Secure application development
• Security of service oriented architectures
• Security of development frameworks
• Threat modelling of web applications
• Cloud computing security
• Web applications vulnerabilities and analysis (code review, pen-test, static analysis etc.)
• Metrics for application security
• Countermeasures for web application vulnerabilities
• Secure coding techniques
• Platform or language security features that help secure web applications
• Secure database usage in web applications
• Access control in web applications
• Web services security
• Browser security
• Privacy in web applications
• Standards, certifications and security evaluation criteria for web applications
• Application security awareness and education
• Security for the mobile web
• Attacks and Vulnerability Exploitation

More information: http://www.ibwas.com

new study: main vulnerabilities

a new study by the SANS Institute: http://www.sans.org/top-cyber-security-risks/

main conclusions:
  • Priority One: Client-side software that remains unpatched.
  • Priority Two: Internet-facing web sites that are vulnerable.
  • Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
  • Rising numbers of zero-day vulnerabilities

dangers of virtualisation


Enthusiasm for virtualisation creates security problems


an excerpt:

"Organisations that rush into server virtualisation are storing up trouble for themselves, security experts have warned. They say that many implementations have been done with little or no consideration for the added virtualisation security risks.

"Most people don't realise the security issues, and those that do understand are quite happy to accept the platitudes from the suppliers that virtualisation is secure," said Ian Kilpatrick, chairman of Wick Hill Group Ltd., a distributor focusing on the security market.

Kilpatrick said that running multiple virtual machines (VMs) within a single server is inherently harder to control and requires higher levels of security. But in his experience, companies are relying on the same weak controls they used before the introduction of virtualisation.

"Communicating from one physical server to another can be easily controlled, but in a virtual environment, it is more complex. If I get in as a guest on a virtual machine, then it is much easier to get to others. If I can breach one VM, then I can breach many," he said.

Stronger authentication of users will limit that risk, but as Kilpatrick said, "90% of the world is not using any form of two-factor authentication. Anyone working in a virtual environment without two-factor authentication is a lunatic. If I can get on to the hypervisor and get administrator rights to the whole thing, I have the keys to the farm."

He added that security fears have been ignored because virtualisation is so attractive in most other respects. In a time of economic belt-tightening, the technology allows companies to make better use of resources, reduce the number of actual servers they run, cut infrastructure costs and also reduce their energy bills."


full article on SearchSecurity

Books

There are several books with true cops-and-robbers stories involving hackers and computer attacks. They are always entertaining reading for anyone who likes the field.

I have just rediscovered a classic of the genre that I read many years ago, so many that I no longer remembered it existed:

The Hacker Crackdown, law and disorder on the electronic frontier
Bruce Sterling, 1994
available from Project Gutenberg

Another classic:

The Cuckoo's Egg
Clifford Stoll, 1990

viruses, worms and hackers over the years

Maintained by Wikipedia:

Timeline of computer viruses and worms

List of convicted computer criminals

Interesting and useful as a reference.

security in comic strips

virtualisation?!


the dangers of public-key crypto

laws of security

I was reading an article by Eugene Spafford of Purdue in the June CACM, and it mentioned 3 laws of security attributed to Robert H. Courtney Jr., "one of the first computer security professionals". I then found these "laws" in RFC 4949. They are:

Courtney's first law: You cannot say anything interesting (i.e., significant) about the security of a system except in the context of a particular application and environment.

Courtney's second law: Never spend more money eliminating a security exposure than tolerating it will cost you.
-- First corollary: Perfect security has infinite cost.
-- Second corollary: There is no such thing as zero risk.

Courtney's third law: There are no technical solutions to management problems, but there are management solutions to technical problems.

phishing & co

The creativity of those who attack online banking (home banking) never ceases to surprise me. Today I found this message on CGD's online service, which shows that surprising attacks are going around:

"Caixa never asks for all the digits of the coordinate card, even within the Caixadirecta on-line service. A request of this kind is always a fraud. We recommend that you follow the measures for protecting and preserving your coordinate card."

But most interesting is a page listing several attacks:

Learn about the frauds involving the coordinate card...

secure SQL, not so secure after all

Beware SQL injections due to missing prepared statement support

Just because your library or framework allows you to specify an SQL query and the data separately, doesn't mean that it's sending data separately from code to the database.

Imagine this scenario. You read that prepared statements are a good way to avoid SQL injection, because the database is given code and data explicitly and separately. You chose a database that supports prepared statements. The library you use also seems to support them as you can pass SQL code and data as two separate arguments. However... internally the library just constructs a string and sends that to the database, and doesn't use the database's prepared statement support!

An example is the library "pyPGSQL", which supports PostgreSQL in Python. It has an "execute" command taking a query and parameters as separate arguments. However, internally it simply constructs a string to send off: self.res = self.conn.conn.query(_qstr % parms)

(...)

continue reading on the CERIAS blog
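As an added example (not code from the CERIAS post or from pyPGSQL itself), the following Python reproduces the failure mode described above against an in-memory SQLite database standing in for PostgreSQL: lookup_fake_prepared does what the quoted `_qstr % parms` line does, lookup_real_prepared binds the parameter properly, and sends_data_separately is the black-box probe you can run against any driver whose prepared-statement support you have not verified. The table, its rows and the probe value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "s1"), ("bob", "s2")]


def make_db():
    """In-memory SQLite database standing in for the PostgreSQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_fake_prepared(conn, name):
    """Mimics the pyPGSQL behaviour quoted above: the caller passes query and
    parameters separately, but the library interpolates them into one string
    (the `_qstr % parms` step) before the database ever sees it."""
    qstr = "SELECT secret FROM users WHERE name = '%s'"
    sql = qstr % (name,)
    return [row[0] for row in conn.execute(sql)]


def lookup_real_prepared(conn, name):
    """Genuine parameter binding: the SQL text never changes, the value
    travels separately and is treated as data whatever characters it holds."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# A probe value that is harmless as data but changes the query if interpolated.
PROBE = "x' OR '1'='1"


def sends_data_separately(lookup, conn):
    """Black-box check for a library whose 'prepared statement' support you
    do not trust. No user is literally named  x' OR '1'='1 , so a library
    that really separates code from data returns nothing for the probe;
    one that builds a string returns every row."""
    return lookup(conn, PROBE) == []


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_fake_prepared, lookup_real_prepared):
        verdict = "separate" if sends_data_separately(fn, db) else "INTERPOLATED"
        print(fn.__name__, "->", verdict)
```

The probe needs one lookup per driver: if a value that is syntactically harmless as data comes back with rows it could not possibly match, the library is interpolating, whatever its documentation says.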

availability of data centers

This is not a security issue but one of availability / dependability / fault tolerance. Data center availability seems to be a given, but it is not: last week several of them suffered outages that affected various Internet services. More information:

The Day After: A Brutal Week for Uptime
source: Data Center Knowledge

Several vulnerabilities recently found in the iPhone

Privacy:

The Mail component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 does not provide an option to disable remote image loading in HTML email, which allows remote attackers to determine the device address and when an e-mail is read via an HTML email containing an image URL.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0960


Denial of service:

The MPEG-4 video codec in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to cause a denial of service (device reset) via a crafted MPEG-4 video file that triggers an "input validation issue."
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0959


The Telephony component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to cause a denial of service (device reset) via a crafted ICMP echo request, which triggers an assertion error related to a "logic issue."
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1683


WebKit in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to cause a denial of service (device reset) via a web page containing an HTMLSelectElement object with a large length attribute.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1692

report on data breaches on the Internet

Verizon's 2009 Data Breach Investigations Report is now available. Very interesting.

"The 2009 Data Breach Investigations Report (DBIR) covers this chaotic period in history from the viewpoint of our forensic investigators. The 90 confirmed breaches within our 2008 caseload encompass an astounding 285 million compromised records. These records have a compelling story to tell, and the pages of this report are dedicated to relaying it. As with last year, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. Below are a few highlights from the report:"

http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Workshop on Intrusion Tolerance - June 29

CALL FOR PARTICIPATION

3rd Workshop on Recent Advances on Intrusion-Tolerant Systems
WRAITS 2009


In conjunction with
The 39th IEEE/IFIP International Conference on Dependable Systems and Networks
DSN 2009

June 29, 2009
Estoril, Lisbon, Portugal
http://wraits09.di.fc.ul.pt/

http://www.dsn.org/?ADVANCE_PROGRAM:DETAILED


OVERVIEW

The 3rd Workshop on Recent Advances on Intrusion-Tolerant Systems aims to foster the understanding of and collaborative discourse on the challenges of building intrusion tolerant systems and innovative ideas to address them. The workshop will provide a forum for researchers and practitioners to present architectures for intrusion-tolerant systems, new defense mechanisms, recent results, discuss open problems that still need research, and survivability challenge problems in specific application and domain areas.


HIGHLIGHTS

Keynote Speech
* Metrics, methods and tools to measure security and trustworthiness
Henrique Madeira, University of Coimbra

Panel
* Intrusion tolerance going mainstream - Which applications stand to benefit?
Saurabh Bagchi, Walter Heimerdinger, Navjot Singh, Paulo Verissimo


----- // ------

PROGRAM

Keynote Speech

* Metrics, methods and tools to measure security and trustworthiness
Henrique Madeira
University of Coimbra

Paper session 1

* What next in intrusion tolerance
P. Pal, R. Schantz, J. Loyall, M. Atighetchi and F. Webber
BBN Technologies, USA

* Quantitative Approach to Tuning of a Time-Based Intrusion-Tolerant System Architecture
Q. Nguyen and A. Sood
George Mason University, USA

* Network Intrusion Detection with Minimal Communication Overhead
O. Patrick Kreidl and A. Willsky
MIT, USA

Panel

* Intrusion tolerance going mainstream - Which applications stand to benefit?
Saurabh Bagchi, Purdue University, USA (chair)
Walter Heimerdinger, Honeywell (retired), USA
Navjot Singh, Avaya, USA
Paulo Verissimo, University of Lisboa, Portugal

Paper session 2

* On the Use of Radio Resource Tests in Wireless ad hoc Networks
D. Mónica, J. Leitão, L. Rodrigues and C. Ribeiro
INESC-ID/IST, Portugal

* Enhancing Fault / Intrusion Tolerance through Design and Configuration Diversity
A. Bessani, A. Daidone, I. Gashi, R. Obelheiro, P. Sousa and V. Stankovic
University of Lisbon, Portugal / University of Florence, Italy /
City University London, UK / Universidade do Estado de Santa Catarina, Brazil

* Practical Techniques for Regeneration and Immunization of COTS Applications
L. Li, R. Sekar, M. Cornwell, E. Hultman and J. Just
Global InfoTek, USA / Stony Brook University, USA


See also:
http://wraits09.di.fc.ul.pt/
http://www.dsn.org/?ADVANCE_PROGRAM:DETAILED

Registration information: http://www.dsn.org/

Microsoft Security Intelligence Report

Already a couple of months old: Microsoft "Security Intelligence Report Volume 6" (July through December 2008) and its "Key Findings Summary" (available in 10 languages):
http://www.microsoft.com/security/portal/sir.aspx

remote electricity meter reading leaves the grid vulnerable

Buggy 'smart meters' open door to power-grid botnet
The Register

"New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month.

The so-called smart meters for the first time provide two-way communications between electricity users and the power plants that serve them. Prodded by billions of dollars from President Obama's economic stimulus package, utilities in Seattle, Houston, Miami, and elsewhere are racing to install them as part of a plan to make the power grid more efficient. Their counterparts throughout Europe are also spending heavily on the new technology.

There's just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that's easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse. (...)"

In Portugal, so-called telecontagem (remote metering) already exists in some localities (e.g. search for telecontagem on the EDP site).

(with thanks to Acácio Vitorino, who sent the article from The Register)

life is hard: strongwebmail was not so "strong" after all

They claimed to be "hack proof" and offered 10,000 dollars to anyone who proved otherwise. They lost, and XSS attacks scored another point.

StrongWebmail CEO's mail account hacked via XSS
source: ZeroDay

crime doesn't pay?

Microsoft study debunks profitability of the underground economy
source: ZeroDay

"A newly released paper presented by Cormac Herley and Dinei Florencio at this year’s Workshop on the Economics of Information Security 2009 entitled “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy” debunks the often taken for granted profitability of the underground economy comparing it to that of a Market for Lemons, where the seller knows more about the product than the buyer.

Earlier this year, the same researchers also debunked the profitability of phishing (Microsoft study debunks phishing profitability) in general, using the Tragedy of the Commons as an analogy for their findings.

I beg to differ with the conclusions drawn in both papers, and here’s why: (...)"

malware in ATM machines

Malicious code was found in ATM machines (aka Multibanco) in Eastern European countries. The attack requires physical access to the machine, or rather to the machine's computer, but the impact is enormous. The article:

Data-sniffing trojans burrow into Eastern European ATMs
By Dan Goodin
The Register

Details in pdf.

(with thanks to Ricardo Oliveira)

White House report on the current state and future directions of the US regarding cyberspace

"Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone—individuals, academia, industry, and governments—to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations. As you will see in our review there is a lot of work for us to do together and an ambitious action plan to accomplish our goals. It must begin with a national dialogue on cybersecurity and we should start with our family, friends, and colleagues."

More details at http://www.whitehouse.gov/CyberReview/

Direct link to the report: http://www.whitehouse.gov/asset.aspx?AssetId=1732

viruses in images

The images of computer viruses
Source: TDSnews and InformationWeek

a set of 3D images generated from the code and behaviour of a set of viruses

MYDOOM:

change the SSID of your wireless router

It is necessary because, from the SSIDs used by some manufacturers, the default WEP/WPA key can be derived:

Default key algorithm in Thomson and BT Home Hub routers
source: gnucitizen

botnets seen from the inside

A series of amusing screenshots:

Inside the botnets that never make the news - a gallery
http://blogs.zdnet.com/security/?p=3432

"If you ever wanted to take an inside view of targeted-botnets primarily run by novice cybercriminals sometimes utilizing outdated, but very effective methods - this ZDNet photo gallery is for you."

Gumblar

"A malware exploit that has been circulating since March or so is picking up the pace lately, hijacking more than 3,000 websites as of this week. Gumblar's goal is to manipulate Google's results in order to affect as many PCs as possible, which has some researchers describing it as "a botnet of compromised websites."

"Security researchers are stepping up their warnings about the Gumblar malware exploit as it continues to hijack webpages and manipulate Google results. Gumblar recently got the attention of the United States Computer Emergency Readiness Team (US-CERT), which noted on its website that Gumblar is alive and well and continues to circulate by hijacking vulnerable Web applications, poor configuration settings, or simply by stealing FTP credentials.

Experts who have been tracking Gumblar since March say that the malware directly manipulates files on Web servers after getting access to them. From there, the attack changes the files to inject scripts and distribute more malicious code out of gumblar.cn or from other, varying IP addresses. The code appears to target sites that show up in Google searches, according to the ScanSafe STAT Blog, and although Google began delisting compromised websites months ago, the code keeps changing, keeping Google on its toes."

source: Ars Technica
http://arstechnica.com/security/news/2009/05/gumblar-exploit-hijacking-websites-and-picking-up-steam.ars

cyber-war: episode 3?

Analyst: cyberwarfare arms race with China imminent

A security expert informed Congress last month that the United States is entering a cyberwarfare arms race with China. Some of his information, however, seems to be misleading, especially about China's "top secret" OS.

source: Ars Technica

risk management

Risk Management is Where Money Is
Dan Geer, Nov. 1998

Given my biases, I am going to describe where the future of the security marketplace is and where it is not. I will argue that the financial community is and remains the place to look for "first light" for new security technology. I will give you a rundown of what's new while I predict what little time is left for many of today's products, purveyors and regulators. I will argue that, in many ways, the party's over for the security field as we know it now. I will range broadly because security, as a concept, is universal. (...)

Risk Management Is Still Where the Money Is
Dan Geer, Computer, Dec. 2003

Five years ago, I gave a short speech at the Digital Commerce Society of Boston, titled “Risk Management Is Where the Money Is” (http://catless.ncl.ac.uk/Risks/20.06.html). In the speech, I proposed looking at security as a risk management proposition. Many things have changed since then, so perhaps it is time to reassess and to confirm in word what has been confirmed in deed. (...)

some tools for web application security

GreenSQL
http://www.greensql.net/
GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy and has built in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc).

w3af
http://w3af.sourceforge.net/
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
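To make the "risk scoring matrix" idea in the GreenSQL description concrete, here is an added, hypothetical scorer in Python; it is not GreenSQL's code, and the rule names, patterns, weights and the block threshold of 50 are assumptions for illustration. It blanks string literals before scoring, so that user data containing words like DROP does not count, then sums the weights of the structural patterns that fire. The sample statements are constructed.

```python
import re

# Hypothetical rules and weights for illustration; this is not GreenSQL's
# code and the numbers are not its risk matrix.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

RULES = [
    ("admin_command", re.compile(r"\b(DROP|TRUNCATE|ALTER|CREATE|GRANT|REVOKE)\b", re.I), 60),
    ("stacked_query", re.compile(r";\s*\S"), 30),
    ("sql_comment", re.compile(r"--|/\*|#"), 30),
    ("union_select", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I), 40),
    ("schema_probe", re.compile(r"\b(information_schema|pg_catalog|sqlite_master)\b", re.I), 40),
    # Constant comparison such as 1=1; after literal blanking 'a'='a' shows up as ''=''.
    ("tautology", re.compile(r"(?<![\w'])(\w+|'[^']*')\s*=\s*\1(?![\w'])"), 50),
]
BLOCK_THRESHOLD = 50


def score_query(sql):
    """Return (total risk, names of the rules that fired) for one statement.
    String literals are blanked first so only SQL structure is scored, not
    whatever the user typed into a field."""
    stripped = STRING_LITERAL.sub("''", sql)
    total, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(stripped):
            total += weight
            hits.append(name)
    return total, hits


def decide(sql, threshold=BLOCK_THRESHOLD):
    """Proxy decision for one statement: ('allow'|'block', score, hits)."""
    total, hits = score_query(sql)
    return ("block" if total >= threshold else "allow"), total, hits


# Constructed sample statements, as a proxy would see them from the application.
SAMPLE_QUERIES = [
    "SELECT secret FROM users WHERE name = 'alice'",
    "SELECT secret FROM users WHERE name = 'x' OR '1'='1'",
    "SELECT secret FROM users WHERE name = ''; DROP TABLE users; --'",
    "SELECT name FROM users UNION SELECT name FROM sqlite_master",
    "SELECT body FROM posts WHERE body = 'DROP TABLE -- ; 1=1'",
]


def run_samples():
    return {sql: decide(sql) for sql in SAMPLE_QUERIES}


if __name__ == "__main__":
    for sql, (verdict, score, hits) in run_samples().items():
        print("%-5s %3d %-40s %s" % (verdict, score, hits, sql))
```

The last sample shows why literal blanking matters: the dangerous-looking words sit inside a string value and the statement is allowed. A real proxy would parse the SQL rather than pattern-match it, learn a baseline of the application's normal statements, and be tuned per database engine; this only shows the shape of the decision.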

(in)security on Twitter

an interesting article by Gary McGraw:

Software [In]Security: Twitter Security

"(...) But this is a security column, so lets spend a few minutes pondering the security ramifications of Twitter. I can think of a few right off the top of my head: it's easy to spoof someone on Twitter, it's a perfect vector for malicious code and phishing, Twitter allows dingbats to cash in their last remaining privacy chit, and it has a coolness factor that often overrides common sense."

Master's programmes

Applications are still open until the end of May for the Master in Information Security / Master in Information Technology - Information Security (MSIT-IS), a dual degree from Carnegie Mellon Univ. / Univ. de Lisboa. Information at:
http://cmuportugal.di.fc.ul.pt/?MSc_in_Information_Security

Applications are also open for FCUL's other master's programmes in informatics:
http://acesso.fc.ul.pt/

Output encoding and XSS attacks

An interesting article on the Coding Insecurity blog:
http://coding-insecurity.blogspot.com/2009/05/getting-output-encoding-right.html
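The linked article is not reproduced here; as an added illustration of its subject (my code, not the article's), the Python below shows why a single encoder is not enough: html.escape is right for text between tags but leaves `x onmouseover=alert(1)` and `javascript:alert(1)` untouched, so attribute, URL and JavaScript-string contexts each get their own treatment. The attack strings are constructed, and the hex-entity rule for attributes is the one the OWASP ESAPI encoders use.

```python
import html
from urllib.parse import urlsplit

# Constructed attack strings (not from the linked article), one per context.
ATTACKS = {
    "body": "<script>alert(1)</script>",
    "unquoted_attr": "x onmouseover=alert(1)",
    "href": "javascript:alert(1)",
    "js_string": '";alert(1)//',
}
SAFE_SCHEMES = {"http", "https", "mailto"}


def encode_html_body(value):
    """Text between tags: entity-encode & < > \" and '."""
    return html.escape(value, quote=True)


def encode_html_attribute(value):
    """Attribute value: hex-entity-encode every non-alphanumeric character
    so the value can neither close a quoted attribute nor, in an unquoted
    one, start a new attribute (space and = are encoded too)."""
    return "".join(c if c.isalnum() else "&#x%02x;" % ord(c) for c in value)


def encode_js_string(value):
    """Inside a JavaScript string literal, where HTML entities are NOT
    decoded: \\xHH / \\uHHHH-escape everything except alphanumerics, which
    neutralises quotes, backslashes and a closing </script>."""
    out = []
    for c in value:
        if c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append("\\x%02x" % ord(c))
        else:
            out.append("\\u%04x" % ord(c))
    return "".join(out)


def safe_href(value):
    """URL attribute: no encoder turns javascript:alert(1) into a safe link,
    so the scheme is whitelisted first, then the value attribute-encoded.
    Relative URLs (no scheme) are allowed."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return encode_html_attribute(value)


def render_link_naive(url, label):
    """The common mistake: one encoder (HTML entities) for every context,
    and an unquoted attribute."""
    return "<a href=%s>%s</a>" % (html.escape(url), html.escape(label))


def render_link(url, label):
    """Each value encoded for the context it is inserted into."""
    return '<a href="%s">%s</a>' % (safe_href(url), encode_html_body(label))


if __name__ == "__main__":
    for url in (ATTACKS["unquoted_attr"], ATTACKS["href"]):
        print("naive :", render_link_naive(url, "link"))
        print("fixed :", render_link(url, "link"))
    print("js    :", encode_js_string(ATTACKS["js_string"]))
```

Note what the naive renderer emits for the second attack string: the HTML-escaped output is byte-for-byte the input, because the dangerous characters in those payloads are not among the five that entity encoding touches. Quoting the attribute helps with the first case but not with the javascript: URL; only the scheme check does.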

botnet shuts down 100,000 PCs

Botnet master hits the kill switch, takes down 100,000 PCs

"Botnets aren't just dangerous because they can steal massive amounts of personal data and launch denial-of-service attacks—they can also self-destruct, leaving the owners of affected machines in the dust. The controllers of one such botnet recently hit the kill switch for one reason or another, taking down some 100,000 infected computers with it.

(...) But Zeus had another interesting feature—one that isn't terribly uncommon among botnet software, it turns out. A command was built into the software to kos—or "kill operating system"—and it was apparently executed some time last month.

The reason for BSODing 100,000 machines isn't quite clear, but several security experts have offered up their opinions. S21sec wrote on its blog that those behind Zeus might have wanted more time to exploit the financial data they had harvested by removing the user's ability to get online and see that money was being transferred. On the other hand, (...) "Maybe the botnet was hijacked by another crime group," Hüssy told the Post. Or, he postulated, perhaps those behind Zeus were just dumb. (...)"

Source: Ars Technica

Information security: trust

The question of trust (trust/trustworthiness) is much harder with respect to data than with respect to the service provided. A very interesting article related to this (and unfortunately not only about data supplied by computer systems):

Wikipedia hoax points to limits of journalists' research

A sociology student placed a fake quote on Wikipedia, only to see it show up in prominent newspapers, revealing that a lot of the press doesn't go much further than most 'Net users when it comes to researching a story.

Excerpt:

"Fitzgerald was apparently curious how far his hoax would spread, and expected it to appear on a variety of blogs and similar sites. Instead, to his surprise, a search picked it up in articles that appeared at a variety of newspapers. Fitzgerald eventually removed his own fabricated quote and notified a variety of news outlets that they had been tricked, but not all of them have apparently seen fit to publish corrections or to ensure that their original stories were accurate, even though fixing a webpage shouldn't be a challenging thing."

Source: Ars Technica

Is software complexity the reason for the lack of security?

an article that discusses this idea:

Shin, Y. and Williams, L., Is Complexity Really the Enemy of Software Security?, Quality of Protection Workshop at the ACM Conference on Computers and Communications Security (CCS) 2008, Alexandria, VA, pp. 47-50.

Software complexity is often hypothesized to be the enemy of software security. We performed statistical analysis on nine code complexity metrics from the JavaScript Engine in the Mozilla application framework to investigate if this hypothesis is true. Our initial results show that the nine complexity measures have weak correlation (ρ=0.30 at best) with security problems for Mozilla JavaScript Engine. The study should be replicated on more products with design and code-level metrics. It may be necessary to create new complexity metrics to embody the type of complexity that leads to security problems.

The story of a hacker

in comic-strip form... fun. There are several episodes; you have to keep clicking "next":

hacking a botnet for fun and profit

Researchers hijack botnet, score 56,000 passwords in an hour

The Torpig botnet was hijacked by the good guys for ten days earlier this year before its controllers issued an update and took the botnet back. During that time, however, researchers were able to gain a glimpse into the kind of information the botnet gathers as well as the behavior of Internet users who are prone to malware infections.

Full article
Source: http://arstechnica.com

important vulnerabilities in 5 web applications

Five 'must-secure' Web app vulnerabilities
by Ryan Naraine, ZeroDay

actually it is not 5 vulnerabilities but vulnerabilities in 5 web apps:
1. Apache Geronimo Application Server
2. SAP cFolders
3. CS Whois Lookup
4. phpMyAdmin
5. Novell Teaming

illegal downloads and French law

from today's Público:

Does making illegal downloads deserve having one's Internet access cut off?
27.04.2009 - 08h49 Isabel Gorjão Santos

"The debate over illegal downloads is as old as the Internet, at least since there has been enough bandwidth to let music and films through. But no proposal had gone as far as the one that will be discussed on Wednesday in the French Parliament. It proposes that, after two warnings, netizens who download music without paying be barred from accessing the Internet. Between the staunch defenders and those who deplore the law, everyone is trying to answer the question: is there or is there not a violation of freedom of expression?

The Création et Internet law has already been rejected, but only by 21 votes to 15. Abstentions were torrential, since the French Parliament has 577 deputies. But, despite that rejection, it will be debated again on Wednesday. It is supported by President Nicolas Sarkozy and is also known as the Hadopi law, the French acronym for the High Authority for the Dissemination of Works and the Protection of Rights on the Internet - the body that, if the law is approved, will be responsible for applying sanctions.

That is, in fact, one of the most controversial aspects of the law: leaving the decision to bar a citizen from accessing the Internet in the hands of a non-judicial body. But the main argument of those who contest the proposal is that it may restrict fundamental rights such as freedom of expression and access to information."

full article

XSS on Twitter

Twitter was hit by a series of interesting cross-site scripting (XSS) attacks:

Twitter hit by multiple variants of XSS worm
Source: Zero Day

US power grid penetrated by spies

One sui generis aspect of research on critical infrastructure protection is the scepticism of many regarding the possibility of these infrastructures being attacked by computer with devastating effects. An article came out today on the front page of the Wall Street Journal that I think may convince the more sceptical (or the very sceptical; the most sceptical only when they are left in the dark or without water for a while). An excerpt:

Electricity Grid in U.S. Penetrated By Spies
By SIOBHAN GORMAN

WASHINGTON -- Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Officials said water, sewage and other infrastructure systems also were at risk.

"Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told lawmakers. "A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure."


The online version of the WSJ also includes a link to a very interesting letter:
"The North American Electric Reliability Corporation on Tuesday warned its members that not all of them appear to be adhering to cybersecurity requirements."
http://online.wsj.com/public/resources/documents/CIP-002-Identification-Letter-040609.pdf

An excerpt:

Most of us who have spent any amount of time in the industry understand that the bulk power system is designed and operated in such a way to withstand the most severe single contingency, and in some cases multiple contingencies, without incurring significant loss of customer load or risking system instability. This engineering construct works extremely well in the operation and planning of the system to deal with expected and random unexpected events. It also works, although to a lesser extent, in a physical security world. In this traditional paradigm, fewer assets may be considered “critical” to the reliability of the bulk electric system.

But as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations. I have intentionally used the word “manipulate” here, as it is very important to consider the misuse, not just loss or denial, of a cyber asset and the resulting consequences, to accurately identify CAs under this new “cyber security” paradigm. A number of system disturbances, including those referenced in NERC’s March 30 advisory on protection system single points of failure, have resulted from similar, non-cyber-related events in the past five years, clearly showing that this type of failure can significantly “affect the reliability (and) operability of the bulk electric system,” sometimes over wide geographic areas.

Taking this one step further, we, as an industry, must also consider the effect that the loss of that substation, or an attack resulting in the concurrent loss of multiple facilities, or its malicious operation, could have on the generation connected to it.

(with thanks to Luis Marques)

bye bye privacy

For now it is only the British saying bye bye to the privacy of the headers of the emails they send and receive (sender address, recipient address, time, etc.). The UK Government is also already talking about storing the full content of emails ... and here in Portugal there is a habit of imitating these wise decisions, if only to cite the Technological Plan for the thousandth time, or to justify buying a multi-million IT infrastructure.

The whole story at:
http://news.zdnet.co.uk/security/0,1000000189,39629479,00.htm

Ghostnet: Internet espionage 101

from today's Público:

A computer espionage network located mostly in China managed to infiltrate 1295 computers belonging to ministries, embassies and other organisations in 103 countries, (...) according to a report by researchers at the University of Toronto. Portugal is also on the list of affected countries, through the Government's Computer Network Management Centre (Ceger) and the Portuguese embassies in Finland and Germany.

The scale of the attack, carried out from three servers in Chinese provinces and one in California, United States, is not yet clear, according to the report Tracking Ghostnet: Investigating a Cyber Espionage Network by the Munk Centre for International Studies at the University of Toronto, Canada.

(...)

"Internet espionage is believed to be very active," says Paulo Veríssimo, professor in the Department of Informatics of the Faculty of Sciences of Lisbon. "It is no surprise that government networks can be penetrated."
About six years ago, Paulo Veríssimo took part in a study of Ceger's computer system. "We concluded that the network was fairly secure," he explains. "But a good firewall and antivirus are not enough. These systems need advanced technological solutions, because we have to have a system at the security level of aircraft, not of cars."
For Paulo Veríssimo, "states are taking lightly the fact that, through a computer system, information can be accessed and manipulated."

computer compromised via the BIOS

"...demonstrated a method for patching the BIOS with a small bit of code that gave them complete control of the machine. And the best part is, the method worked on a Windows machine, a PC running OpenBSD and another running VMware Player."

http://threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods
Source: ThreatPost

(with thanks to Wagner Dantas)

attacks on DNS and DNSSEC

ITAR - Interim Trust Anchor Repository:
http://www.networkworld.com/news/2009/022309-dns-security.html

"ICANN's Interim Trust Anchor Repository – or ITAR -- allows top-level domains such as .se for Sweden and .br for Brazil to have fully functioning DNSSEC deployments without waiting for the root zone to be signed."

An interesting attack on the browser's same-origin policy that uses DNS (often filed under XSS, though no script injection is involved: the attacker's own hostname is made to resolve to a victim's internal address):
http://en.wikipedia.org/wiki/DNS_rebinding

(with thanks to Eugénio Pinto)

Security in browsers

IE 8 released - some nice security features built in

but it still fell like the others at CanSecWest 09:

Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits

(with thanks to Nuno Loureiro)

attack on the System Management Mode of Intel CPUs

"System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".

The SMM code lives in a specially protected region of system memory, called SMRAM. The memory controller offers dedicated locks to limit access to SMRAM memory only to system firmware (BIOS). BIOS, after loading the SMM code into SMRAM, can (and should) later "lock down" system configuration in such a way that no further access, from outside the SMM mode, to SMRAM is possible, even for an OS kernel (or a hypervisor). In this paper we discuss an architectural problem affecting Intel-based systems that allow for unauthorized access to SMRAM. We also discuss how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits [9]."

introduction to the attack
paper

(with thanks to Bruno Garrancho)

Watcher: a new tool for testing web applications

Watcher: a free web-app security testing and compliance auditing tool

"I announced Watcher at CanSecWest and I'm happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence also announced it at MIX09 yesterday. Check out his talk at http://videos.visitmix.com/MIX09/T54F - it's an eye opener for Web developers, introducing us to the new features of IE8 while also covering state-of-the-art secure development practices for today's Web applications.

Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues."
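
The passive checks the quote names (reflected user input, open redirects, plus the cookie-flag check an auditor expects), as an added example in Python rather than Watcher's own code. It only inspects request/response pairs that were already captured and never sends traffic; the sample capture and its hostnames are constructed.

```python
"""Passive checks over captured HTTP exchanges, in the spirit of Watcher.

Added example, not Watcher's code.  It only inspects request/response pairs
that were already captured (nothing is sent).  The sample exchanges below
are constructed; hostnames are placeholders.
"""
from dataclasses import dataclass
from html import escape
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Exchange:
    url: str
    status: int
    headers: List[Tuple[str, str]]   # response headers
    body: str = ""


def _hdr(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name.lower()]


def check_exchange(x: Exchange) -> List[str]:
    findings: List[str] = []
    u = urlsplit(x.url)
    params = parse_qsl(u.query, keep_blank_values=True)
    ctype = (_hdr(x.headers, "Content-Type") or [""])[0].lower()

    # 1. user-controlled input reflected in an HTML body: an XSS hot-spot
    if "text/html" in ctype:
        for name, value in params:
            if len(value) >= 4 and value in x.body:
                how = "unencoded" if escape(value, quote=True) != value else "verbatim"
                findings.append(f"reflected-input: param '{name}' reflected {how}")

    # 2. redirect whose target comes from a parameter and leaves the site
    if 300 <= x.status < 400:
        for loc in _hdr(x.headers, "Location"):
            target_host = urlsplit(loc).netloc
            for name, value in params:
                if value and loc.startswith(value) and target_host and target_host != u.netloc:
                    findings.append(f"open-redirect: Location taken from param '{name}' -> {target_host}")

    # 3. cookies set over HTTPS without Secure / HttpOnly
    if u.scheme == "https":
        for sc in _hdr(x.headers, "Set-Cookie"):
            parts = [p.strip() for p in sc.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            missing = [f for f in ("secure", "httponly") if f not in attrs]
            if missing:
                findings.append(f"insecure-cookie: '{cookie_name}' missing {', '.join(missing)}")
    return findings


def scan(exchanges: List[Exchange]) -> Dict[str, List[str]]:
    return {x.url: check_exchange(x) for x in exchanges}


# Constructed sample capture (placeholder hosts).
SAMPLE = [
    Exchange("https://shop.example/search?q=<script>alert(1)</script>", 200,
             [("Content-Type", "text/html; charset=utf-8")],
             "<h1>Results for <script>alert(1)</script></h1>"),
    Exchange("https://shop.example/login?next=http://evil.example/", 302,
             [("Location", "http://evil.example/")]),
    Exchange("https://shop.example/", 200,
             [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; Path=/")]),
    Exchange("https://shop.example/search?q=lamp", 200,
             [("Content-Type", "text/html"),
              ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")],
             "<h1>3 items found</h1>"),
]

if __name__ == "__main__":
    for url, found in scan(SAMPLE).items():
        print(url, found or "clean")
```

A reflected value is reported as a hot-spot, not as a confirmed XSS: the reflection may sit in a context where the characters are harmless, which is why the tool hands it to a pen-tester rather than claiming a vulnerability.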

vulnerabilities in routers

There are still people who believe routers are invulnerable. The reality is that they are not; they have vulnerabilities like every other computer system:

Cisco IOS patch day covers multiple vulnerabilities
source: Zero Day

The Building Security In Maturity Model

The Building Security In Maturity Model (BSIMM) described on this website is designed to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many initiatives share common ground. This common ground is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework (SSF), which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective.

http://bsi-mm.com/

Browser Security Handbook

Browser Security Handbook
Michal Zalewski, Google 2008

This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.

Cyclone

Cyclone is a safe dialect of C.

Cyclone is like C: it has pointers and pointer arithmetic, structs, arrays, goto, manual memory management, and C’s preprocessor and syntax.

Cyclone adds features such as pattern matching, algebraic datatypes, exceptions, region-based memory management, and optional garbage collection.

Cyclone is safe: pure Cyclone programs are not vulnerable to a wide class of bugs that plague C programs: buffer overflows, format string attacks, double free bugs, dangling pointer accesses, etc.

Cyclone attempts to avoid some of the common pitfalls of the C programming language, while still maintaining the look and performance of C. To this end, Cyclone places the following restrictions upon programs:

* NULL checks are inserted to prevent segmentation faults
* Pointer arithmetic is restricted
* Pointers must be initialized before use (this is enforced by definite assignment analysis)
* Dangling pointers are prevented through region analysis and limitations on free()
* Only "safe" casts and unions are allowed
* goto into scopes is disallowed
* switch labels in different scopes are disallowed
* Pointer-returning functions must execute return
* setjmp and longjmp are not supported

sources:

Cyclone web site

Wikipedia

token kidnapping

Known for a year and still not fixed:

One-year-old (unpatched) Windows 'token kidnapping' under attack
Zero Day

"The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.

Now comes word from the SANS ISC (Internet Storm Center) that the flaw is being used in a blended attack against an unknown target"

CSRF in Gmail

interesting because it gives a lot of detail: http://www.securiteam.com/securitynews/5ZP010UQKK.html

"Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request."
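
An added example (not Gmail's code) of the shape just described: a change-password handler that accepts the session cookie as its only proof of intent, beside the same handler protected with a per-session synchronizer token. The origin, session identifier, session store and the attacker's page are all constructed.

```python
"""Change-password CSRF: the vulnerable shape described above, beside the fix.

Added example, not Gmail's code.  Requests are modelled as dicts (cookies,
form fields); the origin, session store and attacker page are constructed.
"""
import hmac
import secrets

SESSIONS = {"sess-1234": {"user": "alice", "csrf": secrets.token_hex(16)}}
PASSWORDS = {"alice": "old-pw"}
SITE = "https://mail.example"   # placeholder origin

# What the attacker hosts: a form posting to the target, auto-submitted.
# The victim's browser attaches the target's session cookie on its own.
ATTACKER_PAGE = f"""<form id=f method=POST action="{SITE}/ChangePassword">
<input type=hidden name=NewPassword value=pwned>
<input type=hidden name=ConfirmPassword value=pwned>
</form><script>document.getElementById('f').submit()</script>"""


def session_for(request: dict):
    return SESSIONS.get(request.get("cookies", {}).get("SID"))


def _apply(session: dict, form: dict) -> int:
    if not form.get("NewPassword") or form["NewPassword"] != form.get("ConfirmPassword"):
        return 400
    PASSWORDS[session["user"]] = form["NewPassword"]
    return 200


def change_password_vulnerable(request: dict) -> int:
    """The session cookie is the only proof of intent, so a cross-site POST
    that the browser decorates with that cookie is indistinguishable from
    the user's own submission."""
    s = session_for(request)
    return 401 if s is None else _apply(s, request["form"])


def render_change_form(session: dict) -> str:
    """The genuine form carries a per-session secret in a hidden field."""
    return (f'<form method=POST action="{SITE}/ChangePassword">'
            f'<input type=hidden name=csrf_token value="{session["csrf"]}">'
            '<input name=NewPassword><input name=ConfirmPassword></form>')


def change_password_fixed(request: dict) -> int:
    """Synchronizer token: the attacker's page cannot read the token out of
    the victim's session (same-origin policy), so it cannot forge the field."""
    s = session_for(request)
    if s is None:
        return 401
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, s["csrf"]):
        return 403
    return _apply(s, request["form"])


def forged_request() -> dict:
    """What arrives when the logged-in victim loads ATTACKER_PAGE."""
    return {"cookies": {"SID": "sess-1234"},
            "form": {"NewPassword": "pwned", "ConfirmPassword": "pwned"}}


def legit_request(new_pw: str) -> dict:
    """The user's own submission of render_change_form()."""
    return {"cookies": {"SID": "sess-1234"},
            "form": {"csrf_token": SESSIONS["sess-1234"]["csrf"],
                     "NewPassword": new_pw, "ConfirmPassword": new_pw}}


if __name__ == "__main__":
    print("vulnerable, forged:", change_password_vulnerable(forged_request()), PASSWORDS["alice"])
    PASSWORDS["alice"] = "old-pw"
    print("fixed, forged:", change_password_fixed(forged_request()), PASSWORDS["alice"])
    print("fixed, legit:", change_password_fixed(legit_request("n3w-pw")), PASSWORDS["alice"])
```

The token only works if the attacker cannot obtain it: it must be unguessable, bound to the session, and never exposed to other origins (an XSS on the site, or a page that echoes it into a cross-origin-readable resource, hands it over and reopens the hole). Asking for the current password on the change form is an independent second line of defence for exactly this functionality.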

HackBar

HackBar

"This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, and a lot of google :)"

attacks on ATMs

Not even ATMs are safe any more:

Diebold ATMs infected with credit card skimming malware
Zero Day

Insecure MAG 20

Issue 20 of Insecure Magazine is now available.

(with thanks to João Ramos)

BBC demonstrates the use of a botnet

A BBC programme rented a botnet of 22 thousand computers and used it to send spam... but only to demonstrate how these services work.

Update, 18/3/2009: BBC botnet buy: What were they thinking? (Zero Day)

The Cell Broadband Engine processor security architecture

The PlayStation 3 has been on the market for more than two years and there are still no attacks on this console that allow running "homebrew" software (i.e., software not authorized by Sony) or pirated games. The main reason for this success is the Cell microprocessor, developed jointly by Sony, Toshiba and IBM. The following article gives a very interesting overview of the Cell's security architecture.

http://www.ibm.com/developerworks/power/library/pa-cellsecurity/

a tool cannot solve...

... what is a process problem:

Application Security: A Tool Cannot Solve What Fundamentally is a Process Problem

On software security and the use of tools.

the cyber-war against Estonia, again

A member of the Russian parliament let slip at a press conference that the attacks had been the initiative of one of his assistants. Information or disinformation? Spontaneous revelations from experienced politicians...

Behind The Estonia Cyberattacks
Radio Free Europe

buying vulnerabilities for fun and profit

Google wants to buy Native Client security flaws

Google is (indirectly) buying security vulnerabilities from white hat hackers.

Under the guise of a Native Client Security Contest, the search engine firm is offering big cash prizes to hackers who find bugs and other security flaws in the open-source research technology for running x86 native code in Web applications.

source: ZDnet

http://blogs.zdnet.com/security/?p=2702

a phishing attack...

... that almost looks like a joke. Worth reading. I removed a few header lines but the rest is copy&paste:

Return-Path:
...
Date: Sat, 28 Feb 2009 23:02:36 +0530 (IST)
Subject: Important: Email Account Verification Update ! ! !
From: "ADMIN"
Reply-To: upgrade_department@live.com
User-Agent: SquirrelMail/1.4.8-4.0.1.el5.centos.2
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients: ;


Dear Webmail User,

This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes, where new messages are
received.The program is run weekly to ensure no one's inbox grows
too large. Ifyour inbox becomes too large, you will be unable to
receive new email.Just before this message was sent, you had 18
Megabytes (MB) or more ofmessages stored in your inbox on your
Webmail. To help us re-set yourSPACE on our database prior to
maintain your INBOX, you must reply to
this e-mail and enter your

Current User name ( )
and Password( )

You will continue to receive this warning message periodically if your
inbox size continues to be between 18 and 20 MB. If your inbox size
grows to 20 MB, then a program on Bates Webmail will move your oldest
email to afolder in your home directory to ensure that you will continue
to be able to receive incoming email. You will be notified by email that
this has taken place. If your inbox grows to 25 MB, you will be unable to
receive new email as it will be returned to the sender.
After you read a message, it is best to REPLY and SAVE it to another
folder.

Thank you for your cooperation.
Help Desk
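
As an added example (not part of the original post), a few header and body heuristics run over the message above, of the kind a mail gateway or an analyst's triage script applies. SAMPLE_MAIL is reconstructed from the headers shown, with the body abridged; the From address and Return-Path, which the post stripped, are constructed placeholders, as is the benign message used for comparison.

```python
"""Header/body heuristics for the phishing message quoted above.

Added example, not from the original post.  SAMPLE_MAIL reproduces the headers
shown there with an abridged body; the From address and Return-Path (stripped
in the post) and BENIGN_MAIL are constructed placeholders.
"""
import email
import re
from email.utils import parseaddr
from typing import List

FREEMAIL = {"live.com", "hotmail.com", "gmail.com", "yahoo.com"}

SAMPLE_MAIL = """\
Return-Path: <admin@webmail.example>
Date: Sat, 28 Feb 2009 23:02:36 +0530 (IST)
Subject: Important: Email Account Verification Update ! ! !
From: "ADMIN" <admin@webmail.example>
Reply-To: upgrade_department@live.com
User-Agent: SquirrelMail/1.4.8-4.0.1.el5.centos.2
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
To: undisclosed-recipients: ;

Dear Webmail User,

To help us re-set your SPACE on our database prior to maintain your INBOX,
you must reply to this e-mail and enter your

Current User name ( )
and Password( )

Help Desk
"""

BENIGN_MAIL = """\
From: IT Helpdesk <helpdesk@webmail.example>
To: alice@webmail.example
Subject: Mailbox quota reminder

Your mailbox is at 80% of its quota. Archive old mail from the web client.
"""


def _domain(header_value: str) -> str:
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phish_indicators(raw: str) -> List[str]:
    msg = email.message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    found: List[str] = []

    # Replies are steered to a different domain than the one the mail claims
    # to come from; a help desk that answers from free webmail is a red flag.
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to-mismatch: replies go to {reply_dom}, not {from_dom or '?'}")
    if reply_dom in FREEMAIL:
        found.append(f"freemail-reply-to: {reply_dom}")

    # Bulk send with hidden recipients, urgency punctuation in the subject.
    if "undisclosed-recipients" in (msg.get("To") or "").lower():
        found.append("undisclosed-recipients")
    if re.search(r"(!\s*){2,}", msg.get("Subject") or ""):
        found.append("urgency-punctuation")

    # The payload: the body asks the reader to reply with a password.
    if re.search(r"\bpassword\b", body, re.I) and re.search(r"\breply\b", body, re.I):
        found.append("credential-request-by-reply")
    return found


def is_likely_phish(raw: str, threshold: int = 3) -> bool:
    return len(phish_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, mail in (("sample", SAMPLE_MAIL), ("benign", BENIGN_MAIL)):
        print(label, is_likely_phish(mail), phish_indicators(mail))
```

None of these indicators is conclusive on its own (legitimate newsletters use undisclosed recipients, and Reply-To mismatches have honest uses), which is why they are scored rather than treated as a verdict; the one that matters most here is the last, since no administrator needs a password sent back by e-mail.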