memory scraping attack

or "pervasive memory scraping"

Memory scraping malware goes after encrypted private information

"Simply put, pervasive memory scraping is used by attackers who have gained administrative privileges to successfully get hold of personally identifiable information (PII) and other sensitive data held encrypted in a file system (...). Evidence of this attack is coming up again and again in data-breach cases, he said. (...)

Although data encryption is widely regarded as good protection for sensitive data — and may be required under regulations — attackers are probing the chinks in encryption's armor to steal it. That's done by taking advantage of the fact that to be processed, data has to be unencrypted, and attackers "go into memory and grab the crypto key" and start "fetching the PII itself from memory."

top 10 new attack techniques against web applications

very interesting:

Top 10 Web hacking techniques of 2010 revealed

The list:
1 Padding Oracle Crypto Attack
2 Evercookie
3 Hacking Autocomplete
4 Attacking HTTPS with Cache Injection
5 Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
6 Universal XSS in IE8
8 JavaSnoop
9 CSS History Hack in Firefox without JavaScript for Intranet Port Scanning
10 Java Applet DNS Rebinding

padding oracle attack

Padding oracle attack (against CBC-mode encryption):

- assume the existence of an oracle that reveals whether the padding of a decrypted block of data is correct or not

- using that oracle alone, the attacker can efficiently decrypt data without knowing the encryption key

Duong and Rizzo turned the theoretical attack into a series of practical attacks:
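An added example (not from this post or from Duong and Rizzo) of where that oracle comes from and how a receiver removes it: a toy CBC receiver whose distinct unpadding error is the oracle, beside an encrypt-then-MAC receiver that verifies the tag in constant time before decrypting and reports one generic error. The block cipher is a SHA-256 Feistel stand-in for AES, an assumption made so the code runs on the standard library alone; all names are my own.

```python
import hashlib, hmac, os
BLOCK = 16
class PaddingError(Exception): pass  # a distinct error type is what hands the attacker an oracle
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
# Toy 4-round Feistel cipher on SHA-256 so the example needs only the standard library; it
# stands in for AES and is NOT a real cipher. Encrypt with range(4), decrypt with reversed(range(4)).
def _feistel(key, blk, rounds):
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l  # final swap makes the same loop its own inverse when the rounds are reversed

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _feistel(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):  # block i is XORed with (iv + ct)[i:i+16], i.e. the previous block
    return b"".join(_xor(_feistel(key, ct[i:i + BLOCK], reversed(range(4))), (iv + ct)[i:i + BLOCK])
                    for i in range(0, len(ct), BLOCK))

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):  # PKCS#7 check
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def receive_vulnerable(key, iv, ct):
    # Decrypt then unpad: whether PaddingError escapes for a modified ciphertext is the oracle.
    return unpad(cbc_decrypt(key, iv, ct))
def seal(enc_key, mac_key, pt, iv=None):
    iv = iv or os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pad(pt))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def receive_hardened(enc_key, mac_key, blob):
    # Encrypt-then-MAC: verify the tag over IV||ciphertext in constant time before decrypting
    # anything, and report one generic failure whatever went wrong.
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed")
    try:
        return unpad(cbc_decrypt(enc_key, iv, ct))
    except PaddingError:
        raise ValueError("decryption failed") from None
```

Flipping one bit of a ciphertext block changes exactly one byte of the following plaintext block, which is why the vulnerable receiver's error type is informative and the hardened one's is not.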

"Night Dragon" attacks - theft of confidential information

A McAfee report describes what the company found about attacks on companies that operate critical infrastructure, aimed at stealing confidential information.

"In 2010, we entered a new decade in the world of cybersecurity. The prior decade was stained with immaturity, reactive technical solutions, and a lack of security sophistication that promoted critical outbreaks, such as Code Red, Nimda, Blaster, Sasser, SQL Slammer, Conficker, and myDoom—to name a few. The security community has evolved and grown smarter about security, safe computing, and system hardening but so have our adversaries. This decade is setting up to be the exponential jumping off point. The adversaries are rapidly leveraging productized malware toolkits that let them develop more malware than in all prior years combined, and they have matured from the prior decade to release the most insidious and persistent cyberthreats ever known.

The Google hacks (“Operation Aurora”), named by McAfee and announced in January 2010, and the WikiLeaks document disclosures of 2010 have highlighted the fact that external and internal threats are nearly impossible to prevent. Miscreants continue to infiltrate networks and exfiltrate sensitive and proprietary data upon which the world’s economies depend every day. When a new attack emerges, security vendors cannot stand by idly and watch. We are obligated to share our findings to protect those not yet impacted and to repair those who have been. As such, McAfee Foundstone Professional Services and McAfee Labs decided to release the following discovery.

Starting in November 2009, coordinated covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies. These attacks have involved social engineering, spearphishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations. We have identified the tools, techniques, and network activities used in these continuing attacks — which we have dubbed Night Dragon — as originating primarily in China. Through coordinated analysis of the related events and tools used, McAfee has determined identifying features to assist companies with detection and investigation. While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers."

The report:

OSSTMM3 and penetration testing

Version 3 of the OSSTMM - Open Source Security Testing Methodology Manual - is out

"The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases. The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated."

(stolen from Miguel Almeida's blog: )

New fast-flux botnet

New Fast-Flux Botnet Unmasked

For those who don't know what fast-flux is:

"Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations."
Know Your Enemy: Fast-Flux Service Networks
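As an added example of the defender's side of that definition (not from this post or the Honeynet paper): a small heuristic over constructed DNS observations that flags names whose answer set churns across short-TTL lookups and is spread over unrelated networks. The domains and addresses are made up, and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed observations, not real traffic: (domain, minute seen, TTL, A records returned).
OBSERVATIONS = [
    ("shop.example", 0, 3600, ["198.51.100.10"]),
    ("shop.example", 30, 3600, ["198.51.100.10"]),
    ("shop.example", 60, 3600, ["198.51.100.10", "198.51.100.11"]),
    ("pharma.example", 0, 180, ["203.0.113.5", "203.0.113.77", "192.0.2.14"]),
    ("pharma.example", 5, 180, ["192.0.2.90", "203.0.113.8", "198.51.100.201"]),
    ("pharma.example", 10, 120, ["203.0.113.130", "192.0.2.33", "198.51.100.55"]),
    ("pharma.example", 15, 180, ["192.0.2.201", "203.0.113.9", "198.51.100.77"]),
]

def flux_stats(observations):
    """Per domain: distinct addresses and /24s seen, mean TTL, and how often the answer set changed."""
    by_domain = defaultdict(list)
    for domain, _minute, ttl, ips in sorted(observations, key=lambda o: o[1]):
        by_domain[domain].append((ttl, frozenset(ips)))
    stats = {}
    for domain, samples in by_domain.items():
        ips = set().union(*(s[1] for s in samples))
        stats[domain] = {
            "samples": len(samples),
            "distinct_ips": len(ips),
            "distinct_nets24": len({ip.rsplit(".", 1)[0] for ip in ips}),  # spread across networks
            "mean_ttl": mean(s[0] for s in samples),
            "answer_changes": sum(1 for a, b in zip(samples, samples[1:]) if a[1] != b[1]),
        }
    return stats

def is_fast_flux(st, max_ttl=300, min_ips=5, min_nets=3, min_change_ratio=0.5):
    # Thresholds are assumptions. A CDN also rotates short-TTL answers, so the spread
    # across unrelated networks matters as much as the raw churn does.
    ratio = st["answer_changes"] / max(1, st["samples"] - 1)
    return (st["mean_ttl"] <= max_ttl and st["distinct_ips"] >= min_ips
            and st["distinct_nets24"] >= min_nets and ratio >= min_change_ratio)
```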

Unencrypted backups expose the health records of 1.7 million people

All thanks to the theft of a set of backup tapes, belonging to some New York clinics and hospitals, while they were being transported to a safer site. Had some security (read: encryption) been added at the source, perhaps the theft would not even have happened.

But every cloud has a silver lining: transporting unencrypted backups has been banned, and a plan is under way to use the stronger (256-bit) version of AES.

More details at:

Exploit Kits

Exploit Kits – A Different View

Marco Preuss, Vicente Diaz

"Exploit kits are packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware. These kits are sold on the black market, where prices ranging from several hundred to over a thousand dollars are paid. Nowadays, it is also quite common to rent hosted exploit kits. Because of this, it is a competitive market with lots of players and many different authors.

Appearing several years ago, MPack was one of the first examples of this kind of ‘tool’. This was followed shortly after by ICE-Pack, Fire-Pack and a lot of others. Today’s well-known exploit kits are, for example, Eleonore, the YES Exploit Pack and Crimepack. (...)"

distribution of the targets of the 5 most popular exploit kits:

years in which the vulnerabilities exploited by those kits were reported:

Security on airplanes


HTTP Strict Transport Security

"HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections. Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent.

The stated benefits of HSTS include:

* Defenses against sslstrip-like attacks. The initial navigation to is automatically upgraded to HTTPS.

* Zero tolerance for certification problems. The user is not permitted to "click through" anything such as a self-signed cert.



"The characteristics of the HTTP Strict Transport Security policy, as applied by a UA in its interactions with a web site wielding HSTS Policy, known as a HSTS Server, is summarized as follows:

1. All insecure ("http") connections to a HSTS Server are redirected by the HSTS Server to be secure connections ("https").

2. The UA terminates, without user recourse, any secure transport  connection attempts upon any and all secure transport errors or warnings, including those caused by a site presenting self-signed certificates.

3. UAs transform insecure URI references to a HSTS Server into secure URI references before dereferencing them."

IETF draft:
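An added example, not from this post or from the draft: a toy HSTS policy store in Python that applies the three rules quoted above on the client side. It assumes the draft's Strict-Transport-Security header syntax with the max-age and includeSubDomains directives; the class and method names are my own, not any browser's internals.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Per-host HSTS policy cache. Names are the author's own, not a browser's internals."""
    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def process_header(self, host, header, over_https):
        # A policy is only accepted from a response received over an error-free HTTPS connection.
        m = re.search(r"max-age\s*=\s*\"?(\d+)", header, re.I)
        if not over_https or not m:
            return False
        if int(m.group(1)) == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 tells the UA to forget the policy
        else:
            sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", header, re.I) is not None
            self._hosts[host.lower()] = (self._now() + int(m.group(1)), sub)
        return True

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        # Rule 3: an insecure URI reference to a known HSTS host becomes https before use;
        # an explicit port 80 is dropped (default 443), any other explicit port is kept.
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname or ""):
            return url
        port = "" if p.port in (None, 80) else f":{p.port}"
        return urlunsplit(("https", p.hostname + port, p.path, p.query, p.fragment))

    def on_tls_error(self, host, proceed_anyway):
        # Rule 2: for a known HSTS host any TLS error terminates the connection; no click-through.
        return False if self.is_known(host) else proceed_anyway
```

Rule 1 (the server-side redirect) is the site's job; the store only records a policy it received over HTTPS, so a header injected into a plain-http response is ignored.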


"ryū is a complete expert system that combines fully trained Artificial Intelligence systems with new compiler theory to deliver security that predicts threats to the system, sensitive data or other components from any operation in the entire Web Application Stack. ryū security system analyses every operation and determines any direct or indirect threat it may cause in combination with other past or future operations."

Unfortunately, the site does not explain how it works.

Global State of Information Security 2011

A very "business-oriented" report produced by CIO and CSO magazines together with PricewaterhouseCoopers, on the site

"As global economic conditions continue to fluctuate, information security hovers in the balance—caught between a new hard-won respect among executives and a painstakingly cautious funding environment."

OWASP Appsec Tutorial Series

A series of very well-made educational videos on web application security:

The first two episodes:

Report on network security - 2010

"In a painful reminder of the fragile state of wireless network security, some 55 percent of mobile providers worldwide suffered outages in 2010 due to security incidents, according to a new report on network infrastructure released today. And more than half admit to having limited visibility into their networks.
Meanwhile, DDoS attacks against ISPs have hit a new high, breaking the 100-Gbps barrier, and application-layer attacks continue to rise beyond HTTP, with attacks against HTTPS, SMTP, and VOIP, Arbor Networks' 2010 Infrastructure Security Report found. And with the wave of attacks on high-profile commercial websites in the wake of the arrest of WikiLeaks founder Julian Assange, DDoS has become more of a household name.

"Some said 2009 was the year of DDoS. But 2010 is the year DDoS went mainstream," says Carlos Morales, vice president of sales engineering for Arbor. "2010 is when DDoS became more noted in the public conscience .. It's the tool of choice for protest now and political/ideological motivation.""

Article: "More Than Half Of Mobile Providers Hit By Attacks That Resulted In Outages"

Arbor Networks report

P.S. Truth be told, the report concludes that the problems solved by the company's own products are serious ones.

Jnanabot - a cross-platform Trojan horse / bot

very interesting, from Symantec's site:

"Recently Symantec Security Response analyzed a Trojan that uses social networking vectors to infect users on multiple platforms. (...)

This particular Trojan (that Symantec detects as Trojan.Jnanabot) is one such attempt to target multiple platforms. Jnanabot has numerous functionalities that include key logging, connection to IRC servers, and posting malicious links on social networking sites, affecting users on Windows, Mac OSX, and Linux platforms.

The threat is composed of multiple files. I will address them as components throughout this blog. Each component is meant for a specific task. Some components are compiled Java files whereas others are platform specific executable files.
  1. Library component: Contains Library files needed to run the threat on various platforms namely: Mac OSX, Linux with AMD 64 machines, Linux with x86 machines, Windows with x86 machines
  2. Main component: The main .jar file that controls execution of all the components.
  3. Install/update component: Installs and updates the threat.
  4. IRC component: Connects to remote IRCs and waits for further commands from the master.
  5. Key logging component.
  6. Crypt component: Windows and Mac executable files to decrypt the packaged files.
  7. Facebook component: We are currently analyzing this component. From our brief analysis it seems as if the threat can read cookies of logged on user and may post malicious links on the social networking site.
It's worth noting that the choice of language to code the Trojan is also cleverly chosen. The Trojan is written in Java, which is a platform independent language. Individual modules contain Java compiled files (.class files), which are packaged in a Java runtime executable (.jar files). As long as a computer has the Java Runtime Environment (JRE) installed on it, which is often the case across all the platforms, the threat can execute itself."

Full article: