Ghosnet: espionagem na Internet 101

do Público de hoje:

Uma rede de espionagem informática localizada sobretudo na China conseguiu infiltrar-se em 1295 computadores de ministérios, embaixadas e outras organizações de 103 países, (...) segundo um relatório de investigadores da Universidade de Toronto. Portugal também está na lista de países afectados, através do Centro de Gestão da Rede Informática do Governo (Ceger) e das embaixadas de Portugal na Finlândia e na Alemanha.

Não é ainda clara a dimensão do ataque levado a cabo a partir de três servidores em províncias chinesas e um na Califórnia, Estados Unidos, segundo o relatório Tracking Ghostnet: Investigating a Cyber Espionage Network do Centro de Estudos Internacionais Munk da Universidade de Toronto, no Canadá.

(...)

"Acredita-se que a espionagem na Internet está muito activa", adianta Paulo Veríssimo, professor do Departamento de Informática da Faculdade de Ciências de Lisboa. "Não é uma surpresa que se consiga penetrar em redes governamentais."
Há cerca de seis anos, Paulo Veríssimo acompanhou um estudo sobre o sistema informático do Ceger. "Concluímos que a rede estava bastante segura", explica. "Mas não chega uma boa firewall e antivírus. Estes sistemas necessitam de soluções tecnológicas avançadas, porque temos de ter um sistema que está ao nível da segurança dos aviões e não dos automóveis".
Para Paulo Veríssimo, "os Estados estão a encarar de forma ligeira o facto de, através de um sistema informático, podermos aceder e manipular informação".

computador comprometido via BIOS

"...demonstrated a method for patching the BIOS with a small bit of code that gave them complete control of the machine. And the best part is, the method worked on a Windows machine, a PC running OpenBSD and another running VMware Player."

http://threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods
Fonte: ThreatPost

(com agradecimentos ao Wagner Dantas)

ataques ao DNS e DNSSEC

ITAR - Interim Trust Anchor Repository:
http://www.networkworld.com/news/2009/022309-dns-security.html

"CANN's Interim Trust Anchor Repository – or ITAR -- allows top-level domains such as .se for Sweden and .br for Brazil to have fully functioning DNSSEC deployments without waiting for the root zone to be signed."

Um ataque interessante de XSS usando DNS:
http://en.wikipedia.org/wiki/DNS_rebinding

(com agradecimentos ao Eugénio Pinto)

Segurança em browsers

IE 8 released - some nice security features built in

mas mesmo assim caiu como os outros no CanSecWest 09:


Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits

(com agradecimentos ao Nuno Loureiro)

ataque ao System Management Mode dos CPUs Intel


"System Management Mode (SMM) is the most
privileged CPU operation mode on x86/x86_64
architectures. It can be thought of as of "Ring -2",
as the code executing in SMM has more privileges
than even hardware hypervisors (VT), which are
colloquially referred to as if operating in "Ring -1".

The SMM code lives in a specially protected region
of system memory, called SMRAM. The memory
controller offers dedicated locks to limit access to
SMRAM memory only to system firmware (BIOS).
BIOS, after loading the SMM code into SMRAM,
can (and should) later "lock down" system
configuration in such a way that no further access,
from outside the SMM mode, to SMRAM is
possible, even for an OS kernel (or a hypervisor).
In this paper we discuss an architectural problem
affecting Intel-based systems that allow for
unauthorized access to SMRAM. We also discuss
how to practically exploit this problem, showing
working proof of concept codes that allow for
arbitrary SMM code execution. This allows for
various kind of abuses of the super-privileged SMM
mode, e.g. via SMM rootkits [9]."

introdução ao ataque
artigo

(com agradecimentos ao Bruno Garrancho)

Watcher: nova ferramenta para teste de aplicações web

Watcher: a free web-app security testing and compliance auditing tool

"I announced Watcher at CanSecWest and I’m happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence also announced our it at MIX09 yesterday. Check out his talk at http://videos.visitmix.com/MIX09/T54F it’s an eye opener for Web developers - introducing us to the new features of IE8 while also covering state-of-the-art secure development practices for today’s Web applications.

Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues."

vulnerabilidades em routers

Ainda há quem acredite que os routers são invulneráveis. A realidade é que não são, têm vulnerabilidades como todos os sistemas informáticos:

Cisco IOS patch day covers multiple vulnerabilities
fonte: Zero Day

The Building Security In Maturity Model

The Building Security In Maturity Model (BSIMM) described on this website is designed to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many initiatives share common ground. This common ground is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework (SSF), which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective.

http://bsi-mm.com/

Browser Security Handbook



Browser Security Handbook
Michal Zalewski, Google 2008

This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.

Cyclone

Cyclone is a safe dialect of C.

Cyclone is like C: it has pointers and pointer arithmetic, structs, arrays, goto, manual memory management, and C’s preprocessor and syntax.

Cyclone adds features such as pattern matching, algebraic datatypes, exceptions, region-based memory management, and optional garbage collection.

Cyclone is safe: pure Cyclone programs are not vulnerable to a wide class of bugs that plague C programs: buffer overflows, format string attacks, double free bugs, dangling pointer accesses, etc.

Cyclone attempts to avoid some of the common pitfalls of the C programming language, while still maintaining the look and performance of C. To this end, Cyclone places the following restrictions upon programs:

* NULL checks are inserted to prevent segmentation faults
* Pointer arithmetic is restricted
* Pointers must be initialized before use (this is enforced by definite assignment analysis)
* Dangling pointers are prevented through region analysis and limitations on free()
* Only "safe" casts and unions are allowed
* goto into scopes is disallowed
* switch labels in different scopes are disallowed
* Pointer-returning functions must execute return
* setjmp and longjmp are not supported

fontes:

Cyclone web site

Wikipedia

token kidnapping

Conhecida há um ano e ainda não corrigida:

One-year-old (unpatched) Windows 'token kidnapping' under attack
Zero Day

"The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.

Now comes word from the SANS ISC (Internet Storm Center) that the flaw is being used in a blended attack against an unknown target"

CSRF no Gmail

interessante pois fornece muitos detalhes: http://www.securiteam.com/securitynews/5ZP010UQKK.html

"Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token for authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request."

HackBar

HackBar

"This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what your doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, and a lot of google :)"

ataques a ATMs

Já nem as ATMs estão a salvo:

Diebold ATMs infected with credit card skimming malware
Zero Day

Insecure MAG 20

disponível o número 20 da Insecure Magazine:


















(com agradecimentos ao João Ramos)

BBC demonstra uso de botnet

Um programa da BBC alugou uma botnet com 22 mil computadores e usou-a para enviar SPAM... mas apenas com o fim de demonstrar como funcionam esses serviços.



Actualização a 18/3/2009: BBC botnet buy: What were they thinking? (Zero Day)

The Cell Broadband Engine processor security architecture

Há mais de dois anos que a Playstation 3 se encontra no mercado e ainda não existem ataques contra este consola de modo a se executar software "caseiro" (i.e., sem estar autorizado pela Sony) ou jogos piratas. O grande responsável por este sucesso é o microprocessador Cell, desenvolvido em conjunto pela Sony, Toshiba e IBM. O seguinte artigo proporciona uma perspectiva muito interessante sobre a arquitectura de segurança do Cell.

http://www.ibm.com/developerworks/power/library/pa-cellsecurity/

uma ferramenta não pode resolver...

... o que é um problema de processo:

Application Security: A Tool Cannot Solve What Fundamentally is a Process Problem

Sobre segurança de software e o uso de ferramentas.

ainda a ciber-guerra contra a Estónia

Um deputado do parlamento Russo deixou cair numa conferência de imprensa que os ataques tinham sido iniciativa de um dos seus assistentes. Será informação ou desinformação? Revelações espontâneas de políticos experientes...

Behind The Estonia Cyberattacks
Radio Free Europe

buying vulnerabilities for fun and profit

Google wants to buy Native Client security flaws

Google is (indirectly) buying security vulnerabilities from white hat hackers.

Under the guise of a Native Client Security Contest, the search engine firm is offering big cash prizes to hackers who find bugs and other security flaws in the open-source research technology for running x86 native code in Web applications.

fonte: ZDnet

http://blogs.zdnet.com/security/?p=2702


um ataque de phishing...

... que até parece piada. Vale a pena ler. Removi algumas linhas do cabeçalho mas o resto é copy&paste:

Return-Path:
...
Date: Sat, 28 Feb 2009 23:02:36 +0530 (IST)
Subject: Important: Email Account Verification Update ! ! !
From: "ADMIN"
Reply-To: upgrade_department@live.com
User-Agent: SquirrelMail/1.4.8-4.0.1.el5.centos.2
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients: ;


Dear Webmail User,

This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes, where new messages are
received.The program is run weekly to ensure no one's inbox grows
too large. Ifyour inbox becomes too large, you will be unable to
receive new email.Just before this message was sent, you had 18
Megabytes (MB) or more ofmessages stored in your inbox on your
Webmail. To help us re-set yourSPACE on our database prior to
maintain your INBOX, you must reply to
this e-mail and enter your

Current User name ( )
and Password( )

You will continue to receive this warning message periodically if your
inbox size continues to be between 18 and 20 MB. If your inbox size
grows to 20 MB, then a program on Bates Webmail will move your oldest
email to afolder in your home directory to ensure that you will continue
to be able to receive incoming email. You will be notified by email that
this has taken place. If your inbox grows to 25 MB, you will be unable to
receive new email as it will be returned to the sender.
After you read a message, it is best to REPLY and SAVE it to another
folder.

Thank you for your cooperation.
Help Desk

AJAX e segurança

Um pequeno artigo com uma série de pointers interessantes sobre o tema:

GWT: Advanced AJAX Security
http://campustechnology.com/articles/2008/01/gwt-advanced-ajax-security.aspx

um pequeno excerto:
"In this talk, Hoffman demonstrated advanced attacks against AJAX applications, including manipulating client-side logic, defeating logic protection techniques, function hijacking (client-side code being changed), JavaScript Object Notation (JSON) hijacking and denial of service attacks. He discussed the susceptibility of GWT applications to these kinds of attacks and compared GWT security features to other AJAX frameworks, such as Prototype and Dojo. He ended by talking about hacking Google Gears, an open source browser extension that lets developers create Web applications that can run offline."

Intrusão na Procuradoria

... ou num PC pessoal de um dos Procuradores? Interessante.

Pirata informático atacou ficheiros da Procuradoria
Por Ana Paula Azevedo, Sol, 28 de Fevereiro de 2009

O sistema informático da Procuradoria-Geral da República (PGR) sofreu um ataque de pirataria, tendo sido detectada uma intromissão não autorizada no computador de um dos procuradores titulares do inquérito ao ‘caso Freeport’

Segundo o SOL apurou, essa intromissão ocorreu há cerca de três semanas, estando, entretanto, a decorrer um inquérito. Sabe--se que foi utilizado um trojan, ou seja, um ‘cavalo de Tróia’ – um ‘programa’ que permite aceder, à distância, à memória dos computadores, ler, copiar e reenviar ficheiros para um endereço pré-definido.

O ataque foi feito através do sistema informático usado pela Procuradoria, em cuja dependência funciona o DCIAP (Departamento Central de Investigação e Acção Penal) – onde trabalham os magistradores responsáveis pela investigação do ‘caso Freeport’, Vítor Magalhães e Pais Faria. Foi no computador deste último que foi detectada a intromissão.

No Sol de 12 de Junho:
http://sol.sapo.pt/PaginaInicial/Politica/Interior.aspx?content_id=127390