A computer espionage network located mostly in China managed to infiltrate 1295 computers of ministries, embassies and other organisations in 103 countries, (...) according to a report by researchers at the University of Toronto. Portugal is also on the list of affected countries, through the Centro de Gestão da Rede Informática do Governo (Ceger) and the Portuguese embassies in Finland and Germany.
The scale of the attack, carried out from three servers in Chinese provinces and one in California, United States, is not yet clear, according to the report Tracking Ghostnet: Investigating a Cyber Espionage Network by the Munk Centre for International Studies at the University of Toronto, Canada.
"Internet espionage is believed to be very active," says Paulo Veríssimo, professor in the Department of Informatics of the Faculty of Sciences of Lisbon. "It is no surprise that government networks can be penetrated."
About six years ago, Paulo Veríssimo followed a study of Ceger's computer system. "We concluded that the network was quite secure," he explains. "But a good firewall and antivirus are not enough. These systems need advanced technological solutions, because we must have a system at the security level of aircraft, not of cars."
For Paulo Veríssimo, "states are taking lightly the fact that, through a computer system, we can access and manipulate information".
(with thanks to Wagner Dantas)
"ICANN's Interim Trust Anchor Repository (or ITAR) allows top-level domains such as .se for Sweden and .br for Brazil to have fully functioning DNSSEC deployments without waiting for the root zone to be signed."
An interesting XSS attack using DNS:
(with thanks to Eugénio Pinto)
but even so it fell like the others at CanSecWest 09:
Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits
(with thanks to Nuno Loureiro)
"System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1". The SMM code lives in a specially protected region of system memory, called SMRAM. The memory controller offers dedicated locks to limit access to SMRAM memory only to system firmware (BIOS). BIOS, after loading the SMM code into SMRAM, can (and should) later "lock down" system configuration in such a way that no further access, from outside the SMM mode, to SMRAM is possible, even for an OS kernel (or a hypervisor).
In this paper we discuss an architectural problem affecting Intel-based systems that allow for unauthorized access to SMRAM. We also discuss how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kinds of abuses of the super-privileged SMM mode, e.g. via SMM rootkits."
introduction to the attack
(with thanks to Bruno Garrancho)
"I announced Watcher at CanSecWest and I'm happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence also announced it at MIX09 yesterday. Check out his talk at http://videos.visitmix.com/MIX09/T54F; it's an eye opener for Web developers, introducing us to the new features of IE8 while also covering state-of-the-art secure development practices for today's Web applications.
Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues."
Cisco IOS patch day covers multiple vulnerabilities
source: Zero Day
Browser Security Handbook
Michal Zalewski, Google 2008
This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.
Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.
Cyclone is like C: it has pointers and pointer arithmetic, structs, arrays, goto, manual memory management, and C’s preprocessor and syntax.
Cyclone adds features such as pattern matching, algebraic datatypes, exceptions, region-based memory management, and optional garbage collection.
Cyclone is safe: pure Cyclone programs are not vulnerable to a wide class of bugs that plague C programs: buffer overflows, format string attacks, double free bugs, dangling pointer accesses, etc.
Cyclone attempts to avoid some of the common pitfalls of the C programming language, while still maintaining the look and performance of C. To this end, Cyclone places the following restrictions upon programs:
* NULL checks are inserted to prevent segmentation faults
* Pointer arithmetic is restricted
* Pointers must be initialized before use (this is enforced by definite assignment analysis)
* Dangling pointers are prevented through region analysis and limitations on free()
* Only "safe" casts and unions are allowed
* goto into scopes is disallowed
* switch labels in different scopes are disallowed
* Pointer-returning functions must execute return
* setjmp and longjmp are not supported
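The NULL-check and restricted-pointer-arithmetic rules listed above, modelled in plain C as an added example (this is not Cyclone code and not from the page): a bounds-carrying pointer type with the checks written out explicitly, exercised on a constructed 8-byte buffer. The type and function names (fat_ptr, read_checked, fat_advance, sample_read) are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not Cyclone's code): a C model of two Cyclone rules,
 * inserted NULL checks and bounds-carrying ("fat") pointers that restrict
 * pointer arithmetic. Cyclone's compiler does this; here it is explicit. */
typedef struct {
    const uint8_t *base;  /* first byte the pointer may address */
    size_t len;           /* bytes addressable from base */
} fat_ptr;

enum { RD_OK = 0, RD_NULL = -1, RD_OOB = -2 };  /* status codes instead of a crash */

/* Checked read: the checks Cyclone inserts before a dereference; plain C
 * would do *out = base[idx] with no check and over-read past the end. */
int read_checked(fat_ptr p, size_t idx, uint8_t *out) {
    if (p.base == NULL) return RD_NULL;  /* inserted NULL check */
    if (idx >= p.len) return RD_OOB;     /* bounds check from the fat pointer */
    *out = p.base[idx];
    return RD_OK;
}

/* Restricted arithmetic: advancing shrinks the bounds, so no later
 * dereference can reach past the original object. */
int fat_advance(fat_ptr *p, size_t n) {
    if (p->base == NULL || n > p->len) return RD_OOB;
    p->base += n;
    p->len -= n;
    return RD_OK;
}

/* Constructed 8-byte sample and one-value wrappers: the byte read (0..255)
 * on success, otherwise the negative status code. */
static const uint8_t sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};

int sample_read(size_t idx) {
    fat_ptr p = { sample, sizeof sample };
    uint8_t v = 0;
    int rc = read_checked(p, idx, &v);
    return rc == RD_OK ? (int)v : rc;
}

int sample_read_after_advance(size_t n, size_t idx) {
    fat_ptr p = { sample, sizeof sample };
    uint8_t v = 0;
    int rc = fat_advance(&p, n);
    if (rc != RD_OK) return rc;
    rc = read_checked(p, idx, &v);
    return rc == RD_OK ? (int)v : rc;
}
```

Advancing to one past the end is allowed, as in C, but the resulting pointer has zero bytes of bounds and every read through it is rejected.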
One-year-old (unpatched) Windows 'token kidnapping' under attack
"The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.
Now comes word from the SANS ISC (Internet Storm Center) that the flaw is being used in a blended attack against an unknown target"
"Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts."
"This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, and a lot of google :)"
Diebold ATMs infected with credit card skimming malware
Application Security: A Tool Cannot Solve What Fundamentally is a Process Problem
On software security and the use of tools.
Behind The Estonia Cyberattacks
Radio Free Europe
Google is (indirectly) buying security vulnerabilities from white hat hackers.
Under the guise of a Native Client Security Contest, the search engine firm is offering big cash prizes to hackers who find bugs and other security flaws in the open-source research technology for running x86 native code in Web applications.
Date: Sat, 28 Feb 2009 23:02:36 +0530 (IST)
Subject: Important: Email Account Verification Update ! ! !
X-Priority: 3 (Normal)
To: undisclosed-recipients: ;
Dear Webmail User,
This message was sent automatically by a program on Webmail which periodically checks the size of inboxes, where new messages are received. The program is run weekly to ensure no one's inbox grows too large. If your inbox becomes too large, you will be unable to receive new email. Just before this message was sent, you had 18 Megabytes (MB) or more of messages stored in your inbox on your Webmail. To help us re-set your SPACE on our database prior to maintain your INBOX, you must reply to this e-mail and enter your
Current User name ( )
and Password( )
You will continue to receive this warning message periodically if your inbox size continues to be between 18 and 20 MB. If your inbox size grows to 20 MB, then a program on Bates Webmail will move your oldest email to a folder in your home directory to ensure that you will continue to be able to receive incoming email. You will be notified by email that this has taken place. If your inbox grows to 25 MB, you will be unable to receive new email as it will be returned to the sender.
After you read a message, it is best to REPLY and SAVE it to another
Thank you for your cooperation.
GWT: Advanced AJAX Security
a short excerpt:
Hacker attacked files of the Public Prosecutor's Office
By Ana Paula Azevedo, Sol, 28 February 2009
The computer system of the Procuradoria-Geral da República (PGR) suffered a hacking attack, with an unauthorised intrusion detected on the computer of one of the prosecutors in charge of the 'Freeport case' inquiry.
According to what SOL has learned, the intrusion occurred about three weeks ago, and an inquiry is now under way. It is known that a trojan was used, that is, a 'Trojan horse': a 'program' that allows remote access to computers' memory, to read, copy and forward files to a predefined address.
The attack was carried out through the computer system used by the Prosecutor's Office, under which the DCIAP (Departamento Central de Investigação e Acção Penal) operates, where the magistrates responsible for investigating the 'Freeport case', Vítor Magalhães and Pais Faria, work. The intrusion was detected on the latter's computer.
In Sol of 12 June: