report on data theft on the internet

Verizon's 2009 Data Breach Investigations Report is available. Very interesting.

"The 2009 Data Breach Investigations Report (DBIR) covers this chaotic period in history from the viewpoint of our forensic investigators. The 90 confirmed breaches within our 2008 caseload encompass an astounding 285 million compromised records. These records have a compelling story to tell, and the pages of this report are dedicated to relaying it. As with last year, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. Below are a few highlights from the report:"

http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Workshop on Intrusion Tolerance - June 29

CALL FOR PARTICIPATION

3rd Workshop on Recent Advances on Intrusion-Tolerant Systems
WRAITS 2009


In conjunction with
The 39th IEEE/IFIP International Conference on Dependable Systems and Networks
DSN 2009

June 29, 2009
Estoril, Lisbon, Portugal
http://wraits09.di.fc.ul.pt/

http://www.dsn.org/?ADVANCE_PROGRAM:DETAILED


OVERVIEW

The 3rd Workshop on Recent Advances on Intrusion-Tolerant Systems aims to foster the understanding of and collaborative discourse on the challenges of building intrusion tolerant systems and innovative ideas to address them. The workshop will provide a forum for researchers and practitioners to present architectures for intrusion-tolerant systems, new defense mechanisms, recent results, discuss open problems that still need research, and survivability challenge problems in specific application and domain areas.


HIGHLIGHTS

Keynote Speech
* Metrics, methods and tools to measure security and trustworthiness
Henrique Madeira, University of Coimbra

Panel
* Intrusion tolerance going mainstream - Which applications stand to benefit?
Saurabh Bagchi, Walter Heimerdinger, Navjot Singh, Paulo Verissimo


----- // ------

PROGRAM

Keynote Speech

* Metrics, methods and tools to measure security and trustworthiness
Henrique Madeira
University of Coimbra

Paper session 1

* What next in intrusion tolerance
P. Pal, R. Schantz, J. Loyall, M. Atighetchi and F. Webber
BBN Technologies, USA

* Quantitative Approach to Tuning of a Time-Based Intrusion-Tolerant System Architecture
Q. Nguyen and A. Sood
George Mason University, USA

* Network Intrusion Detection with Minimal Communication Overhead
O. Patrick Kreidl and A. Willsky
MIT, USA

Panel

* Intrusion tolerance going mainstream - Which applications stand to benefit?
Saurabh Bagchi, Purdue University, USA (chair)
Walter Heimerdinger, Honeywell (retired), USA
Navjot Singh, Avaya, USA
Paulo Verissimo, University of Lisboa, Portugal

Paper session 2

* On the Use of Radio Resource Tests in Wireless ad hoc Networks
D. Mónica, J. Leitão, L. Rodrigues and C. Ribeiro
INESC-ID/IST, Portugal

* Enhancing Fault / Intrusion Tolerance through Design and Configuration Diversity
A. Bessani, A. Daidone, I. Gashi, R. Obelheiro, P. Sousa and V. Stankovic
University of Lisbon, Portugal / University of Florence, Italy /
City University London, UK / Universidade do Estado de Santa Catarina, Brazil

* Practical Techniques for Regeneration and Immunization of COTS Applications
L. Li, R. Sekar, M. Cornwell, E. Hultman and J. Just
Global InfoTek, USA / Stony Brook University, USA


See also:
http://wraits09.di.fc.ul.pt/
http://www.dsn.org/?ADVANCE_PROGRAM:DETAILED

Registration information: http://www.dsn.org/

Microsoft Security Intelligence Report

Already a couple of months old: Microsoft "Security Intelligence Report Volume 6" (July through December 2008) and "Key Findings Summary" (available in 10 languages):
http://www.microsoft.com/security/portal/sir.aspx

remote electricity readings leave the grid vulnerable

Buggy 'smart meters' open door to power-grid botnet
The Register

"New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month.

The so-called smart meters for the first time provide two-way communications between electricity users and the power plants that serve them. Prodded by billions of dollars from President Obama's economic stimulus package, utilities in Seattle, Houston, Miami, and elsewhere are racing to install them as part of a plan to make the power grid more efficient. Their counterparts throughout Europe are also spending heavily on the new technology.

There's just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that's easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse. (...)"

In Portugal, so-called telecontagem (remote metering) already exists in some localities (e.g. search for telecontagem on the EDP website).

(with thanks to Acácio Vitorino, who sent the news item from The Register)
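The weakness the article describes is that sensitive meter functions (remote disconnect, software update) are carried out with no authentication of the command at all. The following is an added illustration, not code from The Register, IOActive or any meter vendor, of what a minimal check on the meter side looks like: the unauthenticated handler executes whatever frame it is given, while the hardened handler requires a per-meter key, an HMAC-SHA256 tag and a monotonically increasing sequence number (to stop replay of a captured "disconnect"). The frame format, the command names and the key value are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed sample key: in a real deployment this is a per-meter secret
# provisioned by the utility and held in the meter's protected storage.
METER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes
SEQ_LEN = 4                              # big-endian uint32 sequence number


class UnauthenticatedMeter:
    """Mirrors the failure mode in the article: any frame naming a
    sensitive command is executed as-is, with no check of its origin."""

    def __init__(self):
        self.connected = True
        self.firmware = "1.0"

    def handle(self, frame: bytes) -> str:
        command, _, arg = frame.decode().partition(":")
        return self._execute(command, arg)

    def _execute(self, command: str, arg: str) -> str:
        if command == "DISCONNECT":
            self.connected = False
            return "disconnected"
        if command == "UPDATE_FIRMWARE":
            self.firmware = arg
            return f"firmware set to {arg}"
        return "ignored"


class AuthenticatedMeter(UnauthenticatedMeter):
    """Hardened variant. Frame layout (hypothetical):
        seq (4 bytes) || "COMMAND:ARG" || HMAC-SHA256(key, seq || body)
    A frame is executed only if the tag verifies under this meter's key
    and its sequence number is greater than the last accepted one."""

    def __init__(self, key: bytes):
        super().__init__()
        self.key = key
        self.last_seq = 0

    def handle(self, frame: bytes) -> str:
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "rejected: malformed"
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison; check the tag before anything else so a
        # forged frame learns nothing about sequence state.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        command, _, arg = body.decode().partition(":")
        return self._execute(command, arg)


def build_frame(key: bytes, seq: int, command: str, arg: str = "") -> bytes:
    """Head-end side: produce a frame the AuthenticatedMeter will accept."""
    header = struct.pack(">I", seq)
    body = f"{command}:{arg}".encode()
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


if __name__ == "__main__":
    weak = UnauthenticatedMeter()
    print("weak meter:", weak.handle(b"DISCONNECT:"))          # executes blindly
    strong = AuthenticatedMeter(METER_KEY)
    good = build_frame(METER_KEY, 1, "UPDATE_FIRMWARE", "2.1")
    print("strong meter, valid frame:", strong.handle(good))
    print("strong meter, replayed frame:", strong.handle(good))
    print("strong meter, forged frame:",
          strong.handle(build_frame(b"wrong-key", 2, "DISCONNECT")))
```

The per-meter key is what ties a frame to one device, so a frame captured on one meter cannot be replayed against another; the sequence number handles replay against the same meter. In practice the key would be managed through the utility's head-end key infrastructure and the firmware image itself would additionally be signed, neither of which this sketch covers.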

life is hard: strongwebmail wasn't that "strong" after all

They claimed to be "hack proof" and offered 10 thousand dollars to anyone who proved otherwise. They lost, and XSS attacks scored another point.

StrongWebmail CEO's mail account hacked via XSS
source: ZeroDay

crime doesn't pay?

Microsoft study debunks profitability of the underground economy
source: ZeroDay

"A newly released paper presented by Cormac Herley and Dinei Florencio at this year’s Workshop on the Economics of Information Security 2009 entitled “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy” debunks the often taken for granted profitability of the underground economy comparing it to that of a Market for Lemons, where the seller knows more about the product than the buyer.

Earlier this year, the same researchers also debunked the profitability of phishing (Microsoft study debunks phishing profitability) in general, using the Tragedy of the Commons as an analogy for their findings.

I beg to differ with the conclusions drawn in both papers, and here’s why: (...)"

malware on ATM machines

Malicious code has been discovered on ATM machines (aka Multibanco) in Eastern European countries. The attack requires physical access to the machine, or rather to the machine's computer, but the impact is enormous. The article:

Data-sniffing trojans burrow into Eastern European ATMs
By Dan Goodin
The Register

Details in pdf.

(with thanks to Ricardo Oliveira)

White House report on the current state and future directions of the US with regard to cyberspace

"Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone—individuals, academia, industry, and governments—to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations. As you will see in our review there is a lot of work for us to do together and an ambitious action plan to accomplish our goals. It must begin with a national dialogue on cybersecurity and we should start with our family, friends, and colleagues."

More details at http://www.whitehouse.gov/CyberReview/

Direct link to the report: http://www.whitehouse.gov/asset.aspx?AssetId=1732