Academia CMU|Portugal em Segurança e Confiabilidade - em Dezembro

CMU|Portugal Security and Dependability Academy

14-15th December, 2009
Faculdade de Ciências, Universidade de Lisboa

*see the Academy brochure*

The CMU|Portugal Security and Dependability Academy is an opportunity for professionals of computer science and engineering or related areas, interested in improving their skills, to get in touch with the experts involved in the Dual Carnegie Mellon University – University of Lisboa Master of Science in Information Technology–Information Security (MSIT-IS).

The Academy will provide a sample of the topics taught during the MSIT-IS program through a set of exciting technical lectures and hands-on experiments in the program’s lab, where the attendees will get the chance to try live cyber-attack and defense technologies.

Although inspired by the MSIT-IS, the academy will be interesting on its own as a forum for discussion of the latest concepts in Security and Dependability.

After the lectures and laboratory experiments, the academy will close with the Pen Testing Trophy, where a victim machine will be subject to penetration testing by willing participants competing for a mysterious trophy.

A informação completa encontra-se em:|Portugal_Security_and_Dependability_Academy

OWASP top 10 2010

Saiu a 1ª versão da edição 2010 do top 10 de vulnerabilidades / factores de risco de aplicações web do projecto OWASP. Mudanças em relação à edição anterior:

Explicação das mudanças:

1)We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the “Understanding Application Security Risk” page below.

2)We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This affects the ordering of the Top 10 somewhat, as you can see in the table below.

3)We replaced two items on the list with two new items:

+ADDED: A6 –Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped because it wasn’t thought of as a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10, and so now it’s back.

+ADDED: A8 –UnvalidatedRedirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.

–REMOVED: A3 –Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications with this problem. PHP is now shipped with more default security, lowering the prevalence of this problem.

–REMOVED: A6 –Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal.

botnet Mega-D/Ozdok desligada

Uma grande botnet dedicada ao envio de spam foi desligada por uma acção conjunta de diversas pessoas. O nível de spam enviado desceu para zero.

Na ArsTechnica (notícia completa aqui):

Security researchers have taken down a major spam offender, though the dip in spam levels may be only temporary. Members of the FireEye security team coordinated an attack on the Mega-D botnet (also known as Ozdok) last week by preemptively registering domains meant for the botnet's command and control channels (CnCs) and shutting down others. Spam coming from Mega-D stopped almost instantly, proving that David really can take down Goliath every once in a while.

Ever since the shut-down of McColo in 2008, the brains behind spam botnets have been much smarter about diversifying their CnCs. As pointed out by a FireEye blog post, they're no longer relying on a single net of domains to control the botnet—instead, many current botnets have mechanisms in place that randomly generate the next block of domains that the zombie machines will look for once the current set is shut down, and the people controlling the CnCs just register those domains on the fly as needed.

Such is the case with Mega-D/Ozdok, which has not one, but two fallback mechanisms for when the original CnCs go down. Not only can it use its own list of DNS servers to access its CnCs, it can generate new domains based on the current date and time. "Unless someone is committed enough to pre-register those domains, the bot herders can always come forward and register those domains and take botnet control back," the FireEye team wrote.

FireEye's move against Mega-D started with abuse notifications to the ISPs being used as hosts—all but four were taken down immediately. The firm then worked with numerous domain registrars to take down the primary CnC domains in order to throw a wrench into the botnet's workings. Then, the researchers registered a number of domains that were on Mega-D's permanent CnC list but were mysteriously unregistered; this move essentially gave FireEye CnC control of the botnet, which they pointed to a sinkhole server where data was collected on victim machines in order to help users recover control of their PCs.

Finally, FireEye began registering in advance some of the soon-to-be-generated domains based on date and time for the next three days, anticipating that the botnet would begin looking for those domains once it realized the current ones were out of commission. This, apparently, was the nail in the coffin, as the firm wrote in a new blog post (via Slashdot) that "everything went right according to plan."

Spam coming out of Mega-D has stopped altogether (at least for the time being) (...)

McAfee sobre Ciber-guerra

A McAfee publicou o seu Virtual Criminology Report 2009 dedicado à ciber-guerra. O relatório pode ser obtido aqui.

Alguns excertos:

Is the “Age of Cyber War” at hand? This year, the fifth annual McAfee Virtual Criminology Report contemplates this question and others prompted by the fact that nation-states are arming themselves for the cyberspace battlefield. Since our 2007 report, when we last discussed the growing cyber threat to national security, there have been increasing reports of cyber attacks and network infiltrations that appear to be linked to nation-states and political goals. The most obvious of these attacks was the August 2008 cyber campaign against Georgia during the South Ossetia War. We decided it was time to further examine whether cyber warfare is now a part of human conflict that we should get used to seeing more often.

key findings:

• Although there is no commonly accepted
definition for cyber war today, we have
seen nation-states involved in varying
levels of cyber conflict. Further, while we have
not yet seen a “hot” cyber war between major
powers, the efforts of nation-states to build
increasingly sophisticated cyber attack capabilities,
and in some cases demonstrate a willingness
to use them, suggests that a “Cyber Cold
War” may have already begun.

• If a major cyber conflict between nationstates
were to erupt, it is very likely that
the private sector would get caught in
the crossfire. Most experts agree that critical
infrastructure systems—such as the electrical
grid, banking and finance, and oil and gas sectors—
are vulnerable to cyber attack in many
countries. Some nation-states are actively doing
reconnaissance to identify specific vulnerabilities
in these networks. In the words of one expert,
nation-states are “laying the electronic battlefield
and preparing to use it.”

• Too much of the debate on policies related
to cyber war is happening behind closed
doors. Important questions, such as where to
draw the line between cyber espionage and
cyber war, are being discussed in private, or perhaps
not at all. Many governments have chosen
to keep debate on cyber conflict classified. Since
governments, corporations and private citizens
all have a stake in the future of the Internet, it is
time to open a global dialogue on how to manage
this new form of conflict.
There have been increased reports of
cyber attacks and network infiltrations
that appear to be linked to nation-states
and political goals.